This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Palo Alto Networks App for QRadar Troubleshooting Guide

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Palo Alto Networks App for QRadar Troubleshooting Guide

panguyen
L2 Linker

on ‎01-18-2019 02:22 PM - edited on ‎08-26-2019 12:41 PM by Retired Member

No ratings

Panels are not showing any data

 

1. Check to see if logs are being forwarded properly

Confirm you are receiving LEEF log format in QRadar, navigate to the “Log Activity” tab of QRadar and create an advanced search:

 

SELECT UTF8(payload) FROM events WHERE devicetype=206

 

No Results

Check log forwarding configurations in the Firewall/Panorama. Refer to the getting started guide on how to setup log forwarding from the Firewall/Panorama.

 

Results

Double check that the log contains the word LEEF in the payload.

If LEEF does not exist in the payload then you have setup log forwarding with standard log format. By default QRadar expects logs to be in LEEF format. Refer to the getting started guide on how to send logs in LEEF format.

 

LEEF Log Forwarding Guide

NOTE: Make sure you are using LEEF format for PAN-OS v7.0-v8.0+

 

If LEEF exist in the payload, then there may be an issue with the custom properties.

 

 

2. Check that custom properties are correct

Confirm each field is being parsed by running this search in the "Log Activity" tab of QRadar.

 

SELECT "PANW-type", "PANW-subtype", "PANW-category", "PANW-filename", "PANW-threatid", "PANW-vendor-action" from events WHERE "PANW-type"='THREAT'

 

The columned returned should have values in them. If you are receiving "NA" in the column then there is an issue with the parser.

 

Navigate to the admin panel and click on "Extensions" and confirm that the "Palo Alto Networks LEEF to Standard log" extension is NOT installed.

This extension is only required if if logs are being sent in the standard log format. This format is not recommended by QRadar. The recommended log format is LEEF.

 

LEEF to standard log extension was installed

Uninstall both the App and the extension. Then reinstall only the Palo Alto Networks QRadar App.

 

LEEF logs are being sent but still receiving "NA" in the columns

You may have setup the older LEEF log format on the Firewall/Panorama. In this case please review the LEEF Log Forwarding Guide and make sure you are using PAN-OS v7.0 - v8.0+ format in the log forwarding profile.

 

 LEEF Log Forwarding Guide

NOTE: Make sure you are using LEEF format for PAN-OS v7.0-v8.0+

 

For further support please contact qradar@paloaltonetworks.com

 

Rate this article:
0 Likes Likes
  • 9054 Views
  • 0 comments
  • 0 Likes
Register or Sign-in
Contributors
Article Dashboard
Version history
Last Updated:
‎08-26-2019 12:41 PM
Updated by:
Retired Member
LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks