New Contributor

CPPM IEE with PAN

Hi Guys,

I read the Tech note for that part and it is mostly with SRX. I get that the concept is the same with PAN firewall but I'm having issues getting the first step to work.

I start the ingress logger service and the other service right below that one, but I don't see anything coming to my Access Tracker. I collected logs for ClearPass and I only see this in the "ingressproc.log" file:

2017/10/30 16:26:31 ERROR Failed to perform request=http://localhost:9200/logstash-*/_search?pretty=true
2017/10/30 16:26:31 ERROR Failed to perform request=http://localhost:9200/logstash-*/_search?pretty=true
2017/10/30 16:26:31 ERROR Failed to read events, cause=Get http://localhost:9200/logstash-*/_search?pretty=true: dial tcp 127.0.0.1:9200: getsockopt: connection refused
2017/10/30 18:18:01 ERROR Failed to perform request=http://localhost:9200/logstash-*/_search?pretty=true
2017/10/30 18:18:01 ERROR Failed to perform request=http://localhost:9200/logstash-*/_search?pretty=true
2017/10/30 18:18:01 ERROR Failed to read events, cause=Get http://localhost:9200/logstash-*/_search?pretty=true: dial tcp 127.0.0.1:9200: getsockopt: connection refused

Anyone have any experience with this? I already added CP as a syslog target on my PAN.
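Added example (not part of the original post, and not ClearPass code): a small parser for ingressproc.log lines in the format quoted above. It pulls out the timestamp, the Elasticsearch query URL the ingress processor was trying, and, where present, the TCP dial target and error, then collapses the repeating lines into one finding per target and error. Run over the six lines above it shows that every failure is the same local endpoint, 127.0.0.1:9200, refusing the connection; that is the hop to confirm on the ClearPass node itself before looking at the PAN syslog side. The regexes are assumptions derived from the quoted lines only, and the sample log is constructed from the post.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the ingressproc.log lines quoted in the post above.
SAMPLE_LOG = """\
2017/10/30 16:26:31 ERROR Failed to perform request=http://localhost:9200/logstash-*/_search?pretty=true
2017/10/30 16:26:31 ERROR Failed to perform request=http://localhost:9200/logstash-*/_search?pretty=true
2017/10/30 16:26:31 ERROR Failed to read events, cause=Get http://localhost:9200/logstash-*/_search?pretty=true: dial tcp 127.0.0.1:9200: getsockopt: connection refused
2017/10/30 18:18:01 ERROR Failed to perform request=http://localhost:9200/logstash-*/_search?pretty=true
2017/10/30 18:18:01 ERROR Failed to perform request=http://localhost:9200/logstash-*/_search?pretty=true
2017/10/30 18:18:01 ERROR Failed to read events, cause=Get http://localhost:9200/logstash-*/_search?pretty=true: dial tcp 127.0.0.1:9200: getsockopt: connection refused
"""

# Assumed line shape: "<YYYY/MM/DD HH:MM:SS> <LEVEL> <message>" (inferred from the quoted lines).
LINE_RE = re.compile(r'^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (?P<level>[A-Z]+) (?P<msg>.*)$')
# The URL being queried, introduced either by "request=" or by Go's "Get <url>: <error>" wording.
URL_RE = re.compile(r'(?:request=|Get )(?P<url>http\S+?)(?::\s|$)')
# Go net/http dial failure: "dial tcp <host>:<port>: <syscall>: <errno text>".
DIAL_RE = re.compile(r'dial tcp (?P<host>[\d.]+):(?P<port>\d+): \S+: (?P<errno>.+)$')


@dataclass
class IngressEvent:
    ts: str
    level: str
    msg: str
    query_url: Optional[str]    # Elasticsearch URL the ingress processor tried to reach
    dial_target: Optional[str]  # "host:port" when the message carries a TCP dial failure
    dial_error: Optional[str]   # e.g. "connection refused"


def parse_ingressproc(text: str) -> List[IngressEvent]:
    """Parse ingressproc.log text into structured events; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        u = URL_RE.search(m['msg'])
        d = DIAL_RE.search(m['msg'])
        events.append(IngressEvent(
            ts=m['ts'],
            level=m['level'],
            msg=m['msg'],
            query_url=u['url'] if u else None,
            dial_target=f"{d['host']}:{d['port']}" if d else None,
            dial_error=d['errno'] if d else None,
        ))
    return events


def diagnose(events: List[IngressEvent]) -> List[dict]:
    """Collapse repeated dial failures into one finding per (target, error), most frequent first."""
    counts = Counter((e.dial_target, e.dial_error) for e in events if e.dial_target)
    return [{'target': target, 'error': err, 'count': n}
            for (target, err), n in counts.most_common()]


if __name__ == '__main__':
    evs = parse_ingressproc(SAMPLE_LOG)
    for f in diagnose(evs):
        print(f"{f['count']}x {f['error']} dialing {f['target']}")
```

A finding whose target is 127.0.0.1 means the processor could not open a TCP connection on the ClearPass node itself, so no syslog from the firewall, however well configured, can show up in Access Tracker until that local listener is up.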

Moderator

Re: CPPM IEE with PAN

So which parts of the config have you completed?

Defined the source in Event Sources?

Defined which Dictionary it will use?

Is this a new Dictionary or an existing one?

Have you defined a new Event Service Policy?

Best Regards
-d

ClearPass Product Manager

-- Found something helpful, important, or cool? Click the Kudos Star in a post.
-- Problem Solved? Click "Accept as Solution" in a post.
New Contributor

Re: CPPM IEE with PAN

Danny,

- Started the service in CPPM

- Enabled Dictionaries

- Added PAN as an event source

- Created a service

- Added CPPM as a syslog target in PAN

I'm hoping to see any entries in Access Tracker so I can work on my policy and have it trigger an action.

Moderator

Re: CPPM IEE with PAN

How did you define the PANW syslogs, for Threat or Traffic?

Take a look at my ArcSight SIEM Integration Guide on the Aruba support site in the CPPM TechNote folder; it shows you how to set up syslog on the PANW, which might be useful for you.

Also, ensure you use this PANW IEE Dictionary:

PANW_Threat_Dictionary_Bundle_v1.zip


Best Regards
-d

ClearPass Product Manager
