I am using the asset discovery app to run nmap scans on my network. I am able to collect the results based on specific Operating Systems and should be able to export the results. I want to take these results (host IPs) to then push to a dynamic group on a Palo Alto firewall using its API.
Has anyone had any experience doing this? I recall the older version of the PAN App was able to do this, however the results were contained in this app.
Use one of the special commands in the app. For dynamic address groups, you're probably looking for the pantag command.
https://github.com/PaloAltoNetworks-BD/SplunkforPaloAltoNetworks/wiki/Special-Searchbar-Commands
You can remove tags by adding action=rem to the command. If the tag doesn't exist and you try to remove it, you may get an error, but it can be safely ignored.
Brian, thanks for reaching out. Tags are used in the PAN 6.x stream; you just need to upgrade to 6.x to take advantage.
How can I dynamically remove items from the dyn-obj group?
As I am actively scanning and creating a list to be pushed, is there a way to clear out the existing objects on the PAN and then push the new objects compiled from the splunk search without having to know what already exists in the dyn-obj list to begin with?
I have not tried this, but here are some thoughts.
The PAN app accomplishes the config change by way of a custom command, panupdate. This command calls a script, panChange.py. You could:
1) install and configure the PAN app; provide credentials and information on your firewalls
2) create a search that pipes the nmap indexed IPs to panupdate, e.g.
<search to get nmap results> | rename <nmap ip field> AS addrip| panupdate device="<your firewall IP Address>" devicegroup="<device group of your firewall>"
action="add" group="
A big advantage of installing the app is that your firewall credentials are stored encrypted.
If you don't want to install the PAN app and just want to use the script as your own custom command, you can find it here: https://github.com/PaloAltoNetworks-BD/SplunkforPaloAltoNetworks/blob/master/bin/panChange.py . There are comments in the Python script that will help you navigate through the misc options.
If you choose to create your own custom command by copying panChange.py, you will also need to add a commands.conf and a searchbnf.conf file in $SPLUNK_HOME/etc/apps/
For more detail on custom commands, take a look at: http://blogs.splunk.com/2014/04/14/building-custom-search-commands-in-python-part-i-a-simple-generat...
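As an added example (not code from the PAN app or from panChange.py), here is how the register/unregister step described in this thread could be driven directly against the PAN-OS XML API's User-ID endpoint, including the earlier question about clearing stale hosts before pushing the new set: it assumes the previously pushed host list is kept on the Splunk side (for example in a lookup) so that only the difference needs to be unregistered, and it reads the response's status attribute instead of assuming the word "success" appears in the body. The tag name, host addresses and API key are constructed sample values.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

# Constructed sample data (not from the thread): hosts pushed last run vs. this run.
PREVIOUS_HOSTS = ["10.0.0.5", "10.0.0.6"]
CURRENT_HOSTS = ["10.0.0.6", "10.0.0.7"]
TAG = "nmap-linux"  # assumed tag that the dynamic address group's match criteria use


def build_uid_message(tag, register=(), unregister=()):
    """Build a PAN-OS User-ID uid-message that removes the tag from stale hosts
    and adds it to new ones in a single request."""
    msg = ET.Element("uid-message")
    ET.SubElement(msg, "version").text = "1.0"
    ET.SubElement(msg, "type").text = "update"
    payload = ET.SubElement(msg, "payload")
    for section_name, ips in (("unregister", unregister), ("register", register)):
        if not ips:
            continue
        section = ET.SubElement(payload, section_name)
        for ip in ips:
            entry = ET.SubElement(section, "entry", ip=ip)
            ET.SubElement(ET.SubElement(entry, "tag"), "member").text = tag
    return ET.tostring(msg, encoding="unicode")


def plan_tag_update(tag, previous, current):
    """Diff the last pushed host list against the current one so the dynamic
    group ends up holding exactly the current hosts, without first asking the
    firewall what it already contains."""
    prev, cur = set(previous), set(current)
    return build_uid_message(tag, register=sorted(cur - prev),
                             unregister=sorted(prev - cur))


def api_query(api_key, uid_xml):
    """Query string for the XML API endpoint, i.e. https://<firewall>/api/?<this>."""
    return urlencode({"type": "user-id", "action": "set",
                      "key": api_key, "cmd": uid_xml})


def response_status(body):
    """Return the status attribute of the firewall's XML response ('success' or
    'error'), treating non-XML or unexpected bodies (an empty reply, a login
    page) as 'error' rather than raising, unlike a bare re.search(...).group(0)."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return "error"
    return root.get("status", "error") if root.tag == "response" else "error"
```

The query string is meant to be sent with HTTPS to the firewall's /api/ endpoint; the API key itself is obtained once with type=keygen and should be stored encrypted, as the app does.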
My syntax seems to work as planned, however it fails to push to the PANs due to the devicegroup= requirement. I don't have Panorama but am trying to push directly to the PANs themselves.
2014-05-01 11:21:09,025 -0600 WARNING panoramaUserUpdate:134 - Traceback (most recent call last):
File "/opt/splunk/etc/apps/SplunkforPaloAltoNetworks/bin/panoramaUserUpdate.py", line 129, in getKey
sm = re.search(r"success",result).group(0)
AttributeError: 'NoneType' object has no attribute 'group'
Without the devicegroup, the logs state that I haven't specified the IP address of the Panorama device.
Thank you for responding, this was the detail I was looking for. I'll give it a try this morning when I'm back in the office and let you know how it goes.