Palo Alto Networks Firewall integration
The Palo Alto Networks Firewall and ESET PROTECT integration enables ingestion and normalization of selected network security indicators (threat logs), providing visibility into network-related threats alongside ESET security events. Indicators are available for investigation in Advanced Search and are correlated into Incidents.
How to enable the integration
Prerequisites
Before setting up the integration, complete the following prerequisites:
•Ensure you are using Palo Alto Networks PAN-OS version 11.1.10 or later. Earlier versions are not recommended and may cause the integration to fail or expose known security vulnerabilities.
•Ensure you have configured Palo Alto Firewall with a static IP address.
•Configure Syslog monitoring in Palo Alto using the steps below.
If you are using Panorama, configure the Syslog server profile and the Syslog forwarding in Panorama instead, then commit and push the changes to the Palo Alto Firewall. Note that security policy rules managed by Panorama generally take precedence over locally configured firewall policies.
1.Configure the Syslog server profile with the following values in Palo Alto:
•Syslog Server—The DNS name of your Syslog server based on its region: eu.security-integration.eset.systems, us.security-integration.eset.systems, jpn.security-integration.eset.systems, ca.security-integration.eset.systems, de.security-integration.eset.systems
•Transport—SSL
•Port—6514
•Format—IETF
2.Configure Syslog forwarding for the Threat logs in Palo Alto. Ensure you specify the Threat log type in the Log Forwarding Profile Match List and assign your log forwarding profile to the Security Policy rule to enable Threat logs to be generated when a detection is found:
•Action Setting > Action—Allow
•Profile Setting > Profile Type—Group or Profiles; set the relevant profile types (Antivirus, Vulnerability Protection, Anti-Spyware, etc.) as Default instead of None to generate threat logs.
•Log Setting > Log Forwarding—your log forwarding profile
Security Policy rules are evaluated sequentially, from left to right and from top to bottom. Ensure that an earlier, broader rule does not match the traffic before the policy you create. For more information, refer to the Palo Alto Security Policy article.
Do not configure the Traffic log type. Only the Threat log type needs to be forwarded; no other log types are required, and the Syslog message header format does not need to be customized.
3.Create the Certificate for secure Syslog communication in Palo Alto. Using the Export a Certificate instructions, export both the created public certificate and its Certificate Authority (the parent entry of the created certificate, marked as CA) with the following options:
•File Format—Base64 Encoded Certificate (PEM)
•Export Private Key—Leave this check box deselected so that the private key never leaves the firewall.
If you do not have the Certificate Authority, you can create a Self-Signed Root CA Certificate. You need to provide both the exported public certificate and Certificate Authority during the integration setup in the ESET PROTECT Web Console.
4.Commit the changes.
Integration setup in ESET PROTECT Web Console
To install and set up the integration application, select the ESET PROTECT Web Console > Integrations > Marketplace and follow the steps below.
1.On the Marketplace page, find Palo Alto Networks Firewall and click Connect.
2.Review the integration requirements and click Begin Setup.
3.In Prerequisite Configurations, verify the prerequisites are completed and select the I confirm I have completed all necessary configurations in Palo Alto check box. Click Continue.
4.In General Setup, complete the following fields. Then, click Continue.
•Name (optional)—Type a distinctive name for the integration.
•Description (optional)—Type a description of your choice.
5.In IP and Certificate, complete the following fields. Then, click Continue.
•Static Public IP addresses—Provide the static public egress (source NAT) IP address or addresses (separated by semicolon) that your Palo Alto Firewall's outbound traffic uses to reach the internet.
•Certificate—Upload the public certificate for secure Syslog communication exported from Palo Alto in the Base64 Encoded Certificate (PEM) format. The certificate must be unique and not associated with any other Palo Alto Networks integration within ESET.
•Certificate Authority—Upload the Certificate Authority of the created public certificate exported from Palo Alto.
6.In Supporting Certificates, download the provided certificate files, both Server Certificate and Certificate Authority, and import them to Palo Alto using the Import a Certificate instructions. Click Continue.
7.In Summary, review your settings and click Finish. It may take up to five minutes to complete the integration setup.
Integration verification and troubleshooting
When the integration setup is complete, the forwarded logs from Palo Alto appear in the ESET PROTECT Web Console > Advanced Search.
You can check the generated Threat logs in Palo Alto Web Interface > Logs > Threat. Only log entries that match the security policy rule to which the Syslog log forwarding profile is assigned are forwarded.
Additionally, you can check logs by running the tail mp-log logrcvr.log command in the Palo Alto Firewall console. If the command returns error messages, the configuration may contain issues. The following examples describe common error messages and their causes.
| Issue cause | Returned message |
|---|---|
| The client configured log forwarding with an incorrect DNS name and/or an incorrect Port. | Info: [Syslog] Triggered offline log purger for system log type. Error: [COMM] Cannot connect. remote ip=<IP Address> port=<Port> err=Connection timed out(110) Info: Connecting to remote address <IP Address> @ fd -1 Error: [Server connect] Failed to connect to server: <IP Address> Error: [Server connect] Failed to connect to ip address: <IP Address>. Timing out. Error: [Socket init] Failed to initialize socket. |
| The client configured log forwarding, but set the Transport to TCP instead of SSL. | Error: [Syslog] TCP send failure, socket is broken errno (32) Info: Created new cache socket:1024 for <Server> |
| The client uploaded their own Certificate Authority and certificate, but did not mark the certificate as a Secure Syslog Connection. | Error: [Syslog] Connection reset. |
| The client uploaded the server certificate, but did not upload the server Certificate Authority. | Error: [secure_conn] Verification of server certificate was unsuccessful: unable to get local issuer certificate. Error: [SSL_connect] Error during SSL connection. Info: Server IPv4 address: <IP Address> Info: Successfully resolved FQDN IP (<IP Address>) Info: Client starting. addr=<IP Address> port=6515 Error: [COMM] Cannot connect. remote ip=<IP Address> port=6515 err=Connection refused(111) Info: Connecting to remote address <IP Address> @ fd -1 Error: [Server connect] Failed to connect to server: <IP Address> Error: [Socket init] Failed to initialize socket. |
| The client uploaded the server Certificate Authority but did not upload the required server certificate. | Error: [Certificate verification] Verification of the client certificate against the authorized list failed. Error: [Peer identity check] Failed to verify the peer identity for server IP: <IP Address>. Connection rejected. Error: [X509 validation] Validation of IP address from X509 certificate failed. |
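As an added example (not part of the ESET or Palo Alto documentation), the following Python script applies the message patterns from the table above to an excerpt of logrcvr.log and reports the probable misconfiguration for each matching line. It also flags any line whose port is not 6514, the port required by the Syslog server profile, since a wrong port produces only generic socket errors. The sample log lines and the 203.0.113.10 address are constructed for illustration; the mapping of messages to causes is the table's, not a new diagnosis.

```python
import re
from collections import Counter

EXPECTED_PORT = 6514  # SSL syslog port from the Syslog server profile step

# Regex over one logrcvr.log line -> probable cause, taken from the
# troubleshooting table. First match wins, so the specific TLS verification
# errors are listed before the generic socket errors.
RULES = [
    (r"unable to get local issuer certificate",
     "server Certificate Authority not imported or not trusted"),
    (r"Verification of the client certificate against the authorized list failed",
     "server certificate not imported, only the Certificate Authority"),
    (r"Validation of IP address from X509 certificate failed",
     "server certificate not imported, only the Certificate Authority"),
    (r"TCP send failure, socket is broken errno \(32\)",
     "Transport set to TCP instead of SSL"),
    (r"\[Syslog\] Connection reset",
     "certificate not marked for Secure Syslog Connection"),
    (r"err=Connection timed out\(110\)",
     "wrong Syslog Server DNS name and/or Port"),
]
COMPILED = [(re.compile(p), cause) for p, cause in RULES]
PORT_RE = re.compile(r"\bport=(\d+)")


def classify_line(line):
    """Return the list of findings for one logrcvr.log line (empty if benign)."""
    findings = []
    for pattern, cause in COMPILED:
        if pattern.search(line):
            findings.append(cause)
            break
    # Any port other than 6514 is wrong regardless of the error text.
    m = PORT_RE.search(line)
    if m and int(m.group(1)) != EXPECTED_PORT:
        findings.append(f"port {m.group(1)} configured (expected {EXPECTED_PORT})")
    return findings


def diagnose(log_text):
    """Count probable causes across a whole log excerpt."""
    causes = Counter()
    for line in log_text.splitlines():
        causes.update(classify_line(line))
    return causes


# Constructed sample modelled on the messages in the table above; the
# address is from the RFC 5737 documentation range, not a real endpoint.
SAMPLE_LOG = """\
Info: Successfully resolved FQDN IP (203.0.113.10)
Info: Client starting. addr=203.0.113.10 port=6515
Error: [COMM] Cannot connect. remote ip=203.0.113.10 port=6515 err=Connection refused(111)
Error: [secure_conn] Verification of server certificate was unsuccessful: unable to get local issuer certificate.
Error: [SSL_connect] Error during SSL connection.
Info: Created new cache socket:1024 for eu.security-integration.eset.systems
"""

if __name__ == "__main__":
    for cause, count in diagnose(SAMPLE_LOG).most_common():
        print(f"{count:2d}x  {cause}")
```

Run it against the output of `tail mp-log logrcvr.log` saved to a file by passing that text to `diagnose()`; a line that matches no rule and uses port 6514 produces no finding, so a clean run prints nothing.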