ArcSight Technical Note – Contains Confidential and Proprietary Information
Event Interoperability Standard
PAN-OS 4.0.0 CEF Configuration Guide
This guide provides information for configuring the Palo Alto Networks next-generation
firewalls for CEF-formatted syslog event collection. PAN-OS version 4.0.0 or higher is
supported.
Overview
Palo Alto Networks’ next-generation firewalls provide network security by enabling
enterprises to see and control applications, users, and content – not just ports, IP
addresses, and packets – using three unique identification technologies: App-ID, User-ID,
and Content-ID. These identification technologies, found in Palo Alto Networks' enterprise
firewalls, enable enterprises to create business-relevant security policies – safely enabling
organizations to adopt new applications, instead of the traditional “all-or-nothing” approach
offered by traditional port-blocking firewalls used in many security infrastructures.
Next-generation firewall model families include Palo Alto Networks' PA-5000 Series, PA-4000 Series, PA-2000 Series, and the PA-500, and range from 250 Mbps to 20 Gbps in
throughput capacity. Delivered as a purpose-built appliance, every Palo Alto Networks
next-generation firewall utilizes dedicated, function-specific processing that is tightly
integrated with a single-pass software engine. This unique combination of hardware and
software maximizes network throughput while minimizing latency. Each of the hardware
platforms supports the same rich set of next-generation firewall features ensuring
consistent operation across the entire line.
Configuration
Configure the Palo Alto Networks device for ArcSight CEF-formatted syslog events based
on information from the PAN-OS administrator’s guide.

1. Open the UI and select the ‘Device’ tab.
2. On the left-hand side select ‘Syslog’ under ‘Server Profiles’ and click ‘Add’.
3. In the ‘Syslog Server Profile’ dialog enter a server profile ‘Name’ and ‘Location’
   (location refers to a Virtual System).
4. Select the ‘Servers’ tab, and click ‘Add’ to provide a name for the Syslog server, IP
   address, Port (default 514), and Facility (default LOG_USER).
5. Select the ‘Custom Log Format’ tab, and click on any of the listed log types
   (Config/System/Threat/Traffic/HIPMatch) to define a custom format based on the
   ArcSight CEF for that log type.

The table below shows the CEF-style format that was used during the certification process for
each log type. These custom formats include all the fields that are displayed in the default
format of the syslogs, in a similar order. NOTE: Customers can choose to define their own
CEF-style formats using the event mapping table provided in addition to this document.

The ‘Custom Log Format’ tab supports escaping any characters defined in the CEF as
special characters. For instance, to escape the backslash and equal characters with a
backslash, specify ‘\=’ as the ‘Escaped characters’ and ‘\’ as the ‘Escape character’.
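As an added example (not code from this note or from Palo Alto Networks), the Python script below renders CEF lines the way a custom log format looks once the firewall has substituted its $variables, applying the escaping rule just described (backslash and equals escaped with a backslash) together with the CEF header rule that a pipe inside a header field is escaped as well. The extension keys follow the Extension Dictionary later in this note; the CEF:0 version prefix, the record dictionary keys and every sample value are assumptions constructed for the illustration.

```python
"""Render ArcSight CEF lines from PAN-OS-style log records.

Added illustration, not code from the ArcSight note or from Palo Alto Networks.
Escaping follows the note's 'Custom Log Format' rule (escape '\\' and '=' with
'\\') plus the CEF header rule that '|' is escaped in header fields. The
record keys and sample values are constructed.
"""

# CEF header: Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity
CEF_VERSION = 0          # assumption: the standard CEF version number
VENDOR = "Palo Alto Networks"
PRODUCT = "PAN-OS"


def escape_header(value):
    """Header fields: backslash and pipe are escaped with a backslash."""
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def escape_extension(value):
    """Extension values: escape '\\' and '=' with '\\'; newlines become the
    literal two characters backslash-n so a msg= value stays on one line."""
    s = str(value).replace("\\", "\\\\").replace("=", "\\=")
    return s.replace("\r", "\\r").replace("\n", "\\n")


def render_cef(device_version, signature_id, name, severity, extension):
    """Build one CEF line; 'extension' is an ordered list of (key, value)."""
    if not 0 <= int(severity) <= 10:
        raise ValueError("CEF severity must be 0..10, got %r" % (severity,))
    header = "|".join(escape_header(v) for v in (
        "CEF:%d" % CEF_VERSION, VENDOR, PRODUCT, device_version,
        signature_id, name, severity))
    ext = " ".join("%s=%s" % (k, escape_extension(v)) for k, v in extension)
    return header + "|" + ext


def render_traffic(record, device_version="4.0.0"):
    """Traffic log: severity is always 1 (prefix-field table); keys follow the
    Extension Dictionary. 'record' keys are the PAN-OS $variables without '$'."""
    ext = [
        ("rt", record["receive_time"]),
        ("deviceExternalId", record["serial"]),
        ("src", record["src"]), ("dst", record["dst"]),
        ("spt", record["sport"]), ("dpt", record["dport"]),
        ("proto", record["proto"]), ("app", record["app"]),
        ("act", record["action"]),
        ("cs1Label", "Rule"), ("cs1", record["rule"]),
        ("cs3Label", "Virtual System"), ("cs3", record["vsys"]),
        ("cs4Label", "Source Zone"), ("cs4", record["from"]),
        ("cs5Label", "Destination Zone"), ("cs5", record["to"]),
        ("cn1Label", "SessionID"), ("cn1", record["sessionid"]),
        ("cnt", record["repeatcnt"]),
    ]
    return render_cef(device_version, record["type"], record["type"], 1, ext)


def render_config(record, device_version="4.0.0"):
    """Config log: act=$cmd, destinationServiceName=$client, duser=$admin,
    dvchost=$host, msg=$path; severity always 1."""
    ext = [
        ("rt", record["receive_time"]),
        ("deviceExternalId", record["serial"]),
        ("dvchost", record["host"]),
        ("duser", record["admin"]),
        ("destinationServiceName", record["client"]),
        ("act", record["cmd"]),
        ("msg", record["path"]),
    ]
    return render_cef(device_version, record["type"], record["type"], 1, ext)


# Constructed sample records (not captured from a real firewall).
SAMPLE_TRAFFIC = {
    "type": "TRAFFIC", "receive_time": "Jan 01 2011 00:00:00",
    "serial": "0000000000000", "src": "10.0.0.5", "dst": "192.168.10.1",
    "sport": 51234, "dport": 443, "proto": "tcp", "app": "ssl",
    "action": "allow", "rule": "allow-web", "vsys": "vsys1",
    "from": "trust", "to": "untrust", "sessionid": 12345, "repeatcnt": 1,
}
SAMPLE_CONFIG = {
    "type": "CONFIG", "receive_time": "Jan 01 2011 00:00:01",
    "serial": "0000000000000", "host": "10.0.0.9", "admin": "admin",
    "client": "Web", "cmd": "set",
    "path": "rulebase security rules r1 action=deny",   # contains '='
}

if __name__ == "__main__":
    print(render_traffic(SAMPLE_TRAFFIC))
    print(render_config(SAMPLE_CONFIG))
```

The config sample is the case the escaping setting exists for: the configuration path carries a literal `=`, and without the `\=` escape a receiver splitting extensions at `key=` would turn `action=deny` into a separate, bogus key instead of keeping it inside `msg`.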
Traffic
Screen Shot
Shown below is a screenshot of the ‘Active Channel’ page on the ArcSight CEF Server
showing the events generated by a Palo Alto Networks Device.
Events
The different log types for which syslogs are generated include TRAFFIC, THREAT,
CONFIG, SYSTEM, and HIP MATCH. For the SYSTEM events, the $eventid field
captures the specific event associated with that log. Refer to the ‘System Logs’ document
for a listing of all the events grouped by the system area.
Device Event Mapping to ArcSight Data Fields
Information contained within vendor-specific event definitions is sent to the ArcSight
SmartConnector, and then mapped to an ArcSight data field.
The Prefix fields table below defines the CEF prefix fields and their values for syslog
messages generated by Palo Alto Networks firewalls. The Extension Dictionary that follows
lists Palo Alto Networks-specific event definitions and their mapping to ArcSight CEF data fields.
Prefix fields

| CEF Name | Data type | Meaning | Palo Alto Networks Value |
|---|---|---|---|
| Version | Integer | Identifies the version of the CEF format. | |
| Device Vendor | String | Device Vendor | ‘Palo Alto Networks’ |
| Device Product | String | Device Product | ‘PAN-OS’ |
| Device Version | String | Device Version | Configurable, e.g. ‘4.0.0’ |
| Signature ID | String | Unique identifier per event-type. | Value is event-type specific. |
| Name | String | Represents a human-readable and understandable description of the event. | Value is event-type specific: Traffic: $type; Threat: $type; Config: $type; System: $type $eventid; HIP Match: $type $hiptype |
| Severity | Integer | Reflects the importance of the event. Only numbers from 0 to 10 are allowed, where 10 indicates the most important event. | $number-of-severity. Always 1 for traffic, config, and HIP events. |
Extension Dictionary

| CEF Key Name | Full Name | Data Type | Length | Meaning | Palo Alto Networks Value Field |
|---|---|---|---|---|---|
| act | deviceAction | String | 63 | Action mentioned in the event. | Value is event-type specific: Traffic: $action; Threat: $action; Config: $cmd |
| app | applicationProtocol | String | 31 | Application level protocol; example values are HTTP, HTTPS, SSHv2, Telnet, POP, IMAP, IMAPS, etc. | $app |
| cat | deviceEventCategory | String | 1023 | Represents the category assigned by the originating device. Devices oftentimes use their own categorization schema to classify events. | |
| cn1 | deviceCustomNumber1 | Long | | SessionID | $sessionid |
| cn1Label | deviceCustomNumber1Label | String | 1023 | SessionID | SessionID |
| cn2 | deviceCustomNumber2 | Long | | Packets | $packets |
| cn2Label | deviceCustomNumber2Label | String | 1023 | Packets | Packets |
| cn3 | deviceCustomNumber3 | Long | | Elapsed time | $elapsed |
| cn3Label | deviceCustomNumber3Label | String | 1023 | Elapsed time in seconds | Elapsed time in seconds |
| cnt | baseEventCount | Integer | | A count associated with this event. How many times was this same event observed? | $repeatcnt |
| cs1 | deviceCustomString1 | String | 1023 | Rule | $rule |
| cs1Label | deviceCustomString1Label | String | 1023 | Rule | Rule |
| cs2 | deviceCustomString2 | String | 1023 | URL Category | $category |
| cs2Label | deviceCustomString2Label | String | 1023 | URL Category | URL Category |
| cs3 | deviceCustomString3 | String | 1023 | Vsys | $vsys |
| cs3Label | deviceCustomString3Label | String | 1023 | Virtual System | Virtual System |
| cs4 | deviceCustomString4 | String | 1023 | Srczone | $from |
| cs4Label | deviceCustomString4Label | String | 1023 | Source Zone | Source Zone |
| cs5 | deviceCustomString5 | String | 1023 | Dstzone | $to |
| cs5Label | deviceCustomString5Label | String | 1023 | Destination Zone | Destination Zone |
| cs6 | deviceCustomString6 | String | 1023 | LogProfile | $logset |
| cs6Label | deviceCustomString6Label | String | 1023 | LogProfile | LogProfile |
| destinationServiceName | | String | 1023 | The service which is targeted by this event. | Value is event-type specific: Config: $client |
| destinationTranslatedAddress | | IPv4 Address | | Identifies the translated destination that the event refers to in an IP network. The format is an IPv4 address. Example: “192.168.10.1” | $natdst |
| destinationTranslatedPort | | Integer | | Port after it was translated, for example by a firewall. Valid port numbers are 0 to 65535. | $natdport |
| deviceDirection | | String | | Any information about what direction the observed communication has taken. | $direction |
| deviceExternalId | | String | 255 | A name that uniquely identifies the device generating this event. | $serial (serial number of the device) |
| deviceInboundInterface | | String | 15 | Interface on which the packet or data entered the device. | $inbound_if |
| deviceOutboundInterface | | String | 15 | Interface on which the packet or data left the device. | $outbound_if |
| dpt | destinationPort | Integer | | The valid port numbers are between 0 and 65535. | $dport |
| dst | destinationAddress | IPv4 Address | | Identifies the destination that the event refers to in an IP network. The format is an IPv4 address. Example: “192.168.10.1” | $dst |
| duser | destinationUserName | String | 1023 | Identifies the destination user by name. This is the user associated with the event's destination. E-mail addresses are also mapped into the UserName fields. The recipient is a candidate to put into destinationUserName. | Value is event-type specific: Traffic: $dstuser; Threat: $dstuser; Config: $admin |
| dvchost | deviceHostName | String | 100 | The format should be a fully qualified domain name associated with the device node, when a node is available. Examples: “host.domain.com” or “host”. | Value is event-type specific: Config: $host |
| flexNumber1 | | | | Total bytes (rx and tx) | $bytes |
| flexNumber1Label | | String | | Total bytes | Total bytes |
| flexString1 | | String | | Flags | $flags |
| flexString1Label | | String | | Flags | Flags |
| flexString2 | | String | | Module | Value is event-type specific: System: $module |
| flexString2Label | | String | | Module | Module |
| fname | filename | String | 1023 | Name of the file. | Value is event-type specific: System: $object |
| in | bytesIn | Integer | | Number of bytes transferred inbound. Inbound relative to the source to destination relationship, meaning that data was flowing from source to destination. | $bytes_received |
| msg | message | String | 1023 | An arbitrary message giving more details about the event. Multi-line entries can be produced by using \n as the new-line separator. | Value is event-type specific: Threat: $misc; System: $fmt; Config: $path; HIP Match: $machinename |
| out | bytesOut | Integer | | Number of bytes transferred outbound. Outbound relative to the source to destination relationship, meaning that data was flowing from destination to source. | $bytes_sent |
| proto | transportProtocol | String | 31 | Identifies the Layer-4 protocol used. The possible values are protocol names such as TCP or UDP. | $proto |
| rt | receiptTime | TimeStamp | | The time at which the event related to the activity was received. The format is MMM dd yyyy HH:mm:ss or milliseconds since epoch (Jan 1st 1970). | $cef-formatted-receive_time |
| shost | sourceHostName | String | 1023 | Identifies the source that an event refers to in an IP network. The format should be a fully qualified domain name associated with the source node, when a node is available. Examples: “host.domain.com” or “host”. | |
| sourceTranslatedAddress | | IPv4 Address | | Identifies the translated source that the event refers to in an IP network. The format is an IPv4 address. Example: “192.168.10.1” | $natsrc |
| sourceTranslatedPort | | Integer | | Port after it was translated, for example by a firewall. Valid port numbers are 0 to 65535. | $natsport |
| spt | sourcePort | Integer | | The valid port numbers are 0 to 65535. | $sport |
| src | sourceAddress | IPv4 Address | | Identifies the source that an event refers to in an IP network. The format is an IPv4 address. Example: “192.168.10.1” | $src |
| start | startTime | TimeStamp | | The time when the activity the event referred to started. The format is MMM dd yyyy HH:mm:ss or milliseconds since epoch (Jan 1st 1970). | $cef-formatted-time_generated |
| suser | sourceUserName | String | 1023 | Identifies the source user by name. E-mail addresses are also mapped into the UserName fields. The sender is a candidate to put into sourceUserName. | $srcuser |
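As an added example (not the SmartConnector's code and not part of this note), the parser below reads lines in the format the dictionary above assumes: it splits the seven header fields at unescaped pipes, splits the extension at `key=` boundaries so that values containing spaces or an escaped `\=` survive intact, folds the csN/cnN/flex label pairs from the dictionary into named fields (for example `cs1Label=Rule cs1=...` becomes `Rule`), and flags a header whose severity contradicts the prefix-field rule that traffic and config events are always severity 1. The two sample lines, the severity value on the threat sample and all function names are constructed for the illustration.

```python
"""Parse PAN-OS CEF syslog lines and resolve custom-field labels.

Added example, not code from the ArcSight note, the SmartConnector or
Palo Alto Networks. It implements the CEF grammar the Extension Dictionary
assumes: seven pipe-separated header fields (escapes: '\\|' and '\\\\'),
then space-separated key=value extensions (escapes: '\\=', '\\\\', '\\n',
'\\r'). csNLabel/cnNLabel/flex*Label keys are folded into the field they
label. The sample lines below are constructed, not captured from a firewall.
"""
import re

HEADER_KEYS = ("version", "device_vendor", "device_product", "device_version",
               "signature_id", "name", "severity")
# A key= token starts the extension or follows a space; an escaped '\=' never matches.
_EXT_KEY = re.compile(r"(?:^| )([A-Za-z0-9_.\-]+)=")
# Prefix-field table: these log types always carry severity 1.
ALWAYS_SEVERITY_1 = ("TRAFFIC", "CONFIG")


def _unescape(text, in_extension):
    """Undo CEF escaping. '\\n' and '\\r' are only escapes inside extensions."""
    out, i = [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            nxt = text[i + 1]
            if in_extension and nxt == "n":
                out.append("\n")
            elif in_extension and nxt == "r":
                out.append("\r")
            else:
                out.append(nxt)  # covers '\\\\', '\\=', '\\|'
            i += 2
        else:
            out.append(text[i])
            i += 1
    return "".join(out)


def split_header(line):
    """Return the 7 unescaped header fields and the remaining extension text."""
    fields, cur, i = [], [], 0
    while i < len(line) and len(fields) < 7:
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):
            cur.append(line[i:i + 2])
            i += 2
        elif ch == "|":
            fields.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(ch)
            i += 1
    if len(fields) != 7:
        raise ValueError("CEF header needs 7 pipe-separated fields")
    return [_unescape(f, False) for f in fields], line[i:]


def parse_extension(ext):
    """Split 'k=v k2=v2 ...' at key= boundaries. Values may contain spaces
    (cs2Label=URL Category) and escaped '\\=' (msg=... action\\=deny)."""
    hits = list(_EXT_KEY.finditer(ext))
    result = {}
    for idx, m in enumerate(hits):
        end = hits[idx + 1].start() if idx + 1 < len(hits) else len(ext)
        result[m.group(1)] = _unescape(ext[m.end():end], True)
    return result


def resolve_labels(ext):
    """cs1Label=Rule cs1=allow-web  ->  {'Rule': 'allow-web'}"""
    return {label: ext[key[:-5]] for key, label in ext.items()
            if key.endswith("Label") and key[:-5] in ext}


def parse_cef(line):
    """Parse one line into header fields, the extension dict, the resolved
    custom fields and a list of consistency warnings."""
    header, rest = split_header(line)
    rec = dict(zip(HEADER_KEYS, header))
    rec["severity"] = int(rec["severity"])
    rec["warnings"] = []
    if not 0 <= rec["severity"] <= 10:
        rec["warnings"].append("severity outside 0..10")
    if rec["signature_id"] in ALWAYS_SEVERITY_1 and rec["severity"] != 1:
        rec["warnings"].append("%s events should have severity 1" % rec["signature_id"])
    rec["ext"] = parse_extension(rest)
    rec["custom"] = resolve_labels(rec["ext"])
    return rec


# Constructed sample lines (escapes shown as they travel over syslog).
SAMPLE_CONFIG = (
    "CEF:0|Palo Alto Networks|PAN-OS|4.0.0|CONFIG|CONFIG|1|"
    "rt=Jan 01 2011 00:00:01 deviceExternalId=0000000000000 dvchost=10.0.0.9 "
    "duser=admin destinationServiceName=Web act=set "
    "msg=rulebase security rules r1 action\\=deny"
)
SAMPLE_THREAT = (
    "CEF:0|Palo Alto Networks|PAN-OS|4.0.0|THREAT|THREAT|5|"
    "rt=Jan 01 2011 00:00:02 src=10.0.0.5 dst=192.168.10.1 spt=51234 dpt=80 "
    "proto=tcp app=web-browsing act=alert cs1Label=Rule cs1=allow-web "
    "cs2Label=URL Category cs2=unknown fname=index.html msg=GET /index.html"
)

if __name__ == "__main__":
    for sample in (SAMPLE_CONFIG, SAMPLE_THREAT):
        rec = parse_cef(sample)
        print(rec["signature_id"], rec["severity"], rec["custom"], rec["warnings"])
```

Splitting at `key=` boundaries rather than at every `=` is what makes the escape setting from the Configuration section matter on the receiving side: a config path that contains a bare `=` would otherwise be cut into a second key, whereas the escaped `\=` is kept as part of `msg` and unescaped afterwards.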