Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Announcement: Try the Ask AI chatbot for answers to your technical questions about Juniper products and solutions.

close
header-navigation

Solutions

Featured solutions AI Campus and branch Data center WAN Security Service provider Cloud operator Industries
Campus and Branch

Welcome to the NOW Way to Wi-Fi

Take your networking performance to new heights with a modern, cloud-native, AI-Native architecture. Only Juniper can help you unleash the full potential of Wi-Fi 7 with our AI-Native platform for innovation.
Prepare for liftoff
Business intelligence analyst dashboard on virtual screen. Big data Graphs Charts.

AI Data Center Networking

Juniper’s AI data center solution is a quick way to deploy high performing AI training and inference networks that are the most flexible to design and easiest to manage with limited IT resources.
Find out more
Enterprise AI-Native Networking

Enterprise AI‑Native Routing

Juniper's Ai-Native routing solution delivers robust 400GbE and 800GbE capabilities for unmatched performance, reliability, and sustainability at scale.
Explore enterprise routing
Zero trust security

Ops4AI Lab

Visit our lab in Sunnyvale, CA and see our AI data center solution for yourself. You can try out your own model’s functionality and performance, too.
Visit the lab
Enterprise AI-Native Networking

Enterprise AI‑Native Routing

Juniper's Ai-Native routing solution delivers robust 400GbE and 800GbE capabilities for unmatched performance, reliability, and sustainability at scale.
Explore enterprise routing
Higher Education

Shaping Student Experiences: The NOW Way to Build Higher Education Networks

Juniper Networks CIO Sharon Mandell and a virtual summit of C-level IT leaders from prestigious institutions discuss ongoing efforts to support digital transformation on campus.
Watch now
Hand on tablet with healthcare overlay of graphics

Security in healthcare

In this IDC Spotlight report, discover how AI networking can automate and strengthen a healthcare ecosystem to defeat criminals and prevent loss. 
Gain insights into ecosystem security
Retail

The Future of In-Store Technologies

Retail experts Kevin McCartan, Senior IT Service Delivery Engineer at Musgrave; Jack Stratten of Insider Trends; and Christian Gilby, Senior Director of Product Marketing at Juniper Networks, discuss customer experiences.
See the future

Products

Wireless access Wired access SD-WAN / SASE Routing and switching Security Mist AI™ Management software Network operating system Blueprint for AI-Native Acceleration Optics
  • Operations
ACX7020 router

Juniper ACX7020 Cloud Metro Access Router

Legacy networks simply cannot meet the demands of today’s rapidly evolving metro landscape. Unlock a new generation of highly scalable architectures and automated operations with the Juniper ACX7020. 
Learn more
EX4000 Ethernet Switch

Next-gen AI-Native EX4000 line of switches

Lack of AI innovation from your current networking vendor slowing you down? Embrace Juniper’s cloud-native, AI-Native access switches that support every level and layer, across nearly every deployment.
Discover how
The Q and AI text with an image of Bob Friday and Kedar Dhuru.

The Q&AI Podcast

Delivering practical solutions and enriching discussions, this podcast series is a vital resource for those seeking an in-depth exploration of AI's transformative potential.
Catch the latest episode

Services

Services
Services AI Care

Juniper AI Care Services Revolutionize Your Service Experience

Our industry-first AI-Native services couple AIOps with our deep expertise across the full network life cycle. You can move from reactive response to proactive insight and action.
Explore AI Care Services
Services AI Data Center

Juniper AI Data Center Deployment Services Optimize Your AI Model Runs

We use our expertise and validated designs to help design, deploy, validate and tune networks, including GPUs and storage, to get the most from your AI infrastructure operation.
Learn about AI Data Center Deployment Services

Partners

Partners

Support and Documentation

Support and Documentation

Learn

About Juniper Training Events The Feed Resources Technology learning topics Thought leadership and insights
Audience raising hands up while businessman is speaking in training at the office.

Juniper certification and training news

See the latest
Ringing of the bell

All global events

See the latest
AI-native-now

AI-Native NOW event series

Explore events
AINN AI Innovation Impact Virtual Event

AI-Native NOW: AI Innovation and Impact

Register NOW
Juniper's Christina Hendrix at the head of a conference table. With the text "The NOW Way to Network" overlayed, with "NOW" emphasizing the "O" in green color.

The NOW Way to Network

Watch the video series
AI Native Now

Executive insights

Dive deep with leading experts and thought leaders on all the topics that matter most to your business, from AI to network security to driving rapid, relevant transformation for your business.
Learn more
A keynote speaker giving a presentation at a conference. There are dozens of people sitting around them. The presentation is displayed via projector on all the walls in the room.

Leadership voices

Juniper Networks’ leaders operate on the front lines of creating the network of the future. Take a look around to see what’s on their minds.
Watch now
Bob Friday and Jessica Garrison speaking

Bob Friday Talks

Join Bob as he ventures into all the knowns -- and -- unknowns -- of AI.
Catch the latest episode
Documentation
Menu
License Guide
Quick Starts
Validated Designs
Home Documentation JSA Series Virtual Appliance Juniper Secure Analytics Configuring DSMs Guide Palo Alto Networks

Juniper Secure Analytics Configuring DSMs Guide

keyboard_arrow_up
close
keyboard_arrow_left
Juniper Secure Analytics Configuring DSMs Guide
Table of Contents Expand all
list Table of Contents
file_download PDF
{ "lLangCode": "en", "lName": "English", "lCountryCode": "us", "transcode": "en_US" }
English
ON THIS PAGE
keyboard_arrow_right

Palo Alto Networks PA Series

date_range 16-May-22
arrow_backward
arrow_forward

Use the JSA DSM for Palo Alto PA Series to collect events from Palo Alto PA Series, Next Generation Firewall logs, and Prisma Access logs, by using Cortex Data Lake.

To send events from Palo Alto PA Series to JSA, complete the following steps:

  1. If automatic updates are not enabled, download the most recent version of the following RPMs from the Juniper Downloads.

    • DSMCommon RPM
    • TLS Syslog Protocol RPM
    • Palo Alto PA Series DSM RPM

  2. Configure your Palo Alto PA Series device to send events to JSA.

  3. If JSA does not automatically detect the Palo Alto PA Series as a log source, add a Palo Alto PA Series log source on the JSA Console.

Palo Alto PA DSM Specifications

The following table identifies the specifications for the Palo Alto PA Series DSM:

Table 1: DSM Specifications for Palo Alto PA Series

Specification

Value

Manufacturer

Palo Alto Networks

DSM name

Palo Alto PA Series

RPM file name

DSM-PaloAltoPaSeries-JSA_version-build_number.noarch.rpm

Event format

LEEF for PAN-OS v3.0 to v9.1, and Prisma Access v2.1

CEF for PAN-OS v4.0 to v6.1. (CEF:0 is supported)

JSA recorded log types

Traffic

Threat

Config

System

HIP Match

Data

WildFire

Authentication

Tunnel Inspection

Correlation

URL Filtering

User-ID

SCTP

File Data

GTP

HIP Match

IP-Tag

Global Protect -

Note:

To use this log type, you must enable the EventStatus field in Palo Alto.

Decryption

Automatically discovered?

Yes

Includes identity?

Yes

Includes custom properties?

No

More information

Palo Alto Networks website

Creating a Syslog Destination on Your Palo Alto PA Series Device

To send Palo Alto PA Series events to JSA, create a Syslog destination (Syslog or LEEF event format) on your Palo Alto PA Series device.

