
Event Interoperability Standard

Common Event Format Configuration Guide


Palo Alto Networks PAN-OS 4.0.0 Date: March 2, 2011

ArcSight Technical Note Contains Confidential and Proprietary Information


CEF Connector Configuration Guide Palo Alto Networks PAN-OS 4.0.0 February 25, 2011

Revision History

| Date | Description |
|---|---|
| 02/25/2011 | First edition of this Configuration Guide. |
| 03/02/2011 | Certified CEF Compliant PAN-OS 4.0.0 |


PAN-OS 4.0.0 CEF Configuration Guide


This guide provides information for configuring the Palo Alto Networks next-generation firewalls for CEF-formatted syslog event collection. PAN-OS version 4.0.0 or higher is supported.

Overview
Palo Alto Networks next-generation firewalls provide network security by enabling enterprises to see and control applications, users, and content, not just ports, IP addresses, and packets, using three unique identification technologies: App-ID, User-ID, and Content-ID. These identification technologies, found in Palo Alto Networks' enterprise firewalls, enable enterprises to create business-relevant security policies that safely enable the adoption of new applications, instead of the all-or-nothing approach offered by the traditional port-blocking firewalls used in many security infrastructures. Next-generation firewall model families include Palo Alto Networks' PA-5000 Series, PA-4000 Series, PA-2000 Series, and the PA-500, and range from 250 Mbps to 20 Gbps in throughput capacity. Delivered as a purpose-built appliance, every Palo Alto Networks next-generation firewall uses dedicated, function-specific processing that is tightly integrated with a single-pass software engine. This combination of hardware and software maximizes network throughput while minimizing latency. Each of the hardware platforms supports the same rich set of next-generation firewall features, ensuring consistent operation across the entire line.

Configuration
Configure the Palo Alto Networks device for ArcSight CEF-formatted syslog events based on information from the PAN-OS administrator's guide.

1. Open the UI and select the Device tab.
2. On the left hand side select Syslog under Server Profiles and click Add.
3. In the Syslog Server Profile dialog enter a server profile Name and Location (Location refers to a Virtual System).
4. Select the Servers tab, and click Add to provide a name for the Syslog server, IP address, Port (default 514), and Facility (default LOG_USER).
5. Select the Custom Log Format tab, and click on any of the listed log types Config/System/Threat/Traffic/HIPMatch to define a custom format based on the ArcSight CEF for that log type.

The table below shows the CEF-style format that was used during the certification process for each log type. These custom formats include all the fields that are displayed in the default format of the syslogs, in a similar order.

NOTE: Customers can choose to define their own CEF-style formats using the event mapping table provided in addition to this document. The Custom Log Format tab supports escaping any characters defined in the CEF as special characters. For instance, to escape the backslash and equal characters with a backslash, specify \= as the Escaped characters and \ as the Escape character.

Traffic:
CEF:0|Palo Alto Networks|PAN-OS|4.0.0|$subtype|$type|1|rt=$cef-formatted-receive_time deviceExternalId=$serial src=$src dst=$dst sourceTranslatedAddress=$natsrc destinationTranslatedAddress=$natdst cs1Label=Rule cs1=$rule suser=$srcuser duser=$dstuser app=$app cs3Label=Virtual System cs3=$vsys cs4Label=Source Zone cs4=$from cs5Label=Destination Zone cs5=$to deviceInboundInterface=$inbound_if deviceOutboundInterface=$outbound_if cs6Label=LogProfile cs6=$logset cn1Label=SessionID cn1=$sessionid cnt=$repeatcnt spt=$sport dpt=$dport sourceTranslatedPort=$natsport destinationTranslatedPort=$natdport flexString1Label=Flags flexString1=$flags proto=$proto act=$action flexNumber1Label=Total bytes flexNumber1=$bytes cn2Label=Packets cn2=$packets start=$cef-formatted-time_generated cn3Label=Elapsed time in seconds cn3=$elapsed cs2Label=URL Category cs2=$category

Threat:
CEF:0|Palo Alto Networks|PAN-OS|4.0.0|$subtype $threatid|$type|$number-of-severity|rt=$cef-formatted-receive_time deviceExternalId=$serial src=$src dst=$dst sourceTranslatedAddress=$natsrc destinationTranslatedAddress=$natdst cs1Label=Rule cs1=$rule suser=$srcuser duser=$dstuser app=$app cs3Label=Virtual System cs3=$vsys cs4Label=Source Zone cs4=$from cs5Label=Destination Zone cs5=$to deviceInboundInterface=$inbound_if deviceOutboundInterface=$outbound_if cs6Label=LogProfile cs6=$logset cn1Label=SessionID cn1=$sessionid cnt=$repeatcnt spt=$sport dpt=$dport sourceTranslatedPort=$natsport destinationTranslatedPort=$natdport flexString1Label=Flags flexString1=$flags proto=$proto act=$action msg=$misc cs2Label=URL Category cs2=$category deviceDirection=$direction

Config:
CEF:0|Palo Alto Networks|PAN-OS|4.0.0|$subtype $result|$type|1|rt=$cef-formatted-receive_time deviceExternalId=$serial dvchost=$host cs3Label=Virtual System cs3=$vsys act=$cmd duser=$admin destinationServiceName=$client msg=$path

System:
CEF:0|Palo Alto Networks|PAN-OS|4.0.0|$subtype $eventid|$type $eventid|$number-of-severity|rt=$cef-formatted-receive_time deviceExternalId=$serial cs3Label=Virtual System cs3=$vsys fname=$object flexString2Label=Module flexString2=$module msg=$fmt

HIP Match:
CEF:0|Palo Alto Networks|PAN-OS|4.0.0|$subtype $hip|$type $hiptype|1|rt=$cef-formatted-receive_time deviceExternalId=$serial suser=$srcuser cs3Label=Virtual System cs3=$vsys shost=$machinename src=$src cnt=$repeatcnt
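To see what the firewall actually emits once the Traffic format and the escaping settings above are applied, here is an added Python example written for this guide; it is not Palo Alto Networks or ArcSight code. It takes the Traffic format verbatim, substitutes each $variable from a constructed end-of-session record, and applies the \= / \ escaping rule from the note. The serial number, addresses, user and session values are invented, and the "cef-formatted" timestamps are assumed to be rendered in the MMM dd yyyy HH:mm:ss form that the rt and start rows of the Extension Dictionary describe.

```python
import re
from datetime import datetime

# Traffic custom log format exactly as the guide lists it for PAN-OS 4.0.0.
TRAFFIC_FORMAT = (
    "CEF:0|Palo Alto Networks|PAN-OS|4.0.0|$subtype|$type|1|"
    "rt=$cef-formatted-receive_time deviceExternalId=$serial src=$src dst=$dst "
    "sourceTranslatedAddress=$natsrc destinationTranslatedAddress=$natdst "
    "cs1Label=Rule cs1=$rule suser=$srcuser duser=$dstuser app=$app "
    "cs3Label=Virtual System cs3=$vsys cs4Label=Source Zone cs4=$from "
    "cs5Label=Destination Zone cs5=$to deviceInboundInterface=$inbound_if "
    "deviceOutboundInterface=$outbound_if cs6Label=LogProfile cs6=$logset "
    "cn1Label=SessionID cn1=$sessionid cnt=$repeatcnt spt=$sport dpt=$dport "
    "sourceTranslatedPort=$natsport destinationTranslatedPort=$natdport "
    "flexString1Label=Flags flexString1=$flags proto=$proto act=$action "
    "flexNumber1Label=Total bytes flexNumber1=$bytes cn2Label=Packets cn2=$packets "
    "start=$cef-formatted-time_generated cn3Label=Elapsed time in seconds "
    "cn3=$elapsed cs2Label=URL Category cs2=$category"
)

# PAN-OS variable names contain '-' ($cef-formatted-receive_time), so allow it here.
VARIABLE = re.compile(r"\$([A-Za-z0-9_-]+)")

def escape_value(value, escaped_chars="\\=", escape_char="\\"):
    """Apply the Custom Log Format tab's escaping rule: every character listed in
    escaped_chars is prefixed with escape_char. The defaults are the guide's
    example (Escaped characters \\= , Escape character \\)."""
    out = []
    for ch in value:
        if ch in escaped_chars:
            out.append(escape_char)
        out.append(ch)
    return "".join(out)

def cef_time(dt):
    """Timestamp in the form the rt/start rows describe: MMM dd yyyy HH:mm:ss
    (assumption about how the firewall renders the 'cef-formatted' variables)."""
    return dt.strftime("%b %d %Y %H:%M:%S")

def render(template, fields, escaped_chars="\\=", escape_char="\\"):
    """Substitute every $variable in the template with its escaped value; a
    variable the record does not provide is an error rather than silently empty."""
    def substitute(match):
        name = match.group(1)
        if name not in fields:
            raise KeyError(f"no value for ${name} in the log record")
        return escape_value(str(fields[name]), escaped_chars, escape_char)
    return VARIABLE.sub(substitute, template)

# Constructed TRAFFIC end-of-session record (serial, addresses and user are invented).
# 'srcuser' deliberately holds a DOMAIN\\user value so the backslash escaping shows.
SAMPLE_TRAFFIC = {
    "subtype": "end", "type": "TRAFFIC",
    "cef-formatted-receive_time": cef_time(datetime(2011, 3, 2, 10, 15, 0)),
    "cef-formatted-time_generated": cef_time(datetime(2011, 3, 2, 10, 14, 30)),
    "serial": "0001A100001", "src": "10.1.1.5", "dst": "93.184.216.34",
    "natsrc": "203.0.113.10", "natdst": "93.184.216.34", "rule": "allow-web",
    "srcuser": "corp\\jdoe", "dstuser": "", "app": "web-browsing", "vsys": "vsys1",
    "from": "trust", "to": "untrust", "inbound_if": "ethernet1/2",
    "outbound_if": "ethernet1/1", "logset": "default", "sessionid": 84521,
    "repeatcnt": 1, "sport": 51234, "dport": 80, "natsport": 11012, "natdport": 80,
    "flags": "0x400000", "proto": "tcp", "action": "allow", "bytes": 5432,
    "packets": 24, "elapsed": 30, "category": "computer-and-internet-info",
}

def sample_line():
    """The syslog payload the firewall would emit for SAMPLE_TRAFFIC."""
    return render(TRAFFIC_FORMAT, SAMPLE_TRAFFIC)

if __name__ == "__main__":
    print(sample_line())
```

Note that an empty variable such as $dstuser produces `duser=` followed directly by the next key, and that labels containing spaces (cs3Label=Virtual System) are emitted as-is; a CEF consumer has to tolerate both, which is why the escaping of `=` and `\` in values matters.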


Screen Shot
Shown below is a screenshot of the Active Channel page on the ArcSight CEF Server showing the events generated by a Palo Alto Networks Device.

Events
The different log types for which syslogs are generated include TRAFFIC, THREAT, CONFIG, SYSTEM, and HIP MATCH. For the SYSTEM events, the $eventid field captures the specific event associated with that log. Refer to the System Logs document for a listing of all the events grouped by the system area.

Device Event Mapping to ArcSight Data Fields


Information contained within vendor-specific event definitions is sent to the ArcSight SmartConnector, and then mapped to an ArcSight data field. This section provides definitions of the Prefix Fields and their values for syslog messages generated by Palo Alto Networks firewalls, followed by the Extension Dictionary that lists Palo Alto Networks-specific event definitions and their mapping to ArcSight CEF data fields.

Prefix fields

| CEF Name | Data type | Meaning | Palo Alto Networks Value |
|---|---|---|---|
| Version | Integer | Identifies the version of the CEF format. | 0 |
| Device Vendor | String | Device Vendor | Palo Alto Networks |
| Device Product | String | Device Product | PAN-OS |
| Device Version | String | Device Version | Configurable. E.g. 4.0.0 |
| Signature ID | String | Unique identifier per event-type | Value is event-type specific: Traffic: $subtype; Threat: $subtype $threatid; Config: $subtype $result; System: $subtype $eventid; HIP: $subtype $hip |
| Name | String | Represents a human-readable and understandable description of the event. | Value is event-type specific: Traffic: $type; Threat: $type; Config: $type; System: $type $eventid; HIP Match: $type $hiptype |
| Severity | Integer | Reflects the importance of the event. Only numbers from 0 to 10 are allowed, where 10 indicates the most important event. | $number-of-severity. Always 1 for traffic, config, and HIP events. |

Extension Dictionary
CEF Key Name Full Name Data Type Length Meaning Palo Alto Networks Value Field Value is eventtype specific: Traffic : $action Threat: $action Config: $cmd app ApplicationProto col String 31 Application level protocol, example values are: HTTP, HTTPS, SSHv2, Telnet, POP, IMAP, IMAPS, etc. Represents the category assigned by the originating device. Devices oftentimes use their own categorization schema to classify events. SessionID $sessionid $app

act

deviceAction

String

63

Action mentioned in the event.

cat

deviceEventCat egory

String

1023

cn1

deviceCustomN umber1

Long

ArcSight Technical Note Contains Confidential and Proprietary Information

Event Interoperability Standard

CEF Key Name

Full Name

Data Type

Length

Meaning

Palo Alto Networks Value Field

cn1Label

deviceCustomN umber1 Label deviceCustomN umber2 deviceCustomN umber2Label deviceCustomN umber3 deviceCustomN umber3Label baseEventCount

String

1023

SessionID

cn2

Long

Packets

$packets

cn2Label

String

1023

Packets

cn3

Long

Elapsed time

$elapsed

cn3Label

String

1023

Elapsed time in seconds A count associated with this event. How many times was this same event observed? $repeatcnt

cnt

Integer

cs1

deviceCustomSt ring1

String

1023

Rule

$rule

cs1Label

deviceCustomSt ring1Label

String

1023

Rule

cs2

deviceCustomSt ring2

String

1023

URL Category

$category

cs2Label

deviceCustomSt ring2Label

String

1023

URL Category

cs3

deviceCustomSt ring3

String

1023

Vsys

$vsys

cs3Label

deviceCustomSt ring3Label

String

1023

Virtual System

ArcSight Technical Note Contains Confidential and Proprietary Information

Event Interoperability Standard

CEF Key Name

Full Name

Data Type

Length

Meaning

Palo Alto Networks Value Field $from

cs4

deviceCustomSt ring4

String

1023

Srczone

cs4Label

deviceCustomSt ring4Label deviceCustomSt ring5 deviceCustomSt ring5Label deviceCustomSt ring6 deviceCustomSt ring6Label

String

1023

Source Zone

cs5

String

1023

Dstzone

$to

cs5Label

String

1023

Destination Zone

cs6

String

1023

LogProfile

$logset

cs6Label

String

1023

LogProfile

destinationService Name

String

1023

The service which is targeted by this event.

Value is eventtype specific: Config: $client

destinationTransla ted Address

IPv4 Address

Identifies the translated destination that the event refers to in an IP network. The format is an IPv4 address.Example: 192.168.10.1 Port after it was translated; for example, a firewall. Valid port numbers are 0 to 65535. Any information about what direction the communication that was observed has taken. 255 A name that uniquely identifies the device generating this event. Serial Number of the device.

$natdst

destinationTransla tedPort

Integer

$natdport

deviceDirection

String

$direction

deviceExternalId

String

$serial

deviceInboundInte rface

String

15

Interface on which the packet or data entered the device. Interface on which the packet or data left the device.

$inbound_if

deviceOutboundIn terface

String

15

$outbound_if

ArcSight Technical Note Contains Confidential and Proprietary Information

Event Interoperability Standard

CEF Key Name

Full Name

Data Type

Length

Meaning

Palo Alto Networks Value Field $dport

dpt

destinationPort

Integer

The valid port numbers are between 0 and 65535. Identifies destination that the event refers to in an IP network. The format is an IPv4 address.Example: 192.168.10.1 1023 Identifies the destination user by name. This is the user associated with the event's destination. Email addresses are also mapped into the UserName fields. The recipient is a candidate to put into destinationUserName. The format should be a fully qualified domain name associated with the device node, when a node is available.Examples: host.domain.com or host. Total bytes (rx and tx)

dst

destinationAddr ess

IPv4 Address

$dst

duser

destinationUser Name

String

Value is eventtype specifc: Traffic: $dstuser Threat:$dstuser Config: $admin

dvchost

deviceHostNam e

String

100

Value is eventtype specific: Config: $host

flexNumber1 flexNumber1Label flexString1 flexString1Label flexString2 String String String String

$bytes

Total bytes Flags Flags Module Value is eventtype specific: System:$module $flags

flexString2Label fname filename

String String 1023

Module Name of the file. Value is eventtype specific: System: $object

in

bytesIn

Integer

Number of bytes transferred inbound. Inbound relative to the source to destination relationship, meaning that data was flowing from source to

$bytes_received

ArcSight Technical Note Contains Confidential and Proprietary Information

10

Event Interoperability Standard

CEF Key Name

Full Name

Data Type

Length

Meaning

Palo Alto Networks Value Field

destination.

msg

Message

String

1023

An arbitrary message giving more details about the event. Multiline entries can be produced by using \n as the new-line separator. Number of bytes transferred outbound. Outbound relative to the source to destination relationship, meaning that data was flowing from destination to source.

Value is eventtype specific: Threat: $misc System: $fmt Config: $path $bytes_sent

out

bytesOut

Integer

proto

transportProtoc ol

String

31

Identifies the Layer-4 protocol used. The possible values are protocol names such as TCP or UDP. The time at which the event related to the activity was received. The format isMMM dd yyyy HH:mm:ssor milliseconds since epoch (Jan 1st 1970).

$proto

rt

receiptTime

Time Stamp

$cef-formattedreceive_time

shost

sourceHostNam e

String

1023

Identifies the source that an event refers to in an IP network. The format should be a fully qualified domain name associated with the source node, when a node is available.Examples: host.domain.com or host. Identifies the translated source that the event refers to in an IP network. The format is an Ipv4 address. Example: 192.168.10.1 Port after it was translated by for example a firewall. Valid port numbers are 0 to 65535.

Value is eventtype specific: HIP Match: $machinename

sourceTranslatedA ddress

Ipv4 Address

$natsrc

sourceTranslatedP ort

Integer

$natsport

ArcSight Technical Note Contains Confidential and Proprietary Information

11

Event Interoperability Standard

CEF Key Name

Full Name

Data Type

Length

Meaning

Palo Alto Networks Value Field $sport

spt

sourcePort

Integer

The valid port numbers are 0 to 65535. Identifies the source that an event refers to in an IP network. The format is an Ipv4 address.Example: 192.168.10.1 The time when the activity the event referred to started. The format isMMM dd yyyy HH:mm:ssor milliseconds since epoch (Jan 1st 1970). The time when the activity the event referred to started. The format isMMM dd yyyy HH:mm:ssor milliseconds since epoch (Jan 1st 1970). 1023 Identifies the source user by name. E-mail addresses are also mapped into the UserName fields. The sender is a candidate to put into sourceUserName.

src

sourceAddress

Ipv4 Address

$src

start

startTime

Time Stamp

$cef-formattedtime_generated

start

startTime

Time Stamp

$cef-formattedtime_generated

suser

sourceUserNam e

String

$srcuser
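On the consuming side, a collector has to split the header on unescaped pipes, walk the extension as key=value pairs whose values may contain spaces (cs3Label=Virtual System) or be empty, undo the \= and \ escaping described in the Configuration section, and translate the short CEF keys to the Full Name column of the dictionary above. The following Python is an added example written for this guide, not ArcSight SmartConnector code. It embeds a constructed Threat-format line (the threat ID 12345, serial number, addresses and user are made up), maps keys using the dictionary, exposes custom fields under their cs*/cn* label the way an analyst sees them, and checks the ranges and lengths the Meaning and Length columns specify.

```python
import re

# CEF key -> Full Name, from the Extension Dictionary above. Long-form keys such as
# deviceExternalId or sourceTranslatedAddress are their own full name and are not listed.
FULL_NAME = {
    "act": "deviceAction", "app": "ApplicationProtocol", "cat": "deviceEventCategory",
    "cnt": "baseEventCount", "dpt": "destinationPort", "dst": "destinationAddress",
    "duser": "destinationUserName", "dvchost": "deviceHostName", "fname": "filename",
    "in": "bytesIn", "msg": "Message", "out": "bytesOut", "proto": "transportProtocol",
    "rt": "receiptTime", "shost": "sourceHostName", "spt": "sourcePort",
    "src": "sourceAddress", "start": "startTime", "suser": "sourceUserName",
}
# Length limits from the Length column (cs1..cs6, their labels, cn labels and the
# free-text fields are all 1023 characters).
MAX_LEN = {"act": 63, "app": 31, "proto": 31, "deviceExternalId": 255, "dvchost": 100,
           "deviceInboundInterface": 15, "deviceOutboundInterface": 15,
           "destinationServiceName": 1023, "duser": 1023, "suser": 1023, "shost": 1023,
           "fname": 1023, "msg": 1023}
for _n in range(1, 7):
    FULL_NAME[f"cs{_n}"] = f"deviceCustomString{_n}"
    FULL_NAME[f"cs{_n}Label"] = f"deviceCustomString{_n}Label"
    MAX_LEN[f"cs{_n}"] = MAX_LEN[f"cs{_n}Label"] = 1023
for _n in range(1, 4):
    FULL_NAME[f"cn{_n}"] = f"deviceCustomNumber{_n}"
    FULL_NAME[f"cn{_n}Label"] = f"deviceCustomNumber{_n}Label"
    MAX_LEN[f"cn{_n}Label"] = 1023
PORT_KEYS = {"spt", "dpt", "sourceTranslatedPort", "destinationTranslatedPort"}

HEADER_SPLIT = re.compile(r"(?<!\\)\|")            # '|' not preceded by a backslash
KEY_START = re.compile(r"(?:^| )([A-Za-z0-9_]+)=")  # ' key=' opens an extension pair

def unescape(text):
    """Undo backslash escaping: the \\= and \\\\ pairs configured on the firewall plus
    the CEF \\| and \\n sequences, so the collector sees the original characters."""
    out, i = [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            out.append("\n" if text[i + 1] == "n" else text[i + 1])
            i += 2
        else:
            out.append(text[i])
            i += 1
    return "".join(out)

def parse_cef(line):
    """Split a CEF line into (header dict, extension dict keyed by raw CEF key)."""
    parts = HEADER_SPLIT.split(line, maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("expected CEF:version|vendor|product|version|sigid|name|severity|ext")
    names = ["version", "deviceVendor", "deviceProduct", "deviceVersion",
             "signatureId", "name", "severity"]
    header = dict(zip(names, (unescape(p) for p in parts[:7])))
    header["version"] = header["version"][len("CEF:"):]
    extension, raw = {}, parts[7]
    starts = list(KEY_START.finditer(raw))
    # A value runs from the end of its 'key=' up to the space before the next 'key='.
    for match, following in zip(starts, starts[1:] + [None]):
        end = following.start() if following else len(raw)
        extension[match.group(1)] = unescape(raw[match.end():end])
    return header, extension

def map_to_arcsight(extension):
    """Translate short CEF keys to ArcSight full names; custom fields that carry a
    cs*Label / cn*Label / flex*Label are additionally exposed under that label."""
    mapped = {FULL_NAME.get(key, key): value for key, value in extension.items()}
    for key, value in extension.items():
        label = extension.get(key + "Label")
        if label:
            mapped[label] = value
    return mapped

def validate(header, extension):
    """Return violations of the ranges and lengths the dictionary specifies."""
    problems = []
    severity = header["severity"]
    if not (severity.isdigit() and 0 <= int(severity) <= 10):
        problems.append(f"severity {severity!r} is not an integer in 0..10")
    for key in sorted(PORT_KEYS & set(extension)):
        if not (extension[key].isdigit() and int(extension[key]) <= 65535):
            problems.append(f"{key}={extension[key]!r} is not a port in 0..65535")
    for key, limit in MAX_LEN.items():
        if key in extension and len(extension[key]) > limit:
            problems.append(f"{key} exceeds {limit} characters")
    return problems

# Constructed Threat-format line in the guide's layout; the threat ID, serial number,
# addresses and user are invented for the example.
SAMPLE_THREAT_LINE = (
    "CEF:0|Palo Alto Networks|PAN-OS|4.0.0|vulnerability 12345|THREAT|5|"
    "rt=Mar 02 2011 10:15:00 deviceExternalId=0001A100001 src=10.1.1.5 dst=93.184.216.34 "
    "sourceTranslatedAddress=203.0.113.10 destinationTranslatedAddress=93.184.216.34 "
    "cs1Label=Rule cs1=allow-web suser=corp\\\\jdoe duser= app=web-browsing "
    "cs3Label=Virtual System cs3=vsys1 cs4Label=Source Zone cs4=trust "
    "cs5Label=Destination Zone cs5=untrust deviceInboundInterface=ethernet1/2 "
    "deviceOutboundInterface=ethernet1/1 cs6Label=LogProfile cs6=default "
    "cn1Label=SessionID cn1=84521 cnt=1 spt=51234 dpt=80 sourceTranslatedPort=11012 "
    "destinationTranslatedPort=80 flexString1Label=Flags flexString1=0x400000 proto=tcp "
    "act=alert msg=GET /search?q\\=cef cs2Label=URL Category "
    "cs2=computer-and-internet-info deviceDirection=client-to-server"
)

if __name__ == "__main__":
    hdr, ext = parse_cef(SAMPLE_THREAT_LINE)
    for name, value in map_to_arcsight(ext).items():
        print(f"{name:32} {value!r}")
    print("problems:", validate(hdr, ext))
```

The key-boundary rule (a new pair starts only at a space followed by key characters and a bare `=`) is what makes the escaping on the firewall side load-bearing: an unescaped `=` inside a value such as a URL or a DOMAIN\user name would otherwise be mistaken for the start of a new field and silently shift every later value.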
