Palo Alto: Adaptive Response: Tag to Dynamic Address List requires commit?

hcheang
Path Finder

Hello,

I am using Palo Alto App for Splunk and its adaptive response feature.
We have done some troubleshooting and testing, and based on what we have accomplished so far, I have a few questions:

  1. Commit required

According to documents,
"The IP is tagged on the firewall immediately, however, it can take up to 60 seconds for the tagged IP addresses to show up in the corresponding Dynamic Address Group in the security policy. This delay is intentional to prevent accidental DoS scenarios."

We've waited a couple of minutes or more, but we found that an admin has to initiate a "commit" for the IP to be included in the group.

This is the command we tried:

index=pan_logs sourcetype=pan:threat host=$PA_FIREWALL$ category=malware vendor_action=allowed dest_zone=internal
| stats count by src_ip
| pantag device="$PA_FIREWALL$" action=add tag="SplunkBlock" ip_field="src_ip"

  2. Change is not visible

We are getting Palo Alto logs from the device, and for config-type logs the following custom format is used:

$receive_time $admin $host $client $cmd $result $path $before-change-detail $after-change-detail

Strangely, we do not see any log related to the IP being added to the tag or to the group.
Is this expected behaviour, or are we missing some field in the syslog setting?

Thanks!

0 Karma

shirishkamat84
Path Finder

The firewall account used by the TA, is it available on the firewall?
Does the firewall have the required tags and DAG where you need to populate the IP?

We made this work by creating the required policies on PANORAMA and making the changes there, which pushed the policies to the serial mentioned in the command. Something like this:

index=pan_logs sourcetype="pan:threat" dest_hostname="www.apple.com" | stats dc(dest_ip) by dest_ip | pantag panorama="" serial="" action="add" ip_field="dest_ip" tag="Splunk_block"

0 Karma

hcheang
Path Finder

Yes, we have created a separate account specifically for this feature with the correct capabilities.
The IP is tagged correctly and is added to the group correctly, but the issue is that it requires a manual commit.

The only difference I see is the use of Panorama, which we do not have.
If I am reading your answer correctly, the dest_ip is added to this DAG as soon as the query is completed? Without any further action?

We have given the "commit" capability to the account as well, but still, we need to commit the changes manually for a new IP to be added to the group.

0 Karma

alikapucu
Explorer

Is it possible to use multiple serial numbers, or is there any way to push an IP address to multiple firewalls?

0 Karma

khalidewaidah
Explorer

I have tried to run the Palo Alto adaptive response, but I face the below error:

""PAN : Tag to Dynamic Address/User Group" - Adaptive response action could not be dispatched.Unexpected token M in JSON at position 0"

Kindly help me if you have experience with that.

0 Karma