Note:

Palo Alto can send only one format to all Syslog devices. By modifying the Syslog format, any other device that requires Syslog must support that same format.

  1. Log in to the Palo Alto Networks interface.

  2. On the Device tab, click Server Profiles > Syslog, and then click Add.

  3. Create a Syslog destination by following these steps:

    1. In the Syslog Server Profile dialog box, click Add.

    2. Specify the name, server IP address, port, and facility of the JSA system that you want to use as a syslog server.

    3. If you are using Syslog, set the Custom Format column to Default for all log types.

  4. Configure LEEF events by following these steps:

    Note:

    Due to formatting issues, copy the text into a text editor, remove any carriage return or line feed characters, and then paste it into the appropriate field.

    1. Click the Config Log Format tab in the Syslog Server Profile dialog.

    2. Click Config, copy the following text and paste it in the Config Log Format column for the Config log type.

      • PAN-OS v3.0 - v6.1--

        content_copy zoom_out_map
        LEEF:2.0|Palo Alto Networks|PAN-OS Syslog
Integration|4.0|$result|x7C|cat=$type|
usrName=$admin|src=$host|devTime=$cefformatted-
receive_time|client=$client|
sequence=$seqno|serial=$serial|msg=$cmd

      • PAN-OS v7.1 - v9.1--

        content_copy zoom_out_map
        LEEF:2.0|Palo Alto Networks|PAN-OS
Syslog Integration|$sender_sw_version|
$result|x7C|ReceiveTime=$receive_time|
SerialNumber=$serial|cat=$type|
devTime=$cef-formatted-receive_time|
src=$host|VirtualSystem=$vsys|
msg=$cmd|usrName=$admin|client=$client|
Result=$result|ConfigurationPath=$path|
sequence=$seqno|ActionFlags=$actionflags|
BeforeChangeDetail=$before-change-detail|
AfterChangeDetail=$after-change-detail|
DeviceGroupHierarchyL1=$dg_hier_level_1|
DeviceGroupHierarchyL2=$dg_hier_level_2|
DeviceGroupHierarchyL3=$dg_hier_level_3|
DeviceGroupHierarchyL4=$dg_hier_level_4|
vSrcName=$vsys_name|
DeviceName=$device_name

    3. Click System, copy one of the following texts applicable to the version you are using and paste it in the System Log Format field for the System log type. If your version is not listed, omit this step.

      • PAN-OS v3.0 - v6.1--

        content_copy zoom_out_map
        LEEF:2.0|Palo Alto Networks|PANOS
Syslog Integration|4.0|$eventid|x7C|
cat=$type|Subtype=$subtype|devTime=$cefformatted-
receive_time|sev=$severity|
Severity=$number-of-severity|msg=$opaque|
Filename=$object

      • PAN-OS v7.1 - v9.1--

        content_copy zoom_out_map
        LEEF:2.0|Palo Alto Networks|PAN-OS
Syslog Integration|$sender_sw_version|
$eventid|x7C|ReceiveTime=$receive_time|
SerialNumber=$serial|cat=$type|
Subtype=$subtype|devTime=$cef-formattedreceive_
time|VirtualSystem=$vsys|
Filename=$object|Module=$module|
sev=$number-of-severity|
Severity=$severity|msg=$opaque|
sequence=$seqno|ActionFlags=$actionflags|
DeviceGroupHierarchyL1=$dg_hier_level_1|
DeviceGroupHierarchyL2=$dg_hier_level_2|
DeviceGroupHierarchyL3=$dg_hier_level_3|
DeviceGroupHierarchyL4=$dg_hier_level_4|
vSrcName=$vsys_name|
DeviceName=$device_name

    4. Click Threat, copy one of the following texts applicable to the version you are using, paste it in the Threat Log Format filed for the Threat log type. If your version is not listed, omit this step.

      • PAN-OS v3.0 - v6.1--

        content_copy zoom_out_map
        LEEF:2.0|Palo Alto Networks|
PAN-OS Syslog Integration|4.0|
$threatid|x7C|cat=$type|Subtype=$subtype|
src=$src|dst=$dst|srcPort=$sport|
dstPort=$dport|proto=$proto|
usrName=$srcuser|SerialNumber=$serial|
srcPostNAT=$natsrc|dstPostNAT=$natdst|
RuleName=$rule|SourceUser=$srcuser|
DestinationUser=$dstuser|
Application=$app|VirtualSystem=$vsys|
SourceZone=$fromDestinationZone=$to|
IngressInterface=$inbound_if|
EgressInterface=$outbound_if|
LogForwardingProfile=$logset|
SessionID=$sessionid|
RepeatCount=$repeatcnt|
srcPostNATPort=$natsport|
dstPostNATPort=$natdport|
Flags=$flags|URLCategory=$category|
sev=$severity|Severity=$numberof-
severity|Direction=$direction|
ContentType=$contenttype|action=$action|
Miscellaneous=$misc

      • PAN-OS v7.1--

        content_copy zoom_out_map
        LEEF:2.0|Palo Alto Networks|PAN-OS
Syslog Integration|$sender_sw_version|
$threatid|x7C|ReceiveTime=$receive_time|
SerialNumber=$serial|cat=$type|
Subtype=$subtype|devTime=$cefformatted-
receive_time|src=$src|
dst=$dst|srcPostNAT=$natsrc|
dstPostNAT=$natdst|RuleName=$rule|
usrName=$srcuser|SourceUser=$srcuser|
DestinationUser=$dstuser|
Application=$app|VirtualSystem=$vsys|
SourceZone=$from|DestinationZone=$to|
IngressInterface=$inbound_if|
EgressInterface=$outbound_if|
LogForwardingProfile=$logset|
SessionID=$sessionid|
RepeatCount=$repeatcnt|srcPort=$sport|
dstPort=$dport|srcPostNATPort=$natsport|
dstPostNATPort=$natdport|Flags=$flags|
proto=$proto|action=$action|
Miscellaneous=$misc|ThreatID=$threatid|
URLCategory=$category|sev=$numberof-
severity|Severity=$severity|
Direction=$direction|sequence=$seqno|
ActionFlags=$actionflags|
SourceLocation=$srcloc|
DestinationLocation=$dstloc|
ContentType=$contenttype|
PCAP_ID=$pcap_id|FileDigest=$filedigest|
Cloud=$cloud|URLIndex=$url_idx|
UserAgent=$user_agent|FileType=$filetype|
identSrc=$xff|Referer=$referer|
Sender=$sender|Subject=$subject|
Recipient=$recipient|ReportID=$reportid|
DeviceGroupHierarchyL1=$dg_hier_level_1|
DeviceGroupHierarchyL2=$dg_hier_level_2|
DeviceGroupHierarchyL3=$dg_hier_level_3|
DeviceGroupHierarchyL4=$dg_hier_level_4|
vSrcName=$vsys_name|
DeviceName=$device_name

