Our Integration guide was accurate at the time of writing but vendors change things frequently! If you find errors or anything is outdated, let us know by raising a request in the Samurai Help Center and we shall get it updated.
Product | Samurai [Local] Collector | Samurai [Cloud] Collector |
Palo Alto Networks Next-Generation Firewall | | |
To complete this Integration you will need to:
1) Ensure Connectivity Requirements are in place
2) From your Palo Alto Networks Next Generation Firewall:
- Configure syslog to your Samurai XDR Local Collector
- Create Log Forwarding Profiles
- Create URL Filtering Profile
- Create Filtering Profile Group
- Create Security Policy Rule
- Enable Packet Capture Profiles
- Enable API Access
3) From the Samurai XDR application:
- Complete the Palo Alto Networks Next-Generation Firewall Integration
Connectivity Requirements
You must ensure the following connectivity requirements are available:
Source | Destination | Ports | Description |
PAN NGFW | Samurai XDR Local Collector | UDP/514 (syslog) | For log transmission |
Samurai XDR Local Collector | PAN NGFW | TCP/443 (https) | Optional (based on optional configuration in this article) |
Configure syslog to your Samurai XDR Local Collector
Follow the steps outlined within the Palo Alto Networks documentation to configure your firewall to send logs to your Samurai XDR Local Collector:
If you do not have Panorama deployed:
If you have Panorama deployed: (Be aware of steps based on your Panorama deployment mode)
Use the following parameters when completing the steps:
Field Name | Parameter |
Server Profile Name | Whatever you want, however we suggest NTT_Syslog_Profile |
Syslog Server | IP address of your Samurai XDR Collector |
Transport | UDP |
Port | 514 (Default) |
Format | BSD (Default) |
Facility | keep as default |
Custom Log Format | Keep as default for every log type |
Create Log Forwarding Profiles
Follow the steps outlined within the Palo Alto Networks documentation:
You will need to configure Log forwarding profiles for each log type as per the table below:
Field Name | Parameter |
Name | Whatever you want, however we suggest NTT_Log_Fwd_Profile |
Name for each Log Type | Whatever you want, however we suggest NTT_<log type>_Fwd_Profile. Where <log type> denotes each log type available |
Log Type | All (you need to include all log types, e.g. traffic, threat, wildfire, etc.) |
Filter | All logs |
Forward Method | Select the syslog Server Profile you configured in Configure syslog to Samurai XDR Local Collector (we suggested NTT_Syslog_Profile) |
Create URL Filtering Profile
Follow the steps outlined within the Palo Alto Networks documentation:
(Alternatively, modify your existing URL filtering profile(s). If reusing existing profile(s), ensure that no URL categories are set to the action allow, unless you do not want those categories logged.)
Field Name | Parameter |
Name | Whatever you want, however we suggest NTT_URL_Profile |
Site Access for Each Category | Alert. If your company policy requires Block for certain categories, set it that way. |
User Credential Submission for Each Category | Alert. If your company policy requires Block for certain categories, set it that way. |
Settings | Ensure Log container page only is not selected |
HTTP Header Logging | Enable: User-Agent, Referer, X-Forwarded-For |
Create Filtering Profile Group
Follow the steps outlined within the Palo Alto Networks documentation:
Use the following parameters when completing the steps:
Field Name | Parameter |
Security Profile Group name | Whatever you want, however we suggest NTT_Security_Profile |
Filtering Profiles | All as applicable, e.g. Anti-virus, Anti-Spyware, Vulnerability Protection, and the URL Filtering profile created in Create URL Filtering Profile and Enable Packet Capture Profiles |
Create Security Policy Rule
Follow the steps outlined within the Palo Alto Networks documentation:
Use the following parameters in the Actions tab when completing the steps:
Field Name | Parameter |
Profile Setting | Select the Group Profile you provided in Create Filtering Profile Group (we suggested NTT_Security_Profile) |
Log at Session Start | Enabled |
Log at Session End | Enabled |
Log Forwarding | Select the Log Forwarding Profile you provided in Create Log Forwarding Profiles (we suggested NTT_Log_Fwd_Profile) |
Enable Packet Capture Profiles
Follow the steps outlined within the Palo Alto Networks documentation:
You will need to enable Packet Capture for each profile as per the tables below:
Anti Virus Profile
Field Name | Parameter |
Name | Whatever you want, however we suggest NTT_AV_Profile |
Anti-Virus | Enable Packet-Capture |
Anti-Spyware Profile
Field Name | Parameter |
Name | Whatever you want, however we suggest NTT_Spyware_Profile |
Severity Critical, Severity High, Severity Medium | Select extended-capture |
Vulnerability Protection Profile
Field Name | Parameter |
Name | Whatever you want, however we suggest NTT_IDS_Profile |
Severity Critical, Severity High, Severity Medium | Select extended-capture |
Enable API Access
Follow the steps outlined within the Palo Alto Networks documentation:
Create a new Admin Role Profile to be used specifically by Samurai XDR.
Under XML API, disable all permissions except the following:
- Log
- Operation Requests
- Export
Once complete, you need to obtain the API key to be used in the Samurai XDR application. Follow the Palo Alto documentation:
When following the steps, be sure to use the username and password you created in the previous step. Once successful, make a note of the <Key> string, as you will need it later when you Complete the Palo Alto Networks NG Firewall Integration.
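As an added example (not from this article or from NTT's tooling), the script below performs the keygen request described above against the PAN-OS XML API and checks the response before you paste the key into the XDR application. The firewall hostname is a placeholder, and the two sample responses are constructed to match the shape PAN-OS returns.

```python
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET
from typing import Optional

# Placeholder: substitute the Hostname/IP you will enter in the XDR application.
FIREWALL_HOST = "firewall.example.internal"


def build_keygen_url(host: str, user: str, password: str) -> str:
    """URL for the PAN-OS XML API 'keygen' request that returns an API key."""
    query = urllib.parse.urlencode({"type": "keygen", "user": user, "password": password})
    return f"https://{host}/api/?{query}"


def parse_keygen_response(xml_text: str) -> str:
    """Extract the <key> element; raise if the firewall reported an error.

    A wrong password, or an admin whose role profile lacks XML API access,
    comes back with status="error" instead of a key, so surface that clearly.
    """
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        msg = root.findtext("./result/msg") or root.findtext("./msg") or "unknown error"
        raise PermissionError(f"keygen failed (code={root.get('code')}): {msg}")
    key = root.findtext("./result/key")
    if not key:
        raise ValueError("keygen response contained no <key> element")
    return key.strip()


def fetch_api_key(host: str, user: str, password: str, cafile: Optional[str] = None) -> str:
    """Call the firewall over TCP/443 (the optional path in the connectivity table)."""
    # Keep certificate verification on; pass cafile= if the firewall uses an internal CA.
    ctx = ssl.create_default_context(cafile=cafile)
    url = build_keygen_url(host, user, password)
    with urllib.request.urlopen(url, context=ctx, timeout=10) as resp:
        return parse_keygen_response(resp.read().decode())


# Constructed sample responses (the key value is made up, not a real key).
SAMPLE_SUCCESS = "<response status='success'><result><key>LUFRPT1example+key+value==</key></result></response>"
SAMPLE_ERROR = "<response status='error' code='403'><result><msg>Invalid Credential</msg></result></response>"

if __name__ == "__main__":
    # Offline demonstration on the constructed responses; fetch_api_key() does the live call.
    print("key:", parse_keygen_response(SAMPLE_SUCCESS))
```

Store the returned key as you would any other credential: it is tied to the Samurai XDR admin role you created, so a leaked key grants exactly the Log, Operation Requests and Export permissions left enabled on that profile.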
Complete the Palo Alto Networks Next-Generation Firewall Integration
- Login to your Samurai XDR application tenant
- Click Telemetry > Integrations from the main menu
- Click Create
- Find and select Palo Alto Networks Next-Generation Firewall
- Select the relevant Local Collector and click Next
- You will be presented with the Local Collector IP Address on the left of the screen
- To configure Extended Telemetry Collection ensure it is enabled via the toggle
- Enter the following information
- Name for the Integration - the name will appear in the XDR application for you to easily reference
- Description - optional, but if completed it will appear in the XDR application for you to easily reference
- Physical device name - this name is used as the source for alerts for this integration
- API Key - the key you captured in Enable API Access
- Hostname/IP - hostname or IP address of Palo Alto device to collect alerts from
- Click on Finish
For general information on Integrations refer to the Integrations article.