How to ingest Palo Alto logs from external organization into our on-prem Splunk instance?

Hello,

We are in the process of ingesting Palo Alto logs from a separate organization’s network into our instance of Splunk Enterprise Security (on-prem), which resides on another network. Connectivity between both of our organizations is facilitated through an interconnection provided by a product called Equinix. This way, data and file interchanges between our organizations are secure over the internet.

I’m trying to determine a performant and cost-efficient method of ingesting the other organization’s logs into our network. We’re ingesting our internal organization’s Palo Alto FW logs by forwarding them to a syslog server, and they’re sent to our Splunk indexers from there. How different would the log ingestion mechanism for an external org’s Palo Alto logs be?

Any help would be greatly appreciated!

Have you looked at https://splunkbase.splunk.com/app/491/

What exactly does this Equinix product do? If it’s basically just a VPN, I’d just use syslog as you are using for your existing Palo Alto logs.

I’ve done something similar a while back with Palo Alto logs. We ended up having the logs sent to a NAT address on the internet, which was then routed to a Heavy Forwarder in the DMZ. That HF could only send data over port 2035 to our indexers. The HF did not have the GUI enabled for security reasons, and access to the box itself was very limited. If I remember correctly, we did have a cert installed also. Hope that helps.

I would highly recommend Splunk’s HTTP Event Collector here, and then use a PA log forwarding profile to ship them to the Splunk HTTP Event Collector.
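For readers who, like the original poster, have not seen PA logs pushed over HEC before, the following is an added example (not from this thread, and not Palo Alto’s or Splunk’s own code) showing what a HEC batch built from PAN-OS syslog lines looks like and how a relay that sits between the firewall and the collector should build and send it. The three sample lines are constructed; the collector URL, the token value, the `pan_logs` index name, the `pan-os` source and the CA bundle path are all placeholders, and `pan:log` is assumed to be the sourcetype your version of the Palo Alto add-on expects for raw firewall syslog (check the add-on’s props.conf before relying on it).

```python
import csv
import json
import re
import ssl
import urllib.request
from datetime import datetime, timezone

# Constructed sample input: two PAN-OS TRAFFIC lines in the CSV syslog format
# the firewall emits (fields abbreviated) plus one unrelated line that must be
# rejected rather than silently indexed under the Palo Alto sourcetype.
SAMPLE_LINES = [
    "<14>Jan 15 10:22:01 pa-fw-1 1,2024/01/15 10:22:01,001234567890,TRAFFIC,end,2561,"
    "2024/01/15 10:22:01,10.1.1.25,203.0.113.10,0.0.0.0,0.0.0.0,allow-web,,,ssl,vsys1,"
    "trust,untrust,ethernet1/2,ethernet1/1,default-profile,2024/01/15 10:22:01,12345,1,"
    "51234,443,0,0,0x1b,tcp,allow,5120,2048,3072,20,2024/01/15 10:21:50,10,any",
    "<14>Jan 15 10:22:03 pa-fw-1 1,2024/01/15 10:22:03,001234567890,TRAFFIC,drop,2561,"
    "2024/01/15 10:22:03,198.51.100.7,10.1.1.40,0.0.0.0,0.0.0.0,deny-inbound,,,"
    "not-applicable,vsys1,untrust,trust,ethernet1/1,ethernet1/2,default-profile,"
    "2024/01/15 10:22:03,12346,1,40022,3389,0,0,0x0,tcp,deny,60,60,0,1,"
    "2024/01/15 10:22:03,0,any",
    "<13>Jan 15 10:22:04 some-host sshd[123]: Accepted publickey for bob from 10.1.1.5",
]

# Optional <PRI>, BSD-style timestamp, hostname, then the PAN-OS CSV body.
SYSLOG_RE = re.compile(r"^(?:<\d{1,3}>)?(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (\S+) (.*)$")
PAN_TYPES = {"TRAFFIC", "THREAT", "SYSTEM", "CONFIG", "HIPMATCH", "USERID",
             "GLOBALPROTECT", "DECRYPTION"}


def parse_pan_syslog(line):
    """Return host, log type and generated time for a PAN-OS line, or None."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    _, host, body = m.groups()
    fields = next(csv.reader([body]))  # PAN-OS quotes fields that contain commas
    # Field 3 is the log type and field 6 the "Generated Time" in PAN-OS CSV.
    if len(fields) < 9 or fields[3] not in PAN_TYPES:
        return None
    # Assumption: the firewall clock is UTC; adjust if yours logs local time.
    gen = datetime.strptime(fields[6], "%Y/%m/%d %H:%M:%S").replace(tzinfo=timezone.utc)
    return {"host": host, "log_type": fields[3], "subtype": fields[4],
            "time": gen.timestamp(), "body": body}


def to_hec_event(line, index="pan_logs", sourcetype="pan:log"):
    """Wrap one raw PAN-OS line in the HEC event envelope (or None if not PAN-OS)."""
    parsed = parse_pan_syslog(line)
    if parsed is None:
        return None
    return {"time": parsed["time"], "host": parsed["host"], "source": "pan-os",
            "sourcetype": sourcetype, "index": index, "event": parsed["body"]}


def build_batch(lines, **kw):
    """Split input into HEC events and rejected lines so nothing is dropped unnoticed."""
    events, rejected = [], []
    for line in lines:
        ev = to_hec_event(line, **kw)
        if ev is None:
            rejected.append(line)
        else:
            events.append(ev)
    return events, rejected


def build_hec_request(collector_url, token, events):
    """One POST carrying newline-delimited JSON events, authenticated by HEC token."""
    body = "\n".join(json.dumps(e, separators=(",", ":")) for e in events).encode()
    return urllib.request.Request(
        collector_url.rstrip("/") + "/services/collector/event",
        data=body, method="POST",
        headers={"Authorization": "Splunk " + token,
                 "Content-Type": "application/json"})


def tls_context(ca_bundle):
    """Verify the collector's certificate against your own CA; never disable checks."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def send(request, ctx, timeout=10):
    """Deliver the batch; a non-2xx status raises, so the caller can retry."""
    with urllib.request.urlopen(request, context=ctx, timeout=timeout) as resp:
        return resp.status, json.loads(resp.read())


if __name__ == "__main__":
    evs, bad = build_batch(SAMPLE_LINES)
    req = build_hec_request("https://hec.example.org:8088", "00000000-PLACEHOLDER", evs)
    print(len(evs), "events,", len(bad), "rejected,", len(req.data), "bytes")
    # send(req, tls_context("/etc/ssl/certs/org-ca.pem"))  # placeholder CA path
```

Because the batch goes over HTTPS, the relay gets a status code per POST and can retry a failed batch, which is the property plain UDP syslog across a VPN cannot give you; the rejected list is worth alerting on, since a change in the firewall’s log format would otherwise show up only as missing data.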

Honestly, your best option for security would be a VPN; it’s how we’re doing it. Palo Alto → syslog-ng with Splunk UF → VPN → Splunk indexer

Can you install a collection point in the other org’s infra? Are you trying to forward UDP syslog over the VPN? I would be concerned about data loss if the VPN goes down and major data loss with home run logging with anything UDP.

HEC, or you can use the newer Splunk UF’s HTTP input, which does traditional s2s (requires LB_CHUNK_BREAKER in props.conf), but over HEC, so you can pass it through a LB/reverse proxy using an HEC token.

Wouldn’t this app just provide dashboards and saved searches for us to use rather than provide a method for log ingestion?

Equinix serves as a network edge virtualization platform which connects multiple different organizations; it sort of provides a centralized hub for ingress and egress traffic through its own Palo Alto NGFW. So, if Org 1 wants to exchange files or data with Org 2, this exchange would be facilitated via Equinix.

Ahh ok, that is an interesting approach. I’m assuming that you didn’t leverage any type of cloud or data center interconnection (e.g. Equinix) from the source of the Palo Alto logs to your organization?

Some of the key steps we’re taking to establish connectivity between our org (Org 1) and the separate org (Org 2) include advertising CIDR ranges to Equinix (data center interchange) via BGP. In this case, I’m wondering where the Palo Alto logs would initially be routed to…

This could definitely work since we have a HF where HEC can be configured.

So, what I’m thinking is Palo Alto → Splunk HF (HEC) → Splunk Indexers.

I never realized that ingesting PA logs via HEC was an option…

If you look at the documentation, it goes over the recommended way to get the PA data into Splunk. https://splunk.paloaltonetworks.com/universal-forwarder.html

Now, it doesn’t matter if they are on different networks, as long as Splunk can communicate with the UFs.

The App would give you dashboards and such, but you should at least use the add-on for correct parsing.

I mentioned this in another post, but new forwarders have a traditional Splunk s2s (splunk2splunk) option that goes over HEC (requires an HEC token and LB_CHUNK_BREAKER in props on the forwarder’s inputs). This way you aren’t forced to convert it to HEC first, and you can use a LB/reverse proxy in the DMZ for the indexer HEC side to keep from exposing Splunk directly.

Agreed, that makes sense.

While the Palo Alto → syslog (w/ UF) → Splunk indexer path is fairly straightforward, I guess I’m primarily concerned with the security implications of this approach, since the logs would be forwarded over the internet (Org 1 → Org 2).

Well, you would want to secure your environment: https://docs.splunk.com/Documentation/Splunk/8.2.4/Security/AboutsecuringyourSplunkconfigurationwithSSL

I am not familiar with Equinix, but you do state that “data and file interchanges between our organizations are secure over the internet”. Do you not trust Equinix? Regardless, you want to make sure you secure your environment.

Edit: I would make sure that the syslog-ng and the UF are over on the Org 1 side.