Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
adem_netsys
Contributor

Palo Alto Create Policy to SIEM

Hi,

 

I am going to create a rule on the Siem side about policies created and deleted in Palo alto. Is there a rule you have used or prepared before?

 

Thank you

3 REPLIES 3
dbu
Staff
Staff

I think there are no predefined rules for Palo Alto firewall. 

From the official guide i see that it can monitor "Configuration Change" for Palo Alto so basically every change, but not something specifically for policies.

https://help.fortinet.com/fsiem/5-2-6_ESCG_HTML/FortiSIEM/User-guide/Palo-Alto-Firewall-Configuratio...

Regards!
If you have found a solution, please like and accept it to make it easily accessible for others.
Richie_C
Staff
Staff

Hi @adem_netsys 

 

You should start by checking out the event types available for Palo Alto (ADMIN > Device Support > Event Types). Find the relevant event type for you and make sure you are receiving the event.

 

 

Then you could simply clone a rule such as FortiGate: Admin User Deleted. Then replace the event type as required. For example:

 

PAN-Rule.JPG

 

be sure to also change the incident name under actions.

 

I hope it helps!

Take a backup before making any changes
adem_netsys

Thank you @Richie_C 

 

I solved the issue.

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors