topic Re: XMC/Control - Palo Alto integration in ExtremeCloud IQ- Site Engine Management Center

XMC/Control - Palo Alto integration

Fijs — Fri, 24 Dec 2021 13:32:02 GMT

Hi all,

I'm trying to get the XMC/Control - PA integration working. Goal is that if PA detects a threat, the host gets quarantined in Control.
PA setup is done, XMC receives the Syslog entry:

PaloAlto: -threatIpAddress X.X.X.X -threatName "HTTP /etc/passwd Access Attempt(35107)" -severity high

But according to the logs, this does not match the regex I've set up in Connect > Distributed IPS:

2021-12-24 13:20:00,268 DEBUG [com.enterasys.netsight.api.eventlog.EventAlarmDef] matchEventEntry: Matches = false for event with message =PaloAlto: -threatIpAddress X.X.X.X -threatName "HTTP /etc/passwd Access Attempt(35107)" -severity high

I've the same result with the below 3 regex strings:
-threatIpAddress $threatIpAddress -threatName $threatName -severity $severity
Palo Alto: -threatIpAddress $threatIpAddress -threatName $threatName -severity $severity
PaloAlto: -threatIpAddress $threatIpAddress -threatName $threatName

Not sure which one is correct. I've found some outdated doc (https://manualzz.com/doc/10758310/integration-guide), and the recent doc is not that extensive:
ExtremeConnect Security Configuration

Anyone got this working recently?

I'm using PANOS 10 and XMC/Control 8.5.5.32

Thanks!

Re: XMC/Control - Palo Alto integration

Zdeněk_Pala — Sat, 25 Dec 2021 14:46:28 GMT

Hi.
Share the log message the XMC receives from PA.
Attached document can help also

Z.

Re: XMC/Control - Palo Alto integration

Fijs — Mon, 27 Dec 2021 00:52:32 GMT

Hi Zdenek,

Thanks for the doc, this one is more up-to-date 🙂
The config I already had, seems to be matching the doc, apart from a few details:

- no LLDP active on PA (don't see why this is needed)
- I had not added the PA in XMC devices - is this required?
- I update my regex to match the one in your doc: "PaloAlto:.-threatIpAddress.$threatIpAddress.-threatName.$threatName.-severity.drop"

Unfortunately the regex is still not matching. Syslog received in XMC /var/log/syslog

<3>Dec 26 22:55:59 PA-VM(X.X.X.X) PaloAlto: -threatIpAddress X.X.X.Y -threatName "HTTP /etc/passwd Access Attempt(35107)" -severity high

XMC server.log:

2021-12-26 22:56:02,402 DEBUG [com.enterasys.netsight.api.eventlog.EventAlarmDef] matchEventEntry: Severity = true Category = true Type = true
2021-12-26 22:56:02,402 DEBUG [com.enterasys.netsight.api.eventlog.EventAlarmDef] matchEventEntry: Event = true LogManager = false Subnet = true
2021-12-26 22:56:02,402 DEBUG [com.enterasys.netsight.api.eventlog.EventAlarmDef] matchEventEntry: Phrase = false
2021-12-26 22:56:02,402 DEBUG [com.enterasys.netsight.api.eventlog.EventAlarmDef] matchEventEntry: Matches = false for event with message =PaloAlto: -threatIpAddress X.X.X.Y -threatName "HTTP /etc/passwd Access Attempt(35107)" -severity high

(IP's are obfuscated)
These 4 lines are repeated quite a lot.

Thanks!

Re: XMC/Control - Palo Alto integration

Zdeněk_Pala — Mon, 27 Dec 2021 11:19:18 GMT

Hi,

as you can see in the Example the RegEx expects the severity to be "drop". The severity is "high" in your messages from Palo Alto.
If you change the RegEx to "PaloAlto:.-threatIpAddress.$threatIpAddress.-threatName.$threatName.-severity.high" then it will match.

Z.

Re: XMC/Control - Palo Alto integration

Fijs — Tue, 28 Dec 2021 17:28:56 GMT

Hi Zdenek,

Correct, this matches fine now.
I also tried with "PaloAlto:.-threatIpAddress.$threatIpAddress.-threatName.$threatName.-severity.$severity", but this does not seem to work.
In the end I used "PaloAlto:.-threatIpAddress.$threatIpAddress.-threatName.$threatName.-severity.*" so I don't have to make different entries in Connect to for each severity level.
It is however good that we can take different actions based on the severity level.

Thanks again for your help!