article MineMeld to Implement NAC Application (DAGPusher) in General Articles

article MineMeld to Implement NAC Application (DAGPusher) in General Articles https://live.paloaltonetworks.com/t5/general-articles/minemeld-to-implement-nac-application-dagpusher/ta-p/203006 <H2>Introduction</H2> <P>The most common way to share indicators with a PAN-OS device is by using its External Dynamic List feature. MineMeld hosts a WEB server that can be used to generate feeds for URL, Domain and IP indicators to be consumed by a NGFW. One of the drawbacks of this approach is it being synchronous. The PANOS device polls at regular intervals the feed. This means that a recently received indicator might not be available for enforcement in the NGFW until the next poll is executed (typically 60 minutes)</P> <P> </P> <P>For host-based (/32) IPv4 indicators, MineMeld features an async node that leverages the <A href="https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/policy/register-ip-addresses-and-tags-dynamically" target="_self">Dynamic Address Group</A> PANOS feature. This node will "push" indicator changes to the device as soon as they reach the output.</P> <UL> <LI>UPDATE messages will be converted into "register" API calls</LI> <LI>WITHDRAW messages will be converted into "unregister" API calls</LI> </UL> <P> </P> <P>This article explores all the rich features of the DAGPusher MineMeld node in the contexts of a <A href="https://en.wikipedia.org/wiki/Network_Access_Control" target="_self">NAC</A> application.</P> <P> </P> <H2>Overview of the DAGPusher node</H2> <P>The DAGPusher node is, basically, a multi-instance API Client to the User-ID API entry point provided by any PANOS or PANORAMA device. The User-ID API entry point allows an external party (in this case MineMeld) map IP addresses with abstract data, for example:</P> <UL> <LI><STRONG>username</STRONG>: the basis of the <A href="https://www.paloaltonetworks.com/technologies/user-id" target="_self">PANOS User-ID technology</A>. IP addresses are mapped with a user-name ID and policies can be constructed based on this extended information instead of based on the value of the IP's themselves.</LI> <LI><STRONG>tags</STRONG>: multiple tags can be attached to an IP. Then groups of IP's can be created by collecting all IP addresses having a common set of tags. These groups can be used in the policies. This is, for example, the basis for the <A href="https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-web-interface-help/device/device-vm-information-sources" target="_self">VM Information Sources</A> PANOS feature.</LI> </UL> <P>Each indicator reaching the DAGPusher node is processed, attributes extracted, and a call to the User-ID API is made to "register" or "unregister" these IP's with a collection of tags related to the indicator's attributes.</P> <P> </P> <P>The DAGPusher node instantiates a new User-ID client for each managed device. This way the indicators can be pushed to many devices at once. The DAGPusher node also supports using PANORAMA as proxy to the devices.</P> <P> </P> <P>The current version of the DAGPusher node only supports host-based IPv4 indicators. Take in mind that all the following indicators types will be discarded by the node and not pushed down to the PANOS devices:</P> <UL> <LI>non-IPv4 indicators (that includes IPv6, URL, Domain, etc.)</LI> <LI>IPv4 indicators with the format <ip-address>/<masklen> where masklen is not 32</LI> <LI>IPv4 indicators with the format <ip-address-begin>-<ip-address-end> (ranges) where begin and end are not equal.</LI> </UL> <P>The configuration attributes for the DAGPusher node are:</P> <UL> <LI><SPAN class="pl-s"><STRONG>tag_prefix</STRONG> (string)</SPAN>: a char sequence that will be used as prefix for any tag value pushed to the devices (defaults to <FONT face="courier new,courier"><SPAN class="pl-s"><SPAN class="pl-pds">'</SPAN>mmld_<SPAN class="pl-pds">'</SPAN></SPAN></FONT>)</LI> <LI><SPAN class="pl-s"><STRONG>tag_watermark</STRONG> (string)</SPAN>: the value of a tag that will be attached to any indicator pushed by the DAGPusher node. This way, a NGFW administrator can backtrace any given tagged IP back to MineMeld as responsible for it (defaults to <SPAN class="pl-s"><SPAN class="pl-pds">'</SPAN>pushed<SPAN class="pl-pds">'</SPAN></SPAN>)</LI> <LI><SPAN class="pl-s"><STRONG>persistent_registered_ips</STRONG> (boolean): true if the tags pushed by the node should survive a device reboot (defaults to <FONT face="courier new,courier">'true'</FONT>)<BR /></SPAN></LI> <LI><SPAN class="pl-s"><STRONG>tag_attributes</STRONG> (list of strings): The collection of indicator attributes that should be extracted and converted into tags. The resulting tag value will be calculated as <tag_prefix>+"_"+<indicator attribute name>+"_"+<indicator