
Palo Alto PANOS Firewall

Realm Security integrates seamlessly with Palo Alto firewalls, enabling intelligent routing and analysis of security event logs. Follow these concise steps to configure syslog forwarding from your Palo Alto firewall to Realm Security Data Fabric.

Realm supports two ways of collecting logs from Palo Alto firewalls.

  1. Exporting logs to an on-premise Realm Data Collector via syslog, which then forwards them to Realm Cloud.

    • A Realm collector is set up and running. See the Realm Collector install guide for setting up a collector.
    • Syslog hostname: make a note of the Realm Data Collector VM IP address or FQDN.
    • Syslog port number: in the Realm console, go to Collectors > select the collector > copy the port number listed for the Stream that corresponds to the Palo Alto firewall.
  2. Exporting logs directly to Realm Cloud via syslog over TLS.

    • A Realm Cloud Syslog input feed is set up in the Realm Console. See Setup Cloud Syslog Input feed.
    • Syslog hostname: click the View Details action for the Cloud Syslog input feed in the Realm Console.
    • Syslog port: 443/6514
    • Transport: SSL / TLS
    • Format: IETF
    • Facility: LOG_USER
    • Copy the Realm CA Certificate PEM contents, save them to a .pem file, and import the CA certificate into Palo Alto as a Trusted CA (Device > Certificate Management > Certificates):
      • Click Import.
      • Enter a descriptive name, such as Realm-Syslog-Server-Root-CA.
      • Select the certificate .pem file you just saved.
      • Format: ensure PEM is selected.
      • Important: ensure Import as Trusted CA is selected, so the firewall can verify the Realm syslog server's certificate.
    • Configure the Syslog server profile as described below.
    • Ensure the Transport is set to SSL. The port should be the one your server uses for TLS (443/6514).

Prerequisites

  • Ensure you have administrative access to your Palo Alto firewall.

Syslog Server Setup

  1. Log in to the Palo Alto Networks firewall web interface.
  2. Navigate to Device > Server Profiles > Syslog.
  3. Click Add to create a new syslog profile.
  4. Enter a descriptive Name (e.g., "RealmSecuritySyslog").
  5. Under Servers, click Add and enter:
  • Name: RealmSyslog
  • Server: <IP or hostname of the Realm collector, or FQDN of the Realm Cloud Syslog feed>
  • Transport:
    • TCP when using the Realm Data Collector
    • SSL when using the Realm Cloud Syslog collector
  • Port:
    • <port number of the stream configured in the Realm Console> when using the Realm Data Collector
    • 443/6514 when using the Realm Cloud Syslog collector
  • Format: IETF
  • Facility: LOG_USER
  • TLS Cert: <required when exporting directly to Realm Cloud>
    • In the SSL/TLS Service Profile dropdown, select the profile you created, for example Realm-Syslog-TLS-Verification-Profile.

Configure Log Forwarding

  1. Navigate to Objects > Log Forwarding.
  2. Click Add to create a new log forwarding profile:
  • Name: RealmSecurityLogForwarding
  3. Under Traffic, Threat, WildFire, URL Filtering, and Data Filtering logs, click Add:
  • Name: RealmForwarding
  • Syslog: <select the syslog profile you created earlier>
  • Set the desired log severity levels (Informational and higher recommended).

Apply Log Forwarding to Security Policies

  1. Navigate to Policies > Security.
  2. For each relevant security policy:
  • Click to open the policy.
  • In the Actions tab, set Log Forwarding to the log forwarding profile you created ("RealmSecurityLogForwarding").

Configure Log Settings

Configure Log Settings to use the Realm Syslog Profile

  • Go to Device > Log Settings.
  • Ensure appropriate log types are configured to use the Realm Syslog Server Profile.

Verify Configuration

  • Navigate to Monitor > Logs and confirm logs are being forwarded correctly.
  • Confirm with Realm Security Data Fabric that logs are being received and correctly parsed.

Troubleshooting

If there are errors sending data from the Palo Alto firewall, check the following:

  • Ensure Format is set to IETF in the Syslog profile.
  • If using Realm Cloud Syslog:
    • Ensure Transport is set to SSL, the port is 443/6514, and the Realm CA certificate has been imported as a Trusted CA.
  • If using the Realm on-premise Data Collector:
    • Ensure Transport is set to TCP.

Log format

When exporting logs over syslog, you need to select a log format. Realm Security supports ingesting logs in CSV (default) format as well as CEF (Common Event Format) format.

When ingesting logs in CSV format, please select Palo Alto / PANOS (CSV) as the source format in Realm Security's web console.

When ingesting logs in CEF format, please select Palo Alto / PANOS (CEF) as the source format in Realm Security's web console.

CEF Format Strings

Realm Security supports CEF log ingestion. Ensure that the format strings configured in Palo Alto are valid: each must contain the seven mandatory pipe-delimited fields of the CEF header, followed by correctly formed key=value extensions. Palo Alto provides CEF format strings in its PAN-OS 10.0 documentation.

Use the CEF format strings from the Palo Alto PDF for all messages except for the three log types listed below.

The SCTP, GlobalProtect, and Decryption CEF formats in that documentation are incorrect (they are missing two of the header fields required by the CEF standard), so we recommend using the following instead.

SCTP Logs

CEF:0|Palo Alto Networks|PAN-OS|$sender_sw_version|$type|$subtype|1|rt=$cef-formatted-receive_time deviceExternalId=$serial start=$cef-formatted-time_generated src=$src dst=$dst cs1Label=Rule cs1=$rule cs3Label=Virtual System cs3=$vsys cs4Label=Source Zone cs4=$from cs5Label=Destination Zone cs5=$to deviceInboundInterface=$inbound_if deviceOutboundInterface=$outbound_if cs6Label=LogProfile cs6=$logset cn1Label=SessionID cn1=$sessionid cnt=$repeatcnt spt=$sport dpt=$dport proto=$proto act=$action PanOSDGl1=$dg_hier_level_1 PanOSDGl2=$dg_hier_level_2 PanOSDGl3=$dg_hier_level_3 PanOSDGl4=$dg_hier_level_4 PanOSVsysName=$vsys_name dvchost=$device_name externalId=$seqno PanOSAssocID=$assoc_id PanOSPayloadProtID=$ppid PanOSChunkType=$sctp_chunk_type PanOSSCTPVerTag1=$verif_tag_1 PanOSSCTPVerTag2=$verif_tag_2 PanOSSCTPCauseCode=$sctp_cause_code PanOSDiameterApp=$diam_app_id PanOSDiameterCmdCode=$diam_cmd_code PanOSDiameterAVPCode=$diam_avp_code PanOSSCTPStreamID=$stream_id PanOSSCTPAssocEndReason=$assoc_end_reason PanOSOpCode=$op_code PanOSSCCPCallingPartySSN=$sccp_calling_ssn PanOSSCCPCallingGT=$sccp_calling_gt PanOSSCTPFilter=$sctp_filter PanOSSCTPChunks=$chunks PanOSSCTPChunkSent=$chunks_sent PanOSSCTPChunkRcv=$chunks_received PanOSRuleUUID=$rule_uuid PanOSTimeGeneratedHighResolution=$high_res_timestamp

GlobalProtect Logs

CEF:0|Palo Alto Networks|PAN-OS|$sender_sw_version|$type|$subtype|1|rt=$receive_time PanOSDeviceSN=$serial PanOSLogTimeStamp=$time_generated PanOSVirtualSystem=$vsys PanOSEventID=$eventid PanOSStage=$stage PanOSAuthMethod=$auth_method PanOSTunnelType=$tunnel_type PanOSSourceUserName=$srcuser PanOSSourceRegion=$srcregion PanOSEndpointDeviceName=$machinename PanOSPublicIPv4=$public_ip PanOSPublicIPv6=$public_ipv6 PanOSPrivateIPv4=$private_ip PanOSPrivateIPv6=$private_ipv6 PanOSHostID=$hostid PanOSDeviceSN=$serialnumber PanOSGlobalProtectClientVersion=$client_ver PanOSEndpointOSType=$client_os PanOSEndpointOSVersion=$client_os_ver PanOSCountOfRepeats=$repeatcnt PanOSQuarantineReason=$reason PanOSConnectionError=$error PanOSDescription=$opaque PanOSEventStatus=$status PanOSGPGatewayLocation=$location PanOSLoginDuration=$login_duration PanOSConnectionMethod=$connect_method PanOSConnectionErrorID=$error_code PanOSPortal=$portal PanOSSequenceNo=$seqno PanOSActionFlags=$actionflags PanOSTimeGeneratedHighResolution=$high_res_timestamp PanOSGatewaySelectionType=$selection_type PanOSSSLResponseTime=$response_time PanOSGatewayPriority=$priority PanOSAttemptedGateways=$attempted_gateways PanOSGateway=$gateway

Decryption Logs

CEF:0|Palo Alto Networks|PAN-OS|$sender_sw_version|$type|$subtype|1|rt=$receive_time PanOSDeviceSN=$serial PanOSConfigVersion=$config_ver PanOSLogTimeStamp=$time_generated src=$src dst=$dst sourceTranslatedAddress=$natsrc destinationTranslatedAddress=$natdst cs1Label=Rule cs1=$rule suser=$srcuser duser=$dstuser app=$app cs3Label=Virtual System cs3=$vsys cs4Label=Source Zone cs4=$from cs5Label=Destination Zone cs5=$to deviceInboundInterface=$inbound_if deviceOutboundInterface=$outbound_if cs6Label=LogProfile cs6=$logset PanOSTimeReceivedManagementPlane=$time_received cn1Label=SessionID cn1=$sessionid PanOSCountOfRepeats=$repeatcnt spt=$sport dpt=$dport sourceTranslatedPort=$natsport destinationTranslatedPort=$natdport proto=$proto act=$actionflags PanOSTunnel=$tunnel PanOSSourceUUID=$src_uuid PanOSDestinationUUID=$dst_uuid PanOSRuleUUID=$rule_uuid PanOSClientToFirewall=$hs_stage_c2f PanOSFirewallToServer=$hs_stage_f2s PanOSTLSVersion=$tls_version PanOSTLSKeyExchange=$tls_keyxchg PanOSTLSEncryptionAlgorithm=$tls_enc PanOSTLSAuth=$tls_auth PanOSPolicyName=$policy_name PanOSEllipticCurve=$ec_curve PanOSErrorIndex=$err_index PanOSRootStatus=$root_status PanOSChainStatus=$chain_status PanOSProxyType=$proxy_type PanOSCertificateSerial=$cert_serial PanOSFingerprint=$fingerprint PanOSTimeNotBefore=$notbefore PanOSTimeNotAfter=$notafter PanOSCertificateVersion=$cert_ver PanOSCertificateSize=$cert_size PanOSCommonNameLength=$cn_len PanOSIssuerNameLength=$issuer_len PanOSRootCNLength=$rootcn_len PanOSSNILength=$sni_len PanOSCertificateFlags=$cert_flags PanOSCommonName=$cn PanOSIssuerCommonName=$issuer_cn PanOSRootCommonName=$root_cn PanOSServerNameIndication=$sni PanOSErrorMessage=$error PanOSContainerID=$container_id PanOSContainerNameSpace=$pod_namespace PanOSContainerName=$pod_name PanOSSourceEDL=$src_edl PanOSDestinationEDL=$dst_edl PanOSSourceDynamicAddressGroup=$src_dag PanOSDestinationDynamicAddressGroup=$dst_dag PanOSTimeGeneratedHighResolution=$high_res_timestamp PanOSSourceDeviceCategory=$src_category PanOSSourceDeviceProfile=$src_profile PanOSSourceDeviceModel=$src_model PanOSSourceDeviceVendor=$src_vendor PanOSSourceDeviceOSFamily=$src_osfamily PanOSSourceDeviceOSVersion=$src_osversion PanOSSourceDeviceHost=$src_host PanOSSourceDeviceMac=$src_mac PanOSDestinationDeviceCategory=$dst_category PanOSDestinationDeviceProfile=$dst_profile PanOSDestinationDeviceModel=$dst_model PanOSDestinationDeviceVendor=$dst_vendor PanOSDestinationDeviceOSFamily=$dst_osfamily PanOSDestinationDeviceOSVersion=$dst_osversion PanOSDestinationDeviceHost=$dst_host PanOSDestinationDeviceMac=$dst_mac PanOSLogTypeSeqNo=$seqno PanOSActionFlags=$actionflags
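Before committing a custom format string, it is worth rendering a few records and checking them against the two rules above: seven pipe-delimited header fields, and extensions in which every '=' starts a new key. The checker below is an added example (not Realm's or Palo Alto's code); its two sample records are constructed, with literal values standing in for the $variables, and the second deliberately has a header two fields short and two extensions run together without a separating space.

```python
import re
from typing import Dict, List, Tuple

# A CEF record is "CEF:Version|Device Vendor|Device Product|Device Version|Device Event
# Class ID|Name|Severity|Extension": seven pipe-delimited header fields, then key=value pairs.
HEADER_FIELDS = 7
PIPE = re.compile(r"(?<!\\)\|")                    # a literal '|' in the header is escaped as '\|'
EXT_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")  # a key is a bare token directly followed by '='
UNESCAPED_EQ = re.compile(r"(?<!\\)=")             # a literal '=' inside a value is escaped as '\='

def check_cef(line: str) -> Tuple[List[str], Dict[str, str], List[str]]:
    """Split one CEF line into (header fields, extensions, problems found)."""
    problems: List[str] = []
    parts = PIPE.split(line.rstrip("\n"), maxsplit=HEADER_FIELDS)
    if not parts[0].startswith("CEF:"):
        problems.append("record does not start with 'CEF:'")
    header, ext = parts[:-1], parts[-1]   # everything after the 7th pipe is the extension
    if len(header) != HEADER_FIELDS:
        problems.append(f"header has {len(header)} fields, CEF requires {HEADER_FIELDS}")
    else:
        sev = header[6]   # 0-10 or one of the four severity words
        if not ((sev.isdigit() and int(sev) <= 10) or sev in ("Low", "Medium", "High", "Very-High")):
            problems.append(f"invalid severity {sev!r}")
    keys = list(EXT_KEY.finditer(ext))
    if ext.strip() and not keys:
        problems.append("extension contains no key=value pairs")
    extensions: Dict[str, str] = {}
    for i, m in enumerate(keys):
        # a value runs from after its '=' up to the whitespace that precedes the next key
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        key, value = m.group(1), ext[m.end():end].strip()
        if key in extensions:
            problems.append(f"duplicate extension key {key!r}")
        if UNESCAPED_EQ.search(value):
            problems.append(f"unescaped '=' in value of {key!r}: two pairs run together?")
        extensions[key] = value
    return header, extensions, problems

# Constructed sample records (not real firewall output). GOOD follows the SCTP format
# string above; BAD has a 5-field header and a missing space before "proto=".
GOOD = ("CEF:0|Palo Alto Networks|PAN-OS|10.2.4|SCTP|start|1|rt=Jan 05 2024 10:11:12 "
        "deviceExternalId=001122334455 src=10.0.0.5 dst=10.0.1.9 cs1Label=Rule cs1=allow-sctp "
        "spt=38412 dpt=38412 proto=sctp act=allow dvchost=fw-edge-01 externalId=7781")
BAD = ("CEF:0|Palo Alto Networks|PAN-OS|10.2.4|SCTP|rt=Jan 05 2024 10:11:12 src=10.0.0.5 "
       "dst=10.0.1.9 sourceTranslatedPort=38412 destinationTranslatedPort=38412proto=sctp "
       "act=allow act=allow")

if __name__ == "__main__":
    for name, rec in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_cef(rec)[2] or "ok")
```

Run it over a handful of lines captured from the firewall's syslog output to confirm the collector will see the fields the format string promises.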

Support

For additional details, refer to the official Palo Alto Networks documentation on configuring syslog monitoring:
https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-admin/monitoring/use-syslog-for-monitoring/configure-syslog-monitoring

For additional details on field names, see Syslog Field Descriptions:
https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-admin/monitoring/use-syslog-for-monitoring/syslog-field-descriptions

For additional information on severity, see the Syslog Severity Reference:
https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-admin/monitoring/use-syslog-for-monitoring/system-log-reference

If you encounter any issues or require assistance, contact Realm Security support.

Event metadata

The following additional metadata fields will be included with the events:

Field Name        Value
_sourceCategory   paloalto/pan_os