
Palo Alto Networks Panorama

What is Panorama?

Palo Alto Panorama monitors, configures, and automates management of multiple Palo Alto firewalls. Panorama manages network security with a single security rule base for firewalls that includes configuration management, threat prevention, URL filtering, application awareness, user identification, sandboxing, file blocking, access control, and data filtering.

Why Should You Use the Panorama Connector?

Panorama is a centralized management system that provides global visibility and control over multiple Palo Alto next-generation firewalls. You can use this visibility to:

  • ensure assets are managed per your security policies

  • find vulnerabilities quickly and remediate them

How Does This Connector Work?

Lucidum executes read-only requests to the Panorama API and ingests only metadata about Panorama assets. Lucidum does not retrieve any data stored on your assets.

Configuring the Connector in Lucidum

| Field | Description | Example |
| --- | --- | --- |
| URL | The URL of the Palo Alto Panorama API | https://panfirewall/api |
| User name | User name of an admin account with “Operational Requests” enabled for Panorama APIs. | lucidum_api |
| Password | Password for account. | ******************* |
| Proxy | If you are using a proxy server to allow this connector to communicate with on-premises devices, enter the IP address:port for the proxy server, usually 192.168.255.6:3128 | 192.168.255.6:3128 |

Configuring Syslog Forwarding to Lucidum

The Palo Alto Panorama API might not return all network traffic information. To allow Lucidum to ingest all network traffic information, Lucidum recommends forwarding the Palo Alto Networks logs to central file storage (for example, an AWS S3 bucket). Lucidum’s file connector can then ingest the log data from file storage.

To configure syslog forwarding for Palo Alto Networks, refer to the documentation below:

Source Documentation

Creating Account to Access APIs

Required Role

The account that Lucidum uses to access the API for Panorama must have at least this role:

  • Administrator account with access to XML API > Operational Requests

API Documentation

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-panorama-api/get-started-with-the-pan-os-xml-api

Syslog Forwarding

Parameters

  • URL (required) - The URL of the Palo Alto Panorama API. For example, https://10.2.20.29

  • User Name and Password (optional) - The credentials for an Admin account that has permission to fetch assets. The account must have the “Operational Requests” role (fully enabled, NOT read-only) under the "XML/REST API" section. Instructions for associating this role with an Admin account can be found here. Also, make sure to enable the API as described here.

  • Verify SSL (required, default is false) - Whether to verify the SSL certificate presented by the Panorama API.

Notes

References (Internal Use Only)

PAN OS API.pdf

PAN VPN Log (from API)

JSON
{'@logid': '264312',
 'domain': '0',
 'receive_time': '2022/09/07 00:43:56',
 'serial': '001801053658',
 'seqno': '7169757',
 'actionflags': '0x0',
 'is-logging-service': 'no',
 'type': 'GLOBALPROTECT',
 'subtype': '0',
 'config_ver': '0',
 'time_generated': '2022/09/07 00:44:10',
 'high_res_timestamp': '1970-01-01T00:00:00.000+00:00',
 'dg_hier_level_1': '1407',
 'dg_hier_level_2': '167',
 'dg_hier_level_3': '41',
 'dg_hier_level_4': '3481',
 'device_name': 'TWNPFW0101',
 'vsys_id': '1',
 'vsys': 'vsys1',
 'eventid': 'gateway-connected',
 'status': 'success',
 'stage': 'connected',
 'tunnel_type': 'IPSec',
 'portal': 'WFH-GP-Gateway-Secondary',
 'srcuser': 'tu\\jw3105490',
 'srcregion': 'TW',
 'machinename': 'TWAIOSEWD0T028',
 'public_ip': '180.177.38.74',
 'public_ipv6': '0.0.0.0',
 'private_ip': '192.168.149.7',
 'private_ipv6': '0.0.0.0',
 'hostid': 'ddfa0cef-e251-4814-9ee4-2472d532c2b6',
 'serialnumber': 'JL8K7K2',
 'client_ver': '5.2.9',
 'client_os': 'Windows',
 'client_os_ver': 'Microsoft Windows 10 Pro , 64-bit',
 'repeatcnt': '1',
 'login_duration': '0',
 'error_code': '0',
 'response_time': '0',
 'priority': 'manual only'}

PAN GlobalProtect VPN Syslog (not the log from API):

CODE
Nov 24 16:34:10 ra1-sjc2.inet.lucidum.io 1,2020/11/24 16:34:10,016201004721,
SYSTEM,globalprotect,0,2020/11/24 16:34:10,,globalprotectgateway-auth-succ,
GP-Gateway-SJC-N,0,0,general,informational,
"GlobalProtect gateway user authentication succeeded. 
Login from: 24.6.3.50, Source region: US, 
User name: admin@lucidum.io, Auth type: SAML, 
Client OS version: Apple Mac OS X 10.15.7.",699469,0x0,0,0,0,0,,ra1-sjc2

Jan  6 00:24:09 ra1-las1.inet.lucidum.io 1,2022/01/06 00:24:08,016201004795,
GLOBALPROTECT,0,2305,2022/01/06 00:24:08,vsys1,gateway-getconfig,configuration,,,
test@lucidum.io,US,SL-1001,72.68.181.166,0.0.0.0,10.254.241.59,0.0.0.0,
f32ae07b-037c-4140-a2dc-7afa8510b388,R9132VJG,5.2.3,Windows,"Microsoft Windows 10 Pro , 64-bit",
1,,,"",success,,0,,0,GP-Gateway,725019,0x0,0,0,0,0,,ra1-las1,1
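
The GLOBALPROTECT syslog record above can be mapped onto the same keys the API log uses. This parser is an added example, not Lucidum's or Palo Alto Networks' code. The column positions are an assumption inferred from the sample line on this page, and `parse_globalprotect`, `GP_FIELDS` and `HEADER_TOKENS` are hypothetical names.

```python
import csv
import io

# Column positions for a GLOBALPROTECT syslog record. ASSUMPTION: positions are
# inferred from the sample line on this page; names reuse the API log's keys.
GP_FIELDS = {
    1: "receive_time", 2: "serial", 3: "type", 6: "time_generated",
    7: "vsys", 8: "eventid", 9: "stage", 12: "srcuser", 13: "srcregion",
    14: "machinename", 15: "public_ip", 17: "private_ip", 19: "hostid",
    20: "serialnumber", 21: "client_ver", 22: "client_os",
    23: "client_os_ver", 28: "status", 33: "portal", 34: "seqno",
}
HEADER_TOKENS = 4  # syslog prefix: month, day, time, sending host


def parse_globalprotect(line):
    """Return a dict for a GLOBALPROTECT record, or None for any other line."""
    # split() without a separator collapses the double space in "Jan  6".
    parts = line.strip().split(None, HEADER_TOKENS)
    if len(parts) <= HEADER_TOKENS:
        return None
    # csv keeps the quoted client_os_ver (it contains a comma) as one field.
    row = next(csv.reader(io.StringIO(parts[HEADER_TOKENS])))
    if len(row) <= max(GP_FIELDS) or row[3] != "GLOBALPROTECT":
        return None
    record = {name: row[pos] for pos, name in GP_FIELDS.items()}
    record["syslog_host"] = parts[3]
    return record


# The page's two sample records, re-joined onto one line each
# (the SYSTEM record's message text is abridged).
GP_LINE = (
    "Jan  6 00:24:09 ra1-las1.inet.lucidum.io 1,2022/01/06 00:24:08,"
    "016201004795,GLOBALPROTECT,0,2305,2022/01/06 00:24:08,vsys1,"
    "gateway-getconfig,configuration,,,test@lucidum.io,US,SL-1001,"
    "72.68.181.166,0.0.0.0,10.254.241.59,0.0.0.0,"
    "f32ae07b-037c-4140-a2dc-7afa8510b388,R9132VJG,5.2.3,Windows,"
    '"Microsoft Windows 10 Pro , 64-bit",1,,,"",success,,0,,0,GP-Gateway,'
    "725019,0x0,0,0,0,0,,ra1-las1,1"
)
SYSTEM_LINE = (
    "Nov 24 16:34:10 ra1-sjc2.inet.lucidum.io 1,2020/11/24 16:34:10,"
    "016201004721,SYSTEM,globalprotect,0,2020/11/24 16:34:10,,"
    "globalprotectgateway-auth-succ,GP-Gateway-SJC-N,0,0,general,"
    'informational,"GlobalProtect gateway user authentication succeeded.",'
    "699469,0x0,0,0,0,0,,ra1-sjc2"
)

print(parse_globalprotect(GP_LINE))
```

The SYSTEM-type record carries the user and source address inside a free-text message rather than in columns, so the parser returns `None` for it instead of producing misaligned fields.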

PAN Device Response:

JSON
               {
                  "@name":"013201026515",
                  "serial":"013201026515",
                  "connected":"yes",
                  "unsupported-version":"no",
                  "wildfire-rt":"no",
                  "hostname":"US-LAS-PFW02",
                  "ip-address":"10.202.250.253",
                  "ipv6-address":"unknown",
                  "mac-addr":null,
                  "uptime":"10 days, 12:03:49",
                  "family":"5200",
                  "model":"PA-5220",
                  "sw-version":"9.1.11",
                  "app-version":"8610-7534",
                  "av-version":"4184-4697",
                  "device-dictionary-version":null,
                  "wildfire-version":"692527-695832",
                  "threat-version":"8610-7534",
                  "url-db":"paloaltonetworks",
                  "url-filtering-version":"20220813.20150",
                  "logdb-version":"9.1.22",
                  "vpnclient-package-version":null,
                  "global-protect-client-package-version":"5.2.8",
                  "prev-app-version":"8609-7533",
                  "prev-av-version":"4183-4696",
                  "prev-threat-version":"8609-7533",
                  "prev-wildfire-version":"692526-695831",
                  "prev-device-dictionary-version":null,
                  "domain":null,
                  "slot-count":"0",
                  "type":null,
                  "tag":null,
                  "ha":{
                     "state":"passive",
                     "peer":{
                        "serial":"013201026501"
                     }
                  },
                  "vpn-disable-mode":"no",
                  "operational-mode":"normal",
                  "high-speed-mode":"no",
                  "certificate-status":null,
                  "certificate-subject-name":"013201026515",
                  "certificate-expiry":"2032/02/25 19:50:39",
                  "connected-at":"2022/08/19 12:59:08",
                  "custom-certificate-usage":"no",
                  "multi-vsys":"no",
                  "vsys":{
                     "entry":{
                        "@name":"vsys1",
                        "display-name":"vsys1",
                        "shared-policy-status":null,
                        "shared-policy-md5sum":"09e9abf86d71d579810f85620f4defe1",
                        "shared-policy-version":"22841"
                     }
                  },
                  "last-masterkey-push-status":"Unknown",
                  "last-masterkey-push-timestamp":null,
                  "express-mode":"no",
                  "device-cert-present":"None",
                  "device-cert-expiry-date":"N/A"
               }
