Palo Alto Networks Traps

When you configure your Palo Alto Networks Traps to send log data to USM Appliance, you can use the Palo Alto Networks Traps plugin to translate raw log data into normalized events for analysis. The table below provides some basic information for the plugin.

Plugin Information

Device Details
Vendor: Palo Alto Networks
Device Type: Endpoint Security
Connection Type: Syslog
Data Source Name: Paloalto-traps
Data Source ID: 1919

Integrating Palo Alto Networks Traps

To configure Palo Alto Networks Traps to send Syslog messages to USM Appliance

  1. From the ESM Console, select Settings > ESM > Syslog, and then select Enable Syslog.
  2. Configure Palo Alto Networks Traps to send logs from the ESM components to an external logging platform (here, USM Appliance) by specifying the following settings:
    • Syslog Server: hostname or IP address of the USM Appliance Sensor.
    • Transport: UDP, TCP, or SSL.
    • Port: 514 for UDP, 601 for TCP, or 6514 for TLS/SSL.
    • Format: BSD (default) or IETF.
    • Facility: the standard syslog facility value your server uses to manage messages.
  3. Click OK to create your profile.
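If forwarded events do not normalize, a quick check is whether the messages that reach the sensor carry the header format you selected (BSD or IETF). The following parser is an added example, not AlienVault's or Palo Alto Networks' code; the sample lines and their message bodies are constructed placeholders, not real Traps event text.

```python
import re

# Header patterns for the two syslog formats the Traps ESM "Format" setting
# can produce: BSD (RFC 3164) and IETF (RFC 5424). Only the envelope is
# parsed; the Traps event body is returned untouched.
BSD_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<msg>.*)$"
)
IETF_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>1 "
    r"(?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) "
    r"(?P<sd>-|(?:\[[^\]]*\])+) ?(?P<msg>.*)$"
)

# Constructed sample lines, one per format (hypothetical message bodies).
SAMPLES = [
    "<14>Mar  5 14:02:11 esm-server Traps: Prevention event on host WS-01",
    "<14>1 2024-03-05T14:02:11Z esm-server Traps - - - Prevention event on host WS-01",
]


def parse_syslog(line):
    """Return the detected format plus facility, severity, host and message,
    or None when the line matches neither header layout."""
    m = IETF_RE.match(line)  # IETF is tried first: its "<PRI>1 " prefix is unambiguous
    fmt = "IETF"
    if not m:
        m = BSD_RE.match(line)
        fmt = "BSD"
    if not m:
        return None
    pri = int(m.group("pri"))
    return {
        "format": fmt,
        "facility": pri // 8,  # PRI = facility * 8 + severity
        "severity": pri % 8,
        "host": m.group("host"),
        "message": m.group("msg"),
    }


if __name__ == "__main__":
    for sample in SAMPLES:
        print(parse_syslog(sample))
```

Run it against a line captured on the sensor (for example from a packet capture on the port you configured) to confirm the format and facility match what you set in the ESM Console.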

To use the log forwarding profile in your security profile

  1. Go to Policy > Security.
  2. Click the rule that needs to be forwarded to open its policy rule settings window.
  3. In the Security Policy Rule window, click the Actions tab.
  4. In the Log Forwarding drop-down, select the profile you created and make sure that the Log at Session End box is checked.
  5. Click OK.

Plugin Enablement

For plugin enablement information, see Enable Plugins.

Additional Resources and Troubleshooting

https://www.paloaltonetworks.com/documentation/40/endpoint/endpoint-admin-guide/reports-and-logging/forward-logs-to-an-external-logging-platform/enable-log-forwarding-to-an-external-logging-platform.html

For troubleshooting, refer to the vendor documentation:

https://www.paloaltonetworks.com/documentation/34/endpoint/endpoint-admin-guide/troubleshooting/traps-troubleshooting-resources