Snare Central and Palo Alto


SUMMARY

Palo Alto Networks firewalls can be configured to send log data to Snare Central for collection, analysis and reporting.
The Snare Server collection subsystem is quite flexible, and is capable of dealing with a wide range of custom LEEF formats.

The following link to the Palo Alto Networks site can help with the configuration of your firewall:

https://docs.paloaltonetworks.com/resources/cef

These are the templates you load in for the different versions of the PAN-OS firewall.

The following fields are separated out, and are available as individually accessible indexed data within the Snare Central user interface:

  • cat

  • src

  • dst

  • srcPort

  • dstPort

  • protol

  • usrName

  • SerialNumber

  • Type

  • Subtype

  • NATSrcIP

  • NATDstIP

  • RuleName

  • SourceUser

  • DestinationUser

  • Application

  • VirtualSystem

  • SourceZone

  • DestinationZone

  • IngressInterface

  • EgressInterface

  • LogForwardingProfile

  • SessionID

  • RepeatCount

  • NATSourcePort

  • NATDestPort

  • Flags

  • Bytes

  • Packets

  • ElapsedTime

  • URLCategory

  • BytesIn

  • BytesOut

  • sev

Any other LEEF fields are captured from the event and stored in the catch-all "String" field, from which data can be extracted via Snare Central's TOKEN capabilities if required.
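To show how the field split described above behaves on an actual message, here is an added Python example (not Snare Central's or Palo Alto Networks' code) that parses a LEEF 1.0 or 2.0 payload according to the LEEF header layout and sorts its attributes into the indexed fields listed above versus the catch-all "String" field. The sample event, its values, and the non-indexed keys devTime and action are constructed for illustration.

```python
import re
# Field names that Snare Central indexes individually, as listed on this page.
INDEXED_FIELDS = {
    "cat", "src", "dst", "srcPort", "dstPort", "protol", "usrName", "SerialNumber",
    "Type", "Subtype", "NATSrcIP", "NATDstIP", "RuleName", "SourceUser",
    "DestinationUser", "Application", "VirtualSystem", "SourceZone", "DestinationZone",
    "IngressInterface", "EgressInterface", "LogForwardingProfile", "SessionID",
    "RepeatCount", "NATSourcePort", "NATDestPort", "Flags", "Bytes", "Packets",
    "ElapsedTime", "URLCategory", "BytesIn", "BytesOut", "sev",
}

def parse_leef(line):
    """Split a syslog line carrying a LEEF payload into header, indexed fields and String."""
    start = line.find("LEEF:")
    if start < 0:
        raise ValueError("no LEEF header in line")
    version = line[start + 5:start + 8]
    if version == "1.0":            # LEEF 1.0: attributes are always tab-delimited
        parts = line[start:].split("|", 5)
        if len(parts) != 6:
            raise ValueError("malformed LEEF 1.0 header")
        delim, attrs = "\t", parts[5]
    elif version == "2.0":          # LEEF 2.0: delimiter is carried in the header
        parts = line[start:].split("|", 6)
        if len(parts) != 7:
            raise ValueError("malformed LEEF 2.0 header")
        delim, attrs = parts[5], parts[6]
        if delim == "":
            delim = "\t"
        elif re.fullmatch(r"x[0-9A-Fa-f]{2,4}", delim):   # hex form, e.g. x09 for tab
            delim = chr(int(delim[1:], 16))
    else:
        raise ValueError("unsupported LEEF version %r" % version)
    fields, remainder = {}, []
    for item in attrs.split(delim):
        key, sep, value = item.partition("=")
        if sep and key.strip() in INDEXED_FIELDS:
            fields[key.strip()] = value
        elif item.strip():
            remainder.append(item)  # every other attribute lands in the "String" field
    return {"vendor": parts[1], "product": parts[2], "product_version": parts[3],
            "event_id": parts[4], "fields": fields, "String": delim.join(remainder)}

# Constructed sample event (not a real PAN-OS log); the syslog prefix and all values are made up.
SAMPLE = ("<14>Jan 05 10:22:31 pa-vm LEEF:1.0|Palo Alto Networks|PAN-OS|10.1.0|deny|"
          "cat=TRAFFIC\tsrc=10.1.1.25\tdst=203.0.113.7\tsrcPort=51234\tdstPort=443\t"
          "protol=tcp\tusrName=example\\alice\tRuleName=block-outbound\tApplication=ssl\t"
          "sev=3\tdevTime=Jan 05 2024 10:22:31\taction=deny")
```

Calling parse_leef(SAMPLE) returns the ten indexed keys under "fields" and leaves "devTime=...\taction=deny" in "String", which is the split Snare Central's TOKEN extraction would then work on.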

Configuration Instructions

In order to configure your PAN firewall to send data to a Snare Central server:

  1. Log in to the Palo Alto Networks user interface.

  2. Click the Device tab.

  3. Click Server Profiles -> Syslog.

  4. Click Add.

  5. Create a Syslog destination:
    In the "Syslog Server Profile" dialog box, click the "Add" button. Enter:

    • The IP Address of the Snare Central server

    • The destination port (514)

    • A descriptive name for the destination Snare Central server

    • Your preferred syslog facility (note: this is not used by the Snare Server collection system for anything of note).

  6. Click OK.

  7. Specify the severity of events that are contained in the syslog messages:

    • Click Log Setting | System and then click Edit.

    • Select the check box for each event severity level that you want contained in the syslog message.

    • Type the name of the syslog destination.

    • Click OK.

  8. Click the Device tab and then click Commit.

Note: Depending on your firewall policies, you may need to create a firewall rule in order to allow syslog messages to exit the PAN firewall to the Snare Central server. The Snare Central server includes an internal firewall, but it allows syslog messages to arrive on port 514 by default.

NOTE: Snare Central was previously known as Snare Server.