Integrate Palo Alto Networks Threat Prevention with Red Canary

Create a Red Canary generated-URL to send Palo Alto alerts for ingestion.

1. From your Red Canary homepage, click Integrations. If you do not see the required integration, click See all integrations.

   

2. In the search bar, type and then select Palo Alto Networks Threat Prevention.

   

3. Click Configure.

4. Click Edit Configuration.

5. Enter a Name for your external alert source.  

6. Select a Display Category.

7. Under the Ingest Format/Method dropdown, select Palo Alto Networks Threat via Syslog.

8. Click Save Configuration.

9. Click Edit Configuration.

10. Click Activate.

11. Red Canary will generate a URL and Port number that you will use to input into your Palo Alto account. Copy and save this number as you will use it in subsequent steps.

    

12. With your Red Canary URL generated, log in to your PAN-OS device of choice.

Step 2.1–Create a Syslog Profile

1. From your PAN-OS dashboard, click Device.

2. From the Server Profiles dropdown in the navigation pane, click Syslog.

   

3. Click +Add.

4. Name your Syslog Profile.

5. Click +Add.

6. Name your Syslog Server.

7. Copy and paste the syslog server URL address from Step 1.12.

8. From the Transport dropdown, select SSL.

9. In the Port section, enter the Port number from Step 1.12. 

10. From the Format dropdown, select BSD.

11. From the Facility dropdown, select LOG_User.

12. Click OK.

Step 2.2–Create a Log Forwarding Profile

1. From your PAN-OS dashboard, click Objects.

2. In the navigation pane, click Log Forwarding.

   

3. Click +Add.

4. Name your log forwarding profile, and then write a description for the profile.

   Note: We recommend that you name your profile something generic so it can be reused with other PAN-OS security products (for example, RC Syslog Output). 

5. Click +Add.

6. Name your log forwarding profile match list, and then write a description for the profile match list.

7. From the Log Type dropdown, select threat.

8. From the Filter dropdown, select All Logs.

9. From the Syslog section, click +Add, and then select the syslog created from Step 2.1.

10. Click OK. 

11. With your Log Forwarding Profile created, click OK.

    

Step 2.3–Create a Security Policy Rule

1. From your PAN-OS dashboard, click Policies.

2. In the navigation pane, click Security.

   

3. Click +Add.

4. To create a Security Policy Rule, fill in the required information in all of the tabs.

   Note: We recommend that you name your Security Policy Rule something generic so it can be reused with other PAN-OS security products (for example, RC Security Policy). 

5. In the Actions tab’s Action dropdown, select Allow.

6. From the Profile Type dropdown, select Profiles.

7. Customize the type of information you want to send to Red Canary by selecting your profile settings.

8. From the Log Forwarding dropdown, select RC Syslog Output.

9. With all of the required information filled in, click OK.

Generate a PanOS CA certificate to send via Syslog from your PAN-OS device to Red Canary. If you choose to perform this step, you do so before you perform Step 4.

Note: If a self signed CA is not already present, then generate one using the steps below before moving on to Step 3.2.

Step 3.1-Create a local CA

1. Review this article and complete steps 1-4 to configure the PAN-OS syslog monitoring process.

   Note: If a CA certificate is not already present, PAN-OS allows for their firewall to act as a certificate authority. Learn more about creating a certificate authority on a PAN device.

2. From your PAN-OS dashboard, click Device.

3. From the Certificate Management dropdown in the navigation pane, click Certificates.

   

4. Click Generate.

5. Name your certificate.

6. For Common Name, enter the URL address you acquired from Red Canary in Step 1.12.

7. From the Signed By dropdown, select the trusted CA or the self-signed CA that the syslog server and the firewall both trust.

   Note: The certificate can’t be a Certificate Authority nor an External Authority (certificate signing request [CSR]).

8. Select Certificate Authority.

   

9. From the Certificate Attributes section, click +Add.

10. From the Type dropdown, select Email.

11. From the Value dropdown, enter your email address.

12. Click Generate.

13. After generating the CA certificate, click Export Certificate.

14. Click your newly created certificate, and then select Certificate for Secure Syslog.

    

    

15. Click OK.

16. From the Device Certificates landing page, select your new certificate, and then click Export Certificate.

    

17. Select Export Private Key.

18. Enter a Passphrase.

19. Copy and save this Passphrase for future reference.

20. Confirm your Passphrase.

21. Click OK.

    

22. Save the downloaded certificate as you will use it in subsequent steps.

23. With your PAN-OS generated CA certificate downloaded, log in to Red Canary.

Step 3.2–Create your PAN-OS Certificate

1. From your PAN-OS dashboard, click Device.

2. From the Certificate Management dropdown in the navigation pane, click Certificates.

   

3. Click Generate.

4. Name your certificate.

5. For Common Name, enter the address you acquired from Red Canary in Step 1.12.

6. From the Signed By dropdown, select the trusted CA or the self-signed CA that the syslog server and the firewall both trust.

7. Click Generate.

8. Click your newly created certificate.

   

9. Select Certificate for Secure Syslog.

   

10. Click OK.

11. From the Device Certificates landing page, click Commit to commit changes, then select the new certificate, and then click Export Certificate.

    

12. Select Export Private Key.

13. Enter a Passphrase.

14. Confirm your Passphrase.

15. Click OK.

    

16. Save the downloaded certificate as you will use it in subsequent steps.

17. With your PAN-OS generated certificate downloaded, log in to Red Canary.

Connect your custom certificates to Red Canary in order to start receiving PAN-OS alerts.

To return to a pre existing integration:

1. From your Red Canary homepage, click Integrations.
   

2. Scroll down, and then select your third-party security source.

3. Click Edit Configuration.

4. From your Red Canary dashboard click Integrations.

5. To configure your new alert source, scroll down and click Palo Alto Networks Threat Prevention.

6. Click Edit Configuration.

7. Select Use Custom TLS server certificate for ingest over TLS.

8. Upload the certificates you generated in previous steps:

   1. Upload a certificate file (PEM or DER)–Upload the server.crt from Step 3.2.

   2. Enter the Private key passphrase used to generate the server key from Step 3.1.18.

   3. Upload the CA certificate corresponding to your certificate–Upload the ca.crt used to sign the server.crt.

      • Note: The passphrase is only necessary for the PEM or DER certificate created in Step 3.2. 

9. Click Save Configuration.