Integrating Palo Alto to Security Analytics
search cancel

Integrating Palo Alto to Security Analytics

book

Article ID: 168263

calendar_today

Updated On:

Products

Security Analytics

Issue/Introduction

Palo Alto is one of the third-party products that can integrate with SA.

Resolution

Palo Alto allows a user to pivot into Security Analytics and investigate the data that was captured.

The following installation instructions add Solera DeepSee integration to the Palo Alto Networks NGFW.

Configuration

1. Log in to the PAN NGFW from the command line
2. Type ‘configure’  to enter configuration mode
3. Create the log link to pivot to your Solera DeepSee system by entering the following text:

  • set deviceconfig system log‐link <Name of LogLink>
  • url https://<IP_Address>/deepsee_reports
  • ctrl‐v  (We need to do this to escape the question mark that will be in the URL)
  • ?
  • #pathString=%2Ftimespan%2F{RECVTIME_YYYY.EN_US}{RECVTIME_MM.EN_US}{RECVTIME_DD.EN_US}T{RECVTIME_HH.EN_US}:{RECVTIME_MM.EN_US}:{RECVTIME_SS.EN_US}%2Fipv4_address%2F{SRC.EN_US}_and_{DST.EN_US}%2Fport%2F{SPORT.EN_US}_and_{DPORT.EN_US}%2F
<Name of Log Link> ‐ This text will be displayed in the NGFW user interface (ie.  
<IP_Address> ‐ This is the IP Address of your Solera DeepSee device


Example:

set device config log‐link Solera_DeepSee url
https://X.X.X.X/deepsee_reports?#pathString=%2Ftimespan%2F{RECVTIME_YYYY.EN_US}‐{RECVTIME_MM.EN_US}‐{RECVTIME_DD.EN_US}T{RECVTIME_HH.EN_US}:{RECVTIME_MM.EN_US}:{RECVTIME_SS.EN_US}%2Fipv4_address%2F{SRC.EN_US}_and_{DST.EN_US}%2Fport%2F{SPORT.EN_US}_and_{DPORT.EN_US}%2F

4. Create the log link to download a pcap of the session from your Solera DeepSee system by entering the following text:

  • set deviceconfig system log‐link <Name of LogLink>
  • url https://<IP_Address>/ws/pcap
  • ctrl‐v  (We need to do this to escape the question mark that will be in the URL)
  • ?
  • method=deepsee&path=%2Ftimespan%2F{RECVTIME_YYYY.EN_US}{RECVTIME_MM.EN_US}{RECVTIME_DD.EN_US}T{RECVTIME_HH.EN_US}:{RECVTIME_MM.EN_US}:{RECVTIME_SS.EN_US}%2Fipv4_address%2F{SRC.EN_US}_and_{DST.EN_US}%2Fport%2F{SPORT.EN_US}_and_{DPORT.EN_US}%2Fdata.pcap
<Name of Log Link> ‐ This text will be displayed in the NGFW user interface  
<IP_Address>  ‐ This is the IP Address of your Solera DeepSee device


Example:

set device config log‐link DeepSee_Pcap url
https://X.X.X.X/ws/pcap?method=deepsee&path=%2Ftimespan%2F{RECVTIME_YYYY.EN_US}‐{RECVTIME_MM.EN_US}‐{RECVTIME_DD.EN_US}T{RECVTIME_HH.EN_US}:{RECVTIME_MM.EN_US}:{RECVTIME_SS.EN_US}%2Fipv4_address%2F{SRC.EN_US}_and_{DST.EN_US}%2Fport%2F{SPORT.EN_US}_and_{DPORT.EN_US}%2Fdata.pcap

5. Exit the command line

Usage

From the NGFW user interface click on the magnifying glass icon for log details. The links you created to connect to the Solera DeepSee system will be located in the Log Links section of the web frame displayed.  
Click the Solera integrated link to either pivot to Solera DeepSee or download the pcap of the session related to the log event.



The time window around the event can be adjusted in the DeepSee UI. By default the time window around the events that are passed into DeepSee with a single point of time are prefixed by 3 minutes and have a suffix of 2 minutes.  In Solera OS version 6x, from the UI navigate to Profile > Preferences to adjust the prefix and suffix to desired values.

User-added image

In Security Analytics version 7.x, from the UI, navigate to the logged in user drop down in the upper right corner and select Account Settings.

User-added image

Powered by Wolken Software