Palo Alto Networks: Next-Generation Firewall

Samurai [Local] CollectorSamurai [Cloud] Collector
Picture1.svg

To complete this Integration you will need to:

1) Ensure Connectivity Requirements are in place

2) From your Palo Alto Networks Next Generation Firewall:

4) From the Samurai MDR portal:

Connectivity Requirements

You must ensure the following connectivity requirements are available:

SourceDestinationPortsDescription
PAN NGFWSamurai Local CollectorUDP/514 (syslog)For log transmission
Samurai Local CollectorPAN NGFWTCP/443 (https)Packet captures

Configure syslog to your Samurai Local Collector

Follow the steps outlined within the Palo Alto Networks documentation to configure your firewall to send logs to your Samurai Local Collector:

If you do not have Panorama deployed:

If you have Panorama deployed please refer to Palo Alto Networks: Panorama (Be aware of steps based on your Panorama deployment mode)

Use the following parameters when completing the steps:

Field NameParameter
Server Profile NameWhatever you want, however we suggest NTT_Syslog_Profile
Syslog ServerIP address of your Samurai Collector
TransportUDP
Port514 (Default)
FormatBSD (Default)
Facilitykeep as default
Custom Log Formatkeep as default for every log type

Create Log Forwarding Profiles

Follow the steps outlined within the Palo Alto Networks documentation:

You will need to configure Log forwarding profiles for each log type as per the table below:

Field NameParameter
NameWhatever you want, however we suggest NTT_Log_Fwd_Profile
Name for each Log TypeWhatever you want, however we suggest NTT_<log type>_Fwd_Profile. Where <log type> denotes each log type available
Log TypeAll (you need to include all log types eg. traffic, threat, wildfire etc)
FilterAll logs
Forward MethodSelect the syslog Server Profile you configured in Configure syslog to Samurai Local Collector (we suggested *NTT_Syslog_Profile)

Create URL Filtering Profile

Follow the steps outlined within the Palo Alto Networks documentation:

Field NameParameter
NameWhatever you want, however we suggest NTT_URL_Profile
Site Access for Each CategoryAlert. If your company policy requires Block for certain categories, set it that way.
User Credential Submission for Each CategoryAlert. If your company policy requires Block for certain categories, set it that way.
SettingsEnsure Log container page only is not selected
HTTP Header LoggingEnable: User-Agent, Referer, X-Forwarded-For

Create Filtering Profile Group

Follow the steps outlined within the Palo Alto Networks documentation:

Use the following parameters when completing the steps:

Field NameParameter
Security Profile Group nameWhatever you want, however we suggest NTT_Security_Profile
Filtering ProfilesAll as applicable eg. Anti-virus, Anti-Spyware, Vulnerability Protection, and URL Filtering created in Create URL Filtering Profile and Enable Packet Capture Profiles

Create Security Policy Rule

Follow the steps outlined within the Palo Alto Networks documentation:

Use the following parameters in the Actions tab when completing the steps:

Field NameParameter
Profile SettingSelect the Group Profile you provided in Create Filtering Profile Group (we suggested NTT_Security_Profile)
Log at Session StartEnabled
Log at Session EndEnabled
Log ForwardingSelect the Log Forwarding Profile you provided in Create Log Forwarding Profile (we suggested NTT_Log_Fwd_Profile)

Enable Packet Capture Profiles

Follow the steps outlined within the Palo Alto Networks documentation:

You will need to enable Packet Capture for for each profile as tables below:

Anti Virus Profile

Field NameParameter
NameWhatever you want, however we suggest NTT_AV_Profile
Anti-VirusEnable Packet-Capture

Anti-Spyware Profile

Field NameParameter
NameWhatever you want, however we suggest NTT_Spyware_Profile
Severity Critical

Severity High

Severity Medium
Select extended-capture

Vulnerability Protection Profile

Field NameParameter
NameWhatever you want, however we suggest NTT_IDS_Profile
Severity Critical

Severity High

Severity Medium
Select extended-capture

Enable API Access

Follow the steps outlined within the Palo Alto Networks documentation:

Creating a new Admin Role Profile to be used specifically by the Samurai platform.

Under XML API ensure to disable all permissions except the following:

  1. Log
  2. Operation Requests
  3. Export

Once complete you now need to get the API key to be used in the Samurai MDR portal. Follow the Palo Alto documentation:

When following the steps be sure to use the username and password you created in the previous step. Once successful make a note of the <Key> string as you will need this later when you Complete the Palo Alto Networks NG Firewall Integration

Complete the Palo Alto Networks Next-Generation Firewall Integration

  1. Login to the Samurai MDR portal

  2. Click Telemetry and select Integrations from the main menu

  3. Click Create

  4. Find and select Palo Alto Networks Next-Generation Firewall

  5. Select the relevant Local Collector and click Next

  6. You will be presented with the Local Collector IP Address on the left of the screen

  7. To configure Extended Telemetry Collection ensure it is enabled via the toggle

  8. Enter the following information

    • Name for the Integration - the name will appear in the Samurai MDR portal for you to easily reference
    • Description - optional but if completed will appear in the Samurai MDR portal for you to easily reference)
    • Physical device name - this name is used as the source for alerts for this integration
    • API-Key you captured in Enable API Access
    • Hostname/IP - hostname or IP address of Palo Alto device to collect alerts from
  9. Click on Finish

Our Integration guide was accurate at the time of writing but vendors change things frequently! If you find errors or anything is outdated, let us know by raising a request in the Samurai MDR application and we shall get it updated.