
Why am I encountering Issues with Palo Alto lookups and permissions with a deployment?

Splunk Employee

Hello there,

I am having issues with a deployment in which, when using a non-admin role for a user, when I search using, let's say, the Search app, I have the following output:

• The limit has been reached for log messages in info.csv. 69 messages have not been written to info.csv. Please refer to search.log for these messages or limits.conf to configure this limit.
• [idx-i-1] The lookup table 'applookup' does not exist. It is referenced by configuration 'pan:threat'.
• [idx-i-1] The lookup table 'applookup' does not exist. It is referenced by configuration 'pan:traffic'.
• [idx-i-1] The lookup table 'classificationlookup' does not exist. It is referenced by configuration 'pan:hipmatch'.
• [idx-i-1] The lookup table 'classificationlookup' does not exist. It is referenced by configuration 'pan:threat'.
• [idx-i-1] The lookup table 'classificationlookup' does not exist. It is referenced by configuration 'pan:traffic'.
• [idx-i-1] The lookup table 'classificationlookup' does not exist. It is referenced by configuration 'pan:traffic'.
• [idx-i-1] The lookup table 'endpointactionslookup' does not exist. It is referenced by configuration 'pan:endpoint'.
• [idx-i-1] The lookup table 'endpointseveritylookup' does not exist. It is referenced by configuration 'pan:endpoint'.
• [idx-i-1] The lookup table 'panvendoractionlookup' does not exist. It is referenced by configuration 'pan:threat'.
• [idx-i-1] The lookup table 'panvendoractionlookup' does not exist. It is referenced by configuration 'pan:traffic'.
• [idx-i-1] The lookup table 'panvendorinfolookup' does not exist. It is referenced by configuration 'pan:aperture'.
• [idx-i-1] The lookup table 'panvendorinfolookup' does not exist. It is referenced by configuration 'pan:config'.
• [idx-i-1] The lookup table 'panvendorinfolookup' does not exist. It is referenced by configuration 'pan:hipmatch'.
• [idx-i-1] The lookup table 'panvendorinfolookup' does not exist. It is referenced by configuration 'pan:system'.
• [idx-i-1] The lookup table 'panvendorinfolookup' does not exist. It is referenced by configuration 'pan:threat'.
• [idx-i-1] The lookup table 'panvendorinfolookup' does not exist. It is referenced by configuration 'pan:traffic'.
• [idx-i-1] The lookup table 'sanctionedsaaslookup' does not exist. It is referenced by configuration 'pan:threat'.
• [idx-i-1] The lookup table 'sanctionedsaaslookup' does not exist. It is referenced by configuration 'pan:traffic'.

Does anyone know what this is related to?

0 Karma

Re: Why am I encountering Issues with Palo Alto lookups and permissions with a deployment?

Splunk Employee

Palo Alto App version: 6.0.1 / SplunkTApaloalto: 6.0.2

0 Karma

Re: Why am I encountering Issues with Palo Alto lookups and permissions with a deployment?

Explorer

Assuming you're using the same search head for both the admin and non-admin searches, I would recommend checking the permissions on the lookup tables referenced in the above errors. My guess is that the read permissions on those lookup tables are restricted to admin only, which makes the non-admin user run into errors. It's also worth checking the permissions on the underlying lookup files those tables are using as well, but I believe that those errors are related to the tables themselves.


0 Karma

Re: Why am I encountering Issues with Palo Alto lookups and permissions with a deployment?

Splunk Employee

Hey qi3ber,

I just checked and adjusted the "Lookup table files" and "Lookup definitions", and they had permissions assigned to only the app, not everyone as required.

That did the job, although it seems that the permissions were not cascaded down to the objects when I assigned the read permission to the app itself (this is the SplunkTApaloalto through "Manage Apps"). Is this the normal behaviour?

Thanks!

M.

0 Karma
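
The permission check discussed in the answers above, as an added example that is not part of the original thread or of the Palo Alto add-on: it resolves the effective read roles and sharing for a lookup definition (`transforms/...`) or lookup table file (`lookups/...`) from the contents of an app's `metadata/local.meta`. The sample file contents, the `example.csv` name and the function names are constructed for illustration, and a missing `access` line is treated as no read access.

```python
import re

# Constructed sample of an add-on's metadata/local.meta (not from the thread).
# Lookup names are spelled as in the error messages above; example.csv is made up.
SAMPLE_META = """
[]
access = read : [ * ], write : [ admin ]
export = system
[lookups]
access = read : [ admin ], write : [ admin ]
export = none
[transforms]
access = read : [ admin ], write : [ admin ]
[transforms/applookup]
access = read : [ * ], write : [ admin ]
export = system
"""

def parse_meta(text):
    """Return {stanza: {key: value}}; the app-wide stanza [] is stored under ''."""
    stanzas, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def effective(stanzas, obj):
    """Merge settings for 'type/name', most specific last: [] < [type] < [type/name]."""
    merged = {}
    for name in ("", obj.split("/", 1)[0], obj):
        merged.update(stanzas.get(name, {}))
    return merged

def problems(stanzas, obj, role):
    """Reasons why `role` cannot use `obj` from another app such as Search."""
    eff = effective(stanzas, obj)
    grants = dict(re.findall(r"(\w+)\s*:\s*\[([^\]]*)\]", eff.get("access", "")))
    readers = {r.strip() for r in grants.get("read", "").split(",")} - {""}
    found = []
    if not readers & {"*", role}:
        found.append("no read access")
    if eff.get("export", "none") != "system":
        found.append("not exported globally")
    return found
```

In the sample, the app-wide `[]` stanza grants read to everyone, yet the `[lookups]` and `[transforms]` stanzas override it for every object of those types, so only `transforms/applookup`, which has its own stanza, is usable by a non-admin role.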