CEF Connector Configuration Guide Palo Alto Networks PAN-OS 4.0.0 February 25, 2011
Revision History

Date          Description
02/25/2011    First edition of this Configuration Guide.
03/02/2011    Certified CEF Compliant PAN-OS 4.0.0
Overview
Palo Alto Networks next-generation firewalls provide network security by enabling enterprises to see and control applications, users, and content, not just ports, IP addresses, and packets, using three unique identification technologies: App-ID, User-ID, and Content-ID. These identification technologies, found in Palo Alto Networks' enterprise firewalls, enable enterprises to create business-relevant security policies that safely enable the adoption of new applications, instead of the all-or-nothing approach offered by the traditional port-blocking firewalls used in many security infrastructures. Next-generation firewall model families include Palo Alto Networks' PA-5000 Series, PA-4000 Series, PA-2000 Series, and the PA-500, and range from 250 Mbps to 20 Gbps in throughput capacity. Delivered as a purpose-built appliance, every Palo Alto Networks next-generation firewall utilizes dedicated, function-specific processing that is tightly integrated with a single-pass software engine. This unique combination of hardware and software maximizes network throughput while minimizing latency. Each of the hardware platforms supports the same rich set of next-generation firewall features, ensuring consistent operation across the entire line.
Configuration
Configure the Palo Alto Networks device for ArcSight CEF-formatted syslog events based on information from the PAN-OS administrator's guide.
1. Open the UI and select the Device tab.
2. On the left hand side select Syslog under Server Profiles and click Add.
3. In the Syslog Server Profile dialog enter a server profile Name and Location (location refers to a Virtual System).
4. Select the Servers tab, and click Add to provide a name for the Syslog server, IP address, Port (default 514), and Facility (default LOG_USER).
5. Select the Custom Log Format tab, and click on any of the listed log types Config/System/Threat/Traffic/HIPMatch to define a custom format based on the ArcSight CEF for that log type.
The table below shows the CEF-style format that was used during the certification process for each log type. These custom formats include all the fields that are displayed in the default format of the syslogs, in a similar order. NOTE: Customers can choose to define their own CEF-style formats using the event mapping table provided in addition to this document. The Custom Log Format tab supports escaping any characters defined in the CEF as special characters. For instance, to escape the backslash and equal characters by a backslash, specify \= as the Escaped characters and \ as the Escape character.

Traffic
CEF:0|Palo Alto Networks|PAN-OS|4.0.0|$subtype|$type|1|rt=$cef-formatted-receive_time deviceExternalId=$serial src=$src dst=$dst sourceTranslatedAddress=$natsrc destinationTranslatedAddress=$natdst cs1Label=Rule cs1=$rule suser=$srcuser duser=$dstuser app=$app cs3Label=Virtual System cs3=$vsys cs4Label=Source Zone cs4=$from cs5Label=Destination Zone cs5=$to deviceInboundInterface=$inbound_if deviceOutboundInterface=$outbound_if cs6Label=LogProfile cs6=$logset cn1Label=SessionID cn1=$sessionid cnt=$repeatcnt spt=$sport dpt=$dport sourceTranslatedPort=$natsport destinationTranslatedPort=$natdport flexString1Label=Flags flexString1=$flags proto=$proto act=$action flexNumber1Label=Total bytes flexNumber1=$bytes cn2Label=Packets cn2=$packets start=$cef-formatted-time_generated cn3Label=Elapsed time in seconds cn3=$elapsed cs2Label=URL Category cs2=$category

Threat
CEF:0|Palo Alto Networks|PAN-OS|4.0.0|$subtype $threatid|$type|$number-of-severity|rt=$cef-formatted-receive_time deviceExternalId=$serial src=$src dst=$dst sourceTranslatedAddress=$natsrc destinationTranslatedAddress=$natdst cs1Label=Rule cs1=$rule suser=$srcuser duser=$dstuser app=$app cs3Label=Virtual System cs3=$vsys cs4Label=Source Zone cs4=$from cs5Label=Destination Zone cs5=$to deviceInboundInterface=$inbound_if deviceOutboundInterface=$outbound_if cs6Label=LogProfile cs6=$logset cn1Label=SessionID cn1=$sessionid cnt=$repeatcnt spt=$sport dpt=$dport sourceTranslatedPort=$natsport destinationTranslatedPort=$natdport flexString1Label=Flags flexString1=$flags proto=$proto act=$action msg=$misc cs2Label=URL Category cs2=$category deviceDirection=$direction

Config
CEF:0|Palo Alto Networks|PAN-OS|4.0.0|$subtype $result|$type|1|rt=$cef-formatted-receive_time deviceExternalId=$serial dvchost=$host cs3Label=Virtual System cs3=$vsys act=$cmd duser=$admin destinationServiceName=$client msg=$path

System
CEF:0|Palo Alto Networks|PAN-OS|4.0.0|$subtype $eventid|$type $eventid|$number-of-severity|rt=$cef-formatted-receive_time deviceExternalId=$serial cs3Label=Virtual System cs3=$vsys fname=$object flexString2Label=Module flexString2=$module msg=$fmt

HIP Match
CEF:0|Palo Alto Networks|PAN-OS|4.0.0|$subtype $hip|$type $hiptype|1|rt=$cef-formatted-receive_time deviceExternalId=$serial suser=$srcuser cs3Label=Virtual System cs3=$vsys shost=$machinename src=$src cnt=$repeatcnt
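As an added example that is not part of this guide or of PAN-OS, the following Python parser reads a record in the certified Traffic format above: it splits the header only on unescaped pipes, tokenises the extension on key= boundaries while honouring the \= and \\ escaping configured on the Custom Log Format tab, checks the severity range the CEF header requires, and resolves the csNLabel/csN pairs into named fields. The sample event, its serial number, addresses and rule name are constructed placeholders.

```python
import re
from typing import Dict

# Constructed sample (not from the guide): a PAN-OS 4.0.0 Traffic event in the
# certified Traffic format above. Serial, addresses and rule name are placeholders;
# the rule name carries an escaped "=" and the user name an escaped backslash, as
# the "\=" / "\" escaping configured on the Custom Log Format tab would emit.
SAMPLE_TRAFFIC = (
    "CEF:0|Palo Alto Networks|PAN-OS|4.0.0|end|TRAFFIC|1|"
    "rt=Feb 25 2011 10:15:30 deviceExternalId=0001A0000001 src=10.1.1.5 dst=192.168.10.1 "
    "cs1Label=Rule cs1=allow\\=web suser=corp\\\\jdoe app=web-browsing "
    "cs4Label=Source Zone cs4=trust cs5Label=Destination Zone cs5=untrust "
    "spt=51234 dpt=80 proto=tcp act=allow flexNumber1Label=Total bytes flexNumber1=4096"
)

HEADER_FIELDS = ("version", "device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity")

def _unescape(value: str) -> str:
    """Undo CEF escaping: \\| \\= \\\\ become the literal character, \\n a newline."""
    return re.sub(r"\\(.)", lambda m: "\n" if m.group(1) == "n" else m.group(1), value)

def parse_cef(line: str) -> Dict[str, object]:
    """Split one CEF record into its 7 header fields plus an 'extension' dict."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF record")
    # Only an unescaped '|' delimits the header; the 8th piece is the extension.
    parts = re.split(r"(?<!\\)\|", line[len("CEF:"):], maxsplit=7)
    if len(parts) != 8:
        raise ValueError("CEF header must have 7 pipe-delimited fields")
    rec: Dict[str, object] = {k: _unescape(v) for k, v in zip(HEADER_FIELDS, parts[:7])}
    rec["version"], rec["severity"] = int(parts[0]), int(parts[6])
    if not 0 <= int(parts[6]) <= 10:  # CEF permits severities 0..10 only
        raise ValueError(f"severity out of range: {parts[6]}")
    ext: Dict[str, str] = {}
    # A key is a run of word characters directly followed by an unescaped '=';
    # its value runs up to the next key, so values may legitimately contain spaces.
    keys = list(re.finditer(r"(?:^|\s)(\w+)=", parts[7]))
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(parts[7])
        ext[m.group(1)] = _unescape(parts[7][m.end():end])
    rec["extension"] = ext
    return rec

def labelled_fields(ext: Dict[str, str]) -> Dict[str, str]:
    """Resolve csNLabel/csN, cnNLabel/cnN and flex*Label pairs into {label: value}."""
    return {label: ext[key[:-5]] for key, label in ext.items()
            if key.endswith("Label") and key[:-5] in ext}
```

An = or | that the firewall did not escape would shift every field that follows it, which is why the Escaped characters setting above matters for fields such as rule names, user names and URLs.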
Screen Shot
Shown below is a screenshot of the Active Channel page on the ArcSight CEF Server showing the events generated by a Palo Alto Networks Device.
Events
The different log types for which syslogs are generated include TRAFFIC, THREAT, CONFIG, SYSTEM, and HIP MATCH. For the SYSTEM events, the $eventid field captures the specific event associated with that log. Refer to the System Logs document for a listing of all the events grouped by the system area.
Prefix fields
Each entry gives the CEF header field name, its data type, its meaning, and the value Palo Alto Networks places in it.

Version
  Data type: Integer
  Meaning: Identifies the version of the CEF format.
  Palo Alto Networks value: 0

Device Vendor
  Palo Alto Networks value: Palo Alto Networks

Device Product
  Palo Alto Networks value: PAN-OS

Device Version
  Palo Alto Networks value: Configurable. E.g. 4.0.0

Signature ID
  Meaning: Unique identifier per event-type.
  Palo Alto Networks value: event-type specific. Traffic: $subtype; Threat: $subtype $threatid; Config: $subtype $result; System: $subtype $eventid; HIP: $subtype $hip

Name
  Data type: String
  Meaning: Represents a human-readable and understandable description of the event.
  Palo Alto Networks value: event-type specific. Traffic: $type; Threat: $type; Config: $type; System: $type $eventid; HIP Match: $type $hiptype

Severity
  Data type: Integer
  Meaning: Reflects the importance of the event. Only numbers from 0 to 10 are allowed, where 10 indicates the most important event.
  Palo Alto Networks value: $number-of-severity. Always 1 for traffic, config, and HIP events.
Extension Dictionary
Each entry lists the CEF key name with its full name, the data type and maximum length, the meaning from the CEF dictionary, and the Palo Alto Networks value or log field that populates it.

act (deviceAction)
  Data type: String, length 63
  Palo Alto Networks value: event-type specific. Traffic: $action; Threat: $action; Config: $cmd

app (applicationProtocol)
  Data type: String, length 31
  Meaning: Application level protocol; example values are HTTP, HTTPS, SSHv2, Telnet, POP, IMAP, IMAPS, etc.
  Palo Alto Networks value: $app

cat (deviceEventCategory)
  Data type: String, length 1023
  Meaning: Represents the category assigned by the originating device. Devices oftentimes use their own categorization schema to classify events.

cn1 (deviceCustomNumber1)
  Data type: Long
  Palo Alto Networks value: SessionID, $sessionid

cn1Label (deviceCustomNumber1Label)
  Data type: String, length 1023
  Palo Alto Networks value: SessionID

cn2 (deviceCustomNumber2)
  Data type: Long
  Palo Alto Networks value: Packets, $packets

cn2Label (deviceCustomNumber2Label)
  Data type: String, length 1023
  Palo Alto Networks value: Packets

cn3 (deviceCustomNumber3)
  Data type: Long
  Palo Alto Networks value: Elapsed time, $elapsed

cn3Label (deviceCustomNumber3Label)
  Data type: String, length 1023
  Palo Alto Networks value: Elapsed time in seconds

cnt (baseEventCount)
  Data type: Integer
  Meaning: A count associated with this event. How many times was this same event observed?
  Palo Alto Networks value: $repeatcnt

cs1 (deviceCustomString1)
  Data type: String, length 1023
  Palo Alto Networks value: Rule, $rule

cs1Label (deviceCustomString1Label)
  Data type: String, length 1023
  Palo Alto Networks value: Rule

cs2 (deviceCustomString2)
  Data type: String, length 1023
  Palo Alto Networks value: URL Category, $category

cs2Label (deviceCustomString2Label)
  Data type: String, length 1023
  Palo Alto Networks value: URL Category

cs3 (deviceCustomString3)
  Data type: String, length 1023
  Palo Alto Networks value: Vsys, $vsys

cs3Label (deviceCustomString3Label)
  Data type: String, length 1023
  Palo Alto Networks value: Virtual System

cs4 (deviceCustomString4)
  Data type: String, length 1023
  Palo Alto Networks value: Srczone, $from

cs4Label (deviceCustomString4Label)
  Data type: String, length 1023
  Palo Alto Networks value: Source Zone

cs5 (deviceCustomString5)
  Data type: String, length 1023
  Palo Alto Networks value: Dstzone, $to

cs5Label (deviceCustomString5Label)
  Data type: String, length 1023
  Palo Alto Networks value: Destination Zone

cs6 (deviceCustomString6)
  Data type: String, length 1023
  Palo Alto Networks value: LogProfile, $logset

cs6Label (deviceCustomString6Label)
  Data type: String, length 1023
  Palo Alto Networks value: LogProfile

destinationServiceName
  Data type: String, length 1023
  Palo Alto Networks value: Config: $client

destinationTranslatedAddress
  Data type: IPv4 Address
  Meaning: Identifies the translated destination that the event refers to in an IP network. The format is an IPv4 address. Example: 192.168.10.1
  Palo Alto Networks value: $natdst

destinationTranslatedPort
  Data type: Integer
  Meaning: Port after it was translated, for example by a firewall. Valid port numbers are 0 to 65535.
  Palo Alto Networks value: $natdport

deviceDirection
  Data type: String
  Meaning: Any information about what direction the communication that was observed has taken.
  Palo Alto Networks value: $direction

deviceExternalId
  Data type: String, length 255
  Meaning: A name that uniquely identifies the device generating this event.
  Palo Alto Networks value: Serial Number of the device, $serial

deviceInboundInterface
  Data type: String, length 15
  Meaning: Interface on which the packet or data entered the device.
  Palo Alto Networks value: $inbound_if

deviceOutboundInterface
  Data type: String, length 15
  Meaning: Interface on which the packet or data left the device.
  Palo Alto Networks value: $outbound_if

dpt (destinationPort)
  Data type: Integer
  Meaning: The valid port numbers are between 0 and 65535.
  Palo Alto Networks value: $dport

dst (destinationAddress)
  Data type: IPv4 Address
  Meaning: Identifies the destination that the event refers to in an IP network. The format is an IPv4 address. Example: 192.168.10.1
  Palo Alto Networks value: $dst

duser (destinationUserName)
  Data type: String, length 1023
  Meaning: Identifies the destination user by name. This is the user associated with the event's destination. Email addresses are also mapped into the UserName fields. The recipient is a candidate to put into destinationUserName.
  Palo Alto Networks value: Traffic and Threat: $dstuser; Config: $admin

dvchost (deviceHostName)
  Data type: String, length 100
  Meaning: The format should be a fully qualified domain name associated with the device node, when a node is available. Examples: host.domain.com or host.
  Palo Alto Networks value: $host

flexNumber1
  Meaning: Total bytes (rx and tx)
  Palo Alto Networks value: $bytes

flexNumber1Label
  Palo Alto Networks value: Total bytes

flexString1
  Palo Alto Networks value: Flags, $flags

flexString1Label
  Palo Alto Networks value: Flags

flexString2
  Palo Alto Networks value: event-type specific. System: $module

flexString2Label
  Palo Alto Networks value: Module

in (bytesIn)
  Data type: Integer
  Meaning: Number of bytes transferred inbound. Inbound relative to the source to destination relationship, meaning that data was flowing from source to destination.
  Palo Alto Networks value: $bytes_received

msg (Message)
  Data type: String, length 1023
  Meaning: An arbitrary message giving more details about the event. Multiline entries can be produced by using \n as the new-line separator.
  Palo Alto Networks value: event-type specific. Threat: $misc; System: $fmt; Config: $path

out (bytesOut)
  Data type: Integer
  Meaning: Number of bytes transferred outbound. Outbound relative to the source to destination relationship, meaning that data was flowing from destination to source.
  Palo Alto Networks value: $bytes_sent

proto (transportProtocol)
  Data type: String, length 31
  Meaning: Identifies the Layer-4 protocol used. The possible values are protocol names such as TCP or UDP.
  Palo Alto Networks value: $proto

rt (receiptTime)
  Data type: Time Stamp
  Meaning: The time at which the event related to the activity was received. The format is MMM dd yyyy HH:mm:ss or milliseconds since epoch (Jan 1st 1970).
  Palo Alto Networks value: $cef-formatted-receive_time

shost (sourceHostName)
  Data type: String, length 1023
  Meaning: Identifies the source that an event refers to in an IP network. The format should be a fully qualified domain name associated with the source node, when a node is available. Examples: host.domain.com or host.
  Palo Alto Networks value: HIP Match: $machinename

sourceTranslatedAddress
  Data type: IPv4 Address
  Meaning: Identifies the translated source that the event refers to in an IP network. The format is an IPv4 address. Example: 192.168.10.1
  Palo Alto Networks value: $natsrc

sourceTranslatedPort
  Data type: Integer
  Meaning: Port after it was translated, for example by a firewall. Valid port numbers are 0 to 65535.
  Palo Alto Networks value: $natsport

spt (sourcePort)
  Data type: Integer
  Meaning: The valid port numbers are 0 to 65535.
  Palo Alto Networks value: $sport

src (sourceAddress)
  Data type: IPv4 Address
  Meaning: Identifies the source that an event refers to in an IP network. The format is an IPv4 address. Example: 192.168.10.1
  Palo Alto Networks value: $src

start (startTime)
  Data type: Time Stamp
  Meaning: The time when the activity the event referred to started. The format is MMM dd yyyy HH:mm:ss or milliseconds since epoch (Jan 1st 1970).
  Palo Alto Networks value: $cef-formatted-time_generated

suser (sourceUserName)
  Data type: String, length 1023
  Meaning: Identifies the source user by name. E-mail addresses are also mapped into the UserName fields. The sender is a candidate to put into sourceUserName.
  Palo Alto Networks value: $srcuser