Ingest Logs from Zscaler Cloud Firewall

Extend Cortex XDR visibility into logs from Zscaler Cloud Firewall.
Ingesting logs and data requires a Cortex XDR Pro per TB license.
If you use Zscaler Cloud Firewall in your network, you can forward your firewall and network logs to Cortex XDR for analysis. This enables you to take advantage of Cortex XDR anomalous behavior detection and investigation capabilities. Cortex XDR can use the firewall and network logs from Zscaler Cloud Firewall as the sole data source, and can also use these firewall and network logs from Zscaler Cloud Firewall in conjunction with Palo Alto Networks firewall and network logs. For additional endpoint context, you can also use Cortex XDR to collect and alert on endpoint data.
As soon as Cortex XDR starts to receive logs, the app performs these actions:
  • Begins stitching network connection and firewall logs with other logs to form network stories. Cortex XDR can also analyze your logs to raise Analytics alerts and can apply IOC and BIOC rule matching. You can also use queries to search your network connection logs.
  • Creates a Zscaler XQL dataset (
    ) based on the
    fields defined on the Zscaler Cloud Firewall syslog configuration. This enables you to search the logs using XQL Search.
To integrate your logs, you first need to set up an applet in a broker VM within your network to act as a Syslog Collector. You then configure forwarding on your log devices to send logs to the syslog collector. To provide seamless log ingestion, Cortex XDR automatically maps the fields in your traffic logs to the Cortex XDR log format.
To ingest logs from Zscaler Cloud Firewall:
  1. Increase log storage for Zscaler Cloud Firewall logs. For more information, see Allocate Log Storage for Cortex XDR.
  2. Configure NSS log forwarding in Zscaler Cloud Firewall to the Syslog Collector:
    1. In the Zscaler Cloud Firewall application, go to
      Nanolog Streaming Service
    2. In the
      NSS Feeds
      Add NSS Feed
    3. In the
      Add NSS Feed
      screen, configure the fields for the Cortex XDR Syslog Collector.
      The following image displays the fields required to add an NSS feed.
      For more information on configuring the other configurations on the screen, see the Zscaler Cloud Firewall documentation for Adding NSS Feeds for Firewall Logs.
      • SIEM TCP Port
        —Specify the port that you set when activating the Syslog Collector in Cortex XDR. See
        Step 1
      • SIEM IP Address
        —Specify the IP that you set when activating the Syslog Collector in Cortex XDR. See
        Step 1
      • Feed Escape Character
        —Specify the feed escape character as
      • Feed Output Type
      • Feed Output Format
        —Specify the output format using the following:
        %s{mon} %02d{dd} %02d{hh}:%02d{mm}:%02d{ss} zscaler-nss-fw CEF:0|Zscaler|NSSFWlog|5.7|%s{action}|%s{rulelabel}|3|act=%s{action} suser=%s{login} src=%s{csip} spt=%d{csport} dst=%s{cdip} dpt=%d{cdport} deviceTranslatedAddress=%s{ssip} deviceTranslatedPort=%d{ssport} destinationTranslatedAddress=%s{sdip} destinationTranslatedPort=%d{sdport} sourceTranslatedAddress=%s{tsip} sourceTranslatedPort=%d{tsport} proto=%s{ipproto} tunnelType=%s{ttype} dnat=%s{dnat} stateful=%s{stateful} spriv=%s{location} reason=%s{rulelabel} in=%ld{inbytes} out=%ld{outbytes} rt=%s{mon} deviceDirection=1 cs1=%s{dept} cs1Label=dept cs2=%s{nwsvc} cs2Label=nwService cs3=%s{nwapp} cs3Label=nwApp cs4=%s{aggregate} cs4Label=aggregated cs5=%s{threatcat} cs5Label=threatcat cs6=%s{threatname} cs6label=threatname cn1=%d{durationms} cn1Label=durationms cn2=%d{numsessions} cn2Label=numsessions cs5Label=ipCat cs5=%s{ipcat} destCountry=%s{destcountry} avgduration=%d{avgduration}
    4. Click
    5. Click
      and activate the change according to the Zscaler Cloud Firewall documentation.

Recommended For You