Quick Links

Integrating with Palo Alto Networks Panorama

Overview

Palo Alto Panorama offers easy-to-implement and centralized management features to gain insight into network-wide traffic and threats, and administer your firewalls everywhere.

Panorama enables you to forward logs to external servers, including syslog, email, and SNMP trap servers. By forwarding logs to Blumira’s platform, you can reduce firewall load and provide a reliable approach to log forwarding.

With this configuration, Blumira will be able to provide log aggregation, threat detection, and actionable response for network segments protected by Palo Alto Panorama.

Before you begin

This integration requires a Blumira sensor to be installed before you can complete the steps below. Ensure that you complete the steps in Building a Blumira sensor with Ubuntu before you continue.

Gather the IP address of your Blumira sensor to use when configuring the external service.

To find and copy the IP address of the sensor, do the following:

  1. In Blumira, navigate to Ingestion > Sensors.
  2. Click the sensor row to open the details page.
  3. In the Overview section, next to Host Details, copy the IP address.

Configuring log forwarding from Palo Alto Networks Panorama

Reference: See additional details, including steps for securing TLS connections, in these Palo Alto's Configure Syslog Monitoring. Also see Configure Log Forwarding from Panorama to External Destinations and Log Forwarding Options.

To start forwarding Panorama logs to Blumira, do the following:

  1. In Palo Alto, navigate to Device > Server Profiles > Syslog.
  2. Click Add.
  3. In the Syslog Server Profile window, do the following:
    1. Type a name for the server profile.
    2. Click Add.
    3. Type a name for the Blumira sensor you will use as the syslog server to collect log data.
    4. Enter the IP address of the Blumira sensor.
    5. Type port number 514.
    6. Click OK.
  4. Configure destinations:
    1. Select Panorama > Log Settings.
    2. For System, Correlation, and Threat logs, click each Severity level, select the Syslog server profile you just created for Blumira, and click OK.
    3. For WildFire logs, click each Verdict, select Syslog server profile for Blumira you just created, and click OK.
  5. Configure destinations for firewall logs that an M-Series appliance in Panorama or Log Collector mode collects (M-Series appliance only):
    1. Select Panorama > Collector Groups and select the Collector Group that receives the firewall logs.
    2. Click the Collector Log Forwarding tab.
    3. For each log Severity level in the System, Threat, and Correlation tabs, click a cell in the Syslog Profile column, and select the server profile you just created.
    4. In the Config, HIP Match, and Traffic tabs, select the Syslog server profile you just created.
    5. For each Verdict in the WildFire tab, click a cell in the Syslog Profile column, and select the server profile you just created.
    6. Click OK to save your changes to the Collector Group.
  6. To commit the changes, do the following:
    1. Click Commit, set the Commit Type to Panorama, and click Commit again.
    2. Click Commit, set the Commit Type to Device Group.
    3. Select all the device groups of the firewalls from which Panorama collects logs, and include Device and Network Templates.
    4. Click Commit again.
    5. Click Commit, set the Commit Type to Collector Group.
    6. Select the collector group you configured to forward logs and click Commit again (M-Series appliance only).