Presentation is loading. Please wait.

Presentation is loading. Please wait.

SecurityCenter & Palo Alto Configuration Guide. About this Guide This guide provides an overview of how to get the most from Palo Alto firewalls when.

Published byAdrian Barnett Modified over 9 years ago

Similar presentations

Presentation on theme: "SecurityCenter & Palo Alto Configuration Guide. About this Guide This guide provides an overview of how to get the most from Palo Alto firewalls when."— Presentation transcript:

1 SecurityCenter & Palo Alto Configuration Guide

2 About this Guide This guide provides an overview of how to get the most from Palo Alto firewalls when using SecurityCenter Continuous View, Nessus, and Log Correlation Engine (LCE). Covered in this Guide: o Audit Scanning o Log Configuration on PAN-OS (Palo Alto Firewalls) o NetFlow Configuration (PAN-OS & LCE) o LCE Normalized Logs o SecurityCenter Dashboard & Reporting

3 Audit Scanning SecurityCenter & PAN-OS

4 PAN-OS Configuration Tasks Create a service account for SecurityCenter to use. Allow SecurityCenter to connect to the management interface. Set up SNMP to be allowed by local security policies.

5 Service Account Login to PAN-OS and navigate to the Device tab On the left-hand side, in the menu items, select Administrators Click the “ADD” button at the bottom of the screen Fill out the fields accordingly

6 PAN-OS Management Interface Login to PAN-OS and navigate to the Device tab. On the left-hand side, in the menu items, select “Setup” & Management Tab Click on the icon located in the “Management Interface Settings” Configure HTTPS/Ping/SNMP management services. Assign the Permitted IP Addresses as necessary

7 SNMP Configuration Login to PAN-OS and navigate to the Device tab On the left hand side, in the menu items, select “Setup” & Operations Tab Click the icon to enter SNMP Configuration Configure the SNMP Settings according to local security policy

8 SecurityCenter Configuration Tasks Import Audit File Create Credentials Create Scan Policy

9 Import Audit File Login to SecurityCenter and select Scans > Audit Files Click the button. Enter a search term to locate the appropriate audit file template. Select the appropriate template from the results. Provide a name and description for the audit file in the search window. Click submit to save the file.

10 Create Credentials Login to SecurityCenter and select Scans > Credentials Click the button SNMP credentials are added here The API credentials are part of the scan policy.

11 Create Scan Policy Login to SecurityCenter and select Scans > Policies Click the button. Click the Advanced Scan icon. Configure the basic settings as needed. Note: Netstat port scanners are not necessary. Under Compliance, select the audit file that was previously uploaded. Under Plugins, enable plugins 64095 & 64286, along with other plugins as necessary. Under Authentication, configure the PAN-OS settings

12 Log Configuration PAN-OS (Palo Alto Firewalls)

13 Log Configuration Settings The PAN-OS log configuration settings are in four places. Device > Server Profiles Device > Log Settings Objects > Log Forwarding Policies o All policies are configurable o Permit Policies o Deny Policies

14 Device > Server Profiles Configure the LCE as the syslog server Login to PAN-OS and navigate to the Device tab. On the left-hand side, in the menu items, select Server Profiles > Syslog Create the syslog profile Set the IP address, port, and log level

15 Device > Log Settings Set up the LCE to collect device level syslog events Login to PAN-OS and navigate to the Device tab On the left-hand side, in the menu items, select Log Settings System = Severity Setting Select the syslog server profile for each severity level

16 Objects > Log Forwarding Log Forwarding is for security policies to use to forward logs. This can be for traffic based events and deny traffic events. Login to PAN-OS and navigate to the Objects tab. On the left-hand side, in the menu items, select Log Forwarding. Configure the setting as desired.

17 Policies Login to PAN-OS and navigate to the Policies tab. Note: In this example we will use “Security” policies, but the same concept applies to all types On the left-hand side, in the menu items, select Security. Double-click a Permit policy o Check Log at Session Start|End o Select the Log Forwarding Service Double-click a Deny policy o Check Log at Session Start|End o Select the Log Forwarding Service

18 Netflow Configuration PAN-OS & LCE

19 PAN-OS Settings Configure the LCE as the Syslog Server. Login to PAN-OS and navigate to the Device tab. o On the left-hand side, in the menu items, select Server Profiles > Netflow Server o Apply the applicable server settings o Ex: 172.26.32.65 : 9995 Navigate to the Network tab. o On the left-hand side, select Interfaces o Choose the interface for which to capture network traffic. o Apply NetFlow profile

20 NetFlow Client Download and install the Tenable NetFlow client o The lab was built with the following version: TenableNetFlowMonitor-4.2.0-es6.x86_64.rpm Set the LCE Server o /opt/netflow_monitor/set-server-ip.sh o Answer the prompts with the correct information for your environment. o When complete, the NetFlow Monitor daemons will automatically start.

21 LCE Policy Configuration Login to SecurityCenter as “admin” Select Resources > LCE Clients. Click to Authorize and Assign Policy.

