Palo Alto Networks Panorama
What is Panorama?
Palo Alto Panorama monitors, configures, and automates management of multiple Palo Alto firewalls. Panorama manages network security with a single security rule base for firewalls that includes configuration management, threat prevention, URL filtering, application awareness, user identification, sandboxing, file blocking, access control, and data filtering.
Why Should You Use the Panorama Connector?
Panorama is a centralized management system that provides global visibility and control over multiple Palo Alto next-generation firewalls. You can use this visibility to:
ensure assets are managed per your security policies
find vulnerabilities quickly and remediate
How Does This Connector Work?
Lucidum executes read-only requests to the Panorama API and ingests only meta-data about Panorama assets. Lucidum does not retrieve any data stored on your assets.
Configuring the Connector in Lucidum
Field | Description | Example |
---|---|---|
URL | The URL of the Palo Alto Panorama API. | https://panfirewall/api |
User Name | User name of an admin account with “Operational Requests” enabled for the Panorama XML API. | lucidum_api |
Password | Password for the account. | ******************* |
Verify SSL | For future use. | N/A |
Configuring Syslog Forwarding to Lucidum
Palo Alto Panorama API might not return all network traffic information. To allow Lucidum to ingest all network traffic information, Lucidum recommends forwarding the Palo Alto Network logs to a central file storage (for example, an AWS S3 bucket). Lucidum’s file connector can then ingest the log data from file storage.
To configure syslog forwarding for Palo Alto Networks, refer to the documentation below:
Source Documentation
Creating Account to Access APIs
Create an administrator role (for example, called “Lucidum_API_Role”) and assign it XML API > Operational Requests. https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-panorama-api/get-started-with-the-pan-os-xml-api/enable-api-access#ide6063ba8-2b0b-42eb-98c2-eb4914061722
Create an administrator account to use with Lucidum. Select role-based and the role you created. https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/firewall-administration/manage-firewall-administrators/configure-administrative-accounts-and-authentication/configure-a-firewall-administrator-account#ideef650af-9943-401a-ab08-3a5dcad2bc21
Required Role
The account that Lucidum uses to access the Panorama API must have at least this role:
Administrator account with access to XML API > Operational Requests
API Documentation
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-panorama-api/get-started-with-the-pan-os-xml-api
Syslog Forwarding
Parameters
URL (required) - The URL of the Palo Alto Panorama API. For example, https://10.2.20.29
User Name and Password (optional) - The credentials for an Admin account that has permission to fetch assets: the account needs the “Operational Requests” role (fully enabled, NOT read-only) under the "XML/REST API" section. Instructions for associating this role with an Admin account can be found here. Also, make sure to enable the API as described here.
Verify SSL (required, default is false) - Whether to verify the Panorama SSL certificate.
Notes
Palo Alto Panorama API may not include all network traffic information. Lucidum recommends forwarding the PAN logs to a central file storage (e.g., AWS S3 bucket), then Lucidum’s file connector will collect the logs from the file storage. To configure PAN Syslog forwarding, refer to the documentation below:
References (Internal Use Only)
Palo Alto Panorama API documentation (responses are in XML format)
Get VPN login devices and users (optional): https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-panorama-api/pan-os-xml-api-use-cases/show-and-manage-globalprotect-users-api
GET 'https://<firewall>/api/?type=op&cmd=<show><global-protect-gateway><current-user/></global-protect-gateway></show>&key=<apikey>'
Get PAN firewall devices: https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-panorama-api/pan-os-xml-api-use-cases/query-a-firewall-from-panorama-api
GET "https://<panorama>/api/?type=op&cmd=<show><devices><all></all></devices></show>"
Get HIP Match logs (log-type=hipmatch): https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-panorama-api/pan-os-xml-api-request-types/retrieve-logs-api/api-log-retrieval-parameters
Get VPN logs (log-type=globalprotect and received_time within last day): https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-panorama-api/pan-os-xml-api-request-types/retrieve-logs-api/example-use-the-api-to-retrieve-traffic-logs
First, create the query job and get the job ID:
GET "https://<firewall>/api/?type=log&log-type=globalprotect&nlogs=1000&skip=0&query=(receive_time geq '2022/08/22 08:00:00')"
Then, use the job ID to fetch the job logs:
GET "https://<firewall>/api/?type=log&action=get&job-id=<job_id>"
Query execution may take quite a long time. At first you will get only the job ID; you can repeat the get job-id request until the job status becomes “FIN”:
```xml
<response status="success">
  <result>
    <job>
      <tenq>17:35:05</tenq>
      <tdeq>17:35:05</tdeq>
      <tlast>03:00:00</tlast>
      <status>FIN</status>
      <id>384</id>
      <cached-logs>1152</cached-logs>
    </job>
  </result>
</response>
```
From the results, we only need the logs with eventid in ['gateway-connected', 'gateway-getconfig', 'gateway-register'] and status == 'success'. Increase the skip value to page through the remaining results.
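The create-job, poll-until-FIN, filter and page-by-skip flow just described, as an added example (it is not Lucidum's or Palo Alto's code). The two HTTP calls are passed in as callables so the job logic can run offline against the constructed replies below; the reply shapes (a bare `<job>ID</job>` on creation, `<job><status>..</status><id>..</id></job>` plus `<log><logs><entry>` on retrieval) are assumptions modelled on the documented XML API responses.

```python
"""Added example: drive the PAN-OS XML API log-retrieval flow offline.
submit(skip) and poll(job_id) stand in for the two GET requests shown above."""
import xml.etree.ElementTree as ET
from typing import Callable, Dict, List, Tuple

# Only successful gateway events count as VPN logins for asset correlation.
WANTED_EVENTS = {"gateway-connected", "gateway-getconfig", "gateway-register"}


def query_params(since: str, nlogs: int = 1000, skip: int = 0) -> Dict[str, str]:
    """Query-string parameters for the job-creation request, mirroring the GET above."""
    return {
        "type": "log",
        "log-type": "globalprotect",
        "nlogs": str(nlogs),
        "skip": str(skip),
        "query": f"(receive_time geq '{since}')",
    }


def parse_job(xml_text: str) -> Tuple[str, str]:
    """Return (status, job_id). A creation reply carries a bare <job>ID</job>;
    a get-job reply carries <job><status>..</status><id>..</id></job>."""
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        raise RuntimeError(f"API error: {xml_text[:200]}")
    job = root.find("./result/job")
    if job is None:
        raise RuntimeError("reply has no <job> element")
    if len(job) == 0:
        return "PENDING", (job.text or "").strip()
    return job.findtext("status", "").strip(), job.findtext("id", "").strip()


def parse_log_entries(xml_text: str) -> List[Dict[str, str]]:
    """Flatten each <entry> into a dict; attributes get an '@' prefix like the API dict below."""
    root = ET.fromstring(xml_text)
    entries = []
    for entry in root.iterfind("./result/log/logs/entry"):
        record = {f"@{k}": v for k, v in entry.attrib.items()}
        record.update({child.tag: (child.text or "") for child in entry})
        entries.append(record)
    return entries


def is_vpn_login(entry: Dict[str, str]) -> bool:
    return entry.get("eventid") in WANTED_EVENTS and entry.get("status") == "success"


def fetch_vpn_logins(submit: Callable[[int], str], poll: Callable[[str], str],
                     nlogs: int = 1000, max_polls: int = 60) -> List[Dict[str, str]]:
    """Page with skip until a page comes back short; poll each job until FIN
    and give up (loudly) instead of spinning forever on a stuck job."""
    results: List[Dict[str, str]] = []
    skip = 0
    while True:
        _, job_id = parse_job(submit(skip))
        for _ in range(max_polls):
            reply = poll(job_id)
            if parse_job(reply)[0] == "FIN":
                break
        else:
            raise TimeoutError(f"job {job_id} did not reach FIN after {max_polls} polls")
        page = parse_log_entries(reply)
        results.extend(e for e in page if is_vpn_login(e))
        if len(page) < nlogs:
            return results
        skip += nlogs


# Constructed replies shaped like the documented responses (not captured from a real device).
CREATE_REPLY = ('<response status="success"><result>'
                '<msg><line>query job enqueued with jobid 384</line></msg>'
                '<job>384</job></result></response>')
ACTIVE_REPLY = ('<response status="success"><result><job><status>ACT</status><id>384</id>'
                '<cached-logs>0</cached-logs></job><log><logs count="0" progress="40"/></log>'
                '</result></response>')
FIN_REPLY = ('<response status="success"><result><job><status>FIN</status><id>384</id>'
             '<cached-logs>3</cached-logs></job><log><logs count="3" progress="100">'
             '<entry logid="1"><eventid>gateway-connected</eventid><status>success</status>'
             '<srcuser>example\\user1</srcuser><private_ip>192.0.2.10</private_ip></entry>'
             '<entry logid="2"><eventid>gateway-logout</eventid><status>success</status></entry>'
             '<entry logid="3"><eventid>gateway-register</eventid><status>failure</status></entry>'
             '</logs></log></result></response>')


def demo_run() -> List[Dict[str, str]]:
    """One page: the first poll finds the job still running, the second finds it FIN."""
    polls: List[str] = []

    def poll(job_id: str) -> str:
        polls.append(job_id)
        return ACTIVE_REPLY if len(polls) == 1 else FIN_REPLY

    return fetch_vpn_logins(lambda skip: CREATE_REPLY, poll)
```

To wire this to a real Panorama, `submit` would issue `session.get(base_url + "/api/", params={**query_params(since, skip=skip), "key": api_key})` and return `.text`, and `poll` would do the same with `{"type": "log", "action": "get", "job-id": job_id, "key": api_key}`; the paging stop condition relies on the API returning fewer than `nlogs` entries on the last page.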
Reference: https://avleonov.com/2016/12/17/retrieving-palo-alto-ngfw-security-events-via-api/
PAN OS Rest API: https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-panorama-api/get-started-with-the-pan-os-rest-api/access-the-rest-api
From the device endpoint, get the firewall’s IP address and vsys name
Then query the firewall’s different objects with the IP address and vsys name, for example:
```python
session.get('https://10.76.250.247/restapi/v10.1/Network/VLANs?location=vsys&vsys=vsys1').json()
```
Traffic Log Fields: https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/traffic-log-fields.html
Threat Log Fields: https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/threat-log-fields.html
HIP Match Log Fields: https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/hip-match-log-fields
System/VPN Log Fields: https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/globalprotect-log-fields.html
PAN VPN Log (from API)
```python
{'@logid': '264312',
 'domain': '0',
 'receive_time': '2022/09/07 00:43:56',
 'serial': '001801053658',
 'seqno': '7169757',
 'actionflags': '0x0',
 'is-logging-service': 'no',
 'type': 'GLOBALPROTECT',
 'subtype': '0',
 'config_ver': '0',
 'time_generated': '2022/09/07 00:44:10',
 'high_res_timestamp': '1970-01-01T00:00:00.000+00:00',
 'dg_hier_level_1': '1407',
 'dg_hier_level_2': '167',
 'dg_hier_level_3': '41',
 'dg_hier_level_4': '3481',
 'device_name': 'TWNPFW0101',
 'vsys_id': '1',
 'vsys': 'vsys1',
 'eventid': 'gateway-connected',
 'status': 'success',
 'stage': 'connected',
 'tunnel_type': 'IPSec',
 'portal': 'WFH-GP-Gateway-Secondary',
 'srcuser': 'tu\\jw3105490',
 'srcregion': 'TW',
 'machinename': 'TWAIOSEWD0T028',
 'public_ip': '180.177.38.74',
 'public_ipv6': '0.0.0.0',
 'private_ip': '192.168.149.7',
 'private_ipv6': '0.0.0.0',
 'hostid': 'ddfa0cef-e251-4814-9ee4-2472d532c2b6',
 'serialnumber': 'JL8K7K2',
 'client_ver': '5.2.9',
 'client_os': 'Windows',
 'client_os_ver': 'Microsoft Windows 10 Pro , 64-bit',
 'repeatcnt': '1',
 'login_duration': '0',
 'error_code': '0',
 'response_time': '0',
 'priority': 'manual only'}
```
PAN GlobalProtect VPN Syslog (not the log from API):
```text
Nov 24 16:34:10 ra1-sjc2.inet.lucidum.io 1,2020/11/24 16:34:10,016201004721,
SYSTEM,globalprotect,0,2020/11/24 16:34:10,,globalprotectgateway-auth-succ,
GP-Gateway-SJC-N,0,0,general,informational,
"GlobalProtect gateway user authentication succeeded.
Login from: 24.6.3.50, Source region: US,
User name: admin@lucidum.io, Auth type: SAML,
Client OS version: Apple Mac OS X 10.15.7.",699469,0x0,0,0,0,0,,ra1-sjc2

Jan 6 00:24:09 ra1-las1.inet.lucidum.io 1,2022/01/06 00:24:08,016201004795,
GLOBALPROTECT,0,2305,2022/01/06 00:24:08,vsys1,gateway-getconfig,configuration,,,
test@lucidum.io,US,SL-1001,72.68.181.166,0.0.0.0,10.254.241.59,0.0.0.0,
f32ae07b-037c-4140-a2dc-7afa8510b388,R9132VJG,5.2.3,Windows,"Microsoft Windows 10 Pro , 64-bit",
1,,,"",success,,0,,0,GP-Gateway,725019,0x0,0,0,0,0,,ra1-las1,1
```
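When the GlobalProtect events arrive through syslog forwarding instead of the API, the CSV body has to be mapped back onto the same field names. The parser below is an added example, not Lucidum's code; it handles the quoted `"Microsoft Windows 10 Pro , 64-bit"` value that a naive `split(",")` would break, skips lines of other types (the SYSTEM line above has a different column layout), and flags unexpected column counts rather than mis-assigning fields. The column order in `GP_FIELDS` is an assumption derived by aligning the GLOBALPROTECT sample line above with the API dict; confirm it against the linked GlobalProtect log field descriptions for your PAN-OS release.

```python
"""Added example: parse a GLOBALPROTECT syslog line into the same keys the XML API
returns, so one filter can serve both the API and the syslog/file feeds."""
import csv
import re
from typing import Dict, Optional

# Assumed column order for type=GLOBALPROTECT (43 fields, matching the sample above).
GP_FIELDS = [
    "future_use", "receive_time", "serial", "type", "subtype", "config_ver",
    "time_generated", "vsys", "eventid", "stage", "auth_method", "tunnel_type",
    "srcuser", "srcregion", "machinename", "public_ip", "public_ipv6",
    "private_ip", "private_ipv6", "hostid", "serialnumber", "client_ver",
    "client_os", "client_os_ver", "repeatcnt", "reason", "error", "opaque",
    "status", "location", "login_duration", "connect_method", "error_code",
    "portal", "seqno", "actionflags", "dg_hier_level_1", "dg_hier_level_2",
    "dg_hier_level_3", "dg_hier_level_4", "vsys_name", "device_name", "vsys_id",
]

# "Mon D HH:MM:SS host " prefix that the syslog transport puts in front of the CSV body.
SYSLOG_HEADER = re.compile(r"^[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2} \S+ ")
WANTED_EVENTS = {"gateway-connected", "gateway-getconfig", "gateway-register"}


def parse_gp_syslog(line: str) -> Optional[Dict[str, str]]:
    """Return a field dict for a GLOBALPROTECT line, or None for other log types
    (SYSTEM, TRAFFIC and THREAT lines use different column layouts)."""
    body = SYSLOG_HEADER.sub("", line.rstrip("\n"), count=1)
    fields = next(csv.reader([body]))          # csv honours the quoted "Pro , 64-bit" value
    if len(fields) < 4 or fields[3] != "GLOBALPROTECT":
        return None
    if len(fields) < len(GP_FIELDS):
        # A short line means a different column layout; fail visibly, not by shifting fields.
        raise ValueError(f"expected at least {len(GP_FIELDS)} columns, got {len(fields)}")
    record = dict(zip(GP_FIELDS, fields))
    # Newer PAN-OS releases append columns; keep them rather than silently dropping them.
    record["extra"] = ",".join(fields[len(GP_FIELDS):])
    return record


def is_vpn_login(entry: Dict[str, str]) -> bool:
    """Same filter as for the API records: successful gateway events only."""
    return entry.get("eventid") in WANTED_EVENTS and entry.get("status") == "success"


# Constructed by joining the GLOBALPROTECT syslog fragment shown above into one line.
SAMPLE_GP = (
    "Jan 6 00:24:09 ra1-las1.inet.lucidum.io 1,2022/01/06 00:24:08,016201004795,"
    "GLOBALPROTECT,0,2305,2022/01/06 00:24:08,vsys1,gateway-getconfig,configuration,,,"
    "test@lucidum.io,US,SL-1001,72.68.181.166,0.0.0.0,10.254.241.59,0.0.0.0,"
    "f32ae07b-037c-4140-a2dc-7afa8510b388,R9132VJG,5.2.3,Windows,"
    '"Microsoft Windows 10 Pro , 64-bit",1,,,"",success,,0,,0,GP-Gateway,725019,'
    "0x0,0,0,0,0,,ra1-las1,1"
)
# Constructed SYSTEM-type line (first fragment of the SYSTEM sample above); must be skipped.
SAMPLE_SYSTEM = ("Nov 24 16:34:10 ra1-sjc2.inet.lucidum.io 1,2020/11/24 16:34:10,016201004721,"
                 "SYSTEM,globalprotect,0,2020/11/24 16:34:10,,globalprotectgateway-auth-succ")
```

Multi-line SYSTEM messages such as the first sample above (the quoted description spans several lines) need the file reader to reassemble the record before parsing; `csv.reader` will do that if it is given the full text rather than one physical line at a time.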
PAN Device Response:
```json
{
  "@name": "013201026515",
  "serial": "013201026515",
  "connected": "yes",
  "unsupported-version": "no",
  "wildfire-rt": "no",
  "hostname": "US-LAS-PFW02",
  "ip-address": "10.202.250.253",
  "ipv6-address": "unknown",
  "mac-addr": null,
  "uptime": "10 days, 12:03:49",
  "family": "5200",
  "model": "PA-5220",
  "sw-version": "9.1.11",
  "app-version": "8610-7534",
  "av-version": "4184-4697",
  "device-dictionary-version": null,
  "wildfire-version": "692527-695832",
  "threat-version": "8610-7534",
  "url-db": "paloaltonetworks",
  "url-filtering-version": "20220813.20150",
  "logdb-version": "9.1.22",
  "vpnclient-package-version": null,
  "global-protect-client-package-version": "5.2.8",
  "prev-app-version": "8609-7533",
  "prev-av-version": "4183-4696",
  "prev-threat-version": "8609-7533",
  "prev-wildfire-version": "692526-695831",
  "prev-device-dictionary-version": null,
  "domain": null,
  "slot-count": "0",
  "type": null,
  "tag": null,
  "ha": {
    "state": "passive",
    "peer": {
      "serial": "013201026501"
    }
  },
  "vpn-disable-mode": "no",
  "operational-mode": "normal",
  "high-speed-mode": "no",
  "certificate-status": null,
  "certificate-subject-name": "013201026515",
  "certificate-expiry": "2032/02/25 19:50:39",
  "connected-at": "2022/08/19 12:59:08",
  "custom-certificate-usage": "no",
  "multi-vsys": "no",
  "vsys": {
    "entry": {
      "@name": "vsys1",
      "display-name": "vsys1",
      "shared-policy-status": null,
      "shared-policy-md5sum": "09e9abf86d71d579810f85620f4defe1",
      "shared-policy-version": "22841"
    }
  },
  "last-masterkey-push-status": "Unknown",
  "last-masterkey-push-timestamp": null,
  "express-mode": "no",
  "device-cert-present": "None",
  "device-cert-expiry-date": "N/A"
}
```
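The two REST API steps described earlier (take the IP address and vsys name from the device entry, then query the firewall's objects per vsys) as an added example, not Lucidum's code. It works on entries shaped like the device response above and covers the case the single-vsys sample hides: when a firewall has several vsys, the XML-to-JSON conversion returns `vsys.entry` as a list rather than a dict. Disconnected devices are skipped, and the HA state is carried along so a caller can decide whether to query a passive peer. The `restapi/v10.1` path is an assumption copied from the example call earlier on this page; the sample serials and IPs are constructed.

```python
"""Added example: map Panorama 'show devices all' entries to per-vsys REST API URLs."""
from typing import Any, Dict, Iterator, List
from urllib.parse import quote

REST_VERSION = "v10.1"   # assumption taken from the example URL above; match your PAN-OS release


def iter_vsys_names(device: Dict[str, Any]) -> Iterator[str]:
    """Yield vsys names; 'entry' is a dict for one vsys and a list for several."""
    entries = (device.get("vsys") or {}).get("entry") or []
    if isinstance(entries, dict):
        entries = [entries]
    for entry in entries:
        name = entry.get("@name")
        if name:
            yield name


def device_targets(device: Dict[str, Any], resource: str = "Network/VLANs") -> List[Dict[str, str]]:
    """One REST URL per vsys for a firewall Panorama reports as connected.
    Devices that are disconnected or have no usable management IP are skipped."""
    if device.get("connected") != "yes":
        return []
    ip = device.get("ip-address")
    if not ip or ip == "unknown":
        return []
    return [
        {
            "serial": device.get("serial", ""),
            "hostname": device.get("hostname", ""),
            "ha_state": (device.get("ha") or {}).get("state", ""),
            "vsys": name,
            "url": f"https://{ip}/restapi/{REST_VERSION}/{resource}?location=vsys&vsys={quote(name)}",
        }
        for name in iter_vsys_names(device)
    ]


def plan_queries(devices: List[Dict[str, Any]], resource: str = "Network/VLANs") -> List[Dict[str, str]]:
    """Flatten the device list into query targets, de-duplicated by (serial, vsys)."""
    seen = set()
    targets: List[Dict[str, str]] = []
    for device in devices:
        for target in device_targets(device, resource):
            key = (target["serial"], target["vsys"])
            if key not in seen:
                seen.add(key)
                targets.append(target)
    return targets


# Constructed sample entries shaped like the device response above (serials and IPs are made up).
SAMPLE_DEVICES = [
    {"serial": "0100000001", "hostname": "fw-single", "connected": "yes",
     "ip-address": "192.0.2.1", "ha": {"state": "passive", "peer": {"serial": "0100000002"}},
     "multi-vsys": "no", "vsys": {"entry": {"@name": "vsys1", "display-name": "vsys1"}}},
    {"serial": "0100000003", "hostname": "fw-multi", "connected": "yes",
     "ip-address": "192.0.2.3", "ha": None, "multi-vsys": "yes",
     "vsys": {"entry": [{"@name": "vsys1"}, {"@name": "vsys2", "display-name": "dmz"}]}},
    {"serial": "0100000004", "hostname": "fw-offline", "connected": "no",
     "ip-address": "192.0.2.4", "vsys": {"entry": {"@name": "vsys1"}}},
]
```

Each URL is then fetched the way the earlier `session.get(...).json()` call shows, with the same API key header the REST API documentation describes for the account created above.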