Step 1 – Configure Server Profile used to send SYSLOG messages to a destination
Note: The Palo Alto Administrator's Guide states that by default all log data is forwarded over the MGT interface. In addition, we will have to create a Server Profile for each external service the firewall will interact with.
From your web-based management console navigate to Device -> Server Profiles -> Syslog. You'll configure the name, IP address or FQDN of the syslog server, port, and format. Typically syslog messages are sent over UDP to port 514 in BSD format. IETF format is normally used over TCP/SSL. Keep in mind that UDP syslog is neither acknowledged nor encrypted, so events can be silently lost or read in transit; TCP with SSL is the choice when delivery and confidentiality matter.
Step 2 – Enable Log Forwarding
Navigate to Objects -> Log Forwarding.
We create a Log Forwarding Profile that specifies the Server Profiles we will send event logs to, in the form of SYSLOG and SNMP messages. You can set a severity threshold to control which messages are forwarded out of the Palo Alto to your log collector.
Step 3 – Add Log Forwarding Profile to a Security Rule
In this example I have created a security rule that governs DNS traffic that is generated in our LAN and is destined for the Internet. My thought is I would like to receive notice when any user on my network tries to resolve a URL while avoiding our internal DNS servers. I edit this "Deny DNS Out" rule, navigating to the Actions Tab where we specify a Log Forwarding Profile created in step 2.
We can use tshark to view traffic that reaches an interface. In my example I am looking for SYSLOG messages from a firewall destined to my instance of LibreNMS. LibreNMS listens for UDP traffic on port 514 of the eth0 interface from a specific IP address.
We'd like to filter traffic based on source IP address and protocol type.
Specify the interface: -i eth0
Specify the protocol and port with a capture filter (BPF syntax, applied while capturing): -f "udp port 514"
Specify packet capture count: -c 100
Write to a file for review: -w capture.pcap
Limit the capture to a specific source IP by extending the capture filter: src host a.b.c.d (plain "host a.b.c.d" would also match traffic sent to that address). Note that -f is a capture filter; a display filter (-Y) only affects what tshark shows, not what gets written to the file.
Here's the final product:
tshark -i eth0 -f "udp port 514 and src host a.b.c.d" -c 100 -w capture.pcap
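Once the capture shows datagrams arriving, the next question is whether the collector parses them the way you expect. The following is an added example, not code from the original post or from LibreNMS or Palo Alto: a minimal collector-side receiver that accepts datagrams only from the firewall's source address, parses both the BSD (RFC 3164) and IETF (RFC 5424) framings a Server Profile can emit, and applies the same kind of severity threshold the Log Forwarding Profile uses. Hostnames, the "dns-policy" tag and all sample messages are constructed; "a.b.c.d" is the placeholder address from the tshark command above.

```python
# Added example (not from the original post): a minimal syslog receiver that does what a
# collector such as LibreNMS does on UDP/514 -- accept datagrams only from the firewall's
# source IP, parse both the BSD (RFC 3164) and IETF (RFC 5424) framings a PAN-OS Server
# Profile can emit, and apply a severity threshold. All sample messages are constructed.
import re
import socket
from dataclasses import dataclass
from typing import Iterable, List, Tuple

SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


@dataclass
class SyslogEvent:
    facility: int
    severity: int          # 0 = most severe, 7 = debug
    fmt: str               # "bsd", "ietf" or "unknown"
    hostname: str
    app: str
    message: str

    @property
    def severity_name(self) -> str:
        return SEVERITY_NAMES[self.severity]


# RFC 5424: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA [MSG]
_IETF_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) (?P<pid>\S+) "
    r"(?P<msgid>\S+) (?P<sd>-|(?:\[.*?\])+)(?: (?P<msg>.*))?$",
    re.DOTALL,
)
# RFC 3164: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG[pid]: MSG  (day of month is space-padded)
_BSD_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<app>[^\s:\[]+)(?:\[\d+\])?:?\s?(?P<msg>.*)$",
    re.DOTALL,
)
_PRI_RE = re.compile(r"^<(\d{1,3})>")


def _split_pri(pri: int) -> Tuple[int, int]:
    # PRI = facility * 8 + severity; facilities run 0-23, so 191 is the largest legal value
    if pri > 191:
        raise ValueError(f"PRI {pri} out of range")
    return pri // 8, pri % 8


def parse_syslog(raw: bytes) -> SyslogEvent:
    """Parse one syslog datagram; IETF is tried first because its header is stricter."""
    text = raw.decode("utf-8", errors="replace").rstrip("\r\n")
    m = _IETF_RE.match(text)
    if m:
        fac, sev = _split_pri(int(m.group("pri")))
        return SyslogEvent(fac, sev, "ietf", m.group("host"), m.group("app"), m.group("msg") or "")
    m = _BSD_RE.match(text)
    if m:
        fac, sev = _split_pri(int(m.group("pri")))
        return SyslogEvent(fac, sev, "bsd", m.group("host"), m.group("app"), m.group("msg"))
    m = _PRI_RE.match(text)
    if not m:
        raise ValueError("datagram has no <PRI> header")
    fac, sev = _split_pri(int(m.group(1)))
    # Valid PRI but neither header shape: keep the body rather than dropping the event.
    return SyslogEvent(fac, sev, "unknown", "", "", text[m.end():])


def filter_events(datagrams: Iterable[Tuple[bytes, Tuple[str, int]]],
                  allowed_source: str, max_severity: int = 7) -> List[SyslogEvent]:
    """Keep events from allowed_source whose severity is max_severity or more severe.
    Mirrors the collector side of the firewall's threshold (lower number = worse)."""
    kept = []
    for data, (src_ip, _port) in datagrams:
        if src_ip != allowed_source:
            continue  # the collector should ignore sources it was not told about
        try:
            ev = parse_syslog(data)
        except ValueError:
            continue  # malformed datagram; a real collector would count these
        if ev.severity <= max_severity:
            kept.append(ev)
    return kept


def serve(bind_ip: str, allowed_source: str, port: int = 514) -> None:
    """Real UDP listener (binding 514 needs privileges); not exercised by the sample below."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_ip, port))
    while True:
        data, addr = sock.recvfrom(65535)
        for ev in filter_events([(data, addr)], allowed_source):
            print(f"{ev.hostname} {ev.app} {ev.severity_name}: {ev.message}")


# Constructed sample datagrams: (payload, (source ip, source port)). "a.b.c.d" is the
# firewall address placeholder used in the post; a second, unexpected source is included.
SAMPLE = [
    (b"<14>Oct  5 12:00:01 pa-fw-01 dns-policy: deny udp 192.168.10.23 -> 8.8.8.8:53",
     ("a.b.c.d", 40001)),
    (b"<13>1 2024-10-05T12:00:02Z pa-fw-01 dns-policy - - - deny udp 192.168.10.24 -> 1.1.1.1:53",
     ("a.b.c.d", 40002)),
    (b"<15>Oct  5 12:00:03 pa-fw-01 system: commit completed", ("a.b.c.d", 40003)),
    (b"<14>Oct  5 12:00:04 rogue-host kernel: not our firewall", ("10.9.9.9", 5000)),
]

if __name__ == "__main__":
    for ev in filter_events(SAMPLE, "a.b.c.d", max_severity=6):
        print(ev.fmt, ev.hostname, ev.app, ev.severity_name, ev.message)
```

With the threshold set to informational (6), the debug-level commit message and the datagram from the unexpected source are dropped and the two DNS deny events survive, one in each framing. Source-IP matching here is only a sanity check against misconfiguration, since UDP sources are trivially forgeable; that is one more reason to prefer TCP/SSL for the production profile.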
At your central router, Corp, create a pool, specify a DNS server and default gateway that will be provided to clients that are configured using DHCP.
Exclude addresses from the pool before you enable the dhcp pool.
Corp(config)#ip dhcp excluded-address 192.168.10.1
Corp(config)#ip dhcp pool SF_LAN
Corp(dhcp-config)#network 192.168.10.0 255.255.255.0
Corp(dhcp-config)#! the two lines below are assumed for this example: the excluded address is used as the gateway, and the DNS address should be replaced with your own
Corp(dhcp-config)#default-router 192.168.10.1
Corp(dhcp-config)#dns-server 192.168.10.1
Configure the remote router to forward DHCP client requests received on the Fast Ethernet 0/0 interface to an IP address, in our case the Corp router that was just configured above.
LA(config)#interface FastEthernet0/0
LA(config-if)#ip helper-address 172.16.10.5
In a lab environment, when you create a serial connection between two routers, keep the following in mind: one end of the cable is the DCE side and must supply the clock. Modern Cisco ISR routers can autodetect the DCE end and set the clock rate to 2000000 by default.
Determine which end of the cable a router has by issuing sh controllers s0/0/0
You may see a DCE cable connection:
Router#sh controllers s0/0/1
Hardware is PowerQUICC MPC860
DCE V.35, clock rate 1000000
Or you may see a DTE cable connection:
Corp#show controllers s0/0/1
Hardware is PowerQUICC MPC860
DTE V.35 TX and RX clocks detected
Remember, a serial connection with a DCE interface requires that a clock rate be set, as the other interface will have a DTE connection that receives the clock rate you set.
You can set the clock rate like so:
Router(config)#interface serial 0/0/0
Router(config-if)#clock rate 1000000
Use this command to list the name and login for all users that belong to a specific OU in a Microsoft Active Directory environment:
C:\>dsquery user "OU=FRESHMEN,OU=STUDENTS,DC=GREATSCHOOL,DC=US" -limit 0 | dsget user -samid -display > freshmen.txt
This variant pipes the same OU query into dsmod to set a password on every returned account and force a change at next logon:
C:\>dsquery user "OU=FRESHMEN,OU=STUDENTS,DC=GREATSCHOOL,DC=EDU" -limit 0 | dsmod user -pwd hardtoguesspassword -mustchpwd yes