Our Integration guide was accurate at the time of writing but vendors change things frequently! If you find errors or anything is outdated, let us know by raising a request in the Samurai Help Center and we'll get it updated.
This guide describes the steps required to configure a Palo Alto Networks Next-Generation Firewall to send syslog to Samurai XDR.
1) Configure the Samurai XDR application
- Complete the Palo Alto Networks Next-Generation Firewall integration in the Samurai XDR application
2) Configure the Palo Alto Networks Next-Generation Firewall
Complete the configuration on the Palo Alto Networks Next-Generation Firewall:
- Configure syslog forwarding
- Create Log Forwarding Profiles
- Create URL Filtering Profile
- Create Filtering Profile Group
- Create Security Policy Rule
Configure the Samurai XDR Application
To complete the configuration to receive logs:
- Log in to your Samurai XDR application tenant
- Click Telemetry > Integrations from the main menu
- Click Create
- In the Create Integration screen, find and select Palo Alto Networks Next-Generation Firewall
- The screen shows the Telemetry Collection details and parameters.
- Make a note of the IP Address and Port shown on the screen; they are used in the device configuration below.
- Click Finish
Configure Palo Alto Networks Next-Generation Firewall
Configure Syslog Forwarding
Follow the steps outlined in the Palo Alto Networks documentation to configure your firewall to send logs to your Samurai XDR Secure Syslog Collector.
Use the following parameters when completing the steps:
| Field Name | Parameter |
| --- | --- |
| Server Profile Name | Any name; we suggest NTT_Syslog_Profile |
| Syslog Server | syslog.xdr.security.ntt |
| Transport | TCP |
| Port | Port number of your Samurai XDR Secure Syslog Collector (noted in the Samurai XDR application above) |
| Format | BSD (default) |
| Facility | Keep the default |
| Custom Log Format | Keep the default for every log type |
Once you have configured syslog as described above, you also need to enter the following command from the firewall CLI:
set syslogng ssl-conn-validation explicit OCSP skip CRL skip EKU skip
This command relaxes the OCSP, CRL and EKU certificate checks that PAN-OS applies to SSL syslog connections; the remaining certificate validation is unchanged.
Create Log Forwarding Profiles
Follow the steps outlined in the Palo Alto Networks documentation.
You need to configure log forwarding profiles for each log type as per the table below:
| Field Name | Parameter |
| --- | --- |
| Name | Any name; we suggest NTT_Log_Fwd_Profile |
| Name for each Log Type | Any name; we suggest NTT_<log type>_Fwd_Profile, where <log type> is each log type available |
| Log Type | All (you need to include every log type, e.g. traffic, threat, wildfire) |
| Filter | All logs |
| Forward Method | Select the syslog Server Profile you configured in Configure Syslog Forwarding (we suggested NTT_Syslog_Profile) |
Create URL Filtering Profile
Follow the steps outlined in the Palo Alto Networks documentation.
(Alternatively, modify your existing URL filtering profile(s). If you reuse existing profiles, ensure that no URL category is set to the Allow action unless you do not want that category logged, because the Allow action does not generate a URL log entry.)
| Field Name | Parameter |
| --- | --- |
| Name | Any name; we suggest NTT_URL_Profile |
| Site Access for Each Category | Alert. If your company policy requires Block for certain categories, set those to Block. |
| User Credential Submission for Each Category | Alert. If your company policy requires Block for certain categories, set those to Block. |
| Settings | Ensure Log container page only is not selected |
| HTTP Header Logging | Enable: User-Agent, Referer, X-Forwarded-For |
Create Filtering Profile Group
Follow the steps outlined in the Palo Alto Networks documentation.
Use the following parameters when completing the steps:
| Field Name | Parameter |
| --- | --- |
| Security Profile Group name | Any name; we suggest NTT_Security_Profile |
| Filtering Profiles | All as applicable, e.g. Antivirus, Anti-Spyware, Vulnerability Protection, the URL Filtering profile created in Create URL Filtering Profile, and Enable Packet Capture profiles |
Create Security Policy Rule
Follow the steps outlined in the Palo Alto Networks documentation.
Use the following parameters in the Actions tab when completing the steps:
| Field Name | Parameter |
| --- | --- |
| Profile Setting | Select the Security Profile Group you created in Create Filtering Profile Group (we suggested NTT_Security_Profile) |
| Log at Session Start | Enabled |
| Log at Session End | Enabled |
| Log Forwarding | Select the Log Forwarding Profile you created in Create Log Forwarding Profiles (we suggested NTT_Log_Fwd_Profile) |
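The settings in the tables above are easy to miss on a firewall with many existing rules and profiles. The script below is an added example, not part of this guide or of any Palo Alto Networks or NTT tooling: it audits an exported PAN-OS configuration for the logging settings the guide requires (log at session start and end, the log forwarding profile, an attached security profile group, and no URL categories left on the Allow action). The XML element names and layout are an assumption about the PAN-OS running-config export format, and the sample configuration is constructed for the example.

```python
"""Audit a PAN-OS configuration export for the logging settings this guide requires.
Assumption (not from the guide): element names mirror a PAN-OS running-config export."""
import xml.etree.ElementTree as ET

# Constructed sample: one compliant rule, one rule with logging gaps, and a
# URL filtering profile that still has a category on the "allow" action.
SAMPLE_CONFIG = """<config><devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
  <profiles><url-filtering>
    <entry name="NTT_URL_Profile">
      <alert><member>social-networking</member></alert>
      <allow><member>business-and-economy</member></allow>
      <log-container-page-only>no</log-container-page-only>
    </entry>
  </url-filtering></profiles>
  <rulebase><security><rules>
    <entry name="allow-web">
      <log-start>yes</log-start><log-end>yes</log-end>
      <log-setting>NTT_Log_Fwd_Profile</log-setting>
      <profile-setting><group><member>NTT_Security_Profile</member></group></profile-setting>
    </entry>
    <entry name="legacy-rule">
      <log-end>yes</log-end>
    </entry>
  </rules></security></rulebase>
</entry></vsys></entry></devices></config>"""


def audit_config(xml_text: str, fwd_profile: str) -> list[str]:
    """Return one finding per setting that would leave Samurai XDR without logs."""
    root = ET.fromstring(xml_text)
    findings = []
    for rule in root.iterfind(".//rulebase/security/rules/entry"):
        name = rule.get("name")
        for flag in ("log-start", "log-end"):  # both must be "yes" per the Actions tab
            if rule.findtext(flag) != "yes":
                findings.append(f"rule {name}: {flag} is not enabled")
        if rule.findtext("log-setting") != fwd_profile:
            findings.append(f"rule {name}: log forwarding profile is not {fwd_profile}")
        if rule.find("profile-setting/group/member") is None:
            findings.append(f"rule {name}: no security profile group attached")
    for prof in root.iterfind(".//profiles/url-filtering/entry"):
        allowed = [m.text for m in prof.iterfind("allow/member")]
        if allowed:  # the Allow action produces no URL log entry, so these go unseen
            findings.append(f"url profile {prof.get('name')}: allow action on {', '.join(allowed)}")
        if prof.findtext("log-container-page-only") == "yes":
            findings.append(f"url profile {prof.get('name')}: log container page only is set")
    return findings
```

Run `audit_config` against the output of a configuration export from your own firewall and a finding list of zero means every security rule and URL profile matches the tables above.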
After you have completed the firewall configuration, the integration is discovered automatically as soon as Samurai XDR starts receiving logs from your firewall.