ExtremeCloud IQ- Site Engine & Extreme Management Center


 XMC/Control - Palo Alto integration

Fijs posted 12-24-2021 05:41
Hi all,

I'm trying to get the XMC/Control - PA integration working. The goal is that if PA detects a threat, the host gets quarantined in Control.
PA setup is done, XMC receives the Syslog entry:

PaloAlto: -threatIpAddress X.X.X.X -threatName "HTTP /etc/passwd Access Attempt(35107)" -severity high

But according to the logs, this does not match the regex I've set up in Connect > Distributed IPS:

2021-12-24 13:20:00,268 DEBUG [com.enterasys.netsight.api.eventlog.EventAlarmDef] matchEventEntry: Matches = false for event with message =PaloAlto: -threatIpAddress X.X.X.X -threatName "HTTP /etc/passwd Access Attempt(35107)" -severity high

I have the same result with the below 3 regex strings:
-threatIpAddress $threatIpAddress -threatName $threatName -severity $severity
Palo Alto: -threatIpAddress $threatIpAddress -threatName $threatName -severity $severity
PaloAlto: -threatIpAddress $threatIpAddress -threatName $threatName

Not sure which one is correct. I've found some outdated doc (https://manualzz.com/doc/10758310/integration-guide), and the recent doc is not that extensive:
ExtremeConnect Security Configuration

Anyone got this working recently?

I'm using PANOS 10 and XMC/Control 8.5.5.32

Thanks!
Zdeněk Pala Best Answer
Hi,

As you can see in the example, the RegEx expects the severity to be "drop". The severity is "high" in your messages from Palo Alto.
If you change the RegEx to "PaloAlto:.-threatIpAddress.$threatIpAddress.-threatName.$threatName.-severity.high" then it will match.

Z.
Zdeněk Pala
Hi.
Share the log message the XMC receives from PA.
The attached document can also help.

Z.
Fijs
Hi Zdenek,

Thanks for the doc, this one is more up-to-date :)
The config I already had seems to match the doc, apart from a few details:

- no LLDP active on PA (don't see why this is needed)
- I had not added the PA in XMC devices - is this required?
- I updated my regex to match the one in your doc: "PaloAlto:.-threatIpAddress.$threatIpAddress.-threatName.$threatName.-severity.drop"

Unfortunately the regex is still not matching. Syslog received in XMC /var/log/syslog

<3>Dec 26 22:55:59 PA-VM(X.X.X.X) PaloAlto: -threatIpAddress X.X.X.Y -threatName "HTTP /etc/passwd Access Attempt(35107)" -severity high


XMC server.log:

2021-12-26 22:56:02,402 DEBUG [com.enterasys.netsight.api.eventlog.EventAlarmDef] matchEventEntry: Severity = true Category = true Type = true
2021-12-26 22:56:02,402 DEBUG [com.enterasys.netsight.api.eventlog.EventAlarmDef] matchEventEntry: Event = true LogManager = false Subnet = true
2021-12-26 22:56:02,402 DEBUG [com.enterasys.netsight.api.eventlog.EventAlarmDef] matchEventEntry: Phrase = false
2021-12-26 22:56:02,402 DEBUG [com.enterasys.netsight.api.eventlog.EventAlarmDef] matchEventEntry: Matches = false for event with message =PaloAlto: -threatIpAddress X.X.X.Y -threatName "HTTP /etc/passwd Access Attempt(35107)" -severity high


(IPs are obfuscated)
These 4 lines are repeated quite a lot.

Thanks!
Fijs
Hi Zdenek,

Correct, this matches fine now.
I also tried with "PaloAlto:.-threatIpAddress.$threatIpAddress.-threatName.$threatName.-severity.$severity", but this does not seem to work.
In the end I used "PaloAlto:.-threatIpAddress.$threatIpAddress.-threatName.$threatName.-severity.*" so I don't have to make different entries in Connect for each severity level.
It is however good that we can take different actions based on the severity level.

Thanks again for your help!
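To check a Distributed IPS phrase against a captured syslog line before deploying it, here is an added Python example (not from the thread and not Extreme's own code). It assumes that $threatIpAddress and $threatName expand to capture groups and that the remaining characters are an ordinary regex, so the "." separators match the spaces in the message; it does not model how Connect handles $severity, which the thread reports as not matching.

```python
import re

# Constructed sample message mirroring the (obfuscated) syslog line in the thread.
SAMPLE_MESSAGE = ('PaloAlto: -threatIpAddress 10.0.0.5 -threatName '
                  '"HTTP /etc/passwd Access Attempt(35107)" -severity high')

# The three Distributed IPS phrases discussed in the thread.
PATTERN_DROP = 'PaloAlto:.-threatIpAddress.$threatIpAddress.-threatName.$threatName.-severity.drop'
PATTERN_HIGH = 'PaloAlto:.-threatIpAddress.$threatIpAddress.-threatName.$threatName.-severity.high'
PATTERN_ANY = 'PaloAlto:.-threatIpAddress.$threatIpAddress.-threatName.$threatName.-severity.*'

# Assumption: each $placeholder expands to a capture group. This mapping is
# constructed for the example; it is not Connect's own implementation.
PLACEHOLDER_GROUPS = {
    'threatIpAddress': r'(?P<threatIpAddress>\d{1,3}(?:\.\d{1,3}){3})',
    'threatName': r'(?P<threatName>"[^"]*"|\S+)',
}

def connect_pattern_to_regex(pattern):
    """Expand known $placeholders into named groups; everything else is left as
    literal regex, so the '.' separators are wildcards that also match spaces."""
    def expand(m):
        name = m.group(1)
        if name not in PLACEHOLDER_GROUPS:
            raise ValueError(f'unknown placeholder ${name}')
        return PLACEHOLDER_GROUPS[name]
    return re.compile(re.sub(r'\$(\w+)', expand, pattern))

def match_event(pattern, message):
    """Return the captured fields if the phrase matches the message, else None."""
    m = connect_pattern_to_regex(pattern).search(message)
    return m.groupdict() if m else None

if __name__ == '__main__':
    for label, pat in [('drop', PATTERN_DROP), ('high', PATTERN_HIGH), ('any', PATTERN_ANY)]:
        print(f'{label}: {match_event(pat, SAMPLE_MESSAGE)}')
```

Running it shows the "drop" phrase returning None for a "high" event while the "high" and ".*" phrases capture the IP and threat name, which is the behaviour the thread describes.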