本文にスキップ
KYRA MDR KYRA MDR Docs

Palo Alto GlobalProtect Integration

Overview

Palo Alto GlobalProtect provides secure remote access VPN with HIP checking. KYRA MDR collects GlobalProtect logs through PAN-OS syslog. Supports GlobalProtect 5.x and 6.x.

Prerequisites

  • A KYRA MDR Collector installed and running
  • Palo Alto NGFW configured as GlobalProtect gateway/portal
  • Syslog configured on the NGFW
  • GlobalProtect gateway and portal configured

Configuration

GlobalProtect events are forwarded through PAN-OS syslog:

  1. Ensure syslog is configured (see Palo Alto NGFW integration)
  2. Configure log forwarding under Objects > Log Forwarding:
Log TypeForwarding
SystemKYRA-MDR syslog profile
AuthenticationKYRA-MDR syslog profile
GlobalProtectKYRA-MDR syslog profile
HIP MatchKYRA-MDR syslog profile
  1. Apply the log forwarding profile to security policies
  2. Commit the configuration

PAN-OS CLI Configuration

You can configure syslog forwarding and log profiles directly from the PAN-OS CLI:

Terminal window
# Configure a syslog server profile
set shared log-settings syslog kyra-mdr-syslog server kyra-collector \
  server <COLLECTOR_IP> \
  transport TCP \
  port 514 \
  format BSD \
  facility LOG_USER


# Create a log forwarding profile
set shared log-settings profiles kyra-gp-profile \
  match-list gp-auth-logs \
    log-type auth \
    send-syslog kyra-mdr-syslog \
    filter "All Logs"


set shared log-settings profiles kyra-gp-profile \
  match-list gp-system-logs \
    log-type system \
    send-syslog kyra-mdr-syslog \
    filter "All Logs"


set shared log-settings profiles kyra-gp-profile \
  match-list gp-globalprotect-logs \
    log-type globalprotect \
    send-syslog kyra-mdr-syslog \
    filter "All Logs"


set shared log-settings profiles kyra-gp-profile \
  match-list gp-hipmatch-logs \
    log-type hipmatch \
    send-syslog kyra-mdr-syslog \
    filter "All Logs"


# Apply the profile to a security policy rule
set rulebase security rules allow-vpn-traffic \
  log-setting kyra-gp-profile


# Commit the configuration
commit

Verify Log Forwarding

Terminal window
# Show syslog server profile
show log-settings syslog


# Show log forwarding profile
show log-settings profiles


# On the KYRA Collector, verify incoming GlobalProtect logs
sudo tcpdump -i any port 514 -A | grep -i "globalprotect"

Collected Log Types

Log TypeDescriptionSecurity Use
GlobalProtect LoginVPN authentication eventsAccess monitoring
GlobalProtect LogoutVPN disconnection eventsSession tracking
HIP CheckHost information profile resultsEndpoint compliance
Gateway SelectionGateway assignment eventsLoad balancing monitoring
Config SyncPortal-gateway config syncConfiguration integrity
SatelliteGlobalProtect satellite eventsSite-to-site VPN monitoring

Troubleshooting

No GlobalProtect logs: Verify the log forwarding profile includes the GlobalProtect log type.

Missing HIP data: HIP Match logs require HIP profiles configured and assigned to policies.

Multi-gateway: Each gateway generates independent logs. Configure syslog on all gateways.

Contact kyra@seekerslab.com for support.