Palo Alto Networks Knowledgebase: ESM as a Syslog sender: Integration with PAN-OS to receive user mappings


Created On 02/07/19 23:34 PM - Last Updated 02/07/19 23:34 PM
Advanced Endpoint Protection Traps

Integrating ESM and PAN-OS to retrieve user mappings from syslog message

New user mappings can be created by parsing the syslog messages received by the PAN-OS integrated User-ID agent. PAN-OS can be configured as a syslog listener as described in the PAN-OS Administration Guide.

In this article, we will see how to integrate Endpoint Security Manager (ESM) with PAN-OS. A logon event is generated on the ESM when a user logs on to an endpoint on which the Traps agent has been installed. ESM will be configured to send a syslog message to PAN-OS as soon as a user logs on to their endpoint.

ESM Console (Monitor > Agent > Health)

In the example below, notice that a user has logged on to their endpoint and ESM has received a heartbeat from the Traps agent with many details, including the IP address and username of the endpoint.


On the ESM Console, under Settings > ESM > Syslog, configure the following:

  • Select the Enable Syslog check box.
  • Configure the Palo Alto Networks Firewall IP Address: the IP address of the firewall interface used to collect user mappings.
  • Set the Syslog Port to match the Communication Protocol: 514 if the Communication Protocol is UDP, or 6514 if it is TCP with SSL. It is best practice to select TCP with SSL as the communication protocol so that the usernames and IP addresses are not sent in clear text.
  • Select LEEF as the Syslog Protocol.

Save the configurations.



On the Firewall

On your Palo Alto Networks next-generation firewall, do the following:

Under Device > User Identification > User Mapping, in Palo Alto Networks User-ID Agent Setup > Syslog Filters, add the following Syslog Parse Profile:

  • Provide a Syslog Parse Profile Name.
  • Select Regex Identifier as the Type.
  • Event Regex: "Service is alive"
  • Username Regex: "duser=([a-zA-Z0-9\_]+)"
  • Address Regex: "dst=([A-F0-9a-f:.]+)"


Under Server Monitoring, add a Syslog Sender (in this example, the IP address of the ESM).

  • Provide a name for the User Identification Monitored Server.
  • Select "Syslog Sender" as the Type.
  • Enter the IP address of the ESM.
  • Select the Connection Type (UDP or SSL), matching the Communication Protocol configured on the ESM.
  • Select the Syslog Parse Profile created in the previous step.

Commit the configuration.

Note: If the Connection Type is SSL, ensure that an SSL/TLS Service Profile is configured with the firewall's certificate. This is the certificate the firewall presents when the ESM connects to it. Also, ensure that this SSL/TLS Service Profile is selected as the Syslog Service Profile.



Also, ensure that the User-ID Syslog Listener-SSL service (or User-ID Syslog Listener-UDP, if UDP was chosen) is enabled on the Interface Management Profile. This is the profile associated with the firewall interface that is used to collect user mappings; without it, the firewall silently drops the ESM's syslog connections.




When the user logs on to their endpoint, the Traps agent sends a heartbeat to the ESM. The ESM forwards this heartbeat as a syslog message to the firewall.




The firewall receives the syslog message, matches it against the Event Regex, and extracts the username and IP address of the user that logged on to the endpoint with the Username Regex and Address Regex. An IP/user mapping is then created on the firewall.
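To check the parse profile before committing it, the three regexes above can be run offline over sample messages. This is an added example (not Palo Alto Networks code); the LEEF messages are constructed for illustration, with only the "Service is alive", "dst=" and "duser=" pieces taken from the article, and the last message shows a value the username character class does not fully capture.

```python
import re

# The three regexes from the Syslog Parse Profile above, applied the way
# PAN-OS does: the event regex selects the message, the other two extract
# the capture groups that become the IP/user mapping.
EVENT_REGEX = re.compile(r"Service is alive")
USERNAME_REGEX = re.compile(r"duser=([a-zA-Z0-9\_]+)")
ADDRESS_REGEX = re.compile(r"dst=([A-F0-9a-f:.]+)")

# Constructed sample messages (not captured from a real ESM).
SAMPLE_MESSAGES = [
    "<14>LEEF:1.0|Palo Alto Networks|Traps ESM|4.1|Heartbeat|"
    "cat=Service is alive|dst=10.1.2.3|dhost=WIN10-LAB|duser=jdoe|",
    # A non-heartbeat event: the event regex must reject it.
    "<14>LEEF:1.0|Palo Alto Networks|Traps ESM|4.1|Policy|"
    "cat=Policy updated|dst=10.1.2.4|duser=asmith|",
    # IPv6 address plus a DOMAIN\user value: the username character class
    # contains no backslash, so the capture stops at "CORP".
    "<14>LEEF:1.0|Palo Alto Networks|Traps ESM|4.1|Heartbeat|"
    "cat=Service is alive|dst=fe80::1|duser=CORP\\jdoe|",
]


def parse_user_mapping(message):
    """Return {'user': ..., 'ip': ...} for a matching heartbeat, else None."""
    if not EVENT_REGEX.search(message):
        return None
    user = USERNAME_REGEX.search(message)
    addr = ADDRESS_REGEX.search(message)
    if user is None or addr is None:
        return None
    return {"user": user.group(1), "ip": addr.group(1)}


def build_mapping_table(messages):
    """Fold a stream of syslog messages into the ip -> user table the
    firewall would hold; a later heartbeat for the same IP overwrites."""
    table = {}
    for msg in messages:
        mapping = parse_user_mapping(msg)
        if mapping:
            table[mapping["ip"]] = mapping["user"]
    return table


if __name__ == "__main__":
    for ip, user in build_mapping_table(SAMPLE_MESSAGES).items():
        print(f"{ip:>12}  ->  {user}")
```

If your ESM emits domain-qualified usernames, the third sample shows why the mapping would be wrong and the Username Regex needs a wider character class.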




Using the above technique, ESM and PAN-OS can be integrated so that user mappings are retrieved from the ESM syslog messages.