      • PAN-OS v8.0 - 9.1--

        content_copy zoom_out_map
        LEEF:2.0|Palo Alto Networks|PAN-OS
Syslog Integration|$sender_sw_version|
$threatid|x7C|ReceiveTime=$receive_time|
SerialNumber=$serial|cat=$type|
Subtype=$subtype|devTime=$cefformatted-
receive_time|src=$src|
dst=$dst|srcPostNAT=$natsrc|
dstPostNAT=$natdst|RuleName=$rule|
usrName=$srcuser|SourceUser=$srcuser|
DestinationUser=$dstuser|
Application=$app|VirtualSystem=$vsys|
SourceZone=$from|DestinationZone=$to|
IngressInterface=$inbound_if|
EgressInterface=$outbound_if|
LogForwardingProfile=$logset|
SessionID=$sessionid|
RepeatCount=$repeatcnt|srcPort=$sport|
dstPort=$dport|srcPostNATPort=$natsport|
dstPostNATPort=$natdport|Flags=$flags|
proto=$proto|action=$action|
Miscellaneous=$misc|ThreatID=$threatid|
URLCategory=$category|sev=$numberof-
severity|Severity=$severity|
Direction=$direction|sequence=$seqno|
ActionFlags=$actionflags|
SourceLocation=$srcloc|
DestinationLocation=$dstloc|
ContentType=$contenttype|
PCAP_ID=$pcap_id|FileDigest=$filedigest|
Cloud=$cloud|URLIndex=$url_idx|
RequestMethod=$http_method|
Subject=$subject|
DeviceGroupHierarchyL1=$dg_hier_level_1|
DeviceGroupHierarchyL2=$dg_hier_level_2|
DeviceGroupHierarchyL3=$dg_hier_level_3|
DeviceGroupHierarchyL4=$dg_hier_level_4|
vSrcName=$vsys_name|
DeviceName=$device_name|
SrcUUID=$src_uuid|DstUUID=$dst_uuid|
TunnelID=$tunnelid|MonitorTag=$monitortag|
ParentSessionID=$parent_session_id|
ParentStartTime=$parent_start_time|
TunnelType=$tunnel|
ThreatCategory=$thr_category|
ContentVer=$contentver

    5. Click Traffic, copy one of the following texts applicable to the version you are using and paste it in the Traffic Log Format field for the Traffic log type. If your version is not listed, omit this step.

      • PAN-OS v3.0 - v6.1--

        content_copy zoom_out_map
        LEEF:2.0|Palo Alto Networks|PAN-OS Syslog
Integration|4.0|$action|x7C|cat=$type|
src=$src|dst=$dst|srcPort=$sport|
dstPort=$dport|proto=$proto|
usrName=$srcuser| SerialNumber=$serial|
Type=$type|Subtype=$subtype|
srcPostNAT=$natsrc|dstPostNAT=$natdst|
RuleName=$rule|SourceUser=$srcuser|
DestinationUser=$dstuser|
Application=$app| VirtualSystem=$vsys|
SourceZone=$from|DestinationZone=$to|
IngressInterface=$inbound_if|
EgressInterface=$outbound_if|
LogForwardingProfile=$logset|
SessionID=$sessionid|
RepeatCount=$repeatcnt|
srcPostNATPort=$natsport|
dstPostNATPort=$natdport|Flags=$flags|
totalBytes=$bytes|totalPackets=$packets|
ElapsedTime=$elapsed|
URLCategory=$category|
dstBytes=$bytes_received|
srcBytes=$bytes_sent|action=$action

      • PAN-OS v7.1--

        content_copy zoom_out_map
        LEEF:2.0|Palo Alto Networks|PAN-OS Syslog
Integration|$sender_sw_version|$action|
x7C|cat=$type|ReceiveTime=$receive_time|
SerialNumber=$serial|Type=$type|
Subtype=$subtype|devTime=$cefformatted-
receive_time|src=$src|
dst=$dst|srcPostNAT=$natsrc|
dstPostNAT=$natdst|RuleName=$rule|
usrName=$srcuser|SourceUser=$srcuser|
DestinationUser=$dstuser|
Application=$app|VirtualSystem=$vsys|
SourceZone=$from|DestinationZone=$to|
IngressInterface=$inbound_if|
EgressInterface=$outbound_if|
LogForwardingProfile=$logset|
SessionID=$sessionid|
RepeatCount=$repeatcnt|srcPort=$sport|
dstPort=$dport|srcPostNATPort=$natsport|
dstPostNATPort=$natdport|
Flags=$flags|proto=$proto|
action=$action|totalBytes=$bytes|
dstBytes=$bytes_received|
srcBytes=$bytes_sent|
totalPackets=$packets|
StartTime=$start|ElapsedTime=$elapsed|
URLCategory=$category|sequence=$seqno|
ActionFlags=$actionflags|
SourceLocation=$srcloc|
DestinationLocation=$dstloc|
dstPackets=$pkts_received|
srcPackets=$pkts_sent|
SessionEndReason=$session_end_reason|
DeviceGroupHierarchyL1=$dg_hier_level_1|
DeviceGroupHierarchyL2=$dg_hier_level_2|
DeviceGroupHierarchyL3=$dg_hier_level_3|
DeviceGroupHierarchyL4=$dg_hier_level_4|
vSrcName=$vsys_name|
DeviceName=$device_name|
ActionSource=$action_source

      • PAN-OS v8.0 - 9.1--

        content_copy zoom_out_map
        LEEF:2.0|Palo Alto Networks|PAN-OS Syslog
Integration|$sender_sw_version|$action|
x7C|cat=$type|ReceiveTime=$receive_time|
SerialNumber=$serial|Type=$type|
Subtype=$subtype|devTime=$cefformatted-
receive_time|src=$src|
dst=$dst|srcPostNAT=$natsrc|
dstPostNAT=$natdst|RuleName=$rule|
usrName=$srcuser|SourceUser=$srcuser|
DestinationUser=$dstuser|
Application=$app|VirtualSystem=$vsys|
SourceZone=$from|DestinationZone=$to|
IngressInterface=$inbound_if|
EgressInterface=$outbound_if|
LogForwardingProfile=$logset|
SessionID=$sessionid|
RepeatCount=$repeatcnt|srcPort=$sport|
dstPort=$dport|srcPostNATPort=$natsport|
dstPostNATPort=$natdport|
Flags=$flags|proto=$proto|
action=$action|totalBytes=$bytes|
dstBytes=$bytes_received|
srcBytes=$bytes_sent|
totalPackets=$packets|
StartTime=$start|ElapsedTime=$elapsed|
URLCategory=$category|sequence=$seqno|
ActionFlags=$actionflags|
SourceLocation=$srcloc|
DestinationLocation=$dstloc|
dstPackets=$pkts_received|
srcPackets=$pkts_sent|
SessionEndReason=$session_end_reason|
DeviceGroupHierarchyL1=$dg_hier_level_1|
DeviceGroupHierarchyL2=$dg_hier_level_2|
DeviceGroupHierarchyL3=$dg_hier_level_3|
DeviceGroupHierarchyL4=$dg_hier_level_4|
vSrcName=$vsys_name|
DeviceName=$device_name|
ActionSource=$action_source|
SrcUUID=$src_uuid|DstUUID=$dst_uuid|
TunnelID=$tunnelid|MonitorTag=$monitortag|
ParentSessionID=$parent_session_id|
ParentStartTime=$parent_start_time|
TunnelType=$tunnel

    6. If you are using versions other than PAN-OS 3.0 - 6.1, click HIP Match, copy one of the following texts applicable to the version you are using, and paste it in the HIP Match Log Format field for the HIP Match log type.

