pskl.us

Integrate your SafeConnect NAC with a Palo Alto Firewall

Jun. 29, 2012, under Code, Tutorials

The following script allows you to export Username:IP Address pairings from your SafeConnect NAC appliance into your Palo Alto firewall.  This allows for super-fast identification of misbehaving clients and infected machines on your network.

Requirements:

  • A Palo Alto firewall and a SafeConnect NAC box (obviously)
  • MySQL database, configured to receive logging from your SafeConnect Appliance (SafeConnect support can help with the log export configuration on your appliance)
  • A Linux box to run this script.  I suggest using the same box as your MySQL DB, but that’s up to you.
  • Two Windows servers.  If you’re an AD shop, just install these on any member server.

Setup:

1) Install the Palo Alto UserID Agent (download from the Palo Alto support site) on two member servers in your domain.  The account you provide to the agent needs permission to read the event logs on the Domain Controllers.  It must also have local administrator access to the box where it is installed.

2) Configure the Palo Alto UserID agent to accept incoming XML connections (Setup -> Edit -> Agent Service)

3) Configure the Access Control List of the PA User-ID Agent program to permit connections from your Linux box and your Palo Alto Firewalls. (Setup -> Access Control List -> Add).  Be sure to permit ports 5006/TCP and 5007/TCP through any applicable firewalls as well.

4) Configure your Palo Alto firewalls to communicate with the UserID Agents.  (From the WebUI, Device -> User Identification -> User-ID Agents).  The port number is 5007.

5) Install MySQL on your Linux box, and configure the SafeConnect appliance for MySQL export to your server.  (The MySQL setup is beyond the scope of this document).  SafeConnect support can assist you with the appliance-side configuration.  Create a MySQL user with permission to read the “clienthist” table from the Linux box where you’ll be running the script.

6) Install the PAN::API Perl Module on your Linux box.  On RHEL, you can drop it into /usr/lib/perl5/site_perl.  The module is available for download from https://live.paloaltonetworks.com/docs/DOC-1662

7) Copy the pa-uid-safeconnect.pl script to your Linux box:

#!/usr/bin/perl
#
# pa-uid-safeconnect.pl
# Revision 0.2
#
# Collects username:IP pairings from your Impulse Point SafeConnect NAC box and loads the data
# into the Palo Alto Firewall's UserID agents.  The Palo Alto UserID agent runs on a Windows server; you'll
# need two UserID agent boxes to use this script as-written.
#
# Requires the PAN::API and DBI Perl modules.  You'll also need to set up MySQL log export from your appliance
# to a MySQL database which is maintained on a separate server.  Ask your SafeConnect support rep for
# assistance in setting up the "BackupDB" export.
#
# This script was written for, and tested under, Red Hat Linux.
#
# NOTE:  The PAN::API module does not have proper error handling, and will die if an attempt is made to
# connect to a Palo Alto UserID agent box that is not responding.
#
# eric@pskl.us 06.27.12
#
#
# Configuration Section #################################

use strict;
use warnings;
use DBI();
use PAN::API;

# Your Palo Alto User-ID Agent boxes:

my $server1 = "pa-uid-agent-1.pskl.us";
my $server2 = "pa-uid-agent-2.pskl.us";

# Your BackupDB MySQL host and user; the specified user needs read access to the "clienthist" table.

my $mysql_server   = "mysqlbox-14.pskl.us";
my $mysql_username = "MySQL_username";
my $mysql_password = "MySQL_password";

# How often do you require users to re-authenticate to SafeConnect, in days?
my $safeconnect_reauth_time = 7;

# Maximum number of submissions to the PA UID Agent per session (100 seems to work well).
my $XMLSize = 100;

# Enable debugging (yes/no).  Generates a lot of output, use with caution.

my $debug = "yes";

#### End of Configuration Section ####

# Create PAN::API Objects

my $pa_uid_agent_1 = PAN::API::UID->new($server1);
my $pa_uid_agent_2 = PAN::API::UID->new($server2);

# Connection to your SafeConnect BackupDB instance

my $dbobject = DBI->connect("DBI:mysql:database=backupDB;host=$mysql_server",
    $mysql_username, $mysql_password, {'RaiseError' => 1});

# MySQL query string.  Pulls the last $safeconnect_reauth_time days of data, oldest first,
# so the most recent pairing seen for an IP is the one that survives in %ipdb.

my $query = <<EOF;
SELECT transDate,currentIpAddress,principal from clienthist where
DATE_SUB(CURDATE(), INTERVAL $safeconnect_reauth_time DAY) <= transDate order by transDate asc;
EOF

my $queryobject = $dbobject->prepare($query);

$queryobject->execute();

my %ipdb;

while (my @row = $queryobject->fetchrow_array()) {

    # Only process those entries with a username present..

    if ( $row[2] ) {
        # principal is "username,groups"; keep only the username
        my ($username, $groups) = split(",", $row[2]);
        $ipdb{$row[1]} = $username;
        if ( $debug eq "yes" ) {
            print "Found pairing:  $row[0] $row[1] --> $username \n";
        }
    }
}

# Close the connection to the BackupDB

$queryobject->finish();

$dbobject->disconnect();

# Process collected data

my $count = 0;

foreach my $ip ( keys %ipdb ) {

    # ignore "null" entries - indicates user has policy key installed but has
    # not logged in through the web interface
    next if $ipdb{$ip} eq "null";

    if ( $debug eq "yes" ) {
        print "Processing $ip --> $ipdb{$ip}\n";
    }

    # Create the XML entries for this IP:Username pair
    $pa_uid_agent_1->add('login', $ipdb{$ip}, $ip);
    $pa_uid_agent_2->add('login', $ipdb{$ip}, $ip);
    $count++;

    if ( $count == $XMLSize ) {
        # Submit data to the agent in batches of $XMLSize
        $count = 0;

        if ( $debug eq "yes" ) {
            print ">> Submitting batch to $server1\n";
        }

        $pa_uid_agent_1->submit();

        if ( $debug eq "yes" ) {
            print ">> Submitting batch to $server2\n";
        }

        $pa_uid_agent_2->submit();
    }
}

# Submit any remaining entries

if ( $debug eq "yes" ) {
    print ">> Submitting final batch to $server1\n";
}

$pa_uid_agent_1->submit();

if ( $debug eq "yes" ) {
    print ">> Submitting final batch to $server2\n";
}

$pa_uid_agent_2->submit();

# Done

8) Run the script.  If everything is configured properly, you’ll see username:IP pairings being retrieved from your database and transmitted to the Palo Alto UserID agent boxes:

Found pairing:  2012-06-29 09:18:24 18.42.124.194 --> jdoe01
Found pairing:  2012-06-29 09:18:26 18.42.124.194 --> jdoe01
Found pairing:  2012-06-29 09:19:18 18.42.97.119 --> jdoe02
Found pairing:  2012-06-29 09:19:19 18.42.97.119 --> jdoe02
Found pairing:  2012-06-29 09:19:24 18.42.97.119 --> jdoe07
Found pairing:  2012-06-29 09:20:09 18.42.124.239 --> jdoe02
Found pairing:  2012-06-29 09:20:10 18.42.124.239 --> jdoe07
Found pairing:  2012-06-29 09:20:19 18.42.201.219 --> jdoe31
>> Submitting batch to pa-uid-agent-1.pskl.us
>> Submitting batch to pa-uid-agent-2.pskl.us

9) Check the Palo Alto UserID agent’s GUI.  Under the “Monitoring” tab, you’ll see the new entries appear.

10) Configure your Linux box to run the pa-uid-safeconnect.pl script periodically.  Once every four hours seems about right for an environment where users must re-authenticate once every seven days.  Adjust accordingly.

11) WIN!  Your Palo Alto firewall will now tag any applicable log entries with the corresponding username.

I hope this has been helpful.  Please leave any questions or comments in the forum below.


Integrate your Aruba Wireless User Data with your Palo Alto Firewall

Jun. 27, 2012, under Code, Tutorials

The following script allows you to export Username:IP Address pairings from your Aruba Wireless Controller into your Palo Alto firewall.  This allows for super-fast identification of misbehaving clients and infected machines on your network.

Requirements:

  • A Palo Alto firewall and an Aruba Wireless controller (obviously)
  • A Linux box to run this script.
  • Two Windows servers.  If you’re an AD shop, just install these on any member server.

Setup:

1) Install the Palo Alto UserID Agent (download from the Palo Alto support site) on two member servers in your domain. The account you provide to the agent needs permission to read the event logs on the Domain Controllers. It must also have local administrator access to the box where it is installed.

2) Configure the Palo Alto UserID agent to accept incoming XML connections (Setup -> Edit -> Agent Service)

3) Configure the Access Control List of the PA User-ID Agent program to permit connections from your Linux box and your Palo Alto Firewalls. (Setup -> Access Control List -> Add). Be sure to permit ports 5006/TCP and 5007/TCP through any applicable firewalls as well.

4) Configure your Palo Alto firewalls to communicate with the UserID Agents. (From the WebUI, Device -> User Identification -> User-ID Agents). The port number is 5007.

5) Install the PAN::API Perl Module on your Linux box. On RHEL, you can drop it into /usr/lib/perl5/site_perl. The module is available for download from https://live.paloaltonetworks.com/docs/DOC-1662

6) Copy the pa-uid-aruba.pl script to your Linux box:

#!/usr/bin/perl
#
# pa-uid-aruba.pl
# Rev 0.1
#
# Rev 0.2 - 7/2/12 - Removed double-backslash from posted usernames
#
# Collects username:IP pairings from your Aruba wireless controller(s) and loads the data
# into the Palo Alto Firewall's UserID agents.
#
# Requires the PAN::API Perl module and the snmpwalk binaries.
#
# NOTE:  The PAN::API module does not have proper error handling, and will die if an attempt is made to
# connect to a Palo Alto UserID agent box that is not responding.
#
# This script uses plain-text SNMP to extract data from your Aruba controller.  Be sure to
# use a secure, dedicated link between your management box and your controllers for this application.
#
# eric@pskl.us 06.27.12
#
#
# Configuration Section #################################

use strict;
use warnings;
use PAN::API;

# Aruba boxes
my @ArubaControllers = ("aruba-master", "aruba-local");

# Credentials (SNMP v2c community string)
my $ArubaCommunity = "indiapaleale";

# Palo Alto Agents.

my $PA_UID_Agent_1 = "auth-1.bucknell.edu";
my $PA_UID_Agent_2 = "auth-2.bucknell.edu";

# Maximum number of submissions per session (100 seems to work well).
my $XMLSize = 100;

# Set to 0 if you do not want debugging output.
my $debug = 1;

# End of Configuration Section ###########################

my %users;
my $ArubaCount = 0;

foreach my $switch ( @ArubaControllers ) {

    # Walk the controller's user table; each row ends in <client IP> = STRING: "<username>"
    my @ArubaUsers = `/usr/bin/snmpwalk -v 2c -c $ArubaCommunity $switch 1.3.6.1.4.1.14823.2.2.1.4.1.2.1.3`;

    foreach my $line ( @ArubaUsers ) {

        if ( $line =~ /\.(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) = STRING: "(.+)"/ ) {
            $users{$1} = $2;
            if ( $debug ) { print "From Aruba controller $switch:  $1 >> $2\n" }
            $ArubaCount++;
        }
    }

}

if ( $debug ) { print "Found $ArubaCount IP:Username pairings.\n" }

my $auth1 = PAN::API::UID->new($PA_UID_Agent_1);
my $auth2 = PAN::API::UID->new($PA_UID_Agent_2);

my $count = 0;

foreach my $ip ( keys %users ) {

    # Collapse the doubled backslash the controller reports in DOMAIN\\user names
    $users{$ip} =~ s/\\\\/\\/g;
    $auth1->add('login', $users{$ip}, $ip);
    $auth2->add('login', $users{$ip}, $ip);

    $count++;

    if ( $count == $XMLSize ) {
        $count = 0;

        if ( $debug ) {
            print "Submitting $XMLSize entries to the PA-UID Agent boxes\n";
        }

        $auth1->submit();
        $auth2->submit();
    }

}

if ( $debug ) {
    print "Submitting the balance of the entries to the PA-UID Agent boxes\n";
}

$auth1->submit();
$auth2->submit();

# Fin

8) Run the script.  If everything is configured properly, you’ll see username:IP pairings being retrieved from your Aruba controllers and transmitted to the Palo Alto UserID agent boxes:

From Aruba controller aruba1:  10.6.123.212 >> archer
From Aruba controller aruba1:  10.6.101.12 >> lana
From Aruba controller aruba1:  10.6.122.47 >> carol
From Aruba controller aruba1:  10.6.122.47 >> cheryl
From Aruba controller aruba1:  10.6.122.61 >> cyril
From Aruba controller aruba1:  10.6.116.131 >> seamus
Found 548 IP:Username pairings.
Submitting 100 entries to the PA-UID Agent boxes
Submitting 100 entries to the PA-UID Agent boxes
Submitting 100 entries to the PA-UID Agent boxes
Submitting 100 entries to the PA-UID Agent boxes
Submitting 100 entries to the PA-UID Agent boxes
Submitting the balance of the entries to the PA-UID Agent boxes

9) Check the Palo Alto UserID agent’s GUI.  Under the “Monitoring” tab, you’ll see the new entries appear.

10) Configure your Linux box to run the pa-uid-aruba.pl script periodically.  Once every 30-60 minutes works well.

11) WIN!  Your Palo Alto firewall will now tag any applicable log entries with the corresponding username.
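Both scripts above boil down to the same three steps: parse one data source into an IP-to-username map, let the newest record for an IP win, and hand the pairs to the User-ID agents in batches of $XMLSize. The Python below is an added example, not the Perl from either post and not PAN::API; it reproduces that logic over a constructed snmpwalk sample and constructed clienthist rows so the two edge cases can be checked offline: a later "null" principal masks the older username for that IP, and a domain-qualified Aruba name has its doubled backslash collapsed.

```python
import re
from typing import Dict, Iterable, List, Optional, Sequence, Tuple

# Constructed sample of snmpwalk output for the Aruba user-table OID (not real captured output).
SNMP_SAMPLE = """\
SNMPv2-SMI::enterprises.14823.2.2.1.4.1.2.1.3.10.6.123.212 = STRING: "archer"
SNMPv2-SMI::enterprises.14823.2.2.1.4.1.2.1.3.10.6.122.47 = STRING: "CAMPUS\\\\carol"
SNMPv2-SMI::enterprises.14823.2.2.1.4.1.2.1.3.10.6.122.61 = STRING: "cyril"
"""

# Constructed clienthist rows (transDate, currentIpAddress, principal), ordered by transDate asc.
CLIENTHIST_SAMPLE = [
    ("2012-06-29 09:18:24", "18.42.124.194", "jdoe01,Students"),
    ("2012-06-29 09:19:18", "18.42.97.119", "jdoe02,Students"),
    ("2012-06-29 09:19:24", "18.42.97.119", "jdoe07,Staff"),  # later record for the same IP wins
    ("2012-06-29 09:20:09", "18.42.124.239", None),            # no principal: ignored
    ("2012-06-29 09:20:19", "18.42.201.219", "null"),          # policy key installed, no web login
]

# Same shape as the Perl regex: trailing dotted-quad of the OID, then the quoted username.
SNMP_LINE = re.compile(r'\.(\d{1,3}(?:\.\d{1,3}){3}) = STRING: "(.+)"')


def parse_snmpwalk(lines: Iterable[str]) -> Dict[str, str]:
    """IP -> username from snmpwalk lines; collapses the doubled backslash in domain names."""
    users: Dict[str, str] = {}
    for line in lines:
        m = SNMP_LINE.search(line)
        if m:
            users[m.group(1)] = m.group(2).replace("\\\\", "\\")
    return users


def parse_clienthist(rows: Sequence[Tuple[str, str, Optional[str]]]) -> Dict[str, str]:
    """IP -> username from clienthist rows in ascending transDate order (latest record wins)."""
    ipdb: Dict[str, str] = {}
    for _trans_date, ip, principal in rows:
        if not principal:
            continue
        ipdb[ip] = principal.split(",", 1)[0]  # principal is "username,groups"
    # A final "null" record masks any older username for that IP, so the IP is not submitted.
    return {ip: user for ip, user in ipdb.items() if user != "null"}


def batches(mapping: Dict[str, str], size: int) -> List[List[Tuple[str, str]]]:
    """Split (username, ip) login entries into submissions of at most `size` entries."""
    entries = [(user, ip) for ip, user in mapping.items()]
    return [entries[i:i + size] for i in range(0, len(entries), size)]
```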

I hope this has been helpful.  Please leave any questions or comments in the forum below.
