Copyright©2008-2016LiveAction,Inc.Allrightsreserved.LiveAction,LiveNX,LiveUX,theLiveActionLogoandLiveActionSoftwarearetrademarksofLiveAction,Inc.Informationsubjecttochangewithoutnotice.

LiveAction,Inc.3500WESTBAYSHOREROADPALOALTO,CA94303

Palo Alto Networks Integration with LiveNX

LIVEACTION,INC.

2|PaloAltoNetworksIntegrationwithLiveNX

1. Introduction

PaloAltoNetwork’sNextGenerationFirewallprovidesextensiveinformationaboutsessions,websitesandusersvisitingthosesites.ThisinformationwhendisplayedthoughLiveAction’sLiveNXcanhelpanetworkorsecurityengineervisualizespecificeventsthathavehappenedataspecifictimeorisoccurringatthepresenttime.

ThisDocumentwillwalktheadministratorthroughtheprocessofsettingupNetFlowExportonthePaloAltoNetworksdeviceandhowtovisualizetheinformationwithinLiveNX

3|PaloAltoNetworksIntegrationwithLiveNX

2. IntegrationArchitecture

TheIntegrationbetweenPaloAltoNetworksdevicesandLiveNXisoverstandardprotocolsofNetFlowandtheSimpleNetworkManagementProtocol(SNMP).PaloAltoNetworksdevicescanexportNetFlowinformationtoLiveNX.Inadditiontothestandardfields,PaloAltoNetworksdevicescanalsoexportApplicationIDandUserIDwithintheNetFlowPackets.

4|PaloAltoNetworksIntegrationwithLiveNX

3. EnablingNetFlowExportonPaloAltoNetworksFirewalls

ToenableNetFlowExportonthePaloAltoNetworksdevice,logintothePaloAltoNetworksWebUI

AndnavigatetoDevice,expandtheSeverProfileaccordion,andselectNetFlow.ClickonAddandenterthecorrectinformationfortheLiveNXseverornode.ToincludetheextraPaloAltoNetworksfields,User-IDandApplicationIDcheckthePAN-OSFieldTypesbox

SelectOKandtheExporterhasbeensetup.Nowweneedtoactivatetheexportoftheflows.Thisisdoneonaninterfacelevel.NownavigatetotheNetworkTab,andInterfaces.SelecttheInterface(s)thatwillbeusedtogeneratetheNetFlowdata.IntheNetFlowProfilesectionaddtheExporterthatwejustsetup.

5|PaloAltoNetworksIntegrationwithLiveNX

Oncecompleted,committheconfiguration.ThePaloAltoNetworksdeviceshouldnowbeexportingflowstoLiveNX.

ThenextstepistoenablethePaloAltoNetworksdevicetousetheMicrosoftActiveDirectorytopulltheUseridtoIPaddressmapping.PaloAltoNetworkscanpullthisinformationfromothersourcesaswell,pleaserefertothePaloAltoNetworksdocumentationtoenabletheothersources.OntheDeviceTab,navigatetoUserIdentificationandinUserMappingselectthegearicon(topright)tosetuptheagent.WearegoingtousetheAgentlessmethodandenableWindowsManagementInterface(WMI).EnterthenameandpasswordthatwillbeusedforWMIconnectivity.WewillpresumethatthisUseridhasalreadybeensetupbyyourADadministratorwiththecorrectsecuritylevel.

6|PaloAltoNetworksIntegrationwithLiveNX

MakesurethatyoualsoenableServerMonitoring,ClientProbingandNTLM.NextclickOKandthenintheServerMonitoringsectionaddthedomaincontrollersthatneedtobeaccessedbythisPaloAltoNetworksDevice.ThislistmaybedifferentdependingontheADarchitectureandgeographiclocation,asADsecurityauditlogsarelocaltothedomaincontrollersthatareusedforauthentication.

7|PaloAltoNetworksIntegrationwithLiveNX

OnceyouhaveaddedtheUserIdentificationserver,nowyoumustenableUserididentificationontheZones,toaccomplishthisnavigatetoNetwork,ZonesandediteachoftheZonesthatyouwanttheUseridtobedisplayon.

8|PaloAltoNetworksIntegrationwithLiveNX

Nowcommitthechanges,andwehavefinishedsettingupthePaloAltoNetworksdevice.