      • PAN-OS v7.1--

        content_copy zoom_out_map
        LEEF:2.0|Palo Alto Networks|PAN-OS
Syslog Integration|$sender_sw_version|
$matchname|x7C|ReceiveTime=$receive_time|
SerialNumber=$serial|cat=$type|
Subtype=$subtype|devTime=$cefformatted-
receive_time|
usrName=$srcuser|VirtualSystem=$vsys|
identHostName=$machinename|OS=$os|
identSrc=$src|HIP=$matchname|
RepeatCount=$repeatcnt|HIPType=$matchtype|
sequence=$seqno|ActionFlags=$actionflags|
DeviceGroupHierarchyL1=$dg_hier_level_1|
DeviceGroupHierarchyL2=$dg_hier_level_2|
DeviceGroupHierarchyL3=$dg_hier_level_3|
DeviceGroupHierarchyL4=$dg_hier_level_4|
vSrcName=$vsys_name|
DeviceName=$device_name

      • PAN-OS v8.0 - 9.1--

        content_copy zoom_out_map
        LEEF:2.0|Palo Alto Networks|PAN-OS
Syslog Integration|$sender_sw_version|
$matchname|x7C|ReceiveTime=$receive_time|
SerialNumber=$serial|cat=$type|
Subtype=$subtype|devTime=$cefformatted-
receive_time|
usrName=$srcuser|VirtualSystem=$vsys|
identHostName=$machinename|OS=$os|
identsrc=$src|HIP=$matchname|
RepeatCount=$repeatcnt|HIPType=$matchtype|
sequence=$seqno|ActionFlags=$actionflags|
DeviceGroupHierarchyL1=$dg_hier_level_1|
DeviceGroupHierarchyL2=$dg_hier_level_2|
DeviceGroupHierarchyL3=$dg_hier_level_3|
DeviceGroupHierarchyL4=$dg_hier_level_4|
vSrcName=$vsys_name|
DeviceName=$device_name|
VirtualSystemID=$vsys_id|srcipv6=$srcipv6|
startTime=$cef-formatted-time_generated

    7. If you are using PAN-OS 8.0 - 9.1, copy the following text and paste it in the Custom Format column for the URL Filtering log type.

      PAN-OS v8.0 - 9.1-

      content_copy zoom_out_map
      LEEF:2.0|Palo Alto Networks|PAN-OS Syslog Integration|
$sender_sw_version|$threatid|x7C|ReceiveTime=$receive_time|SerialNumber=$serial|
cat=$type|Subtype=$subtype|devTime=$cef-formatted-receive_time|src=$src|dst=$dst|
srcPostNAT=$natsrc|dstPostNAT=$natdst|RuleName=$rule|usrName=$srcuser|SourceUser=$srcuser|
DestinationUser=$dstuser|Application=$app|VirtualSystem=$vsys|SourceZone=$from|
DestinationZone=$to|IngressInterface=$inbound_if|EgressInterface=$outbound_if|
LogForwardingProfile=$logset|SessionID=$sessionid|RepeatCount=$repeatcnt|srcPort=$sport|
dstPort=$dport|srcPostNATPort=$natsport|dstPostNATPort=$natdport|Flags=$flags|
proto=$proto|action=$action|Miscellaneous=$misc|ThreatID=$threatid|URLCategory=$category|
sev=$number-of-severity|Severity=$severity|Direction=$direction|sequence=$seqno|
ActionFlags=$actionflags|SourceLocation=$srcloc|DestinationLocation=$dstloc|
ContentType=$contenttype|PCAP_ID=$pcap_id|FileDigest=$filedigest|Cloud=$cloud|
URLIndex=$url_idx|RequestMethod=$http_method|UserAgent=$user_agent|identSrc=$xff|
Referer=$referer|Subject=$subject|DeviceGroupHierarchyL1=$dg_hier_level_1|
DeviceGroupHierarchyL2=$dg_hier_level_2|DeviceGroupHierarchyL3=$dg_hier_level_3|
DeviceGroupHierarchyL4=$dg_hier_level_4|vSrcName=$vsys_name|DeviceName=$device_name|
SrcUUID=$src_uuid|DstUUID=$dst_uuid|TunnelID=$tunnelid|MonitorTag=$monitortag|
ParentSessionID=$parent_session_id|ParentStartTime=$parent_start_time|TunnelType=$tunnel|
ThreatCategory=$thr_category|ContentVer=$contentver

    8. If you are using PAN-OS 8.0 - 9.1, copy the following text and paste it in the Custom Format column for the Data log type.

      PAN-OS v8.0 - 9.1--

      content_copy zoom_out_map
      LEEF:2.0|Palo Alto Networks|PAN-OS Syslog Integration|
$sender_sw_version|$threatid|x7C|ReceiveTime=$receive_time|SerialNumber=$serial|
cat=$type|Subtype=$subtype|devTime=$cef-formatted-receive_time|src=$src|dst=$dst|
srcPostNAT=$natsrc|dstPostNAT=$natdst|RuleName=$rule|usrName=$srcuser|SourceUser=$srcuser|
DestinationUser=$dstuser|Application=$app|VirtualSystem=$vsys|SourceZone=$from|
DestinationZone=$to|IngressInterface=$inbound_if|EgressInterface=$outbound_if|
LogForwardingProfile=$logset|SessionID=$sessionid|RepeatCount=$repeatcnt|srcPort=$sport|
dstPort=$dport|srcPostNATPort=$natsport|dstPostNATPort=$natdport|Flags=$flags|
proto=$proto|action=$action|Miscellaneous=$misc|ThreatID=$threatid|URLCategory=$category|
sev=$number-of-severity|Severity=$severity|Direction=$direction|sequence=$seqno|
ActionFlags=$actionflags|SourceLocation=$srcloc|DestinationLocation=$dstloc|
ContentType=$contenttype|PCAP_ID=$pcap_id|FileDigest=$filedigest|
Cloud=$cloud|URLIndex=$url_idx|RequestMethod=$http_method|Subject=$subject|
DeviceGroupHierarchyL1=$dg_hier_level_1|DeviceGroupHierarchyL2=$dg_hier_level_2|
DeviceGroupHierarchyL3=$dg_hier_level_3|DeviceGroupHierarchyL4=$dg_hier_level_4|
vSrcName=$vsys_name|DeviceName=$device_name|SrcUUID=$src_uuid|DstUUID=$dst_uuid|
TunnelID=$tunnelid|MonitorTag=$monitortag|ParentSessionID=$parent_session_id|
ParentStartTime=$parent_start_time|TunnelType=$tunnel|ThreatCategory=$thr_category|
ContentVer=$contentver

    9. If you are using PAN-OS 8.0 - 9.1, copy the following text and paste it in the Custom Format column for the Wildfire log type.

      PAN-OS v8.0 - 9.1--

      content_copy zoom_out_map
      LEEF:2.0|Palo Alto Networks|PAN-OS Syslog Integration|
$sender_sw_version|$threatid|x7C|ReceiveTime=$receive_time|SerialNumber=$serial|
cat=$type|Subtype=$subtype|devTime=$cef-formatted-receive_time|src=$src|dst=$dst|
srcPostNAT=$natsrc|dstPostNAT=$natdst|RuleName=$rule|usrName=$srcuser|SourceUser=$srcuser|
DestinationUser=$dstuser|Application=$app|VirtualSystem=$vsys|SourceZone=$from|
DestinationZone=$to|IngressInterface=$inbound_if|EgressInterface=$outbound_if|
LogForwardingProfile=$logset|SessionID=$sessionid|RepeatCount=$repeatcnt|srcPort=$sport|
dstPort=$dport|srcPostNATPort=$natsport|dstPostNATPort=$natdport|Flags=$flags|
proto=$proto|action=$action|Miscellaneous=$misc|ThreatID=$threatid|URLCategory=$category|
sev=$number-of-severity|Severity=$severity|Direction=$direction|sequence=$seqno|
ActionFlags=$actionflags|SourceLocation=$srcloc|DestinationLocation=$dstloc|
ContentType=$contenttype|PCAP_ID=$pcap_id|FileDigest=$filedigest|
Cloud=$cloud|URLIndex=$url_idx|RequestMethod=$http_method|FileType=$filetype|
Sender=$sender|Subject=$subject|Recipient=$recipient|ReportID=$reportid|
DeviceGroupHierarchyL1=$dg_hier_level_1|DeviceGroupHierarchyL2=$dg_hier_level_2|
DeviceGroupHierarchyL3=$dg_hier_level_3|DeviceGroupHierarchyL4=$dg_hier_level_4|
vSrcName=$vsys_name|DeviceName=$device_name|SrcUUID=$src_uuid|DstUUID=$dst_uuid|
TunnelID=$tunnelid|MonitorTag=$monitortag|ParentSessionID=$parent_session_id|
ParentStartTime=$parent_start_time|TunnelType=$tunnel|ThreatCategory=$thr_category|
ContentVer=$contentver