attribute value> (defaults to <FONT face="courier new,courier">[<SPAN class="pl-pds">'</SPAN>confidence<SPAN class="pl-pds">'</SPAN>, <SPAN class="pl-pds">'</SPAN>direction<SPAN class="pl-pds">'</SPAN>]</FONT>)</SPAN></LI> </UL> <H2><SPAN class="pl-s">Creating a poor man's NAC application</SPAN></H2> <P><SPAN class="pl-s">Next sections of this article will provide a step by step guide to create a datacenter NAC application with the following specifications:</SPAN></P> <UL> <LI><SPAN class="pl-s">The enforcer of the policy should be a NGFW placed at the Internet Gateway</SPAN></LI> <LI><SPAN class="pl-s">Only traffic sourced by windows servers should be able to consume the application "ms-update"</SPAN></LI> <LI><SPAN class="pl-s">Only traffic sourced by linux servers should be able to consume the applications "yum" and "apt-get"</SPAN></LI> <LI><SPAN class="pl-s"><SPAN class="pl-s">A procedure must be provided to allow temporary (4 hours) full access to Internet to a third party device identified by its IP.<span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="nac_schema.png" style="width: 500px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/14032i32FC848EDFC3D18F/image-size/medium/is-moderation-mode/true?v=v2&px=400" role="button" title="nac_schema.png" alt="nac_schema.png" /></span></SPAN></SPAN> <P> </P> </LI> </UL> <P> </P> <H3>Step 1: Creating a new DAGPusher prototype</H3> <P>First step is to create a MineMeld node prototype based on the DAGPusher class that suits our needs. Basically we need to configure the DAGPusger class in such a way that it:</P> <UL> <LI>Attaches an operating system TAG to the registered IP address (that will be used to discriminate between Windows and Linux)</LI> <LI>Attaches an "temporary authorization" TAG to these IP addresses that should be allowed to traverse the NGFW</LI> </UL> <P>To achieve this we will create a new prototype using the standard lib DAGPusher one as base and defining the <FONT face="courier new,courier"><SPAN class="pl-s">tag_attributes</SPAN></FONT> configuration element.</P> <P> </P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="dag_pusher_prototype.png" style="width: 500px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/14036i228F0A9A3183AB1A/image-size/medium/is-moderation-mode/true?v=v2&px=400" role="button" title="dag_pusher_prototype.png" alt="dag_pusher_prototype.png" /></span><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="dag_pusher_new.png" style="width: 500px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/14037i25BF98233FB69062/image-size/medium/is-moderation-mode/true?v=v2&px=400" role="button" title="dag_pusher_new.png" alt="dag_pusher_new.png" /></span></P> <P> </P> <P>In the new node prototype window we specify values for  <FONT face="courier new,courier">tag_prefix</FONT>, <FONT face="courier new,courier">tag_watermark</FONT> and <FONT face="courier new,courier">tag_attributes</FONT> to look like in the following screenshot.</P> <P> </P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="poorman-prototype.png" style="width: 500px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/14038iE94EC80F47CBBE7B/image-size/medium/is-moderation-mode/true?v=v2&px=400" role="button" title="poorman-prototype.png" alt="poorman-prototype.png" /></span></P> <P> </P> <H3>Step 2: Setting up the graph</H3> <P>With this prototype in the library we're ready to setup a couple of nodes we'll use to achieve our poor man's NAC application:</P> <UL> <LI>A DAGPusher node based on the prototype we just created and</LI> <LI>A LocalDB miner that we'll use to host the indicators (our NAC database)</LI> </UL> <P>Let's start by cloning the existing <FONT face="courier new,courier">stdlib.localDB</FONT> prototype into a miner node.</P> <P> </P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="local_db_prototype.png" style="width: 500px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/14051i925447A89994133A/image-size/medium/is-moderation-mode/true?v=v2&px=400" role="button" title="local_db_prototype.png" alt="local_db_prototype.png" /></span></P> <P> </P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="local_db_prototype_clone.png" style="width: 500px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/14053i4BF8911F29476F9A/image-size/medium/is-moderation-mode/true?v=v2&px=400" role="button" title="local_db_prototype_clone.png" alt="local_db_prototype_clone.png" /></span></P> <P> </P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="local_db_prototype_poor-man-store.png" style="width: 500px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/14054i1A1FC6EF5B68CB7C/image-size/medium/is-moderation-mode/true?v=v2&px=400" role="button" title="local_db_prototype_poor-man-store.png" alt="local_db_prototype_poor-man-store.png" /></span></P> <P> </P> <P> </P> <P>Now, let's clone the <FONT face="courier new,courier">poor-man-dagpusher</FONT> prototype we created before as an output node and connect it directly to the <FONT face="courier new,courier">poor-man-store</FONT> miner node.