Our Integration guide was accurate at the time of writing but vendors change things frequently! If you find errors or anything is outdated, let us know by raising a request in the Samurai Help Center and we shall get it updated.
Product | Samurai [Local] Collector | Samurai [Cloud] Collector |
Palo Alto Networks Next-Generation Firewall | | |
To complete this Integration you will need to:
1) Ensure Connectivity Requirements are in place
2) From your Palo Alto Networks Next-Generation Firewall:
- Configure syslog to your Samurai Local Collector
- Create Log Forwarding Profiles
- Create URL Filtering Profile
- Create Filtering Profile Group
- Create Security Policy Rule
- Enable Packet Capture Profiles
- Enable API Access
3) From the Samurai application:
- Complete the Palo Alto Networks Next-Generation Firewall Integration
Connectivity Requirements
You must ensure the following connectivity requirements are available:
Source | Destination | Ports | Description |
PAN NGFW | Samurai Local Collector | UDP/514 (syslog) | For log transmission |
Samurai Local Collector | PAN NGFW | TCP/443 (https) | Packet captures |
Configure syslog to your Samurai Local Collector
Follow the steps outlined within the Palo Alto Networks documentation to configure your firewall to send logs to your Samurai Local Collector:
If you do not have Panorama deployed:
If you have Panorama deployed please refer to Palo Alto Networks: Panorama (Be aware of steps based on your Panorama deployment mode)
Use the following parameters when completing the steps:
Field Name | Parameter |
Server Profile Name | Whatever you want, however we suggest NTT_Syslog_Profile |
Syslog Server | IP address of your Samurai Collector |
Transport | UDP |
Port | 514 (Default) |
Format | BSD (Default) |
Facility | keep as default |
Custom Log Format | keep as default for every log type |
Create Log Forwarding Profiles
Follow the steps outlined within the Palo Alto Networks documentation:
You will need to configure Log forwarding profiles for each log type as per the table below:
Field Name | Parameter |
Name | Whatever you want, however we suggest NTT_Log_Fwd_Profile |
Name for each Log Type | Whatever you want, however we suggest NTT_<log type>_Fwd_Profile. Where <log type> denotes each log type available |
Log Type | All (you need to include all log types, e.g. traffic, threat, wildfire etc.) |
Filter | All logs |
Forward Method | Select the syslog Server Profile you configured in Configure syslog to your Samurai Local Collector (we suggested NTT_Syslog_Profile) |
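A way to confirm that every log type selected in the profile actually reaches the collector, as an added example that is not Samurai or Palo Alto Networks code: it parses PAN-OS BSD-format syslog lines, whose CSV body carries the log Type in the fourth field and the Subtype in the fifth, and reports which expected types never appeared. The expected set is an assumption and the sample lines are constructed.

```python
import re
from collections import Counter

# Assumed minimum set of PAN-OS log types the Log Forwarding Profile must cover.
EXPECTED_TYPES = {"TRAFFIC", "THREAT", "WILDFIRE"}

# Constructed sample lines in PAN-OS BSD syslog shape (serial, IPs and rule names are fake).
SAMPLE_LINES = [
    "<14>Jan 10 10:00:01 PA-VM 1,2024/01/10 10:00:01,007200001234,TRAFFIC,end,2561,"
    "2024/01/10 10:00:01,10.1.1.5,93.184.216.34,0.0.0.0,0.0.0.0,allow-web,,,ssl,vsys1",
    "<14>Jan 10 10:00:02 PA-VM 1,2024/01/10 10:00:02,007200001234,THREAT,url,2561,"
    "2024/01/10 10:00:02,10.1.1.5,93.184.216.34,0.0.0.0,0.0.0.0,allow-web,,,web-browsing",
    "<14>Jan 10 10:00:03 PA-VM 1,2024/01/10 10:00:03,007200001234,THREAT,vulnerability,2561,"
    "2024/01/10 10:00:03,10.1.1.5,93.184.216.34,0.0.0.0,0.0.0.0,allow-web",
    "<14>Jan 10 10:00:04 PA-VM 1,2024/01/10 10:00:04,007200001234,SYSTEM,general,0,"
    "2024/01/10 10:00:04,,,,,,,",
]

# BSD syslog header "<PRI>Mon dd hh:mm:ss host " followed by the CSV log body.
_HEADER = re.compile(r"^<\d{1,3}>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d \S+ (?P<body>.*)$")

def parse_line(line):
    """Return (Type, Subtype) from one line: CSV fields 4 and 5; None if malformed."""
    m = _HEADER.match(line.strip())
    if not m:
        return None
    fields = m.group("body").split(",")
    if len(fields) < 5:
        return None
    return fields[3].upper(), fields[4].lower()

def summarize(lines):
    """Count (Type, Subtype) pairs, silently skipping lines that do not parse."""
    counts = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            counts[parsed] += 1
    return counts

def missing_types(lines, expected=EXPECTED_TYPES):
    """Expected log types that never appeared; an empty set means full coverage."""
    seen = {log_type for log_type, _ in summarize(lines)}
    return expected - seen

if __name__ == "__main__":  # run against a capture of what the collector received
    for (log_type, subtype), n in sorted(summarize(SAMPLE_LINES).items()):
        print(f"{log_type:9s} {subtype:14s} {n}")
    print("missing:", sorted(missing_types(SAMPLE_LINES)) or "none")
```

URL Filtering logs arrive as Type THREAT with Subtype url, so a profile that forwards threat logs but whose URL categories are set to allow shows up here as a THREAT count with no url subtype.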
Create URL Filtering Profile
Follow the steps outlined within the Palo Alto Networks documentation:
(Alternatively, modify your existing URL filtering profile(s). If reusing existing profile(s), ensure that no URL categories are set to the action allow unless you do not want them logged)
Field Name | Parameter |
Name | Whatever you want, however we suggest NTT_URL_Profile |
Site Access for Each Category | Alert. If your company policy requires Block for certain categories, set it that way. |
User Credential Submission for Each Category | Alert. If your company policy requires Block for certain categories, set it that way. |
Settings | Ensure Log container page only is not selected |
HTTP Header Logging | Enable: User-Agent, Referer, X-Forwarded-For |
Create Filtering Profile Group
Follow the steps outlined within the Palo Alto Networks documentation:
Use the following parameters when completing the steps:
Field Name | Parameter |
Security Profile Group name | Whatever you want, however we suggest NTT_Security_Profile |
Filtering Profiles | All as applicable, e.g. Anti-virus, Anti-Spyware, Vulnerability Protection, and the URL Filtering profile created in Create URL Filtering Profile and Enable Packet Capture Profiles |
Create Security Policy Rule
Follow the steps outlined within the Palo Alto Networks documentation:
Use the following parameters in the Actions tab when completing the steps:
Field Name | Parameter |
Profile Setting | Select the Group Profile you provided in Create Filtering Profile Group (we suggested NTT_Security_Profile) |
Log at Session Start | Enabled |
Log at Session End | Enabled |
Log Forwarding | Select the Log Forwarding Profile you provided in Create Log Forwarding Profiles (we suggested NTT_Log_Fwd_Profile) |
Enable Packet Capture Profiles
Follow the steps outlined within the Palo Alto Networks documentation:
You will need to enable Packet Capture for each profile as per the tables below:
Anti Virus Profile
Field Name | Parameter |
Name | Whatever you want, however we suggest NTT_AV_Profile |
Anti-Virus | Enable Packet-Capture |
Anti-Spyware Profile
Field Name | Parameter |
Name | Whatever you want, however we suggest NTT_Spyware_Profile |
Severity Critical, Severity High, Severity Medium | Select extended-capture |
Vulnerability Protection Profile
Field Name | Parameter |
Name | Whatever you want, however we suggest NTT_IDS_Profile |
Severity Critical, Severity High, Severity Medium | Select extended-capture |
Enable API Access
Follow the steps outlined within the Palo Alto Networks documentation:
Create a new Admin Role Profile to be used specifically by the Samurai platform.
Under XML API, disable all permissions except the following:
- Log
- Operation Requests
- Export
Once complete, you need to get the API key to be used in the Samurai application. Follow the Palo Alto Networks documentation:
When following the steps, be sure to use the username and password you created in the previous step. Once successful, make a note of the <Key> string, as you will need it later when you Complete the Palo Alto Networks NG Firewall Integration.
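The key retrieval step in Python against the PAN-OS XML API keygen request (type=keygen), as an added example that is not from the Samurai guide or Palo Alto Networks; the firewall hostname and account are placeholders, and the two sample replies are constructed to match the response shape so the parsing can be exercised offline.

```python
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

def parse_keygen_response(xml_text):
    """Return the API key from a keygen reply, or raise with the firewall's message."""
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        msg = root.findtext("./result/msg") or root.findtext("./msg") or "unknown error"
        raise RuntimeError(f"keygen failed: {msg}")
    key = root.findtext("./result/key")
    if not key:
        raise RuntimeError("keygen reply had no <key> element")
    return key.strip()

def fetch_api_key(host, username, password, timeout=10):
    """POST credentials to https://<host>/api/ with type=keygen and return the key.

    Credentials travel in the POST body rather than the query string so they do
    not land in proxy or web-server access logs; urllib verifies the TLS
    certificate by default, so the firewall needs a certificate you trust.
    """
    body = urllib.parse.urlencode(
        {"type": "keygen", "user": username, "password": password}
    ).encode()
    req = urllib.request.Request(f"https://{host}/api/", data=body, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return parse_keygen_response(resp.read().decode())

# Constructed replies in the shape PAN-OS returns (the key value is fake).
SUCCESS_XML = ('<response status="success"><result>'
               "<key>LUFRPT1FAKEKEYFORDOCS==</key></result></response>")
ERROR_XML = ('<response status="error" code="403"><result>'
             "<msg>Invalid Credential</msg></result></response>")

if __name__ == "__main__":
    import getpass
    import sys
    # usage: python pan_keygen.py <firewall-hostname> <samurai-admin-username>
    print(fetch_api_key(sys.argv[1], sys.argv[2], getpass.getpass("Password: ")))
```

Treat the returned key like the account's password: it carries the Log, Operation Requests and Export permissions of the role you just created, so store it only in the Samurai integration form and not in scripts or shell history.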
Complete the Palo Alto Networks Next-Generation Firewall Integration
- Login to the Samurai MDR web application
- Click Integrations from the main menu
- Click Create
- Find and select Palo Alto Networks Next-Generation Firewall
- Select the relevant Local Collector and click Next
- You will be presented with the Local Collector IP Address on the left of the screen
- To configure Extended Telemetry Collection ensure it is enabled via the toggle
- Enter the following information
- Name for the Integration - the name will appear in the Samurai application for you to easily reference
- Description - optional, but if completed it will appear in the Samurai application for you to easily reference
- Physical device name - this name is used as the source for alerts for this integration
- API-Key you captured in Enable API Access
- Hostname/IP - hostname or IP address of Palo Alto device to collect alerts from
- Click on Finish
For general information on Integrations refer to the Integrations article.