SecurityCenter & Palo Alto
Post on 23-Feb-2016
109 Views
Preview:
DESCRIPTION
Transcript
SecurityCenter & Palo AltoConfiguration Guide
About this Guide
•This guide provides an overview of how to get the most from Palo Alto firewalls when using SecurityCenter, Nessus, and Log Correlation Engine (LCE).
•Covered in this Guide:o Audit Scanningo Log Configuration on PAN-OS (Palo Alto Firewalls)o Netflow Configuration (PAN-OS & LCE)o LCE Normalized Logso SecurityCenter Dashboard & Reporting
Audit ScanningSecurityCenter & PAN-OS
PAN-OS Configuration Tasks
•Create a service account for SecurityCenter to use.
•Allow SecurityCenter to connect to management interface.
•Set up SNMP allowed by local security policies.
Service Account
• Login to PAN-OS and navigate to the Device tab.
• On the left hand side, in the menu items, select Administrators
• Click the “ADD” button at the bottom of the screen
• Fill out the fields accordingly
PAN-OS Management Interface
• Login to PAN-OS and navigate to the Device tab.
• On the left hand side, in the menu items, select “Setup” & Management Tab
• Click on the icon located in the “Management Interface Settings”
• Configure HTTPS/Ping/SNMP management services.
• Assign the Permitted IP Addresses as necessary
SNMP Configuration
• Login to PAN-OS and navigate to the Device tab.
• On the left hand side, in the menu items, select “Setup” & Operations Tab
• Click the icon to enter SNMP Configuration.
• Configure the SNMP Settings according to local security policy.
SecurityCenter Configuration Tasks
• Import Audit File• Create Credentials• Create Scan Policy
Import Audit File
• Login to SecurityCenter and select Support > Audit Files
• Click the button.• Provide a name and
description for the Audit File setting.
• Browse the audit file location and select the appropriate file.
• Click submit to save the file.
Create Credentials
• Login to SecurityCenter and select Support > Credentials
• Click the button.• SNMP credentials are added
here.• The API credentials are part
of the scan policy.
Create Scan Policy
• Login to SecurityCenter and select Support > Scan Policies
• Click the button.• Configure the basic settings as
needed. Note: Netstat port scanners are not necessary.
• Select the audit file previously uploaded.
• Enable plugin 64095 & 64286 along with other plugins as necessary.
• Configure PAN-OS settings in Preferences
Log ConfigurationPAN-OS (Palo Alto Firewalls)
Log Configuration Setting
•The PAN-OS log configuration settings are in 4 places.
•Device > Server Profiles•Device > Log Settings•Objects > Log Forwarding•Policies
o All policies are configurableo Permit Policieso Deny Policies
Device > Server Profiles
• Configure the LCE as the Syslog Server.
• Login to PAN-OS and navigate to the Device tab.
• On the left hand side, in the menu items, select Server Profiles > Syslog
• Create the syslog profile• Set the IP, port, log level
Device > Log Settings
• Set up LCE to collect device level syslog events.
• Login to PAN-OS and navigate to the Device tab.
• On the left hand side, in the menu items, select Log Settings
• System = Severity Setting • Select the syslog server
profile for each severity level.
Objects > Log Forwarding
• Log Forwarding is for security policies to use to forward logs. This can be for traffic based events and deny traffic events.
• Login to PAN-OS and navigate to the Objects tab.
• On the left hand side, in the menu items, select Log Forwarding
• Configure the setting as desired.
Policies
• Login to PAN-OS and navigate to the Policies tab.
• Note: In this example we will use “Security” policies, but the same concept applies to all types
• On the left hand side, in the menu items, select Security.
• Double click a Permit policyo Check Log at Session Start|Endo Select the Log Forwarding Service
• Double click a Deny policyo Check Log at Session Start|Endo Select the Log Forwarding Service
Netflow ConfigurationPAN-OS & LCE
PAN-OS Settings
• Configure the LCE as the Syslog Server.
• Login to PAN-OS and navigate to the Device tab.
o On the left hand side, in the menu items, select Server Profiles > Netflow Server
o Apply the applicable server settingso Ex: 172.26.32.65 : 9995
• Navigate to the Network tab.o On the left hand side, select Interfaceso Choose interface to capture network.o Apply Netflow profile
Netflow Client
•Download and install Netflow cliento The lab was built with the following version: TenableNetFlowMonitor-4.0.1-es6.x86_64.rpm
•Set the LCE Server in the config fileo /opt/netflow_monitor/tfm.conf
LCE Policy Configuration
• Login to SecurityCenter as “admin”• Select Resources > LCE Clients.• Authorize the new client, then click Assign Policy
• Ensure the port is configured the same on the Palo Alto firewall
• More detailed Netflow policies are supported, but are beyond the scope of this guide.
Normalized LogsLCE
Normalized Logs
•The Tenable LCE team has normalized a series of log events to support Palo Alto.• Paloalto-Allow_TCP_Start• Paloalto-Allow_TCP_End• Paloalto-Allow_UDP_Start• Paloalto-Allow_UDP_End• Paloalto-Allow_ICMP_Start• Paloalto-Allow_ICMP_End• Paloalto-Deny_TCP• Paloalto-Deny_UDP• Paloalto-Deny_ICMP• Paloalto-Deny_TCP• Paloalto-Deny_UDP• Paloalto-Deny_ICMP
• Paloalto-Configuration_Edit• Paloalto-Configuration_Delete• Paloalto-Configuration_Commit• Paloalto-System_General_Msg• Paloalto-Threat_Spyware• Paloalto-Threat_URL• Paloalto-Threat_Vulnerability• Paloalto-Threat_File• Paloalto-Threat_Virus• Paloalto-Authentication_Failed• Paloalto-
Authentication_Failed_Threshold_Reached
Sample Normalized Events
DashboardSecurityCenter
Dashboard (Published 17 Oct 2013)
Dashboard Components
Palo Alto Status - Device Audit Vulnerabilities - This component displays a pass/fail indicator by check type. The Tenable_Palo_Alto_PAN-OS_Best_Practices.audit file has 5 check types, each focusing on a separate part of the configuration audit.• Device: The firewall management and base operation settings• Users: Lists local users in the device• Security: Verifies the security setting of the configuration• Update: Verifies the update server is configured• Reports: The output from several report commands to display the report statusPalo Alto Status - Netflow Summary - This component displays a summary of the top 10 TCP ports identified by Palo Alto native network collector.Palo Alto Status - Netflow By Port - This component displays the session count of the top 10 TCP ports identified by Palo Alto native network collector.Palo Alto Status - Top 10 Events - This component displays count of the top 10 Palo Alto syslog events.Palo Alto Status - Event Trend Summary - This component displays a trend line for the top 10 Palo Alto syslog events.Palo Alto Status - Event Indicator - This indicator component displays a series of Palo Alto syslog event indicators.
For Questions ContactCody Dumont
cdumont@tenable.com
top related