Integrate Palo Alto PAN-OS with Red Canary

Create a Red Canary generated-URL to send PAN-OS alerts for ingestion.

1. From your Red Canary homepage, click Integrations. If you do not see the required integration, click See all integrations.

   

2. In the search bar, type click Palo Alto PAN-OS.

3. Continue Configure.

4. Enter a Name for your external alert source.  

5. Select a Display Category.

6. Under the Ingest Format/Method dropdown, select Palo Alto Networks PAN OS via Syslog.

7. Click Save Configuration.

8. Click Edit Configuration.

9. Click Activate.

10. Red Canary will generate a URL and Port number that you will use to input into your PAN-OS account. Copy and save this number as you will use it in subsequent steps.

    

11. With your Red Canary URL generated, log in to your PAN-OS device of choice.

Step 2.1–Create a Syslog Profile

1. From your PAN-OS dashboard, click Device.

2. From the Server Profiles dropdown in the navigation pane, click Syslog.

   

3. Click +Add.

4. Name your Syslog Profile.

5. Click +Add.

6. Name your Syslog Server.

7. Copy and paste the syslog server URL address from Step 1.11.
   

8. From the Transport dropdown, select SSL.

9. In the Port section, enter the Port number from Step 1.11. 

10. From the Format dropdown, select BSD.

11. From the Facility dropdown, select LOG_User.

12. Click OK.

Step 2.2–Create a Log Forwarding Profile

1. From your PAN-OS dashboard, click Objects.

2. In the navigation pane, click Log Forwarding.

   

3. Click +Add.

4. Name your log forwarding profile, and then write a description for the profile.

   Note: We recommend that you name your profile something generic so it can be reused with other PAN-OS security products (for example, RC Syslog Output). 

5. Click +Add.

6. Name your log forwarding profile match list, and then write a description for the profile match list.

7. From the Log Type dropdown, select threat.

8. From the Filter dropdown, select All Logs.

9. Select Syslog.

10. From the Syslog section, click +Add, and then select the syslog created from Step 2.1.

    

11. Click OK.

     

12. With your Log Forwarding Profile created, click OK.

Step 2.3–Create a Security Policy Rule

Note:

Please ensure that the Security Policy and Zone Protection are configured correctly. For instructions, please read Palo Alto Threat Logs.

1. From your PAN-OS dashboard, click Policies.

2. In the navigation pane, click Security.

   

3. Click +Add.

4. To create a Security Policy Rule, fill in the required information in all of the tabs.

   Note: We recommend that you name your Security Policy Rule something generic so it can be reused with other PAN-OS security products (for example, RC Security Policy). 

5. In the Actions tab’s Action Setting dropdown, select Allow.

6. From the Profile Type dropdown, select Profiles.

7. Customize the type of information you want to send to Red Canary by selecting your profile settings.

8. From the Log Forwarding dropdown, select the syslog created from Step 2.1.

   

9. With all of the required information filled in, click OK.

Generate a PanOS CA certificate to send via Syslog from your PAN-OS device to Red Canary. If you choose to perform this step, you do so before you perform Step 4.

Note: If a self signed CA is not already present, then generate one using the steps below before moving on to Step 3.2.

Step 3.1-Create a local CA

1. Review this article and complete steps 1-4 to configure the PAN-OS syslog monitoring process.

   Note: If a CA certificate is not already present, PAN-OS allows for their firewall to act as a certificate authority. Learn more about creating a certificate authority on a PAN device.

2. From your PAN-OS dashboard, click Device.

3. From the Certificate Management dropdown in the navigation pane, click Certificates.

   

4. Click Generate.

5. Name your certificate.

6. For Common Name, enter the FQDN or IP of your PAN-OS Device.

7. Select Certificate Authority.

   

8. From the Certificate Attributes section, click +Add.

9. From the Type dropdown, select Email.

10. From the Value dropdown, enter your email address.

11. Click Generate.

12. After generating the CA certificate, click Export Certificate.

Step 3.2–Create your PAN-OS Certificate

1. From your PAN-OS dashboard, click Device.

2. From the Certificate Management dropdown in the navigation pane, click Certificates.

   

3. Click Generate.

4. Name your certificate.

5. For Common Name, enter the address you acquired from Red Canary in Step 1.11.

   Note: Ensure you do not copy ":port" when copying the address.

6. From the Signed By dropdown, select the trusted CA or the self-signed CA that you created.

   

7. Click Generate.

8. Click your newly created certificate.

   

9. Select Certificate for Secure Syslog.

   

10. Click OK.

11. From the Device Certificates landing page, click Commit to commit changes, then select the new certificate, and then click Export Certificate.

    

12. Select Export Private Key.

13. Enter a Passphrase.

14. Confirm your Passphrase.

15. Click OK.

    

16. Save the downloaded certificate as you will use it in subsequent steps.

17. With your PAN-OS generated certificate downloaded, log in to Red Canary.

Connect your custom certificates to Red Canary in order to start receiving PAN-OS alerts.

1. From your Red Canary homepage, click Integrations.

   

2. Scroll down, and then select your third-party security source.

3. Click Edit Configuration.

4. Select Use Custom TLS server certificate for ingest over TLS.

5. Upload the certificates you generated in previous steps:

   • Upload a certificate file (PEM or DER)–Upload the server.crt from Step 3.2.

   • Enter the Private key passphrase used to generate the server key from Step 3.2.13.

   • Upload the CA certificate corresponding to your certificate–Upload the ca.crt used to sign the server.crt.

     • Note: The passphrase is only necessary for the PEM or DER certificate created in Step 3.2. 

6. Click Save Configuration.