
15/07/2019 Azure Sentinel Connector with Palo Alto Firewalls | IT Calls Blog

https://itcalls.net/azure-sentinel-connector-with-palo-alto-firewalls/

AZURE SENTINEL CONNECTOR WITH PALO ALTO FIREWALLS

Posted by Ahmed Nabil | Jun 5, 2019 | Azure Sentinel

In my previous article, I introduced the basic configuration of Azure Sentinel and its connector options, such as Office 365. This article covers another type of connector: the Palo Alto connector. One of the rich features of Azure Sentinel is its range of connectors, both for Microsoft products and for third-party solutions.

 

WHY A PALO ALTO CONNECTOR WITH AZURE SENTINEL?


The power of any SIEM, whether traditional or a cloud SIEM such as Sentinel, lies in aggregating and collecting logs from many different sources. The firewall at the edge of your corporate network is an ideal candidate: all company traffic in both directions, for every internal user, passes through the firewall. Forwarding this traffic to the Sentinel SIEM lets you run queries and analytics on these logs smoothly. Remember, the main idea is to connect all sources of traffic and user activity to Sentinel for analysis.

 

Connecting a Palo Alto firewall to the Azure Sentinel SIEM is straightforward. First, you need a syslog agent machine or VM, which can be on-premises or created in the cloud; the Microsoft configuration can create one for you automatically in the Azure Sentinel workspace. Second, you forward the logs from the firewall appliance or virtual machine to that syslog machine. Finally, you validate the connection if it does not work after configuration.

 

AZURE SENTINEL AND PALO ALTO CONNECTOR CONFIGURATION

First we need to add a new connector to Azure Sentinel for the Palo Alto device. Navigate to Azure Sentinel – Connectors.

 


 

Choose Palo Alto Networks and click Configure.

 

 

SYSLOG CONFIGURATION, AUTOMATIC OR MANUAL?

The first step of the configuration is the syslog agent. As mentioned earlier, it can run on-premises or in the cloud. If there is an existing on-premises syslog server, pick Manual and follow the steps to install the Sentinel agent on it. In this demo I will go with automatic deployment: click Automatic agent deployment. This takes us to create a new VM that will serve as the syslog machine, preloaded with the Sentinel agent. The machine is then started and you are given the details you need, such as its IP address. Take note that this machine's syslog facility is Local4.


 

Automatic deployment takes you to a template for creating a new virtual machine. Make sure to pick the subscription and resource group of the Sentinel workspace. Set a name, admin username and password for the VM; you will need these later for validation and any troubleshooting. Finally, click Purchase.

 


Next, from your Azure portal navigate to Virtual Machines and open the virtual machine created in the previous step. Make sure it is in the Sentinel workspace, take note of its public IP, and ensure it is up and running.

 

 

Now it is time to switch to the Palo Alto firewall. Go to Device, then Syslog, to configure the syslog settings.

 

 

Create a new syslog profile for Sentinel forwarding. As the syslog server, add the public IP address of your syslog agent VM. Finally, ensure you are using BSD format and facility Local4.

 


 

CEF CUSTOM LOG FORMAT

Click Custom Log Format. This is a tricky and critical step in getting your logs into Azure Sentinel. We need to configure the Palo Alto device to send the logs in CEF format so that they can be processed by the Azure Sentinel syslog connector. For more information, check the Palo Alto CEF configuration guides here. Pick the guide that matches your PAN-OS version. I picked the latest, OS version 8.0, and on page 10 you can find examples of the CEF format. Next, copy each custom format into its log type (for example the Threat or Traffic log type, as shown below).

However, as Microsoft recommends and in my experience, copying directly from the PDF corrupts some data: a few characters may be dropped or replaced. So check them carefully after the copy to ensure the syntax is correct. I found a few blogs and sites with clear-text CEF formats that you can copy instead of the PDF, for example the IBM syslog configuration for Palo Alto; it is very handy and you can copy directly from it. CEF (Common Event Format) is a widely supported format that most devices can emit. Finally, click OK to save your settings.
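The copy-corruption problem described above is easy to catch mechanically before the string goes into the firewall. The following Python script is an added example, not code from the original post, Palo Alto Networks or Microsoft: it scans a pasted CEF custom-format string for the characters PDF extraction typically substitutes (curly quotes, en dashes, non-breaking spaces, fi/fl ligatures, zero-width spaces), checks that the CEF header has its seven pipe-delimited fields, and checks that the extension consists of key=value pairs. The sample format string is constructed for the example and only modelled on the Palo Alto CEF guide; use the exact string from the guide for your PAN-OS version.

```python
"""Sanity-check a CEF custom log format string that was copied from a PDF.

Added example for this post; not code from the original article,
Palo Alto Networks or Microsoft.
"""
import re
import unicodedata

# Substitutions that PDF copy/paste commonly makes for plain ASCII characters.
# Each maps the substituted character back to what the guide actually contains.
PDF_SUBSTITUTIONS = {
    "\u2018": "'", "\u2019": "'",    # curly single quotes
    "\u201c": '"', "\u201d": '"',    # curly double quotes
    "\u2013": "-", "\u2014": "-",    # en dash / em dash for a hyphen
    "\u00a0": " ",                   # non-breaking space
    "\ufb01": "fi", "\ufb02": "fl",  # fi / fl ligatures
    "\u200b": "",                    # zero-width space
}

CEF_HEADER_FIELDS = 7  # Version|Vendor|Product|DeviceVersion|SignatureID|Name|Severity
EXTENSION_PAIR = re.compile(r"^[A-Za-z0-9_]+=\S*$")


def find_suspect_chars(fmt):
    """Return (offset, char, unicode name) for every control or non-ASCII character."""
    return [
        (i, ch, unicodedata.name(ch, "UNKNOWN"))
        for i, ch in enumerate(fmt)
        if ord(ch) < 0x20 or ord(ch) > 0x7E
    ]


def normalize(fmt):
    """Undo the known PDF substitutions so the string is plain ASCII again."""
    for bad, good in PDF_SUBSTITUTIONS.items():
        fmt = fmt.replace(bad, good)
    return fmt


def split_cef(fmt):
    """Split on unescaped pipes: the first 7 parts are the header, the rest is the extension."""
    parts = re.split(r"(?<!\\)\|", fmt)
    return parts[:CEF_HEADER_FIELDS], "|".join(parts[CEF_HEADER_FIELDS:])


def validate_cef(fmt):
    """Return a list of problems found; an empty list means the format looks sane."""
    problems = [f"non-ASCII or control character {name} at offset {pos}"
                for pos, _ch, name in find_suspect_chars(fmt)]
    header, extension = split_cef(fmt)
    if not header[0].startswith("CEF:"):
        problems.append("format does not start with 'CEF:'")
    if len(header) < CEF_HEADER_FIELDS or not extension:
        problems.append(f"expected {CEF_HEADER_FIELDS} pipe-separated header fields "
                        f"followed by an extension, found {len(header)} header fields")
    for token in extension.split():
        if not EXTENSION_PAIR.match(token):
            problems.append(f"extension token is not key=value: {token!r}")
    return problems


# Constructed sample, modelled loosely on the Palo Alto Networks CEF guide;
# the $-variables are placeholders the firewall expands per log entry.
CLEAN_FORMAT = ("CEF:0|Palo Alto Networks|PAN-OS|8.0|$subtype|$type|1|"
                "rt=$cef-formatted-receive_time src=$src dst=$dst act=$action")
# The same string after a typical PDF round-trip: the hyphen became an en dash
# and a non-breaking space crept into the extension.
CORRUPTED_FORMAT = (CLEAN_FORMAT.replace("PAN-OS", "PAN\u2013OS")
                    .replace(" dst=", "\u00a0dst="))

if __name__ == "__main__":
    for label, fmt in (("clean", CLEAN_FORMAT), ("corrupted", CORRUPTED_FORMAT)):
        print(label, validate_cef(fmt) or "OK")
    print("normalized", validate_cef(normalize(CORRUPTED_FORMAT)) or "OK")
```

Run it against each custom format (Traffic, Threat and so on) after pasting; the corrupted sample reports the en dash and the non-breaking space by offset, and passes once `normalize()` has put the ASCII characters back. Inspecting characters by Unicode name is the point: a curly quote or en dash looks identical to the original in the firewall's text box, which is why the copy error is so hard to spot by eye.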

 


 

Next, go to Objects – Log Forwarding. Create a new log forwarding profile that forwards logs to the Azure Sentinel syslog profile created earlier.

 

 

In the log profile details, configure the log type and filter. This specifies which logs are sent to Sentinel. Pick the log types for which you configured the custom CEF format earlier; these are the ones that can show up in Azure Sentinel.

 

 


 

SYSLOG FORWARDING PROFILE

 

Next we need to assign this log forwarding profile to our security rules. Go to Policies, then Security. Typically I would select the most general security policy, the one applied to all users accessing the internet. Remember, we want all traffic leaving the Palo Alto device to be sent to Azure Sentinel.

 

 

In the security policy's Actions tab, ensure the log forwarding setting points to the log forwarding profile created earlier, which contains all the Azure Sentinel settings. Finally, click OK and then Commit. That completes the firewall part of the configuration.

 


 

Move back to the Azure Sentinel Palo Alto connector. Give it some time, around one hour. If it is still not shown as connected, move to step 3, validating the connection, for troubleshooting.

 

 

In my case, one thing was missing and had to be configured and checked. Go to the Azure Sentinel workspace settings, then Advanced settings – Data – Syslog, and ensure the facility configured for this workspace is Local4. In my case nothing was displayed, so I added Local4, made sure all log levels were enabled, and saved.
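The facility mismatch described above is worth checking on the agent side as well, because a firewall sending with a facility other than the one the workspace collects looks exactly like a firewall sending nothing. The following Python script is an added example, not code from the original post, Microsoft or Palo Alto Networks: it parses BSD-format syslog lines of the kind the agent VM receives, decodes the PRI value into facility and severity (PRI = facility × 8 + severity, so Local4 is facility 20 and its PRI values run from 160 to 167), and reports lines that arrive with the wrong facility or without a CEF payload. The host name, serial number, addresses and log lines are constructed for the example.

```python
"""Triage syslog lines received by the agent VM: does each line carry the
facility (Local4) the Sentinel workspace collects, and a CEF payload?

Added example for this post; not code from the original article,
Microsoft or Palo Alto Networks.
"""
import re

# RFC 3164 facility codes; the workspace in the post collects local4 (20).
SYSLOG_FACILITIES = {
    0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
    6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
    16: "local0", 17: "local1", 18: "local2", 19: "local3",
    20: "local4", 21: "local5", 22: "local6", 23: "local7",
}

# BSD syslog line: "<PRI>Mmm dd hh:mm:ss hostname message"
BSD_SYSLOG = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<msg>.*)$"
)


def build_bsd_syslog(facility, severity, host, msg, ts="Jun  5 10:00:00"):
    """Encode a BSD syslog line; PRI packs facility and severity as facility*8+severity."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0-23 and severity 0-7")
    return f"<{facility * 8 + severity}>{ts} {host} {msg}"


def parse_bsd_syslog(line):
    """Decode a BSD syslog line into its parts, or return None if it is not one."""
    m = BSD_SYSLOG.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:  # 23*8 + 7 is the highest legal PRI
        return None
    msg = m.group("msg")
    return {
        "facility": SYSLOG_FACILITIES.get(pri // 8, f"facility{pri // 8}"),
        "severity": pri % 8,
        "host": m.group("host"),
        "msg": msg,
        "is_cef": msg.startswith("CEF:"),
    }


def triage(lines, expected_facility="local4"):
    """Count lines matching the post's configuration (expected facility + CEF payload)
    and record why each remaining line does not match."""
    report = {"accepted": 0, "wrong_facility": [], "not_cef": 0, "unparsed": 0}
    for line in lines:
        rec = parse_bsd_syslog(line)
        if rec is None:
            report["unparsed"] += 1
        elif rec["facility"] != expected_facility:
            report["wrong_facility"].append(rec["facility"])
        elif not rec["is_cef"]:
            report["not_cef"] += 1
        else:
            report["accepted"] += 1
    return report


# Constructed sample input standing in for what the agent receives on UDP/514.
CEF_PAYLOAD = ("CEF:0|Palo Alto Networks|PAN-OS|8.0|end|TRAFFIC|1|"
               "src=10.0.0.5 dst=203.0.113.10 act=allow")
SAMPLE_LINES = [
    build_bsd_syslog(20, 6, "pa-fw-01", CEF_PAYLOAD),   # local4 + CEF: what the post configures
    build_bsd_syslog(23, 5, "pa-fw-01", CEF_PAYLOAD),   # local7: not the facility the workspace collects
    "<166>Jun  5 10:00:01 pa-fw-01 1,2019/06/05 10:00:01,000000000000,TRAFFIC,end,...",  # CSV, not CEF
    "plain text with no PRI header at all",             # not a syslog line
]

if __name__ == "__main__":
    print(triage(SAMPLE_LINES))
```

Feed it a capture of what actually arrives on the agent (for example a few lines saved from a packet capture on port 514) and the report tells you at a glance whether the problem is the facility, the log format, or no traffic reaching the VM at all. Since BSD syslog over UDP carries no authentication, it is also worth restricting the agent VM's network security group so that port 514 is reachable only from the firewall's public address rather than from the whole internet.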

 


 

That should do the trick and set up your Palo Alto connector. Finally, you can install the Palo Alto dashboards and give it some time to see the logs flowing into your Sentinel workspace.

 

CONCLUSION

I like the idea of having out-of-the-box connectors available for the Azure Sentinel SIEM. This enriches my SIEM dashboard and connects all critical traffic to Sentinel, which allows further analysis and investigation. Remember, Azure Sentinel is in preview and free of charge for now. Why wait? Go ahead and give it a try.

 

Hopefully this post was informative, and until we meet in another Azure Sentinel article.

 


ABOUT THE AUTHOR

Ahmed Nabil

Ahmed Nabil has more than 17 years of experience in the field of Information Technology/Systems, Infrastructure, Project Management, Information Security, Application Development/Automation and IT Management, and holds several professional IT certifications from Microsoft, CISCO, ISACA, ISC2, PMI, CWNP, PECB and EC-Council. Ahmed is an industry expert in Information Security and Digital Transformation, a public speaker at several international conferences and the author of several articles published in different international security magazines.


© 2019 ITCalls.net - All Rights Reserved. | Owned by Ahmed Nabil
