pskl.us

Integrate your Aruba Wireless User Data with your Palo Alto Firewall

Posted on Jun. 27, 2012, under Code, Tutorials

The following script exports username:IP address pairings from your Aruba Wireless Controller into your Palo Alto firewall's User-ID agents, so that firewall logs and policies refer to wireless clients by username instead of by a DHCP address that changes from day to day.  This makes identifying misbehaving clients and infected machines on your network much faster.

Requirements:

  • A Palo Alto firewall and an Aruba Wireless controller (obviously)
  • A Linux box to run this script.
  • Two Windows servers to host the User-ID agents.  If you're an AD shop, just install the agent on any two member servers.

Setup:

1) Install the Palo Alto UserID Agent (download from the Palo Alto support site) on two member servers in your domain. The account you provide to the agent needs permission to read the event logs on the Domain Controllers. It must also have local administrator access to the box where it is installed.

2) Configure the Palo Alto UserID agent to accept incoming XML connections (Setup -> Edit -> Agent Service)

3) Configure the Access Control List of the PA User-ID Agent program to permit connections from your Linux box and your Palo Alto Firewalls. (Setup -> Access Control List -> Add). Be sure to permit 5006/TCP (the XML API port the Linux box talks to) and 5007/TCP (the port the firewalls talk to) through any applicable firewalls as well.

4) Configure your Palo Alto firewalls to communicate with the UserID Agents. (From the WebUI, Device -> User Identification -> User-ID Agents). The port number is 5007.


5) Install the PAN::API Perl Module on your Linux box. On RHEL, you can drop it into /usr/lib/perl5/site_perl. The module is available for download from https://live.paloaltonetworks.com/docs/DOC-1662

6) Copy the pa-uid-aruba.pl script to your Linux box and edit its Configuration Section (controller hostnames, SNMP community string and User-ID agent hostnames) to match your environment:

#!/usr/bin/perl
#
# pa-uid-aruba.pl
# Rev 0.1
#
# Rev 0.2 - 7/2/12 - Removed double-backslash from posted usernames
#
# Collects username:IP pairings from your Aruba wireless controller(s) and loads the data
# into the Palo Alto Firewall's UserID agents.
#
# Requires the PAN::API Perl module and the snmpwalk binary.
#
# NOTE:  The PAN::API module does not have proper error handling, and will die if an attempt is made to
# connect to a Palo Alto UserID agent box that is not responding.
#
# This script uses plain-text SNMP (v2c) to extract data from your Aruba controller, so the community
# string and every username:IP pairing cross the wire unencrypted.  Be sure to use a secure, dedicated
# link between your management box and your controllers for this application.
#
# eric@pskl.us 06.27.12
#

use strict;
use warnings;
use PAN::API;

# Configuration Section #################################

# Aruba boxes
my @ArubaControllers = ("aruba-master", "aruba-local");

# Credentials (read-only SNMP community)
my $ArubaCommunity = "indiapaleale";

# Palo Alto Agents.
my $PA_UID_Agent_1 = "auth-1.bucknell.edu";
my $PA_UID_Agent_2 = "auth-2.bucknell.edu";

# Maximum number of submissions per session (100 seems to work well).
my $XMLSize = 100;

# Set to 0 to silence debugging output.
my $debug = 1;

# End of Configuration Section ###########################

my %users;
my $ArubaCount = 0;

foreach my $switch ( @ArubaControllers ) {

    # nUserName column of the Aruba wlsxUserTable; the last four octets of each OID index are the client IP.
    # On AirWave/AMP servers snmpwalk lives in /opt/airwave/bin instead of /usr/bin.
    my @ArubaUsers = `/usr/bin/snmpwalk -v 2c -c $ArubaCommunity $switch 1.3.6.1.4.1.14823.2.2.1.4.1.2.1.3`;

    foreach my $line ( @ArubaUsers ) {
        # e.g. ...14823.2.2.1.4.1.2.1.3.<index>.10.6.123.212 = STRING: "archer"
        if ( $line =~ /\.(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) = STRING: "(.+)"/ ) {
            $users{$1} = $2;   # a later row for the same IP overwrites an earlier one
            if ( $debug ) { print "From Aruba controller $switch:  $1 >> $2\n" };
            $ArubaCount++;
        }
    }
}

if ( $debug ) { print "Found $ArubaCount IP:Username pairings.\n" };

my $auth1 = PAN::API::UID->new($PA_UID_Agent_1);
my $auth2 = PAN::API::UID->new($PA_UID_Agent_2);

my $count = 0;

foreach my $ip ( keys %users ) {

    # snmpwalk escapes a backslash as "\\"; collapse it so DOMAIN\user is posted as typed.
    $users{$ip} =~ s/\\\\/\\/g;
    $auth1->add('login', $users{$ip}, $ip);
    $auth2->add('login', $users{$ip}, $ip);

    $count++;

    # Flush a full batch to both agents.
    if ( $count == $XMLSize ) {
        $count = 0;
        if ( $debug ) { print "Submitting $XMLSize entries to the PA-UID Agent boxes\n" };
        $auth1->submit();
        $auth2->submit();
    }
}

if ( $debug ) { print "Submitting the balance of the entries to the PA-UID Agent boxes\n" };

$auth1->submit();
$auth2->submit();

# Fin

7) Run the script.  If everything is configured properly, you'll see username:IP pairings being retrieved from your Aruba controllers and transmitted to the Palo Alto UserID agent boxes:

From Aruba controller aruba1:  10.6.123.212 >> archer
From Aruba controller aruba1:  10.6.101.12 >> lana
From Aruba controller aruba1:  10.6.122.47 >> carol
From Aruba controller aruba1:  10.6.122.47 >> cheryl
From Aruba controller aruba1:  10.6.122.61 >> cyril
From Aruba controller aruba1:  10.6.116.131 >> seamus
Found 548 IP:Username pairings.
Submitting 100 entries to the PA-UID Agent boxes
Submitting 100 entries to the PA-UID Agent boxes
Submitting 100 entries to the PA-UID Agent boxes
Submitting 100 entries to the PA-UID Agent boxes
Submitting 100 entries to the PA-UID Agent boxes
Submitting the balance of the entries to the PA-UID Agent boxes

8) Check the Palo Alto UserID agent's GUI.  Under the "Monitoring" tab, you'll see the new entries appear.

9) Configure your Linux box (cron works fine) to run the pa-uid-aruba.pl script periodically.  Once every 30-60 minutes works well; keep the interval shorter than the User-ID agent's mapping timeout, otherwise entries expire between runs and traffic from those clients logs without a username until the next run.

10) WIN!  Your Palo Alto firewall will now tag any applicable log entries with the corresponding username.
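The same pipeline the script above hands off to snmpwalk and PAN::API, written out in Python as an added example (this is not the post's code and not Palo Alto's library): it parses the nUserName rows of a constructed snmpwalk capture, collapses snmpwalk's doubled backslashes, drops empty names and malformed addresses, splits the mapping into $XMLSize-style batches, renders each batch as a `<uid-message>` login update and delivers it to every agent without aborting when one agent is unreachable, which is the failure mode the script header warns about with PAN::API. The agent hostnames, the sample rows (a MAC preceding the client IP in the OID index) and the socket handling are assumptions; the `<uid-message>` structure is the one the Palo Alto User-ID XML API uses, so confirm it against the API documentation for your agent version.

```python
"""Added example, not part of the original post: the snmpwalk -> parse ->
batch -> User-ID XML pipeline in Python, with a sender that survives a dead
agent.  Hostnames, sample data and the socket handling are assumptions."""
import ipaddress
import re
import socket
from xml.sax.saxutils import quoteattr

# Constructed sample of what snmpwalk prints for the Aruba nUserName column.
# The original regex keys on the last four index octets before " = STRING:",
# so whatever precedes them (a MAC here, assumed) is ignored.  snmpwalk prints
# a literal backslash as "\\", which is why the script collapses doubles.
SAMPLE_WALK = r'''
SNMPv2-SMI::enterprises.14823.2.2.1.4.1.2.1.3.0.11.22.33.44.55.10.6.123.212 = STRING: "archer"
SNMPv2-SMI::enterprises.14823.2.2.1.4.1.2.1.3.0.11.22.33.44.66.10.6.101.12 = STRING: "BUCKNELL\\lana"
SNMPv2-SMI::enterprises.14823.2.2.1.4.1.2.1.3.0.11.22.33.44.77.10.6.122.47 = STRING: "carol"
SNMPv2-SMI::enterprises.14823.2.2.1.4.1.2.1.3.0.11.22.33.44.88.10.6.122.47 = STRING: "cheryl"
SNMPv2-SMI::enterprises.14823.2.2.1.4.1.2.1.3.0.11.22.33.44.99.10.6.122.61 = STRING: ""
SNMPv2-SMI::enterprises.14823.2.2.1.4.1.2.1.3.0.11.22.33.44.aa.999.6.1.1 = STRING: "bogus"
'''

USER_RE = re.compile(r'\.(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) = STRING: "(.+)"$')


def parse_walk(text):
    """Return {ip: username}, mirroring the Perl hash: a later row for the
    same IP overwrites an earlier one (carol -> cheryl above), empty names and
    malformed IPs are dropped, and doubled backslashes are collapsed."""
    users = {}
    for line in text.splitlines():
        m = USER_RE.search(line.rstrip())
        if not m:
            continue
        ip, name = m.group(1), m.group(2).replace("\\\\", "\\")
        try:
            ipaddress.IPv4Address(ip)      # rejects octets > 255
        except ipaddress.AddressValueError:
            continue
        users[ip] = name
    return users


def batches(users, size=100):
    """Split the mapping into lists of at most `size` (ip, user) pairs,
    the equivalent of $XMLSize in the original script."""
    items = sorted(users.items())
    return [items[i:i + size] for i in range(0, len(items), size)]


def build_uid_message(entries):
    """Render one batch as a User-ID XML login update.  quoteattr() escapes
    the values, so a username containing '<' or '&' cannot break the document."""
    body = "".join(
        f"    <entry name={quoteattr(user)} ip={quoteattr(ip)}/>\n"
        for ip, user in entries
    )
    return (
        "<uid-message>\n"
        "  <version>1.0</version>\n"
        "  <type>update</type>\n"
        "  <payload>\n"
        "    <login>\n"
        f"{body}"
        "    </login>\n"
        "  </payload>\n"
        "</uid-message>\n"
    )


def send_to_agent(host, xml, port=5006, timeout=5.0):
    """Push one update over the agent's XML API port.  Returns False instead of
    raising when the agent is down, so one dead agent does not abort the run
    (the post notes that PAN::API dies in that situation)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(xml.encode("utf-8"))
        return True
    except OSError as exc:
        print(f"agent {host}:{port} unreachable: {exc}")
        return False


def push_mappings(users, agents, size=100, sender=send_to_agent):
    """Send every batch to every agent; returns {agent: batches delivered}.
    `sender` is injectable so the pipeline can be exercised without agents."""
    delivered = {agent: 0 for agent in agents}
    for batch in batches(users, size):
        xml = build_uid_message(batch)
        for agent in agents:
            if sender(agent, xml):
                delivered[agent] += 1
    return delivered


if __name__ == "__main__":
    mappings = parse_walk(SAMPLE_WALK)
    print(f"Found {len(mappings)} IP:Username pairings.")
    # Assumed agent hostnames; replace with yours.  For a live run, feed
    # parse_walk() the stdout of snmpwalk via subprocess.run(..., capture_output=True, text=True).
    print(push_mappings(mappings, ["auth-1.example.edu", "auth-2.example.edu"], size=2))
```

Because send_to_agent reports failure rather than dying, a cron wrapper should alert on a non-zero "unreachable" count instead of relying on the script crashing; the Perl version has the opposite behaviour, and a dead first agent stops the second one from ever being updated.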

I hope this has been helpful.  Please leave any questions or comments in the comments below.


5 Comments for this entry

  • Prasath

    It was really helpful...
    I have some queries:
    What are the things we need to configure on the controller?
    What is the supported version on the controller?

    Awaiting your reply.

  • asska

    Thank you guys for that, it's really helpful.

    Can I run this script on Debian, and which modules do I have to install?

    Kind regards,

  • Patrick

    FYI, the script needs some updating when running it off of newer AMP servers (64-bit CentOS installs)

    /usr/bin/snmpwalk is now /opt/airwave/bin/snmpwalk

    If running on Windows, make sure you replace the non-standard ASCII characters when copy/pasting from the website.

    When the PerlUserIDXMLAPI is extracted, pa-uid-aruba.pl can be run out of the lib directory (i.e. API.PM does not need to be copied into the site_perl folder).

  • Alfredo

    Do you have the aruba syslog export filter config from the controller side?

  • Mike

    Basic question:
    Are we able to create a VBScript on the user PC, scheduled to run every 30 minutes, to send Domain/username and IP to the PA UserID agent? If yes, can you post the code?