    10. If you are using PAN-OS 8.0 - 9.1, copy the following text and paste it in the Custom Format column for the Authentication log type.

      PAN-OS v8.0 - 9.1--

      content_copy zoom_out_map
      LEEF:2.0|Palo Alto Networks|PAN-OS
Syslog Integration|$sender_sw_version|$event|x7C|ReceiveTime=$receive_time|
SerialNumber=$serial|cat=$type|Subtype=$subtype|devTime=$cef-formatted-receive_time|
ServerProfile=$serverprofile|LogForwardingProfile=$logset|VirtualSystem=$vsys|
AuthPolicy=$authpolicy|ClientType=$clienttype|NormalizeUser=$normalize_user|
ObjectName=$object|FactorNumber=$factorno|AuthenticationID=$authid|src=$ip|
RepeatCount=$repeatcnt|usrName=$user|Vendor=$vendor|msg=$event|sequence=$seqno|
DeviceGroupHierarchyL1=$dg_hier_level_1|DeviceGroupHierarchyL2=$dg_hier_level_2|
DeviceGroupHierarchyL3=$dg_hier_level_3|DeviceGroupHierarchyL4=$dg_hier_level_4|
vSrcName=$vsys_name|DeviceName=$device_name|AdditionalAuthInfo=$desc|
ActionFlags=$actionflags

    11. If you are using PAN-OS 8.0 - 9.1, copy the following text and paste it in the Custom Format column for the User-ID log type.

      PAN-OS v8.0 - 9.1--

      content_copy zoom_out_map
      LEEF:2.0|Palo Alto Networks|PAN-OS
Syslog Integration|$sender_sw_version|$subtype|x7C|ReceiveTime=$receive_time|
SerialNumber=$serial|cat=$type|Subtype=$subtype|devTime=$cef-formatted-receive_time|
FactorType=$factortype|VirtualSystem=$vsys|DataSourceName=$datasourcename|
DataSource=$datasource|DataSourceType=$datasourcetype|FactorNumber=$factorno|
VirtualSystemID=$vsys_id|TimeoutThreshold=$timeout|src=$ip|srcPort=$beginport|
dstPort=$endport|RepeatCount=$repeatcnt|usrName=$user|sequence=$seqno|EventID=$eventid|
FactorCompletionTime=$factorcompletiontime|DeviceGroupHierarchyL1=$dg_hier_level_1|
DeviceGroupHierarchyL2=$dg_hier_level_2|DeviceGroupHierarchyL3=$dg_hier_level_3|
DeviceGroupHierarchyL4=$dg_hier_level_4|vSrcName=$vsys_name|DeviceName=$device_name|
ActionFlags=$actionflags

    12. If you are using PAN-OS 8.0 - 9.1, copy the following text and paste it in the Custom Format column for the Tunnel Inspection log type.

      PAN-OS v8.0 - 9.1--

      content_copy zoom_out_map
      LEEF:2.0|Palo Alto Networks|PAN-OS Syslog
Integration|$sender_sw_version|$action|x7C|ReceiveTime=$receive_time|SerialNumber=$serial|
cat=$type|Subtype=$subtype|devTime=$cef-formatted-receive_time|src=$src|dst=$dst|
srcPostNAT=$natsrc|dstPostNAT=$natdst|RuleName=$rule|usrName=$srcuser|SourceUser=$srcuser|
DestinationUser=$dstuser|Application=$app|VirtualSystem=$vsys|SourceZone=$from|
DestinationZone=$to|IngressInterface=$inbound_if|EgressInterface=$outbound_if|
LogForwardingProfile=$logset|SessionID=$sessionid|RepeatCount=$repeatcnt|
srcPort=$sport|dstPort=$dport|srcPostNATPort=$natsport|dstPostNATPort=$natdport|
Flags=$flags|proto=$proto|action=$action|sequence=$seqno|ActionFlags=$actionflags|
DeviceGroupHierarchyL1=$dg_hier_level_1|DeviceGroupHierarchyL2=$dg_hier_level_2|
DeviceGroupHierarchyL3=$dg_hier_level_3|DeviceGroupHierarchyL4=$dg_hier_level_4|
vSrcName=$vsys_name|DeviceName=$device_name|TunnelID=$tunnelid|MonitorTag=$monitortag|
ParentSessionID=$parent_session_id|ParentStartTime=$parent_start_time|TunnelType=$tunnel|
totalBytes=$bytes|dstBytes=$bytes_received|srcBytes=$bytes_sent|totalPackets=$packets|
dstPackets=$pkts_received|srcPackets=$pkts_sent|MaximumEncapsulation=$max_encap|
UnknownProtocol=$unknown_proto|StrictChecking=$strict_check|
TunnelFragment=$tunnel_fragment|SessionsCreated=$sessions_created|
SessionsClosed=$sessions_closed|SessionEndReason=$session_end_reason|
ActionSource=$action_source|startTime=$start|ElapsedTime=$elapsed

    13. If you are using PAN-OS 8.0 - 9.1, copy the following text and paste it in the Custom Format column for the Correlation log type.

      PAN-OS v8.0 - 9.1--

      content_copy zoom_out_map
      LEEF:2.0|Palo Alto Networks|PANOS
Syslog Integration|8.0|$category|ReceiveTime=$receive_time|
x7C|SerialNumber=$serial|cat=$type|devTime=$cef-formatted-receive_time|startTime=$cefformatted-
time_generated|Severity=$severity|VirtualSystem=$vsys|VirtualSystemID=$vsys_id|
src=$src|SourceUser=$srcuser|msg=$evidence|DeviceGroupHierarchyL1=$dg_hier_level_1|
DeviceGroupHierarchyL2=$dg_hier_level_2|DeviceGroupHierarchyL3=$dg_hier_level_3|
DeviceGroupHierarchyL4=$dg_hier_level_4|vSrcName=$vsys_name|DeviceName=$device_name|
ObjectName=$object_name|ObjectID=$object_id

    14. If you are using PAN-OS 8.1 - 9.1, copy the following text, and paste it in the Custom Format column for the SCTP log type.

