Panorama
Panorama is Palo Alto Networks' centralized security management solution that enables organizations to efficiently manage multiple Palo Alto Networks firewalls from a single interface. It provides visibility, control, automation, and reporting across distributed networks.
Panorama Configurations:
Log in to Panorama using the Web Interface.
Navigate to Device → Server Profiles → Syslog
Add a new profile.
Enter the profile name.
Under Servers, click Add and define the following:
Name: name for the Syslog server.
Syslog Server: IP address or hostname of the Syslog server.
Port: the port number on which to send syslog messages (default is UDP on port 514); you must use the same port number on the firewall and the syslog server.
Transport: choose UDP, TCP, or SSL/TLS based on your listener type.
Format: select the syslog message format to use: BSD (the default) or IETF. Traditionally, BSD format is sent over UDP and IETF format over TCP or SSL/TLS.
Facility: select a syslog standard value (default is LOG_USER) used to calculate the priority (PRI) field in your syslog server implementation. Select the value that maps to how you use the PRI field to manage your syslog messages.
Click OK to save the profile.
XPLG Configurations:
When adding or editing logs in XpoLog, it is mandatory to apply the correct log type(s) to each log:
syslog - every log that the application will analyze must have syslog as a log type
traffic - every log must also be configured with traffic as a log type
panorama - every log must also be configured with panorama as a log type
Once the required information is set, edit the log pattern. This step is crucial to the accuracy and deployment of the Panorama App. Use the following pattern for the Panorama traffic log:
XPLG:[{timestamp:Timestamp,MM/dd/yyyy HH:mm:ss.SSS}] [{text:Facility,ftype=facility}] [{priority:Level,ftype=level,DEBUG;INFO;WARN;ERROR;FATAL}] [{text:Source Device,ftype=source-device}] {block,start,emptiness=true}{text:Application Name,ftype=app-name}[{text:Process Id,ftype=pid}]: {block,end,emptiness=true}{text:Date,charsLength=15;,} {text:Device,ftype=device} {text:Log Type,ftype=logtype},{date:Receive Time,yyyy/MM/dd HH:mm:ss},{text:Serial#,ftype=serial},{text:Type,ftype=eventSource},{text:Session Action,ftype=action},{text:Config Version,ftype=configversion},{date:Session Start Time,yyyy/MM/dd HH:mm:ss},{ip:SourceIP,ftype=sourceip},{ip:Destination IP,ftype=targetip},{ip:Nat SourceIP,ftype=natsourceip},{ip:Nat Destination IP,ftype=nattargetip},{text:Security Policy Name,ftype=rulename},{text:Source User,ftype=username},{text:Destination User,ftype=dstusername},{text:Application,ftype=application},{text:Virtual System,ftype=virtualsystem},{text:Source Zone,ftype=srczone},{text:Destination Zone,ftype=dstzone},{text:Ingress Interface,ftype=srcintf},{text:Egress Interface,ftype=dstintf},{text:Log Forwarding Profile,ftype=logaction},{date:First Packet Time,yyyy/MM/dd HH:mm:ss},{text:Elapsed Time (ms),ftype=elapsedtime},{text:Total Packets,ftype=packets},{number:Source Port,ftype=sourceport},{number:Destination Port,ftype=dstport},{number:Nat Source Port,ftype=natsourceport},{number:Nat Destination Port,ftype=natdstport},{text:Flags,ftype=flags},{text:IP Protocol,ftype=ipprotocol},{text:Action Taken,ftype=eventName},{number:Bytes,ftype=bytes},{text:Bytes Sent,ftype=bytesent},{text:Bytes Received,ftype=bytesreceived},{number:Packets Sent,ftype=packets},{text:First Packet Recieved Timestamp,ftype=start},{number:Packets Retransmitted,ftype=packetsretransmitted},{text:Security Rule Action,ftype=secruleaction},{text:Unknown1},{text:Sequence Number,ftype=sequencenumber},{text:Session ID,ftype=sessionid},{text:Source Country,ftype=srccountry},{text:Destination Country,ftype=dstcountry},{text:Unknown2},{text:Packets Transmitted,ftype=sentpackets},{text:Packets Recieved,ftype=packetsrecieved},{text:Session End Reason,ftype=sessionendreason},{text:Sent Packets,ftype=sentpackets},{text:Recieved Packets,ftype=recievedpackets},{text:Forwarded Bytes,ftype=forwardedbytes},{text:Reverse Bytes,ftype=reversebytes},{text:Unknown3},{text:Security Rule Name,ftype=secrulenname},{text:Source Nat Type,ftype=sourcenattype},{text:Unknown4},{text:Unknown5},{text:Unknown6},{text:Unknown7},{text:Unknown8},{text:Unknown9},{text:Unknown10},{text:Unknown11},{text:Threat ID,ftype=threatid},{text:Repeat Count,ftype=repeatcount},{text:Unknown12},{text:Unique Threat ID,ftype=uuid},{text:Unknown13},{text:Unknown14},{text:Unknown15},{text:Unknown16},{text:Unknown17},{text:Unknown18},{text:Unknown20},{text:Unknown21},{text:Unknown22},{text:Unknown23},{text:Unknown24},{text:Unknown25},{text:Unknown26},{text:Unknown27},{text:Unknown28},{text:Unknown29},{text:Unknown30},{text:Unknown31},{text:Unknown32},{text:Unknown33},{text:Unknown34},{text:Unknown35},{text:Unknown36},{text:Unknown37},{text:Unknown38},{text:Unknown39},{text:Unknown40},{text:Unknown41},{text:Unknown42},{text:Unknown43},{text:Unknown44},{text:Unknown45},{text:Unknown46},{text:Unknown47},{text:Unknown48},{text:Unknown49},{text:ISO Timestamp},{text:Unkown50},{text:Unknown51},{text:Infrastructre Type,ftype=infratype},{text:Industry Category,ftype=industrycat},{text:Threat/Category Type,ftype=threattype},{text:Threat Severity Level,ftype=threatlevel},{block,start,emptiness=true}"{block,end,emptiness=true}{text:Threat Indicators}{block,start,emptiness=true}"{block,end,emptiness=true},{text:Threat Name,ftype=threat},{text:Threat Type,ftype=threattype},{text:URL Filtering Log},{text:File Blocking Log},{text:Wildfire Analysis Score}
For more information about the Panorama log fields, see the format conversion table below (field names follow the pattern above):

| Field Name | Field Key | Description |
|---|---|---|
| Date | receive_time | Time when the log was received |
| Device | device_name | Firewall that generated the log |
| Log Type | log_type | Type of log entry |
| Receive Time | generated_time | Time when the event occurred |
| Serial# | serial_number | Firewall's unique serial number |
| Type | log_subtype | Subtype of the log |
| Session Action | session_end_reason | How the session ended |
| Config Version | config_version | Version of the configuration |
| Session Start Time | start_time | Session start time |
| SourceIP | src_ip | Source IP of the session |
| Destination IP | dst_ip | Destination IP of the session |
| Nat SourceIP | natsrc_ip | Translated source IP if NAT applied |
| Nat Destination IP | natdst_ip | Translated destination IP if NAT applied |
| Security Policy Name | rule_name | Name of the matched security policy |
| Source User | src_user | Username associated with source IP |
| Destination User | dst_user | Username associated with destination IP |
| Application | app | Application detected in the session |
| Virtual System | vsys | Virtual system name |
| Source Zone | src_zone | Security zone of source IP |
| Destination Zone | dst_zone | Security zone of destination IP |
| Ingress Interface | ingress_if | Physical/logical interface where session entered |
| Egress Interface | egress_if | Physical/logical interface where session exited |
| Log Forwarding Profile | log_forwarding | Log forwarding profile applied |
| First Packet Time | pkt_capture_time | Timestamp of first packet in session |
| Elapsed Time (ms) | elapsed_time | Total duration of session in ms |
| Total Packets | total_pkt | Total number of packets in session |
| Source Port | src_port | Source port of session |
| Destination Port | dst_port | Destination port of session |
| Nat Source Port | natsrc_port | Translated source port if NAT applied |
| Nat Destination Port | natdst_port | Translated destination port if NAT applied |
| Flags | flags | Session characteristics (bitwise) |
| IP Protocol | protocol | Transport protocol used |
| Action Taken | action | Action applied (allow/deny) |
| Bytes | bytes | Total bytes |
| Bytes Sent | bytes_sent | Total bytes sent |
| Bytes Received | bytes_recieved | Total bytes received |
| Packets Sent | total_packets_sent | Total packets sent in session |
| First Packet Recieved Timestamp | pkt_capture_time | Timestamp of first packet in session |
| Packets Retransmitted | total_packets_transmitted | Total packets transmitted in session |
| Security Rule Action | rule_action | Action of security rule |
| Sequence Number | session_id_64bit | Extended unique session identifier |
| Session ID | session_id | Unique session identifier |
| Source Country | src_addr_group | Source IP address group |
| Destination Country | dst_addr_group | Destination IP address group |
| Packets Transmitted | packets_tx | Total number of packets transmitted |
| Packets Recieved | packets_rx | Total number of packets received |
| Session End Reason | session_end_reason | Session ending reason |
| Sent Packets | total_packets_sent | Total packets sent in session |
| Recieved Packets | total_packets_received | Total packets received in session |
| Forwarded Bytes | total_bytes_forwarded | Total bytes forwarded |
| Reverse Bytes | total_bytes_reversed | Total bytes received |
| Security Rule Name | security_rule_name | Security policy name applied |
| Source Nat Type | src_nat_type | Type of NAT applied to source |
| Threat ID | threat_id | Threat ID detected |
| Repeat Count | repeat_count | Number of times the same threat was observed |
| Unique Threat ID | threat_uuid | Unique identifier for detected threats |
| ISO Timestamp | gen_time | Timestamp when threat log was generated |
| Infrastructure Type | infra_type | Infrastructure type detected |
| Industry Category | industry_category | Industry category of the traffic |
| Threat/Category Type | threat_category | Category of detected threat |
| Threat Severity Level | severity | Severity of detected threat |
| Threat Indicators | threat_indicators | Indicators of compromise detected |
| Threat Name | threat_name | Detected threat name |
| Threat Type | threat_type | Type of detected threat |
| URL Filtering Log | url_filtering | Was URL filtering applied |
| File Blocking Log | file_blocking | Was file blocking triggered |
| Wildfire Analysis Score | wildfire_score | Wildfire threat analysis score |
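The example below is added here and is not part of the XPLG Panorama App or of Palo Alto Networks' documentation. It shows in Python what the server-profile settings (Facility and the resulting PRI field), the XPLG pattern and the conversion table together describe: a BSD-format traffic log line is split into its syslog header and comma-separated body, the PRI is decoded back into facility and severity (PRI = facility * 8 + severity), and the body fields are mapped to the field keys from the table in the order the pattern consumes them. The sample lines, hostname and serial number are constructed for this illustration; only the first 35 fields (through Packets Sent) are mapped, with any remaining positions kept as a raw list so longer real lines still parse. The helper names (`decode_pri`, `parse_traffic_line`, `denied_sessions`) are this example's own.

```python
import csv
import re

# Syslog PRI decoding (RFC 3164/5424): PRI = facility * 8 + severity.  The
# Facility chosen in the Panorama server profile (default LOG_USER = 1)
# supplies the facility half of this value.
FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
              6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp"}
FACILITIES.update({16 + i: f"local{i}" for i in range(8)})
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Field keys from the conversion table, in the order the XPLG pattern reads
# them.  The first two come from the header part of the pattern (15-character
# BSD date, then the device name); the rest are the comma-separated body.
HEADER_KEYS = ["receive_time", "device_name"]
CSV_KEYS = [
    "log_type", "generated_time", "serial_number", "log_subtype",
    "session_end_reason", "config_version", "start_time", "src_ip", "dst_ip",
    "natsrc_ip", "natdst_ip", "rule_name", "src_user", "dst_user", "app", "vsys",
    "src_zone", "dst_zone", "ingress_if", "egress_if", "log_forwarding",
    "pkt_capture_time", "elapsed_time", "total_pkt", "src_port", "dst_port",
    "natsrc_port", "natdst_port", "flags", "protocol", "action", "bytes",
    "bytes_sent", "bytes_recieved", "total_packets_sent",
]

# BSD header: <PRI>, a 15-character timestamp, a space, the device hostname,
# a space, then the message body (this is what the pattern's
# {text:Date,charsLength=15} {text:Device} prefix consumes).
HEADER_RE = re.compile(r"^<(\d{1,3})>(.{15}) (\S+) (.*)$")

# Constructed sample input (not real firewall output).  PRI <14> is
# LOG_USER (1) * 8 + INFO (6).
SAMPLE_LINES = [
    # Allowed outbound web session; the rule name is quoted because it contains a comma.
    '<14>Oct 10 12:00:01 PA-VM-01 1,2024/10/10 12:00:01,007200001234,TRAFFIC,end,2305,'
    '2024/10/10 12:00:01,10.1.1.25,203.0.113.10,0.0.0.0,0.0.0.0,"Allow Web,Internal",'
    'corp\\alice,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,LogFwd-XPLG,'
    '2024/10/10 11:59:50,60,3,54321,443,0,0,0x19,tcp,allow,4800,3200,1600,2',
    # Denied inbound connection to an RDP port.
    '<14>Oct 10 12:00:02 PA-VM-01 1,2024/10/10 12:00:02,007200001234,TRAFFIC,drop,2305,'
    '2024/10/10 12:00:02,198.51.100.7,10.1.1.5,0.0.0.0,0.0.0.0,Deny-Inbound,,,unknown-tcp,'
    'vsys1,untrust,trust,ethernet1/1,ethernet1/2,LogFwd-XPLG,2024/10/10 12:00:02,0,1,'
    '40000,3389,0,0,0x0,tcp,deny,60,60,0,1',
    # Malformed: no <PRI> header, so the parser rejects it instead of guessing.
    'Oct 10 12:00:03 PA-VM-01 1,2024/10/10 12:00:03,007200001234,TRAFFIC,end',
]


def decode_pri(pri):
    """Split a PRI value into (facility name, severity name)."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    facility, severity = divmod(pri, 8)
    return FACILITIES.get(facility, f"facility{facility}"), SEVERITIES[severity]


def parse_traffic_line(line):
    """Parse one BSD-format traffic line into a dict keyed like the conversion table."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not a BSD syslog line with a PRI header")
    pri, date, device, body = m.groups()
    # PAN-OS quotes fields that contain commas, so split with the csv module
    # rather than a plain str.split(",").
    values = next(csv.reader([body]))
    if len(values) < len(CSV_KEYS):
        raise ValueError(f"expected at least {len(CSV_KEYS)} fields, got {len(values)}")
    facility, severity = decode_pri(int(pri))
    record = dict(zip(HEADER_KEYS, (date, device)))
    record.update(zip(CSV_KEYS, values))
    record["facility"] = facility
    record["severity"] = severity
    record["extra"] = values[len(CSV_KEYS):]   # positions beyond Packets Sent
    return record


def parse_traffic_lines(lines):
    """Parse many lines; malformed ones are counted rather than silently dropped."""
    records, rejected = [], 0
    for line in lines:
        try:
            records.append(parse_traffic_line(line))
        except ValueError:
            rejected += 1
    return records, rejected


def denied_sessions(records):
    """Return (src_ip, dst_ip, dst_port) for every session the firewall denied."""
    return [(r["src_ip"], r["dst_ip"], r["dst_port"])
            for r in records if r["action"] == "deny"]


if __name__ == "__main__":
    recs, bad = parse_traffic_lines(SAMPLE_LINES)
    print(f"parsed {len(recs)} records, rejected {bad}")
    for r in recs:
        print(r["device_name"], r["facility"], r["severity"], r["rule_name"], r["action"])
    print("denied:", denied_sessions(recs))
```

Two points the pattern alone does not make obvious: the body must be split with a CSV parser because PAN-OS quotes any field that contains a comma (the pattern's quoted Threat Indicators block is the same problem in XPLG terms), and the rejected-line count matters operationally, since a listener that silently drops lines it cannot parse hides exactly the gaps a reviewer of the Panorama App's accuracy needs to see.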