So I tried using the CEF format you linked and it didn't work for me. I am able to get threat traffic to pass with the default log format on the PA, but for some reason I can't use any of the attributes to match an enforcement policy. I've tried:
- rule_name
- Application
- sourceuser
I'm only using the PANW-Threat-Syslog-c dictionary, because that's the only one that works. I tried building a Traffic dictionary using the Threat-Syslog-c as a reference, but it won't bring in any attributes in the access tracker, just event and date, not PA attributes.
If I understand correctly I should be able to use the Threat dictionary for general traffic classification as well, because it is passing my application level traffic in the access tracker. I'm not actually generating threat traffic right now on the Palo Alto.
In my screenshots, for testing, I have log forwarding set up on a specific PA firewall rule that matches just my username. I'm then trying to take a traffic classification (google-base) and add an attribute to my endpoint as a result. As you can see from the screenshots, all of my traffic is just being classified under the default enforcement profile, pan-update-node, which is just a placeholder.
Is this intended behavior or should I have a traffic dictionary on the CPPM side to process this ingress information?
Thanks for your help Danny!