      PAN-OS v8.1 - 9.1

      content_copy zoom_out_map
      LEEF:2.0|Palo Alto Networks|PAN-OS Syslog Integration|$sender_sw_version|$action|
x7C|ReceiveTime=$receive_time|SerialNumber=$serial|cat=$type|genTime=$time_generated|
src=$src|dst=$dst|VirtualSystem=$vsys|SourceZone=$from|DestinationZone=$to|
IngressInterface=$inbound_if|EgressInterface=$outbound_if|SessionID=$sessionid|
RepeatCount=$repeatcnt|srcPort=$sport|dstPort=$dport|proto=$proto|action=$action|
DeviceGroupHierarchyL1=$dg_hier_level_1|DeviceGroupHierarchyL2=$dg_hier_level_2|
DeviceGroupHierarchyL3=$dg_hier_level_3|DeviceGroupHierarchyL4=$dg_hier_level_4|
vsysName=$vsys_name|DeviceName=$device_name|sequence=$seqno|AssocID=$assoc_id|
PayloadProtoID=$ppid|sev=$num_of_severity|SCTPChunkType=$sctp_chunk_type|
SCTPVerTag1=$verif_tag_1|SCTPVerTag2=$verif_tag_2|SCTPCauseCode=$sctp_cause_code|
DiamAppID=$diam_app_id|DiamCmdCode=$diam_cmd_code|DiamAVPCode=$diam_avp_code|
SCTPStreamID=$stream_id|SCTPAssEndReason=$assoc_end_reason|OpCode=$op_code|
CPSSN=$sccp_calling_ssn|CPGlobalTitle=$sccp_calling_gt|SCTPFilter=$sctp_filter|
SCTPChunks=$chunks|SrcSCTPChunks=$chunks_sent|DstSCTPChunks=$chunks_received|
Packets=$packets|srcPackets=$pkts_sent|dstPackets=$pkts_received

    15. If you are using PAN-OS 9.x, copy the following text, and paste it in the Custom Format column for the IPTag log type.

      content_copy zoom_out_map
      LEEF:2.0|Palo Alto Networks|PAN-OS Syslog Integration|$sender_sw_version|
$event_id|x7C|cat=$type|devTime=$cef-formatted-receive_time|ReceiveTime=$receive_time|
SerialNumber=$serial|Subtype=$subtype|GenerateTime=$time_generated|
VirtualSystem=$vsys|src=$ip|TagName=$tag_name|EventID=$eventid|RepeatCount=$repeatcnt|
TimeoutThreshold=$timeout|DataSourceName=$datasourcename|DataSource=$datasource_type|
DataSourceType=$datasource_subtype|sequence=$seqno|ActionFlags=$actionflags|
DeviceGroupHierarchyL1=$dg_hier_level_1|DeviceGroupHierarchyL2=$dg_hier_level_2|
DeviceGroupHierarchyL3=$dg_hier_level_3|DeviceGroupHierarchyL4=$dg_hier_level_4|
vSrcName=$vsys_name|DeviceName=$device_name|VirtualSystemID=$vsys_id

  5. Click OK.

  6. To specify the severity of events that are contained in the Syslog messages, click Log Setting.

    1. For each severity that you want to include in the Syslog message, click the Severity name and select the Syslog destination from the Syslog menu.

    2. Click OK.

  7. Click Commit.

To allow communication between your Palo Alto Networks device and JSA, create a forwarding policy. See Creating a forwarding policy on your Palo Alto PA Series device.

Forwarding Palo Alto Cortex Data Lake (Next Generation Firewall) LEEF events to JSA

To send Palo Alto Cortex Data Lake events to JSA, you must add a TLS Syslog log source in JSA and configure Cortex Data Lake to forward logs to a syslog server.

  1. Add a log source in JSA by using the TLS Syslog protocol. For more information, see TLS Syslog log source parameters for Palo Alto PA Series.

  2. Forward logs from Cortex Data Lake to JSA. For more information, see your Palo Alto documentation.

Note:

  • When forwarding logs from Cortex Data Lake, choose the LEEF log format.

  • You must enable the cat and EventStatus fields in Palo Alto. The EventStatus field is required to parse Global Protect events in JSA.

Creating a Forwarding Policy on Your Palo Alto PA Series Device

If your JSA Console or Event Collector is in a different security zone than your Palo Alto PA Series device, create a forwarding policy rule.

  1. Log in to Palo Alto Networks.

  2. On the dashboard, click the Policies tab.

  3. Click Policies > Policy Based Forwarding.

  4. Click Add.

  5. Configure the parameters. For descriptions of the policy-based forwarding values, see your Palo Alto Networks Administrator’s Guide.

Creating ArcSight CEF Formatted Syslog Events on Your Palo Alto PA Series Networks Firewall Device

Configure your Palo Alto Networks firewall to send ArcSight CEF formatted Syslog events to JSA.

  1. Log in to the Palo Alto Networks interface.

  2. Click the Device tab.

  3. Select Server Profiles >Syslog, and then click Add.

  4. On the Servers tab, click Add.

  5. Specify the name, server IP address, port, and facility of the JSA system that you want to use as a Syslog server:

    1. The Name is the Syslog server name.

    2. The Syslog Server is the IP address for the Syslog server.

    3. The Transport/Port default is 514.

    4. The Faculty default is LOG_USER.

  6. To select any of the listed log types that define a custom format, based on the ArcSight CEF for that log type, complete the following steps:

    1. Click the Custom Log Format tab and select any of the listed log types to define a custom format based on the ArcSight CEF for that log type. The listed log types are Config, System, Threat, Traffic, and HIP Match.

    2. Click OK twice to save your entries, then click Commit.

  7. To define your own CEF-style formats that use the event mapping table that is provided in the ArcSight document, Implementing ArcSight CEF, you can use the following information about defining CEF style formats:

    The Custom Log Format tab supports escaping any characters that are defined in the CEF as special characters. For example, to use a backslash to escape the backslash and equal characters, enable the Escaping check box, specify \=as the Escaped Characters and \as the Escape Character.

    The following list displays the CEF-style format that was used during the certification process for each log type. These custom formats include all of the fields, in a similar order, that the default format of the Syslogs display.

    Note:

    Due to PDF formatting, do not copy and paste the message formats directly into the PAN-OS web interface. Instead, paste into a text editor, remove any carriage return or line feed characters, and then copy and paste into the web interface.

    • Traffic--

      content_copy zoom_out_map
      CEF:0|Palo Alto Networks|PAN-OS|6.0.0|$subtype|$type|1|rt=$cef-formatted-receive_time
deviceExternalId=$serial src=$src dst=$dst sourceTranslatedAddress=$natsrc
destinationTranslatedAddress=$natdst cs1Label=Rule cs1=$rule suser=$srcuser
duser=$dstuser app=$app cs3Label=Virtual System cs3=$vsys
cs4Label=Source Zone cs4=$from cs5Label=Destination Zone
cs5=$to deviceInboundInterface=$inbound_if deviceOutboundInterface=$outbound_if
cs6Label=LogProfile cs6=$logset cn1Label=SessionID cn1=$sessionid
cnt=$repeatcnt spt=$sport dpt=$dport sourceTranslatedPort=$natsport
destinationTranslatedPort=$natdport flexString1Label=Flags flexString1=$flags
proto=$proto act=$action flexNumber1Label=Total bytes flexNumber1=$bytes
in=$bytes_sent out=$bytes_received cn2Label=Packets cn2=$packets
PanOSPacketsReceived=$pkts_received PanOSPacketsSent=$pkts_sent start=$cef-formattedtime_
generated cn3Label=Elapsed time in seconds cn3=$elapsed cs2Label=URL Category
cs2=$category externalId=$seqno

