All Apps and Add-ons

Palo Alto App more details needed

Jey2017
New Member

Hi, we are managing Palo Alto firewalls, ASA, Juniper netscreen and Checkpoint firewalls and some endpoints in our environment.

Palo Alto App is built only for Palo Alto products alone? (Firewall and end points devices) or we can use for all products?

Is it useful for validating changes made by the firewall admins?

Kindly advice, Thanks in advance.

Tags (2)
0 Karma
1 Solution

mnatkin_splunk
Splunk Employee
Splunk Employee

Each data source has its own formatting; in the case of Check Point, it also has its own mechanism for ingesting the data. The PAN app is written specifically to support their product, and therefore won't meet your needs in and of itself.

Technical Add-ons (TAs) are designed to quickly and easily ingest and/or map a specific type of data. Each technology may have a TA.

In short, you want to bring in the disparate sources and normalize the language from which to query it. Splunk offers the Common Information Model (available at https://splunkbase.splunk.com/app/1621/) to normalize your data to match a common standard, using the same field names and event tags for equivalent events from different sources or vendors. You can then build searches and visualizations with standardized fields and tags to meet your needs that provide a holistic view across your heterogenous environment.

The Splunk Add-on for Cisco ASA is available at https://splunkbase.splunk.com/app/1620/
The community-supported Cisco Security Suite App (which makes use of the ASA Add-on) is available at https://splunkbase.splunk.com/app/525/ and provides searches and visualizations for your Cisco security solutions.

The TA for Check Point is available at https://splunkbase.splunk.com/app/3197/
There's a community App with some visualizations from data pulled through the TA at https://splunkbase.splunk.com/app/2670/

The Juniper Add-On is available at https://splunkbase.splunk.com/app/2847/
This allows you to pull system logs and traffic statistics from Juniper IDP, Juniper NetScreen Firewall, Juniper NSM, Juniper NSM IDP, Juniper SSLVPN, Junos OS, and Juniper SRX using syslog. It also includes a few dashboards.

As mentioned previously, the data from these disparate sources can be queried through the use of CIM. If there are specific dashboard panels and / or searches from any of the above, you may be able duplicate and modify them to search across all your security data sources. Splunk's premium app, Enterprise Security, is expressly designed to to this.

I strongly suggest you also have a look at the Splunk Security Essentials app (available at https://splunkbase.splunk.com/app/3435/ ), which provides working examples of anomaly detection related to entity behavior analysis (UEBA). Each use case includes sample data and actionable searches that can immediately be put to use in your environment.

Your capabilities for auditing changes will be dependent upon the logging level of your technology and reliance on pulling the correct data (in the case of Check Point, you need to ingest both the firewall log (for reporting on firewall activity) and the audit log (for change management). PAN's app does a nice job of guiding you through the process. If memory serves, Cisco and Netscreen both require that system messages be logged and transmitted via syslog.

View solution in original post

0 Karma

mnatkin_splunk
Splunk Employee
Splunk Employee

Each data source has its own formatting; in the case of Check Point, it also has its own mechanism for ingesting the data. The PAN app is written specifically to support their product, and therefore won't meet your needs in and of itself.

Technical Add-ons (TAs) are designed to quickly and easily ingest and/or map a specific type of data. Each technology may have a TA.

In short, you want to bring in the disparate sources and normalize the language from which to query it. Splunk offers the Common Information Model (available at https://splunkbase.splunk.com/app/1621/) to normalize your data to match a common standard, using the same field names and event tags for equivalent events from different sources or vendors. You can then build searches and visualizations with standardized fields and tags to meet your needs that provide a holistic view across your heterogenous environment.

The Splunk Add-on for Cisco ASA is available at https://splunkbase.splunk.com/app/1620/
The community-supported Cisco Security Suite App (which makes use of the ASA Add-on) is available at https://splunkbase.splunk.com/app/525/ and provides searches and visualizations for your Cisco security solutions.

The TA for Check Point is available at https://splunkbase.splunk.com/app/3197/
There's a community App with some visualizations from data pulled through the TA at https://splunkbase.splunk.com/app/2670/

The Juniper Add-On is available at https://splunkbase.splunk.com/app/2847/
This allows you to pull system logs and traffic statistics from Juniper IDP, Juniper NetScreen Firewall, Juniper NSM, Juniper NSM IDP, Juniper SSLVPN, Junos OS, and Juniper SRX using syslog. It also includes a few dashboards.

As mentioned previously, the data from these disparate sources can be queried through the use of CIM. If there are specific dashboard panels and / or searches from any of the above, you may be able duplicate and modify them to search across all your security data sources. Splunk's premium app, Enterprise Security, is expressly designed to to this.

I strongly suggest you also have a look at the Splunk Security Essentials app (available at https://splunkbase.splunk.com/app/3435/ ), which provides working examples of anomaly detection related to entity behavior analysis (UEBA). Each use case includes sample data and actionable searches that can immediately be put to use in your environment.

Your capabilities for auditing changes will be dependent upon the logging level of your technology and reliance on pulling the correct data (in the case of Check Point, you need to ingest both the firewall log (for reporting on firewall activity) and the audit log (for change management). PAN's app does a nice job of guiding you through the process. If memory serves, Cisco and Netscreen both require that system messages be logged and transmitted via syslog.

View solution in original post

0 Karma

adonio
SplunkTrust
SplunkTrust

for your questions:
yes, it is built for PAN alone
yes, you can validate changes by PAN admins
read here all the way through docs:
http://pansplunk.readthedocs.io/en/latest/getting_started.html
Splunk also has pre-built app for other products you mentioned, ASA, junipoer etc.
leveraging Splunk CIM (or ES down the road) yuo can ask questions across all firewall as data can be normalized.

0 Karma
.conf21 Now Fully Virtual!
Register for FREE Today!

We've made .conf21 totally virtual and totally FREE! Our completely online experience will run from 10/19 through 10/20 with some additional events, too!