anurag.n.srivas

Use Cases for Palo Alto Firewall

Hello All,

My organization is planning to integrate Palo Alto Firewall with Arcsight.

So, just want to know, what are the possible Use Cases which can be built for Palo Alto Firewall for a better analysis and alerting of events coming from the Firewall.

Appreciate your Response.

Thanks,

Anurag Srivastava

11 Replies
rkent1

Re: Use Cases for Palo Alto Firewall

First, start by familiarizing yourself with the Palo Alto CEF formatting guide, and which data points are available for your use:

PAN has 5 major categories of events, and they can cover different use case areas:

1) TRAFFIC - This will line up with standard out-of-the-box ArcSight FW use cases, but you'll want to extend the out-of-the-box content to include APP-ID, USER-ID and CONTENT-ID fields. E.g. instead of querying for port 53, now you can run a report where traffic type = "DNS", and it will include DNS traffic that has been tunneled over another port.

2) THREAT - This will also line up with some of the out-of-the-box IDS/IPS intrusion content fairly easily, but once again you'll want to include the application/user/content-awareness data points of an NG-FW. You can now run a report for the user who is causing the most high-severity IPS signatures quite easily.

If you also use WILDFIRE, those alerts will fall under the THREAT category, and they will probably be your single most critical events, particularly those that are deemed 'malicious'.

3) CONFIG - make sure you cover off your configuration change monitoring, reviewing changes every time someone hits 'commit'. As of PAN 5.x you can also include the fields for before/after change values: cs1Label=Before Change Detail cs1=$before-change-detail cs2Label=After Change Detail cs2=$after-change-detail


There's a bug with the default CEF format though: I've submitted a ticket to Palo Alto and I've written instructions on how to fix the bug in the comments here -> https://live.paloaltonetworks.com/docs/DOC-7088#comment-7682

4) SYSTEM - alert on critical error messages

5) HIP - haven't used this feature set too much - if you have some good use cases here, please feel free to share back.

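The three TRAFFIC / THREAT / CONFIG use cases rkent1 lists above, as an added example that is not part of the original post or of any ArcSight content: a small CEF parser run over constructed sample events laid out the way the PAN-OS CEF formatting guide maps them (log type in the header Name field, App-ID in app, User-ID in suser, before/after change detail in cs1/cs2). The sample lines, the port table and the severity threshold are assumptions for the example; the actual field mapping must be checked against the guide for your PAN-OS version.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample events in the PAN-OS CEF layout (header Name field = log type,
# cs1/cs2 = before/after config detail as in the CEF formatting guide). Not real logs.
SAMPLE_EVENTS = [
    "CEF:0|Palo Alto Networks|PAN-OS|5.0|end|TRAFFIC|1|rt=Jan 10 2014 10:00:01 src=10.1.1.5 dst=8.8.8.8 spt=51234 dpt=53 proto=udp app=dns suser=jdoe act=allow",
    "CEF:0|Palo Alto Networks|PAN-OS|5.0|end|TRAFFIC|1|rt=Jan 10 2014 10:00:02 src=10.1.1.7 dst=203.0.113.9 spt=40211 dpt=443 proto=tcp app=dns suser=mallory act=allow",
    "CEF:0|Palo Alto Networks|PAN-OS|5.0|end|TRAFFIC|1|rt=Jan 10 2014 10:00:03 src=10.1.1.8 dst=198.51.100.20 spt=40000 dpt=443 proto=tcp app=ssl suser=alice act=allow",
    "CEF:0|Palo Alto Networks|PAN-OS|5.0|30845|THREAT|5|rt=Jan 10 2014 10:01:00 src=10.1.1.7 dst=203.0.113.9 app=web-browsing suser=mallory cat=vulnerability msg=Exploit attempt (constructed) act=alert",
    "CEF:0|Palo Alto Networks|PAN-OS|5.0|30845|THREAT|5|rt=Jan 10 2014 10:02:00 src=10.1.1.7 dst=203.0.113.9 app=web-browsing suser=mallory cat=vulnerability msg=Exploit attempt (constructed) act=alert",
    "CEF:0|Palo Alto Networks|PAN-OS|5.0|12345|THREAT|3|rt=Jan 10 2014 10:03:00 src=10.1.1.8 dst=198.51.100.20 app=ssl suser=alice cat=spyware msg=Low severity hit (constructed) act=alert",
    "CEF:0|Palo Alto Networks|PAN-OS|5.0|0|CONFIG|1|rt=Jan 10 2014 10:10:00 suser=admin act=commit cs1Label=Before Change Detail cs1=rule allow-dns action deny cs2Label=After Change Detail cs2=rule allow-dns action allow",
]

HEADER_FIELDS = ("version", "vendor", "product", "dev_version", "signature_id", "name", "severity")
_EXT_KEY = re.compile(r"(?:^|\s)(\w+)=")  # every "key=" boundary in the extension part

# Assumed standard ports per App-ID; anything else is App-ID saying "dns" on a non-DNS port.
WELL_KNOWN_PORTS = {"dns": {"53"}, "ssl": {"443"}, "web-browsing": {"80"}}


def parse_cef(line: str) -> Dict[str, str]:
    """Split the seven pipe-delimited header fields, then the key=value extensions."""
    parts = re.split(r"(?<!\\)\|", line, maxsplit=7)  # a pipe escaped as \| stays in its field
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF line: %r" % line[:40])
    event = dict(zip(HEADER_FIELDS, parts[:7]))
    event["version"] = event["version"][len("CEF:"):]
    ext = parts[7]
    keys = list(_EXT_KEY.finditer(ext))
    for i, m in enumerate(keys):
        # a value runs from after its "=" up to the start of the next "key=" (values may contain spaces)
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        event[m.group(1)] = ext[m.end():end].strip()
    return event


def resolve_labels(event: Dict[str, str]) -> Dict[str, str]:
    """Expose cs1/cs2 under their cs1Label/cs2Label names, e.g. 'Before Change Detail'."""
    out = dict(event)
    for key, label in event.items():
        if key.endswith("Label") and key[:-5] in event:
            out[label] = event[key[:-5]]
    return out


def tunneled_apps(events: List[Dict[str, str]]) -> List[Tuple[str, str, str, str, str]]:
    """TRAFFIC use case: App-ID identifies an application on a port other than its standard one."""
    hits = []
    for e in events:
        if e.get("name") != "TRAFFIC":
            continue
        expected = WELL_KNOWN_PORTS.get(e.get("app", ""))
        if expected and e.get("dpt") not in expected:
            hits.append((e.get("suser", ""), e.get("src", ""), e.get("dst", ""), e["app"], e.get("dpt", "")))
    return hits


def top_threat_users(events: List[Dict[str, str]], min_severity: int = 4) -> List[Tuple[str, int]]:
    """THREAT use case: which User-ID triggers the most high-severity signatures."""
    counts = Counter(
        e.get("suser", "unknown")
        for e in events
        if e.get("name") == "THREAT" and int(e.get("severity", "0")) >= min_severity
    )
    return counts.most_common()


def config_changes(events: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """CONFIG use case: who committed what, with the before/after detail from cs1/cs2."""
    return [
        (e.get("suser", ""), e.get("Before Change Detail", ""), e.get("After Change Detail", ""))
        for e in events
        if e.get("name") == "CONFIG"
    ]


if __name__ == "__main__":
    parsed = [resolve_labels(parse_cef(line)) for line in SAMPLE_EVENTS]
    print("App-ID on non-standard port:", tunneled_apps(parsed))
    print("Top users by high-severity threats:", top_threat_users(parsed))
    print("Config commits (user, before, after):", config_changes(parsed))
```

The DNS-on-443 hit is the point of the first use case: a port-53 filter never sees it, a filter on the App-ID does. In ArcSight the same three checks become a filter on applicationProtocol versus destinationPort, a top-N report on sourceUserName over THREAT events with a severity floor, and a rule on CONFIG events that reports the two labelled custom strings.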
Mostafa_Soliman

Re: Use Cases for Palo Alto Firewall

Hi Richard,

I have noticed something related to the System messages: the Message field has the whole event parsed into it. Is that normal behavior for the CEF format? It makes differentiating between events very difficult, as the whole event is described in one field.

Kind Regards,

Mostafa

mhutchison

Re: Use Cases for Palo Alto Firewall

That is not normal Mostafa. It means the events are not being parsed correctly. You need to check to see if the format is correct for the version of PAN you are running.

rkent1

Re: Use Cases for Palo Alto Firewall

Martin is correct - it very likely means that the events are not being parsed correctly. If you can share an example of the parsing, we can tell you if it's being parsed properly or not.

EDIT: Please see correction below.

Mostafa_Soliman

Re: Use Cases for Palo Alto Firewall

Thanks a lot guys, I will check with my customer the current version of PAN-OS implemented in their environment and revert.

I will also try to get a sample of logs, raw and normalized for the system events.

Can you also provide me with a good normalized System event so I can compare? I have checked the CEF format for the system events and it has msg=$opaque, so what does $opaque usually stand for in PAN terms?

Cheers,

Mostafa

rkent1

Re: Use Cases for Palo Alto Firewall

Mostafa, I have to backtrack on what I said above: for SYSTEM events, $opaque is indeed the full description of the event, and the subtokens within it are not as 'fully parsed' as one might hope.

I've uploaded an extract of the official PAN documentation describing what all the fields that PAN can generate represent here ->

Further to that, this doc shows the message format of the $opaque field in the Description column, and a description of the parameters that should be fully parsed out in the Parameters column ->

Mostafa_Soliman

Re: Use Cases for Palo Alto Firewall

Hi Richard,

thanks a lot for sharing that, and the edit.

Mainly the reason I am integrating system logs is to get visibility into the users who log on via GlobalProtect (VPN), but if the message has all the details in one field it will be difficult to build a session list with the required information (username, IP, geo location, and login/logout time).

Were you able to do anything to get the events better parsed, or how are you handling the system events?

Cheers,

Mostafa

rkent1

Re: Use Cases for Palo Alto Firewall

I haven't done anything with these logs yet and won't be able to for another few weeks. Definitely though, it's a good opportunity for a parser override/extension.

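The parser override rkent1 and Mostafa discuss, as an added example that is not part of the original thread: SYSTEM events arrive with the whole description in msg=$opaque, so the GlobalProtect login/logout subtokens have to be pulled out of that one string before a session list (username, public IP, private IP, region, login/logout time) can be built. The message wording below is constructed in the style of PAN-OS GlobalProtect gateway messages and is an assumption; the real text varies by PAN-OS version, so the two regular expressions are the part to adjust against the $opaque formats in the documentation extract referenced above.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed (timestamp, msg) pairs standing in for SYSTEM events whose msg=$opaque
# carries the full description. Not real PAN-OS logs; wording is assumed.
SAMPLE_SYSTEM_MSGS = [
    ("2014-01-10 08:00:00", "GlobalProtect gateway user login succeeded. Login from: 198.51.100.23, Source region: GB, User name: jdoe, Private IP: 10.200.0.5"),
    ("2014-01-10 08:00:30", "GlobalProtect gateway user login succeeded. Login from: 203.0.113.77, Source region: DE, User name: asmith, Private IP: 10.200.0.6"),
    ("2014-01-10 08:05:00", "Interface ethernet1/1 link up"),
    ("2014-01-10 09:30:00", "GlobalProtect gateway user logout succeeded. Login from: 198.51.100.23, Source region: GB, User name: jdoe, Private IP: 10.200.0.5, Reason: client logout"),
    ("2014-01-10 09:45:00", "GlobalProtect gateway user logout succeeded. Login from: 192.0.2.9, Source region: US, User name: ghost, Private IP: 10.200.0.9, Reason: timeout"),
]

# Assumed message shape: a fixed prefix naming the action, then "Key: value" pairs separated by commas.
GP_EVENT = re.compile(r"^GlobalProtect gateway user (?P<action>login|logout) succeeded\.\s*(?P<fields>.*)$")
GP_FIELD = re.compile(r"(?P<key>[A-Za-z ]+?):\s*(?P<value>[^,]+)")


def parse_gp_message(msg: str) -> Optional[Dict[str, Optional[str]]]:
    """Return the GlobalProtect subtokens from one $opaque string, or None for other SYSTEM events."""
    m = GP_EVENT.match(msg)
    if not m:
        return None
    fields = {k.strip(): v.strip() for k, v in GP_FIELD.findall(m.group("fields"))}
    return {
        "action": m.group("action"),
        "user": fields.get("User name"),
        "public_ip": fields.get("Login from"),
        "private_ip": fields.get("Private IP"),
        "region": fields.get("Source region"),
    }


def build_sessions(records: List[Tuple[str, str]]) -> List[Dict[str, Optional[str]]]:
    """Pair logins with logouts per (user, public IP) into a session list.

    Closed sessions are emitted in logout order; sessions still open when the input
    ends are appended with logout=None; a logout with no matching login is kept
    with login=None so the gap is visible rather than silently dropped.
    """
    open_sessions: Dict[Tuple[Optional[str], Optional[str]], Dict[str, Optional[str]]] = {}
    sessions: List[Dict[str, Optional[str]]] = []
    for ts, msg in records:
        gp = parse_gp_message(msg)
        if gp is None:
            continue
        key = (gp["user"], gp["public_ip"])
        if gp["action"] == "login":
            open_sessions[key] = {
                "user": gp["user"], "public_ip": gp["public_ip"], "private_ip": gp["private_ip"],
                "region": gp["region"], "login": ts, "logout": None,
            }
            continue
        sess = open_sessions.pop(key, None)
        if sess is None:
            sess = {
                "user": gp["user"], "public_ip": gp["public_ip"], "private_ip": gp["private_ip"],
                "region": gp["region"], "login": None, "logout": None,
            }
        sess["logout"] = ts
        sessions.append(sess)
    sessions.extend(open_sessions.values())
    return sessions


if __name__ == "__main__":
    for s in build_sessions(SAMPLE_SYSTEM_MSGS):
        print(s)
```

In ArcSight terms the two regexes are what a parser override for the SYSTEM log type would map onto sourceUserName, sourceAddress, sourceTranslatedAddress and an action field; the session list is then a session list keyed on the user and public IP, opened on the login event and closed on the logout. The unmatched-logout case matters for that list: if the collector started after the login, closing on logout alone would otherwise leave the user invisible.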
Priyanka

Re: Use Cases for Palo Alto Firewall

Hi Anurag,

Have you built any use cases for the Palo Alto firewall? As we are also integrating the same in our environment, kindly suggest what use cases can be built for the Palo Alto firewall.

Regards,

Priyanka Sharma

abhishekm

Re: Use Cases for Palo Alto Firewall

Hi Anurag & Priyanka,

I require the Palo Alto firewall model & version details.

To integrate a successful use case in ArcSight you need to understand the scope of the Palo Alto firewall in your infrastructure, i.e. what functionality Palo Alto is performing as a firewall.

Here are the sample use cases we suggest to integrate for customers.

Use Case:

1 URL Control, Web Access & Monitoring

2 Track threats using IPS and network antivirus/anti-spyware.

3 Detection of anomalous ports, services and unpatched hosts/network devices

4 Monitoring for suspicious outbound connectivity and data transfers by using firewall logs, web proxy logs and network flows; detecting exfiltration and other suspicious external connectivity.

5 Validating intrusion detection system/intrusion prevention system (IDS/IPS) if that functionality is provided by the firewall.

If anything specific you want know regarding this you can write me back on abhimahadik06@gmail.com.

abhishekm

Re: Use Cases for Palo Alto Firewall

Anurag,

1 You can set up a dashboard or real-time rule on the basis of URL category, e.g. when a URL falls into the malicious or pornographic category.

A rule will then be triggered in ArcSight.

2 You can develop a threat intelligence mechanism with the help of the DShield & Zeus websites and integrate it by using a FlexConnector.

Just to give you background to understand how it functions:

The DShield & Zeus websites keep track of suspicious domains & blacklisted IP addresses.

This is tracked with the help of data from various organisations that do research & analysis on Internet storms & malware, and from sensors located to analyse public traffic.

This list is generated every day on their website.

You can fetch this data into ArcSight by using FlexConnectors & insert it into an active list.

Whenever any inbound or outbound traffic hits the firewall, it will be correlated with the help of rules defined on the ArcSight Manager.

So you can keep track of every single flow passing through the firewall.

This is a very interesting use case & customers like to have such a mechanism in their infrastructure.

Regards

Abhishek Mahadik

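The blocklist-to-active-list correlation abhishekm describes above, as an added example that is not part of the original post or of any ArcSight or DShield content: a feed is loaded into a list of networks plus a set of domains, and each firewall event is checked in both directions (internal host talking to a listed address, or a listed address hitting the perimeter). The feed text and the events are constructed for the example, and the one-entry-per-line layout with '#' comments is an assumption about the download format; the RFC 1918 ranges used to decide direction are a stand-in for your own internal network definition.

```python
import ipaddress
from typing import Dict, List, Set, Tuple

# Constructed blocklist text (one IP, CIDR or domain per line, '#' comments);
# a stand-in for a downloaded DShield / Zeus list, not a real feed.
BLOCKLIST_TEXT = """\
# constructed feed for the example
203.0.113.0/24        # whole /24 as DShield-style block lists publish
198.51.100.77
bad-c2.example
"""

# Constructed firewall TRAFFIC events already normalised to field names (not real logs).
SAMPLE_TRAFFIC = [
    {"src": "10.1.1.5", "dst": "203.0.113.40", "dpt": "443", "act": "allow"},
    {"src": "198.51.100.77", "dst": "192.0.2.10", "dpt": "22", "act": "deny"},
    {"src": "10.1.1.6", "dst": "8.8.8.8", "dpt": "53", "act": "allow"},
    {"src": "10.1.1.9", "dst": "192.0.2.50", "dpt": "80", "act": "allow", "host": "bad-c2.example"},
]

# Assumed definition of "internal" for direction; replace with your own network model.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def load_blocklist(text: str) -> Tuple[List[ipaddress.IPv4Network], Set[str]]:
    """Parse the feed into network objects (so /24 entries match any host inside) and a domain set."""
    nets: List[ipaddress.IPv4Network] = []
    domains: Set[str] = set()
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not entry:
            continue
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))  # single IPs become /32
        except ValueError:
            domains.add(entry.lower())  # anything that is not an address is treated as a domain
    return nets, domains


def in_any(ip: ipaddress.IPv4Address, nets: List[ipaddress.IPv4Network]) -> bool:
    return any(ip in n for n in nets)


def correlate(events: List[Dict[str, str]], nets: List[ipaddress.IPv4Network], domains: Set[str]) -> List[Dict[str, str]]:
    """Flag each event whose peer is on the list, tagged with the direction the analyst cares about."""
    alerts: List[Dict[str, str]] = []
    for e in events:
        src = ipaddress.ip_address(e["src"])
        dst = ipaddress.ip_address(e["dst"])
        internal_src = in_any(src, INTERNAL)
        if internal_src and in_any(dst, nets):
            # internal host reaching out to a listed address: possible C2 / exfiltration
            alerts.append({"direction": "outbound", "host": e["src"], "indicator": e["dst"], "action": e["act"]})
        elif not internal_src and in_any(src, nets):
            # listed address hitting the perimeter: scanning / brute force, even if denied
            alerts.append({"direction": "inbound", "host": e["dst"], "indicator": e["src"], "action": e["act"]})
        elif e.get("host", "").lower() in domains:
            # URL / DNS style events that carry a hostname
            alerts.append({"direction": "outbound", "host": e["src"], "indicator": e["host"], "action": e["act"]})
    return alerts


if __name__ == "__main__":
    nets, domains = load_blocklist(BLOCKLIST_TEXT)
    for a in correlate(SAMPLE_TRAFFIC, nets, domains):
        print(a)
```

Two details carry over to the ArcSight rule: the denied inbound hit is still reported, because a listed source knocking on the firewall is worth knowing about even when nothing got through, and the feed entry 203.0.113.0/24 matches 203.0.113.40 only because the list is held as networks rather than literal strings, so an active list populated straight from the feed text would miss it unless the entries are expanded or matched as ranges.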