Transcript SecurityCenter_and_PaloAlto_Config_Guide_v3

SecurityCenter & Palo Alto
Configuration Guide
About this Guide
• This guide provides an overview of how to get
the most from Palo Alto firewalls when using
SecurityCenter, Nessus, and Log Correlation
Engine (LCE).
• Covered in this Guide:
Audit Scanning
o Log Configuration on PAN-OS (Palo Alto Firewalls)
o Netflow Configuration (PAN-OS & LCE)
o LCE Normalized Logs
o SecurityCenter Dashboard & Reporting
o
Audit Scanning
SecurityCenter & PAN-OS
PAN-OS Configuration Tasks
• Create a service account for SecurityCenter to
use.
• Allow SecurityCenter to connect to management
interface.
• Set up SNMP allowed by local security policies.
Service Account
• Login to PAN-OS and
navigate to the Device tab.
• On the left hand side, in the
menu items, select
Administrators
• Click the “ADD” button at the
bottom of the screen
• Fill out the fields accordingly
PAN-OS Management Interface
• Login to PAN-OS and
navigate to the Device tab.
• On the left hand side, in the
menu items, select “Setup” &
Management Tab
• Click on the
icon located
in the “Management Interface
Settings”
• Configure
HTTPS/Ping/SNMP
management services.
• Assign the Permitted IP
Addresses as necessary
SNMP Configuration
• Login to PAN-OS and
navigate to the Device tab.
• On the left hand side, in the
menu items, select “Setup” &
Operations Tab
• Click the
icon to enter
SNMP Configuration.
• Configure the SNMP Settings
according to local security
policy.
SecurityCenter Configuration Tasks
• Import Audit File
• Create Credentials
• Create Scan Policy
Import Audit File
• Login to SecurityCenter and
select Support > Audit Files
• Click the
button.
• Provide a name and
description for the Audit File
setting.
• Browse the audit file location
and select the appropriate
file.
• Click submit to save the file.
Create Credentials
• Login to SecurityCenter and
select Support > Credentials
• Click the
button.
• SNMP credentials are added
here.
• The API credentials are part
of the scan policy.
Create Scan Policy
• Login to SecurityCenter and
select Support > Scan Policies
• Click the
button.
• Configure the basic settings as
needed. Note: Netstat port scanners are
not necessary.
• Select the audit file previously
uploaded.
• Enable plugin 64095 & 64286
along with other plugins as
necessary.
• Configure PAN-OS settings in
Preferences
Log Configuration
PAN-OS (Palo Alto Firewalls)
Log Configuration Setting
• The PAN-OS log configuration settings are in 4
places.
• Device > Server Profiles
• Device > Log Settings
• Objects > Log Forwarding
• Policies
All policies are configurable
o Permit Policies
o Deny Policies
o
Device > Server Profiles
• Configure the LCE as the
Syslog Server.
• Login to PAN-OS and
navigate to the Device tab.
• On the left hand side, in the
menu items, select Server
Profiles > Syslog
• Create the syslog profile
• Set the IP, port, log level
Device > Log Settings
• Set up LCE to collect device
level syslog events.
• Login to PAN-OS and
navigate to the Device tab.
• On the left hand side, in the
menu items, select Log
Settings
• System = Severity Setting
• Select the syslog server
profile for each severity level.
Objects > Log Forwarding
• Log Forwarding is for security
policies to use to forward
logs. This can be for traffic
based events and deny traffic
events.
• Login to PAN-OS and
navigate to the Objects tab.
• On the left hand side, in the
menu items, select Log
Forwarding
• Configure the setting as
desired.
Policies
• Login to PAN-OS and
navigate to the Policies tab.
• Note: In this example we will use “Security” policies,
but the same concept applies to all types
• On the left hand side, in the
menu items, select Security.
• Double click a Permit policy
o
Check Log at Session Start|End
o
Select the Log Forwarding Service
• Double click a Deny policy
o
Check Log at Session Start|End
o
Select the Log Forwarding Service
Netflow Configuration
PAN-OS & LCE
PAN-OS Settings
• Configure the LCE as the Syslog
Server.
• Login to PAN-OS and navigate to the
Device tab.
o
On the left hand side, in the menu
items, select Server Profiles >
Netflow Server
o
Apply the applicable server settings
o
Ex: 172.26.32.65 : 9995
• Navigate to the Network tab.
o
On the left hand side, select
Interfaces
o
Choose interface to capture network.
o
Apply Netflow profile
Netflow Client
• Download and install Netflow client
o
The lab was built with the following version:
TenableNetFlowMonitor-4.0.1-es6.x86_64.rpm
• Set the LCE Server in the config file
o
/opt/netflow_monitor/tfm.conf
LCE Policy Configuration
• Login to SecurityCenter as “admin”
• Select Resources > LCE Clients.
• Authorize the new client, then click Assign Policy
• Ensure the port is configured
the same on the Palo Alto
firewall
• More detailed Netflow policies
are supported, but are beyond
the scope of this guide.
Normalized Logs
LCE
Normalized Logs
• The Tenable LCE team has normalized a series
of log events to support Palo Alto.
• Paloalto-Allow_TCP_Start
• Paloalto-Allow_TCP_End
• Paloalto-Allow_UDP_Start
• Paloalto-Allow_UDP_End
• Paloalto-Allow_ICMP_Start
• Paloalto-Allow_ICMP_End
• Paloalto-Deny_TCP
• Paloalto-Deny_UDP
• Paloalto-Deny_ICMP
• Paloalto-Deny_TCP
• Paloalto-Deny_UDP
• Paloalto-Deny_ICMP
•
•
•
•
•
•
•
•
•
•
•
Paloalto-Configuration_Edit
Paloalto-Configuration_Delete
Paloalto-Configuration_Commit
Paloalto-System_General_Msg
Paloalto-Threat_Spyware
Paloalto-Threat_URL
Paloalto-Threat_Vulnerability
Paloalto-Threat_File
Paloalto-Threat_Virus
Paloalto-Authentication_Failed
PaloaltoAuthentication_Failed_Threshold_
Reached
Sample Normalized Events
Dashboard
SecurityCenter
Dashboard (Published 17 Oct 2013)
Dashboard Components
Palo Alto Status - Device Audit Vulnerabilities - This component displays a pass/fail
indicator by check type. The Tenable_Palo_Alto_PAN-OS_Best_Practices.audit file has 5
check types, each focusing on a separate part of the configuration audit.
• Device: The firewall management and base operation settings
• Users: Lists local users in the device
• Security: Verifies the security setting of the configuration
• Update: Verifies the update server is configured
• Reports: The output from several report commands to display the report status
Palo Alto Status - Netflow Summary - This component displays a summary of the top 10
TCP ports identified by Palo Alto native network collector.
Palo Alto Status - Netflow By Port - This component displays the session count of the top
10 TCP ports identified by Palo Alto native network collector.
Palo Alto Status - Top 10 Events - This component displays count of the top 10 Palo Alto
syslog events.
Palo Alto Status - Event Trend Summary - This component displays a trend line for the top
10 Palo Alto syslog events.
Palo Alto Status - Event Indicator - This indicator component displays a series of Palo Alto
syslog event indicators.
For Questions Contact
Cody Dumont
[email protected]