15/07/2019 Azure Sentinel Connector with Palo Alto Firewalls | IT Calls Blog
https://itcalls.net/azure-sentinel-connector-with-palo-alto-firewalls/ 1/12
AZURE SENTINEL CONNECTOR WITH PALO ALTO FIREWALLS
Posted by Ahmed Nabil | Jun 5, 2019 | Azure Sentinel
In my previous article, I introduced the basic configuration of Azure Sentinel and its different connector options, such as Office 365. This article shows another type of connector, the Palo Alto connector. One of the rich features of Azure Sentinel is that it offers connectors for Microsoft products as well as for third-party solutions.
WHY A PALO ALTO CONNECTOR WITH AZURE SENTINEL?
The power of any SIEM, whether a traditional one or a cloud SIEM such as Sentinel, is to aggregate and collect logs from multiple different sources. The firewall on the edge of your corporate network is an ideal candidate: all company traffic for internal users passes through the firewall in both directions. Passing this traffic to the Sentinel SIEM allows you to run queries and analytics on these logs smoothly. Remember, the main idea is to connect all sources of traffic and user actions to Sentinel for analysis.
The process of connecting a Palo Alto firewall to Azure Sentinel is straightforward. First you need a syslog agent machine or VM, which can be on-premises or created in the cloud; the Microsoft configuration can automatically create one for you in the Azure Sentinel workspace. Secondly you need to forward the logs from the firewall appliance or virtual machine to the syslog machine created earlier. Finally, if the connector does not show as connected after configuration, you will need to validate the connection.
AZURE SENTINEL AND PALO ALTO CONNECTOR CONFIGURATION
First we need to add a new connector to Azure Sentinel for the Palo Alto device. Navigate to Azure Sentinel – Connectors.
Choose Palo Alto Networks and click Configure.
SYSLOG CONFIGURATION, AUTOMATIC OR MANUAL?
The first step of the configuration is the syslog agent. As I mentioned earlier, you can have it on-premises or in the cloud. If there is an existing on-premises syslog server, pick Manual and follow the steps to install the Sentinel agent on it. In our case/demo I will go with automatic deployment: click Automatic agent deployment. This takes us to the creation of a new VM that will be used as the syslog machine, with the Sentinel agent preloaded automatically. The wizard will also start this machine and provide you with the details you need, such as its IP address. Take note that the syslog facility for this machine is Local4.
Automatic deployment will take you to a template for creating a new virtual machine. Make sure to pick your subscription and the resource group pointing to the Sentinel workspace. Create a name, admin username and password for the VM; these are important later for validation and any troubleshooting. Finally click Purchase.
Next, from your Azure portal navigate to Virtual Machines. Open the virtual machine that was created in the previous step. Make sure it is in the Sentinel workspace, then take note of its public IP. Finally ensure it is up and running.
Now it is time to switch to our Palo Alto firewall device. Go to Device, then Syslog, to configure our syslog settings.
Create a new syslog profile for Sentinel forwarding. In the Syslog server field add the public IP address of your syslog agent VM. Finally ensure you are using BSD format and facility Local4.
CEF CUSTOM LOG FORMAT
Click on Custom Log Format. This is a tricky and critical step for getting your logs into Azure Sentinel. First we need to configure the Palo Alto to send the logs in CEF format so that the Azure Sentinel syslog agent can process them. For more info please check the Palo Alto CEF configuration guides here. Pick the guide that matches your Palo Alto operating system version. I picked the latest version, PAN-OS 8.0, and on page 10 you can find examples of the CEF format. Next you need to copy each custom format into its log type (for example the Threat or Traffic log type, as shown below).
However, as per Microsoft's recommendation and my own experience, copying directly from the PDF will corrupt some of the data: a few characters may get dropped or replaced. So you need to check the copied text carefully to ensure the syntax is correct. I found a few blogs and sites with clear-text CEF formats that you can copy instead of the PDF, for example the IBM syslog configuration for Palo Alto. It is very handy and you can copy directly from it. CEF (Common Event Format) is a widely supported format that most devices can emit. Finally, click OK to save your settings.
Next you need to go to Objects – Log Forwarding. Create a new log forwarding profile that forwards logs to the Azure Sentinel syslog profile created earlier.
In the log profile details, configure your log type and filter. This specifies which logs will be sent to Sentinel. Pick the log types for which you configured the custom CEF format earlier; these are the ones that can show up in Azure Sentinel.
SYSLOG FORWARDING PROFILE
Next we need to assign this log forwarding profile to our security rules. Go to Policies, then Security. Typically I would select the most general security policy, the one applied to all users accessing the internet. Remember, we want all traffic going out through the Palo Alto device to be sent to Azure Sentinel.
In the security policy's Actions tab, ensure the log forwarding setting points to the log forwarding profile created earlier; this profile contains all the Azure Sentinel settings. Finally click OK, then Commit. We are done with the firewall part of the configuration.
Moving back to the Azure Sentinel Palo Alto connector, give it some time, around 1 hour. If it is still not shown as connected, move to step 3, which validates the connection for troubleshooting.
In my case there was one missing thing that needed to be configured and checked. Go to the Azure Sentinel workspace settings, then Advanced settings – Data – Syslog. Ensure the facility configured for this workspace is Local4. In my case nothing was displayed, so I added Local4, ensured all log levels were enabled and saved it.
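Two things in this walkthrough decide whether a line is ingested: the syslog facility (Local4 on the agent VM, the firewall profile and the workspace) and an intact CEF header, which copy/paste from the PDF can damage. The script below is an added example, not code from the post, from Palo Alto Networks or from Microsoft: it decodes a BSD-syslog line carrying a CEF payload as the agent VM would receive it and reports both problems. The sample lines are constructed and only modelled on a PAN-OS traffic event; the exact field layout is an assumption.

```python
import re

LOCAL4 = 20  # syslog facility number for local4, the facility the post sets on the agent VM and the firewall
PRI_RE = re.compile(r"^<(\d{1,3})>")  # BSD syslog priority prefix: PRI = facility * 8 + severity

def split_cef(message):
    """Split 'CEF:0|vendor|product|version|sigid|name|sev|ext' into its 7 header fields and an extension dict."""
    if not message.startswith("CEF:"):
        raise ValueError("no CEF payload")
    # assumption: header fields of a firewall event contain no '|', so a plain maxsplit is enough
    parts = message[4:].split("|", 7)
    if len(parts) < 8:
        raise ValueError("CEF header has %d of 7 fields (pipe lost?)" % (len(parts) - 1))
    # extension values (e.g. rt=Jun 05 2019 10:00:00 GMT) may contain spaces, so cut at the next 'key='
    pairs = re.findall(r"(\w+)=(.*?)(?=\s+\w+=|$)", parts[7])
    return parts[:7], dict(pairs)

def parse_syslog_cef(line):
    """Decode the BSD <PRI> header and the CEF payload of one forwarded firewall line."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("no BSD <PRI> header")
    pri, idx = int(m.group(1)), line.find("CEF:")
    header, ext = split_cef(line[idx:] if idx >= 0 else "")
    return {"facility": pri >> 3, "severity": pri & 7, "vendor": header[1], "product": header[2],
            "version": header[3], "signature_id": header[4], "name": header[5],
            "cef_severity": header[6], "ext": ext}

def check_line(line):
    """Return the problems that would keep this line out of the Sentinel Palo Alto connector."""
    try:
        rec = parse_syslog_cef(line)
    except ValueError as e:
        return [str(e)]
    problems = []
    if rec["facility"] != LOCAL4:
        problems.append("facility %d is not local4 (%d)" % (rec["facility"], LOCAL4))
    if rec["vendor"] != "Palo Alto Networks":
        problems.append("unexpected vendor %r" % rec["vendor"])
    if any(not k.isascii() for k in rec["ext"]):  # PDF copy/paste can replace 'fi' with a ligature etc.
        problems.append("non-ASCII extension key (corrupted copy?)")
    return problems

# Constructed sample lines (not real firewall output); <166> = local4.info, <134> = local0.info
GOOD = "<166>Jun  5 10:00:00 PA-FW CEF:0|Palo Alto Networks|PAN-OS|8.0|end|TRAFFIC|1|rt=Jun 05 2019 10:00:00 GMT src=10.0.0.5 dst=8.8.8.8 dpt=53"
BAD_FACILITY = GOOD.replace("<166>", "<134>", 1)          # firewall profile left on the wrong facility
BAD_PIPE = GOOD.replace("|TRAFFIC|1|", "|TRAFFIC 1|", 1)  # a pipe lost while copying the format from the PDF
BAD_KEY = GOOD + " ﬁleId=0"                               # 'fi' ligature pasted from the PDF instead of 'fi'
```

Running check_line over a capture from the agent VM tells you which of the three settings to revisit before waiting another hour on the connector.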
That should do the trick and set up your Palo Alto connector. Finally you can install the Palo Alto dashboards and give it some time to see the logs flowing into your Sentinel workspace.
CONCLUSION
I like the idea of having out-of-the-box connectors available for the Azure Sentinel SIEM. This enriches my SIEM dashboard and connects all critical traffic to Sentinel, which allows further analysis and investigations. Remember, Azure Sentinel is in Preview and free of charge for now. Why wait? Go ahead and give it a try.
Hopefully this post was informative, and until we meet in another Azure Sentinel article.
ABOUT THE AUTHOR
Ahmed Nabil
Ahmed Nabil has more than 17 years of experience in the field of Information Technology/Systems, Infrastructure, Project Management, Information Security, Application development/Automation and IT management, and holds several professional IT certifications from Microsoft, CISCO, ISACA, ISC2, PMI, CWNP, PECB and EC-Council. Ahmed is an industry expert in Information Security and Digital Transformation, a public speaker at several international conferences and the author of several articles published in different international security magazines.