I need guidance on how to configure Palo Alto panorama / firewalls to allow for requests for Threat PCAPs in PA Splunk app.
I submitted a TAC case to PA asking if Splunk only needed to communicate with Panorama, and it seems that is not the case because these are file exports. So do I need to configure API access on each firewall and ensure network connectivity to each from Splunk in order for the Splunk app to retrieve PCAPs?
Please see my original question below and PA TAC response.
"We are configuring Panorama to accept API calls from splunk in order to export Threat PCAP files. We need to know if Splunk only needs to communicate with Panorama to download those files or if it needs to communicate to each individual firewall managed by Panorama."
I'll summarize some information from our XML API guide as well as provide a link below. In short, it is not possible to use Panorama to export threat packet captures. The only API calls that can be redirected from a Panorama to a firewall are operational commands (type=op) using the target parameter. Unfortunately the threat packet capture export is an export command (type=export) and so it couldn't be redirected.
Check out page 32 of the PDF you can export here, which also mentions that only operational commands can be redirected: https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-panorama-api/get-started-with-the-pan-os-xml-api.html
Personally, I've dealt with this in the past in my own scripts by pivoting on the serial number that is returned within a threat log entry, from which I then get the IP using the "show devices connected" operational command on the Panorama, followed by doing a query directly to the firewall's IP address with the export command. I can't comment on whether something like this would be possible within Splunk's engine as opposed to something written in a separate script. Should you have an SME for the Splunk side who's familiar with how they can do API calls, I'd refer them to the XML API guide above, or I'd also be happy to discuss further if they have any other ideas as far as options.
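The pivot the TAC engineer describes (threat log serial number, then "show devices connected" on Panorama to find the firewall's management IP, then a `type=export&category=threat-pcap` call straight to that firewall) as an added Python example. This is not code from the forum post, from Palo Alto Networks or from the Splunk app; the Panorama hostname, API key, serial numbers, IP addresses and the sample "show devices connected" XML are constructed placeholders, and the assumption that one API key is valid on both Panorama and the firewall is also an assumption (in practice each firewall may need its own key generated against its own admin account, which is why the app needs API access and connectivity to every firewall, not just Panorama).

```python
"""Pivot from a threat log's serial number to the firewall that holds the
packet capture, then request the capture directly from that firewall.

Added example: not code from the forum post, Palo Alto Networks or Splunk.
Hostnames, keys, serials, IPs and the sample XML below are constructed.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlencode
from urllib.request import urlopen

# Constructed sample of a Panorama 'show devices connected' response.
# The element names follow the XML API as the author knows it; treat the
# exact layout as an assumption and compare against a live response.
SAMPLE_DEVICES_XML = """<response status="success"><result>
<devices>
  <entry name="001901000001">
    <serial>001901000001</serial>
    <connected>yes</connected>
    <hostname>fw-branch-1</hostname>
    <ip-address>10.0.0.11</ip-address>
  </entry>
  <entry name="001901000002">
    <serial>001901000002</serial>
    <connected>yes</connected>
    <hostname>fw-branch-2</hostname>
    <ip-address>10.0.0.12</ip-address>
  </entry>
</devices></result></response>"""


def panorama_devices_url(panorama_host, api_key):
    """Operational command (type=op) on Panorama: 'show devices connected'."""
    query = urlencode({"type": "op",
                       "cmd": "<show><devices><connected/></devices></show>",
                       "key": api_key})
    return f"https://{panorama_host}/api/?{query}"


def parse_connected_devices(xml_text):
    """Return {serial: management IP} from the op command's XML response."""
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        raise RuntimeError(f"Panorama returned status {root.get('status')!r}")
    devices = {}
    for entry in root.iterfind("./result/devices/entry"):
        serial = entry.findtext("serial") or entry.get("name")
        ip = entry.findtext("ip-address")
        if serial and ip:
            devices[serial] = ip
    return devices


def threat_pcap_url(firewall_ip, api_key, pcap_id, search_time):
    """Export command (type=export) sent to the firewall itself, not Panorama.
    search_time is the log's receive time as 'yyyy/mm/dd hh:mm:ss'."""
    query = urlencode({"type": "export", "category": "threat-pcap",
                       "pcap-id": pcap_id, "search-time": search_time,
                       "key": api_key})
    return f"https://{firewall_ip}/api/?{query}"


def resolve_and_build(threat_log, devices, api_key):
    """Pick the firewall for one threat log record and build its export URL.
    threat_log carries the 'serial', 'pcap_id' and 'receive_time' fields."""
    serial = threat_log["serial"]
    if serial not in devices:
        raise KeyError(f"serial {serial} is not connected to Panorama")
    return threat_pcap_url(devices[serial], api_key,
                           threat_log["pcap_id"], threat_log["receive_time"])


def fetch_threat_pcap(panorama_host, api_key, threat_log, http_get=None):
    """Full pivot: Panorama op command -> firewall IP -> firewall export.
    http_get(url) -> bytes; the default performs a live HTTPS request with
    certificate verification left on, so the firewalls need trusted certs."""
    http_get = http_get or (lambda url: urlopen(url).read())
    devices_xml = http_get(panorama_devices_url(panorama_host, api_key)).decode()
    devices = parse_connected_devices(devices_xml)
    return http_get(resolve_and_build(threat_log, devices, api_key))


if __name__ == "__main__":
    # Offline demonstration using the constructed sample instead of a live call.
    def fake_get(url):
        if url.startswith("https://panorama.example/"):
            return SAMPLE_DEVICES_XML.encode()
        return b"<constructed pcap bytes from " + url.split("/")[2].encode() + b">"

    log = {"serial": "001901000002", "pcap_id": 42,
           "receive_time": "2024/01/02 03:04:05"}
    print(fetch_threat_pcap("panorama.example", "PLACEHOLDER_KEY", log, fake_get))
```

Two practical notes: cache the serial-to-IP map rather than hitting Panorama once per threat log, and treat a serial that is absent from "show devices connected" as a firewall that is offline or unmanaged, which is the case to surface in the Splunk dashboard rather than retry silently.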