All Apps and Add-ons

Palo Alto: Adaptive Response: Tag to Dynamic Address List requires commit?

hcheang
Path Finder

Hello,

I am using Palo Alto App for Splunk and its adaptive response feature.
We have done some troubleshooting and testing, and based on what we have accomplished so far, I have a few questions:

  1. Commit required

According to documents,
"The IP is tagged on the firewall immediately, however, it can take up to 60 seconds for the tagged IP addresses to show up in the corresponding Dynamic Address Group in the security policy. This delay is intentional to prevent accidental DoS scenarios."

We've waited a couple of minutes or more, but we found that an admin has to initiate a "commit" for the IP to be included in the group.

This is the command we tried:

index=pan_logs sourcetype=pan:threat host=$PA_FIREWALL$ category=malware vendor_action=allowed dest_zone=internal
| stats count by src_ip
| pantag device="$PA_FIREWALL$" action=add tag="SplunkBlock" ip_field="src_ip"
  2. Change is not visible

We are getting Palo Alto logs from the device, and for config-type logs the following custom format is used:

$receive_time $admin $host $client $cmd $result $path $before-change-detail $after-change-detail

Strangely, we do not see any log related to the IP being added to the tag or to the group.
Is this expected behaviour, or are we missing some field in the syslog setting?

Thanks!

0 Karma
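As an added example (not code from this thread or from the Palo Alto App for Splunk), here is a small Python check that parses config-log lines in the custom format quoted above and lists, per admin, the changes that were not followed by a successful commit. The field order is taken from the post's format string; the space separator, the timestamp form without embedded spaces, the cmd/result values "set", "commit", "Succeeded" and "Failed", and the sample lines are all assumptions constructed for the example.

```python
"""Check Palo Alto config-log lines for changes that were never committed.

Added example, not code from the original thread or from the Palo Alto App for
Splunk. The field order follows the custom syslog format quoted in the post
(receive_time admin host client cmd result path before-change-detail
after-change-detail); the space separator, the timestamp form (no embedded
spaces), the cmd/result values "set", "commit", "Succeeded", "Failed" and the
sample lines are all constructed for this example.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class ConfigEvent:
    receive_time: str
    admin: str
    host: str
    client: str
    cmd: str
    result: str
    path: str
    before_change: str
    after_change: str


def parse_line(line: str) -> ConfigEvent:
    """Split one log line into the nine fields of the format above.

    Only the first eight separators are honoured, so an after-change-detail
    that contains spaces survives intact (the earlier fields are assumed to be
    single tokens, as in the constructed samples).
    """
    parts = line.strip().split(" ", 8)
    if len(parts) != 9:
        raise ValueError(f"expected 9 fields, got {len(parts)}: {line!r}")
    return ConfigEvent(*parts)


def uncommitted_changes(lines: List[str]) -> Dict[str, List[str]]:
    """Return {admin: [config paths]} for changes not followed by a successful commit.

    Lines are processed in arrival order. A successful "commit" by an admin
    clears that admin's pending list; a failed commit leaves it untouched, so
    those changes stay reported.
    """
    pending: Dict[str, List[str]] = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev.cmd == "commit":
            if ev.result == "Succeeded":
                pending.pop(ev.admin, None)
        elif ev.result == "Succeeded":
            pending[ev.admin].append(ev.path)
    return {admin: paths for admin, paths in pending.items() if paths}


# Constructed sample lines in the post's field order (not real device output).
SAMPLE_LINES = [
    "2024-03-01T10:00:01 splunk-ar fw01 Web set Succeeded vsys1/address/host-10.0.0.5 - ip-netmask 10.0.0.5/32",
    "2024-03-01T10:00:30 splunk-ar fw01 Web commit Succeeded - - -",
    "2024-03-01T11:15:00 admin fw01 Web set Succeeded vsys1/rulebase/security/rules/allow-dns - action allow",
    "2024-03-01T11:16:00 admin fw01 Web commit Failed - - -",
]

if __name__ == "__main__":
    for admin, paths in uncommitted_changes(SAMPLE_LINES).items():
        print(f"{admin}: {len(paths)} uncommitted change(s): {', '.join(paths)}")
```

Run against a real export, the script would report which admins (including the account used by the adaptive response action) have changes sitting uncommitted; on the constructed samples it reports only the failed-commit rule change by "admin".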

shirishkamat84
Path Finder

Is the firewall account used by the TA available on the firewall?
Does the firewall have the required tags and DAG where you need to populate the IP?

We got this working by creating the required policies on Panorama and making the changes there, which pushed the policies to the serial mentioned in the command. Something like this:

index=pan_logs sourcetype="pan:threat" dest_hostname="www.apple.com" | stats dc(dest_ip) by dest_ip | pantag panorama="" serial="" action="add" ip_field="dest_ip" tag="Splunk_block"

0 Karma

hcheang
Path Finder

Yes, we have created a separate account specific to this feature with the correct capabilities.
The IP is tagged correctly and is added to the group correctly, but the issue is that it requires a manual commit.

The only difference I see is the use of Panorama, which we do not have.
If I am reading your answer correctly, the dest_ip is added to this DAG as soon as the query completes, without any further action?

We have given the "commit" capability to the account as well, but we still need to commit the changes manually for a new IP to be added to the group.

0 Karma

alikapucu
Explorer

Is it possible to use multiple serial numbers, or is there any way to push an IP address to multiple firewalls?

0 Karma

khalidewaidah
Explorer

I have tried to run the Palo Alto adaptive response action, but I get the error below:

""PAN : Tag to Dynamic Address/User Group" - Adaptive response action could not be dispatched.Unexpected token M in JSON at position 0"

Kindly help me if you have experience with that.

0 Karma