22 Normalized Logs LCE

23 Normalized Logs The Tenable LCE team has normalized a series of log events to support Palo Alto. Paloalto-Allow_TCP_Start Paloalto-Allow_TCP_End Paloalto-Allow_UDP_Start Paloalto-Allow_UDP_End Paloalto-Allow_ICMP_Start Paloalto-Allow_ICMP_End Paloalto-Deny_TCP Paloalto-Deny_UDP Paloalto-Deny_ICMP Paloalto-Deny_TCP Paloalto-Deny_UDP Paloalto-Deny_ICMP Paloalto-Configuration_Edit Paloalto-Configuration_Delete Paloalto-Configuration_Commit Paloalto-System_General_Msg Paloalto-Threat_Spyware Paloalto-Threat_URL Paloalto-Threat_Vulnerability Paloalto-Threat_File Paloalto-Threat_Virus Paloalto-Authentication_Failed Paloalto- Authentication_Failed_Threshold_ Reached

24 Sample Normalized Events

25 Dashboard SecurityCenter

26 Dashboard

27 Dashboard Components Palo Alto Status - Device Audit Vulnerabilities - This component displays a pass/fail indicator by check type. The Tenable_Palo_Alto_PAN-OS_Best_Practices.audit file has five check types, each focusing on a separate part of the configuration audit. Device: The firewall management and base operation settings Users: Lists local users in the device Security: Verifies the security setting of the configuration Update: Verifies the update server is configured Reports: The output from several report commands to display the report status Palo Alto Status - Netflow Summary - This component displays a summary of the top 10 TCP ports identified by Palo Alto native network collector. Palo Alto Status - Netflow By Port - This component displays the session count of the top 10 TCP ports identified by Palo Alto native network collector. Palo Alto Status - Top 10 Events - This component displays count of the top 10 Palo Alto syslog events. Palo Alto Status - Event Trend Summary - This component displays a trend line for the top 10 Palo Alto syslog events. Palo Alto Status - Event Indicator - This indicator component displays a series of Palo Alto syslog event indicators.

28 For Questions Contact Cody Dumont cdumont@tenable.com

Download ppt "SecurityCenter & Palo Alto Configuration Guide. About this Guide This guide provides an overview of how to get the most from Palo Alto firewalls when."

Similar presentations

Welcome to WebCRD.

Welcome to WebCRD.
DSL-2730B, DSL-2740B, DSL-2750B.

DSL-2730B, DSL-2740B, DSL-2750B.
DNR-322L & DNR-326.

DNR-322L & DNR-326.
HELP GUIDE NEW USER REGISTRATION (SLIDE 2) TAKING A QUIZ (SLIDE 8) REVIEWING A QUIZ (SLIDE 17) GROUP MEMBERSHIP (SLIDE 26) CREATING QUIZZES (SLIDE 31)

HELP GUIDE NEW USER REGISTRATION (SLIDE 2) TAKING A QUIZ (SLIDE 8) REVIEWING A QUIZ (SLIDE 17) GROUP MEMBERSHIP (SLIDE 26) CREATING QUIZZES (SLIDE 31)
DVG-N5402SP.

DVG-N5402SP.
SecurityCenter & Palo Alto Configuration Guide. About this Guide This guide provides an overview of how to get the most from Palo Alto firewalls when.

SecurityCenter & Palo Alto Configuration Guide. About this Guide This guide provides an overview of how to get the most from Palo Alto firewalls when.
Finding Exploitable Admin Systems A “How To” Guide for SecurityCenter.

Finding Exploitable Admin Systems A “How To” Guide for SecurityCenter.
Vulnerability Types And How to Use Them.

Vulnerability Types And How to Use Them.
Implementing RADIUS AAA Phil & Rick. Content Terms and Concepts Access Control What is AAA? Benefits of AAA What is RADIUS? Microsoft IAS Overview Installation.

Implementing RADIUS AAA Phil & Rick. Content Terms and Concepts Access Control What is AAA? Benefits of AAA What is RADIUS? Microsoft IAS Overview Installation.
Teacher Development Broward County Public Schools Matching Aspiring Teachers with Teacher Mentors Office of Talent Development formerly known as HRD.

Teacher Development Broward County Public Schools Matching Aspiring Teachers with Teacher Mentors Office of Talent Development formerly known as HRD.
Guide to MCSE 70-290, Enhanced 1 Activity 10-1: Restarting Windows Server 2003 Objective: to restart Windows Server 2003 Start  Shut Down  Restart Configure.

Guide to MCSE , Enhanced 1 Activity 10-1: Restarting Windows Server 2003 Objective: to restart Windows Server 2003 Start  Shut Down  Restart Configure.
DWR-113 FAQ’s 3G WiFi Router.

DWR-113 FAQ’s 3G WiFi Router.
TIMS LOGIN AND APPLICATION INFORMATION Spring 2012 1.

TIMS LOGIN AND APPLICATION INFORMATION Spring
Start the slide show by clicking on the Slide Show option in the above menu and choose View Show”. or – hit the F5 Key.

Start the slide show by clicking on the "Slide Show" option in the above menu and choose "View Show”. or – hit the F5 Key.
MCTS Guide to Microsoft Windows Server 2008 Applications Infrastructure Configuration (Exam # 70-643) Chapter Two Deploying Windows Servers.

MCTS Guide to Microsoft Windows Server 2008 Applications Infrastructure Configuration (Exam # ) Chapter Two Deploying Windows Servers.
MagicInfo Pro Server Software All control, content, and scheduling is performed within the MagicInfo Pro Server software previously installed. Before.

MagicInfo Pro Server Software All control, content, and scheduling is performed within the MagicInfo Pro Server software previously installed. Before.
Getting started on informaworld™ How do I register my institution with informaworld™? How is my institution’s online access activated? What do I do if.

Getting started on informaworld™ How do I register my institution with informaworld™? How is my institution’s online access activated? What do I do if.
Introduction to our On-Line Self Service Center at WWW.CILINC.COM.

Introduction to our On-Line Self Service Center at
Malware Hunter How To Guide for SecurityCenter Continuous View™

Malware Hunter How To Guide for SecurityCenter Continuous View™
Ch 8. The Control Panel Window –Category View The Control Panel Window –Small icons View.

Ch 8. The Control Panel Window –Category View The Control Panel Window –Small icons View.

Similar presentations

Ads by Google