ifi Trusted Contributor.

Palo Alto Syslog collection

Hi,

I have installed SmartConnector ver. 7.1.4.7475 on a Windows server and linked it to a Palo Alto firewall to collect syslog.

I am experiencing two issues:

1) After some time (less than an hour), the logger server stops receiving Palo Alto logs (but it still receives the system logs of the SmartConnector). The only solution is to reboot the SmartConnector server.

2) Logger server doesn't receive all the logs from Palo Alto: for example I see only traffic logs between two specific zones (from LAN to WAN) and not the traffic concerning other zones.

Has anyone experienced problems like these?

Thank you in advance for help.

Federico

Accepted Solutions
andrew.dalbor Outstanding Contributor.

Re: Palo Alto Syslog collection

Have you ensured on the Palo that all zones are sending to the same syslog source? You also have to ensure that all Traffic "types" are also being sent to that syslog source.  Palo's documentation details how to set this up.

ifi Trusted Contributor.

Re: Palo Alto Syslog collection

Thank you for the help. I enabled the syslog profile on all the traffic policies on the Palo Alto and now it works fine.

andrew.dalbor Outstanding Contributor.

Re: Palo Alto Syslog collection

Great! Glad to hear it's working. One thing of note though: I have noticed that the "TRAFFIC" logs are extremely noisy and will generate an excessive amount of events.

ifi Trusted Contributor.

Re: Palo Alto Syslog collection

Yes, I agree with you.

Moreover I'm noticing that the SmartConnector is generating a lot of traffic that is categorized as THREAT by the PaloAlto. This kind of traffic is directed to different public addresses, and the application type is netbios-ns.

Have you ever experienced this?

andrew.dalbor Outstanding Contributor.

Re: Palo Alto Syslog collection

Yes, we see a lot of THREAT type traffic in their logs also. Take note though of Palo's severity level. Most of it is most likely "informational". When we asked their support about what the key identifiers are that would make the traffic THREAT level, they did not have a good explanation.
