- 24 Jul 2024
- 4 Minutes to read
- PDF
Integrate Palo Alto Networks WildFire with Red Canary via Syslog
Palo Alto Networks WildFire provides critical insights into malicious file behavior. By integrating WildFire with Red Canary through syslog, you can significantly enhance your threat detection and response capabilities. This integration enables the seamless transfer of crucial threat intelligence data directly to Red Canary's advanced analytics platform. To integrate Palo Alto Networks WildFire with Red Canary via syslog, follow the procedure below from beginning to end.
Step 1: Red Canary–Create your Red Canary provided-URL
Create a Red Canary provided-URL to send PAN-OS alerts for ingestion.
From your Red Canary homepage, click Integrations. If you do not see the required integration, click See all integrations.
In the search bar, type and then select Palo Alto Networks WildFire.
Click Configure.
Click Edit Configuration.
Enter a Name for your external alert source.
Select a Display Category.
Under the Ingest Format/Method dropdown, select Palo Alto Networks WildFire via Syslog.
Click Save Configuration.
Click Edit Configuration.
Click Activate.
Red Canary will generate a URL and port number that you will enter into your PAN-OS device. Copy and save both values, as you will use them in subsequent steps.
With your Red Canary URL generated, log in to your PAN-OS device of choice.
Step 2: Your PAN-OS Device–Generate a PAN-OS certificate
Generate a PAN-OS custom certificate to send syslogs from your PAN-OS device to Red Canary.
Step 2.1–Create a Syslog Profile
From your PAN-OS dashboard, click Device.
From the Server Profiles dropdown in the navigation pane, click Syslog.
Click +Add.
Name your Syslog Profile.
Click +Add.
Name your Syslog Server.
Copy and paste the syslog server URL address from Step 1.12.
From the Transport dropdown, select SSL.
In the Port section, enter the Port number from Step 1.12.
From the Format dropdown, select BSD.
From the Facility dropdown, select LOG_USER.
Click OK.
Step 2.2–Create a Log Forwarding Profile
Click Objects.
In the navigation pane, click Log Forwarding.
Click +Add.
Name your log forwarding profile, and then write a description for the profile.
Click +Add.
Name your log forwarding profile match list, and then write a description for the profile match list.
From the Log Type dropdown, select wildfire.
From the Filter dropdown, select All Logs.
From the Syslog section, click +Add, and then select the syslog profile created in Step 2.1.
Click OK.
With your Log Forwarding Profile created, click OK.
Step 2.3–Create a Security Policy Rule
Click Policies.
In the navigation pane, click Security.
Click +Add.
To create a Security Policy Rule, fill in the required information in all of the tabs.
Once you get to the Actions tab, from the Action dropdown, select Allow.
From the Profile Type dropdown, select Profiles.
From the WildFire Analysis dropdown, select default.
From the Log Forwarding dropdown, select Wildfire Syslog Output.
With all of the required information filled in, click OK.
Step 2.4–Export your PAN-OS certificate
Click Device.
From the Certificate Management dropdown in the navigation pane, click Certificates.
Click Generate.
Name your certificate.
For Common Name, enter the address you acquired from Red Canary in Step 1.12.
From the Signed By dropdown, select the trusted CA or the self-signed CA that the syslog server and the firewall both trust.
Note: The certificate can’t be a Certificate Authority or an External Authority (certificate signing request [CSR]).
Click Generate.
Click your newly created certificate, and then select Certificate for Secure Syslog.
Click OK.
From the Device Certificates landing page, select the new certificate, and then click Export Certificate.
Select Export Private Key.
Enter a Passphrase.
Confirm your Passphrase.
Click OK.
With your PAN-OS generated certificate downloaded, log in to Red Canary.
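Before you upload the exported file in Step 4, you can confirm that it meets the two requirements from Step 2.4: the Common Name equals the address Red Canary generated, and the certificate is not a Certificate Authority. The following script is an added example, not part of the Red Canary or Palo Alto Networks documentation. It assumes the openssl command-line tool is installed; the helper names check_syslog_cert and make_sample_cert and the host name syslog.example.invalid are hypothetical.

```shell
#!/bin/sh
# Added example: checks an exported certificate against the Step 2.4 rules.
# Assumes the openssl CLI is installed. Helper names and the host name
# syslog.example.invalid are hypothetical placeholders.

# check_syslog_cert FILE HOST: prints "ok" or the failure reason.
check_syslog_cert() {
    cert=$1; host=$2
    # Step 4 accepts PEM or DER, so try both encodings.
    if openssl x509 -in "$cert" -inform PEM -noout 2>/dev/null; then form=PEM
    elif openssl x509 -in "$cert" -inform DER -noout 2>/dev/null; then form=DER
    else echo "not a PEM or DER certificate"; return 1
    fi
    # Common Name must equal the address Red Canary generated in Step 1.
    cn=$(openssl x509 -in "$cert" -inform "$form" -noout -subject \
            -nameopt RFC2253 | sed -n 's/^subject= *//; s/.*CN=\([^,]*\).*/\1/p')
    if [ "$cn" != "$host" ]; then
        echo "CN '$cn' does not match '$host'"; return 1
    fi
    # The Step 2.4 note: the certificate can't be a Certificate Authority.
    if openssl x509 -in "$cert" -inform "$form" -noout -text |
            grep -q 'CA:TRUE'; then
        echo "certificate is a CA"; return 1
    fi
    echo "ok"
}

# make_sample_cert DIR CN TRUE|FALSE: constructed self-signed test input.
make_sample_cert() {
    printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=ext' \
        'prompt=no' '[dn]' "CN=$2" '[ext]' "basicConstraints=CA:$3" \
        > "$1/req.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1/req.cnf" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# Demo on constructed input; replace with: check_syslog_cert server.crt <host>
demo_dir=$(mktemp -d)
make_sample_cert "$demo_dir" syslog.example.invalid FALSE
check_syslog_cert "$demo_dir/cert.pem" syslog.example.invalid
rm -rf "$demo_dir"
```

The function returns a non-zero status on any failure, so it can gate the upload in a script.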
Step 3: Your PAN-OS Device–Create a Certificate Authority (CA) (Optional)
Generate a PAN-OS CA certificate to send syslogs from your PAN-OS device to Red Canary. If you choose to perform this step, do so before you perform Step 4.
Review this article and complete steps 1-4 to configure the PAN-OS syslog monitoring process.
Note: If a CA certificate is not already present, PAN-OS allows the firewall to act as a certificate authority. Learn more about creating a certificate authority on a PAN device.
From your PAN-OS dashboard, click Device.
From the Certificate Management dropdown in the navigation pane, click Certificates.
Click Generate.
Name your certificate.
For Common Name, enter the URL address you acquired from Red Canary in Step 1.12.
From the Signed By dropdown, select the trusted CA or the self-signed CA that the syslog server and the firewall both trust.
Note: The certificate can’t be a Certificate Authority or an External Authority (certificate signing request [CSR]).
Select Certificate Authority.
From the Certificate Attributes section, click +Add.
From the Type dropdown, select Email.
From the Value dropdown, enter your email address.
Click Generate.
Click your newly created certificate, and then select Certificate for Secure Syslog.
Click OK.
From the Device Certificates landing page, select your new certificate, and then click Export Certificate.
Select Export Private Key.
Enter a Passphrase.
Copy and save this Passphrase for future reference.
Confirm your Passphrase.
Click OK.
Save the downloaded certificate, as you will use it in subsequent steps.
With your PAN-OS generated CA certificate downloaded, log in to Red Canary.
Step 4: Red Canary–Upload your PAN-OS certificates to Red Canary
Connect your custom certificates to Red Canary in order to start receiving PAN-OS alerts.
From your Red Canary homepage, click Integrations.
Scroll down, and then select your third-party security source.
Click Edit Configuration.
Select Use Custom TLS server certificate for ingest over TLS.
Upload the certificates you generated in Step 2.
Upload a certificate file (PEM or DER)–Upload the server.crt from Step 2.4.
Click Save Configuration.