Palo Alto Networks CEF Certified Configuration Guide 03 02 11
Revision History

Date       | Description
-----------|------------
02/25/2011 |
03/02/2011 |
Overview
Palo Alto Networks next-generation firewalls provide network security by enabling
enterprises to see and control applications, users, and content (not just ports, IP
addresses, and packets) using three unique identification technologies: App-ID, User-ID,
and Content-ID. These identification technologies, found in Palo Alto Networks' enterprise
firewalls, enable enterprises to create business-relevant security policies that safely
enable organizations to adopt new applications, instead of the all-or-nothing approach
offered by the traditional port-blocking firewalls used in many security infrastructures.
Next-generation firewall model families include the Palo Alto Networks PA-5000 Series,
PA-4000 Series, PA-2000 Series, and the PA-500, and range from 250 Mbps to 20 Gbps in
throughput capacity. Delivered as a purpose-built appliance, every Palo Alto Networks
next-generation firewall uses dedicated, function-specific processing that is tightly
integrated with a single-pass software engine. This combination of hardware and
software maximizes network throughput while minimizing latency. Each of the hardware
platforms supports the same rich set of next-generation firewall features, ensuring
consistent operation across the entire line.
Configuration
Configure the Palo Alto Networks device for ArcSight CEF-formatted syslog events based
on information from the PAN-OS administrator's guide.
1.
2. On the left-hand side, select Syslog under Server Profiles and click Add.
3. In the Syslog Server Profile dialog, enter a server profile Name and Location
   (location refers to a Virtual System).
4. Select the Servers tab and click Add to provide a name for the Syslog server, its IP
   address, Port (default 514), and Facility (default LOG_USER).
5. Select the Custom Log Format tab and click on any of the listed log types
   (Config/System/Threat/Traffic/HIPMatch) to define a custom format based on the
   ArcSight CEF for that log type.
The table below shows the CEF-style format that was used during the certification process
for each log type. These custom formats include all the fields that are displayed in the
default syslog format, in a similar order. NOTE: Customers can choose to define their own
CEF-style formats using the event mapping table provided in addition to this document.
The Custom Log Format tab supports escaping any characters defined in the CEF as
special characters. For instance, to escape the backslash and equals characters with a
backslash, specify \= as the Escaped characters and \ as the Escape character.
Log types: Traffic, Threat, Config, System, HIP Match
Screen Shot
Shown below is a screenshot of the Active Channel page on the ArcSight CEF Server
showing the events generated by a Palo Alto Networks device.
Events
The different log types for which syslogs are generated include TRAFFIC, THREAT,
CONFIG, SYSTEM, and HIP MATCH. For the SYSTEM events, the $eventid field
captures the specific event associated with that log. Refer to the System Logs document
for a listing of all the events grouped by the system area.
Prefix fields

CEF Name       | Data type | Meaning
---------------|-----------|--------------------------------------------------------------
Version        | Integer   |
Device Vendor  | String    | Device Vendor
Device Product | String    | Device Product: PAN-OS
Device Version | String    | Device Version
Signature ID   | String    | Value is event-type specific. Traffic: $subtype; Threat: $subtype $threatid; Config: $subtype $result; System: $subtype $eventid; HIP: $subtype $hip
Name           | String    | Value is event-type specific. Traffic: $type; Threat: $type; Config: $type; System: $type $eventid; HIP Match: $type $hiptype
Severity       | Integer   | $number-of-severity. Always 1 for traffic, config, and HIP events.
Extension Dictionary

CEF Key Name | Full Name | Data Type | Length | Meaning | Palo Alto Networks Value Field
-------------|-----------|-----------|--------|---------|-------------------------------
act | deviceAction | String | 63 | Action mentioned in the event. |
app | ApplicationProtocol | String | 31 | Application level protocol; example values are HTTP, HTTPS, SSHv2, Telnet, POP, IMAP, IMAPS, etc. | $app
cat | deviceEventCategory | String | 1023 | Represents the category assigned by the originating device. Devices oftentimes use their own categorization schema to classify events. |
cn1 | deviceCustomNumber1 | Long | | SessionID | $sessionid
cn1Label | deviceCustomNumber1Label | String | 1023 | SessionID |
cn2 | deviceCustomNumber2 | Long | | Packets | $packets
cn2Label | deviceCustomNumber2Label | String | 1023 | Packets |
cn3 | deviceCustomNumber3 | Long | | Elapsed time | $elapsed
cn3Label | deviceCustomNumber3Label | String | 1023 | Elapsed time in seconds |
cnt | baseEventCount | Integer | | A count associated with this event. How many times was this same event observed? | $repeatcnt
cs1 | deviceCustomString1 | String | 1023 | Rule | $rule
cs1Label | deviceCustomString1Label | String | 1023 | Rule |
cs2 | deviceCustomString2 | String | 1023 | URL Category | $category
cs2Label | deviceCustomString2Label | String | 1023 | URL Category |
cs3 | deviceCustomString3 | String | 1023 | Vsys | $vsys
cs3Label | deviceCustomString3Label | String | 1023 | Virtual System |
cs4 | deviceCustomString4 | String | 1023 | Srczone | $from
cs4Label | deviceCustomString4Label | String | 1023 | Source Zone |
cs5 | deviceCustomString5 | String | 1023 | Dstzone | $to
cs5Label | deviceCustomString5Label | String | 1023 | Destination Zone |
cs6 | deviceCustomString6 | String | 1023 | LogProfile | $logset
cs6Label | deviceCustomString6Label | String | 1023 | LogProfile |
| destinationServiceName | String | 1023 | |
| destinationTranslatedAddress | IPv4 Address | | Identifies the translated destination that the event refers to in an IP network. The format is an IPv4 address. Example: 192.168.10.1 | $natdst
| destinationTranslatedPort | Integer | | | $natdport
| deviceDirection | String | | | $direction
| deviceExternalId | String | 255 | | $serial
| deviceInboundInterface | String | 15 | | $inbound_if
| deviceOutboundInterface | String | 15 | | $outbound_if
dpt | destinationPort | Integer | | | $dport
dst | destinationAddress | IPv4 Address | | Identifies the destination that the event refers to in an IP network. The format is an IPv4 address. Example: 192.168.10.1 | $dst
duser | destinationUserName | String | 1023 | Identifies the destination user by name. This is the user associated with the event's destination. Email addresses are also mapped into the UserName fields. The recipient is a candidate to put into destinationUserName. | Traffic: $dstuser; Threat: $dstuser; Config: $admin
dvchost | deviceHostName | String | 100 | | Config: $host
| flexNumber1 | | | Total bytes | $bytes
| flexNumber1Label | String | | Total bytes |
| flexString1 | String | | Flags | $flags
| flexString1Label | String | | Flags |
| flexString2 | String | | Module |
| flexString2Label | String | | Module |
fname | filename | String | 1023 | |
in | bytesIn | Integer | | Number of bytes transferred inbound. Inbound relative to the source to destination relationship, meaning that data was flowing from source to destination. | $bytes_received
msg | Message | String | 1023 | An arbitrary message giving more details about the event. Multiline entries can be produced by using \n as the new-line separator. | Threat: $misc; System: $fmt; Config: $path; HIP Match: $machinename
out | bytesOut | Integer | | Number of bytes transferred outbound. Outbound relative to the source to destination relationship, meaning that data was flowing from destination to source. | $bytes_sent
proto | transportProtocol | String | 31 | | $proto
rt | receiptTime | TimeStamp | | | $cef-formatted-receive_time
shost | sourceHostName | String | 1023 | |
| sourceTranslatedAddress | IPv4 Address | | Identifies the translated source that the event refers to in an IP network. The format is an IPv4 address. Example: 192.168.10.1 | $natsrc
| sourceTranslatedPort | Integer | | | $natsport
spt | sourcePort | Integer | | | $sport
src | sourceAddress | IPv4 Address | | | $src
start | startTime | TimeStamp | | | $cef-formatted-time_generated
suser | sourceUserName | String | 1023 | | $srcuser
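As an added example (not part of this guide or of PAN-OS or ArcSight), the following Python parser consumes a CEF record laid out exactly as the prefix table and extension dictionary above describe: it splits the seven header fields on unescaped pipes, walks the key=value extension honouring the \= and \\ escaping from the Custom Log Format tab, casts the keys the dictionary types as Integer/Long, and resolves the csN/cnN/flexN label pairs into their labelled names. The sample TRAFFIC event, the device version, serial and all values in it are constructed for the example.

```python
import re
from typing import Any, Dict

# Constructed sample TRAFFIC event (not captured from a real device). The header follows
# Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity from the
# prefix table, the extension uses keys from the dictionary, and msg carries "\=" and "\\".
SAMPLE_EVENT = (
    "CEF:0|Palo Alto Networks|PAN-OS|4.0.0|end|TRAFFIC|1|"
    "rt=Mar 02 2011 10:15:00 deviceExternalId=0001A act=allow app=web-browsing "
    "src=10.1.1.20 spt=51234 dst=192.168.10.1 dpt=443 proto=tcp "
    "cs1Label=Rule cs1=allow-web cs2Label=URL Category cs2=computer-and-internet-info "
    "cs4Label=Source Zone cs4=trust cs5Label=Destination Zone cs5=untrust "
    "cn1Label=SessionID cn1=8821 cn2Label=Packets cn2=42 "
    "cn3Label=Elapsed time in seconds cn3=7 cnt=1 in=4096 out=1024 "
    "msg=key\\=value with a back\\\\slash"
)
HEADER_FIELDS = ("device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity")
# Keys the dictionary types as Integer/Long; everything else is kept as a string.
INT_KEY_RE = re.compile(r"^(cn\d+|flexNumber\d+|cnt|in|out|dpt|spt|\w+TranslatedPort)$")
LABEL_RE = re.compile(r"^(cs\d+|cn\d+|flexString\d+|flexNumber\d+)Label$")

def unescape(s: str) -> str:
    # CEF prefixes a special character with a backslash; drop the backslash, keep the char.
    return re.sub(r"\\(.)", r"\1", s)

def parse_cef(line: str) -> Dict[str, Any]:
    # Seven header fields split on unescaped pipes; the eighth part is the extension.
    parts = re.split(r"(?<!\\)\|", line, maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF record")
    header: Dict[str, Any] = dict(zip(HEADER_FIELDS, (unescape(p) for p in parts[1:7])))
    header["version"] = int(parts[0][4:])
    header["severity"] = int(header["severity"])
    # A key starts the string or follows whitespace and ends at an unescaped '='; the
    # value runs to the next key, so "cs2Label=URL Category" keeps its embedded space.
    ext: Dict[str, Any] = {}
    keys = list(re.finditer(r"(?:^|(?<=\s))(\w+)=", parts[7]))
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(parts[7])
        value = unescape(parts[7][m.end():end].strip())
        ext[m.group(1)] = int(value) if INT_KEY_RE.match(m.group(1)) else value
    # Resolve custom fields through their labels: cs1Label=Rule plus cs1=allow-web
    # becomes labeled["Rule"] == "allow-web".
    labeled: Dict[str, Any] = {}
    for key, label in ext.items():
        m = LABEL_RE.match(key)
        if m and m.group(1) in ext:
            labeled[label] = ext[m.group(1)]
    return {"header": header, "extension": ext, "labeled": labeled}
```

The labeled view is what a correlation rule should key on, since the custom-string slot a value lands in (cs1 vs. cs4) is only meaningful together with its label.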