Palo Alto Networks Firewalls

This guide details the process of configuring your Palo Alto Networks Firewall to forward logs to a designated Syslog endpoint. Palo Alto Networks firewalls support Syslog natively, facilitating direct log forwarding.

Prerequisites

  • Administrative access to the Palo Alto Networks Firewall web interface.
  • The Syslog endpoint and port provided by the service (replace <SYSLOG_ENDPOINT> and <SYSLOG_PORT> with the actual values).

Step 1: Configure Syslog Server Profile

  1. Log in to the Palo Alto Networks Firewall web interface.
  2. Navigate to Device > Server Profiles > Syslog.
  3. Click Add to create a new Syslog server profile. Provide a meaningful name for the profile.
  4. Under Servers, click Add and enter the Syslog server's details:
    • Name: Enter a name for the Syslog server configuration.
    • Syslog Server: Enter the IP address of the Syslog endpoint (<SYSLOG_ENDPOINT>).
    • Transport: Select the protocol used by your Syslog server (usually UDP).
    • Port: Enter the port number (<SYSLOG_PORT>).
    • Facility: Choose the Syslog facility your collector expects; the facility is part of each message's PRI header, so it must match what the receiving side filters on.
  5. Click OK to save the Syslog server profile.

Step 2: Assign Syslog Server Profile to Log Forwarding Profile

  1. Navigate to Objects > Log Forwarding.
  2. Click Add to create a new log forwarding profile, or select an existing profile to modify.
  3. In the profile settings, assign the Syslog server profile created in Step 1 to the log types you wish to forward (for example Traffic, Threat, or URL Filtering).
  4. Commit your changes to apply the configuration.

Step 3: Apply Log Forwarding Profile to Security Policies

  1. Navigate to Policies > Security.
  2. Edit the security policy rules for which you want to enable log forwarding.
  3. In the policy rule settings, go to the Actions tab.
  4. Select the log forwarding profile created or modified in Step 2 from the Log Forwarding drop-down menu.
  5. Commit your changes to apply the policy updates.

Step 4: Verify Log Forwarding

  • Generate test traffic that matches the security policy rules configured for log forwarding.
  • Contact your service provider to confirm that the logs are being received at the Syslog endpoint.

Troubleshooting

  • Connectivity: Ensure there is network connectivity between the Palo Alto Networks Firewall and the Syslog endpoint. Check for any firewalls or network devices that might block the Syslog traffic.
  • Syslog Server Configuration: Verify the Syslog server configuration, including the IP address, port, and protocol, to ensure they match the settings provided by your service.
  • Firewall Commit: Make sure to commit your changes on the firewall after configuring the Syslog server profile and log forwarding settings.
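Before involving the service provider (Step 4) it helps to confirm locally that messages leave the firewall with the expected facility and log types, which also covers the "Syslog Server Configuration" troubleshooting item above. The listener below is an added example, not part of this guide or of Palo Alto Networks' own tooling. It assumes the firewall sends BSD-style syslog over UDP and that the message body is the PAN-OS comma-separated record whose fourth field is the log type (TRAFFIC, THREAT, ...); the sample message, serial number and addresses are constructed for illustration, and the port 5514 and the `check_expected` helper are this example's own choices.

```python
"""Minimal UDP syslog receiver for checking firewall log forwarding.

Added example (not from the original guide). Assumptions, not taken from
the page: BSD-style syslog framing "<PRI>Mon DD hh:mm:ss host body" and a
PAN-OS CSV body whose field index 3 is the log type.
"""
import csv
import re
import socket
from dataclasses import dataclass

# RFC 3164 facility and severity names; PRI = facility * 8 + severity.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
              "clock", "local0", "local1", "local2", "local3", "local4",
              "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

SYSLOG_RE = re.compile(
    r"^<(\d{1,3})>([A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) (.*)$", re.S)

# Constructed sample: a TRAFFIC "end" record as a PAN-OS firewall named PA-VM
# might forward it (serial number and addresses are placeholders).
SAMPLE = ("<14>Jan 15 10:22:33 PA-VM "
          "1,2024/01/15 10:22:33,000000000000,TRAFFIC,end,2561,2024/01/15 10:22:33,"
          "10.1.1.10,192.0.2.20,0.0.0.0,0.0.0.0,allow-outbound,,,ssl,vsys1,trust,untrust,"
          "ethernet1/2,ethernet1/1,Forward-to-Syslog,2024/01/15 10:22:33,12345,1,"
          "51234,443,0,0,0x19,tcp,allow")


@dataclass
class SyslogRecord:
    pri: int
    facility: str
    severity: str
    timestamp: str
    hostname: str
    log_type: str
    fields: list


def parse_pan_syslog(raw: str) -> SyslogRecord:
    """Split the syslog header and decode the PAN-OS CSV body; raise on bad input."""
    m = SYSLOG_RE.match(raw.strip())
    if not m:
        raise ValueError("not a BSD-style syslog message: %r" % raw[:40])
    pri = int(m.group(1))
    if pri > 191:  # 23 facilities * 8 + 7 is the largest legal value
        raise ValueError("PRI out of range: %d" % pri)
    facility, severity = divmod(pri, 8)
    # csv handles fields that PAN-OS quotes because they contain commas.
    fields = next(csv.reader([m.group(4)]))
    log_type = fields[3] if len(fields) > 3 else ""
    return SyslogRecord(pri, FACILITIES[facility], SEVERITIES[severity],
                        m.group(2), m.group(3), log_type, fields)


def check_expected(rec: SyslogRecord, expected_facility: str, expected_types) -> list:
    """Return a list of mismatches against the server profile / forwarding profile."""
    problems = []
    if rec.facility != expected_facility:
        problems.append(f"facility {rec.facility} != profile setting {expected_facility}")
    if rec.log_type not in expected_types:
        problems.append(f"log type {rec.log_type!r} not in forwarded types "
                        f"{sorted(expected_types)}")
    return problems


def listen(port: int, expected_facility: str, expected_types, max_messages: int = 5) -> None:
    """Receive datagrams, parse each one and print whether it matches expectations."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", port))
    seen = 0
    while seen < max_messages:
        data, (src, _) = sock.recvfrom(65535)
        try:
            rec = parse_pan_syslog(data.decode("utf-8", errors="replace"))
        except ValueError as exc:
            print(f"{src}: unparseable message: {exc}")
            continue
        problems = check_expected(rec, expected_facility, expected_types)
        status = "OK" if not problems else "; ".join(problems)
        print(f"{src} {rec.hostname} {rec.log_type} {rec.facility}.{rec.severity}: {status}")
        seen += 1


if __name__ == "__main__":
    # Point the Syslog server profile at this host and port, generate test
    # traffic as in Step 4, then compare the output with the profile settings.
    listen(5514, "user", {"TRAFFIC", "THREAT"})
```

Run it on a host the firewall can reach, with the profile's port temporarily set to 5514 (binding the default port 514 requires elevated privileges). Because UDP carries no delivery confirmation, an empty listener says nothing about whether the firewall committed the profile, so work through the "Connectivity" and "Firewall Commit" items above when nothing arrives; if the firewall offers TCP or SSL transport in the Syslog server profile, those at least make delivery failures visible.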

For further assistance or specific configurations, please contact your service provider's support team or refer to Palo Alto Networks documentation.