PAN-OS 9.1 GlobalProtect CEF Format

AFaugno — Thu, 07 Jan 2021 19:25:14 GMT

Hi,

I'm having issues finding the GP CEF format to send logs to SIEM. It's not in the documentation. I belive the GP logs were being sent my SYSTEM prior to 9.1 and has changed to it's own log starting in 9.1

Re: PAN-OS 9.1 GlobalProtect CEF Format

aleksandar.astardzhiev — Fri, 18 Mar 2022 17:04:30 GMT

Hey @AFaugno ,

I am curious if you find solution to your problem? It seems we may experience the same think.

Starting from PanOS 9.1 GlobalProtect logging was enhanced and moved to dedicate logs type/section. Before that they were subtype of System logs. So now if we want to forward GP logs to external we need to add it to the Device -> Log Settings config and specific GP logs to be forwarded to the syslog server.

In addition under Device -> Syslog Server Profile -> Custom Format there is new type that needs to be re-formatted to use CEF format.

The bizarre think is that GlobalProtect is not defined in the CEF guide for 9.1 PAN-OS 9.1 CEF Configuration Guide (paloaltonetworks.com)

It is mentioned for 10.0 - MF_ Palo Alto Networks_NGFW_PANOS 10.0 _ArcSight_CEF_Integration_Guide

Unfortunately using GP CEF format for 10.0 in 9.1 may be a problem as we still don't see GP CEF logs in SIEM after configuring it according to above steps.

I am wondering if anyone else have similar issue.

Re: PAN-OS 9.1 GlobalProtect CEF Format

aleksandar.astardzhiev — Thu, 24 Mar 2022 08:59:21 GMT

I am writing this here if someone else face any issues with forwarding logs in CEF format.

It seems the documentation for CEF formatting here have several issues Common Event Format (CEF) Configuration Guides (paloaltonetworks.com)

1. Dedicated GlobalProtect log type was introdused in PanOS 9.1, but this type format is missing from 9.1 CEF format guide

2. GP format log can be found in 10.0 format guide, but it has several issues which could cause parsing issues and missing this type of logs in your SIEM

- GP logs were greatly enhanced in 10.0 and there are several log fields which are not supported by 9.1, so even that you can commit without issues, there is no point adding extra empty log fields

- CEF requires strict format of the prefix fields. Every log needs to start with "cef-version|vendor|product|os-version|subtype|type|severity|". GP logs doesn't really have severity, but we will need to provide something in order for the logs to be parsed correctly. As mentioned in the documentation you should use "1" for all log types for which severity is irrelevant. Most of the CEF syslog servers will run regex check to confirm proper CEF formatting before parsing the log and since severity is missing from GP log type format, those logs will not be parased and stored by your SIEM.

- Documentation is using "receive_time", but it is better to use "cef-formatted-receive_time" to be sure that all of the log timestamps are correct

- Since GP logs (at least for 9.1) doesn't really have subtype, it value will always be 0, which doesn't provide any information, I would suggest to use "eventid" in the prefix instead.

- It is a bit annoying that none of the GP log fields are actually mappted to any of the standard CEF extentions fields. This is not actually a problem, since the information is still there, but in my case grabbing the interesting information from those fields requires additional parsing.

I have played for a while and came up with GP log fromat of my own.

CEF:0|Palo Alto Networks|PAN-OS|$sender_sw_version|$eventid|$type|1|rt=$cef-formatted-receive_time deviceExternalId=$serial fname=$portal cs1Label=Stage cs1=$stage suser=$srcuser shost=$machinename src=$public_ip cs2Label=Private IP cs2=$private_ip msg=$opaque app=$tunnel_type cs3Label=Client Version cs3=$client_ver cs4Label=Error cs4=$error cs5Label=Client OS cs5=$client_os cs6Label=Status cs6=$status cn1Label=Duration in seconds cn1=$login_duration PanOSAuthMethod=$auth_method PanOSSourceRegion=$srcregion PanOSPublicIPv6=$public_ipv6 PanOSPrivateIPv6=$private_ipv6 PanOSHostID=$hostid PanOSEndpointOSVersion=$client_os_ver PanOSCountOfRepeats=$repeatcnt PanOSQuarantineReason=$reason PanOSGPGatewayLocation=$location PanOSConnectionMethod=$connect_method PanOSConnectionErrorID=$error_code PanOSSequenceNo=$seqno PanOSActionFlags=$actionflags

You can change it according to your needs, but what is most important is to use correct prefix format, if not GP logs will not be parsed by CEF syslog server

topic Re: PAN-OS 9.1 GlobalProtect CEF Format in GlobalProtect Discussions

PAN-OS 9.1 GlobalProtect CEF Format

Re: PAN-OS 9.1 GlobalProtect CEF Format

Re: PAN-OS 9.1 GlobalProtect CEF Format