From SAASYAN docs

Advance Deployment Guide

Generate API key

  • Generate an API key on the Palo Alto Networks Next-Generation Firewall using the steps below. Advance uses this key to inject User-ID to IP address mappings into the firewall through its XML API.
  • To generate the key, send a request to the firewall's XML API with the credentials of an administrative account, in the following form:
http(s)://hostname/api/?type=keygen&user=username&password=password
  • Use HTTPS, never plain HTTP, for this request: the credentials and the returned key would otherwise cross the network in clear text. Note that in this form the credentials sit in the URL, which proxies and web-server access logs usually record.
  • Make sure that special characters in the password are URL/percent-encoded (for example & as %26 and = as %3D); otherwise the firewall splits the password at those characters and the request fails.
  • The result will be an XML block that contains the key: a response element with status "success" whose result element holds the key. It should look like the following:
[Image: API key generation.png, the XML response containing the key]
  • The key must be URL encoded when used in HTTP requests. The key generation operation uses the master key for generating keys: if you have not changed the master key from the default, all firewalls with the same username/password will return the same key. Change the master key on the device if you want different keys returned for the same username/password combination on two different devices.
  • To revoke or change the key, change the password of the associated admin account. As a best practice, set up a separate admin account that is used only for XML API access, with an admin role limited to the operations Advance needs, so that rotating or revoking its key does not disturb interactive administrators.
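As an added example (not SAASYAN's or Palo Alto Networks' own code), the following Python script performs the key generation described above, extracts the key from the XML response, and percent-encodes it for later API calls. It sends the credentials as a POST form body rather than in the query string, which PAN-OS also accepts for type=keygen, so that the password stays out of URL logs. The host name fw.example.net, the account name and the key value in the constructed sample response are placeholders.

```python
"""Generate a PAN-OS XML API key and prepare it for later API calls.

Added example, not SAASYAN Advance's or Palo Alto Networks' own code. Host name,
account name and the key in the constructed sample responses are placeholders.
"""
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET


def keygen_request(host, user, password):
    """Build the keygen call as (url, form_body).

    The guide shows the credentials in the query string; this puts them in the
    POST body instead (PAN-OS accepts both for type=keygen) so the password does
    not land in proxy or web-server access logs. urlencode percent-encodes the
    special characters the guide warns about.
    """
    url = f"https://{host}/api/?type=keygen"
    body = urllib.parse.urlencode({"user": user, "password": password}).encode()
    return url, body


def parse_keygen_response(xml_text):
    """Return the key from <response status="success"><result><key>..</key></result></response>.

    Raises RuntimeError on an error response (status="error" with a <msg>), so a
    failed login is never mistaken for a key.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "response" or root.get("status") != "success":
        msg = root.findtext("./result/msg") or root.findtext("./msg/line") or "unknown error"
        raise RuntimeError(f"keygen failed: {msg}")
    key = (root.findtext("./result/key") or "").strip()
    if not key:
        raise RuntimeError("keygen response contained no <key>")
    return key


def api_query(key, **params):
    """Percent-encode the query string of a later API call.

    The key is base64-like and may contain '+', '/' and '=', which is why the
    guide says it must be URL encoded before being put in a request.
    """
    return urllib.parse.urlencode({**params, "key": key})


def fetch_api_key(host, user, password, cafile=None):
    """Perform the keygen call over TLS.

    Point cafile at the firewall's certificate when it is self-signed; do not
    disable verification, since the response carries the key.
    """
    url, body = keygen_request(host, user, password)
    ctx = ssl.create_default_context(cafile=cafile)
    req = urllib.request.Request(url, data=body, method="POST")
    with urllib.request.urlopen(req, context=ctx, timeout=15) as resp:
        return parse_keygen_response(resp.read().decode("utf-8"))


# Constructed sample responses in the shape PAN-OS returns; the key is made up.
SAMPLE_SUCCESS = ('<response status="success"><result>'
                  '<key>LUFRPT1example+key/with=chars</key></result></response>')
SAMPLE_FAILURE = ('<response status="error" code="403"><result>'
                  '<msg>Invalid Credential</msg></result></response>')


if __name__ == "__main__":
    url, body = keygen_request("fw.example.net", "advance-api", "p@ss&word=1")
    print(url, body)                      # credentials percent-encoded in the body
    key = parse_keygen_response(SAMPLE_SUCCESS)
    print(api_query(key, type="op", cmd="<show><system><info/></system></show>"))
```

To run it against a real firewall, call fetch_api_key with the exported certificate as cafile when the firewall uses a self-signed certificate; the result is the same value the guide's URL form returns.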

Fill out the onboarding form

  • Download the onboarding form from the link on this page, fill it out and email it to support@saasyan.com.au. If you need assistance filling out the form, please contact SAASYAN support.
  • If you're using a self-signed certificate on the Palo Alto Next-Generation Firewall, email the certificate (the public certificate only; never send the private key) to support@saasyan.com.au so that Advance can trust the firewall's TLS certificate.
  • SAASYAN support will email you a link to download the preconfigured Advance VM, along with the login credentials for this VM's console if needed.
  • Deploy the Advance virtual appliance.
  • Make sure your network is configured to allow the Advance Virtual Appliance outbound internet access on TCP port 443; it uses this port to activate and renew its license.
  • SAASYAN support will also provide you with a download link for NXLOG.

Configure the DHCP Servers

  • Deploy NXLOG on the DHCP servers that serve the BYOD network segments in your environment.
  • Run the registry editor, navigate to [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\DHCPServer\Parameters] and modify "DhcpLogFilesMaxSize" (right-click, Modify, or double-click the value) from 46 to 2bc in hexadecimal. The value is the combined size limit of the DHCP audit log files in megabytes: 0x46 is the 70 MB default and 0x2bc raises it to 700 MB, so that the DHCP server does not stop writing audit events on busy networks once the limit is reached. Restart the DHCP Server service for the change to take effect.
  • Configure NXLOG to forward logs to the Advance Virtual Appliance, using the following configuration as a template. Replace the Host value 10.20.1.46 with the address of your Advance appliance. The om_tcp output sends the records unencrypted, so the path between the DHCP server and the appliance should be a trusted internal segment.
Windows DHCP server (Windows 2008 R2 and newer):
## This is a sample configuration file. See the nxlog reference manual about the
## configuration options. It should be installed locally and is also available
## online at http://nxlog.org/nxlog-docs/en/nxlog-reference-manual.html

## Please set the ROOT to the folder your nxlog was installed into,
## otherwise it will not start.

define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Extension syslog>
   Module xm_syslog
</Extension>

#Saasyan Advance config 

<Input advance-dhcp-watchfile>
   Module im_file
   # Sysnative is used because the 32-bit nxlog build lives under Program Files (x86):
   # on 64-bit Windows a 32-bit process opening C:\Windows\System32 is redirected to
   # SysWOW64, and the Sysnative alias bypasses that redirection so the real
   # System32\dhcp folder (where DhcpSrvLog-*.log is written) is read.
   File 'c:\\windows\\Sysnative\\dhcp\\DhcpSrvLog-*.log'
   InputType   LineBased
   #Exec if file_name() =~ /.*\\(.*)/ $SourceName = $1;
   # Remember the read position across restarts, but start at the end of the file on first run
   SavePos TRUE
   ReadFromLast TRUE
   PollInterval 1
   # Facility 17 is local1; the NPS template below uses 16 (local0), so the two feeds
   # can be told apart on the appliance.
   Exec $Message = $raw_event; $SyslogFacilityValue = 17;
</Input>

<Processor advance-dhcp-filewatcher_transformer>
   Module pm_transformer
   # Uncomment to override the program name
   # Exec $SourceName = 'PROGRAM NAME';
   Exec $Hostname = hostname();
   OutputFormat syslog_rfc5424
</Processor>

<Output advance-dhcp-out>
   Module      om_tcp
   Host        10.20.1.46
   Port        5514
</Output>

<Route advance-dhcp-1>
   Path        advance-dhcp-watchfile => advance-dhcp-filewatcher_transformer => advance-dhcp-out
</Route>

Configure the NPS / Radius Servers

  • Deploy NXLOG on the NPS / RADIUS servers that serve the BYOD network segments in your environment.
  • If you're using Windows 2012 R2 NPS, run the following from an elevated PowerShell prompt to grant the Local System account (S-1-5-18) read access to the Security event log. The single quotes are PowerShell quoting; from cmd.exe use double quotes instead. Record the existing descriptor first with wevtutil get-log security so it can be restored, because set-log replaces the whole channel access string rather than appending to it:
wevtutil set-log security /ca:'O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)(A;;0x1;;;S-1-5-18)'
  • Enable audit logging for NPS on the Windows RADIUS / NPS server, so that successful authentications are written to the Security log as Event ID 6272 (rejections appear as 6273):
  1. On a server running NPS, click Start, right-click Command Prompt, and then click Run as administrator.
  2. At the command prompt, type auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable and press ENTER.
  • Configure NXLOG to forward logs to the Advance Virtual Appliance, using the following configuration as a template. Replace the Host value 10.20.1.46 with the address of your Advance appliance; as with the DHCP feed, om_tcp sends the events unencrypted.
Windows NPS / Radius server (Windows 2008 R2 and newer):
## This is a sample configuration file. See the nxlog reference manual about the
## configuration options. It should be installed locally and is also available
## online at http://nxlog.org/nxlog-docs/en/nxlog-reference-manual.html

## Please set the ROOT to the folder your nxlog was installed into,
## otherwise it will not start.

define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Extension syslog>
   Module xm_syslog
</Extension>

#Saasyan Advance config 

<Input advance-nps-in>
    Module      im_msvistalog
    Query <QueryList>\
      <Query Id="0" Path="Security">\
        <Select Path="Security">*[System[(EventID=6272)]]</Select>\
      </Query>\
    </QueryList>
</Input>

<Processor advance-nps-transformer>
   Module pm_transformer
   # Uncomment to override the program name
   # Exec $SourceName = 'PROGRAM NAME';
   Exec  $SyslogFacilityValue = 16;
   Exec $Hostname = hostname();
   #OutputFormat syslog_rfc5424
   Exec $raw_event = replace($raw_event, "\r\n", " ");
   Exec $raw_event = replace($raw_event, "\r", " ");
</Processor>

<Output advance-nps-out>
   Module      om_tcp
   Host        10.20.1.46
   Port        5514
   Exec to_syslog_snare();
</Output>

<Route advance-nps-1>
    Path        advance-nps-in => advance-nps-transformer => advance-nps-out
</Route>
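As an added example (not SAASYAN Advance's code), the following Python shows what the two feeds configured in the DHCP and NPS sections above are for: it parses DHCP audit-log rows and the text of event 6272, joins them on the client MAC address, and emits the user/IP login and logout events that a User-ID integration injects into the firewall. The DHCP column layout and the 6272 field labels are the Windows formats; the sample rows, the user jdoe, the domain CORP and all addresses are constructed. Advance's own correlation logic is not published on this page, so this illustrates the approach rather than reproducing the product.

```python
"""Correlate DHCP audit-log leases with NPS event 6272 into user -> IP mappings.

Added example, not SAASYAN Advance's code. Field layouts are those of the Windows
DHCP audit log (DhcpSrvLog-*.log) and of event 6272; sample input is constructed.
"""
import csv
import re
from io import StringIO

# DHCP audit-log event IDs: 10 new lease, 11 renew, 12 release, 16 deleted, 17 expired.
LEASE_EVENTS = {"10", "11"}
RELEASE_EVENTS = {"12", "16", "17"}


def normalize_mac(raw):
    """'00-11-22-33-44-55', '00:11:..' or '001122334455' -> '001122334455'; None if malformed."""
    mac = re.sub(r"[^0-9A-Fa-f]", "", raw or "").upper()
    return mac if len(mac) == 12 else None


def parse_dhcp_line(line):
    """Return ('lease'|'release', ip, mac) for one DhcpSrvLog row, else None.

    Columns: ID,Date,Time,Description,IP Address,Host Name,MAC Address,...
    The header row, the file preamble and events without a MAC (e.g. 30, DNS
    update request) are skipped.
    """
    fields = next(csv.reader(StringIO(line)), [])
    if len(fields) < 7 or not fields[0].isdigit():
        return None
    mac = normalize_mac(fields[6])
    if mac is None:
        return None
    if fields[0] in LEASE_EVENTS:
        return "lease", fields[4].strip(), mac
    if fields[0] in RELEASE_EVENTS:
        return "release", fields[4].strip(), mac
    return None


_USER = re.compile(r"Account Name:\s+(\S+)")
_DOMAIN = re.compile(r"Account Domain:\s+(\S+)")
_CALLING = re.compile(r"Calling Station Identifier:\s+(\S+)")


def parse_nps_6272(message):
    """Return ('DOMAIN\\user', mac) from the text of event 6272, else None.

    Works on the flattened text the NXLOG transformer produces (newlines replaced
    by spaces). The first 'Account Name' is the user; the second belongs to the
    'Client Machine' section. Calling Station Identifier is the MAC the NAS sent.
    """
    user, dom, calling = _USER.search(message), _DOMAIN.search(message), _CALLING.search(message)
    if not (user and calling):
        return None
    mac = normalize_mac(calling.group(1))
    if mac is None:   # e.g. a VPN NAS reporting an IP address instead of a MAC
        return None
    name = user.group(1)
    if dom and "\\" not in name and "@" not in name:
        name = f"{dom.group(1)}\\{name}"
    return name, mac


class MappingTable:
    """Latest user per MAC (from RADIUS) and IP per MAC (from DHCP), joined on MAC."""

    def __init__(self):
        self.user_by_mac = {}
        self.ip_by_mac = {}

    def ingest_nps(self, message):
        """Return ('login', user, ip) if the MAC already has a lease, else None."""
        parsed = parse_nps_6272(message)
        if not parsed:
            return None
        user, mac = parsed
        self.user_by_mac[mac] = user
        ip = self.ip_by_mac.get(mac)
        return ("login", user, ip) if ip else None

    def ingest_dhcp(self, line):
        """Return ('login'|'logout', user, ip) if the MAC has an authenticated user, else None."""
        parsed = parse_dhcp_line(line)
        if not parsed:
            return None
        kind, ip, mac = parsed
        if kind == "release":
            self.ip_by_mac.pop(mac, None)
        else:
            self.ip_by_mac[mac] = ip
        user = self.user_by_mac.get(mac)
        return ("logout" if kind == "release" else "login", user, ip) if user else None


# Constructed sample input: one flattened 6272 event and four DHCP audit-log rows.
SAMPLE_NPS = ("Network Policy Server granted access to a user. User: Security ID: CORP\\jdoe "
              "Account Name: jdoe Account Domain: CORP Fully Qualified Account Name: corp.example/Users/jdoe "
              "Client Machine: Security ID: NULL SID Account Name: - Fully Qualified Account Name: - "
              "OS-Version: - Called Station Identifier: AA-BB-CC-DD-EE-FF:BYOD-WiFi "
              "Calling Station Identifier: 00-11-22-33-44-55 NAS: NAS IPv4 Address: 10.20.7.2 ")
SAMPLE_DHCP = [
    "ID,Date,Time,Description,IP Address,Host Name,MAC Address,User Name, TransactionID, QResult,"
    "Probationtime, CorrelationID,Dhcid,VendorClass(Hex),VendorClass(ASCII),UserClass(Hex),"
    "UserClass(ASCII),RelayAgentInformation,DnsRegError.",
    "10,02/03/16,09:15:22,Assign,10.20.5.17,jdoe-laptop,001122334455,,1234567,0,,,,,,,,,0",
    "30,02/03/16,09:15:22,DNS Update Request,10.20.5.17,jdoe-laptop,,,0,0,,,,,,,,,0",
    "12,02/03/16,17:40:01,Release,10.20.5.17,jdoe-laptop,001122334455,,1234568,0,,,,,,,,,0",
]


def run_sample():
    """Feed the samples in arrival order and return the User-ID events produced."""
    table = MappingTable()
    events = [table.ingest_nps(SAMPLE_NPS)]
    events += [table.ingest_dhcp(row) for row in SAMPLE_DHCP]
    return [e for e in events if e]


if __name__ == "__main__":
    for event in run_sample():
        print(event)
```

The join key is the MAC address because that is the only field the two logs share: RADIUS knows who authenticated but not which address they were later leased, and the DHCP server knows the address but not the user. A release, deletion or expiry event clears the address so that a stale mapping is not left on the firewall when the device leaves the network.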