XMC/Control - Palo Alto integration

Fijs
New Contributor III
Hi all,

I'm trying to get the XMC/Control - PA integration working. The goal is that if PA detects a threat, the host gets quarantined in Control.
PA setup is done, XMC receives the Syslog entry:

PaloAlto: -threatIpAddress X.X.X.X -threatName "HTTP /etc/passwd Access Attempt(35107)" -severity high

But according to the logs, this does not match the regex I've set up in Connect > Distributed IPS:

2021-12-24 13:20:00,268 DEBUG [com.enterasys.netsight.api.eventlog.EventAlarmDef] matchEventEntry: Matches = false for event with message =PaloAlto: -threatIpAddress X.X.X.X -threatName "HTTP /etc/passwd Access Attempt(35107)" -severity high

I have the same result with the 3 regex strings below:
-threatIpAddress $threatIpAddress -threatName $threatName -severity $severity
Palo Alto: -threatIpAddress $threatIpAddress -threatName $threatName -severity $severity
PaloAlto: -threatIpAddress $threatIpAddress -threatName $threatName

Not sure which one is correct. I've found some outdated doc (https://manualzz.com/doc/10758310/integration-guide), and the recent doc is not that extensive:
ExtremeConnect Security Configuration

Anyone got this working recently?

I'm using PAN-OS 10 and XMC/Control 8.5.5.32

Thanks!
1 ACCEPTED SOLUTION

Zdeněk_Pala
Extreme Employee
Hi,

As you can see in the example, the RegEx expects the severity to be "drop". The severity is "high" in your messages from Palo Alto.
If you change the RegEx to "PaloAlto:.-threatIpAddress.$threatIpAddress.-threatName.$threatName.-severity.high" then it will match.

Z.
Regards Zdeněk Pala


4 REPLIES

Fijs
New Contributor III
Hi Zdenek,

Correct, this matches fine now.
I also tried with "PaloAlto:.-threatIpAddress.$threatIpAddress.-threatName.$threatName.-severity.$severity", but this does not seem to work.
In the end I used "PaloAlto:.-threatIpAddress.$threatIpAddress.-threatName.$threatName.-severity.*" so I don't have to make different entries in Connect for each severity level.
It is, however, good that we can take different actions based on the severity level.

Thanks again for your help!

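Worked example, added here and not part of the thread or of Extreme's or Palo Alto's code: a small Python harness that emulates placeholder-to-regex translation so the three phrases from this thread can be tried against captured syslog lines offline, before they go into Connect > Distributed IPS. How XMC actually expands `$threatIpAddress` and `$threatName` is not documented on this page, so the translation table, the treatment of unknown placeholders as literal text, the sample log lines (constructed; only the first is the message quoted in the thread, with a made-up IP) and the severity ranking used for the quarantine policy are all assumptions of the example.

```python
import re

# Translation table for the placeholders used in the thread. ASSUMPTION: XMC's real
# expansion is not documented on this page; these groups are chosen so the IP is a
# single token and the threat name may be a quoted string containing spaces.
PLACEHOLDERS = {
    "threatIpAddress": r"(?P<threatIpAddress>\S+)",
    "threatName": r'(?P<threatName>"[^"]*"|\S+)',
}

# PAN-OS threat severities, lowest to highest, for the per-severity policy below.
SEVERITY_RANK = {"informational": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# The three phrase variants discussed in the thread.
PHRASE_HIGH = 'PaloAlto:.-threatIpAddress.$threatIpAddress.-threatName.$threatName.-severity.high'
PHRASE_VAR = 'PaloAlto:.-threatIpAddress.$threatIpAddress.-threatName.$threatName.-severity.$severity'
PHRASE_ANY = 'PaloAlto:.-threatIpAddress.$threatIpAddress.-threatName.$threatName.-severity.*'

# Constructed sample messages: the first is the thread's line with a made-up IP; the
# rest are invented to exercise other severities, an unquoted name, a syslog header
# prefix and an unrelated line. They are not real PAN-OS output.
SAMPLE_LINES = [
    'PaloAlto: -threatIpAddress 10.0.0.5 -threatName "HTTP /etc/passwd Access Attempt(35107)" -severity high',
    'PaloAlto: -threatIpAddress 10.0.0.6 -threatName "Constructed Signature Two(2)" -severity medium',
    'PaloAlto: -threatIpAddress 10.0.0.7 -threatName "Constructed Signature Three(3)" -severity low',
    'PaloAlto: -threatIpAddress 10.0.0.8 -threatName unquoted-name -severity critical',
    'Dec 26 22:55:59 PA-VM(10.0.0.1) PaloAlto: -threatIpAddress 10.0.0.9 -threatName "Constructed Signature Four(4)" -severity high',
    'sshd[1234]: Accepted publickey for admin from 10.0.0.2 port 50000',
]


def compile_phrase(phrase):
    """Turn an XMC-style phrase into a compiled Python regex.

    Text outside placeholders is kept as regex, so '.' is a one-character
    wildcard and '.*' matches the rest of the line, as in the thread.
    A placeholder that is not in PLACEHOLDERS is kept as literal text
    (assumption; it reproduces the thread's observation that '$severity'
    never matched, because no message contains that literal string).
    """
    parts, pos = [], 0
    for m in re.finditer(r"\$([A-Za-z]+)", phrase):
        parts.append(phrase[pos:m.start()])
        parts.append(PLACEHOLDERS.get(m.group(1), re.escape(m.group(0))))
        pos = m.end()
    parts.append(phrase[pos:])
    return re.compile("".join(parts))


def match_phrase(phrase, message):
    """Return the captured fields if the phrase matches anywhere in the message, else None."""
    m = compile_phrase(phrase).search(message)
    if m is None:
        return None
    fields = m.groupdict()
    name = fields.get("threatName", "")
    if name.startswith('"') and name.endswith('"'):
        fields["threatName"] = name[1:-1]  # drop the quotes PAN-OS puts around the name
    return fields


def severity_of(message):
    """Pull the severity token out of the message independently of the phrase."""
    m = re.search(r"-severity (\S+)", message)
    return m.group(1) if m else None


def quarantine_candidates(messages, phrase, minimum="high"):
    """Hosts that match the phrase and carry a severity at or above 'minimum'.

    Returns (ip, threat name, severity) tuples. The threshold policy is the
    example's own, not something XMC does for you.
    """
    threshold = SEVERITY_RANK[minimum]
    hits = []
    for msg in messages:
        fields = match_phrase(phrase, msg)
        if fields is None:
            continue
        sev = severity_of(msg)
        if sev is not None and SEVERITY_RANK.get(sev, -1) >= threshold:
            hits.append((fields["threatIpAddress"], fields["threatName"], sev))
    return hits


if __name__ == "__main__":
    for phrase in (PHRASE_HIGH, PHRASE_VAR, PHRASE_ANY):
        matched = sum(1 for line in SAMPLE_LINES if match_phrase(phrase, line))
        print(f"{matched}/{len(SAMPLE_LINES)} lines match  {phrase}")
    for ip, name, sev in quarantine_candidates(SAMPLE_LINES, PHRASE_ANY, "medium"):
        print(f"quarantine {ip}: {name} ({sev})")
```

Run as a script, the three phrases behave as in the thread: the `-severity.high` phrase matches only the high-severity lines, the `-severity.$severity` phrase matches nothing, and the `-severity.*` phrase matches every severity, with the severity recovered by a separate expression so one Connect entry can still drive per-severity actions. This emulator would also accept the space-separated phrases from the first post, so whatever XMC does with those is not modelled here; the dotted form from the documentation is the one confirmed to work in the thread.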
Fijs
New Contributor III
Hi Zdenek,

Thanks for the doc, this one is more up-to-date 🙂
The config I already had seems to match the doc, apart from a few details:

- no LLDP active on PA (don't see why this is needed)
- I had not added the PA in XMC devices - is this required?
- I updated my regex to match the one in your doc: "PaloAlto:.-threatIpAddress.$threatIpAddress.-threatName.$threatName.-severity.drop"

Unfortunately the regex is still not matching. Syslog received in XMC /var/log/syslog:

<3>Dec 26 22:55:59 PA-VM(X.X.X.X) PaloAlto: -threatIpAddress X.X.X.Y -threatName "HTTP /etc/passwd Access Attempt(35107)" -severity high


XMC server.log:

2021-12-26 22:56:02,402 DEBUG [com.enterasys.netsight.api.eventlog.EventAlarmDef] matchEventEntry: Severity = true Category = true Type = true
2021-12-26 22:56:02,402 DEBUG [com.enterasys.netsight.api.eventlog.EventAlarmDef] matchEventEntry: Event = true LogManager = false Subnet = true
2021-12-26 22:56:02,402 DEBUG [com.enterasys.netsight.api.eventlog.EventAlarmDef] matchEventEntry: Phrase = false
2021-12-26 22:56:02,402 DEBUG [com.enterasys.netsight.api.eventlog.EventAlarmDef] matchEventEntry: Matches = false for event with message =PaloAlto: -threatIpAddress X.X.X.Y -threatName "HTTP /etc/passwd Access Attempt(35107)" -severity high


(IPs are obfuscated)
These 4 lines are repeated quite a lot.

Thanks!

Zdeněk_Pala
Extreme Employee
Hi.
Share the log message the XMC receives from PA.
The attached document can also help.

Z.
Regards Zdeněk Pala