
Threat PCAP configuration

clark1 (Engager)

I need guidance on how to configure Palo Alto Panorama / firewalls to allow requests for Threat PCAPs in the PA Splunk app.

I submitted a TAC case to PA asking if Splunk only needed to communicate with Panorama, and it seems that is not the case because these are file exports. So do I need to configure API access on each firewall and ensure network connectivity to each from Splunk in order for the Splunk app to retrieve PCAPs?

Please see my original question below and PA TAC response.


Question:
"We are configuring Panorama to accept API calls from Splunk in order to export Threat PCAP files. We need to know if Splunk only needs to communicate with Panorama to download those files, or if it needs to communicate with each individual firewall managed by Panorama."

TAC RESPONSE:
I'll summarize some information from our XML API guide as well as provide a link below. In short, it is not possible to use Panorama to export threat packet captures. The only API calls that can be redirected from a Panorama to a firewall are operational commands (type=op) using the target parameter. Unfortunately the threat packet capture export is an export command (type=export) and so it couldn't be redirected.

Check out page 32 of the PDF you can export here, which also mentions that only operational commands can be redirected: https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-panorama-api/get-started-with-the-pan-os-xml-api...

Personally, I've dealt with this in the past in my own scripts by pivoting on the serial number that is returned within a threat log entry, from which I then get the IP using the "show devices connected" operational command on the Panorama, followed by doing a query directly to the firewall's IP address with the export command. I can't comment on whether something like this would be possible within Splunk's engine as opposed to something written in a separate script. Should you have an SME for the Splunk side who's familiar with how they can do API calls, I'd refer them to the XML API guide above, or I'd also be happy to discuss further if they have any other ideas as far as options.

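The two-step pivot the TAC engineer describes (serial number from the threat log, "show devices connected" on Panorama to map that serial to a firewall IP, then a `type=export&category=threat-pcap` call to the firewall itself) can be scripted outside Splunk. The block below is an added example written for this thread; it is not the Splunk app's code and not the TAC engineer's script. It uses only the Python standard library and the PAN-OS XML API endpoints named in the thread (`type=op` with the `cmd` parameter, `type=export` with `category=threat-pcap`, `pcap-id`, `search-time` and `serialno`). The device-list XML is a constructed sample trimmed to the fields used here; the hostnames, serials, IPs and pcap-id are made up; the `X-PAN-KEY` header and the `ca_bundle` argument are assumptions about how the script is deployed. The network-facing function is kept separate from the pure parsing and URL-building functions so the latter can be exercised offline.

```python
"""Resolve a threat-log serial number to a firewall IP via Panorama, then
export the threat PCAP directly from that firewall (PAN-OS XML API).

Added example for this thread; not the Splunk app's or PAN TAC's code.
"""
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

# Constructed sample of a Panorama "show devices connected" response,
# trimmed to the fields this script reads (serials/IPs are made up).
SAMPLE_DEVICES_XML = """<response status="success"><result><devices>
<entry name="007000000000001"><serial>007000000000001</serial>
  <hostname>fw-edge-1</hostname><ip-address>10.0.0.11</ip-address>
  <connected>yes</connected></entry>
<entry name="007000000000002"><serial>007000000000002</serial>
  <hostname>fw-edge-2</hostname><ip-address>10.0.0.12</ip-address>
  <connected>yes</connected></entry>
</devices></result></response>"""

# Operational command from the TAC response; op commands are the only
# ones Panorama will proxy, so this one is sent to Panorama.
SHOW_DEVICES_CMD = "<show><devices><connected></connected></devices></show>"


def build_op_url(panorama_host, cmd=SHOW_DEVICES_CMD):
    """URL for an operational command on Panorama (type=op)."""
    query = urllib.parse.urlencode({"type": "op", "cmd": cmd})
    return f"https://{panorama_host}/api/?{query}"


def build_threat_pcap_export_url(firewall_host, pcap_id, search_time, serial):
    """URL for the threat-pcap export. Export commands are not proxied by
    Panorama, so this must target the firewall that produced the log.
    search_time is the log's receive time as 'yyyy/mm/dd hh:mm:ss'."""
    query = urllib.parse.urlencode({
        "type": "export",
        "category": "threat-pcap",
        "pcap-id": pcap_id,
        "search-time": search_time,
        "serialno": serial,
    })
    return f"https://{firewall_host}/api/?{query}"


def parse_connected_devices(xml_text):
    """Map serial -> management IP from a 'show devices connected' reply."""
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        raise RuntimeError("Panorama returned status=%r" % root.get("status"))
    return {
        entry.findtext("serial"): entry.findtext("ip-address")
        for entry in root.iter("entry")
        if entry.findtext("serial") and entry.findtext("ip-address")
    }


def resolve_firewall_ip(device_map, serial):
    """The threat log carries the serial; Panorama tells us its IP."""
    try:
        return device_map[serial]
    except KeyError:
        raise LookupError(f"serial {serial} is not connected to Panorama")


def looks_like_api_error(payload):
    """A failed export returns an XML <response>, not pcap bytes."""
    return payload.lstrip().startswith(b"<")


def fetch(url, api_key, ca_bundle=None):
    """GET with the API key in the X-PAN-KEY header (assumed deployment
    choice, keeps the key out of URL logs). ca_bundle pins the trusted CA."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    req = urllib.request.Request(url, headers={"X-PAN-KEY": api_key})
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return resp.read()


def export_threat_pcap(panorama_host, api_key, serial, pcap_id, search_time,
                       out_path, ca_bundle=None):
    """Full pivot: Panorama -> firewall IP -> direct export. Returns out_path."""
    devices_xml = fetch(build_op_url(panorama_host), api_key, ca_bundle)
    fw_ip = resolve_firewall_ip(parse_connected_devices(devices_xml.decode()), serial)
    pcap = fetch(build_threat_pcap_export_url(fw_ip, pcap_id, search_time, serial),
                 api_key, ca_bundle)
    if looks_like_api_error(pcap):
        raise RuntimeError("export failed: " + pcap.decode(errors="replace")[:200])
    with open(out_path, "wb") as fh:
        fh.write(pcap)
    return out_path
```

Operationally this means the host running the script (Splunk or otherwise) needs API access to Panorama plus network reachability and an API key valid on every managed firewall, which is the connectivity the original question is asking about; the `ca_bundle` argument exists so certificate verification stays on rather than being disabled for self-signed management certificates.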