We are in the process of ingesting Palo Alto logs from a separate organization’s network into our instance of Splunk Enterprise Security (on-prem) which resides on another network. Connectivity between both of our organizations is facilitated through an interconnection provided by a product called Equinix. This way, data and file interchanges between our organizations are secure over the internet.
I’m trying to determine a performance- and cost-efficient method of ingesting the other organization’s logs into our network. We’re ingesting our internal organization’s Palo Alto FW logs by forwarding these to a syslog server, and they’re sent to our Splunk indexers from there. How different would the log ingestion mechanism for an external org’s Palo Alto logs be?
I’ve done something similar a while back with Palo Alto logs. We ended up having the logs sent to a NAT address on the Internet which was then routed to a Heavy Forwarder in the DMZ. That HF could only send data over port 2035 to our indexers. The HF did not have the GUI enabled for security reasons and access was very limited to the box itself. If I remember correctly, we did have a cert installed also. Hope that helps.
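The setup the commenter describes (DMZ heavy forwarder, web UI off, a single outbound port to the indexers, certificate-based TLS) can be expressed in a few Splunk .conf stanzas. This is an added illustration, not the commenter's actual configuration; hostnames, the port 2035 taken from the comment, file paths and the sourcetype are placeholders, and the setting names should be checked against the `.spec` files shipped with your Splunk version.

```ini
# ---- Heavy forwarder in the DMZ: $SPLUNK_HOME/etc/system/local/web.conf ----
# No management GUI on the box that faces the Internet
[settings]
startwebserver = 0

# ---- Heavy forwarder: $SPLUNK_HOME/etc/system/local/inputs.conf ----
# Syslog arrives from the NAT address; record the sending IP, not a reverse lookup
[udp://514]
sourcetype = pan:log
index = pan_org2
connection_host = ip

# ---- Heavy forwarder: $SPLUNK_HOME/etc/system/local/outputs.conf ----
# The only thing this host may talk to: the indexers, on the one allowed port,
# over TLS with the HF presenting a client certificate.
[tcpout]
defaultGroup = org_indexers

[tcpout:org_indexers]
server = idx1.example.org:2035, idx2.example.org:2035
clientCert = $SPLUNK_HOME/etc/auth/mycerts/hf-client.pem
sslPassword = <CLIENT_KEY_PASSPHRASE_PLACEHOLDER>
sslVerifyServerCert = true

# ---- Heavy forwarder: $SPLUNK_HOME/etc/system/local/server.conf ----
# CA that signed the indexers' certificates (used by sslVerifyServerCert above)
[sslConfig]
sslRootCAPath = $SPLUNK_HOME/etc/auth/mycerts/ca.pem

# ---- Indexers: $SPLUNK_HOME/etc/system/local/inputs.conf ----
# Listen for forwarder traffic only on the non-default port, TLS required,
# and reject forwarders that do not present a certificate from our CA.
[splunktcp-ssl:2035]
disabled = 0

[SSL]
serverCert = $SPLUNK_HOME/etc/auth/mycerts/indexer.pem
sslPassword = <SERVER_KEY_PASSPHRASE_PLACEHOLDER>
requireClientCert = true
```

The DMZ firewall rule set then only needs to allow UDP/514 inbound from the partner's NAT address and TCP/2035 outbound to the indexers; with `requireClientCert = true` on the indexers, a compromised DMZ host cannot be replaced by an arbitrary sender unless the client key is also stolen, which is why the key material on the HF deserves the same restricted access the comment mentions.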
Can you install a collection point in the other org’s infra? Are you trying to forward UDP syslog over the VPN? I would be concerned about data loss if the VPN goes down and major data loss with home run logging with anything UDP.
HEC, or you can use newer Splunk UFs’ http output, which does traditional s2s (requires LB_CHUNK_BREAKER in props.conf), but over HEC so you can pass it through a LB/reverse proxy using an HEC token.
Equinix serves as a network edge virtualization platform which connects multiple different organizations - sort of provides a centralized hub for ingress and egress traffic through its own Palo Alto NGFW. So, if Org 1 wants to exchange files or data with Org 2, this exchange would be facilitated via Equinix.
Ahh ok, that is an interesting approach. I’m assuming that you didn’t leverage any type of cloud or data center interconnection (e.g. Equinix) from the source of the Palo Alto logs to your organization?
Some of the key steps we’re taking to establish connectivity between our org (Org 1) and the separate org (Org 2) include advertising CIDR ranges to Equinix (data center interchange) via BGP. In this case, I’m wondering where the Palo Alto logs would initially be routed to…
I mentioned in another post, but new forwarders have a traditional Splunk s2s (splunk2splunk) option that goes over HEC (requires an HEC token and LB_CHUNK_BREAKER in props on the forwarder’s inputs). This way you aren’t forced to convert it to HEC first and you can use a LB/reverse proxy in the DMZ for the indexer HEC side to keep from exposing Splunk directly.
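To make the option in this comment (and the earlier one mentioning LB_CHUNK_BREAKER) concrete, here is what the forwarder-over-HTTP path looks like in Splunk .conf terms. This is an added example, not the commenter's configuration: the `[httpout]` stanza and its settings are taken from Splunk's documentation for forwarding over HTTP in 9.1 and later as I recall it, so verify them against `$SPLUNK_HOME/etc/system/README/outputs.conf.spec` on your build; the token, hostnames, index and sourcetype are placeholders.

```ini
# ======== Org 1 side: universal forwarder next to syslog-ng ========

# $SPLUNK_HOME/etc/system/local/inputs.conf
# syslog-ng writes the Palo Alto feed to files; the UF tails them.
[monitor:///var/log/syslog-ng/paloalto/*.log]
sourcetype = pan:log
index = pan_org2
disabled = 0

# $SPLUNK_HOME/etc/system/local/props.conf
# HTTP output ships data in chunks. LB_CHUNK_BREAKER tells the forwarder where a
# chunk may be cut so that no event is split across two HEC requests; for syslog
# one line is one event, so break on newlines.
[pan:log]
LB_CHUNK_BREAKER = ([\r\n]+)

# $SPLUNK_HOME/etc/system/local/outputs.conf
# Instead of tcpout to port 9997, send the same s2s stream as HEC requests.
# The uri is the reverse proxy / load balancer in Org 2's DMZ, never an indexer.
[httpout]
httpEventCollectorToken = <HEC_TOKEN_PLACEHOLDER>
uri = https://hec.org2.example:443

# ======== Org 2 side: indexers behind the DMZ reverse proxy ========

# $SPLUNK_HOME/etc/system/local/inputs.conf (deployed to every indexer)
[http]
disabled = 0
enableSSL = 1
port = 8088

# One token per partner feed; the token may only write to the index listed,
# so a leaked token cannot pollute other indexes.
[http://pan_org2_s2s]
token = <HEC_TOKEN_PLACEHOLDER>
index = pan_org2
indexes = pan_org2
disabled = 0
```

The proxy in front of the indexers only needs to pass requests for the `/services/collector` path through to port 8088 on the indexer tier and can drop everything else, which is the "keep from exposing Splunk directly" point in the comment. Because the transport is a plain HTTPS POST, the partner link losing connectivity results in the UF queueing and retrying rather than the silent loss that UDP syslog over the same path would give.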
While the Palo Alto → syslog (w/ UF) → Splunk indexer path is fairly straightforward, I guess I’m primarily concerned with the security implications of this approach since the logs would be forwarded over the internet (Org 1 → Org 2).
I am not familiar with Equinix, but you do state that “data and file interchanges between our organizations are secure over the internet”. Do you not trust Equinix? Regardless, you want to make sure you secure your environment.
Edit: I would make sure that syslog-ng and the UF are over on the Org 1 side.