Copyright © 2008-2016 LiveAction, Inc. All rights reserved. LiveAction, LiveNX, LiveUX, the LiveAction Logo and LiveAction Software are trademarks of LiveAction, Inc. Information subject to change without notice.
LiveAction, Inc. 3500 WEST BAYSHORE ROAD PALO ALTO, CA 94303
Palo Alto Networks Integration with LiveNX
LIVEACTION, INC.
2 | Palo Alto Networks Integration with LiveNX
1. Introduction
Palo Alto Networks' Next Generation Firewall provides extensive information about sessions, websites and the users visiting those sites. This information, when displayed through LiveAction's LiveNX, can help a network or security engineer visualize specific events that happened at a specific time or are occurring at the present time.
This document will walk the administrator through the process of setting up NetFlow Export on the Palo Alto Networks device and how to visualize the information within LiveNX.
2. Integration Architecture
The integration between Palo Alto Networks devices and LiveNX is over two standard protocols: NetFlow and the Simple Network Management Protocol (SNMP). Palo Alto Networks devices can export NetFlow information to LiveNX. In addition to the standard fields, Palo Alto Networks devices can also export Application ID and User ID within the NetFlow packets.
3. Enabling NetFlow Export on Palo Alto Networks Firewalls
To enable NetFlow Export on the Palo Alto Networks device, log in to the Palo Alto Networks Web UI and navigate to Device, expand the Server Profile accordion, and select NetFlow. Click on Add and enter the correct information for the LiveNX server or node. To include the extra Palo Alto Networks fields, User-ID and Application ID, check the PAN-OS Field Types box.
Select OK and the Exporter has been set up. Now we need to activate the export of the flows. This is done at the interface level. Navigate to the Network tab, then Interfaces. Select the interface(s) that will be used to generate the NetFlow data. In the NetFlow Profile section add the Exporter that we just set up.
Once completed, commit the configuration. The Palo Alto Networks device should now be exporting flows to LiveNX.
The next step is to enable the Palo Alto Networks device to use Microsoft Active Directory to pull the User ID to IP address mapping. Palo Alto Networks can pull this information from other sources as well; please refer to the Palo Alto Networks documentation to enable the other sources. On the Device tab, navigate to User Identification and in User Mapping select the gear icon (top right) to set up the agent. We are going to use the Agentless method and enable Windows Management Instrumentation (WMI). Enter the name and password that will be used for WMI connectivity. We will presume that this User ID has already been set up by your AD administrator with the correct security level.
Make sure that you also enable Server Monitoring, Client Probing and NTLM. Next click OK, and then in the Server Monitoring section add the domain controllers that need to be accessed by this Palo Alto Networks device. This list may be different depending on the AD architecture and geographic location, as AD security audit logs are local to the domain controllers that are used for authentication.
Once you have added the User Identification server, you must enable User ID identification on the zones. To accomplish this, navigate to Network, Zones and edit each of the zones that you want the User ID to be displayed on.
Now commit the changes, and we have finished setting up the Palo Alto Networks device.
4. Adding the Palo Alto Networks Device(s) to LiveNX
Open the LiveNX Java Client and log in to the system. Navigate to File -> Add Device and the Add Device Wizard will start. This is a 9-step wizard that will prompt for information and interrogate the device to find the interfaces and other information about the system. You must have the IP address of any Layer 3 interface that will be exporting flow data, and the Management IP address. You must also have the SNMP community string that will be used to collect the interface table.
Select Next and LiveNX will now go through and find the interfaces on the Palo Alto Networks device. Once you have selected the interfaces that NetFlow will be exported from, click Next, and as LiveNX will not know of any VLANs defined within the Palo Alto Networks device, select Next.
Now we can change the Polling Rate; leave it at one minute, select Flows, and click Next to review the configuration, then select Finish.
The device will now appear on the Main Screen and should be green, meaning that LiveNX has contacted the device. Next, we need to run the device setup again. This is due to an issue with retrieving the IP addresses from the interfaces: Palo Alto Networks devices do not populate the Interface MIB table with IP addresses, and therefore LiveNX cannot associate the flow data with the correct interface or connect it to the correct networks. This is remedied by modifying the device. Right click on the Palo Alto Networks device and open Edit Device Settings.
The Device Wizard will start and this time we are going to change the Device type to Non SNMP device; select Next and the Interface Table will be presented.
Enter the IP addresses of the interfaces that will be exporting the flows and select Finish.
The device will now connect to the correct networks. If the Palo Alto Networks device is running in Layer 2 mode, enter the Management IP address.
5. Reports
LiveNX currently has a rich set of reports and visual aids that can help the network/security engineer view the traffic traversing the Palo Alto Networks device and understand the applications and users that may be affecting the stability of the network. Let's start with a set of visual aids. The first is to monitor the Palo Alto Networks device itself and see which flows are active in real time. From the main screen in the Java Client, change the flow display to Firewall. This will display all flows traversing the Palo Alto Networks device.
Now if we double click on the device we will see a real-time display of all the flows the Palo Alto Networks device is exporting. This view is updated every minute and can be used to find specific flows and use them to drill down into more specific reports.
If we select a specific flow, it can be added to the search filter, and then only information destined to that application or IP address will be displayed. Or we can drill down into more specific reports, like Top Analysis or Interface Bandwidth reports.
By right clicking on specific columns in this display we can drill down and look at specific issues that could be happening. If we choose the Source IP Address we can drill down to the interface report and see the amount of traffic traversing the firewall that is being generated by that specific address; or, by right clicking on the APP-ID (Palo Alto Networks) column, we can choose the same report and see the amount of traffic that specific application is generating.
From LiveNX's Flow Reports we can also look at all the applications and the bandwidth each is consuming. Open Flow Reports and choose the Application report, choose the Palo Alto Networks device and set the Graph type to Firewall, select the time frame and execute the report.
From this view we can also drill down on specific applications and gather more information on Network Activity.
6. Use Cases
Let's look at some specific use cases that can help solve specific issues that may arise within an organization.
1) What was done? In this use case, we need to understand what an employee did during a specific time period, what applications were used, and whether any large amounts of data were transferred outside of the company's infrastructure. The information that we have is the user's ID and the time frame in which the event happened. In LiveNX we can run Flow reports on that time frame and then, as the user's ID appears in the reports, use the associated IP address to add to the filter list. Execute the report and now we have all the external activity for that user over the selected time period.
But not only can we see what external apps and systems were touched, we can also see all the internal activity from that address while the user was associated with that IP address. Select All Devices and the time frame, set the graph to Basic Flow and execute the report.
2) Data Leakage. A report of a large data leakage has come in. Your mission as a network/security engineer is to try and find out who, what and when it occurred. You know the application, but you don't know who did it, or when it was done. How do you figure it out? The first step is to look at the applications going through the firewall(s) over a period of time. Navigate to Flow reports in LiveNX, select the period of time that you want to monitor, select the firewall that you will use as the source, set the graph type to Firewall and execute the report.
From this report we can drill down into the application where the data leakage was reported. So if we right click on the application and then drill down and run the Top Analysis, we can now see the individual flows over this specific time frame and the users that generated the traffic. In this example we will look for something going to Facebook; while it's not a data export tool, the same principle applies.
3) Shadow IT / Cloud Application Visibility. The cloud is transforming the way business is done. But IT teams do not always have visibility of these business critical applications, and yet they are still responsible for making sure these applications are performing well and meeting users' needs.
The first step is to collect information from the Internet edges across your network. Schedule a weekly report to provide you with a list of cloud applications on an ongoing basis.
From this report, you can see the list of cloud applications and the amount of your resources each application is consuming. Network congestion can be an issue for many businesses today. You want to be sure that critical applications are not impacted when competing with recreational traffic. In the new Internet-based world, it is important to identify which applications are on your network and where your resources are being consumed, so that you can align usage with your business policy.
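The three use cases above are the same operation over the exported flow records: restrict to a time window, pivot on the User-ID or App-ID field, and total the bytes. The following is an added example (not LiveNX code and not from the LiveAction document) that performs those three pivots in Python over a constructed set of flow records carrying the PAN-OS App-ID and User-ID fields; the record layout, addresses and user names are assumptions for illustration.

```python
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample flow records, as a collector holds them once the PAN-OS exporter has
# "PAN-OS Field Types" enabled. Assumed layout: start, src IP, dst IP, App-ID, User-ID, bytes.
FLOWS = [
    ("2016-03-01T09:05", "10.1.20.15", "203.0.113.40", "facebook-base", "acme\\jdoe",     2_400_000),
    ("2016-03-01T09:20", "10.1.20.15", "10.1.50.7",    "ms-ds-smb",     "acme\\jdoe",   150_000_000),
    ("2016-03-01T10:10", "10.1.20.15", "198.51.100.9", "dropbox",       "acme\\jdoe",   900_000_000),
    ("2016-03-01T11:00", "10.1.20.31", "203.0.113.40", "facebook-base", "acme\\asmith",      12_000),
    ("2016-03-01T13:30", "10.1.20.44", "198.51.100.9", "dropbox",       "acme\\bwong",       40_000),
]
# RFC 1918 listed explicitly: ipaddress.is_global would also treat the documentation prefixes above as non-global.
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]

def is_external(ip):
    return not any(ip_address(ip) in net for net in INTERNAL)

def in_window(ts, start, end):
    at = lambda s: datetime.strptime(s, "%Y-%m-%dT%H:%M")
    return at(start) <= at(ts) <= at(end)

def user_activity(flows, user, start, end):
    """Use case 1: IPs the User-ID mapping tied to the user in the window, then that address's external/internal bytes."""
    ips = {src for ts, src, _, _, uid, _ in flows if uid == user and in_window(ts, start, end)}
    ext = internal = 0
    for ts, src, dst, _, _, nbytes in flows:
        if src in ips and in_window(ts, start, end):
            if is_external(dst):
                ext += nbytes
            else:
                internal += nbytes
    return {"ips": sorted(ips), "external_bytes": ext, "internal_bytes": internal}

def top_users_for_app(flows, app, start, end):
    """Use case 2: who moved the most bytes through one App-ID, and when each user started."""
    totals, first_seen = {}, {}
    for ts, _, _, a, uid, nbytes in flows:
        if a == app and in_window(ts, start, end):
            totals[uid] = totals.get(uid, 0) + nbytes
            first_seen[uid] = min(first_seen.get(uid, ts), ts)
    return sorted(((b, u, first_seen[u]) for u, b in totals.items()), reverse=True)

def bytes_by_app(flows, start, end):
    """Use case 3: bytes per App-ID leaving the network (cloud usage), largest first."""
    totals = {}
    for ts, _, dst, a, _, nbytes in flows:
        if in_window(ts, start, end) and is_external(dst):
            totals[a] = totals.get(a, 0) + nbytes
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)
```

In LiveNX the same pivots are done through the Flow report filters described above; this script only makes the underlying arithmetic explicit.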
7. Conclusion
Combining Palo Alto Networks Next Generation Firewalls and LiveAction's LiveNX gives both network engineers and security engineers more visibility into traffic that is in the network, and traffic exiting a segment or the perimeter of the network.