Palo Alto Networks: Panorama
To complete this Integration you will need to:
1) Ensure Connectivity Requirements are in place
2) From your Palo Alto Networks Panorama:
- Configure syslog to your Samurai Local Collector
- Enable API Access
- Obtain your Wildfire API key (if applicable)
3) From the Samurai MDR portal:
- Complete the Palo Alto Networks Panorama Integration
Connectivity Requirements
You must ensure the following connectivity requirements are available:
Source | Destination | Ports | Description |
---|---|---|---|
Panorama | Samurai Local Collector | UDP/514 (syslog) | For log transmission |
Samurai Local Collector | Panorama | TCP/443 (https) | For Packet Captures |
Configure syslog to your Samurai Local Collector
Follow the steps outlined in the Palo Alto Networks documentation to configure your Panorama to send logs to your Samurai Local Collector:
Be sure to select your current PAN-OS version; the link above points to version 10.2.
Use the following parameters when completing the steps:
Documentation Step | Field Name | Parameter |
---|---|---|
4.2 | Server Profile Name | Any name you like; we suggest NTT_Syslog_Profile |
4.2 | Syslog Server | IP address of your Samurai Collector |
4.2 | Transport | UDP |
4.2 | Port | 514 (Default) |
4.2 | Format | BSD (Default) |
4.2 | Facility | Keep the default |
4.4 | Custom Log Format | Keep the default for every log type |
If you will not be using the Panorama Management interface, you will need to configure an alternative Ethernet interface to forward syslog by following the documentation from Step 5.
You must have your Palo Alto Next-Generation Firewalls configured to forward logs to Panorama. If you have not configured this yet, follow the steps outlined in Configure Log Forwarding to Panorama.
Enable API Access
Follow the steps outlined in the Palo Alto Networks documentation:
Create a new Admin Role Profile to be used specifically by Samurai.
Under XML API, disable all permissions except the following:
- Log
- Operation Requests
- Export
Once complete, you need to obtain the API key to be used in the Samurai MDR portal. Follow the Palo Alto documentation:
When following the steps, be sure to use the username and password you created in the previous step. Once successful, make a note of the <Key> string, as you will need it later when you Complete the Palo Alto Networks Panorama Integration.
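A quick check that the key you just generated works and that the Admin Role Profile really is limited to Log, Operation Requests and Export, as an added example that is not part of this guide or of Samurai. It assumes the standard PAN-OS XML API endpoint https://<panorama>/api/ with its documented keygen, op and config request types; the host, username and sample responses are placeholders.

```python
"""Verify a Panorama XML API key and the least-privilege role behind it.
Added example (not the Samurai guide's own code). Assumes the standard
PAN-OS XML API at https://<panorama>/api/; hostname and user are placeholders."""
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET


def parse_api_response(xml_text):
    """Return (status, payload): the <key> on keygen success, otherwise the error text."""
    root = ET.fromstring(xml_text)
    status = root.get("status")
    key = root.findtext("./result/key")
    # keygen errors use <result><msg>; op/config errors use <msg><line>
    msg = root.findtext("./result/msg") or root.findtext("./msg/line")
    return status, key if key is not None else msg


def api_call(host, params, timeout=10):
    """POST form-encoded parameters so the password/key stay out of URLs and proxy logs.
    TLS verification is left on; install Panorama's CA rather than disabling it."""
    data = urllib.parse.urlencode(params).encode()
    req = urllib.request.Request(f"https://{host}/api/", data=data)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode()


def probe_role(host, key):
    """Exercise the two request classes that separate the Samurai role from a full admin:
    'op' (permitted: Operation Requests) and 'config' (should be refused)."""
    op = {"type": "op", "cmd": "<show><system><info></system></show>", "key": key}
    cfg = {"type": "config", "action": "show", "xpath": "/config/mgt-config", "key": key}
    return {name: parse_api_response(api_call(host, p))[0] for name, p in (("op", op), ("config", cfg))}


def role_is_least_privilege(statuses):
    """True when operational requests succeed but configuration reads are denied."""
    return statuses.get("op") == "success" and statuses.get("config") != "success"


# Constructed sample responses in the PAN-OS response shape (key and text are placeholders).
SAMPLE_KEYGEN_OK = "<response status = 'success'><result><key>CONSTRUCTED_KEY</key></result></response>"
SAMPLE_DENIED = "<response status = 'error' code = '403'><result><msg>Invalid credentials.</msg></result></response>"

if __name__ == "__main__":
    import getpass, sys
    host, user = sys.argv[1], sys.argv[2]  # e.g. panorama.example.net samurai-api (placeholders)
    status, key = parse_api_response(api_call(host, {"type": "keygen", "user": user, "password": getpass.getpass()}))
    if status != "success":
        sys.exit(f"keygen failed: {key}")
    statuses = probe_role(host, key)
    print("least-privilege role OK" if role_is_least_privilege(statuses) else f"review the role: {statuses}")
```

If the config probe succeeds, the Admin Role Profile still grants Configuration rights and should be tightened before the key goes into the portal.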
Obtain your Wildfire API key
If you leverage Wildfire, follow the steps outlined in the Palo Alto documentation to obtain your Wildfire API key:
Be sure to select your deployment model when obtaining your API key.
Complete the Palo Alto Networks Panorama Integration
1) Log in to the Samurai MDR portal
2) Click Telemetry and select Integrations from the main menu
3) Click Create
4) Find and select Palo Alto Networks Next-Generation Firewall Panorama
5) Select the relevant Local Collector and click Next
6) You will be presented with the Local Collector IP Address on the left of the screen
7) To configure Extended Telemetry Collection, ensure it is enabled via the toggle
8) Enter the following information:
- Name for the Integration - the name will appear in the application for you to easily reference
- Description - optional, but if completed it will appear in the application for you to easily reference
- Manager name - this name is used as the source for alerts for this integration
- API key - the key you captured in Enable API Access
- Wildfire API key - to enable Wildfire telemetry collection, include the key you captured in Obtain your Wildfire API key
- Hostname/IP - hostname or IP address of the Palo Alto device to collect alerts from
9) Click Finish
For general information on Integrations refer to the Integrations article.
Our Integration guide was accurate at the time of writing but vendors change things frequently! If you find errors or anything is outdated, let us know by raising a request in the Samurai MDR application and we shall get it updated.