Presentation is loading. Please wait.

Presentation is loading. Please wait.

SecurityCenter & Palo Alto Configuration Guide. About this Guide This guide provides an overview of how to get the most from Palo Alto firewalls when.

Published byCameron Nicholson Modified over 9 years ago

Similar presentations

Presentation on theme: "SecurityCenter & Palo Alto Configuration Guide. About this Guide This guide provides an overview of how to get the most from Palo Alto firewalls when."— Presentation transcript:

1 SecurityCenter & Palo Alto Configuration Guide

2 About this Guide This guide provides an overview of how to get the most from Palo Alto firewalls when using SecurityCenter, Nessus, and Log Correlation Engine (LCE). Covered in this Guide: o Audit Scanning o Log Configuration on PAN-OS (Palo Alto Firewalls) o Netflow Configuration (PAN-OS & LCE) o LCE Normalized Logs o SecurityCenter Dashboard & Reporting

3 Audit Scanning SecurityCenter & PAN-OS

4 PAN-OS Configuration Tasks Create a service account for SecurityCenter to use. Allow SecurityCenter to connect to management interface. Set up SNMP allowed by local security policies.

5 Service Account Login to PAN-OS and navigate to the Device tab. On the left hand side, in the menu items, select Administrators Click the “ADD” button at the bottom of the screen Fill out the fields accordingly

6 PAN-OS Management Interface Login to PAN-OS and navigate to the Device tab. On the left hand side, in the menu items, select “Setup” & Management Tab Click on the icon located in the “Management Interface Settings” Configure HTTPS/Ping/SNMP management services. Assign the Permitted IP Addresses as necessary

7 SNMP Configuration Login to PAN-OS and navigate to the Device tab. On the left hand side, in the menu items, select “Setup” & Operations Tab Click the icon to enter SNMP Configuration. Configure the SNMP Settings according to local security policy.

8 SecurityCenter Configuration Tasks Import Audit File Create Credentials Create Scan Policy

9 Import Audit File Login to SecurityCenter and select Support > Audit Files Click the button. Provide a name and description for the Audit File setting. Browse the audit file location and select the appropriate file. Click submit to save the file.

10 Create Credentials Login to SecurityCenter and select Support > Credentials Click the button. SNMP credentials are added here. The API credentials are part of the scan policy.

11 Create Scan Policy Login to SecurityCenter and select Support > Scan Policies Click the button. Configure the basic settings as needed. Note: Netstat port scanners are not necessary. Select the audit file previously uploaded. Enable plugin 64095 & 64286 along with other plugins as necessary. Configure PAN-OS settings in Preferences

12 Log Configuration PAN-OS (Palo Alto Firewalls)

13 Log Configuration Setting The PAN-OS log configuration settings are in 4 places. Device > Server Profiles Device > Log Settings Objects > Log Forwarding Policies o All policies are configurable o Permit Policies o Deny Policies

14 Device > Server Profiles Configure the LCE as the Syslog Server. Login to PAN-OS and navigate to the Device tab. On the left hand side, in the menu items, select Server Profiles > Syslog Create the syslog profile Set the IP, port, log level

15 Device > Log Settings Set up LCE to collect device level syslog events. Login to PAN-OS and navigate to the Device tab. On the left hand side, in the menu items, select Log Settings System = Severity Setting Select the syslog server profile for each severity level.

16 Objects > Log Forwarding Log Forwarding is for security policies to use to forward logs. This can be for traffic based events and deny traffic events. Login to PAN-OS and navigate to the Objects tab. On the left hand side, in the menu items, select Log Forwarding Configure the setting as desired.

17 Policies Login to PAN-OS and navigate to the Policies tab. Note: In this example we will use “Security” policies, but the same concept applies to all types On the left hand side, in the menu items, select Security. Double click a Permit policy o Check Log at Session Start|End o Select the Log Forwarding Service Double click a Deny policy o Check Log at Session Start|End o Select the Log Forwarding Service

18 Netflow Configuration PAN-OS & LCE

19 PAN-OS Settings Configure the LCE as the Syslog Server. Login to PAN-OS and navigate to the Device tab. o On the left hand side, in the menu items, select Server Profiles > Netflow Server o Apply the applicable server settings o Ex: 172.26.32.65 : 9995 Navigate to the Network tab. o On the left hand side, select Interfaces o Choose interface to capture network. o Apply Netflow profile

20 Netflow Client Download and install Netflow client o The lab was built with the following version: TenableNetFlowMonitor-4.0.1-es6.x86_64.rpm Set the LCE Server in the config file o /opt/netflow_monitor/tfm.conf

21 LCE Policy Configuration Login to SecurityCenter as “admin” Select Resources > LCE Clients. Authorize the new client, then click Assign Policy Ensure the port is configured the same on the Palo Alto firewall More detailed Netflow policies are supported, but are beyond the scope of this guide.

