Palo Alto Networks Integration Guide

Overview

This guide explains how to configure your Palo Alto Networks firewall to forward threat logs to NxtFireGuard using the HTTP Server Profile feature.

Prerequisites

  • Administrative access to your Palo Alto Networks firewall
  • NxtFireGuard API credentials (X-AUTH_KEY and X-SENSOR_NAME)
  • Network connectivity from your firewall to threat.collector.nxtfireguard.de on port 443

Endpoint Details

  • URL: https://threat.collector.nxtfireguard.de/paloalto
  • Method: POST
  • Content-Type: application/json

Authentication

Authentication requires two HTTP headers, both obtainable from your NxtFireGuard dashboard:

Header          Description
X-AUTH_KEY      Your unique API authentication key
X-SENSOR_NAME   Identifier for your Palo Alto firewall

Request Format

Required Fields

All fields in the request body are required:

{
  "threat_name": "WordPress Login Brute Force Attack",
  "threatid": "18",
  "src": "185.156.73.167",
  "dst": "159.69.13.62",
  "proto": "TCP",
  "subcategory_of_app": "web-applications",
  "thr_category": "brute-force",
  "app": "web-browsing",
  "time_received": "2024/01/15 14:30:45",
  "sport": 50123,
  "dport": 443
}

Field Specifications

Field                Type      Description
threat_name          string    Name of the detected threat
threatid             string    Palo Alto threat ID
src                  string    Source IP address (IPv4 or IPv6)
dst                  string    Destination IP address (IPv4 or IPv6)
proto                string    Network protocol (TCP, UDP, ICMP, etc.)
subcategory_of_app   string    Application subcategory from Palo Alto
thr_category         string    Threat category from Palo Alto
app                  string    Application name from Palo Alto
time_received        string    Timestamp when the threat was detected
sport                integer   Source port number (0-65535)
dport                integer   Destination port number (0-65535)

Criticality Mapping

NxtFireGuard automatically maps Palo Alto threat severities to our internal criticality scale (0-4). No additional configuration is required on your end.

Palo Alto Configuration

Step 1: Create HTTP Server Profile

  1. Log in to your Palo Alto Networks firewall web interface

  2. Navigate to Device > Server Profiles > HTTP

  3. Click Add to create a new HTTP Server Profile

  4. Configure the following settings:

    General Settings:

    • Name: NxtFireGuard (or any descriptive name)
    • Location: Select your device group or leave as default

    Tag Registration: (Optional)

    • Leave unchecked unless you have User-ID agent requirements
  5. Click on the Servers tab

Step 2: Add Server Configuration

  1. In the Servers tab, click Add

  2. Configure the server with the following details:

    Field                 Value
    Name                  NFG-API
    Address               threat.collector.nxtfireguard.de
    Protocol              HTTPS
    Port                  443
    TLS Version           1.2
    Certificate Profile   None
    HTTP Method           POST
    Username              admin (required by the server profile but not used by us, so you may put a dummy value)
    Password              you may put a dummy value or leave empty

Figure 1: HTTP Server Profile configuration showing the NFG-API server entry with authentication details

  3. Click on the Payload Format tab

Step 3: Configure Payload Format

  1. Select Payload Format tab

  2. Configure the following:

    Pre-defined Formats:

    • Select Default from the dropdown

    URI Format:

    • Enter: /paloalto

    Payload:

    • Use the JSON structure shown in the right panel. The default Palo Alto variables will automatically populate the required fields:
    {
      "threat_name": "$threat_name",
      "threatid": "$threatid",
      "src": "$src",
      "dst": "$dst",
      "proto": "$proto",
      "subcategory_of_app": "$subcategory_of_app",
      "thr_category": "$thr_category",
      "app": "$app",
      "time_received": "$time_received",
      "sport": "$sport",
      "dport": "$dport"
    }
    

    HTTP Headers: Add the following headers:

    Header          Value
    content-type    application/json
    X-AUTH_KEY      <your-auth-key>
    X-SENSOR_NAME   <your-sensor-name>

    To add headers:

    • Click Add in the HTTP Headers section
    • Enter the header name in the HEADERS column
    • Enter the value in the VALUE column
    • Repeat for all three headers

Figure 2: Payload Format configuration showing URI format, JSON payload structure, and HTTP headers

  3. Click OK to save the payload format
  4. Click OK to save the HTTP Server Profile
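The following Python check is an added example, not part of this guide or of NxtFireGuard's or Palo Alto's tooling: it validates an event against the Field Specifications above and assembles the request (URL, headers, body) in the shape the Endpoint Details, Authentication and Payload Format sections describe, so a payload can be checked before the HTTP Server Profile is pointed at the live endpoint. Because the payload template quotes $sport and $dport, it accepts quoted port values and sends them as integers; the sample event and the credential values are constructed.

```python
import ipaddress
import json

ENDPOINT = "https://threat.collector.nxtfireguard.de/paloalto"
STRING_FIELDS = ("threat_name", "threatid", "src", "dst", "proto",
                 "subcategory_of_app", "thr_category", "app", "time_received")
PORT_FIELDS = ("sport", "dport")
# Constructed sample event, using the values from the Request Format section.
SAMPLE_EVENT = {
    "threat_name": "WordPress Login Brute Force Attack", "threatid": "18",
    "src": "185.156.73.167", "dst": "159.69.13.62", "proto": "TCP",
    "subcategory_of_app": "web-applications", "thr_category": "brute-force",
    "app": "web-browsing", "time_received": "2024/01/15 14:30:45",
    "sport": 50123, "dport": 443,
}

def validate_event(event: dict) -> list:
    """Return a list of problems; an empty list means the event is well-formed."""
    errors = []
    for name in STRING_FIELDS + PORT_FIELDS:
        if name not in event:
            errors.append(f"missing required field: {name}")
    for name in STRING_FIELDS:
        if name in event and not isinstance(event[name], str):
            errors.append(f"{name} must be a string")
    for name in ("src", "dst"):
        try:
            ipaddress.ip_address(str(event.get(name, "")))
        except ValueError:
            if name in event:
                errors.append(f"{name} is not a valid IPv4 or IPv6 address")
    for name in PORT_FIELDS:
        value = event.get(name)
        # The payload template quotes $sport/$dport, so "443" is accepted like 443.
        if isinstance(value, str) and value.isdigit():
            value = int(value)
        if name in event and (isinstance(value, bool) or not isinstance(value, int)
                              or not 0 <= value <= 65535):
            errors.append(f"{name} must be an integer in the range 0-65535")
    return errors

def build_request(event: dict, auth_key: str, sensor_name: str) -> tuple:
    """Return (url, headers, body) as the Endpoint Details and Authentication sections specify."""
    problems = validate_event(event)
    if problems:
        raise ValueError("; ".join(problems))
    normalised = {**event, **{n: int(event[n]) for n in PORT_FIELDS}}  # ports as integers
    headers = {"Content-Type": "application/json",
               "X-AUTH_KEY": auth_key,       # both values come from the NxtFireGuard dashboard
               "X-SENSOR_NAME": sensor_name}
    return ENDPOINT, headers, json.dumps(normalised).encode()
```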

Step 4: Test Server Connection

  1. In the HTTP Server Profile configuration, click Test Server Connection
  2. Verify that the connection is successful
  3. If the test fails, check:
    • Network connectivity to threat.collector.nxtfireguard.de
    • Firewall rules allowing outbound HTTPS traffic
    • Correct authentication credentials

Step 5: Create Log Forwarding Profile

  1. Navigate to Objects > Log Forwarding

  2. Click Add to create a new profile

  3. Configure the following:

    General Settings:

    • Name: NFG-API (or any descriptive name)
    • Description: (Optional) "Forward threat logs to NxtFireGuard"
    • Log Type: threat
    • Filter: All Logs (or customize based on your requirements)
  4. In the Forward Method section:

    • Expand the HTTP section
    • Check the box next to HTTP
    • Select your previously created HTTP Server Profile: NxtFireGuard

Figure 3: Log Forwarding Profile Match List showing HTTP forward method with NxtFireGuard profile selected

  5. Click OK to save the Log Forwarding Profile

Step 6: Apply Log Forwarding to Security Policies

  1. Navigate to Policies > Security

  2. Edit the security policies where you want to forward threat logs

  3. In the Actions tab of each policy:

    • Under Log Settings, select your Log Forwarding Profile: NFG-API
    • Ensure Log at Session End is enabled
  4. Click OK to save the policy changes

Step 7: Commit Changes

  1. Click Commit in the top right corner
  2. Review the changes
  3. Click Commit to apply the configuration
  4. Wait for the commit to complete successfully

Verification

Test Log Forwarding

To verify that logs are being forwarded correctly:

  1. Generate a test threat event (e.g., trigger a security rule)
  2. Navigate to Monitor > Threat logs in your Palo Alto interface
  3. Verify that the threat was logged
  4. Check your NxtFireGuard dashboard to confirm the threat was received

Troubleshooting

If threats are not appearing in NxtFireGuard:

  1. Check HTTP Server Profile status:

    • Navigate to Device > Server Profiles > HTTP
    • Select your profile and click Test Server Connection
  2. Verify authentication headers:

    • Ensure X-AUTH_KEY and X-SENSOR_NAME are correct
    • Check for typos or extra spaces in header values
  3. Check system logs:

    • Navigate to Monitor > System logs
    • Filter for HTTP server profile errors
  4. Verify Log Forwarding Profile:

    • Ensure the profile is attached to active security policies
    • Check that the log type is set to threat
  5. Network connectivity:

    • Verify outbound HTTPS (443) connectivity to threat.collector.nxtfireguard.de
    • Check for any firewall rules blocking the connection

Code Examples

While Palo Alto handles the integration automatically, here is an example for testing the endpoint manually:

cURL

curl -X POST https://threat.collector.nxtfireguard.de/paloalto \
  -H "Content-Type: application/json" \
  -H "X-AUTH_KEY: your_auth_key_here" \
  -H "X-SENSOR_NAME: your_sensor_hostname" \
  -d '{
    "threat_name": "SQL Injection Attempt",
    "threatid": "30001",
    "src": "192.168.1.100",
    "dst": "10.0.0.50",
    "proto": "TCP",
    "subcategory_of_app": "database",
    "thr_category": "code-execution",
    "app": "mysql",
    "time_received": "2024/01/15 14:30:45",
    "sport": 54321,
    "dport": 3306
  }'

Support

For additional assistance or questions about integration:
