Configuring Panorama Syslogs for TCP

Overview

For general information about sending syslogs, see Sending Additional Information using Syslog.

Syslogs sent over TCP must always be encrypted and this option is not available for TOS deployments on Azure, AWS or GCP. For non-encrypted syslogs, see Configuring Palo Alto Syslogs for UDP.

This procedure is relevant for Panorama management devices, not PAN-OS stand-alone firewalls.

Prerequisites

    1. Create a new private key.

      [<ADMIN> ~]# openssl genrsa -aes256 -out ca.key 4096 chmod 400 ca.key
      openssl genrsa -aes256 -out ca.key 4096 chmod 400 ca.key

      You are prompted to enter a password. Make sure to save the password somewhere safe, you will need it for later.

    2. Create a certificate signing request (CSR).

      [<ADMIN> ~]# openssl req -new -x509 -sha256 -days 2048 -key c.key -out ca.crt 
      openssl req -new -x509 -sha256 -days 2048 -key ca.key -out ca.crt

      The following message is displayed.

    3. Fill in "." in all fields except Common Name.

      In Common Name, give the certificate a meaningful name. For example, "Tufin".

    4. Create the certificate.

      [<ADMIN> ~]# openssl x509 -sha1 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt 
      openssl x509 -sha1 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt

    Your CA key/password pair, and certificate are created:

    • ca.crt

    • ca.key

    1. Create a private key for the Tufin server:

      [<ADMIN> ~]# openssl genrsa -out server.key 2048 && chmod 400 server.key
      openssl genrsa -out server.key 2048 && chmod 400 server.key

    2. Create a Certificate Signing Request (CSR):

      [<ADMIN> ~]# openssl req -new -key server.key -sha256 -out server.csr 
      openssl req -new -key server.key -sha256 -out server.csr

      The DN fields are displayed.

    3. Fill in the field as follows:

      • Common Name - the syslog VIP

      • A Challenge Password (this may only appear in the next step) - leave blank

      • All other fields - "."

    4. Sign the CSR: 

      [<ADMIN> ~]# openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 1 -out server.crt 
      openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 1 -out server.crt
    5. Edit the permission of the file. 
      [<ADMIN> ~]#chmod 444 server.crt
      chmod 444 server.crt
    6. When prompted, enter your root CA password.

    7. Verify:

      1. The validity of the new certificate:

        [<ADMIN> ~]# openssl x509 -noout -text -in server.crt 
        openssl x509 -noout -text -in server.crt

        The server key information is displayed. Next to Server: CN=, your syslog VIP appears.

      2. That the certificate signing was successful 

        3. [<ADMIN> ~]# openssl verify -CAfile ca.crt server.crt
        openssl verify -CAfile ca.crt server.crt

      3. server.crt: OK should be displayed.

      In root@TufinOS cert, the following files appear: 

      • ca.crt

      • ca.key

      • server.crt

      • server.csr

      • server.key

Set up encrypted syslogs over TCP in Panorama

  1. Import the certificate to the TOS server:

    Run:

    [<ADMIN> ~]# tos certificate import --type syslog --ca <CA-PATH> --cert <CERT-PATH> --key <KEY-PATH>
    tos certificate import --type syslog --ca <CA-PATH> --cert <CERT-PATH> --key <KEY-PATH>

    where

    Parameter

    Description

    Required/Optional

    <CERT-PATH>

    Location of the CA.

    Required

    <CERT-PATH>

    Location of the certificate.

    Required

    <KEY-PATH>

    Location of the key.

    Required

    Sample output

    $ tos certificate import --type syslog --ca /tmp/ca.crt --cert /tmp/server.crt --key /tmp/server.key

  2. Define the syslog VIP:

    sudo tos cluster syslog-vip add <SYSLOG_VIP> [--port <PORT>] --transport tcp [--debug]

    where

    Parameter

    Description

    Mandatory /Optional

    <SYSLOG_VIP>

    Syslog VIP of the cluster.

    Mandatory

    --port

    Allows you to specify a port; otherwise, the default port 6514 is used.

    Optional

    The process might take a few minutes.

    The message "INFO VIP "<VIP-ADDRESS>" Added!" is displayed.

  3. Add a new Palo Alto Panorama device or configure an existing device where:

    Syslog Settings is configured as Custom > TCP.

    By default, all TCP syslogs will be encrypted.

    1. Create a key:

      [<ADMIN> ~]# openssl genrsa -out client.key 2048
      openssl genrsa -out client.key 2048

      Save the key password somewhere safe. You will need it to import the certificate to the client device.

    2. Create a certificate signing request (CSR):

      [<ADMIN> ~]# openssl req -new -key client.key -out client.csr
      openssl req -new -key client.key -out client.csr

    3. Fill in the field as follows:

      • Common Name - the device IP address or resolvable host name of the client

      • A Challenge Password (this may only appear in the next step) - leave blank

      • All other fields - "."

    4. Sign the CSR with the root CA:

      [<ADMIN> ~]# openssl x509 -req -days 365 -sha256 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 2 -out client.pem
      openssl x509 -req -days 365 -sha256 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 2 -out client.pem

    5. Verify the validity of the certificate:

      [<ADMIN> ~]#  openssl x509 -noout -text -in client.pem
      openssl openssl x509 -noout -text -in client.pem

      Subject: CN=<device IP> is displayed.

    6. Verify the signature:

      [<ADMIN> ~]# openssl verify -CAfile ca.crt client.pem 
      openssl verify -CAfile ca.crt client.pem

      The message server.crt:OK is displayed.

  5. From the Panorama device:
    1. Import the certificate and key. Make sure to enable Import Private Key.
    2. Mark the certificate as: Certificate for Secure Syslog.
    3. Configure Panorama to send syslogs to the syslog VIP over SSL.