MaryCordova Frequent Contributor.

Activate Palo Alto PAN-OS L1 Package

Is there an I&W for Palo Alto PAN-OS L1?

 

I'm using an L1 I&W for another product and most of the base rules correspond, but I need a product-specific version to capture non-generic rules as well as the correct Device Group and Device Type.
Accepted Solutions
MaryCordova Frequent Contributor.
Re: Activate Palo Alto PAN-OS L1 Package

New I&W:

First pass .arb:

prentice@hpe.co Honored Contributor.
Re: Activate Palo Alto PAN-OS L1 Package

Hey Mary,

Not yet, as far as I know. As usual, the four common areas (user authentication, user management, service installation/changes, and errors) are common for all devices; it's the product-specific (aka "suspicious") events that take the real research. You're on the right track by looking at similar product I&Ws.

Thanks!

MaryCordova Frequent Contributor.
Re: Activate Palo Alto PAN-OS L1 Package

Thanks Prentice! A couple of things:

  1. Are you or John aware of any other customers developing this package? I don't want to duplicate work.
  2. I am currently using the Imperva WAF I&W as that was a copy I had lying around
  3. I'll attach the I&W here
  4. So far I have the following filters built from the attached I&W, which specifically identifies the events used for these filters:
    1. System and Service Changes*: lines 4, 9 (should be made into a single filter?), 11, 13
    2. System and Service Errors*: lines 17 (should be made into a single filter?), 18 (should be made into a single filter?), 25
    3. User/Group Management*: line 31
    4. User/Host Authentication*: lines 49, 50
    5. URL Category*: lines 51-80
    6. *Column O indicates that I have actual events to analyze, P indicates the name that I used for the filter, Q indicates that I have written the filter, R indicates that the actual filter logic is available in I&W for analysis
  5. I expect to have the following additional stimulus response filters created this week:
    1. Various User Auth/Mgmt: lines 27, 29, 31, 37 and others as are possible to generate
  6. What I need to build rules off of filters from above categories 1-4:
    1. Specific string to use for Column F in attached I&W "Device Group"
    2. Specific string to use for Column G in attached I&W "Device Type"
    3. Confirmation that the string to use for Column H should not change
  7. What I need to build rules off of filters from above category 5:
    1. Column values for C-N
    2. I have sent this request over to my team as well since some of this may be site specific alerting based on corporate policy
  8. Attached also is some Palo Alto PAN-OS docs

Let me know if you need anything further; I can do a Webex if you'd like. Shoot me over an invite anytime.

-Mary

Attached screenshots: Core_Filters.JPG, URL_Filters.JPG
MaryCordova Frequent Contributor.
Re: Activate Palo Alto PAN-OS L1 Package

Can't attach docs... here are the upload links:

mike_of_many Trusted Contributor.
Re: Activate Palo Alto PAN-OS L1 Package

Mary,

Looking good so far.

  1. Specific string to use for Column F in attached I&W "Device Group"
  2. Specific string to use for Column G in attached I&W "Device Type"

For these, without overriding them, what do they show up as in ESM? From there, John or Prentice, do you have an idea for overriding the Device Group or Device Type? While Palo Alto separates the web content as "traffic" from the IDS as "threat", I don't know or recall if it separates the device type.

John, Prentice, do you have any gut reaction to keeping such events separated? IDS is IDS/IPS and Web Proxy Content is... (drawing a blank for the default device type for web content/proxy traffic).

Mike

prentice@hpe.co Honored Contributor.
Re: Activate Palo Alto PAN-OS L1 Package

As far as I know, there isn't anybody working on PAN content for Activate.

MaryCordova Frequent Contributor.
Re: Activate Palo Alto PAN-OS L1 Package

OK, for Device Group and Device Type I've decided on the following:

DG=Perimeter

DT=Next-Gen Firewall

linhvm Super Contributor.

Re: Activate Palo Alto PAN-OS L1 Package

Hi,

Could you share the packages? Thank you!

Brgds,
Linh.

MaryCordova Frequent Contributor.

Re: Activate Palo Alto PAN-OS L1 Package

Updated the .arb file (it's a .zip now, but it will import fine). This is just the basic L1 package with the initial rule-set and filters built for all products: System Errors, System Changes, User Auth, User Mgmt for the Palo Alto appliances themselves. An L2 package with security posture needs to be developed.

MaryCordova Frequent Contributor.

Re: Activate Palo Alto PAN-OS L1 Package

(average user rating 4.5 stars...if I gave myself a 4 that means somebody else thinks I'm a 5...WOOOOOOOO )

andrew.dalbor Outstanding Contributor.

Re: Activate Palo Alto PAN-OS L1 Package

Brilliant... just saved me a ton of work. Many thanks!
