Environment:
Windows
Splunk 5.0.4
Splunk for Palo Alto Networks 3.3.1
I am looking to install the Splunk for Palo Alto networks in an environment where Splunk has no access to the outside world. That being said, geolocation, wildfire, and pretty much everything that needs to talk to a third party will not work.
Are there steps I can take to disable the attempts to query the outside world? Attempts to access disallowed locations are logged/alerted on, and I would like to remove as much noise as possible.
I also get the following errors when I access the app because I have not installed the geolocation modules (because they wouldn’t work anyway). And the start page just hangs at "Loading...". How do I prevent these pop-ups? And is there a workaround for the PAN Overview page?
Hi jeffa,
You can prevent the app from making attempts to access the internet with the following steps:
If you never set a WildFire API key during app setup, you can skip this step.
To remove the API key, edit the app.conf file at:
SPLUNK_HOME/etc/apps/SplunkforPaloAltoNetworks/local/app.conf
If you see a couple lines in the file that look like the following, remove them:
[credential::wildfire_api_key:]
password = string of characters
The map on the overview dashboard leverages Google maps and geoIP lookups, both of which require the Internet. You can remove the map by modifying the dashboard file. Removing the map also removes the dependencies that are causing the error messages.
First, copy the file from the default directory to the local directory:
Copy from SPLUNK_HOME/etc/apps/SplunkforPaloAltoNetworks/default/data/ui/views/pan_overview_switcher_maps.xml
to SPLUNK_HOME/etc/apps/SplunkforPaloAltoNetworks/local/data/ui/views/pan_overview_switcher_maps.xml
This ensures your changes are not overwritten when you upgrade the app.
Now modify the file you created in the local directory like this:
panel_row2_col2 with panel_row2_col1. There should be two instances of this string to replace.
Save the file and restart Splunk.
NOTE: Because your new pan_overview_switcher_maps.xml file overrides the default one, if you upgrade the app, you may not see the overview dashboard in the new app version, because you will always see your modified overview dashboard. If any changes are made to the default dashboard file in subsequent versions, just repeat the process on the new version of the default dashboard.
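The steps in the answer above, scripted as an added example (not code from the post or from the app). It covers only the changes the answer states; the function names are hypothetical and the app directory is assumed to be passed on the command line.

```python
import sys
from pathlib import Path

CRED_STANZA = "[credential::wildfire_api_key:]"   # stanza named in the answer
VIEW = Path("data/ui/views/pan_overview_switcher_maps.xml")
OLD_PANEL, NEW_PANEL = "panel_row2_col2", "panel_row2_col1"


def strip_wildfire_credential(conf_text):
    """Return app.conf text with the WildFire credential stanza removed.

    Everything from the stanza header up to the next stanza header is
    dropped, so the stored password line goes with it.
    """
    kept, skipping = [], False
    for line in conf_text.splitlines(keepends=True):
        stripped = line.strip()
        if stripped.startswith("["):
            skipping = stripped == CRED_STANZA
        if not skipping:
            kept.append(line)
    return "".join(kept)


def apply_offline_changes(app_dir):
    """Apply both steps; return (credential_removed, panel_strings_replaced)."""
    app_dir = Path(app_dir)
    conf = app_dir / "local" / "app.conf"
    removed = False
    if conf.exists():   # no local app.conf means no API key was ever set
        old = conf.read_text(encoding="utf-8")
        new = strip_wildfire_credential(old)
        removed = new != old
        if removed:
            conf.write_text(new, encoding="utf-8")

    # Edit a copy under local/ so an app upgrade does not overwrite it.
    src, dst = app_dir / "default" / VIEW, app_dir / "local" / VIEW
    text = src.read_text(encoding="utf-8")
    count = text.count(OLD_PANEL)
    dst.parent.mkdir(parents=True, exist_ok=True)
    dst.write_text(text.replace(OLD_PANEL, NEW_PANEL), encoding="utf-8")
    return removed, count


if __name__ == "__main__":
    removed, count = apply_offline_changes(sys.argv[1])
    print("credential stanza removed:", removed)
    print("panel strings replaced:", count, "(the answer expects 2)")
```

Restart Splunk afterwards, as the answer says; a replacement count other than 2 means the default dashboard differs from the one the answer describes and should be reviewed by hand.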