Snare Central and Palo Alto
SUMMARY
Palo Alto Networks firewalls can be configured to send log data to Snare Central for collection, analysis and reporting.
The Snare Server collection subsystem is quite flexible, and is capable of dealing with a wide range of custom LEEF formats.
Links to the Palo Alto Networks site that can help with configuration of your firewall can be found here:
https://docs.paloaltonetworks.com/resources/cef
These are the templates you load for the different versions of the PAN-OS firewall.
The following fields are separated out, and are available as individually accessible indexed data within the Snare Central user interface:
cat
src
dst
srcPort
dstPort
protol
usrName
SerialNumber
Type
Subtype
NATSrcIP
NATDstIP
RuleName
SourceUser
DestinationUser
Application
VirtualSystem
SourceZone
DestinationZone
IngressInterface
EgressInterface
LogForwardingProfile
SessionID
RepeatCount
NATSourcePort
NATDestPort
Flags
Bytes
Packets
ElapsedTime
URLCategory
BytesIn
BytesOut
sev
Other LEEF fields will be grabbed from the event, and incorporated into the catch-all "String" field, from which data can be extracted via Snare Central's TOKEN capabilities, if required.
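The split described above (the named fields become indexed data, everything else lands in the catch-all "String" field) can be illustrated with a small parser. The code below is an added example, not Snare Central's own collection code; the sample syslog line, the header values in it and the extra keys devTime and customTag are constructed for the illustration. It handles both the LEEF 1.0 tab-delimited form and the LEEF 2.0 form, where the header carries its own attribute delimiter (a literal character or a hex code such as x09).

```python
"""Split a Palo Alto style LEEF syslog event the way this page describes:
the listed field names become indexed fields, the remainder is kept as one
catch-all "String" value. Added example; not Snare Central's own parser."""
import re

# Field names this page lists as individually indexed by Snare Central.
INDEXED_FIELDS = {
    "cat", "src", "dst", "srcPort", "dstPort", "protol", "usrName",
    "SerialNumber", "Type", "Subtype", "NATSrcIP", "NATDstIP", "RuleName",
    "SourceUser", "DestinationUser", "Application", "VirtualSystem",
    "SourceZone", "DestinationZone", "IngressInterface", "EgressInterface",
    "LogForwardingProfile", "SessionID", "RepeatCount", "NATSourcePort",
    "NATDestPort", "Flags", "Bytes", "Packets", "ElapsedTime", "URLCategory",
    "BytesIn", "BytesOut", "sev",
}

# Constructed sample event (syslog priority/timestamp/host prefix, then LEEF 2.0).
# Vendor, product, version and serial are placeholders, not real values.
SAMPLE_EVENT = (
    "<14>Jun 12 10:15:01 pa-fw01 LEEF:2.0|Palo Alto Networks|PAN-OS|10.1.0|TRAFFIC|x09|"
    "cat=TRAFFIC\tsrc=10.0.0.5\tdst=203.0.113.10\tsrcPort=51234\tdstPort=443\t"
    "usrName=jdoe\tsev=3\tSerialNumber=PLACEHOLDER-SERIAL\tType=TRAFFIC\tSubtype=end\t"
    "RuleName=allow-web\tApplication=ssl\tBytes=9876\tPackets=12\t"
    "devTime=Jun 12 2024 10:15:00\tcustomTag=lab"
)


def _decode_delimiter(spec: str) -> str:
    """LEEF 2.0 header delimiter: a hex code (x09, 0x09) or a literal character."""
    m = re.fullmatch(r"0?x([0-9a-fA-F]{2,4})", spec.strip())
    return chr(int(m.group(1), 16)) if m else spec


def parse_leef(line: str) -> dict:
    """Return {"header": {...}, "fields": {indexed...}, "String": catch-all}."""
    start = line.find("LEEF:")
    if start < 0:
        raise ValueError("not a LEEF event")
    body = line[start + len("LEEF:"):]
    # Header fields are '|' separated; an escaped '\|' inside a field is not a separator.
    parts = re.split(r"(?<!\\)\|", body)
    version = parts[0]
    if version.startswith("2.0"):
        if len(parts) < 7:
            raise ValueError("truncated LEEF 2.0 header")
        vendor, product, prod_ver, event_id, delim_spec = parts[1:6]
        delim = _decode_delimiter(delim_spec)
        attr_text = "|".join(parts[6:])        # values may legitimately contain '|'
    else:
        if len(parts) < 6:
            raise ValueError("truncated LEEF 1.0 header")
        vendor, product, prod_ver, event_id = parts[1:5]
        delim = "\t"                            # LEEF 1.0 attributes are tab separated
        attr_text = "|".join(parts[5:])

    fields, leftover = {}, []
    for pair in attr_text.split(delim):
        if not pair.strip():
            continue
        key, sep, value = pair.partition("=")
        if sep and key.strip() in INDEXED_FIELDS:
            fields[key.strip()] = value.strip()
        else:
            leftover.append(pair)               # goes to the catch-all String field
    return {
        "header": {"version": version, "vendor": vendor, "product": product,
                   "product_version": prod_ver, "event_id": event_id},
        "fields": fields,
        "String": delim.join(leftover),
    }


if __name__ == "__main__":
    ev = parse_leef(SAMPLE_EVENT)
    for k, v in ev["fields"].items():
        print(f"{k:>14} = {v}")
    print("String =", repr(ev["String"]))
```

The leftover keys (here devTime and customTag) are kept verbatim with their original delimiter, which is what lets a TOKEN-style extraction pull them back out later without re-parsing the whole event.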
Configuration Instructions
In order to configure your PAN firewall to send data to a Snare Central server:
Log in to the Palo Alto Networks user interface.
Click the Device tab.
Click Server Profiles -> Syslog.
Click Add.
Create a Syslog destination:
In the "Syslog Server Profile" dialog box, click the "Add" button. Enter:
The IP address of the Snare Central server
The destination port (514)
A descriptive name for the destination Snare Central server
Your preferred syslog facility (note: this is not used by the Snare Server collection system for anything of note).
Click OK.
Specify the severity of events that are contained in the syslog messages:
Click Log Setting | System and then click Edit.
Select the check box for each event severity level that you want contained in the syslog message.
Type the name of the syslog destination.
Click OK.
Click the Device tab and then click Commit.
Note: Depending on your firewall policies, you may need to create a firewall rule in order to allow syslog messages to exit the PAN firewall to the Snare Central Server. The Snare Central server includes an internal firewall, but will allow syslog messages to arrive on port 514 by default.
NOTE: Snare Central was previously known as Snare Server.