</P> <P> </P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="poor-man-prototype-preclone.png" style="width: 500px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/14055i61A444F120237527/image-size/medium/is-moderation-mode/true?v=v2&px=400" role="button" title="poor-man-prototype-preclone.png" alt="poor-man-prototype-preclone.png" /></span></P> <P> </P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="poor-man-prototype-clone.png" style="width: 500px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/14056i29270A59CA1A3298/image-size/medium/is-moderation-mode/true?v=v2&px=400" role="button" title="poor-man-prototype-clone.png" alt="poor-man-prototype-clone.png" /></span></P> <P> </P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="poor-man-prototype-clone-final.png" style="width: 500px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/14057i53D180D643565878/image-size/medium/is-moderation-mode/true?v=v2&px=400" role="button" title="poor-man-prototype-clone-final.png" alt="poor-man-prototype-clone-final.png" /></span></P> <P> </P> <P> </P> <P>At this point we shoud have a basic graph connecting a miner with an outputter. Let's commit this graph.</P> <P> </P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="poor-man-commit.png" style="width: 500px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/14058iE0AE8BA12CD582D4/image-size/medium/is-moderation-mode/true?v=v2&px=400" role="button" title="poor-man-commit.png" alt="poor-man-commit.png" /></span></P> <P> </P> <P> </P> <H3>Step 3: Adding our PAN-OS device as a "handled device" to the DAGPusher node</H3> <P>The DAGPusher works on a database of "handled devices". In other words: the set of PANOS devices that should be notified each time a new IPv4 reaches the node (either for registering-update or unregistering-whitdraw)</P> <P> </P> <P>The MineMeld WEBUI provides a tab in the DAGPusher node to allow the administrator maintain the list of handled devices. Let's navigate to the node's WEBUI component and add a PANOS device.</P> <P> </P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="dag_node.png" style="width: 500px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/14063iF2FED1CE25B9A953/image-size/medium/is-moderation-mode/true?v=v2&px=400" role="button" title="dag_node.png" alt="dag_node.png" /></span></P> <P> </P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="dag_node_devices.png" style="width: 500px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/14064i751BD144BA3A43F7/image-size/medium/is-moderation-mode/true?v=v2&px=400" role="button" title="dag_node_devices.png" alt="dag_node_devices.png" /></span></P> <P> </P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="dag_node_devices_add.png" style="width: 500px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/14065iD7072E1EEAECAB38/image-size/medium/is-moderation-mode/true?v=v2&px=400" role="button" title="dag_node_devices_add.png" alt="dag_node_devices_add.png" /></span></P> <P> </P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="dag_node_devices_add_final.png" style="width: 500px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/14066iA6C2C9E8A713D18B/image-size/medium/is-moderation-mode/true?v=v2&px=400" role="button" title="dag_node_devices_add_final.png" alt="dag_node_devices_add_final.png" /></span></P> <P> </P> <P>This change does not requiere any configuration commit. The DAGPusher node will, automatically, instantiate a new API Client object with the provided credentials and network information. We're ready to operate our brand new poor man's NAC application.</P> <H2>Operating the poor man's NAC application</H2> <P>We're going to perform the following three tasks:</P> <UL> <LI>Add a windows server in the NAC's database</LI> <LI>Add a linux server in the NAC's database</LI> <LI>Add a temporary entry (4 hours) in the NAC database corresponding to a visitor's device.</LI> </UL> <P>To perform all these tasks we'll use the indicator tab provided by the WEBUI to the nodes based on the <FONT face="courier new,courier">localDB</FONT> class. Just navigate to the node and open the indicators tab.</P> <P> </P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="indicator_add.png" style="width: 500px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/14067iC402501B739466D2/image-size/medium/is-moderation-mode/true?v=v2&px=400" role="button" title="indicator_add.png" alt="indicator_add.png" /></span></P> <P> </P> <P>The first entry we'll add is the one corresponding to the windows server. As it is a "permanent" entry, we'll chose the "Disable Expiration" option in the TTL field. Attach an "os" attribute to the indicator defining this entry as a windows server (remember that we created a DAGPusher prototype that will extract the "os" and "authorized" attributes from the indicators).