🌐 Managing External Services with Palo Alto Networks Firewalls

1. Overview

Palo Alto Networks firewalls can integrate with various external services to enhance functionality, including:

• Authentication Services: LDAP, RADIUS, TACACS+, SAML, Kerberos, MFA.
• Monitoring and Logging: Syslog, SNMP, NetFlow, HTTP(S) destinations.
• Update Services: DNS, content updates, license retrieval.

Proper configuration ensures secure and efficient communication between the firewall and these external services.

2. Configuring External Authentication Services

To use external authentication services:

1. Create a Server Profile:
   • Navigate to Device > Server Profiles and select the appropriate type (e.g., LDAP, RADIUS).
   • Click Add and configure the server details.
2. Create an Authentication Profile:
   • Go to Device > Authentication Profile .
   • Click Add , name the profile, and select the previously created server profile.
   • Define user groups and other settings as needed.
3. Apply the Authentication Profile:
   • Assign the profile to administrative accounts or services like GlobalProtect.

For detailed steps, refer to the External Authentication Services documentation.

3. Setting Up Network Access for External Services

By default, the firewall uses the management (MGT) interface for external services. To use a data interface:

1. Configure the Data Interface:
   • Navigate to Network > Interfaces and select the desired interface.
   • Set the interface type to Layer3 .
   • Assign a static IP address and configure the security zone.
2. Set Service Routes:
   • Go to Device > Setup > Services and click Service Route Configuration .
   • Select Customize and specify the data interface for services like DNS, Palo Alto Networks Services, etc.
3. Configure Security Policies and NAT:
   • Create security policies to allow traffic from the internal zone to the external zone.
   • If using private IP addresses, configure NAT policies for outbound traffic.

Detailed guidance is available in the Set Up Network Access for External Services documentation.

4. Integrating with External Monitoring Services

To forward logs and monitor the firewall using external services:

• Syslog: Send logs to a syslog server for centralized logging.
• SNMP: Monitor firewall statistics and receive traps.
• NetFlow: Export flow data to a NetFlow collector.
• HTTP(S): Forward logs to HTTP-based services like ServiceNow.

Configuration involves creating server profiles and log forwarding profiles, then applying them to policies or log settings.

For comprehensive instructions, see the Use External Services for Monitoring documentation.

5. Example: Configuring Syslog Forwarding (Continued)

2. Create a Log Forwarding Profile:
   • Navigate to Objects > Log Forwarding and click Add .
   • Enter a descriptive Name for the profile.
   • Under the Match List section, click Add to specify log types and associated syslog server profiles:
     • Log Type: Select the type of log (e.g., Traffic, Threat, URL Filtering).
     • Filter: Define any filters to match specific logs (optional).
     • Syslog: Choose the syslog server profile created earlier.
   • Repeat the above step for each log type you wish to forward.
   • Click OK to save the log forwarding profile.
3. Apply the Log Forwarding Profile to Security Policies:
   • Go to Policies > Security and select the desired policy rule.
   • Click the Actions tab.
   • Under Log Forwarding , select the log forwarding profile you created.
   • Ensure that Log at Session Start and/or Log at Session End are enabled as needed.
   • Click OK to apply the changes to the policy.
4. Configure Log Settings for System, Config, HIP Match, and Correlation Logs:
   • Navigate to Device > Log Settings .
   • For each log type (System, Config, HIP Match, Correlation):
     • Click the corresponding Edit icon.
     • In the dialog box, select the appropriate severity levels.
     • Under Syslog , add the syslog server profile.
     • Click OK to save the settings.
5. Commit the Configuration:
   • After all configurations are complete, click Commit in the upper-right corner to apply the changes.
6. Verify Log Forwarding:
   • Check the syslog server to ensure it is receiving logs from the firewall.
   • Use the firewall's Monitor > Logs section to view logs and confirm they are being forwarded as configured.

For detailed guidance on configuring syslog monitoring, refer to the official documentation: Configure Syslog Monitoring .