Palo Alto CONFIG Events - Client IP Mapping Bug

Document created by rkent on Aug 25, 2015

Description of Issue:

The PAN-OS CEF guides have a bug in the CEF format string for CONFIG events: the client IP (the IP address of the client from which the configuration change was made) is mapped to the ArcSight DeviceHostName field. DeviceHostName is supposed to contain the hostname of the PAN firewall itself, not the address of whoever changed its configuration.

 

Here's the screenshot of the bug highlighted in the latest 6.1 CEF guide:
PAN-OS_6.1_CONFIG_bug.png

If you consult the Palo Alto Syslog Field Descriptions page (Syslog Field Descriptions), it gives the following description for the '$host' value, which shows that it is the IP address of the client that made the config change (not the IP of the PAN firewall that was changed):

PAN-OS_CONFIG_bug.png

 

Solution:

Update the CEF CONFIG format string so that the PAN-OS value '$host' is mapped into the ArcSight field 'src' (source address) instead of 'dvchost'. The format strings for each PAN-OS version follow, first as printed in the guide and then with the workaround applied:

 

CEF CONFIG format string by PAN-OS version, without and with the workaround (the only change in each pair is dvchost=$host becoming src=$host):

PAN-OS 4.1

Without workaround:
CEF:0|Palo Alto Networks|PAN-OS|4.1.0|$subtype $result|$type|1|rt=$cef-formatted-receive_time deviceExternalId=$serial dvchost=$host cs3Label=Virtual System cs3=$vsys act=$cmd duser=$admin destinationServiceName=$client msg=$path externalId=$seqno

With workaround:
CEF:0|Palo Alto Networks|PAN-OS|4.1.0|$subtype $result|$type|1|rt=$cef-formatted-receive_time deviceExternalId=$serial src=$host cs3Label=Virtual System cs3=$vsys act=$cmd duser=$admin destinationServiceName=$client msg=$path externalId=$seqno

PAN-OS 5.0

Without workaround:
CEF:0|Palo Alto Networks|PAN-OS|5.0.0|$result|$type|1|rt=$cef-formatted-receive_time deviceExternalId=$serial dvchost=$host cs3Label=Virtual System cs3=$vsys act=$cmd duser=$admin destinationServiceName=$client msg=$path externalId=$seqno cs1Label=Before Change Detail cs1=$before-change-detail cs2Label=After Change Detail cs2=$after-change-detail

With workaround:
CEF:0|Palo Alto Networks|PAN-OS|5.0.0|$result|$type|1|rt=$cef-formatted-receive_time deviceExternalId=$serial src=$host cs3Label=Virtual System cs3=$vsys act=$cmd duser=$admin destinationServiceName=$client msg=$path externalId=$seqno cs1Label=Before Change Detail cs1=$before-change-detail cs2Label=After Change Detail cs2=$after-change-detail

PAN-OS 6.0

Without workaround:
CEF:0|Palo Alto Networks|PAN-OS|6.0.0|$result|$type|1|rt=$cef-formatted-receive_time deviceExternalId=$serial dvchost=$host cs3Label=Virtual System cs3=$vsys act=$cmd duser=$admin destinationServiceName=$client msg=$path externalId=$seqno cs1Label=Before Change Detail cs1=$before-change-detail cs2Label=After Change Detail cs2=$after-change-detail

With workaround:
CEF:0|Palo Alto Networks|PAN-OS|6.0.0|$result|$type|1|rt=$cef-formatted-receive_time deviceExternalId=$serial src=$host cs3Label=Virtual System cs3=$vsys act=$cmd duser=$admin destinationServiceName=$client msg=$path externalId=$seqno cs1Label=Before Change Detail cs1=$before-change-detail cs2Label=After Change Detail cs2=$after-change-detail

PAN-OS 6.1

Without workaround:
CEF:0|Palo Alto Networks|PAN-OS|6.1.0|$result|$type|1|rt=$cef-formatted-receive_time deviceExternalId=$serial dvchost=$host cs3Label=Virtual System cs3=$vsys act=$cmd duser=$admin destinationServiceName=$client msg=$path externalId=$seqno cs1Label=Before Change Detail cs1=$before-change-detail cs2Label=After Change Detail cs2=$after-change-detail

With workaround:
CEF:0|Palo Alto Networks|PAN-OS|6.1.0|$result|$type|1|rt=$cef-formatted-receive_time deviceExternalId=$serial src=$host cs3Label=Virtual System cs3=$vsys act=$cmd duser=$admin destinationServiceName=$client msg=$path externalId=$seqno cs1Label=Before Change Detail cs1=$before-change-detail cs2Label=After Change Detail cs2=$after-change-detail

NB: In the original guides, grey italic text marks fields that are optional.
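As an added example (not code from this document, Palo Alto Networks or ArcSight), the following Python renders the 6.1 CONFIG template with constructed event values, parses the resulting CEF line, and flags the symptom of the bug on the SIEM side: a CONFIG event whose dvchost holds a bare IP address. The sample values and the audit heuristic are assumptions.

```python
import ipaddress
import re

# Constructed sample values for one CONFIG event (placeholders, not a real device).
# Per the PAN-OS field descriptions, $host is the IP of the client that made the change.
SAMPLE_EVENT = {
    "cef-formatted-receive_time": "Aug 25 2015 10:15:42", "serial": "000000000000",
    "host": "10.0.0.25", "vsys": "vsys1", "cmd": "edit", "admin": "admin",
    "client": "Web", "path": "devices/entry/vsys/entry/rulebase/security",
    "seqno": "12345", "result": "Succeeded", "type": "CONFIG",
}

# 6.1 CONFIG format string as printed in the guide (buggy) and with the workaround.
BUGGY_6_1 = ("CEF:0|Palo Alto Networks|PAN-OS|6.1.0|$result|$type|1|"
             "rt=$cef-formatted-receive_time deviceExternalId=$serial dvchost=$host "
             "cs3Label=Virtual System cs3=$vsys act=$cmd duser=$admin "
             "destinationServiceName=$client msg=$path externalId=$seqno")
FIXED_6_1 = BUGGY_6_1.replace("dvchost=$host", "src=$host")

VAR = re.compile(r"\$([A-Za-z_][A-Za-z0-9_-]*)")

def render(template, event):
    """Substitute $name tokens the way the PAN-OS syslog formatter would."""
    return VAR.sub(lambda m: event[m.group(1)], template)

def parse_cef(line):
    """Split a CEF line into its 7 header fields and an extension dict.
    Keys are located at 'key=' boundaries, so values may contain spaces."""
    parts = line.split("|", 7)
    header = parts[:7]
    extension = parts[7] if len(parts) > 7 else ""
    ext = {m.group(1): m.group(2)
           for m in re.finditer(r"(\w+)=(.*?)(?=\s\w+=|$)", extension)}
    return header, ext

def looks_like_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def audit(line):
    """Flag a CONFIG event whose dvchost holds a bare IP: a symptom (not proof) that
    $host was mapped to dvchost instead of src. header[5] is the CEF Name field,
    which these format strings fill with $type."""
    header, ext = parse_cef(line)
    if len(header) == 7 and header[5] == "CONFIG" and looks_like_ip(ext.get("dvchost", "")):
        return ["dvchost=%s is a client IP, not the firewall hostname; map $host to src"
                % ext["dvchost"]]
    return []
```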

References:

Palo Alto Networks PAN-OS 6.1 CEF Configuration Guide (August 2015)

Palo Alto Networks PAN-OS 6.0 CEF Configuration Guide (May 2014)

Palo Alto Networks PAN-OS 5.0 CEF Configuration Guide (May 2014)

 

I've filed a ticket with Palo Alto Support for the docs to be updated: 00369785