</P> <P> </P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="indicator_add_attributes.png" style="width: 500px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/14068i38E4ED61D7845253/image-size/medium/is-moderation-mode/true?v=v2&px=400" role="button" title="indicator_add_attributes.png" alt="indicator_add_attributes.png" /></span></P> <P> </P> <P> </P> <P>Addig an indicator to a node based on the localDB class does not requiere a commit. That means that, if everything is OK in our setup, we should be able to see the registered IP in out PANOS device.</P> <P> </P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="panos_cli_objects.png" style="width: 500px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/14069iE4B9277C2E93B52F/image-size/medium/is-moderation-mode/true?v=v2&px=400" role="button" title="panos_cli_objects.png" alt="panos_cli_objects.png" /></span></P> <P> </P> <P> </P> <P>Let's repeat the task but with a Linux server this time.</P> <P> </P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="linux_server.png" style="width: 500px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/14070i6313E07628310626/image-size/medium/is-moderation-mode/true?v=v2&px=400" role="button" title="linux_server.png" alt="linux_server.png" /></span></P> <P> </P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="cli_linux.png" style="width: 471px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/14071iCF961ED783BFEEA0/image-size/medium/is-moderation-mode/true?v=v2&px=400" role="button" title="cli_linux.png" alt="cli_linux.png" /></span></P> <P> </P> <P> </P> <P>Our last step is to create a timed entry (4 hours) for a visitor. This time, instead of chosing the "Disable expiration" option, we'll define a TTL of 14400 (4 hours = 14400 seconds). And we'll attach an "authorized" attribute this time.</P> <P> </P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="visitor.png" style="width: 500px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/14072iC79E70C84B0069B4/image-size/medium/is-moderation-mode/true?v=v2&px=400" role="button" title="visitor.png" alt="visitor.png" /></span></P> <P> </P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="visitor_cli.png" style="width: 500px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/14073iA14B8E1586D9E372/image-size/medium/is-moderation-mode/true?v=v2&px=400" role="button" title="visitor_cli.png" alt="visitor_cli.png" /></span></P> <P> </P> <P> </P> <P> </P> <P>The localDB miner will take care of the expiration. After 14400 seconds, the visitor's entry will be aged out, a WHITDRAW message generated down the graph and an "unregister" message will be send by the DAGPusher node to the handled device.</P> <P> </P> <H2>Configuring the PAN-OS device to use the pushed objects</H2> <P>For the pushed objects to be usable into policies, a Dynamic Address Group (DAG) must be created. For this excercise we'll create three DAG's:</P> <UL> <LI>Windows Servers (contain the tag "mm_os_windows")</LI> <LI>Linux Servers (contain the tag "mm_os_linux") and</LI> <LI>Guest Servers (contain the tag "mm_authorized_yes")</LI> </UL> <P>The Dynamic Address Groups are created the same way Regular Address Groups are created. Just that they're of type "dynamic" and based on a tag query ("and", "or" accepted).</P> <P> </P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="dag_windows_servers.png" style="width: 500px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/14074iF534CA2E96B79113/image-size/medium/is-moderation-mode/true?v=v2&px=400" role="button" title="dag_windows_servers.png" alt="dag_windows_servers.png" /></span></P> <P> </P> <P> </P> <P>Repeat for Linux_Servers and Guest_Servers.</P> <P> </P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="linux_other.png" style="width: 300px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/14075i0CBAB676546BCF5C/image-size/medium/is-moderation-mode/true?v=v2&px=400" role="button" title="linux_other.png" alt="linux_other.png" /></span></P> <P> </P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="guest_other.png" style="width: 364px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/14076iB00F8158B5A08F08/image-size/medium/is-moderation-mode/true?v=v2&px=400" role="button" title="guest_other.png" alt="guest_other.png" /></span></P> <P> </P> <P> </P> <P>Now let's use these DAGs into our poor man's NAC security policies.