9|PaloAltoNetworksIntegrationwithLiveNX

4. AddingthePaloAltoNetworksDevice(s)toLiveNX

OpentheLiveNXJavaClientandlogintothesystem.NavigatetoFile->AdddeviceandtheAddDeviceWizardwillstart.Thisisa9stepwizardthatwillaskandinterrogatethedevicetofindtheInterfacesandotherinformationaboutthesystem.YoumusthavetheIPaddressofAnyLayer3interfacethatwillbeexportingFlowdata,andtheManagementIPaddress.YoumustalsohavetheSNMPcommunitystringthatwillbeusedtocollecttheinterfaceTable.

SelectNextandLiveNXwillnowgothroughandfindtheinterfacesinthePaloAltoNetworks.OnceyouhaveselectedtheinterfacesthatNetFlowwillbeexportedfromclicknext,andasLiveNXwillnotknowofanyVLANSdefinedwithinthePaloAltoNetworksselectNext.

10|PaloAltoNetworksIntegrationwithLiveNX

NowwecanchangethePollingRate,leaveitatOneminute,andselectFlowsandclicknexttoreviewtheconfigurationandthenselectFinish.

11|PaloAltoNetworksIntegrationwithLiveNX

12|PaloAltoNetworksIntegrationwithLiveNX

ThedevicewillnowappearontheMainScreenandshouldbegreenmeaningthatLiveNXhascontactedthedevice.Next,weneedtorunthedevicesetupagain.ThisisanissuewithretrievingtheIPaddressesfromtheinterfaces.PaloAltoNetworksdevicesdonotupdatetheInterfaceMIBtablewithIPAddresses,andthereforeLiveNXcannotassociatetheflowdatawiththecorrectinterfaceor,connectittothecorrectnetworks.Thisisremediedbymodifyingthedevice.RightClickonthePaloAltoNetworksdeviceandopenEditDeviceSettings.

13|PaloAltoNetworksIntegrationwithLiveNX

TheDeviceWizardwillstartandthistimewearegoingtochangetheDevicetypetoNonSNMPdevice,selectNextandtheInterfaceTablewillbepresented

14|PaloAltoNetworksIntegrationwithLiveNX

EntertheIPAddressesoftheInterfacesthatwillbeexportingtheflowsandselectFinish

TheDevicewillnowconnecttothecorrectnetworks.IfthePaloAltoNetworksisrunninginLayer2mode,entertheManagementIPaddress.

15|PaloAltoNetworksIntegrationwithLiveNX

5. Reports

LiveNXcurrentlyhasarichsetofreportsandvisualaidsthatcanhelpthenetwork/securityengineertoviewtrafficthatistraversingthePaloAltoNetworksdeviceandbeabletounderstandtheapplicationsandusersthatmaybeeffectingthestabilityofthenetwork.Let’sstartwithasetofVisualAids…ThefirstistomonitorthePaloAltoNetworksdeviceitselfandseewhatflowareactiveinreal-time.FromthemainscreenintheJavaClient,changetheflowdisplaytoFirewall.ThiswilldisplayallflowstraversingthePaloAltoNetworks

Nowifwedoubleclickontothedevicewewillnowseeareal-timedisplayofalltheflowsthePaloAltoNetworksdeviceisexporting.Thisviewisupdatedeveryminuteandcanbeusedtofindspecificflowsandusethattodrilldownintomorespecificreports.

16|PaloAltoNetworksIntegrationwithLiveNX

Ifweselectaspecificflow,itcanbeaddedtothesearchfilter,andthenonlyinformationdestinedtothatapplicationorIPaddresscanbedisplayed.Orwecandrilldownintomorespecificreports,likeTopAnalysis,orInterfaceBandwidthreports

17|PaloAltoNetworksIntegrationwithLiveNX

Byrightclickingonspecificcolumnsinthisdisplaywecandrilldownandlookatspecificissuesthatcouldbehappening,ifwechoosetheSourceIPAddresswecandrilldowntotheinterfacereportandseetheamountoftrafficthatisbeinggeneratedthatistraversingthroughthefirewallbythatspecificaddress,orbyrightclickingontheAPP-ID(PaloAltoNetworks)wecanchoosethesamereportandseetheamountoftrafficthatisspecificapplicationisgenerating

18|PaloAltoNetworksIntegrationwithLiveNX

FromLiveNX’sFlowReportswecanalsolookatalltheapplicationsandthebandwidtheachisconsuming.OpenFlowReportsandchoosetheApplicationreport,choosethePaloAltoNetworksdeviceandmaketheGraphtypeFirewall,selectthetimeframeandexecutethereport.

