Guide to Onboard and Ingest Logs from Firewalls to Strata Logging Service and Cortex XSIAM


Disclaimer: This doc was created using PAN-OS 11.2. If you are using a PAN-OS version earlier than 10.1, refer to the official documentation for the steps. On earlier PAN-OS versions the UI uses older names such as “Cortex Data Lake” or “Logging Service” for what is now called “Cloud Logging”.

Use Case 1: Ingest Self-managed Firewall Logs to Strata Logging Service

Step-1: Activate Strata Logging Service

[Note: This step is only needed if you are activating a new Strata Logging Service instance.]

  1. Activate the Strata Logging Service instance by clicking the activation link in the email, then:
    a. Select your CSP account from the “Customer Support Account” dropdown.
    b. Under “Specify the Recipient”, select the tenant or TSG where you want to deploy Strata Logging Service, or create a new TSG/tenant from the dropdown if needed.
    c. Select the region where you want your logs stored from the “Select Region” dropdown.
    d. Under “Add Strata Logging Service” select “Create New”, specify the log storage you purchased, and confirm the region is correct.
    e. Click Activate.

  2. Once Strata Logging Service is activated, provisioning the tenant takes 10-15 minutes; until then the Strata Logging Service app on the Hub shows “In Progress”.

  3. Once provisioning is complete, the app becomes available on the Hub and clicking it takes you to Strata Logging Service. You will also receive an email on successful provisioning.


Step-2: Install Device Certificate for Firewalls

  1. Get the OTP from the Customer Support Portal to fetch the device certificate on the firewall (or Panorama):
    a. Go to the Support Portal and select your CSP account under “Account Selector”.
    b. Go to Products → Device Certificates → Generate OTP.
    c. Select Option 1: Generate OTP for Next Generation Firewall (PAN-OS). If you are installing a device certificate on Panorama, use Option 2: Generate OTP for a Panorama. Select the serial number and click Next.
    d. Copy the OTP.

  2. Enter the OTP on the firewall:
    a. Go to Device → Setup → Management → Device Certificate → Get Certificate, paste the OTP and submit. The OTP is time-limited, so paste it soon after generating it, and make sure the firewall has correct time (NTP) and can reach the Palo Alto Networks certificate service; otherwise the certificate fetch fails.


Step-3: Add Firewalls to Strata Logging Service

[Note: This step is not needed if you do not have a Strata Logging Service subscription and only have XSIAM with an XDR Pro per-GB license.]

  1. Log in to the Hub and select the tenant where you want the devices added to Strata Logging Service.
  2. Launch the Strata Logging Service app.
  3. To add firewalls to Strata Logging Service, click Inventory > Firewalls > Add > Add New Firewalls to the instance.
  4. Filter by serial number, select the firewalls you want to add, and click Submit.


Step-4: Configure Firewalls to connect to Strata Logging Service or Cloud Logging

  1. The firewall needs the Device Logging Service license in order to connect to Strata Logging Service. This is not a separately purchased license; it is entitled once the device has been added to the Strata Logging Service instance. After adding the device, retrieve the license on the firewall:
    a. On the firewall, go to DEVICE > Licenses > Retrieve license keys from license server and confirm that Strata Logging Service [Device Logging Service] is listed.

[Note: If the license does not appear on the firewall, check the adminsite for PAN-LGS-DL.]

    b. Enable Cloud Logging: go to DEVICE > Setup > Management > Cloud Logging and select Enable Cloud Logging to log to Strata Logging Service.

[Cloud Logging is called Cortex Data Lake or Logging Service on older PAN-OS versions.]

    c. Optional: enable Enhanced Application Logging [needed for IoT Security and Cortex XDR].
    d. Select the region from the dropdown (it must match the region in which the Strata Logging Service instance was activated) and commit the configuration.
    e. To check the connection to Strata Logging Service/Cloud Logging, go to DEVICE > Setup > Management > Cloud Logging and click Show Status. If the status shows a failure, confirm that the device certificate is installed, the firewall's clock is NTP-synced, and the management interface (or the configured service route) has outbound HTTPS (TCP 443) reachability to the Cloud Logging endpoints.
    f. You can also check the firewall's connection status in the Strata Logging Service UI: go to Inventory > Firewalls and check the connection status.


Step-5: Forward Firewall logs to Strata Logging Service or Cloud Logging

  1. Log in to the firewall and go to Objects → Log Forwarding → Add → Log Forwarding Profile.
    a. Add a name for the profile.
    b. Click + Add → Log Forwarding Profile Match List, and use the Log Type dropdown to choose which log type to forward.
    c. Enable Cloud Logging.

[Cloud Logging is called Cortex Data Lake or Logging Service on older PAN-OS versions.]

    Optional: use Filter to send only specific logs to Strata Logging Service.

    d. Repeat steps b and c for each log type you want to forward to Strata Logging Service/Cloud Logging.

  2. Optional: Enable Enhanced Application Logging [EAL], required for Cortex XDR or IoT Security subscriptions.

    Enable EAL: go to Device > Setup > Management > Cloud Logging (Logging Service on older PAN-OS versions).

  3. Optional: Create a log forwarding profile for Enhanced Application Logging [needed for IoT Security and Cortex XDR]:
    a. Use the predefined IoT Security Default Profile, clone the predefined profile and customize it, or create a new log forwarding profile with Enhanced Application Logging enabled.
    b. Go to Objects > Log Forwarding > Add Log Forwarding Profile.
    c. Select “Enable enhanced application logs in cloud logging (including traffic and url logs)”.

  4. Attach the log forwarding profile (or the enhanced log forwarding profile) to the security rules:

    Go to Security policy rule > Actions > Log Forwarding > <profile-name>. A security rule with no log forwarding profile attached still writes its logs locally but sends nothing to Cloud Logging, so check every rule whose traffic should be visible in Strata Logging Service.

  5. Follow the steps below to forward the remaining logs (System, Configuration, User-ID, HIP Match, GlobalProtect and IP-Tag logs) to Cloud Logging:
    a. Create a profile for System logs: go to Device > Log Settings > System > + Add > select Cloud Logging.

[Cloud Logging is called Cortex Data Lake or Logging Service on older PAN-OS versions.]

    b. Similarly create profiles for Configuration, User-ID, HIP Match, GlobalProtect and IP-Tag logs.

  6. After the configuration is complete, commit it. You should start seeing logs in the Strata Logging Service UI > Explore.

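The configuration in Steps 4 and 5 is easy to get only partially right: Cloud Logging enabled but a rule left without the profile, or a profile whose match list only ticks syslog. The following Python script is an added example, not code from this article or from Palo Alto Networks. It parses a firewall's exported running configuration and reports the Cloud Logging state, which log types each log forwarding profile actually sends to Cloud Logging, which security rules would not reach Strata Logging Service, and which device log types (System, Configuration, User-ID, and so on) are not yet forwarded. The XML element names are recalled from the PAN-OS config schema rather than taken from this page and should be checked against your own export; the embedded configuration is a constructed sample.

```python
"""Audit an exported PAN-OS running config for the Cloud Logging settings in Steps 4 and 5.

Added example, not from the original article. Element names follow the PAN-OS XML
config as exported on PAN-OS 11.x, recalled from the schema (assumption, confirm
against your own export): <send-to-panorama>yes</send-to-panorama> is the stored
form of the 'Panorama/Cloud Logging' checkbox, and logging-service-forwarding holds
the Cloud Logging settings. SAMPLE_CONFIG is a constructed sample, not a real export.
"""
import xml.etree.ElementTree as ET

# Device log types under shared/log-settings that Step 5.5 forwards (assumed element names).
DEVICE_LOG_TYPES = ("system", "config", "userid", "hipmatch", "globalprotect", "iptag")

SAMPLE_CONFIG = """<config version="11.2.0">
<devices><entry name="localhost.localdomain">
 <deviceconfig><setting><logging><logging-service-forwarding>
  <enable>yes</enable>
  <logging-service-regions>americas</logging-service-regions>
  <enhanced-application-logging><enable>no</enable></enhanced-application-logging>
 </logging-service-forwarding></logging></setting></deviceconfig>
 <vsys><entry name="vsys1">
  <log-settings><profiles>
   <entry name="SLS-Profile">
    <match-list>
     <entry name="traffic"><log-type>traffic</log-type><filter>All Logs</filter><send-to-panorama>yes</send-to-panorama></entry>
     <entry name="threat"><log-type>threat</log-type><filter>All Logs</filter><send-to-panorama>yes</send-to-panorama></entry>
     <entry name="url"><log-type>url</log-type><filter>All Logs</filter><send-to-panorama>no</send-to-panorama></entry>
    </match-list>
    <enhanced-application-logging>yes</enhanced-application-logging>
   </entry>
   <entry name="Syslog-Only"><match-list>
    <entry name="traffic"><log-type>traffic</log-type><filter>All Logs</filter><send-syslog><member>corp-syslog</member></send-syslog></entry>
   </match-list></entry>
  </profiles></log-settings>
  <rulebase><security><rules>
   <entry name="allow-web"><log-setting>SLS-Profile</log-setting><log-end>yes</log-end></entry>
   <entry name="legacy-rule"><log-end>yes</log-end></entry>
   <entry name="syslog-rule"><log-setting>Syslog-Only</log-setting><log-end>yes</log-end></entry>
  </rules></security></rulebase>
 </entry></vsys>
</entry></devices>
<shared><log-settings>
 <system><match-list><entry name="sys-cloud"><filter>All Logs</filter><send-to-panorama>yes</send-to-panorama></entry></match-list></system>
 <config><match-list><entry name="cfg-syslog"><filter>All Logs</filter><send-syslog><member>corp-syslog</member></send-syslog></entry></match-list></config>
</log-settings></shared>
</config>"""


def _text(node, path, default=""):
    """Text of the first child matching path, or default when the node or child is absent."""
    found = node.find(path) if node is not None else None
    return (found.text or "").strip() if found is not None else default


def cloud_logging_settings(root):
    """Step 4: is Cloud Logging enabled, which region, and is EAL on at device level."""
    lsf = root.find(".//deviceconfig/setting/logging/logging-service-forwarding")
    return {
        "enabled": _text(lsf, "enable") == "yes",
        "region": _text(lsf, "logging-service-regions"),
        "eal": _text(lsf, "enhanced-application-logging/enable") == "yes",
    }


def profiles_sending_to_cloud(root):
    """Step 5.1: profile name -> log types whose match-list entry has Cloud Logging ticked."""
    result = {}
    for prof in root.findall(".//log-settings/profiles/entry"):
        result[prof.get("name")] = {
            _text(m, "log-type") for m in prof.findall("match-list/entry")
            if _text(m, "send-to-panorama") == "yes"
        }
    return result


def rules_not_logging_to_cloud(root):
    """Step 5.4: security rules with no profile, or a profile that sends nothing to Cloud Logging."""
    cloud_profiles = {name for name, types in profiles_sending_to_cloud(root).items() if types}
    return [rule.get("name") for rule in root.findall(".//rulebase/security/rules/entry")
            if _text(rule, "log-setting") not in cloud_profiles]


def device_log_types_to_cloud(root):
    """Step 5.5: which device log types (System, Config, ...) have a match list going to Cloud Logging."""
    return {t for t in DEVICE_LOG_TYPES
            if any(_text(m, "send-to-panorama") == "yes"
                   for m in root.findall(f".//shared/log-settings/{t}/match-list/entry"))}


def audit(config_xml):
    """Run every check and return one dict a reviewer can compare against expectations."""
    root = ET.fromstring(config_xml)
    return {
        **cloud_logging_settings(root),
        "profiles": profiles_sending_to_cloud(root),
        "rules_without_cloud_logging": rules_not_logging_to_cloud(root),
        "device_logs_missing": sorted(set(DEVICE_LOG_TYPES) - device_log_types_to_cloud(root)),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

Export the running configuration in XML (for example with the XML API using type=config&action=show, or Device > Setup > Operations > Export named configuration snapshot) and pass the text to audit(). On the sample above it flags the two rules that never reach Cloud Logging and the five device log types still unconfigured, which is exactly the gap a commit-and-hope workflow leaves behind.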

 

Use Case 2: Ingest Panorama managed Firewall logs to Strata Logging Service

Step-1: Activate Strata Logging Service

[Note: This step is only needed if you are activating a new Strata Logging Service instance.]

  1. Activate the Strata Logging Service instance by clicking the activation link in the email, then:
    a. Select your CSP account from the “Customer Support Account” dropdown.
    b. Under “Specify the Recipient”, select the tenant or TSG where you want to deploy Strata Logging Service, or create a new TSG/tenant from the dropdown if needed.
    c. Select the region where you want your logs stored from the “Select Region” dropdown.
    d. Under “Add Strata Logging Service” select “Create New”, specify the log storage you purchased, and click Activate.

  2. Once Strata Logging Service is activated, provisioning the tenant takes 10-15 minutes; until then the Strata Logging Service app on the Hub shows “In Progress”.

  3. Once provisioning is complete, the app becomes available on the Hub and clicking it takes you to Strata Logging Service. You will also receive an email on successful provisioning.


Step-2: Install Device Certificate for Panorama

  1. Get the OTP from the Customer Support Portal to fetch the device certificate for Panorama:
    a. Go to the Support Portal and select your CSP account under “Account Selector”.
    b. Go to Products → Device Certificates → Generate OTP.
    c. Select Option 2: Generate OTP for Panorama.
    d. Select the serial number of the Panorama, generate the OTP and copy it.
    e. Paste the OTP in the Panorama UI: go to PANORAMA > Setup > Management > Device Certificate > Get Certificate.


Step-3: Device certificates for Panorama Managed Firewalls

  1. Generate the OTP request on Panorama for the selected firewalls: on Panorama, go to PANORAMA > Managed Devices > Summary, select the devices, click Request OTP from CSP and copy the OTP.
  2. Log in to the CSP and select Products > Device Certificates > Generate OTP.
  3. For the Device Type, select Generate OTP for Panorama managed firewalls and click Next.
  4. Once the OTP is generated you receive a confirmation.
  5. Go to Products > Device Certificates > View OTP History. Wait for the OTP status to reach Complete, then copy the OTP.
  6. Paste the OTP on Panorama: go to Panorama > Managed Devices > Summary > Upload OTP.


Step-4: Add Panorama to Strata Logging Service UI

[Note: This step is not needed if you do not have a Strata Logging Service subscription and only have XSIAM with an XDR Pro per-GB license.]

  1. Log in to the Hub and select the tenant where you want the devices added to Strata Logging Service.
  2. Launch the Strata Logging Service app.
  3. To add Panorama to Strata Logging Service, click Inventory > Panorama Appliances > Add > Add New Panorama Appliance to this instance.
  4. Filter by serial number, select the Panorama you want to add, and click Submit.


Step-5: Add Firewalls to Strata Logging Service

[Note: This step is not needed if you do not have a Strata Logging Service subscription and only have XSIAM with an XDR Pro per-GB license.]

  1. Log in to the Hub and select the tenant where you want the devices added to Strata Logging Service.
  2. Launch the Strata Logging Service app.
  3. To add firewalls to Strata Logging Service, click Inventory > Firewalls > Add > Add New Firewalls to the instance.
  4. Filter by serial number, select the firewalls you want to add, and click Submit.


Step-6: Configure Panorama to connect to Strata Logging Service/Cloud Logging

  1. Although Panorama itself does not forward any logs, this is needed so that Panorama can view the firewall and Prisma Access logs stored in Strata Logging Service.

    Panorama needs a Strata Logging Service license in order to connect to Strata Logging Service. This is not a separately purchased license; it is entitled once Panorama has been added to the Strata Logging Service instance.

    In the Panorama UI, click Panorama > Licenses > Retrieve license keys from license server.

[Note: If the license does not appear on Panorama, check the adminsite for PAN-LGS-DL.]

  2. Download and install the latest Cloud Services plugin:
    a. Go to PANORAMA > Plugins, search for cloud_services, and download and install the version supported for your PAN-OS release.
    b. Generate the OTP from the Strata Logging Service UI: go to Inventory > Panorama Appliances > Generate OTP and copy the OTP.
    c. Go to Panorama > Cloud Services > Status and paste the OTP. Make sure NTP is configured on the firewalls and on Panorama; otherwise you will not be allowed to proceed.
    d. Once you paste the OTP, the Strata Logging Service connection status is shown.


Step-7: Configure Panorama Managed Firewalls to connect to Strata Logging Service/Cloud Logging and set up log forwarding

  1. Update licenses on the managed firewalls: click PANORAMA > Device Deployment > Licenses > Refresh, select the device name and click Refresh.

  2. Enable Cloud Logging for the managed firewalls: Templates > DEVICE > Setup > Management > Cloud Logging. Enable Cloud Logging and select the region from the dropdown list (it must match the region of the Strata Logging Service instance).

    Optional: enable Enhanced Application Logging [required for Cortex XDR/XSIAM and IoT Security].

[Note: Cloud Logging is called Cortex Data Lake or Logging Service on older PAN-OS versions.]

  3. Create a log forwarding profile on Panorama and push it to the firewalls: go to Device Groups > Objects > Log Forwarding > + Add [new log forwarding profile].

  4. Add a log forwarding profile match list for each log type: click Add > Log Forwarding Profile Match List, select the log type you want to forward and select Panorama/Cloud Logging.

[Note: Cloud Logging is called Cortex Data Lake or Logging Service on older PAN-OS versions.]

  5. Repeat step 4 for every log type you want to forward.

  6. Associate the log forwarding profile with the security rule.

  7. Commit and push the configuration to the firewalls.

  8. Optional: Enable EAL [Enhanced Application Logging], needed for IoT Security and Cortex XDR:
    a. Go to Objects > Log Forwarding > + Add.
    b. In the log forwarding profile, select “Enable enhanced application logs in cloud logging (including traffic and url logs)”.
    c. Associate the log forwarding profile with the security rule.
    d. Commit and push the configuration to the firewalls.

  9. Forward the rest of the device logs:
    a. Go to Templates > Device > Log Settings > System > + Add.
    b. Provide a name and select Panorama/Cloud Logging.

[Note: Cloud Logging is called Cortex Data Lake or Logging Service on older PAN-OS versions.]

    c. Follow the same steps as a and b for Configuration, User-ID, IP-Tag, HIP Match, GlobalProtect and Correlation logs.
    d. Commit and push the configuration to the firewalls.

  10. Verify log ingestion in the Strata Logging Service UI > Explore. You can also view the logs on the Panorama > Monitor page.


Use Case 3: Firewalls managed by Strata Cloud Manager

Step-1: Activate Strata Logging Service

[Note: This step is only needed if you are activating a new Strata Logging Service instance.]

  1. Activate the Strata Logging Service instance by clicking the activation link in the email, then:
    a. Select your CSP account from the “Customer Support Account” dropdown.
    b. Under “Specify the Recipient”, select the tenant or TSG where you want to deploy Strata Logging Service, or create a new TSG/tenant from the dropdown if needed.
    c. Select the region where you want your logs stored from the “Select Region” dropdown.
    d. Under “Add Strata Logging Service” select “Create New”, specify the log storage you purchased, and click Activate.

  2. Once Strata Logging Service is activated, provisioning the tenant takes 10-15 minutes; until then the Strata Logging Service app on the Hub shows “In Progress”.

  3. Once provisioning is complete, the app becomes available on the Hub and clicking it takes you to Strata Logging Service. You will also receive an email on successful provisioning.


Step-2: Install Device Certificate for Firewalls

  1. A device certificate on each firewall is a prerequisite for onboarding to Strata Cloud Manager, so each firewall must have its device certificate installed before it can connect to Strata Logging Service. Follow the steps in Install Device Certificate for Firewalls (Use Case 1, Step-2).

Step-3: Add Firewalls to Strata Logging Service

  1. Follow the steps in Add Firewalls to Strata Logging Service (Use Case 1, Step-3) to onboard the firewalls to Strata Logging Service.

Step-4: Forward logs from Strata Cloud Manager managed firewalls to Strata Logging Service

[Note: Firewalls managed by Strata Cloud Manager automatically receive default log forwarding profiles for Strata Logging Service and have Cloud Logging enabled.]

  1. To control log forwarding to Strata Logging Service, edit the security policy: go to Log Settings > Logging in Strata Logging Service and select Log at Session Start and/or Log at Session End, depending on your use case. By default every security policy rule has logging to Strata Logging Service enabled unless you have explicitly disabled it.

  2. Device logs such as System, Configuration, User-ID, HIP Match, GlobalProtect and IP-Tag logs are forwarded to Strata Logging Service by default.

  3. EAL logs are forwarded to Strata Logging Service by default.


Use Case 4: Ingest NGFW Firewall logs into Cortex XSIAM

Step-1: Install the Device Certificate on Firewalls

  1. If your firewalls are managed by Strata Cloud Manager, you can skip installing certificates, as the firewalls already have device certificates.
  2. If the firewalls are self-managed and no device certificate exists on them, follow the steps in Install Device Certificate for Firewalls (Use Case 1, Step-2).
  3. If the firewalls are managed by Panorama, skip the previous steps and instead:
    a. Install the device certificate on Panorama: Install Device Certificate for Panorama (Use Case 2, Step-2).
    b. Install the device certificates on the Panorama managed firewalls: Device certificates for Panorama Managed Firewalls (Use Case 2, Step-3).

Step-2: Add Firewalls and Panorama to the Cortex XSIAM Console

  1. Log in to the XSIAM console and go to Settings > Data Sources, search for NGFW, and click Connect > Add New Instance.
  2. Select the firewall serial number from the dropdown list and click Next.
  3. If you also have Panorama, add a Panorama instance in the same way.


Step-3: Configure Firewalls to forward the logs to Cloud Logging

  1. For self-managed firewalls, follow these steps:
    a. Configure Firewalls to Connect to Cloud Logging (Use Case 1, Step-4).
    b. Forward Firewall logs to Cloud Logging (Use Case 1, Step-5).

  2. If the firewalls are managed by Panorama, follow this instead of 1:
    a. Configure Panorama Managed Firewalls to connect to Cloud Logging (Use Case 2, Step-7).

  3. For firewalls managed by Strata Cloud Manager: Firewalls managed by Strata Cloud Manager (Use Case 3).

  4. Verify the logs in XSIAM. In the Cortex XSIAM UI go to Incident Response > Investigation > Query Center > + New XQL Query and run the query below, replacing the placeholder with the firewall's serial number:

dataset = panw_ngfw_system_raw | filter log_source_id = "<NGFW device serial number>"


Use Case 5: Ingest NGFW Firewall logs into both Strata Logging Service and Cortex XSIAM

Step-1: Activate Strata Logging Service

[Note: This step is only needed if you are activating a new Strata Logging Service instance.]

  1. Activate the Strata Logging Service instance by clicking the activation link in the email, then:
    a. Select your CSP account from the “Customer Support Account” dropdown.
    b. Under “Specify the Recipient”, select the tenant or TSG where you want to deploy Strata Logging Service, or create a new TSG/tenant from the dropdown if needed.
    c. Select the region where you want your logs stored from the “Select Region” dropdown.
    d. Under “Add Strata Logging Service” select “Create New”, specify the log storage you purchased, and click Activate.

  2. Once Strata Logging Service is activated, provisioning the tenant takes 10-15 minutes; until then the Strata Logging Service app on the Hub shows “In Progress”.

  3. Once provisioning is complete, the app becomes available on the Hub and clicking it takes you to Strata Logging Service. You will also receive an email on successful provisioning.


Step-2: Install the Device Certificate on Firewalls

  1. If your firewalls are managed by Strata Cloud Manager, you can skip installing certificates, as the firewalls already have device certificates.
  2. If the firewalls are self-managed and no device certificate exists on them, follow the steps in Install Device Certificate for Firewalls (Use Case 1, Step-2).
  3. If the firewalls are managed by Panorama, skip the previous steps and instead:
    a. Install the device certificate on Panorama: Install Device Certificate for Panorama (Use Case 2, Step-2).
    b. Install the device certificates on the Panorama managed firewalls: Device certificates for Panorama Managed Firewalls (Use Case 2, Step-3).

Step-3: Add Firewalls and Panorama to Strata Logging Service

  1. For self-managed firewalls, follow Add Firewalls to Strata Logging Service (Use Case 1, Step-3).
  2. For firewalls managed by Panorama:
    a. Add Panorama to Strata Logging Service (Use Case 2, Step-4).
    b. Add the Panorama managed firewalls to Strata Logging Service (Use Case 2, Step-5).

Step-4: Add Firewalls and Panorama to the Cortex XSIAM Console

  1. Log in to the XSIAM console and go to Settings > Data Sources, search for NGFW, and click Connect > Add New Instance.
  2. Select the firewall serial number from the dropdown list and click Next.
  3. If you also have Panorama, add a Panorama instance in the same way.


Step-5: Configure Firewalls to forward the logs to Strata Logging Service or Cloud Logging

  1. For self-managed firewalls, follow these steps:
    a. Configure Firewalls to Connect to Cloud Logging (Use Case 1, Step-4).
    b. Forward Firewall logs to Cloud Logging (Use Case 1, Step-5).

  2. For firewalls managed by Panorama:
    a. Configure Panorama Managed Firewalls to connect to Cloud Logging (Use Case 2, Step-7).

  3. For firewalls managed by Strata Cloud Manager: Firewalls managed by Strata Cloud Manager (Use Case 3).

  4. Verify the logs in the Strata Logging Service UI > Explore.

  5. Verify the logs in XSIAM. In the Cortex XSIAM UI go to Incident Response > Investigation > Query Center > + New XQL Query and run the query below, replacing the placeholder with the firewall's serial number:

dataset = panw_ngfw_system_raw | filter log_source_id = "<NGFW device serial number>"
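Running the query above once per firewall does not scale, and it cannot tell you which onboarded firewalls are missing. As an added example that is not part of this article or of Palo Alto Networks' tooling, the Python script below serves the verification step here and in Use Case 4, Step-3: it builds the same XQL over a list of serial numbers, signs requests with a Cortex XSIAM Advanced API key (SHA-256 over key, nonce and timestamp, sent in the x-xdr-* headers), polls the public XQL API, and lists every onboarded serial that produced no events in the window. The tenant URL, API key ID and key are placeholders; the sample response is constructed in the shape the get_query_results endpoint returns, so the script runs offline as shown.

```python
"""Fleet-wide check that onboarded NGFWs are actually landing in Cortex XSIAM.

Added example, not from the original article. The dataset and the log_source_id
field are the ones used in the article's XQL query; the endpoints and the Advanced
API key header scheme follow the Cortex XSIAM public API. API_BASE_URL, API_KEY_ID
and API_KEY are placeholders to replace; ONBOARDED and SAMPLE_REPLY are constructed.
"""
import hashlib
import json
import secrets
import string
import time
from urllib import request

API_BASE_URL = "https://api-<tenant>.xdr.<region>.paloaltonetworks.com"  # placeholder
API_KEY_ID = 1                                                           # placeholder
API_KEY = "replace-with-advanced-api-key"                                # placeholder


def build_ingestion_query(serials, dataset="panw_ngfw_system_raw"):
    """XQL: event count per firewall serial, restricted to the serials we onboarded."""
    quoted = ", ".join(f'"{sn}"' for sn in serials)
    return (f"dataset = {dataset} "
            f"| filter log_source_id in ({quoted}) "
            f"| comp count(_time) as events by log_source_id")


def advanced_key_headers(api_key_id, api_key, nonce=None, timestamp_ms=None):
    """Advanced API key auth: Authorization = SHA-256(api_key + nonce + timestamp)."""
    nonce = nonce or "".join(secrets.choice(string.ascii_letters + string.digits) for _ in range(64))
    timestamp_ms = timestamp_ms or int(time.time() * 1000)
    digest = hashlib.sha256(f"{api_key}{nonce}{timestamp_ms}".encode("utf-8")).hexdigest()
    return {
        "x-xdr-timestamp": str(timestamp_ms),
        "x-xdr-nonce": nonce,
        "x-xdr-auth-id": str(api_key_id),
        "Authorization": digest,
        "Content-Type": "application/json",
    }


def _post(path, body):
    """POST JSON to the public XQL API (network call; not exercised offline)."""
    req = request.Request(f"{API_BASE_URL}/public_api/v1/xql/{path}",
                          data=json.dumps(body).encode("utf-8"),
                          headers=advanced_key_headers(API_KEY_ID, API_KEY), method="POST")
    with request.urlopen(req, timeout=60) as resp:
        return json.load(resp)


def run_xql(query, hours=24, limit=1000):
    """Start the query, then poll get_query_results until the status is no longer PENDING."""
    query_id = _post("start_xql_query/", {"request_data": {
        "query": query, "tenants": [],
        "timeframe": {"relativeTime": hours * 3600 * 1000}}})["reply"]
    while True:
        reply = _post("get_query_results/", {"request_data": {
            "query_id": query_id, "pending_flag": True, "format": "json", "limit": limit}})
        if reply["reply"]["status"] != "PENDING":
            return reply
        time.sleep(5)


def ingestion_report(serials, reply):
    """Map every onboarded serial to its event count; a serial absent from the results is silent (0)."""
    rows = reply.get("reply", {}).get("results", {}).get("data", []) or []
    counts = {row["log_source_id"]: int(row["events"]) for row in rows}
    return {sn: counts.get(sn, 0) for sn in serials}


def silent_firewalls(report):
    """Serials that were onboarded but produced no events in the window."""
    return sorted(sn for sn, n in report.items() if n == 0)


# Constructed sample: two firewalls reporting, a third onboarded but silent.
ONBOARDED = ["001234567890001", "001234567890002", "001234567890003"]
SAMPLE_REPLY = {"reply": {"status": "SUCCESS", "number_of_results": 2, "results": {"data": [
    {"log_source_id": "001234567890001", "events": 1532},
    {"log_source_id": "001234567890002", "events": 7},
]}}}

if __name__ == "__main__":
    # Against a live tenant, replace SAMPLE_REPLY with run_xql(build_ingestion_query(ONBOARDED)).
    report = ingestion_report(ONBOARDED, SAMPLE_REPLY)
    print(report)
    print("silent:", silent_firewalls(report))
```

Use an Advanced key whose role is limited to running XQL queries; with the nonce and timestamp hash the raw key value is never sent on the wire. A serial that stays silent while its peers report usually points back to the earlier steps for that firewall: the device certificate, the Cloud Logging toggle and region, or rules without the log forwarding profile attached.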

 
