Hi,
I am going to create a rule on the SIEM side about policies created and deleted in Palo Alto. Is there a rule you have used or prepared before?
Thank you
I think there are no predefined rules for Palo Alto firewall.
From the official guide I see that it can monitor "Configuration Change" for Palo Alto, so basically every change, but not something specifically for policies.
https://help.fortinet.com/fsiem/5-2-6_ESCG_HTML/FortiSIEM/User-guide/Palo-Alto-Firewall-Configuratio...
Hi @adem_netsys
You should start by checking out the event types available for Palo Alto (ADMIN > Device Support > Event Types). Find the relevant event type for you and make sure you are receiving the event.
Then you could simply clone a rule such as FortiGate: Admin User Deleted. Then replace the event type as required. For example:
Be sure to also change the incident name under actions.
I hope it helps!
Copyright 2025 Fortinet, Inc. All Rights Reserved.