Microsoft Tech Community

Configure Palo Alto Panorama for Cloud App Discovery


Below are the steps I've taken to integrate PaloAlto Panorama Traffic logs to Cloud App Discovery.

In this setup, multiple PA Firewalls are configured to forward their logs to Panorama. Check the Palo Alto guides for how this is set up.

Your thoughts and feedback are much appreciated.

Follow the Microsoft guide to set up a log collector for MCAS. I've settled with the Docker for Ubuntu on Azure after multiple failed attempts with RHEL 8.1.

For Step 3 (On-premises configuration of your network appliances), log into Panorama and make sure the Context "Panorama" at the top left is selected.

  1. Select the Panorama tab and Server Profiles -> Syslog on the left hand menu.
  2. Select Add to create a new Syslog Server Profile
  3. Enter a Name for the Profile - i.e. MCAS Log Collector
  4. Select Add in the Servers tab and provide the details for the collector server, i.e.:
     - Name: MCAS Server Azure
     - IP: <<Log Collector IP>>
     - Transport: as per your collector config, i.e. TCP
     - Port: as per your collector config, i.e. 601
     - Format: BSD
     - Facility: LOG_USER
  5. Select Ok to save the Syslog Server and Profile.
  6. Go to Collector Groups and select the "default" Collector Group.
  7. Select the Collector Log Forwarding tab, then the Traffic tab.
  8. Select Add and give the Log Setting a name, i.e. MCAS Logs
  9. Set filter to All Logs
  10. Select Add in the Syslog field and select the MCAS Log Collector.
  11. Select Ok, and Ok again, then save and commit your changes.

Done.


Follow on with Step 4 - Verify the successful deployment in the Cloud App Security portal in the Microsoft guide.
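If the collector is receiving syslog but nothing shows up in the portal, the first thing to check is that what arrives actually matches the profile above (BSD format, facility LOG_USER, TRAFFIC logs only). The script below is an added example, not part of this post or of any Microsoft or Palo Alto tooling; the PAN-OS traffic-log CSV field positions, the hostnames and the addresses in the sample lines are assumptions and should be verified against the syslog field reference for your PAN-OS version.

```python
import csv
import re
from io import StringIO

# RFC 3164 ("BSD") header: <PRI>Mmm dd hh:mm:ss hostname message
BSD_HEADER = re.compile(r"^<(?P<pri>\d{1,3})>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d (?P<host>\S+) (?P<msg>.*)$")
LOG_USER = 1  # facility code for LOG_USER, as chosen in the Panorama syslog profile
# Assumed PAN-OS traffic CSV positions (0-based): type, src, dst, application, bytes.
# Verify against the syslog field reference for your PAN-OS version.
F_TYPE, F_SRC, F_DST, F_APP, F_BYTES = 3, 7, 8, 14, 31

def check_line(line: str) -> dict:
    """Classify one received line: {'ok': True, ...fields} or {'ok': False, 'reason': ...}."""
    m = BSD_HEADER.match(line.rstrip("\r\n"))
    if not m:
        return {"ok": False, "reason": "no BSD header (profile Format must be BSD, not IETF)"}
    facility = int(m.group("pri")) >> 3  # PRI = facility * 8 + severity
    if facility != LOG_USER:
        return {"ok": False, "reason": f"facility {facility} is not LOG_USER"}
    fields = next(csv.reader(StringIO(m.group("msg"))))
    if len(fields) <= F_BYTES:
        return {"ok": False, "reason": f"only {len(fields)} CSV fields, line truncated?"}
    if fields[F_TYPE] != "TRAFFIC":
        return {"ok": False, "reason": f"type {fields[F_TYPE]} is not TRAFFIC (check the Traffic filter)"}
    return {"ok": True, "host": m.group("host"), "src": fields[F_SRC], "dst": fields[F_DST],
            "app": fields[F_APP], "bytes": int(fields[F_BYTES])}

def summarize(lines) -> dict:
    """Count usable lines and group rejections by reason for quick triage."""
    report = {"usable": 0, "rejected": {}}
    for line in lines:
        result = check_line(line)
        if result["ok"]:
            report["usable"] += 1
        else:
            report["rejected"][result["reason"]] = report["rejected"].get(result["reason"], 0) + 1
    return report
# Constructed sample lines (not real device output): a good TRAFFIC line, a THREAT line,
# one sent with facility local0 (PRI 134), and one in IETF (RFC 5424) format.
PAYLOAD = ("1,2024/04/03 09:15:01,012345678901,{type},end,2049,2024/04/03 09:15:01,10.1.2.3,"
           "52.96.0.1,0.0.0.0,0.0.0.0,allow-web,acme\\jdoe,,ms-office365,vsys1,trust,untrust,"
           "ethernet1/2,ethernet1/1,MCAS Logs,2024/04/03 09:15:01,1234,1,51234,443,0,0,0x0,"
           "tcp,allow,4096,1024,3072,12")
SAMPLE_LINES = [
    "<14>Apr  3 09:15:01 pan-fw01 " + PAYLOAD.format(type="TRAFFIC"),
    "<14>Apr  3 09:15:02 pan-fw01 " + PAYLOAD.format(type="THREAT"),
    "<134>Apr  3 09:15:03 pan-fw02 " + PAYLOAD.format(type="TRAFFIC"),
    "<14>1 2024-04-03T09:15:04Z pan-fw03 - - - - " + PAYLOAD.format(type="TRAFFIC"),
]
print(summarize(SAMPLE_LINES))
```

Point `summarize` at lines captured on the collector host (for example from a tcpdump or the collector's own log) to see at a glance whether the format, facility or log type is what the MCAS parser expects.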


4 Replies

@Marc-R Hello, I followed your guide but no logs appeared on the MCAS portal. I have checked from the log collector side and it's receiving logs from Palo Alto. So what is the problem?

@Mahmoud_Eldeep We're having the same issue. There are thousands of backlogged items in the governance log. I'm also told we're in the US3 data center which has been plagued with capacity issues.

Hello, I followed your instructions and also did a bunch of research but still no joy. Did yours actually work? I got a docker on Windows 10, FTP, PA Firewall, MS Defender Cloud App Discovery but still couldn't make a handshake from the log collector. Any insights I would really appreciate.

Hi Marc, I appreciate it has been a while - how are you tracking with MCAS and Palo integration? Have there been any improvements to make this more seamless?