How do I configure remote syslog forwarding for Palo Alto firewalls

This article will describe the steps required to configure Palo Alto to send Syslog messages to the RocketAgent Syslog Server

CREATE SYSLOG PROFILE

  1. Open your Palo Alto dashboard.
  2. Navigate to Devices > Server Profiles > Syslog
  3. Click Add and enter a Name for the syslog profile, i.e. RocketCyber SOC syslog
  4. Server - the IP address of the specified device chosen in the RocketCyber firewall log analyzer
  5. Transport - select UDP
  6. Port - the default Palo Alto port is 1514, change this to 514
  7. Format - select BSD
  8. Facility - the default standard syslog value should be set to LOG_USER
  9. Click OK to save the syslog profile

CONFIGURE SYSLOG FORWARDING PROFILE

  1. Navigate to Objects > Log Forwarding, click Add and Enter a name (common to use the same as above ~ RocketCyber SOC syslog.
  2. For each log type, severity level and Wildfire verdict, select the syslog server profile, and click OK.
  3. Assign the log forwarding profile to security rules.

 

Optional - CONFIGURE SECURITY POLICY RULE AS LOG FORWARDING

  1. Navigate to Policies > Security
  2. Click the policy desired to be added to the log forwarding.
  3. Select Actions.
  4. Select Log Forwarding Profile from dropdown ~RocketCyber SOC syslog
  5. Click OK

 

Was this article helpful?
0 out of 0 found this helpful
Have more questions? Contact us