https://live.paloaltonetworks.com/t5/general-articles/nominated-discussion-palo-alto-networks-integration-with-azure/ta-p/532000 <DIV class="lia-message-template-content-zone"> <P>&nbsp;</P> <SPAN>This Nominated Discussion Article is based on the post "</SPAN><FONT face="arial,helvetica,sans-serif" size="3"><STRONG><A id="link_14" href="https://live.paloaltonetworks.com/t5/general-topics/palo-alto-integration-with-azure-sentinel/m-p/531557" target="_blank" rel="noopener">Palo Alto integration with Azure Sentinel</A></STRONG>"</FONT><SPAN>&nbsp;by&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/274468">@ShailUpadhyay</a>&nbsp;&nbsp;</SPAN><SPAN>Read on to see Cyber Elite&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/192693">@PavelK</a>'s recommendation!</SPAN> <P>&nbsp;</P> <BLOCKQUOTE> <P>Hi All,</P> <P>We are currently working on setting up the Azure Sentinel for our environment and Integration of PA firewalls with Sentinel is our top most priority.</P> <P>&nbsp;</P> <P>However we need to understand what will be the best approach for integration.</P> <P>&nbsp;</P> <P>Should we integrate independent firewalls with Azure Sentinel or Panorama with Azure Sentinel or both firewalls and Panorama with Azure Sentinel ? Also what factors drive this decision. Any leads will be helpful</P> <P>&nbsp;</P> <P>Thank you&nbsp;</P> </BLOCKQUOTE> <P>Recommendation:</P> <P>&nbsp;</P> <BLOCKQUOTE> <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/274468">@ShailUpadhyay</a></P> <P>&nbsp;</P> <P>in our case, we have been using following scenario for about 3 years:</P> <P>&nbsp;</P> <P>Logs are sent from Firewalls to Panorama, then from Panorama to logstash, then from logstash to Sentinel. We never really run into any issue. The only issue we came across once was we started to see a log loss between Firewalls and Panorama which naturally resulted missing logs in Sentinel. This was eventually resolved by adding additional log collectors in log collector group.</P> <P>&nbsp;</P> <P>Personally, I believe that having all Firewalls to send logs to Panorama and then let Panorama to send all logs to Sentinel has many benefits. For example: ease of management or ease of troubleshooting as you have only one place to look into.</P> <P>&nbsp;</P> <P>On the other hand if you have many firewalls with a high log volume, then you might hit ingestion rate limitation of Panorama where Panorama would be a bottleneck (This of course depends on Panorama model and log collector design). In this case having Firewalls to send logs directly to Sentinel would be a better option.</P> <P>&nbsp;</P> <P>Having both Firewalls as well as Panorama to send logs to Sentinel would be the last choice that I would preferably avoid. You will end up with log duplication.</P> <P>&nbsp;</P> <P>Kind Regards</P> <P>Pavel&nbsp;</P> </BLOCKQUOTE> </DIV> Wed, 22 Feb 2023 19:37:08 GMT JayGolf 2023-02-22T19:37:08Z https://live.paloaltonetworks.com/t5/general-articles/nominated-discussion-palo-alto-networks-integration-with-azure/ta-p/532000 <DIV class="lia-message-template-content-zone"> <P>&nbsp;</P> <SPAN>This Nominated Discussion Article is based on the post "</SPAN><FONT face="arial,helvetica,sans-serif" size="3"><STRONG><A id="link_14" href="https://live.paloaltonetworks.com/t5/general-topics/palo-alto-integration-with-azure-sentinel/m-p/531557" target="_blank" rel="noopener">Palo Alto integration with Azure Sentinel</A></STRONG>"</FONT><SPAN>&nbsp;by&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/274468">@ShailUpadhyay</a>&nbsp;&nbsp;</SPAN><SPAN>Read on to see Cyber Elite&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/192693">@PavelK</a>'s recommendation!</SPAN> <P>&nbsp;</P> <BLOCKQUOTE> <P>Hi All,</P> <P>We are currently working on setting up the Azure Sentinel for our environment and Integration of PA firewalls with Sentinel is our top most priority.</P> <P>&nbsp;</P> <P>However we need to understand what will be the best approach for integration.</P> <P>&nbsp;</P> <P>Should we integrate independent firewalls with Azure Sentinel or Panorama with Azure Sentinel or both firewalls and Panorama with Azure Sentinel ? Also what factors drive this decision. Any leads will be helpful</P> <P>&nbsp;</P> <P>Thank you&nbsp;</P> </BLOCKQUOTE> <P>Recommendation:</P> <P>&nbsp;</P> <BLOCKQUOTE> <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/274468">@ShailUpadhyay</a></P> <P>&nbsp;</P> <P>in our case, we have been using following scenario for about 3 years:</P> <P>&nbsp;</P> <P>Logs are sent from Firewalls to Panorama, then from Panorama to logstash, then from logstash to Sentinel. We never really run into any issue. The only issue we came across once was we started to see a log loss between Firewalls and Panorama which naturally resulted missing logs in Sentinel. This was eventually resolved by adding additional log collectors in log collector group.</P> <P>&nbsp;</P> <P>Personally, I believe that having all Firewalls to send logs to Panorama and then let Panorama to send all logs to Sentinel has many benefits. For example: ease of management or ease of troubleshooting as you have only one place to look into.</P> <P>&nbsp;</P> <P>On the other hand if you have many firewalls with a high log volume, then you might hit ingestion rate limitation of Panorama where Panorama would be a bottleneck (This of course depends on Panorama model and log collector design). In this case having Firewalls to send logs directly to Sentinel would be a better option.</P> <P>&nbsp;</P> <P>Having both Firewalls as well as Panorama to send logs to Sentinel would be the last choice that I would preferably avoid. You will end up with log duplication.</P> <P>&nbsp;</P> <P>Kind Regards</P> <P>Pavel&nbsp;</P> </BLOCKQUOTE> </DIV> Wed, 22 Feb 2023 19:37:08 GMT https://live.paloaltonetworks.com/t5/general-articles/nominated-discussion-palo-alto-networks-integration-with-azure/ta-p/532000 JayGolf 2023-02-22T19:37:08Z