Palo Alto

LogZilla App Store application: Palo Alto

Overview

Palo Alto Networks PAN-OS is a next-generation firewall operating system that provides advanced threat prevention, application visibility and control, and user identification capabilities. PAN-OS devices generate comprehensive security logs for network traffic analysis and threat detection.

App Function

The Palo Alto PAN-OS app processes firewall logs and extracts security information for network monitoring, threat analysis, and compliance reporting. The app supports both Traffic and Threat log types with custom formatting.

Vendor Documentation

Configuration Requirements

IMPORTANT: PAN-OS devices must be configured with custom log formats for proper parsing by the LogZilla Palo Alto app.

Configure Syslog Hostname Format

  1. Navigate to Panorama/Device > Setup > Management
  2. Click the Edit icon in Logging and Reporting Settings section
  3. Go to the Log Export and Reporting tab
  4. Set Syslog HOSTNAME Format to ipv4-address, then click OK

Configure Syslog Server Profile

  1. Navigate to Server Profiles > Syslog and click Add
  2. Enter the server profile Name and Location (Location refers to the virtual system, if virtual systems are enabled)
  3. In the Servers tab, click Add and configure:
    • Name: Descriptive name for LogZilla server
    • Syslog Server: LogZilla server IP address
    • Transport: TCP (recommended) or UDP
    • Port: 514 (default) or custom port
    • Facility: LOG_USER (default)

Configure Custom Log Formats

Threat Log Format

Select Custom Log Format tab, choose Threat, and paste:

```text
PaloAlto_Threat type="$type" src="$src" dst="$dst" rule="$rule" srcuser="$srcuser" sessionid="$sessionid" action="$action" misc="$misc" dstloc="$dstloc" referer="$referer" http_method="$http_method" http_headers="$http_headers"
```

Traffic Log Format

Select Custom Log Format tab, choose Traffic, and paste:

```text
PaloAlto_Traffic type="$type" src="$src" dst="$dst" natsrc="$natsrc" natdst="$natdst" rule="$rule" srcuser="$srcuser" from="$from" to="$to" sessionid="$sessionid" sport="$sport" dport="$dport" natsport="$natsport" natdport="$natdport" proto="$proto" action="$action" bytes="$bytes" packets="$packets" dstloc="$dstloc" action_source="$action_source"
```

Save and commit all configuration changes.

Parsed Metadata Fields

Threat Log Fields

| Tagged Field Name | Example | Description |
|---|---|---|
| type | THREAT | Log type identifier |
| src | 192.168.1.100 | Source IP address |
| dst | 10.0.1.50 | Destination IP address |
| rule | Allow-Web | Security rule name |
| srcuser | domain\user | Source username |
| sessionid | 12345 | Session identifier |
| action | allow | Action taken |
| misc | additional-info | Miscellaneous information |
| dstloc | US | Destination location |
| referer | https://example.com | HTTP referer |
| http_method | GET | HTTP method |
| http_headers | User-Agent: ... | HTTP headers |

Traffic Log Fields

| Tagged Field Name | Example | Description |
|---|---|---|
| type | TRAFFIC | Log type identifier |
| src | 192.168.1.100 | Source IP address |
| dst | 10.0.1.50 | Destination IP address |
| natsrc | 203.0.113.1 | NAT source IP |
| natdst | 203.0.113.2 | NAT destination IP |
| rule | Allow-Web | Security rule name |
| srcuser | domain\user | Source username |
| from | trust | Source zone |
| to | untrust | Destination zone |
| sessionid | 12345 | Session identifier |
| sport | 54321 | Source port |
| dport | 443 | Destination port |
| natsport | 12345 | NAT source port |
| natdport | 443 | NAT destination port |
| proto | tcp | Protocol |
| action | allow | Action taken |
| bytes | 1024 | Bytes transferred |
| packets | 10 | Packets transferred |
| dstloc | US | Destination location |
| action_source | from-policy | Action source |

High-Cardinality (HC) Tags

  • src (Source IP)
  • dst (Destination IP)
  • rule (Security Rule)
  • action (Action Taken)

Log Examples

Threat Log Example

```text
PaloAlto_Threat type="THREAT" src="192.168.1.100" dst="203.0.113.50" rule="Allow-Web" srcuser="domain\jdoe" sessionid="54321" action="alert" misc="" dstloc="US" referer="https://example.com" http_method="GET" http_headers="User-Agent: Mozilla/5.0"
```

Traffic Log Example

```text
PaloAlto_Traffic type="TRAFFIC" src="192.168.1.100" dst="203.0.113.50" natsrc="203.0.113.1" natdst="203.0.113.50" rule="Allow-Web" srcuser="domain\jdoe" from="trust" to="untrust" sessionid="54321" sport="54321" dport="443" natsport="12345" natdport="443" proto="tcp" action="allow" bytes="2048" packets="15" dstloc="US" action_source="from-policy"
```
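The custom formats above are plain `key="value"` pairs behind a fixed prefix, which makes it easy to check, before committing the profile, that what the firewall emits matches what the app expects. The following is an added example and not code from the LogZilla app or its documentation: a small Python parser that recognises both prefixes, extracts the fields, reports any field from the tables above that is missing, and flags empty High-Cardinality tags. It is run over the two example lines from this page plus two constructed variants: one with a syslog header in front (the `<14>` PRI value is a constructed sample, consistent with facility LOG_USER at severity info) and one with a double quote inside `http_headers`, which a naive `"[^"]*"` match would truncate.

```python
import re
from typing import Dict, List, Optional

# Prefix literal from each custom log format on this page, mapped to a log type label
PREFIXES = {"PaloAlto_Threat": "threat", "PaloAlto_Traffic": "traffic"}

# Fields each custom format emits (the Parsed Metadata Fields tables above)
EXPECTED_FIELDS = {
    "threat": ["type", "src", "dst", "rule", "srcuser", "sessionid", "action",
               "misc", "dstloc", "referer", "http_method", "http_headers"],
    "traffic": ["type", "src", "dst", "natsrc", "natdst", "rule", "srcuser",
                "from", "to", "sessionid", "sport", "dport", "natsport",
                "natdport", "proto", "action", "bytes", "packets", "dstloc",
                "action_source"],
}

# High-cardinality tags the app promotes; a record with an empty one is worth flagging
HC_TAGS = ("src", "dst", "rule", "action")

# Locate the prefix anywhere in the line so a leading syslog header does not matter
_PREFIX_RE = re.compile(r"(PaloAlto_Threat|PaloAlto_Traffic)\s+(.*)$")

# key="value" pairs. The non-greedy value plus the lookahead lets a value contain a
# double quote (e.g. inside http_headers) as long as that quote is not immediately
# followed by another key=" pair or by the end of the line.
_KV_RE = re.compile(r'(\w+)="(.*?)"(?=\s+\w+="|\s*$)')


def parse_panos_custom(line: str) -> Optional[Dict[str, str]]:
    """Parse one custom-format line into a dict of fields plus '_logtype'.

    Returns None when neither configured prefix is present in the line.
    """
    m = _PREFIX_RE.search(line.rstrip("\r\n"))
    if m is None:
        return None
    fields = dict(_KV_RE.findall(m.group(2)))
    fields["_logtype"] = PREFIXES[m.group(1)]
    return fields


def missing_fields(fields: Dict[str, str]) -> List[str]:
    """Fields the custom format should carry (per log type) that were not parsed."""
    expected = EXPECTED_FIELDS[fields["_logtype"]]
    return [f for f in expected if f not in fields]


def empty_hc_tags(fields: Dict[str, str]) -> List[str]:
    """High-cardinality tags that are absent or empty in the parsed record."""
    return [t for t in HC_TAGS if not fields.get(t)]


# Constructed sample input: the two example lines from this page, followed by a
# copy carrying a syslog header and a line with an embedded double quote.
SAMPLE_LINES = [
    r'PaloAlto_Threat type="THREAT" src="192.168.1.100" dst="203.0.113.50" rule="Allow-Web" srcuser="domain\jdoe" sessionid="54321" action="alert" misc="" dstloc="US" referer="https://example.com" http_method="GET" http_headers="User-Agent: Mozilla/5.0"',
    r'PaloAlto_Traffic type="TRAFFIC" src="192.168.1.100" dst="203.0.113.50" natsrc="203.0.113.1" natdst="203.0.113.50" rule="Allow-Web" srcuser="domain\jdoe" from="trust" to="untrust" sessionid="54321" sport="54321" dport="443" natsport="12345" natdport="443" proto="tcp" action="allow" bytes="2048" packets="15" dstloc="US" action_source="from-policy"',
    r'<14>Jun  1 12:00:00 192.0.2.1 PaloAlto_Threat type="THREAT" src="192.168.1.100" dst="203.0.113.50" rule="Allow-Web" srcuser="" sessionid="1" action="alert" misc="" dstloc="US" referer="" http_method="GET" http_headers="User-Agent: "curl" 8.0"',
    # A deliberately incomplete traffic line, as seen when a format was pasted only partially
    r'PaloAlto_Traffic type="TRAFFIC" src="10.0.0.1" dst="10.0.0.2" rule="" action="deny"',
]


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        rec = parse_panos_custom(line)
        print(rec["_logtype"], "missing:", missing_fields(rec),
              "empty HC tags:", empty_hc_tags(rec))
```

The fourth sample shows the check a practitioner wants after pasting a format: the record parses, but `missing_fields` lists every field the Traffic format should have produced and `empty_hc_tags` reports `rule`, so a partially pasted or mistyped format is caught before the profile is committed. The one value this parser cannot disambiguate is a quote inside a value that happens to be followed by something shaped like ` name="`; PAN-OS does not escape quotes in custom formats, so that case has to be tolerated rather than fixed on the parser side.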