22 Normalized Logs LCE

23 Normalized Logs The Tenable LCE team has normalized a series of log events to support Palo Alto. Paloalto-Allow_TCP_Start Paloalto-Allow_TCP_End Paloalto-Allow_UDP_Start Paloalto-Allow_UDP_End Paloalto-Allow_ICMP_Start Paloalto-Allow_ICMP_End Paloalto-Deny_TCP Paloalto-Deny_UDP Paloalto-Deny_ICMP Paloalto-Deny_TCP Paloalto-Deny_UDP Paloalto-Deny_ICMP Paloalto-Configuration_Edit Paloalto-Configuration_Delete Paloalto-Configuration_Commit Paloalto-System_General_Msg Paloalto-Threat_Spyware Paloalto-Threat_URL Paloalto-Threat_Vulnerability Paloalto-Threat_File Paloalto-Threat_Virus Paloalto-Authentication_Failed Paloalto- Authentication_Failed_Threshold_ Reached

24 Sample Normalized Events

25 Dashboard SecurityCenter

26 Dashboard (Published 17 Oct 2013)

27 Dashboard Components Palo Alto Status - Device Audit Vulnerabilities - This component displays a pass/fail indicator by check type. The Tenable_Palo_Alto_PAN-OS_Best_Practices.audit file has 5 check types, each focusing on a separate part of the configuration audit. Device: The firewall management and base operation settings Users: Lists local users in the device Security: Verifies the security setting of the configuration Update: Verifies the update server is configured Reports: The output from several report commands to display the report status Palo Alto Status - Netflow Summary - This component displays a summary of the top 10 TCP ports identified by Palo Alto native network collector. Palo Alto Status - Netflow By Port - This component displays the session count of the top 10 TCP ports identified by Palo Alto native network collector. Palo Alto Status - Top 10 Events - This component displays count of the top 10 Palo Alto syslog events. Palo Alto Status - Event Trend Summary - This component displays a trend line for the top 10 Palo Alto syslog events. Palo Alto Status - Event Indicator - This indicator component displays a series of Palo Alto syslog event indicators.

28 For Questions Contact Cody Dumont cdumont@tenable.com

Download ppt "SecurityCenter & Palo Alto Configuration Guide. About this Guide This guide provides an overview of how to get the most from Palo Alto firewalls when."

Similar presentations

Presumed Asbestos Training Programme. Introduction Getting Started The Interface Top Tool Bar Creating a New Site Type I Survey Type II Survey Type III.

Presumed Asbestos Training Programme. Introduction Getting Started The Interface Top Tool Bar Creating a New Site Type I Survey Type II Survey Type III.
Welcome to WebCRD.

Welcome to WebCRD.
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 8: Monitoring the Network Connecting Networks.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 8: Monitoring the Network Connecting Networks.
DSL-2730B, DSL-2740B, DSL-2750B.

DSL-2730B, DSL-2740B, DSL-2750B.
DNR-322L & DNR-326.

DNR-322L & DNR-326.
DSL-2870B How to Change ADSL Username and Password in your modem router How to Change Wireless Channel in your modem router How to Open Ports in your modem.

DSL-2870B How to Change ADSL Username and Password in your modem router How to Change Wireless Channel in your modem router How to Open Ports in your modem.
BlackBoard Online Submission Annual Assessment Updates 2010-2011.

BlackBoard Online Submission Annual Assessment Updates
DVG-N5402SP.

DVG-N5402SP.
User Responsibility A “How To” Guide for SecurityCenter.

User Responsibility A “How To” Guide for SecurityCenter.
Thick v Thin Access Points Lab Last Update 2014.07.12 1.0.0 1Copyright 2014 Kenneth M. Chipps Ph.D. www.chipps.com.

Thick v Thin Access Points Lab Last Update Copyright 2014 Kenneth M. Chipps Ph.D.
Vulnerability Types And How to Use Them.

Vulnerability Types And How to Use Them.
Submitting Book Chapters via Manuscript Central A Short Guide for Wiley-VCH Authors.

Submitting Book Chapters via Manuscript Central A Short Guide for Wiley-VCH Authors.
DWR-113 FAQ’s 3G WiFi Router.

DWR-113 FAQ’s 3G WiFi Router.
1 ISA Server 2004 Installation & Configuration Overview By Nicholas Quinn.

1 ISA Server 2004 Installation & Configuration Overview By Nicholas Quinn.
MagicInfo Pro Server Software All control, content, and scheduling is performed within the MagicInfo Pro Server software previously installed. Before.

MagicInfo Pro Server Software All control, content, and scheduling is performed within the MagicInfo Pro Server software previously installed. Before.
Getting started on informaworld™ How do I register my institution with informaworld™? How is my institution’s online access activated? What do I do if.

Getting started on informaworld™ How do I register my institution with informaworld™? How is my institution’s online access activated? What do I do if.
Introduction to our On-Line Self Service Center at WWW.CILINC.COM.

Introduction to our On-Line Self Service Center at
Malware Hunter How To Guide for SecurityCenter Continuous View™

Malware Hunter How To Guide for SecurityCenter Continuous View™
AQS Web Quick Reference Guide Changing Raw Data Values Using Maintenance 1. From Main Menu, click Maintenance, Sample Values, Raw Data 2. Enter monitor.

AQS Web Quick Reference Guide Changing Raw Data Values Using Maintenance 1. From Main Menu, click Maintenance, Sample Values, Raw Data 2. Enter monitor.
Home Media Network Hard Drive Training for Update to 2.0 By Erik Collett 6.03.09 Revised for Firmware Update.

Home Media Network Hard Drive Training for Update to 2.0 By Erik Collett Revised for Firmware Update.

Similar presentations

Ads by Google