When you configure your Palo Alto Networks PAN-OS to send log data to USM Appliance, you can use the Palo Alto Networks PAN-OS plugin to translate raw log data into normalized events for analysis. The table below provides some basic information for the plugin.

Plugin Information

Device	Details
Vendor	Palo Alto Networks
Device Type	Firewall
Connection Type	Syslog
Data Source Name	paloalto
Data Source ID	1615

Integrating Palo Alto Networks PAN-OS

Before configuring the Palo Alto Networks PAN-OS log collection, you must have the IP Address of the USM Appliance Sensor.

To configure PAN-OS to send log data to USM Appliance

1. Configure PAN-OS to output events in Common Event Format (CEF). See the PAN-OS CEF Configuration Guide for instructions.

   Note: The vendor documentation references ArcSight, but it applies to USM Anywhere as well.

2. Add a syslog server profile. See the PAN-OS Administrator's Guide on Configure Syslog Monitoring for instructions.

   • For Syslog Server, enter the IP address of the USM Appliance Sensor.
   • Select the transport protocol you want to use. USM Appliance supports UDP and TCP.
   • The port number depends on the transport protocol you choose. Use 514 for UDP or TCP.
3. Configure syslog forwarding on PAN-OS. See the PAN-OS Administrator's Guide on Configure Log Forwarding for instructions.

Plugin Enablement

For plugin enablement information, see Enable Plugins.

Troubleshooting

For troubleshooting, refer to the vendor documentation:

https://www.paloaltonetworks.com/documentation/70/pan-os/pan-os/monitoring/configure-syslog-monitoring.html

http://blog.webernetz.net/2013/11/21/cli-commands-for-troubleshooting-palo-alto-firewalls/