Moderator
Posts: 473
Registered: ‎11-09-2012

NEW TechNote: ClearPass Policy Manager Ingress Event Engine [IEE]

Teams,
 
Following the release of ClearPass Policy Manager 6.6 I've published a NEW TechNote covering a brand new feature we call "The Ingress Event Engine".
 
In this TechNote, read how you set up and configure the IEE to be able to parse syslog and turn that into an actionable event, i.e. trigger a CoA for an endpoint showing as under threat.
 
 
Customers & Partners, you can find the document on the support site located here: CPPM TechNote - Ingress Event Engine V1.0.pdf
 
 
Happy reading – go fill your boots..!!….. comments and feedback/suggestions graciously accepted.

 
Best Regards
-d

Snr Tech Marketing Engineer - ClearPass

-- Found something helpful, important, or cool? Click the Kudos Star in a post.
-- Problem Solved? Click "Accept as Solution" in a post.
Occasional Contributor II
Posts: 11
Registered: ‎06-01-2015

Re: NEW TechNote: ClearPass Policy Manager Ingress Event Engine [IEE]

Hey Danny,

 

This is great!  We've set it up here, but are having dictionary related issues with the Palo Alto.  I have a ticket open and am using the PANW-Threat-Syslog-C provided by TAC, but it's not working.  I've also tried the original PANW-Threat-Syslog and this shows event logs in the tracker between the Palo Alto and Clearpass, but no specific data is being logged.  

 

Any thoughts?

 

Thanks 

Moderator
Posts: 473
Registered: ‎11-09-2012

Re: NEW TechNote: ClearPass Policy Manager Ingress Event Engine [IEE]

Sorry to hear you're having issues. Can you try these dictionaries, please? We might also have to review your syslog setup on the PANW.

 

Here is the PANW syslog for THREAT... and TRAFFIC, in that order:

 


CEF:0|Palo Alto Networks|PAN-OS|6.0.6|$subtype|$type|$number-of-severity|rt=$cef-formatted-receive_time deviceExternalId=$serial src=$src dst=$dst sourceTranslatedAddress=$natsrc destinationTranslatedAddress=$natdst cs1Label=Rule cs1=$rule suser=$srcuser duser=$dstuser app=$app cs3Label=Virtual System cs3=$vsys cs4Label=Source Zone cs4=$from cs5Label=Destination Zone cs5=$to deviceInboundInterface=$inbound_if deviceOutboundInterface=$outbound_if cs6Label=LogProfile cs6=$logset cn1Label=SessionID cn1=$sessionid cnt=$repeatcnt spt=$sport dpt=$dport sourceTranslatedPort=$natsport destinationTranslatedPort=$natdport flexString1Label=Flags flexString1=$flags proto=$proto act=$action request=$misc cs2Label=URL Category cs2=$category flexString2Label=Direction flexString2=$direction externalId=$seqno requestContext=$contenttype cat=$threatid filePath=$cloud fileId=$pcap_id fileHash=$filedigest

 


CEF:0|Palo Alto Networks|PAN-OS|6.0.6|$subtype|$type|1|rt=$cef-formatted-receive_time deviceExternalId=$serial src=$src dst=$dst sourceTranslatedAddress=$natsrc destinationTranslatedAddress=$natdst cs1Label=Rule cs1=$rule suser=$srcuser duser=$dstuser app=$app cs3Label=Virtual System cs3=$vsys cs4Label=Source Zone cs4=$from cs5Label=Destination Zone cs5=$to deviceInboundInterface=$inbound_if deviceOutboundInterface=$outbound_if cs6Label=LogProfile cs6=$logset cn1Label=SessionID cn1=$sessionid cnt=$repeatcnt spt=$sport dpt=$dport sourceTranslatedPort=$natsport destinationTranslatedPort=$natdport flexString1Label=Flags flexString1=$flags proto=$proto act=$action flexNumber1Label=Total bytes flexNumber1=$bytes in=$bytes_sent out=$bytes_received cn2Label=Packets cn2=$packets PanOSPacketsReceived=$pkts_received PanOSPacketsSent=$pkts_sent start=$cef-formatted-time_generated cn3Label=Elapsed time in seconds cn3=$elapsed cs2Label=URL Category cs2=$category externalId=$seqno

 

HTH


Best Regards
-d

Snr Tech Marketing Engineer - ClearPass

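As an added illustration (not code from the TechNote or from Danny's post), here is a small Python parser for the PAN-OS CEF THREAT format above: it splits the seven pipe-delimited header fields, walks the extension by `key=` boundaries so labelled values containing spaces (e.g. `cs3Label=Virtual System`) survive, folds `csNLabel`/`csN` pairs into named attributes, and applies the EXISTS-style check Danny asks for later in the thread. The sample line is constructed; the attribute names a ClearPass dictionary exposes (such as `PANW-Threat:category`) come from the dictionary, not from this code.

```python
import re

# Constructed sample line in the shape of the PAN-OS CEF THREAT template above (all values made up).
SAMPLE_THREAT = (
    "CEF:0|Palo Alto Networks|PAN-OS|6.0.6|url|THREAT|3|"
    "rt=Jan 05 2016 10:11:12 deviceExternalId=0001A1B2C3 src=10.1.2.3 dst=203.0.113.9 "
    "cs1Label=Rule cs1=allow-user-web suser=corp\\jdoe app=google-base "
    "cs3Label=Virtual System cs3=vsys1 cs4Label=Source Zone cs4=trust "
    "cs5Label=Destination Zone cs5=untrust spt=51515 dpt=443 proto=tcp act=alert "
    "cs2Label=URL Category cs2=search-engines externalId=7788 cat=9999"
)

HEADER_FIELDS = ["cef_version", "device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity"]

# Extension values may themselves contain spaces ("Virtual System"), so a value runs
# from its "key=" up to the next " key=" boundary rather than to the next space.
_EXT_KEY = re.compile(r"(?:^|\s)([A-Za-z][A-Za-z0-9]*)=")


def parse_cef(line: str) -> dict:
    """Parse one CEF line into a flat dict of header fields and extension attributes."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF line")
    # Seven pipe-delimited header fields, then the free-form extension. An escaped
    # '\|' inside a header field is not handled by this simple splitter.
    parts = line[4:].split("|", 7)
    if len(parts) != 8:
        raise ValueError("CEF header needs 7 pipe-delimited fields before the extension")
    event = dict(zip(HEADER_FIELDS, parts[:7]))
    ext = parts[7]
    keys = list(_EXT_KEY.finditer(ext))
    raw = {}
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        raw[m.group(1)] = ext[m.end():end].strip()
    # Fold csNLabel=X / csN=Y (likewise cnN, flexStringN, flexNumberN) into X=Y,
    # so "cs2Label=URL Category cs2=search-engines" becomes event["URL Category"].
    for key, val in raw.items():
        if key.endswith("Label"):
            if key[:-5] in raw:
                event[val] = raw[key[:-5]]
        elif key + "Label" not in raw:
            event[key] = val
    return event


def has_attribute(event: dict, name: str) -> bool:
    """The EXISTS-style check from the thread: is the attribute present and non-empty?"""
    return bool(event.get(name))
```

Running `parse_cef(SAMPLE_THREAT)` shows exactly which attribute names the parse actually yields, which is the first thing to compare against the names an enforcement condition references.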
Occasional Contributor II
Posts: 11
Registered: ‎06-01-2015

Re: NEW TechNote: ClearPass Policy Manager Ingress Event Engine [IEE]

Sure, I'll look this over.  I did get the threat dictionary working to some extent.  Traffic is logging, but not matching my specific application enforcement policy.  

 

Thanks!

Occasional Contributor II
Posts: 11
Registered: ‎06-01-2015

Re: NEW TechNote: ClearPass Policy Manager Ingress Event Engine [IEE]

So I tried using the CEF format you linked and it didn't work for me.  I am able to get threat traffic to pass with the default log format on the PA, but for some reason I can't use any of the attributes to match an enforcement policy.  I've tried:

- rule_name

- Application

- sourceuser

 

I'm only using the PANW-Threat-Syslog-c dictionary, because that's the only one that works. I tried building a Traffic dictionary using the Threat-Syslog-c as a reference, but it won't bring in any attributes in the access tracker, just event and date, not PA attributes.

 

If I understand correctly I should be able to use the Threat dictionary for general traffic classification as well, because it is passing my application level traffic in the access tracker. I'm not actually generating threat traffic right now on the Palo Alto.

 

In my screenshots, for testing, I have log forwarding set up on a specific PA firewall rule that matches just my username. I'm then trying to take a traffic classification (google-base) and add an attribute to my endpoint as a result. As you can see from the screenshots, all of my traffic is just being classified under the default enforcement profile, which is just a placeholder, of pan-update-node.

 

Is this intended behavior or should I have a traffic dictionary on the CPPM side to process this ingress information?

 

Thanks for your help Danny!

Moderator
Posts: 473
Registered: ‎11-09-2012

Re: NEW TechNote: ClearPass Policy Manager Ingress Event Engine [IEE]


OK - Great. All we are really interested in seeing is "Does the Event Service parse the inbound syslog?", and we can clearly see that it does.

 

Do me a favour: do a (Event:PANW-Threat:category EXISTS), and see if it triggers..... please.


Best Regards
-d

Snr Tech Marketing Engineer - ClearPass

Occasional Contributor II
Posts: 11
Registered: ‎06-01-2015

Re: NEW TechNote: ClearPass Policy Manager Ingress Event Engine [IEE]

Okay, so I changed the enforcement profile to your requested settings. I'm just using pan-update as my default profile and pan-enforcement for my enforcement profile for testing. If Event:PANW-Threat:category EXISTS it should return PAN-Enforcement, and so far it's not, even though the access tracker shows the traffic is passing the category attribute. I'm wondering if there is some sort of issue with the dictionary matching the rule?

 

I'll have more time to test this on Tuesday.  Thank you so much for your help and quick response! I do have a TAC case open on this and will be talking to them on Tuesday.  I'll update them on what we've found.

 

Thanks again!

Moderator
Posts: 473
Registered: ‎11-09-2012

Re: NEW TechNote: ClearPass Policy Manager Ingress Event Engine [IEE]

Truly what a bummer..!!!!!

 

I'm going to ask two more favours. At some point, go to Admin/Sys Manager/Server Config.... disable/enable the Ingress Event Processing.

[Screenshot: ClearPass_Policy_Manager_-_Aruba_Networks.jpg]

 

and, in the services, I want you to stop/start the Ingress jobs.

[Screenshot: ClearPass_Policy_Manager_-_Aruba_Networks1.jpg]

 
Best Regards
-d

Snr Tech Marketing Engineer - ClearPass

Occasional Contributor II
Posts: 11
Registered: ‎06-01-2015

Re: NEW TechNote: ClearPass Policy Manager Ingress Event Engine [IEE]

Went ahead and ran through these steps. Events stopped coming in altogether. I'm not sure why. I had this happen the other night as well and it started back up. I've double checked ingress processing is enabled along with the services. Also made sure my Palo Alto is set to forward logs. It seems like sometimes the events just stop coming in, even though I'm passing plenty of traffic through my Palo Alto. One thing I had to do to get this working at all is add two event sources. It will not process traffic with the syslog-c dictionary unless both are enabled. I've tested with one or the other and restarted services several times.

 

It seems as though I have things working intermittently. I bet I'll have logs coming through tomorrow at some point, but they may stop again, particularly when I turn ingress processing off then on.

 

Thanks for all of your help. I'll keep testing this, especially when I'm back at work next week! Very cool feature and some awesome possibilities we can do with this.

 

Thanks!

 
Occasional Contributor II
Posts: 11
Registered: ‎06-01-2015

Re: NEW TechNote: ClearPass Policy Manager Ingress Event Engine [IEE]

Okay traffic is passing now and still not matching the enforcement profile.  I went ahead and tested this with my Publisher server as well (because I'm doing ingress on subscriber as it has lower CPU usage).  I ran into the same issues.  

 

I tested using Event:username EXISTS and was able to trigger the enforcement condition, but using any of the EVENT:PANW-threat attributes will not trigger the rule. I'm still wondering if it's dictionary related, or maybe the pre-built EVENT:PANW-threat enforcement rule attributes don't match what's coming through on the access tracker exactly?

 

I'll keep testing different things as I can.  I'll also look at a PAN 7.1 custom CEF log filter.

 

Thanks again for the help!
