Palo Alto Globalprotect / VPN Dashboards?

TheSplunkDude
Explorer

With everyone working remotely nowadays, does anyone want to share their content on what a good PAN Global Protect dashboard could look like?
I know there's the Palo Alto Networks app that relies on the PAN data model, for those of us that don't use that app:
What panels do you like to have on your dashboard?
What's your favorite visualization for VPN connections?
Does anyone have some good SPL around duration time and data transferred during a session?

Just so it doesn't seem like I'm asking someone to build me a dashboard.
My panels contain "Total number of users connected today", "Number of users connected to each gateway", "Number of users per department connected to VPN".

Also, when is Palo Alto going to parse out the whole VPN event (OS, host, etc) that they dump into the system logs?

Thanks in advance.

elhugohefner
New Member

Not a dashboard, but here is something that I am running. Basically, if they are on VPN and have an entry, I give them credit for an hour. Then I pass that along to AD to get some information like department based on AD info. Nice way to see who really is on VPN or not.

index="paloalto" src_zone=globalprotect action=success
| eval hour_min=strftime(_time, "%D %H:00")
| eval user=mvindex(split(user, "\\"), -1)
| table hour_min, user, dvc_name, src_ip
| rename hour_min AS Time, dvc_name AS "Palo Alto Device", src_ip AS vpn_ip
| dedup user, Time
| ldapfilter domain=default search="(sAMAccountName=$user$)" attrs="displayName,streetAddress,department,name"
| table Time, "Palo Alto Device", vpn_ip, displayName, department, streetAddress, user, name

0 Karma

dking8921
New Member

I tried running this command (with my correct index) and I just get zero matches no matter the length of time I put in. I have the LDAP add on and the Palo Alto App, is there anything else I need to do to use this? Thanks for sharing.

Is this using the new GlobalProtect categories on 9.1.x? I didn't upgrade to that yet, maybe that's why.

0 Karma

elhugohefner
New Member

Check where the ldapfilter domain has your correct configuration in the ldap config on your search head.
| ldapfilter domain=(your defined connector)

Here is the link to get you the info to put in after the =

https://docs.splunk.com/Documentation/SA-LdapSearch/3.0.1/User/ConfiguretheSplunkSupportingAdd-onfor...

0 Karma

to4kawa
Ultra Champion

sAMAccountName is correct.
typo?

please check line by line.

0 Karma

mikesaia
Path Finder

My team has actually been working on this. Not sure if anyone has made progress. We could probably share what we have thrown together. One issue we ran into is we are running PanOS 7.1, 8.1 and 9.1, and 9.1 hosts some of our VPN gateways. PanOS 9 introduced new Global Protect logging that the Splunk Palo app doesn't extract. 🙂

dking8921
New Member

If there are any snippets you can share, I'd be grateful. The one thing I haven't sorted out yet is how to create a "duration" report so my boss can see how long people are connecting for. I'm a one-man Splunker in a small gov entity, so I just haven't the time to really dig into building my own searches like this.

0 Karma
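The session-duration and data-transferred search that the original post and the reply above ask for, as an added example that is not from this thread or from the Palo Alto Networks app. The makeresults/rex stage builds a constructed sample of login/logout events; the field names user, gateway, event and bytes are assumptions for that sample, so replace that stage with your own GlobalProtect system-log search and whatever fields it actually yields.

```spl
| makeresults
| eval sample="alice,gw-east,login,1600000000,0;alice,gw-east,logout,1600003600,52428800;alice,gw-east,login,1600010000,0;alice,gw-east,logout,1600011800,8388608;bob,gw-west,login,1600001000,0;bob,gw-west,logout,1600001900,1048576;carol,gw-east,login,1600002000,0"
| makemv delim=";" sample
| mvexpand sample
| rex field=sample "^(?<user>[^,]+),(?<gateway>[^,]+),(?<event>login|logout),(?<ts>\d+),(?<bytes>\d+)$"
| eval _time=tonumber(ts), bytes=tonumber(bytes)
| fields - sample, ts, _raw
| sort 0 user, gateway, _time
| eval is_login=if(event="login", 1, 0)
| streamstats sum(is_login) AS session_no BY user, gateway
| stats min(_time) AS login_time, max(eval(if(event="logout", _time, null()))) AS logout_time, sum(bytes) AS bytes BY user, gateway, session_no
| eval status=if(isnull(logout_time), "connected", "ended")
| eval duration_sec=if(isnull(logout_time), now()-login_time, logout_time-login_time)
| eval duration=tostring(duration_sec, "duration"), data_mb=round(bytes/1048576, 2)
| eval login=strftime(login_time, "%Y-%m-%d %H:%M:%S")
| table user, gateway, session_no, status, login, duration, data_mb
```

The streamstats counter numbers each login per user and gateway, so a user with several sessions in the time range gets one row per session rather than being collapsed; a session with no logout yet is reported as "connected" with its duration measured against now().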

pastorlibre
New Member

If you could share anything, that would be awesome. We built something, but it's not really the most ideal, as it is a rolling 12-hour number and not really current.

0 Karma

markhill1
Path Finder

I'd be keen on seeing what you have as well, and contributing to its development.
I have actually started looking into changing the GP VPN dash (VPN Ops) in this app to display what it already has, but without the underlying data model that it uses from the Palo App.
Remote Work Insights. https://splunkbase.splunk.com/app/4952/

0 Karma

pastorlibre
New Member

Yes! This is exactly what I am struggling with. I am trying to build something, but so far no luck.

0 Karma