Ingest data from Next-Generation Firewall - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Documentation

Product
Cortex XSIAM
Creation date
2024-03-06
Last date published
2024-10-10
Category
Administrator Guide
Abstract

Learn how to ingest detection data from Next-Generation Firewall and Panorama.

You can forward firewall data from your Next-Generation Firewall (NGFW) and Panorama devices to Cortex XSIAM.

Collection of firewall data from multiple accounts is supported. Super User permissions on both the Cortex XSIAM tenant accounts and the NGFW or Panorama accounts are required for this use case.

Danger

Ensure that you have completed the following on the NGFW or Panorama side:

  • For Panorama only, ensure that the Panorama Cloud Services plugin is installed.

  • Enable log forwarding profiles on firewall rules.

On the Cortex XSIAM side, ensure that you have user role permissions for Data Collection > Data Sources.

Configuration of data ingestion from multiple accounts requires Super User permissions on both the Cortex XSIAM tenant and on the device accounts.

Note

  • If your firewalls are located in a different region, or bandwidth issues are encountered due to large log size, you can ingest NGFW logs in CEF format, using the Syslog collector. This solution provides similar protection, out-of-the-box data modeling and analytics to logs ingested into Strata Logging Service. For more information, see Ingest Next-Generation Firewall logs using the Syslog collector.

  • In the following procedure, general information is provided for NGFW and Panorama. For detailed instructions, consult the documentation for your specific devices and Panorama version.

Set up detection data ingestion
  1. In the user interface for setting up firewalls, for Strata Logging Service/Cloud Logging, enable the following options directly, or using device templates.

    (For example, go to DeviceSetupManagementCloud Logging section)

    1. Select Enable Strata Logging Service.

    2. Select Enable Enhanced Application Logging.

    3. (Optional, depending on your organization's requirements) Select Enable Duplicate Logging (Cloud and On-Premise).

  2. Depending on your PAN-OS or Panorama version, generate either a certificate or PSK.

    For PAN-OS and Panorama versions 10.1 and later, each firewall requires a separate certificate. Certificates need to be requested through the Customer Support portal. To sign in to the portal, click here. For PAN-OS and Panorama versions 10.0 and earlier, you are only required to generate one global PSK for all the firewall devices.

    Note

    Cortex XSIAM does not validate your firewall credentials, you must ensure the certificates or PSK details have been updated in your firewalls in order for data to stream.

  3. Onboard the certificates.

  4. Define a Log Forwarding profile.

  5. Map the Log Forwarding profile to a Security Policy Rule.

  6. Verify that the connection between the firewalls and Strata Logging Service is valid.

  7. Push the configuration changes to the firewalls.

  8. In Cortex XSIAM, select SettingsData Sources.

  9. On the Data Sources page, click Add Data Source, search for and select NGFW, and click Connect.

  10. Select Add NGFW Device or Add Panorama Device, and then do one of the following:

    • For devices in your account, select one or more devices from Select FW/Panorama devices.

    • To include devices from other accounts, select Select devices from other accounts, and then select one or more FW or Panorama devices from other accounts. For cross-account connections, you must have Super User permissions on the Cortex tenant account and the device account.

    Devices already connected are listed at the end. A device may be connected via Strata Logging Service, or via Cortex XSIAM. Rectify any streaming issues that may arise by checking configurations for the relevant connection type (Strata Logging Service or Cortex XSIAM).

  11. To complete the onboarding process of your devices, on the Next Steps to Connect Your Devices page, expand the relevant device version, and follow the corresponding instructions.

  12. Click Connect to establish the instance.

    Connection is established regardless of the firewall credential status and can take up to several minutes, select Sync now to refresh your instances.

  13. Validate that your data is streaming. It might be necessary to create traffic before you verify data streaming.

    To ensure the data is streaming into your tenant:

    • In your NGFW Standalone Firewall Devices, track the Last communication timestamp.

    • Run XQL Query: dataset = panw_ngfw_system_raw| filter log_source_id = "[NGFW device SN]"

  14. (Optional) Manage your Instance.

    After you create the NGFW instance, on the Data Sources page, expand the NGFW to track the status of your Standalone Firewall Devices and Panorama Devices.

    Select the ellipses to Request Certificate, if required, or Delete the instance.

Note

It might take an hour or longer after connecting the firewall in Cortex XSIAM until you start seeing notifications that the certificate has been approved, and that the logging service license has appeared on the firewall.

When Cortex XSIAM begins receiving detection data, the console begins stitching logs with other Palo Alto Network-generated logs to form stories. Use the XQL Search dataset panw_ngfw_*_raw to query your data, where the following logs are supported:

*These datasets use the query field names as described in the Cortex schema documentation.

For stitched raw data, you can query the xdr_data dataset or use any preset designated for stitched data, such as network_story. For query examples, refer to the in-app XQL Library. When relevant, Cortex XSIAM can also raise Cortex XSIAM alerts (Analytics, Correlation Rules, IOC, and BIOC only) from Strata Logging Service detection data. While Correlation Rules alerts are raised on non-normalized and normalized logs, Analytics, IOC, and BIOC alerts are only raised on normalized logs.

Note

IOC and BIOC alerts are applicable on stitched data only and are not available on raw data.

Tip

You can see an overview of ingestion status for all log types, and a breakdown of each log type and its daily consumption quota on the NGFW Ingestion Dashboard.