Palo Alto Global Logs and InsightIDR

We are looking into populating some of the dashboard cards and various data sets with our VPN solution, Palo Alto GlobalProtect. We have the management software, Panorama, forwarding the logs it ingests from the individual firewalls to IDR using the “Palo Firewall & VPN” event source.

However, none of the VPN “solutions” within IDR are populating. Doing some research, it seems like Palo doesn’t separate those logs out until a later OS level than we are currently using (8.1).

Is there a way we can parse that data out from within IDR via IP range or a key field within the logs?

Any suggestions?


Hey @jeremy_bullock,

If the logs coming into IDR have the information you are looking for within the log, then you can extract them for easy querying with two methods. The easiest is to use the Custom Data Parser in order to extract the values you want and assign a keyword for future querying. Once the rule is created it will do this automatically for all logs coming in that you have selected, so this is probably the best option to go with.

The other option is to use regex capture groups within your query. This is a bit more difficult and only works in a dashboard or while you are actively in log search. I’ll post the links to both below.

https://docs.rapid7.com/insightidr/custom-parsing-tool
https://docs.rapid7.com/insightidr/use-a-search-language#regular-expression-field-extraction


Thanks, I’ll check this out. This may help with another use case as well. (Multiple devices ingesting on one event source).

Our org is going through the Proof of Concept right now, so we’re noticing some of the built-in ‘cards’ are asking for VPN sources (the Ingress Locations on the Home page) but they aren’t populating with our current event source setup (Palo Firewall & VPN).

Not a problem, for additional visibility, you can definitely create your own custom cards in order to go after log data that you have parsed out yourself and/or with the custom data parser. I have used both methods I mentioned before for separating log data from Fortigate logs that were lumped into a single stream in order to separate by location. So step 1 is to get the data into IDR, step 2 is to get the logs parsed and structured either by the query itself or the custom data parser. Best of luck with your Proof of Concept!

@jeremy_bullock One thing I would also like to mention is that the GlobalProtect authentication logs should already be parsed out for you. Are these VPN authentications not showing up for you? In InsightIDR’s Log Search, they go into the Ingress Authentication log set.

To elaborate on this topic, you would forward all of the logs from the Panorama to the “firewall” event source in InsightIDR. That event source should parse out all of the different types of logs that might come from the Panorama: Firewall Activity, IDS Alerts (from Wildfire), Web Proxy, and Ingress Authentication (from GlobalProtect). On your older Panorama, if I remember correctly, the GlobalProtect logs are part of the “System” logging category. If the VPN authentications are not parsing out, you will want to verify that you have configured the Panorama to forward all System logs with a severity of Informational and higher (Palo puts the authentication logs into the Information severity level).

If you like, you can also review these settings with the Sales Engineering that you are working with for your Proof of Concept.

I hope this helps!

Awesome, thanks! I’m getting a few logs under Ingress Auth now, though not as many as I see in Panorama, so it seems like I may be missing some setup within the Palo side.

Oh, that is interesting. I am glad some VPN logs are making it in now.

Another thing for you to know is that logs are only parsed out as “ingress authentication” when the source_ip is a public IP address. There is a setting in the product that you might want to check just to make sure it is not configured incorrectly. In InsightIDR, go to Settings → Public IP Ranges. You would only enter IP address ranges here if you are using them internally instead of using private IP address ranges. Adding IP address ranges as Public IP Ranges will tell InsightIDR to treat those ranges as private and no longer consider them as public. This is not a common thing to do any longer, so most people should not have anything entered in the Public IP Ranges section.

If you have not configured any ranges in the Public IP Ranges setting, I think it will be worth it to look at the Panorama log forwarding profile.
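As an added illustration of the two points raised in this thread (pulling fields out of GlobalProtect "System" messages with regex capture groups, and the rule that an authentication only counts as ingress when the source IP is public, with anything entered under Public IP Ranges treated as private), here is a small Python script that is not Rapid7's code and not the product's own logic. The message wording and the list of networks treated as private are assumptions made for the example.

```python
import ipaddress
import re

# Networks treated as non-public by default. Assumption for this example: RFC 1918,
# loopback, link-local and CGNAT; the product's exact list is not given in the thread.
DEFAULT_PRIVATE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10",
)]

# Named capture groups, in the spirit of the regex field extraction mentioned above.
# The message text is a constructed approximation of a PAN-OS 8.1 GlobalProtect
# "System" log, not the vendor's documented format.
GP_AUTH_RE = re.compile(
    r"GlobalProtect gateway user authentication (?P<result>succeeded|failed)\."
    r".*?Login from: (?P<source_ip>\d{1,3}(?:\.\d{1,3}){3})"
    r".*?User name: (?P<user>[^,\s]+)"
)

def parse_gp_auth(line):
    """Return {'result', 'source_ip', 'user'} for a GlobalProtect auth line, else None."""
    m = GP_AUTH_RE.search(line)
    return m.groupdict() if m else None

def is_public_ip(ip, public_ip_ranges=()):
    """Public means: not in a default private network and not in any range the admin
    entered under Settings -> Public IP Ranges (the thread says those become private)."""
    addr = ipaddress.ip_address(ip)
    treated_private = DEFAULT_PRIVATE + [ipaddress.ip_network(r) for r in public_ip_ranges]
    return not any(addr in net for net in treated_private)

def classify(lines, public_ip_ranges=()):
    """Label each parsed auth 'ingress_auth' (public source) or 'internal_auth'."""
    results = []
    for line in lines:
        fields = parse_gp_auth(line)
        if fields is None:
            continue  # some other System message; not a GlobalProtect auth event
        kind = "ingress_auth" if is_public_ip(fields["source_ip"], public_ip_ranges) else "internal_auth"
        results.append((fields["user"], fields["source_ip"], fields["result"], kind))
    return results

# Constructed sample lines (not real customer logs); the last one is a non-GP System message.
SAMPLE_LOGS = [
    "1,2024/01/01 08:00:00,SYSTEM,globalprotect,informational,GlobalProtect gateway user authentication succeeded. Login from: 203.0.113.10, User name: alice",
    "1,2024/01/01 08:01:00,SYSTEM,globalprotect,informational,GlobalProtect gateway user authentication succeeded. Login from: 10.20.30.40, User name: bob",
    "1,2024/01/01 08:02:00,SYSTEM,globalprotect,informational,GlobalProtect gateway user authentication failed. Login from: 198.51.100.7, User name: carol",
    "1,2024/01/01 08:03:00,SYSTEM,general,informational,Panorama connection established",
]

if __name__ == "__main__":
    for row in classify(SAMPLE_LOGS, public_ip_ranges=["198.51.100.0/24"]):
        print(row)
```

Running it with `198.51.100.0/24` passed as a Public IP Range shows carol's login dropping from ingress to internal, which is the misconfiguration the post above describes.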