    • Threat--

      content_copy zoom_out_map
      CEF:0|Palo Alto Networks|PAN-OS|6.0.0|$subtype|$type|$number-of-severity|rt=$cefformatted-
receive_time deviceExternalId=$serial src=$src dst=$dst
sourceTranslatedAddress=$natsrc destinationTranslatedAddress=$natdst cs1Label=Rule
cs1=$rule suser=$srcuser duser=$dstuser app=$app cs3Label=Virtual System
cs3=$vsys cs4Label=Source Zone cs4=$from cs5Label=Destination Zone
cs5=$to deviceInboundInterface=$inbound_if deviceOutboundInterface=$outbound_if
cs6Label=LogProfile cs6=$logset cn1Label=SessionID cn1=$sessionid
cnt=$repeatcnt spt=$sport dpt=$dport sourceTranslatedPort=$natsport
destinationTranslatedPort=$natdport flexString1Label=Flags flexString1=$flags
proto=$proto act=$action request=$misc cs2Label=URL Category
cs2=$category flexString2Label=Direction flexString2=$direction externalId=$seqno
requestContext=$contenttype cat=$threatid filePath=$cloud fileId=$pcap_id
fileHash=$filedigest

    • Config--

      content_copy zoom_out_map
      CEF:0|Palo Alto Networks|PAN-OS|6.0.0|$result|$type|1|rt=$cef-formatted-receive_time
deviceExternalId=$serial dvchost=$host cs3Label=Virtual System cs3=$vsys act=$cmd
duser=$admin destinationServiceName=$client msg=$path externalId=$seqno

      • Optional:--

        content_copy zoom_out_map
        cs1Label=Before Change Detail cs1=$before-change-detail cs2Label=After Change Detail
cs2=$after-change-detail

    • System--

      content_copy zoom_out_map
      CEF:0|Palo Alto Networks|PAN-OS|6.0.0|$subtype|$type|$number-of-severity|rt=$cefformatted-
receive_time deviceExternalId=$serial cs3Label=Virtual System
cs3=$vsys fname=$object flexString2Label=Module flexString2=$module msg=$opaque
externalId=$seqno cat=$eventid

    • HIP Match--

      content_copy zoom_out_map
      CEF:0|Palo Alto Networks|PAN-OS|6.0.0|$matchtype|$type|1|rt=$cef-formattedreceive_
time deviceExternalId=$serial suser=$srcuser cs3Label=Virtual System
cs3=$vsys shost=$machinename src=$src cnt=$repeatcnt externalId=$seqno cat=$matchname
cs2Label=Operating System cs2=$os

For more information about Syslog configuration, see the PAN-OS Administrator's Guide on the Palo Alto Networks website (https://www.paloaltonetworks.com).

TLS Syslog log source parameters for Palo Alto PA Series

If JSA does not automatically detect the log source, add a Palo Alto PA Series log source on the JSA Console by using the TLS Syslog protocol.

When you use the TLS Syslog protocol, there are specific parameters that you must configure.

The following table describes the parameters that require specific values to collect TLS Syslog events from Palo Alto PA Series:

Table 2: TLS Syslog log source parameters for the Palo Alto PA Series DSM

Parameter

Value

Log Source type

Palo Alto PA Series

Protocol Configuration

TLS Syslog

Log Source Identifier

An IP address or hostname to identify the log source.

For a complete list of TLS Syslog protocol parameters and their values, see TLS Syslog Protocol Configuration Options.

Palo Alto PA Series Sample Event Message

Use these sample event messages as a way of verifying a successful integration with JSA.

Note:

Due to formatting issues, paste the message format into a text editor and then remove any carriage return or line feed characters.

Palo Alto PA Series sample message when you use the Syslog protocol

Sample 1: The following sample event message shows PAN-OS events for a trojan threat event.

content_copy zoom_out_map
<180>May 6 16:43:53 paloalto.paseries.test LEEF:1.0|
Palo Alto Networks|PAN-OS Syslog Integration|8.1.6|trojan/
PDF.gen.eiez(268198686)|ReceiveTime=2019/05/06 16:43:53|SerialNumber=001801010877|cat=THREAT|
Subtype=virus|devTime=May 06 2019 11:13:53 GMT|src=10.2.75.41|dst=192.168.178.180|
srcPostNAT=192.168.68.141|dstPostNAT=192.168.178.180|RuleName=Test-1|usrName=qradar\\user1|
SourceUser=qradar\\user1|DestinationUser=|Application=web-browsing|VirtualSystem=vsys1|
SourceZone=INSIDE-ZN|DestinationZone=OUTSIDE-ZN|IngressInterface=ethernet1/1|
EgressInterface=ethernet1/3|LogForwardingProfile=testForwarder|SessionID=3012|RepeatCount=1|
srcPort=63508|dstPort=80|srcPostNATPort=31539|dstPostNATPort=80|Flags=0x406000|proto=tcp|
action=alert|Miscellaneous=\"qradar.example.test/du/uploads/08052018_UG_FAQ.pdf\"|
ThreatID=trojan/PDF.gen.eiez(268198686)|URLCategory=educational-institutions|sev=3|
Severity=medium|Direction=server-to-client|sequence=486021038|ActionFlags=0xa000000000000000|
SourceLocation=10.0.0.0-10.255.255.255|DestinationLocation=testPlace|ContentType=|
PCAP_ID=0|FileDigest=|Cloud=|URLIndex=5|RequestMethod=|Subject=|DeviceGroupHierarchyL1=12|
DeviceGroupHierarchyL2=0|DeviceGroupHierarchyL3=0|DeviceGroupHierarchyL4=0|vSrcName=|
DeviceName=testName|SrcUUID=|DstUUID=|TunnelID=0|MonitorTag=|ParentSessionID=0|ParentStartTime=|
TunnelType=N/A|ThreatCategory=pdf|ContentVer=Antivirus-2969-3479
Table 3: Highlighted fields in the sample event

JSA field name

Highlighted payload fields

Event ID

The Event ID value is 268198686.

Note:

Usually the Event ID field from the LEEF header is used. However, for certain event types, more LEEF fields or custom fields such as Subtype, and action might be used to form a unique event ID.

Category

PA Series Threat

Note:

The value of the cat field is not used directly as the Category of the event. The value of this field is used to determine a predefined set of category values. For certain event types, more LEEF fields or custom fields can be used to form a unique event Category.

Device Time

devTime

Source IP

src

Destination IP

dst

Source Port

srcPort

Destination Port

dstPort

Post NAT Source IP

srcPostNAT

Post NAT Destination IP

dstPostNAT

Post NAT Soure Port

srcPostNATPort

Post NAT Destination Port

dstPostNATPort

Protocol

proto

Sample 2: The following sample event message shows a Prisma event where a session is allowed by a policy.

