
Palo Alto App configuration procedure

albertoperez
Explorer

Hi,
Please, could anybody explain the configuration steps for Palo Alto App?

The installation is like the rest of the apps, but the initial customization is not explained anywhere, and I think it's very important to know what logging level in Palo Alto we need to enable and what the concrete Splunk customization is to locate its Out of the Box source type.

Thanks in advance.


albertoperez
Explorer

Hi, I don't remember how, but I got this document with the steps you need to follow for the integration.

### ### ### ### ### ### ### ### ### ### ### ###

Splunk for Palo Alto Networks App

Description: Field extractions and sample reports, and dashboards for the Palo Alto Networks Firewall

Splunk Version: 4.0.x and Higher
App Version: 1.0.1
Last Modified: Feb - 2011
Authors: Will Hayes - Splunk, Inc.; Karandeep Bains - Splunk, Inc.
For support, contact: bd-labs@splunk.com

### ### ### ### ### ### ### ### ### ### ### ###

*** Installing ***

To install this app:
- Unpack this file into $SPLUNK_HOME/etc/apps
- Restart Splunk

*** Configuring ***

To get the firewall data into Splunk:

  • Configure a port on the Splunk server to listen for UDP or TCP traffic. If you do not know how to do this, refer to the online documentation here:

http://www.splunk.com/base/Documentation/latest/admin/MonitorNetworkPorts

Important: When you configure the input port, you must set the sourcetype of the firewall data to pan_log. Otherwise, the app will not work.

If you are using UDP input, you will also need to add:

no_appending_timestamp = true

to the UDP stanza in your inputs.conf file. For example:

[udp://5155]
connection_host = ip
sourcetype = pan_log
no_appending_timestamp = true

  • Next, configure the firewall device to direct log traffic to the Splunk server on the network port that you specified.

*** Source types ***

As Splunk indexes your Palo Alto Networks firewall data, the app will rename the sourcetypes to pan_threat, pan_traffic, pan_config, and pan_system depending on the logging facility.

*** Search macros ***

The dashboards rely on the search macros for views. These macros are defined in $SPLUNK_HOME/etc/apps/SplunkforPaloAltoNetworks/default/macros.conf.

You should only edit the base macros. If you already have data that has been indexed as a different sourcetype, add your sourcetype to the definition. For example:

definition = sourcetype="pan_traffic" OR sourcetype="foo" OR sourcetype="bar"

Important: All other macros should not be edited.

*** Lookups ***

Lookups are provided for the threat_id and app field to provide additional information about threats and applications on the network.

*** Summary indexing ***

If you are indexing large volumes of data, you should use summary indexing for the views. This feature requires an Enterprise License.

  • Use the Manager link to enable these searches:

SI - PAN - Traffic - DataCube
SI - PAN - Traffic - DataCube 2
SI - PAN - Threat - DataCube
SI - PAN - Threat - DataCube 2
SI - PAN - Web Activity - DataCube
SI - PAN - Web Activity - DataCube2

These six scheduled searches create a cache for the dashboards every 5 minutes. If you need to change the run schedule of any of the searches, you can edit its properties using Manager.

  • Rename:

$SPLUNK_HOME/etc/apps/SplunkforPaloAltoNetworks/local/macros.conf.summary

to

$SPLUNK_HOME/etc/apps/SplunkforPaloAltoNetworks/local/macros.conf

  • Restart Splunk

Note:
- After restart, it can take up to 5 minutes for new data to show up.
- For older data, you can use the backfill feature of Splunk to backfill the summary index:

http://www.splunk.com/base/Documentation/latest/Knowledge/Managesummaryindexgapsandoverlaps#Use_the_...

Known issues with Summary Indexed data:
- Drilldown does not work with summary indexed data.
- Filtering does not work with summary indexed data.

We hope to have these issues resolved in future releases of the app.

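As an added example (not from the original post, and not part of the Splunk for Palo Alto Networks app itself), here is a small Python checker that reads an inputs.conf and flags network input stanzas missing the settings the README above requires: sourcetype = pan_log on every udp:// and tcp:// input, and no_appending_timestamp = true on UDP inputs. The sample inputs.conf text is constructed for the example.

```python
import configparser
from io import StringIO

# Constructed sample inputs.conf, modelled on the UDP stanza in the README.
# The second stanza deliberately uses the wrong sourcetype and omits
# no_appending_timestamp so the checker has something to flag.
SAMPLE_INPUTS_CONF = """\
[udp://5155]
connection_host = ip
sourcetype = pan_log
no_appending_timestamp = true

[udp://5156]
connection_host = ip
sourcetype = syslog

[tcp://5157]
connection_host = ip
sourcetype = pan_log
"""

REQUIRED_SOURCETYPE = "pan_log"


def parse_inputs_conf(text):
    """Parse Splunk's INI-style inputs.conf into {stanza: {key: value}}."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # Splunk keys are case-sensitive; keep them as written
    parser.read_file(StringIO(text))
    return {name: dict(parser[name]) for name in parser.sections()}


def check_pan_inputs(text):
    """Return (stanza, problem) pairs for network inputs that the app
    would not recognise according to the README's configuration notes."""
    findings = []
    for stanza, settings in parse_inputs_conf(text).items():
        if not (stanza.startswith("udp://") or stanza.startswith("tcp://")):
            continue  # only network inputs carry the firewall syslog feed
        if settings.get("sourcetype") != REQUIRED_SOURCETYPE:
            findings.append((stanza, "sourcetype must be pan_log"))
        if stanza.startswith("udp://") and settings.get("no_appending_timestamp", "").lower() != "true":
            findings.append((stanza, "UDP input needs no_appending_timestamp = true"))
    return findings


if __name__ == "__main__":
    for stanza, problem in check_pan_inputs(SAMPLE_INPUTS_CONF):
        print(f"{stanza}: {problem}")
```

To run it against a real deployment, pass the contents of $SPLUNK_HOME/etc/apps/<app>/local/inputs.conf (or the system-level inputs.conf) to check_pan_inputs instead of the constructed sample.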

dodit7175
New Member

Did you ever get this question answered? I have the same issue.


kbains
Splunk Employee

I recommend emailing bd-labs@splunk.com with your question.