Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

CPPM IEE with PAN

  • 1.  CPPM IEE with PAN

    Posted Oct 30, 2017 09:30 PM

    Hi Guys,


    I read the Tech note for that part and it is mostly with SRX. I get that the concept is the same with PAN firewall but I'm having issues getting the first step to work.

    I start the ingress logger service and the other service right below that one but I don't see anything coming to my access tracker. I collected logs for ClearPass and I only see this in the "ingressproc.log" file:

     

    2017/10/30 16:26:31 ERROR Failed to perform request=http://localhost:9200/logstash-*/_search?pretty=true
    2017/10/30 16:26:31 ERROR Failed to perform request=http://localhost:9200/logstash-*/_search?pretty=true
    2017/10/30 16:26:31 ERROR Failed to read events, cause=Get http://localhost:9200/logstash-*/_search?pretty=true: dial tcp 127.0.0.1:9200: getsockopt: connection refused
    2017/10/30 18:18:01 ERROR Failed to perform request=http://localhost:9200/logstash-*/_search?pretty=true
    2017/10/30 18:18:01 ERROR Failed to perform request=http://localhost:9200/logstash-*/_search?pretty=true
    2017/10/30 18:18:01 ERROR Failed to read events, cause=Get http://localhost:9200/logstash-*/_search?pretty=true: dial tcp 127.0.0.1:9200: getsockopt: connection refused


    Anyone have any experience with this? I already added CP as a syslog target on my PAN.
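The following triage helper is an added example, not code from this thread or from ClearPass itself. It parses ingressproc.log lines in the format quoted above and reports whether the repeated errors come from the local event store on 127.0.0.1:9200 refusing connections, which is what the quoted lines show and is a local-service condition rather than evidence about whether PAN syslog is arriving. The sample input is constructed from the lines in the post.

```python
import re
from collections import Counter

# Constructed sample: the ingressproc.log lines quoted in the post above.
SAMPLE_LOG = """\
2017/10/30 16:26:31 ERROR Failed to perform request=http://localhost:9200/logstash-*/_search?pretty=true
2017/10/30 16:26:31 ERROR Failed to perform request=http://localhost:9200/logstash-*/_search?pretty=true
2017/10/30 16:26:31 ERROR Failed to read events, cause=Get http://localhost:9200/logstash-*/_search?pretty=true: dial tcp 127.0.0.1:9200: getsockopt: connection refused
2017/10/30 18:18:01 ERROR Failed to perform request=http://localhost:9200/logstash-*/_search?pretty=true
2017/10/30 18:18:01 ERROR Failed to perform request=http://localhost:9200/logstash-*/_search?pretty=true
2017/10/30 18:18:01 ERROR Failed to read events, cause=Get http://localhost:9200/logstash-*/_search?pretty=true: dial tcp 127.0.0.1:9200: getsockopt: connection refused
"""

# "YYYY/MM/DD HH:MM:SS LEVEL message" as seen in ingressproc.log
LINE_RE = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (\w+) (.*)$")
# Go-style dial error: "dial tcp HOST:PORT: ... <reason>"
DIAL_RE = re.compile(r"dial tcp ([\d.]+):(\d+): .*?(connection refused|i/o timeout|no route to host)")

def parse_line(line):
    """Return (timestamp, level, message), or None if the line does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group(1), m.group(2), m.group(3)

def classify(message):
    """Label an ERROR message by the endpoint and reason it names, if any."""
    m = DIAL_RE.search(message)
    if m:
        return f"{m.group(1)}:{m.group(2)} {m.group(3)}"
    if "Failed to perform request" in message:
        return "request failed (no dial detail)"
    return "other"

def summarize(log_text):
    """Count ERROR lines by cause, record the distinct poll timestamps, and flag
    whether the local event store on 127.0.0.1:9200 ever refused a connection."""
    causes = Counter()
    times = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None or parsed[1] != "ERROR":
            continue
        ts, _, msg = parsed
        causes[classify(msg)] += 1
        if ts not in times:
            times.append(ts)
    store_down = any(k.startswith("127.0.0.1:9200") and "refused" in k for k in causes)
    return {"causes": dict(causes), "poll_times": times, "local_store_down": store_down}
```

Run it over a full ingressproc.log to see whether every poll fails the same way; if `local_store_down` is true, the poller never reached the store, so no event could have been read regardless of the PAN side.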



  • 2.  RE: CPPM IEE with PAN

    Posted Oct 30, 2017 10:33 PM

    So which parts of the config have you completed?

    Defined in source Event-Source?

    Defined which Dictionary it will use?

    Is this a new Dictionary/Existing....

    Have you defined a new Event Service Policy?

    ...



  • 3.  RE: CPPM IEE with PAN

    Posted Oct 31, 2017 12:31 AM

    Danny,


    - Started the service in CPPM

    - Enabled Dictionaries

    - Added PAN as an event source

    - Created a service

    - Added CPPM as a syslog target in PAN

    I'm hoping to see any entries in Access Tracker so I can work on my policy and have it trigger an action.



  • 4.  RE: CPPM IEE with PAN

    Posted Oct 31, 2017 01:40 AM

    How did you define the PANW syslogs, for Threat/Traffic?

    Take a look at my ArcSight SIEM Integration Guide on the Aruba support site in the CPPM TechNote folder; it shows you how to set up syslog on the PANW, which might be useful for you.

    Also, ensure you use this PANW IEE Dictionary:

    PANW_Threat_Dictionary_Bundle_v1.zip