From SAASYAN docs
Assure Deployment Guide - Palo Alto NGF
Create LDAP service account
- Create an LDAP service account in AD (can be called svc_assure for easy identification). It should be able to query AD users and group memberships.
Create AD groups
- Create a security group in AD (can be called Assure_Admins for easy identification) and populate it with the users who need to have administrative privileges on Assure.
- Create a security group in AD per student group (the group name can be prefixed with Assure_ for easy identification). These groups will be used to grant privileges over different student groups. Users placed in these groups will be allowed to log on to Assure and have access to the corresponding student groups.
Generate API key
- Generate an API key on the Palo Alto Networks Next Generation Firewall using the steps below. This API key will be used by Assure to programatically create/remove the override rules.
- To generate the key, you must construct a URL request using the user credentials as follows.
- Make sure that special characters in the password are URL/percent-encoded.
- The result with be an XML block that contains the key. It should look like the following:
- The key must be URL encoded when used in HTTP requests. The key generation operation uses the master key for generating keys. If you have not changed the master key from the default, all firewalls with the same username/password will return the same key. You must change the master key on the device if you want different keys returned for the same username/password combination on two different devices.
- To revoke or change the key, change the password with the associated admin account. As a best practice, set up a separate privileged account for XML API access.
- Note that the user should have all permissions (read and write) on the XML/REST API.
Create Rule Placeholders (OPTIONAL)
- Create the following placeholder rules. Assure will use these to determine where to place the programmatically created override rules in the ruleset. It's best to create these rules in such a way that they will never match any traffic.
Fill out the onboarding form
- Download the onboarding form by clicking on this. Fill out the onboarding form and email it to firstname.lastname@example.org. If you need assistance filling out the form, please contact SAASYAN support.
- SAASYAN support will email you a link to download the preconfigured Assure collector VM along with the login credentials to logon to this VM's console.
- Deploy the Assure collector virtual appliance.
- Make sure your network is configured to allow the Assure Collector VM outbound internet access on TCP port 443 - it uses this port to establish an SSL encrypted tunnel to the hosted Assure back end.
- Once the virtual appliance is deployed and started, use the provided login credentials to logon to its console. The Assure Collector management console will launch and you will have the below screen. Press OK to continue.
- You can perform several actions, as per below. You can either type the number or use the arrow keys to move up and down to select the desired action.
- Select the first option for Interface Configuration and a screen similar to the below will appear:
- Select the interface ens32 or eth0 and you will have two options as per below:
- Select Static IP and enter the needed values for the static IP configuration. Make sure the DNS Nameservers are space separated.
- Create a Syslog Server Profile on the Palo Alto Networks Next Generation Firewall with the following configuration (the name can be Assure and the Syslog Server has to be the IP address of the collector VM):
- Servers Tab
- Custom Log Format Tab
- PAN OS v7.x
- Config: Default
- System: Default
- Threat: k12wsthreat $receive_time | $device_name | $type | $subtype | $action | $app | $category | $proto | $srcuser | $src | $sport | $dst | $dport | $contenttype | $misc |
- Traffic: k12wstraffic $receive_time | $device_name | $type | $subtype | $action | $app | $category | $proto | $srcuser | $src | $sport | $dst | $dport | $bytes_sent | $bytes_received | $elapsed |
- HIP match: Default
- PAN OS v8.x / v9.x
- Config: Default
- System: Default
- Threat: k12wsvulnerability $time_received | $device_name | $type | $subtype | $action | $app | $category | $srcuser | $dstuser | $threatid | $pcap_id | $direction | $serial | $sessionid | ###serialno###$serial###serialno### |
- Traffic: k12wstraffic $receive_time | $device_name | $type | $subtype | $action | $app | $category | $proto | $srcuser | $src | $sport | $dst | $dport | $bytes_sent | $bytes_received | $elapsed | $sessionid | ###serialno###$serial###serialno### |
- URL: k12wsthreat $receive_time | $device_name | $type | $subtype | $action | $app | $category | $proto | $srcuser | $src | $sport | $dst | $dport | $contenttype | $misc | $sessionid | ###serialno###$serial###serialno### |
- Data: Default
- WildFire: Default
- Tunnel: Default
- Authentication: Default
- User-ID: Default
- HIP Match: Default
- Create a Log Forwarding Profile on the Palo Alto Networks Next Generation Firewall and set the Syslog setting on the items below to Assure.
- PAN OS v7.x
- PAN OS v8.x (without Panorama)
- PAN OS v8.x (with Panorama)
- Make sure you tick Panorama when creating each Log Forwarding Profile Match List
- Create a vulnerability protection rule and associate it with the Security Rules that are configured to log to Assure
- Review the policies on the Palo Alto Networks Next Generation Firewall and make sure URL Filtering Policies are set to Alert on all occurrences.
- Review the security rules on the Palo Alto Networks Next Generation Firewall and make sure Security Policy rules are set to Alert on all occurrences and set the log Settings parameters under the Actions tab to:
- Review the security policy on the Palo Alto Networks Next Generation Firewall and make sure it's set to decrypt all traffic that falls under the Search Engine category.
- Similarly, you can set it to decrypt all traffic that falls under the Social Networking and Streaming Media categories.
- Once Assure is online and the initial synchronization is complete, an admin has to login and go the Categories page (using the Admin menu) and change the ratings (by default all 5), exclude some Categories from the reports (by default all are included) and also set the Categories that can be used for Web Overrides (by default all categories).
- With the rating, 1 is the poorest and 10 is the highest.
- We recommend excluding Categories such as Content Delivery Networks, Web Advertisements and other similar ones.
- For the Rating, you can click on the original value (by default 5) to enter a new value between 1 and 10, with 1 being the poorest and 10 being the highest. These are used when calculating the user ratings and web behaviour.
- To exclude a Category from the reports, you can click on the original value (by default No) to switch it to Yes.
- To disallow a Category being used for Web Overrides, you can click on the original value (by default Yes) to switch it to No.