12-24-2021 05:32 AM
Hi all,
I'm trying to get the XMC/Control - PA integration working. Goal is that if PA detects a threat, the host gets quarantined in Control.
PA setup is done, XMC receives the Syslog entry:
PaloAlto: -threatIpAddress X.X.X.X -threatName "HTTP /etc/passwd Access Attempt(35107)" -severity high
But according to the logs, this does not match the regex I've set up in Connect > Distributed IPS:
2021-12-24 13:20:00,268 DEBUG [com.enterasys.netsight.api.eventlog.EventAlarmDef] matchEventEntry: Matches = false for event with message =PaloAlto: -threatIpAddress X.X.X.X -threatName "HTTP /etc/passwd Access Attempt(35107)" -severity high
I've the same result with the below 3 regex strings:
-threatIpAddress $threatIpAddress -threatName $threatName -severity $severity
Palo Alto: -threatIpAddress $threatIpAddress -threatName $threatName -severity $severity
PaloAlto: -threatIpAddress $threatIpAddress -threatName $threatName
Not sure which one is correct. I've found some outdated doc (https://manualzz.com/doc/10758310/integration-guide), and the recent doc is not that extensive:
ExtremeConnect Security Configuration
Anyone got this working recently?
I'm using PANOS 10 and XMC/Control 8.5.5.32
Thanks!
1 ACCEPTED SOLUTION
12-27-2021 03:19 AM
Hi,
As you can see in the example, the RegEx expects the severity to be "drop". The severity is "high" in your messages from Palo Alto.
If you change the RegEx to "PaloAlto:.-threatIpAddress.$threatIpAddress.-threatName.$threatName.-severity.high" then it will match.
Z.
Regards
Zdeněk Pala
4 REPLIES
12-28-2021 09:28 AM
Hi Zdenek,
Correct, this matches fine now.
I also tried with "PaloAlto:.-threatIpAddress.$threatIpAddress.-threatName.$threatName.-severity.$severity", but this does not seem to work.
In the end I used "PaloAlto:.-threatIpAddress.$threatIpAddress.-threatName.$threatName.-severity.*" so I don't have to make different entries in Connect for each severity level.
It is however good that we can take different actions based on the severity level.
Thanks again for your help!
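As an added illustration (not code from this thread, from Extreme or from Palo Alto), the following Python model runs the three phrases discussed above against a message in the same shape as the quoted syslog entry. It assumes that `$threatIpAddress` and `$threatName` expand to capture groups and that `.` / `.*` stay wildcards; that is a hypothetical simplification of the Connect matcher, used only to show why the literal "drop" phrase never matches, why the "high" phrase matches only one severity, and what the `.*` phrase captures.

```python
import re

# Constructed sample payload in the same shape as the message quoted in the thread
# (192.0.2.10 is a documentation address, not a real host).
SAMPLE_MSG = ('PaloAlto: -threatIpAddress 192.0.2.10 -threatName '
              '"HTTP /etc/passwd Access Attempt(35107)" -severity high')

# Assumed expansion of the two Connect phrase variables into named capture groups.
# This is a hypothetical model of the matcher, not XMC's own implementation.
VARIABLES = {
    '$threatIpAddress': r'(?P<threatIpAddress>\d{1,3}(?:\.\d{1,3}){3})',
    '$threatName': r'"?(?P<threatName>[^"]+)"?',
}

# The three phrases from the thread: the doc example (literal "drop"), the fix
# from the accepted answer (literal "high"), and the OP's final ".*" variant.
PHRASES = {
    'doc_example': 'PaloAlto:.-threatIpAddress.$threatIpAddress.-threatName.$threatName.-severity.drop',
    'fixed_high': 'PaloAlto:.-threatIpAddress.$threatIpAddress.-threatName.$threatName.-severity.high',
    'any_severity': 'PaloAlto:.-threatIpAddress.$threatIpAddress.-threatName.$threatName.-severity.*',
}


def phrase_to_regex(phrase: str) -> re.Pattern:
    """Compile a Distributed IPS phrase: literal text is escaped, '.' and '.*'
    are kept as wildcards (as in the thread's phrases), $variables become groups."""
    parts = []
    for token in re.split(r'(\$\w+|\.\*|\.)', phrase):
        if token in VARIABLES:
            parts.append(VARIABLES[token])
        elif token in ('.', '.*'):
            parts.append(token)
        else:
            parts.append(re.escape(token))
    return re.compile(''.join(parts))


def match_threat(phrase: str, message: str):
    """Return the captured fields (the IP that would be quarantined and the
    threat name) if the phrase matches the message, otherwise None."""
    m = phrase_to_regex(phrase).search(message)
    return m.groupdict() if m else None


def matching_phrases(message: str) -> list:
    """Names of the thread's phrases that match a given message."""
    return [name for name, p in PHRASES.items() if match_threat(p, message)]


if __name__ == '__main__':
    for sev in ('low', 'medium', 'high', 'critical'):
        msg = SAMPLE_MSG.replace('-severity high', '-severity ' + sev)
        print(sev, '->', matching_phrases(msg))
```

Because `search` is used, the model also accepts the full syslog line with its `<3>Dec 26 ... PA-VM(...)` prefix. The `.*` phrase matches every severity, so the severity no longer gates the quarantine; one entry per severity, as the reply notes, keeps that control.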
12-26-2021 04:52 PM
Hi Zdenek,
Thanks for the doc, this one is more up-to-date 🙂
The config I already had seems to match the doc, apart from a few details:
- no LLDP active on PA (don't see why this is needed)
- I had not added the PA in XMC devices - is this required?
- I updated my regex to match the one in your doc: "PaloAlto:.-threatIpAddress.$threatIpAddress.-threatName.$threatName.-severity.drop"
Unfortunately the regex is still not matching. Syslog received in XMC /var/log/syslog:
<3>Dec 26 22:55:59 PA-VM(X.X.X.X) PaloAlto: -threatIpAddress X.X.X.Y -threatName "HTTP /etc/passwd Access Attempt(35107)" -severity high
XMC server.log:
2021-12-26 22:56:02,402 DEBUG [com.enterasys.netsight.api.eventlog.EventAlarmDef] matchEventEntry: Severity = true Category = true Type = true
2021-12-26 22:56:02,402 DEBUG [com.enterasys.netsight.api.eventlog.EventAlarmDef] matchEventEntry: Event = true LogManager = false Subnet = true
2021-12-26 22:56:02,402 DEBUG [com.enterasys.netsight.api.eventlog.EventAlarmDef] matchEventEntry: Phrase = false
2021-12-26 22:56:02,402 DEBUG [com.enterasys.netsight.api.eventlog.EventAlarmDef] matchEventEntry: Matches = false for event with message =PaloAlto: -threatIpAddress X.X.X.Y -threatName "HTTP /etc/passwd Access Attempt(35107)" -severity high
(IPs are obfuscated)
These 4 lines are repeated quite a lot.
12-25-2021 06:46 AM
Hi.
Share the log message the XMC receives from PA.
The attached document can also help.
Z.
Regards
Zdeněk Pala
