1 / 28

SecurityCenter & Palo Alto

SecurityCenter & Palo Alto. Configuration Guide. About this Guide . This guide provides an overview of how to get the most from Palo Alto firewalls when using SecurityCenter, Nessus, and Log Correlation Engine (LCE). Covered in this Guide: Audit Scanning

oakes
Download Presentation

SecurityCenter & Palo Alto

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. SecurityCenter & Palo Alto Configuration Guide

  2. About this Guide • This guide provides an overview of how to get the most from Palo Alto firewalls when using SecurityCenter, Nessus, and Log Correlation Engine (LCE). • Covered in this Guide: • Audit Scanning • Log Configuration on PAN-OS (Palo Alto Firewalls) • Netflow Configuration (PAN-OS & LCE) • LCE Normalized Logs • SecurityCenter Dashboard & Reporting

  3. Audit Scanning SecurityCenter & PAN-OS

  4. PAN-OS Configuration Tasks • Create a service account for SecurityCenter to use. • Allow SecurityCenter to connect to management interface. • Set up SNMP allowed by local security policies.

  5. Service Account • Login to PAN-OS and navigate to the Device tab. • On the left hand side, in the menu items, select Administrators • Click the “ADD” button at the bottom of the screen • Fill out the fields accordingly

  6. PAN-OS Management Interface • Login to PAN-OS and navigate to the Device tab. • On the left hand side, in the menu items, select “Setup” & Management Tab • Click on the icon located in the “Management Interface Settings” • Configure HTTPS/Ping/SNMP management services. • Assign the Permitted IP Addresses as necessary

  7. SNMP Configuration • Login to PAN-OS and navigate to the Device tab. • On the left hand side, in the menu items, select “Setup” & Operations Tab • Click the icon to enter SNMP Configuration. • Configure the SNMP Settings according to local security policy.

  8. SecurityCenter Configuration Tasks • Import Audit File • Create Credentials • Create Scan Policy

  9. Import Audit File • Login to SecurityCenter and select Support > Audit Files • Click the button. • Provide a name and description for the Audit File setting. • Browse the audit file location and select the appropriate file. • Click submit to save the file.

  10. Create Credentials • Login to SecurityCenter and select Support > Credentials • Click the button. • SNMP credentials are added here. • The API credentials are part of the scan policy.

  11. Create Scan Policy • Login to SecurityCenter and select Support > Scan Policies • Click the button. • Configure the basic settings as needed. Note: Netstat port scanners are not necessary. • Select the audit file previously uploaded. • Enable plugin 64095 & 64286 along with other plugins as necessary. • Configure PAN-OS settings in Preferences

  12. Log Configuration PAN-OS (Palo Alto Firewalls)

  13. Log Configuration Setting • The PAN-OS log configuration settings are in 4 places. • Device > Server Profiles • Device > Log Settings • Objects > Log Forwarding • Policies • All policies are configurable • Permit Policies • Deny Policies

  14. Device > Server Profiles • Configure the LCE as the Syslog Server. • Login to PAN-OS and navigate to the Device tab. • On the left hand side, in the menu items, select Server Profiles > Syslog • Create the syslog profile • Set the IP, port, log level

  15. Device > Log Settings • Set up LCE to collect device level syslog events. • Login to PAN-OS and navigate to the Device tab. • On the left hand side, in the menu items, select Log Settings • System = Severity Setting • Select the syslog server profile for each severity level.

  16. Objects > Log Forwarding • Log Forwarding is for security policies to use to forward logs. This can be for traffic based events and deny traffic events. • Login to PAN-OS and navigate to the Objects tab. • On the left hand side, in the menu items, select Log Forwarding • Configure the setting as desired.

  17. Policies • Login to PAN-OS and navigate to the Policies tab. • Note: In this example we will use “Security” policies, but the same concept applies to all types • On the left hand side, in the menu items, select Security. • Double click a Permit policy • Check Log at Session Start|End • Select the Log Forwarding Service • Double click a Deny policy • Check Log at Session Start|End • Select the Log Forwarding Service

  18. NetflowConfiguration PAN-OS & LCE

  19. PAN-OS Settings • Configure the LCE as the Syslog Server. • Login to PAN-OS and navigate to the Device tab. • On the left hand side, in the menu items, select Server Profiles > Netflow Server • Apply the applicable server settings • Ex: 172.26.32.65 : 9995 • Navigate to the Network tab. • On the left hand side, select Interfaces • Choose interface to capture network. • Apply Netflow profile

  20. Netflow Client • Download and install Netflow client • The lab was built with the following version: TenableNetFlowMonitor-4.0.1-es6.x86_64.rpm • Set the LCE Server in the config file • /opt/netflow_monitor/tfm.conf

  21. LCE Policy Configuration • Login to SecurityCenter as “admin” • Select Resources > LCE Clients. • Authorize the new client, then click Assign Policy • Ensure the port is configured the same on the Palo Alto firewall • More detailed Netflow policies are supported, but are beyond the scope of this guide.

  22. Normalized Logs LCE

  23. Normalized Logs • The Tenable LCE team has normalized a series of log events to support Palo Alto. • Paloalto-Allow_TCP_Start • Paloalto-Allow_TCP_End • Paloalto-Allow_UDP_Start • Paloalto-Allow_UDP_End • Paloalto-Allow_ICMP_Start • Paloalto-Allow_ICMP_End • Paloalto-Deny_TCP • Paloalto-Deny_UDP • Paloalto-Deny_ICMP • Paloalto-Deny_TCP • Paloalto-Deny_UDP • Paloalto-Deny_ICMP • Paloalto-Configuration_Edit • Paloalto-Configuration_Delete • Paloalto-Configuration_Commit • Paloalto-System_General_Msg • Paloalto-Threat_Spyware • Paloalto-Threat_URL • Paloalto-Threat_Vulnerability • Paloalto-Threat_File • Paloalto-Threat_Virus • Paloalto-Authentication_Failed • Paloalto-Authentication_Failed_Threshold_Reached

  24. Sample Normalized Events

  25. Dashboard SecurityCenter

  26. Dashboard (Published 17 Oct 2013)

  27. Dashboard Components Palo Alto Status - Device Audit Vulnerabilities - This component displays a pass/fail indicator by check type.  The Tenable_Palo_Alto_PAN-OS_Best_Practices.audit file has 5 check types, each focusing on a separate part of the configuration audit. • Device: The firewall management and base operation settings • Users:  Lists local users in the device • Security: Verifies the security setting of the configuration • Update: Verifies the update server is configured • Reports:  The output from several report commands to display the report status Palo Alto Status - NetflowSummary - This component displays a summary of the top 10 TCP ports identified by Palo Alto native network collector. Palo Alto Status - NetflowBy Port - This component displays the session count of the top 10 TCP ports identified by Palo Alto native network collector. Palo Alto Status - Top 10 Events - This component displays count of the top 10 Palo Alto syslog events. Palo Alto Status - Event Trend Summary - This component displays a trend line for the top 10 Palo Alto syslog events. Palo Alto Status - Event Indicator - This indicator component displays a series of Palo Alto syslog event indicators.  

  28. For Questions Contact Cody Dumont cdumont@tenable.com

More Related