</P> <P> </P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="policy.png" style="width: 500px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/14077iCF63A24DCF409D36/image-size/medium/is-moderation-mode/true?v=v2&px=400" role="button" title="policy.png" alt="policy.png" /></span></P> <P> </P> <P> </P> <P>After committing the configuration changes you'll be able to confirm the DAG membership using the NGFW's WEBUI.</P> <P> </P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="guest-servers.png" style="width: 500px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/14078iA60B0C77672AF9A5/image-size/medium/is-moderation-mode/true?v=v2&px=400" role="button" title="guest-servers.png" alt="guest-servers.png" /></span></P> <P> </P> <P> </P> <P>If you followed the steps then you'll remember that, for the Guest Server entry in the LocalDB miner, we attached the attribute "os" with a value "windows" alongside the attribute "authorized". This means that the Guest Server is also registered as a Windows Server so it will be able to receive updates during the 4 hours it was granted access to the network.</P> <P> </P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Windows-server.png" style="width: 403px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/14079iCBBCA02B5762D9D4/image-size/medium/is-moderation-mode/true?v=v2&px=400" role="button" title="Windows-server.png" alt="Windows-server.png" /></span></P> <P> </P> <P> </P> <P> </P> <H2>Annex 1: Using PAN-OS API Key instead of user and password</H2> <P>The DAGPusher node supports using the PANOS API Key. But, unfortunatelly, the current WEB UI component does not expose it. This means we need to hack the configuration file of the DAGPusher node.</P> <P> </P> <P>First of all let's create a handled device in our DAGPusher node with a fake username and password.</P> <P> </P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="fake_node.png" style="width: 500px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/14033iFA128768E7D6620E/image-size/medium/is-moderation-mode/true?v=v2&px=400" role="button" title="fake_node.png" alt="fake_node.png" /></span></P> <P> </P> <P>The device list for the node is maintained in a YAML file inside the MineMeld's configuration folder (defaults to /opt/minemeld/local/config). The filename should have the value <nodename>_device_list.yml. In this example it will be "dagPusherWithAPIKey_device_list.yml".</P> <P> </P> <P>We just have to edit the file to:</P> <UL> <LI>assign null to both the <FONT face="courier new,courier">api_username</FONT> and <FONT face="courier new,courier">api_password</FONT> attributes</LI> <LI>attach a new attribute called <FONT face="courier new,courier">api_key</FONT> with the corresponding value for our device</LI> </UL> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="configuration_file.png" style="width: 800px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/14035i8ABF35577DB93EAB/image-size/large/is-moderation-mode/true?v=v2&px=999" role="button" title="configuration_file.png" alt="configuration_file.png" /></span></P> <P> </P> <P>The node should detect the file modification and reload the device list. But, if you want to be sure it is readed, just restart the engine.</P> <H2>Annex 2: Bulk upload of indicators</H2> <P>You may need to upload a bulk list of entries to the LocalDB miner (the NAC database in our example). The LocalDB miner features an API that is explained in the annex 2 of the article <A href="https://live.paloaltonetworks.com/t5/MineMeld-Articles/Using-MineMeld-as-an-Incident-Response-Platform/ta-p/174690" target="_self">Using MineMeld as an Incident Response Platform</A>.</P> <P> </P> <P>You can leverage the API or use the script created by <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/11678">@lmori</a> that implements the client side of the LocalDB API and that can use text formated input file as source.</P> <P> </P> <P>(Script available at <A href="https://gist.github.com/jtschichold/95f3906566b18b50cf2e3e1a44f1e785" target="_self">https://gist.github.com/jtschichold/95f3906566b18b50cf2e3e1a44f1e785</A>)</P> Wed, 19 Feb 2025 12:17:18 GMT xhoms 2025-02-19T12:17:18Z MineMeld to Implement NAC Application (DAGPusher) https://live.paloaltonetworks.com/t5/general-articles/minemeld-to-implement-nac-application-dagpusher/ta-p/203006 <P>Use MineMeld DAGPusher to create a basic NAC application</P> Wed, 19 Feb 2025 12:17:18 GMT https://live.paloaltonetworks.com/t5/general-articles/minemeld-to-implement-nac-application-dagpusher/ta-p/203006 xhoms 2025-02-19T12:17:18Z Re: Using MineMeld to implement a poor man's NAC application (DAGPusher) https://live.paloaltonetworks.com/t5/general-articles/minemeld-to-implement-nac-application-dagpusher/tac-p/226754#M157 <P>Update: DagPusher node now handles IPv6 indicators.</P> Fri, 10 Aug 2018 20:33:25 GMT https://live.paloaltonetworks.com/t5/general-articles/minemeld-to-implement-nac-application-dagpusher/tac-p/226754#M157 ksteves1 2018-08-10T20:33:25Z