19|PaloAltoNetworksIntegrationwithLiveNX

FromthisviewwecanalsodrilldoneonspecificapplicationsandgathermoreinformationonNetworkActivity.

20|PaloAltoNetworksIntegrationwithLiveNX

6. UseCases

Let’slookatsomespecificusecasesthatcanhelpsolvespecificissuesthatmaybegeneratedwithinanorganization.

1)WhatwasDone?Inthisspecificusecase,weneedtounderstandwhatanemployeedidduringaspecifictimeperiodandwhatapplicationswereusedandifanylargeamountsofdatawastransferredoutsidetheofthecompany’sinfrastructure.InformationthatwehavearetheUsersIDandthetimeframethattheeventhappened.InLiveNXwecanrunFlowreportsonthetimeframeandthenastheUser’sIDappearsinthereportswecanusetheassociatedIPaddresstoaddtothefliterlist.Executethereportandnowwehavealltheexternalactivityforthatuserovertheselectedtimeperiod.

ButnotonlycanweseewhatexternalappsandsystemsweretouchedwecanalsoseealltheinternalactivityfromthataddresswhiletheuserwasassociatedwiththatIPaddress.SelectAllDevicesandthetimeframe,setthegraphtoBasicFlowandexecutethereport.

21|PaloAltoNetworksIntegrationwithLiveNX

2)DataLeakageReportofalargeDataLeakagehasoccurred.Yourmissionasanetwork/securityengineeristotryandfindoutwho,whatandwhenitoccurred.YouknowtheApplication,butyoudon’tknowwhodidit,orwhenitwasdone.Howdoyoufigureitout?Thefirststepistolookattheapplicationsgoingthroughthefirewall(s)overaperiodoftime.NavigatetoFlowreportsinLiveNX,selecttheperiodoftimethatyouwanttomonitor,selectthefirewallthatyouwilluseasthesource,selectgraphtypetobefirewallandexecutethereport

22|PaloAltoNetworksIntegrationwithLiveNX

Fromthisreportwecandrilldownintotheapplicationwerethedataleakagewasreported.SoifwerightclickontheapplicationandthendrilldownandruntheTopAnalysiswecannowseetheindividualflowsoverthisspecifictimeframeandtheusersthatgeneratedthetraffic.InthisexamplewewilllookforsomethinggoingtoFacebook,whileit’snotadataexporttoolthesameprincipleapplies.

23|PaloAltoNetworksIntegrationwithLiveNX

3)ShadowIT/CloudApplicationVisibilityThecloudistransformingthewaybusinessisdone.ButtheITteamsdonotalwayshavevisibilityofthesebusinesscriticalapplicationsandyettheyarestillresponsibleformakingsuretheseapplicationsareperformingwellandmeetinguser’sneeds.

ThefirststepistocollectinformationfromtheInternetedgesacrossyournetwork.ScheduleaweeklyreporttoprovideyoualistofCloudapplicationsonanongoingbasis.

24|PaloAltoNetworksIntegrationwithLiveNX

Fromthisreport,youcanseethelistofCloudapplicationsandtheamountoftrafficeachapplicationisconsumingyourresources.Networkcongestioncanbeanissueformanybusinessestoday.Youwanttobesurethatcriticalapplicationsarenotimpactedwhencompetingwithrecreationaltraffic.InthenewInternet-basedworld,itisimportanttoidentifywhichapplicationsareonyournetworkandwhereyourresourcesarebeingconsumedtoalignwithyourbusinesspolicy.

25|PaloAltoNetworksIntegrationwithLiveNX

7. Conclusion

CombiningPaloAltoNetworksNextGenerationFirewallsandLiveAction’sLiveNXgivesbothnetworkengineersandSecurityEngineersmorevisibilityintotrafficthatisinthenetwork,andexitingasegmentortheperimeterofthenetwork.