Overview
Blumira’s modern cloud SIEM platform integrates with Palo Alto Next-Generation Firewalls to stream security event logs to the Blumira service for automated threat detection and actionable response.
Additionally, enabling Blumira’s dynamic blocklist capabilities on your integrated next-generation firewall allows Blumira to automatically block known threats.
Learn more about enabling Blumira’s blocklists to block malicious source IP addresses and domains for automated threat response.
Also, refer to Palo Alto's instructions in Use an External Dynamic List in Policy.
Before you begin
This integration requires a Blumira sensor to be installed before you can complete the steps below. Ensure that you complete the steps in Building a Blumira sensor with Ubuntu before you continue.
Gather the IP address of your Blumira sensor to use when configuring the external service.
To find and copy the IP address of the sensor, do the following:
- In Blumira, navigate to Settings > Sensors.
- Click the sensor row to open the details page.
- In the Overview section, next to Host Details, copy the IP address.
You must first configure log forwarding in Palo Alto to allow Blumira to collect the logs. See directions on how to configure log forwarding in Palo Alto’s Tips & Tricks: Forward traffic logs to a syslog server.
Provide the Blumira sensor information when setting up your syslog server:
- IP address of the Blumira sensor you will log events to
- Port number 514
While completing this step, take the time to review your current security policies and ensure that they are up to date. Blumira generally prefers the settings that produce the most verbose log content and the highest log volume, and these log forwarding settings should be applied to every security policy on the device.