Palo Alto Firewall

Version: Palo Alto appliance, PAN-OS versions 2.0 to 8.1.

Palo Alto Networks next-generation firewalls provide a flexible networking architecture that includes support for dynamic routing, switching, and VPN connectivity, enabling you to deploy the firewall into nearly any networking environment. When configuring the Ethernet ports on your firewall, you can choose from virtual wire, Layer 2, or Layer 3 interface deployments. In addition, to allow you to integrate into a variety of network segments, you can configure different types of interfaces on different ports.

Netsurion Open XDR integrates SIEM, log management, file integrity monitoring, and machine analytics. Netsurion Open XDR enables monitoring of events obtained from the Palo Alto Firewall. The alerts, reports, dashboards, and categories in Netsurion Open XDR help capture essential and critical activities in the Palo Alto Firewall.

The following are the key Data Source Integrations available in the Netsurion Open XDR platform.

Alerts

Type | Name | Description
Operational | Palo Alto Firewall – Configuration success and failure | This alert is generated whenever any configuration succeeds or fails in the Palo Alto Firewall.
Operational | Palo Alto Firewall – VPN configuration changes | This alert is generated whenever any VPN configuration is modified in the Palo Alto Firewall.
Compliance | Palo Alto Firewall – Logon failure | This alert is generated whenever any logon failure occurs in the Palo Alto Firewall.
Compliance | Palo Alto Firewall – VPN login failures | This alert is generated whenever any VPN login failure occurs in the Palo Alto Firewall.
Compliance | Palo Alto Firewall – User login success outside US | This alert is generated when any logon failure has occurred outside the US region.
Security | Palo Alto Firewall – Virus detected | This alert is generated whenever the Palo Alto Firewall detects any virus in the traffic.
Security | Palo Alto Firewall – Vulnerability detected | This alert is generated whenever the Palo Alto Firewall detects any vulnerability in the traffic.

Reports

Type | Name | Description
Operational | Palo Alto Firewall – Traffic details | This report provides information related to the traffic flow. It includes session id, source address, source port, source location, destination address, destination port, destination location, protocol type, total bytes, bytes sent, bytes received, total packets, packets sent, and packets received.
Operational | Palo Alto Firewall – Configuration success and failure | This report provides information related to any modifications in the Palo Alto firewall configuration. It includes user, source IP, console type, and configuration path.
Operational | Palo Alto Firewall – VPN configuration changes | This report provides information related to any modifications in the Palo Alto firewall's VPN configuration. It includes user, source IP, console type, and configuration path.
Operational | Palo Alto Firewall – VPN activities | This report provides information related to all VPN activities of the Palo Alto firewall.
Compliance | Palo Alto Firewall – Logon failure | This report provides information related to user logon failures in the Palo Alto firewall. It includes source IP, user, and reason.
Compliance | Palo Alto Firewall – Logon success | This report provides information related to successful user logins in the Palo Alto firewall. It includes source IP and user.
Compliance | Palo Alto Firewall – VPN login failures | This report provides information related to VPN logon failures in the Palo Alto firewall. It includes source IP, user, and reason.
Compliance | Palo Alto Firewall – VPN login and logout activity | This report provides information specific to all VPN login and logout activity of the Palo Alto firewall.
Security | Palo Alto Firewall – Threat details | This report provides information related to threat detection. It includes threat id, protocol type, action taken, source address, source port, source location, destination address, destination port, and destination location.

Dashboard

Type | Name | Description
Operational | Palo Alto Firewall – Traffic by Source IP address | This dashlet displays traffic data by source IP address.
Operational | Palo Alto Firewall – Traffic by Destination IP address | This dashlet displays traffic data by destination IP address.
Operational | Palo Alto Firewall – Traffic by Source IP Geo-Location | This dashlet displays traffic data by source IP location.
Operational | Palo Alto Firewall – Traffic by Destination IP Geo-Location | This dashlet displays traffic data by destination IP location.
Compliance | Palo Alto Firewall – Login Activities by User | This dashlet displays login activity data by username.
Compliance | Palo Alto Firewall – Login by Source IP Geo-location | This dashlet displays login data by source IP location.
Compliance | Palo Alto Firewall – Login Failed by Source IP | This dashlet displays login failure data by source IP.
Compliance | Palo Alto Firewall – Login Failed by Geo-Location | This dashlet displays login failure data by source IP location.
Compliance | Palo Alto Firewall – Login Failed by User | This dashlet displays login failure data by user.
Security | Palo Alto Firewall – Intrusion Detection by Destination IP Geo-Location | This dashlet displays intrusion detection data by destination IP location.
Security | Palo Alto Firewall – Intrusion Detection by Destination IP | This dashlet displays intrusion detection data by destination IP.
Security | Palo Alto Firewall – Intrusion Detection by Source IP | This dashlet displays intrusion detection data by source IP.
Security | Palo Alto Firewall – Intrusion Detection by Threat Name and Action | This dashlet displays intrusion detection data by threat name and action.
Security | Palo Alto Firewall – Intrusion Detection by Source IP Geo-Location | This dashlet displays intrusion detection data by source IP location.

Saved Search

Type | Name | Description
Operational | Palo Alto Firewall – Allowed traffic | This saved search provides detailed information on traffic allowed into the organization via the firewall.
Operational | Palo Alto Firewall – Configuration success and failure | This saved search provides information about all configuration changes (successful or failed) made in the firewall console.
Operational | Palo Alto Firewall – Denied traffic | This saved search provides detailed information on denied traffic.
Operational | Palo Alto Firewall – VPN activities | This saved search provides detailed information about all firewall VPN activities.
Operational | Palo Alto Firewall – VPN configuration changes | This saved search provides information about all VPN configuration changes.
Compliance | Palo Alto Firewall – Logon failures | This saved search provides detailed information on failed logins to the firewall console.
Compliance | Palo Alto Firewall – Logon success | This saved search provides detailed information on successful logins to the firewall console.
Compliance | Palo Alto Firewall – URL filtering | This saved search provides information about URLs filtered by the firewall.
Compliance | Palo Alto Firewall – VPN login and logout activity | This saved search provides information about VPN login and logout activities.
Compliance | Palo Alto Firewall – VPN login failures | This saved search provides information about VPN login failures.
Security | Palo Alto Firewall – Vulnerability detected | This saved search provides information on any vulnerability detected by the firewall.
Security | Palo Alto Firewall – Virus detected | This saved search provides information about viruses detected by the firewall.

Documentation

The configuration details apply to Netsurion Open XDR 9.3 and later, and to the Palo Alto Firewall.

Download the Integration Guide for configuration instructions and more information.