Configuring Panorama Syslogs for TCP

Overview

From R22-2 PHF1.0.0, you can configure encrypted syslogs over TCP in Panorama devices.

For general information about sending syslogs, see Sending Additional Information using Syslog.

Syslogs sent over TCP must always be encrypted. This option is not available for TOS deployments on Azure, AWS or GCP. For non-encrypted syslogs, see Configuring Palo Alto Syslogs for UDP.

This procedure is relevant for Panorama management devices, not PAN-OS stand-alone firewalls.

Prerequisites

Set up encrypted syslogs over TCP in Panorama

  1. Import the certificate to the TOS server:

    1. Run:

      [<ADMIN> ~]# tos certificate import --type syslog --ca <CA-PATH> --cert <CERT-PATH> --key <KEY-PATH>

      where:

      Parameter     Description                    Required/Optional
      <CA-PATH>     Location of the CA.            Required
      <CERT-PATH>   Location of the certificate.   Required
      <KEY-PATH>    Location of the key.           Required

      Sample output

      $ tos certificate import --type syslog --ca /tmp/ca.crt --cert /tmp/server.crt --key /tmp/server.key

      The message "Successfully changed configuration for syslog -agent-service." is displayed.

    2. Verify that the certificate was successfully imported to the TOS server:

      [<ADMIN> ~]# kubectl get secrets syslog-agent-nginx-secret -oyaml

      An encrypted version of the certificate is displayed. Verify that it's the certificate you just created by checking the creationTimestamp.


  2. Define the syslog VIP:

    sudo tos cluster syslog-vip add <SYSLOG_VIP> [--port <PORT>] --transport tcp [--debug]

    where:

    Parameter      Description                                                               Mandatory/Optional
    <SYSLOG_VIP>   Syslog VIP of the cluster.                                                Mandatory
    --port         Allows you to specify a port; otherwise, the default port 6514 is used.   Optional

    The process might take a few minutes.

    The message "INFO VIP "<VIP-ADDRESS>" Added!" is displayed.

  3. Add a new Palo Alto Panorama device or configure an existing device where:

    Syslog Settings is configured as Custom > TCP.

    By default, all TCP syslogs will be encrypted.

  4. From the Panorama device:
    1. Import the certificate and key. Make sure to enable Import Private Key.
    2. Mark the certificate as: Certificate for Secure Syslog.
    3. Configure Panorama to send syslogs to the syslog VIP over SSL.
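
A pre-flight check for the files used in step 1, added here as an example and not part of the TOS tooling: before running tos certificate import, it uses openssl to confirm that the key matches the certificate, that the certificate chains to the CA file, and that it is not about to expire. The function name preflight and the 24-hour expiry margin are assumptions, as is the input format (PEM files with an unencrypted private key, openssl 1.1.0 or later).

```shell
#!/bin/sh
# Added example (not a TOS command): pre-flight check of the files passed to
# `tos certificate import --type syslog --ca ... --cert ... --key ...`.
# Assumes PEM files and an unencrypted private key; needs openssl 1.1.0+.

# PEM public key embedded in a certificate.
cert_pubkey() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }

# PEM public key derived from a private key. `-passin pass:` makes an
# encrypted key fail instead of prompting on the terminal.
key_pubkey() { openssl pkey -in "$1" -pubout -passin pass: 2>/dev/null; }

# preflight CA CERT KEY -> returns 0 when the three files are consistent.
preflight() {
  ca=$1 cert=$2 key=$3
  for f in "$ca" "$cert" "$key"; do
    [ -r "$f" ] || { echo "FAIL: cannot read $f"; return 1; }
  done

  # 1. The private key must belong to the certificate.
  cpub=$(cert_pubkey "$cert") || { echo "FAIL: $cert is not a PEM certificate"; return 1; }
  kpub=$(key_pubkey "$key") || { echo "FAIL: $key is not a readable private key"; return 1; }
  [ -n "$cpub" ] && [ "$cpub" = "$kpub" ] ||
    { echo "FAIL: key does not match certificate"; return 1; }

  # 2. The certificate must chain to the supplied CA only (-no-CApath keeps
  #    the system trust directory out of the decision).
  openssl verify -no-CApath -CAfile "$ca" "$cert" 2>/dev/null | grep -q ': OK$' ||
    { echo "FAIL: certificate does not chain to $ca"; return 1; }

  # 3. The certificate must still be valid 24 hours from now.
  openssl x509 -in "$cert" -noout -checkend 86400 >/dev/null ||
    { echo "FAIL: certificate expires within 24 hours"; return 1; }

  echo "OK: CA, certificate and key are consistent"
}

# Run as: sh preflight.sh /tmp/ca.crt /tmp/server.crt /tmp/server.key
if [ "$#" -eq 3 ]; then preflight "$@"; fi
```

The same three files are the ones imported into Panorama in step 4, so a failure here would also surface later as a failed TLS handshake between Panorama and the syslog VIP.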