content_copy zoom_out_map
<14>1 2021-10-26T13:56:21.887Z paloalto.paseries.test logforwarder -
panwlogs - LEEF:2.0|Palo Alto Networks|Prisma Access|2.1|allow| |
TimeReceived=2021-10-26T13:56:20.000000Z DeviceSN=no-serial cat=traffic SubType=start
ConfigVersion=10.0 devTime=2021-10-26T13:56:17.000000Z src=192.168.21.100 dst=172.16.0.3
srcPostNAT=172.16.0.4 dstPostNAT=172.16.0.5 Rule=CG-RN-Guest-to-Internet usrName=
DestinationUser= Application=web-browsing VirtualLocation=vsys1 FromZone=FromZone
ToZone=untrust InboundInterface=tunnel.101 OutboundInterface=ethernet1/1 LogSetting=to-
Cortex-Data-Lake SessionID=49934 RepeatCount=1 srcPort=59532 dstPort=80
sr=49718 dstPostNATPort=80 proto=tcp Bytes=374 srcBytes=300 dstBytes=74
totalPackets=4 SessionStartTime=2021-10-26T13:56:15.000000Z SessionDuration=0
URLCategory=any SequenceNo=13336648 SourceLocation=192.168.0.0-192.168.255.255
DestinationLocation=CA srcPackets=3 dstPackets=1 SessionEndReason=na
DGHierarchyLevel1=62 DGHierarchyLevel2=38 DGHierarchyLevel3=53
DGHierarchyLevel4=0 VirtualSystemName= DeviceName=DeviceName ActionSource=frompolicy
SourceUUID= DestinationUUID= IMSI=0 IMEI= ParentSessionID=0
ParentStarttime=1970-01-01T00:00:00.000000Z Tunnel=N/A EndpointAssociationID=0 ChunksTotal=0
ChunksSent=0 ChunksReceived=0 RuleUUID=00000000-0000-0000-0000-000000000000
HTTP2Connection=0 LinkChangeCount=0 SDWANPolicyName= LinkSwitches= SDWANCluster=
SDWANDeviceType= SDWANClusterType= SDWANSite= DynamicUserGroupName= XForwarded-
ForIP= SourceDeviceCategory= SourceDeviceProfile= SourceDeviceModel=
SourceDeviceVendor= SourceDeviceOSFamily= SourceDeviceOSVersion= SourceDeviceHost=
SourceDeviceMac= DestinationDeviceCategory= DestinationDeviceProfile=
DestinationDeviceModel= DestinationDeviceVendor= DestinationDeviceOSFamily=
DestinationDeviceOSVersion= DestinationDeviceHost= DestinationDeviceMac= ContainerID=
ContainerNameSpace= ContainerName= SourceEDL= DestinationEDL= GPHostID=
EndpointSerialNumber= SourceDynamicAddressGroup= DestinationDynamicAddressGroup=
HASessionOwner= TimeGeneratedHighResolution=2021-10-26T13:56:17.911000Z NSSAINetworkSliceType=
NSSAINetworkSliceDifferentiator= devTimeFormat=YYYY-MM-DD'T'HH:mm:ss.SSSZ
Table 4: Highlighted fields in the sample event

JSA field name

Highlighted payload fields

Event ID

The Event ID value is allow.

Event Category

PA Series Traffic

Note:

The value of the cat field is not used directly as the Category of the event. The value of this field is used to determine a predefined set of category values. For certain event types, more LEEF fields or custom fields can be used to form a unique event Category.

Device Time

devTime

Source IP

src

Destination IP

dst

Source Port

srcPort

Destination Port

dstPort

Post NAT Source IP

srcPostNAT

Post NAT Destination IP

dstPostNAT

Post NAT Soure Port

sr

Post NAT Destination Port

dstPostNATPort

Protocol

proto

Palo Alto PA Series sample message when you use the TLS Syslog protocol

The following sample event message shows Next Generation Firewall events for version 10.1.

content_copy zoom_out_map
<14>1 2021-08-09T14:00:26.364Z paloalto.paseries.test logforwarder - panwlogs
- LEEF:2.0|Palo Alto Networks|Next Generation Firewall|10.1|drop-all| |
TimeReceived=2021-08-09T14:00:25.000000Z DeviceSN=001011000011111 cat=gtp SubType=end
ConfigVersion=10.1 devTime=2021-08-09T14:00:22.000000Z src=fc00:0:e426:5678:b202:b3ff:fe1e:8329
dst=fc00:5678:90aa:cc33:f202:b3ff:fe1e:8329 srcPostNAT=10.5.5.5 dstPostNAT=192.168.178.180
Rule=allow-all-employees usrName=paloaltonetwork\testUser DestinationUser=paloaltonetwork\tUser
Application=adobe-cq VirtualLocation=aaaa1 FromZone=corporate ToZone=corporate
InboundInterface=ethernet1/1 OutboundInterface=ethernet1/3 LogSetting=rs-logging
SessionID=1111111 RepeatCount=1 srcPort=10273 dstPort=27624 srcPostNATPort=26615
dstPostNATPort=6501 proto=tcp TunnelEventType=51 MobileSubscriberISDN=
AccessPointName= RadioAccessTechnology=11 TunnelMessageType=0 MobileIP=
TunnelEndpointID1=0 TunnelEndpointID2=0 TunnelInterface=0 TunnelCauseCode=0
VendorSeverity=Unused MobileCountryCode=0 MobileNetworkCode=0 MobileAreaCode=0
MobileBaseStationCode=0 TunnelEventCode=0 SequenceNo=1111111111111111111 SourceLocation=NB
DestinationLocation=saint john DGHierarchyLevel1=12 DGHierarchyLevel2=0 DGHierarchyLevel3=0
DGHierarchyLevel4=0 VirtualSystemName= DeviceName=PA-VM IMSI=28 IMEI=datacenter
ParentSessionID=1111111 ParentStarttime=1970-01-01T00:00:00.000000Z Tunnel=tunnel
Bytes=741493 srcBytes=277595 dstBytes=463898 totalPackets=1183 srcPackets=554
dstPackets=629 PacketsDroppedMax=58 PacketsDroppedProtocol=34 PacketsDroppedStrict=171
PacketsDroppedTunnel=773 TunnelSessionsCreated=537 TunnelSessionsClosed=206
SessionEndReason=unknown ActionSource=unknown startTime=2021-08-09T13:59:51.000000Z
SessionDuration=35 TunnelInspectionRule=gtp TunnelRemoteUserIP= TunnelRemoteIMSIID=0
RuleUUID=11a111aa-1a11-1a1a-11a1-1a11a11111a1 DynamicUserGroupName=dynug-4 ContainerID=
ContainerNameSpace= ContainerName= SourceEDL= DestinationEDL= SourceDynamicAddressGroup=
DestinationDynamicAddressGroup= TimeGeneratedHighResolution=2021-08-09T14:00:22.079000Z
NSSAINetworkSliceDifferentiator=0 NSSAINetworkSliceType=0 ProtocolDataUnitsessionID=0
devTimeFormat=YYYY-MM-DDTHH:mm:ss.SSSSSSZ
Table 5: Highlighted fields in the sample event

JSA field name

Highlighted payload fields

Event ID

drop-all (LEEF header Event ID field)

Note:

Usually the Event ID field from the LEEF header is used. However, for certain event types, more LEEF fields or custom fields such as Subtype, and action might be used to form a unique event ID.

Category

PA Series GTP

Note:

The value of the cat field is not used directly as the Category of the event. The value of this field is used to determine a predefined set of category values. For certain event types, more LEEF fields or custom fields can be used to form a unique event Category.

Device Time

devTime

Source IPv6

src

Destination IPv6

dst

Source Port

SrcPort

Destination Port

dstPort

Post NAT Source IP

srcPostNAT

Post NAT Destination IP

dstPostNAT

Post NAT Soure Port

srcPostNATPort

Post NAT Destination Port

dstPostNATPort

Protocol

tcp

Username

usrName

Note:

If a username contains the domain as part of its value, the domain portion is removed and only the actual username portion is used.

Related Documentation

arrow_backward PREVIOUS Palo Alto Endpoint Security Manager
NEXT arrow_forward Pirean Access: One
footer-navigation

© 1999 - 2025 Juniper Networks, Inc. All rights reserved.

Scroll to top