Configuring Palo Alto Syslogs for UDP

Syslog traffic must be configured to arrive at the TOS Aurora cluster that monitors the device - see Sending Additional Information via Syslog.

To show revision accountability and report on rule and object usage, each of your Palo Alto firewall devices must send syslogs to SecureTrack. You can only send non-encrypted syslogs over UDP. To configure sending encrypted syslogs over TCP see Configuring Panorama Syslogs for TCP.

The firewalls in the organization must be configured to allow relevant traffic.

Syslog proxy is supported for specific devices. For more information on syslog proxy support for supported devices, see Configuring Devices to Send Logs.

Only rules that are marked for logging in the device are included in the syslogs.

This procedure is relevant for both Panorama Management devices and PAN-OS stand-alone firewalls.

Configure a Palo Alto Device to Send Traffic Syslogs to SecureTrack for a Rule That Is Tracked

  1. View the security policy and click on the Options column of the rule.

    Palo Alto Rule Options

    Notice the name of the Log Forwarding profile. At least one of the Log At options must be checked. We recommend that you select only Log at Session End, to better manage the traffic load.

  2. Go to Objects > Log Forwarding and select the profile used in the rule. Note the name of the syslog profile.

  3. Go to Device > Server Profiles > Syslog, and add the SecureTrack server to the profile:

    Use port 514 (for UDP/TCP) and any facility. You must use the default log format for traffic.

Configure a Palo Alto Device to Send Traffic Syslogs to SecureTrack for a Rule That Is Not Tracked

To configure a Palo Alto device to send traffic syslogs to SecureTrack for a rule that is not tracked, perform the steps in reverse order:

  1. Add a new syslog server profile with the VIP address of the cluster that is managing the device.

  2. Add the syslog profile to a new Log Forwarding profile.

  3. For the rule that you want to track, select the new log forwarding profile in the rule Options field and mark either Send at session start or Send at session end.

Configure a Palo Alto Device to Send Accountability Syslogs to SecureTrack

  1. Go to: Device > Log Settings > Config

  2. Configure the syslogs to be sent to the SecureTrack server.

  3. In SecureTrack, make sure that the Palo Alto device is monitored in real-time.

    1. Go to: Settings > Monitoring > Manage Devices

    2. Select the device and click Edit configuration.

    3. To go to the monitoring settings, click Next twice.

    4. Click Custom and review the monitoring settings.
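A receiver-side check for both procedures above, added here as an example and not part of Tufin's or Palo Alto's own code: it parses the default-format (CSV) PAN-OS syslog lines that arrive on UDP 514, counts traffic logs per rule by subtype (so you can see which rules still log at session start, which the page advises against), and lists the CONFIG events that carry revision accountability. The field positions (Type=3, Subtype=4, Rule Name=11 for TRAFFIC; Command=9, Admin=10, Result=12 for CONFIG), the hostname PA-FW1 and the sample datagrams are assumptions constructed for this example; check the indices against the PAN-OS version in use.

```python
import csv
import re
import socket
from collections import Counter

# Field indices in the PAN-OS default (CSV) log body. Assumption: they follow the
# documented TRAFFIC (Type=3, Subtype=4, Rule Name=11) and CONFIG (Type=3,
# Command=9, Admin=10, Result=12) layouts; verify against the PAN-OS version in use.
TYPE, SUBTYPE, RULE, CMD, ADMIN, RESULT = 3, 4, 11, 9, 10, 12
HEADER_RE = re.compile(r"^<\d{1,3}>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d \S+ (.*)$")

def parse_panos_line(line):
    """Return the CSV fields of one default-format PAN-OS syslog line, or None."""
    m = HEADER_RE.match(line.strip())
    return next(csv.reader([m.group(1)])) if m else None

def summarize(lines):
    """Traffic logs per rule by subtype, plus config (accountability) events."""
    rules = {}   # rule name -> Counter({"start": n, "end": n, ...})
    config = []  # (admin, command, result)
    for line in lines:
        f = parse_panos_line(line)
        if f is None or len(f) <= RESULT:
            continue  # not default format, or a truncated datagram
        if f[TYPE] == "TRAFFIC":
            rules.setdefault(f[RULE], Counter())[f[SUBTYPE]] += 1
        elif f[TYPE] == "CONFIG":
            config.append((f[ADMIN], f[CMD], f[RESULT]))
    return rules, config

def rules_logging_at_start(rules):
    """Rules also logging at session start; the page recommends session end only."""
    return sorted(r for r, c in rules.items() if c["start"])

def receive_udp(port=514, count=100, bind="0.0.0.0"):
    """Collect raw datagrams on the cluster VIP for summarize() (port 514 needs root)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind((bind, port))
        return [s.recv(8192).decode("utf-8", "replace") for _ in range(count)]

# Constructed sample datagrams (not from a real device), cut after the fields read above.
SAMPLE = [
    "<14>Jan 10 12:00:05 PA-FW1 1,2024/01/10 12:00:05,012345678901,TRAFFIC,start,2560,"
    "2024/01/10 12:00:05,10.0.1.25,203.0.113.10,0.0.0.0,0.0.0.0,Allow-Web-Out,,,web-browsing",
    "<14>Jan 10 12:00:20 PA-FW1 1,2024/01/10 12:00:20,012345678901,TRAFFIC,end,2560,"
    "2024/01/10 12:00:20,10.0.1.25,203.0.113.10,0.0.0.0,0.0.0.0,Allow-Web-Out,,,web-browsing",
    "<14>Jan 10 12:01:00 PA-FW1 1,2024/01/10 12:01:00,012345678901,CONFIG,0,0,"
    "2024/01/10 12:01:00,10.0.9.5,vsys1,set,admin,Web,Succeeded,rulebase security rules",
    "<14>Jan 10 12:01:02 PA-FW1 free-text line that is not in the default format",
]
```

Run `summarize(receive_udp())` on the cluster VIP after the device commit: a rule that never appears was not marked for logging or does not use the forwarding profile, and an empty config list means Device > Log Settings > Config is not forwarding to the syslog profile.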