
Sending Palo Alto Networks firewall alerts to Slack

source link: https://rowelldionicio.com/sending-palo-alto-networks-firewall-alerts-to-slack/

February 5, 2023 By Rowell

Aren’t you tired of getting lost in logs? Email is the worst way to get logs too; no one reads them. I have a folder with over 190k unread emails about various logs, and it’s hard to go through.

If your organization is like mine, we heavily utilize Slack. It would be great if specific logs could be delivered to a Slack channel.

My goal is to configure my Palo Alto Networks firewall to send specific logs from my domain email address through Gmail.

To make this work properly and to prevent spam, I’ll be setting up my Gmail SMTP Relay through Google Workspace.

Within Gmail, I’ll configure the SMTP Relay to allow emails from specific IP addresses; alternatively, SMTP authentication can be used.

Set up Gmail SMTP Relay

The Gmail SMTP Relay service is important for sending with an organizational email address. We want to be sure this is done correctly so that spam isn’t sent from our email domain. Within Google Workspace, we use SMTP Relay.

The benefit of the Gmail SMTP Relay is that only authorized third-party devices, such as our firewall, can send mail through it. The same setup works for devices such as printers, scanners, and more.

The Gmail SMTP Relay allows you to send emails from your devices through smtp-relay.gmail.com.

You’ll need administrator access to your Google Workspace. Then head over to the Gmail Routing settings, scroll down to SMTP relay service, and click Add Rule.

[Screenshot: Gmail SMTP relay service]

After giving this service a name (I’ve named it SMTP Relay), we have some options to select. If you’d like to use an email address in your organization then select “Only addresses in my domains” for the first option.

Under Authentication, we have two options:

  1. Only accept mail from specified IP addresses
  2. Require SMTP Authentication

For simplicity, I will use option 1. In the screenshot, I’ve added the specific IP addresses that emails will come from, with the full addresses blurred out.

Using IP addresses alone is less secure, but I just want to set up something simple.

The third option is to require TLS for the connection.

[Screenshot: settings for the SMTP relay service]

Set up Slack

Now that we’ve taken care of the SMTP Relay Service, let’s head over to our Slack channel and set up an email address to send to.

To generate an email address for the channel that will receive alerts, click on the down arrow to open the channel details. Then click on Integrations and on “Send emails to this channel” at the bottom.

[Screenshot: generating the Slack channel email address]

You’ll be prompted to confirm setting up an email address. Click on “Get Email Address.”

Then copy the email address that was automatically generated for you and save it. You can always go back to this section to find out what your Slack channel email address is.

[Screenshot: the email alerts channel]

Here’s an example of an email alert inside of the Slack channel.

[Screenshot: Palo Alto Networks alert email as shown in the Slack channel]

Palo Alto Networks Firewall

Let’s log into our Palo Alto Networks firewall and click on Device on the top navigation menu. We need to configure an Email Server Profile so we can send alerts to the email address that was generated for our Slack channel.

[Screenshot: PAN-OS Email Server Profile configuration]

Create a new Email Server Profile, give it a name, an Email Display Name, and the from email address you want these alerts to come from.

In the To field, paste in the Slack channel email address.

The email gateway must be set to smtp-relay.gmail.com.

In our Gmail SMTP Relay configuration earlier, we chose the sender’s IP address as the way to authenticate it. That means we’ll set the Type in the Email Server Profile to Unauthenticated SMTP and use port 587.

[Screenshot: Email Server Profile]

Click on Test Connection and you should get a notification in your Slack channel. If you don’t receive a test notification then head over to the troubleshooting section below.

Log Settings

The next step is to set up specific logs to be sent to our Slack email address. Under the Device tab, click Log Settings on the left.

For each type of log you want to be notified about, we add Email as a Forward Method. For example, under System and Configuration click Add, give the forwarder a name, and filter on the types of alerts you want forwarded.

Then add the Email Server profile we created earlier under the Email Forward section.

[Screenshot: PAN-OS Log Settings]

You’ll repeat this step for each type of log section.

[Screenshot: Log Settings with the Email forwarder added]

Be sure to commit your configuration to the firewall.

Troubleshooting

If the Test Connection under the Email Server Profile configuration failed, re-check your Gmail SMTP Relay Service options: that the correct IP address is allowed and that the correct authentication is configured (if being used).

From the sending device side, try using port 25 or port 587.
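A way to reproduce the firewall’s Test Connection from a host on the same allowlisted IP, as an added example that is not part of the original post: it sends one unauthenticated STARTTLS message to smtp-relay.gmail.com:587 and maps the relay’s reply to the troubleshooting step it points at. The addresses, domain and sample replies are constructed placeholders, and the reply mapping is keyed on standard SMTP reply codes and RFC 3463 enhanced status codes, not on Gmail’s exact wording.

```python
import smtplib
import ssl
from email.message import EmailMessage

RELAY_HOST = "smtp-relay.gmail.com"
RELAY_PORT = 587  # what the Email Server Profile uses; the post suggests 25 as a fallback


def build_test_message(sender, slack_address, org_domain=None):
    """From must be in the Workspace domain ("Only addresses in my domains"); To is the Slack channel address."""
    if org_domain and sender.rsplit("@", 1)[-1].lower() != org_domain.lower():
        raise ValueError(f"sender {sender} is outside {org_domain}; the relay rule will reject it")
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = slack_address
    msg["Subject"] = "PAN-OS relay test"
    msg.set_content("Test alert from the firewall via Gmail SMTP relay.")
    return msg


def classify_reply(code, text):
    """Map an SMTP reply to a troubleshooting step, keyed on code and enhanced status class."""
    first = text.split(maxsplit=1)[0] if text else ""
    status = first if first[:1].isdigit() else ""
    if 200 <= code < 300:
        return "accepted: check the Slack channel"
    if status.startswith("5.7.") or code == 550:
        return "policy rejection: sender IP not in the relay allowlist, or From address outside the allowed domains"
    if 400 <= code < 500:
        return "temporary failure: retry, then check Google's Email Log Search"
    return f"unexpected reply {code}: {text}"


def send_via_relay(msg, host=RELAY_HOST, port=RELAY_PORT):
    """Unauthenticated SMTP over STARTTLS (Type = Unauthenticated SMTP, TLS required); needs network access."""
    def _text(b):
        return b if isinstance(b, str) else b.decode(errors="replace")
    try:
        with smtplib.SMTP(host, port, timeout=20) as smtp:
            smtp.starttls(context=ssl.create_default_context())
            smtp.send_message(msg)  # no smtp.login(): authorization is by source IP
            return classify_reply(250, "2.0.0 OK")
    except smtplib.SMTPRecipientsRefused as e:  # RCPT TO rejected for every recipient
        code, text = next(iter(e.recipients.values()))
        return classify_reply(code, _text(text))
    except smtplib.SMTPResponseException as e:  # MAIL FROM / DATA / greeting rejected
        return classify_reply(e.smtp_code, _text(e.smtp_error))
```

Run `send_via_relay(build_test_message("alerts@example.com", "<slack-channel-address>", "example.com"))` from the firewall’s network; a policy rejection means the relay rule, not Slack, is the place to look.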

Google has an Email Log Search where you can find out why emails are not being forwarded to your Slack channel, and where you can verify that email is making it through successfully.

Here’s an example of what a blocked message looks like.

[Screenshot: Email Log Search showing a blocked message]

You’ll be able to view messages that were delivered as well. If you click on the subject you can view more details along with the destination email address it is being sent to.

[Screenshot: Email Log Search showing a delivered message]

Do you have any questions? Let me know in the comments below.
