Configuring Palo Alto Syslogs

To show revision accountability and report on rule and object usage, each of your Palo Alto firewall devices must send syslogs to SecureTrack.

The firewalls in the organization must be configured to allow relevant traffic.

Syslog traffic must be configured to arrive at the SecureTrack server that monitors the device (Central Server, Distribution Server or Remote Collector Server) from the IP address and/or host name of the device.

For more information see Sending Additional Information via Syslog.

Syslog proxy is supported for specific devices. For more information on syslog proxy support for supported devices, see Configuring Devices to Send Logs.

Only rules that are marked for logging in the device are included in the syslogs.

Configure a Palo Alto Device to Send Traffic Syslogs to SecureTrack for a Rule That Is Tracked

  1. View the security policy and click on the Options column of the rule.

    Palo Alto Rule Options

    Notice the name of the Log Forwarding profile. At least one of the Log At options must be checked. We recommend that you select only Log at Session End, to better manage the traffic load.

  2. Go to Objects > Log Forwarding and select the profile used in the rule. Note the name of the syslog profile.

  3. Go to Device > Server Profiles > Syslog, and add the SecureTrack server to the profile:

    Use port 514 (for UDP) or port 6514 (for TCP) and any facility. You must use the default log format for traffic.

To configure a Palo Alto device to send traffic syslogs to SecureTrack for a rule that is not tracked, perform the steps in reverse order:

  1. Add a new syslog server profile with the IP address of the SecureTrack server, remote collector or distribution server that is managing the device.

  2. Add the syslog profile to a new Log Forwarding profile.

  3. For the rule that you want to track, select the new log forwarding profile in the rule Options field and mark either Send at session start or Send at session end.

Configure a Palo Alto Device to Send Accountability Syslogs to SecureTrack

  1. Go to: Device > Log Settings > Config

  2. Configure the syslogs to be sent to the SecureTrack server.

  3. In SecureTrack, make sure that the Palo Alto device is monitored in real-time.

    1. Go to: Settings > Monitoring > Manage Devices

    2. Select the device and click Edit configuration.

    3. Click Next twice to reach the monitoring settings.

    4. Click Custom and review the monitoring settings.
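For reference, the PAN-OS CLI equivalent of both Palo Alto procedures above (traffic syslogs for a tracked rule, and configuration-change syslogs for accountability). This is an added example, not part of the SecureTrack documentation or Palo Alto's own material: the profile names, the rule name Allow-Web and the SecureTrack address 192.0.2.10 are assumptions, and lines starting with # are annotations rather than CLI input.

```text
# Added example, not from the original page. Assumed values:
# 192.0.2.10 = SecureTrack server (or Remote Collector / Distribution Server)
# Allow-Web  = the security rule whose usage should be tracked
configure

# Step 3 (or reverse step 1): syslog server profile pointing at SecureTrack.
# UDP 514 with the default BSD format; for TCP use "transport TCP port 6514".
set shared log-settings syslog ST-Syslog server SecureTrack server 192.0.2.10 transport UDP port 514 format BSD facility LOG_USER

# Step 2 (or reverse step 2): Log Forwarding profile that sends traffic logs
# to that syslog server profile.
set shared log-settings profiles ST-LogFwd match-list traffic-to-st log-type traffic filter "All Logs" send-syslog ST-Syslog

# Step 1 (or reverse step 3): attach the Log Forwarding profile to the rule
# and log at session end only, as recommended above for traffic load.
set rulebase security rules Allow-Web log-setting ST-LogFwd log-start no log-end yes

# Accountability (Device > Log Settings > Config): forward configuration
# change logs to the same syslog server profile.
set shared log-settings config match-list config-to-st send-syslog ST-Syslog

commit
```

After the commit, SecureTrack should receive traffic logs only for rules that carry a Log Forwarding profile, which matches the note above that unlogged rules never appear in the syslogs.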