SecurityCenter & Palo Alto Configuration Guide
About this Guide
This guide provides an overview of how to get the most from Palo Alto firewalls when using SecurityCenter, Nessus, and Log Correlation Engine (LCE).

Covered in this Guide:
1. Audit Scanning
2. Log Configuration on PAN-OS (Palo Alto Firewalls)
3. NetFlow Configuration (PAN-OS & LCE)
4. LCE Normalized Logs
5. SecurityCenter Dashboard & Reporting
Audit Scanning: SecurityCenter & PAN-OS

PAN-OS Configuration Tasks
1. Create a service account for SecurityCenter to use.
2. Allow SecurityCenter to connect to the management interface.
3. Set up SNMP as allowed by local security policies.

Service Account
1. Log in to PAN-OS and navigate to the Device tab.
2. In the left-hand menu, select Administrators.
3. Click the Add button at the bottom of the screen.
4. Fill out the fields accordingly. The audit only reads configuration and operational state, so give the account the least privilege that works (a read-only role) rather than a superuser role.
PAN-OS Management Interface
1. Log in to PAN-OS and navigate to the Device tab.
2. In the left-hand menu, select Setup, then the Management tab.
3. Click the edit (gear) icon in the Management Interface Settings section.
4. Configure the HTTPS, Ping, and SNMP management services.
5. Assign the Permitted IP Addresses as necessary. Restrict them to the SecurityCenter and Nessus scanner addresses (plus your administrative workstations, or you will lock yourself out of the management interface).
SNMP Configuration
1. Log in to PAN-OS and navigate to the Device tab.
2. In the left-hand menu, select Setup, then the Operations tab.
3. Click the SNMP Setup icon to enter the SNMP configuration.
4. Configure the SNMP settings according to local security policy. An SNMPv2c community string travels in cleartext, so prefer SNMPv3 with authentication and privacy where policy allows.
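The three PAN-OS tasks above expressed as one CLI configuration session, added here as an example; the original guide shows only the web UI steps, and this is not Palo Alto's or Tenable's own material. The syntax is PAN-OS 6.x/7.x configuration mode. The account name sc-audit, the community string sc-ro, the administrative subnet 10.10.1.0/24 and the use of 172.26.32.65 as the SecurityCenter address (the guide only uses that address for its LCE lab host) are assumptions.

```text
# PAN-OS 6.x/7.x CLI, configuration mode. Assumed values: account sc-audit,
# scanner address 172.26.32.65, admin subnet 10.10.1.0/24, community sc-ro.
configure

# 1. Service account for SecurityCenter/Nessus. Superreader is the built-in
#    read-only dynamic role; promote only if an audit check reports a permission error.
set mgt-config users sc-audit permissions role-based superreader yes
set mgt-config users sc-audit password          # prompts for the password interactively

# 2. Management interface: enable only what the scan needs (HTTPS for the XML API,
#    ping, SNMP) and disable cleartext services. Permitted IPs apply to every
#    management service, so include the admin workstations before committing.
set deviceconfig system service disable-https no
set deviceconfig system service disable-icmp no
set deviceconfig system service disable-snmp no
set deviceconfig system service disable-http yes
set deviceconfig system service disable-telnet yes
set deviceconfig system permitted-ip 172.26.32.65/32    # SecurityCenter / Nessus scanner
set deviceconfig system permitted-ip 10.10.1.0/24       # admin workstations (assumed)

# 3. SNMP. v2c is shown because its syntax is stable across releases; the community
#    string is sent in cleartext, so where policy allows configure "version v3"
#    under the same snmp-setting access-setting node with auth/priv users instead.
set deviceconfig system snmp-setting access-setting version v2c snmp-community-string sc-ro

commit
```

After the commit, confirm from the scanner host that TCP/443 and UDP/161 on the management address answer and that a host outside the permitted list is refused; the audit plugins need the HTTPS API, and the SNMP credential created later in SecurityCenter must match the community string (or SNMPv3 user) set here.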
SecurityCenter Configuration Tasks
1. Import Audit File
2. Create Credentials
3. Create Scan Policy

Import Audit File
1. Log in to SecurityCenter and select Support > Audit Files.
2. Click the Add button.
3. Provide a name and description for the audit file.
4. Browse to the audit file location and select the appropriate file.
5. Click Submit to save the file.
Create Credentials
1. Log in to SecurityCenter and select Support > Credentials.
2. Click the Add button.
3. SNMP credentials are added here; they must match the SNMP settings configured on the firewall.
Note: The PAN-OS API credentials (the service account created above) are not entered here; they are part of the scan policy.
Create Scan Policy
1. Log in to SecurityCenter and select Support > Scan Policies.
2. Click the Add button.
3. Configure the basic settings as needed. Note: Netstat port scanners are not necessary for this audit.
4. Select the audit file previously uploaded.
5. Enable plugins 64095 and 64286, along with other plugins as necessary.
6. Configure the PAN-OS settings (the service account username and password for the API) in Preferences.
Log Configuration: PAN-OS (Palo Alto Firewalls)

Log Configuration Settings
The PAN-OS log configuration settings are in four places:
1. Device > Server Profiles
2. Device > Log Settings
3. Objects > Log Forwarding
4. Policies (all policy types are configurable; this guide covers Permit and Deny security policies)
Device > Server Profiles
Configure the LCE as the syslog server.
1. Log in to PAN-OS and navigate to the Device tab.
2. In the left-hand menu, select Server Profiles > Syslog.
3. Create the syslog profile.
4. Set the LCE server IP, port, and the remaining profile settings (transport, format, and facility). The port and transport must match what the LCE server is listening on.
Device > Log Settings
Set up LCE to collect device-level syslog events.
1. Log in to PAN-OS and navigate to the Device tab.
2. In the left-hand menu, select Log Settings.
3. Under System, select the syslog server profile for each severity level that should be forwarded.
Note: Configuration change and commit events are forwarded from the Config log settings on the same page, not from the System severities; forward them too if you want the Paloalto-Configuration_* normalized events in LCE.
Objects > Log Forwarding
A Log Forwarding profile is attached to security policies and tells the firewall where to send the session logs those policies generate. This covers both permitted-traffic and denied-traffic events (and threat logs, if the profile forwards them).
1. Log in to PAN-OS and navigate to the Objects tab.
2. In the left-hand menu, select Log Forwarding.
3. Configure the profile as desired, sending Traffic (and optionally Threat) logs to the LCE syslog profile.
Policies
1. Log in to PAN-OS and navigate to the Policies tab.
Note: This example uses Security policies, but the same concept applies to every policy type that supports log forwarding.
2. In the left-hand menu, select Security.
3. Double-click a Permit policy. Check Log at Session Start and Log at Session End, then select the Log Forwarding profile.
4. Double-click a Deny policy. Check Log at Session Start and Log at Session End, then select the Log Forwarding profile.
Note: Logging at session start is what produces the Paloalto-Allow_*_Start events, but it roughly doubles traffic-log volume; logging at session end alone is the usual default if volume is a concern.
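The four log configuration steps above (server profile, device log settings, log forwarding profile, policy logging) as one CLI configuration session, added as an example; it is not code from the original guide or from Palo Alto or Tenable. The syntax is PAN-OS 6.x/7.x configuration mode; PAN-OS 8.0 and later replaced the per-severity system and config log-settings lines with match-list syntax, so check with ? on that release. The profile names LCE and LCE-forward, the rule names Allow-Web and Deny-All, and UDP/514 with BSD format are assumptions; 172.26.32.65 is the LCE address the guide uses for its lab.

```text
# PAN-OS 6.x/7.x CLI, configuration mode. Assumed names: syslog profile LCE,
# forwarding profile LCE-forward, rules Allow-Web and Deny-All.
configure

# Device > Server Profiles > Syslog: the LCE server as the syslog receiver.
set shared log-settings syslog LCE server lce-syslog server 172.26.32.65 transport UDP port 514 facility LOG_USER format BSD

# Device > Log Settings > System: forward every severity so the
# Paloalto-System_General_Msg and Paloalto-Authentication_* events arrive.
set shared log-settings system critical send-syslog using-syslog-setting LCE
set shared log-settings system high send-syslog using-syslog-setting LCE
set shared log-settings system medium send-syslog using-syslog-setting LCE
set shared log-settings system low send-syslog using-syslog-setting LCE
set shared log-settings system informational send-syslog using-syslog-setting LCE

# Device > Log Settings > Config: required for the Paloalto-Configuration_Edit,
# _Delete and _Commit events; the UI walkthrough only mentions the System severities.
set shared log-settings config any send-syslog using-syslog-setting LCE

# Objects > Log Forwarding: traffic (allow and deny) and threat logs to LCE.
set shared log-settings profiles LCE-forward traffic any send-syslog LCE
set shared log-settings profiles LCE-forward threat critical send-syslog LCE
set shared log-settings profiles LCE-forward threat high send-syslog LCE
set shared log-settings profiles LCE-forward threat medium send-syslog LCE
set shared log-settings profiles LCE-forward threat low send-syslog LCE
set shared log-settings profiles LCE-forward threat informational send-syslog LCE

# Policies > Security: log at both start and end (the Allow_*_Start/_End events
# need both) and attach the forwarding profile to a permit and a deny rule.
set rulebase security rules Allow-Web log-start yes log-end yes log-setting LCE-forward
set rulebase security rules Deny-All log-start yes log-end yes log-setting LCE-forward

commit
```

Syslog over UDP is neither authenticated nor encrypted, so keep the path between the firewall's management or service interface and the LCE on a management network. To confirm delivery after the commit, generate a session through Allow-Web and watch for it on the LCE host with tcpdump -ni <interface> udp port 514 before looking for the normalized event in SecurityCenter.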
NetFlow Configuration: PAN-OS & LCE

PAN-OS Settings
Configure the LCE as the NetFlow collector.
1. Log in to PAN-OS and navigate to the Device tab.
2. In the left-hand menu, select Server Profiles > Netflow.
3. Apply the applicable server settings, for example 172.26.32.65 : 9995 (the LCE NetFlow Monitor address and port).
4. Navigate to the Network tab and, in the left-hand menu, select Interfaces.
5. Choose the interface whose traffic should be exported.
6. Apply the NetFlow profile to that interface.
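The NetFlow server profile and interface binding above as a CLI configuration, added as an example rather than taken from the guide (not Palo Alto's or Tenable's own material). PAN-OS exports NetFlow v9 only. The profile name LCE-netflow and the interface ethernet1/1 are assumptions; 172.26.32.65:9995 is the guide's lab value. The three tuning lines after the host/port line use option names as I recall them from the PAN-OS 6.x/7.x CLI; the guide itself only requires the host and port, so verify those options with ? before relying on them.

```text
# PAN-OS 6.x/7.x CLI, configuration mode. Assumed: profile LCE-netflow, interface ethernet1/1.
configure

# Device > Server Profiles > Netflow: the LCE NetFlow Monitor is the collector.
# Use the same port here and in the LCE client policy (9995 in the guide's lab).
set shared server-profile netflow LCE-netflow server lce host 172.26.32.65 port 9995

# Optional tuning (option names assumed; verify with ?):
# export PAN-OS enterprise fields (App-ID, User-ID) in addition to the standard v9 fields
set shared server-profile netflow LCE-netflow export-enterprise-fields yes
# resend templates periodically so a restarted collector can decode records again
set shared server-profile netflow LCE-netflow template-refresh-rate minutes 30 packets 20
# export long-lived sessions every 5 minutes instead of only at session end
set shared server-profile netflow LCE-netflow active-timeout 5

# Network > Interfaces: bind the profile to each interface whose traffic should be exported.
set network interface ethernet ethernet1/1 layer3 netflow-profile LCE-netflow

commit
```

NetFlow, like UDP syslog, is unauthenticated: the collector accepts records from any source that reaches the port, so restrict the path to the LCE host to the firewall's exporting interface at the network level.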
NetFlow Client
1. Download and install the Tenable NetFlow Monitor client. The lab was built with the following version: TenableNetFlowMonitor-4.0.1-es6.x86_64.rpm
2. Set the LCE server in the client configuration file: /opt/netflow_monitor/tfm.conf
LCE Policy Configuration
1. Log in to SecurityCenter as admin.
2. Select Resources > LCE Clients.
3. Authorize the new client, then click Assign Policy.
4. Ensure the collector port in the policy is the same port configured in the Palo Alto NetFlow server profile.
More detailed NetFlow policies are supported, but are beyond the scope of this guide.

Normalized Logs: LCE

Normalized Logs
The Tenable LCE team has normalized a series of log events to support Palo Alto:
Paloalto-Allow_TCP_Start
Paloalto-Allow_TCP_End
Paloalto-Allow_UDP_Start
Paloalto-Allow_UDP_End
Paloalto-Allow_ICMP_Start
Paloalto-Allow_ICMP_End
Paloalto-Deny_TCP
Paloalto-Deny_UDP
Paloalto-Deny_ICMP
Paloalto-Configuration_Edit
Paloalto-Configuration_Delete
Paloalto-Configuration_Commit
Paloalto-System_General_Msg
Paloalto-Threat_Spyware
Paloalto-Threat_URL
Paloalto-Threat_Vulnerability
Paloalto-Threat_File
Paloalto-Threat_Virus
Paloalto-Authentication_Failed
Paloalto-Authentication_Failed_Threshold_Reached

Sample Normalized Events
Dashboard: SecurityCenter

Dashboard (Published 17 Oct 2013)
Dashboard Components

Palo Alto Status - Device Audit Vulnerabilities: This component displays a pass/fail indicator by check type. The Tenable_Palo_Alto_PAN-OS_Best_Practices.audit file has five check types, each focusing on a separate part of the configuration audit:
- Device: the firewall management and base operation settings
- Users: lists local users on the device
- Security: verifies the security settings of the configuration
- Update: verifies that the update server is configured
- Reports: the output from several report commands, used to display the report status

Palo Alto Status - NetFlow Summary: This component displays a summary of the top 10 TCP ports identified by the Palo Alto native NetFlow collector.

Palo Alto Status - NetFlow By Port: This component displays the session count of the top 10 TCP ports identified by the Palo Alto native NetFlow collector.

Palo Alto Status - Top 10 Events: This component displays the count of the top 10 Palo Alto syslog events.

Palo Alto Status - Event Trend Summary: This component displays a trend line for the top 10 Palo Alto syslog events.

Palo Alto Status - Event Indicator: This indicator component displays a series of Palo Alto syslog event indicators.

For Questions Contact
Cody Dumont