From SAASYAN docs
Jump to: navigation, search

Assure Deployment Guide - Palo Alto NGF

Create LDAP service account

  • Create an LDAP service account in AD (can be called svc_assure for easy identification). It should be able to query AD users and group memberships. Make sure the "password never expires" option is set and also the "user must change password at next logon" option is not set.

Create AD groups

  • Create a security group in AD (can be called Assure_Admins for easy identification) and populate it with the users who need to have administrative privileges on Assure.
  • Create a security group in AD per student group (the group name can be prefixed with Assure_ for easy identification). These groups will be used to grant privileges over different student groups. Users placed in these groups will be allowed to log on to Assure and have access to the corresponding student groups.

Generate API key

  • Generate an API key on the Palo Alto Networks Next Generation Firewall using the steps below. This API key will be used by Assure to programatically create/remove the override rules.
  • To generate the key, you must construct a URL request using the user credentials as follows.
  • Make sure that special characters in the password are URL/percent-encoded.
  • The result with be an XML block that contains the key. It should look like the following:
API key generation.png
  • The key must be URL encoded when used in HTTP requests. The key generation operation uses the master key for generating keys. If you have not changed the master key from the default, all firewalls with the same username/password will return the same key. You must change the master key on the device if you want different keys returned for the same username/password combination on two different devices.
  • To revoke or change the key, change the password with the associated admin account. As a best practice, set up a separate privileged account for XML API access.
  • Note that the user should have all permissions (read and write) on the XML/REST API.
API permissions for user.png

Create Rule Placeholders (OPTIONAL)

  • Create the following placeholder rules. Assure will use these to determine where to place the programmatically created override rules in the ruleset. It's best to create these rules in such a way that they will never match any traffic.

Fill out the onboarding form

  • Download the onboarding form by clicking on this. Fill out the onboarding form and email it to If you need assistance filling out the form, please contact SAASYAN support.
  • SAASYAN support will email you a link to download the preconfigured Assure collector VM along with the login credentials to logon to this VM's console.
  • Deploy the Assure collector virtual appliance.
  • Make sure your network is configured to allow the Assure Collector VM outbound internet access on TCP port 443 - it uses this port to establish an SSL encrypted tunnel to the hosted Assure back end.
  • Once the virtual appliance is deployed and started, use the provided login credentials to logon to its console. The Assure Collector management console will launch and you will have the below screen. Press OK to continue.
You can perform several actions, as per below. You can either type the number or use the arrow keys to move up and down to select the desired action.
Select the first option for Interface Configuration and a screen similar to the below will appear:
Select the interface ens32 or eth0 and you will have two options as per below:
Select Static IP and enter the needed values for the static IP configuration. Make sure the DNS Nameservers are space separated.

Firewall Configuration

  • Create a Syslog Server Profile on the Palo Alto Networks Next Generation Firewall with the following configuration (the name can be Assure and the Syslog Server has to be the IP address of the collector VM):
Servers Tab
Syslog Server Profile - Servers.png
Custom Log Format Tab
PAN OS v7.x
Config: Default
System: Default
Threat: k12wsthreat $receive_time | $device_name | $type | $subtype | $action | $app | $category | $proto | $srcuser | $src | $sport | $dst | $dport | $contenttype | $misc |
Traffic: k12wstraffic $receive_time | $device_name | $type | $subtype | $action | $app | $category | $proto | $srcuser | $src | $sport | $dst | $dport | $bytes_sent | $bytes_received | $elapsed |
HIP match: Default
Syslog Server Profile - Custom Log Format.png
PAN OS v8.x / v9.x
Config: Default
System: Default
Threat: k12wsvulnerability $time_received | $device_name | $type | $subtype | $action | $app | $category | $srcuser | $dstuser | $threatid | $pcap_id | $direction | $serial | $sessionid | ###serialno###$serial###serialno### |
Traffic: k12wstraffic $receive_time | $device_name | $type | $subtype | $action | $app | $category | $proto | $srcuser | $src | $sport | $dst | $dport | $bytes_sent | $bytes_received | $elapsed | $sessionid | ###serialno###$serial###serialno### |
URL: k12wsthreat $receive_time | $device_name | $type | $subtype | $action | $app | $category | $proto | $srcuser | $src | $sport | $dst | $dport | $contenttype | $misc | $sessionid | ###serialno###$serial###serialno### |
Data: Default
WildFire: Default
Tunnel: Default
Authentication: Default
User-ID: Default
HIP Match: Default
Syslog Server Profile - Custom Log Format - v8.x.png
  • Create a Log Forwarding Profile on the Palo Alto Networks Next Generation Firewall and set the Syslog setting on the items below to Assure.
PAN OS v7.x
Log Forwarding Profile.png
PAN OS v8.x (without Panorama)
Log Forwarding Profile - v8.x.png
PAN OS v8.x (with Panorama)
Make sure you tick Panorama when creating each Log Forwarding Profile Match List
Log Forwarding Profile (Panorama) - v8.x.png
  • Create a vulnerability protection rule (Objects tab under Security Profiles) and associate it with the Security Rules that are configured to log to Assure. If you already have a Vulnerability Protection Profile, make sure you add a new rule under the same profile, otherwise create the profile first
  • Make sure the vulnerability profile is being used in the security rules. It can be made a part of the Security Profile Group (in case used) or assigned individually to the security rules (actions tab)
  • Review the policies on the Palo Alto Networks Next Generation Firewall and make sure URL Filtering Policies are set to Alert on all occurrences.
  • Review the security rules on the Palo Alto Networks Next Generation Firewall and make sure Security Policy rules are set to Alert on all occurrences and set the log Settings parameters under the Actions tab to:
Log Settings - 2.png
  • Review the security policy on the Palo Alto Networks Next Generation Firewall and make sure it's set to decrypt all traffic that falls under the Search Engine category.
Decryption Policy Rule - 1.png
Decryption Policy Rule - 2.png
Decryption Policy Rule - 3.png
Decryption Policy Rule - 4.png
Decryption Policy Rule - 5.png
  • Similarly, you can set it to decrypt all traffic that falls under the Social Networking and Streaming Media categories.

Web Categories

  • Once Assure is online and the initial synchronization is complete, an admin has to login and go the Categories page (using the Admin menu) and change the ratings (by default all 5), exclude some Categories from the reports (by default all are included) and also set the Categories that can be used for Web Overrides (by default none).
  • For custom Categories, we recommend using meaningful ones as they will be visible to the Assure users and Categories like Custom-Allow-Categ01 may not mean anything to the users.
  • With the Rating, 1 is the poorest and 10 is the highest. We recommend setting the default ratings from the onset and we can guide you to set default ones at onboarding time.
  • We recommend excluding Categories such as Content Delivery Networks, Web Advertisements and other similar ones.
  • For the Rating, you can click on the original value (by default 5) to enter a new value between 1 and 10, with 1 being the poorest and 10 being the highest. These are used when calculating the user ratings and web behaviour.
  • To exclude a Category from the reports, you can click on the original value (by default No) to switch it to Yes.
  • To allow a Category being used for Web Overrides, you can click on the original value (by default No) to switch it to Yes.