Palo Alto Networks: Panorama

Samurai [Local] CollectorSamurai [Cloud] CollectorSamurai [Cloud Native] Collector
Picture1.svg

To complete this Integration you will need to:

1) Ensure Connectivity Requirements are in place

2) From your Palo Alto Networks Panorama:

4) From the Samurai MDR portal:

Connectivity Requirements

You must ensure the following connectivity requirements are available:

SourceDestinationPortsDescription
PanoramaSamurai Local CollectorUDP/514 (syslog)For log transmission
Samurai Local CollectorPanoramaTCP/443 (https)For Packet Captures

Configure syslog to your Samurai Local Collector

Follow the steps outlined within the Palo Alto Networks documentation to configure your Panorama to send logs to your Samurai Local Collector:

mceclip0.png Ensure to select your current version, we have linked version 10.2 above.

Use the following parameters when completing the steps:

Documentation StepField NameParameter
4.2Server Profile NameWhatever you want, however we suggest NTT_Syslog_Profile
4.2Syslog ServerIP address of your Samurai Collector
4.2TransportUDP
4.2Port514 (Default)
4.2FormatBSD (Default)
4.2Facilitykeep as default
4.4Custom Log Formatkeep as default for every log type

If you will not be using the Panorama Management interface you will need to configure an alternative ethernet interface to forward syslog by following the documentation from Step 5.

mceclip0.png You must have your Palo Alto Next Generation Firewalls configured to forward logs to Panorama - if you have not configured this yet then follow the steps outlined in Configure Log Forwarding to Panorama

Enable API Access

Follow the steps outlined within the Palo Alto Networks documentation:

Creating a new Admin Role Profile to be used specifically by Samurai.

Under XML API ensure to disable all permissions except the following:

  1. Log
  2. Operation Requests
  3. Export

Once complete you now need to get the API key to be used in the Samurai MDR portal. Follow the Palo Alto documentation:

When following the steps be sure to use the username and password you created in the previous step. Once successful make a note of the <Key> string as you will need this later when you Complete the Palo Alto Networks Panorama Integration

Obtain your Wildfire API key

If you leverage Wildfire, follow the steps outlined in the Palo Alto documentation to obtain your Wildfire API key:

mceclip0.png ensure to select your deployment model when obtaining your API key.

Complete the Palo Alto Networks Panorama Integration

  1. Login to the Samurai MDR portal

  2. Click Telemetry and select Integrations from the main menu

  3. Click Create

  4. Find and select Palo Alto Networks Next-Generation Firewall Panorama

  5. Select the relevant Local Collector and click Next

  6. You will be presented with the Local Collector IP Address on the left of the screen

  7. To configure Extended Telemetry Collection ensure it is enabled via the toggle

  8. Enter the following information

    • Name for the Integration - the name will appear in the application for you to easily reference
    • Description - optional but if completed will appear in the application for you to easily reference)
    • Manager name- this name is used as the source for alerts for this integration
    • API-Key you captured in Enable API Access
    • Wildfire API-key - to enable Wildfire telemetry collection include the key you captured in Obtain your Wildfire API key
    • Hostname/IP - hostname or IP address of Palo Alto device to collect alerts from
  9. Click on Finish

mceclip0.png For general information on Integrations refer to the Integrations article.

Our Integration guide was accurate at the time of writing but vendors change things frequently! If you find errors or anything is outdated, let us know by raising a request in the Samurai MDR application and we shall get it updated.