https://live.paloaltonetworks.com/t5/general-topics/minemeld-indicators-number-not-equal-firewall-dag-members-list/m-p/345727#M95579 <P>As I keep on looking for a solution, I tried using a more common EDL.</P> <P>&nbsp;</P> <P>As of now, the firewall is getting the right number of indicators, with no difference with the values gathered by Minemeld.</P> <P>&nbsp;</P> <P>I'm therefore wondering if there is a bug with the DAG Pusher prototype... Has anyone got this kind of issue in the past ?</P> <P>&nbsp;</P> <P>Thanks.</P> Thu, 27 Aug 2020 15:29:23 GMT GREMAUDO 2020-08-27T15:29:23Z https://live.paloaltonetworks.com/t5/general-topics/minemeld-indicators-number-not-equal-firewall-dag-members-list/m-p/339194#M95578 <P>Hi everyone,</P> <P>&nbsp;</P> <P>I tried to reference all the Windows RODC (<EM>Read-Only Domain Controllers</EM>) using a custom script. The script is working fine : it queries our Active Directory, and returns a JSON list of RODC. Each indicator listed by the script looks like this :</P> <LI-CODE lang="markup">{ "indicator": "ip.add.re.ss", "value": { "comment": "This is a comment", "confidence": 100, "type": "IPv4", "share_level": "green" } }</LI-CODE> <P>&nbsp;</P> <P>I then used an import script found here : <A href="https://gist.github.com/jtschichold/95f3906566b18b50cf2e3e1a44f1e785" target="_blank">https://gist.github.com/jtschichold/95f3906566b18b50cf2e3e1a44f1e785</A> which works fine too : it imports all the indicators (around 130) into the configured miner in Minemeld :</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="GREMAUDO_0-1594979428303.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/26876iA9CF5AB68B48DE52/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="GREMAUDO_0-1594979428303.png" alt="GREMAUDO_0-1594979428303.png" /></span></P> <P>&nbsp;</P> <P>I then send these indicators directly to some output nodes :</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="GREMAUDO_1-1594979557569.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/26877i413746BDA6059C09/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="GREMAUDO_1-1594979557569.png" alt="GREMAUDO_1-1594979557569.png" /></span></P> <P>&nbsp;</P> <P>I used a classic Output feed (as a test output). For populating the firewall, I used the DAG Pusher prototype, one that used our Panorama (CrfRodcDAG) and another one for testing purposes that sends the indicators directly to a firewall (CrfRodcDAG_Test). If we focus on the latter, here is it's configuration :</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="GREMAUDO_2-1594979751746.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/26878iCAD52B7C32ED997F/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="GREMAUDO_2-1594979751746.png" alt="GREMAUDO_2-1594979751746.png" /></span></P> <P>&nbsp;</P> <P>The firewall has a Dynamic Address Group configured, that matches the MineMeld tag "MM_RODC" :</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="GREMAUDO_3-1594979868103.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/26879i85A25C7CE3E983C6/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="GREMAUDO_3-1594979868103.png" alt="GREMAUDO_3-1594979868103.png" /></span></P> <P>&nbsp;</P> <P>At first, it looked like everything worked fine :</P> <UL> <LI>If a new RODC was found, it was added after a short timer in the firewall.</LI> <LI>If a RODC was deleted, it was suppressed from the DAG</LI> </UL> <P>&nbsp;</P> <P>However, after a few more tests in Minemeld, I restarted the MineMeld engine several times. And I began having some discrepancies between Minemeld and the firewall : MM still had 130 indicators, but the firewall only got 22, then 90, sometimes 126, then after a few seconds, dropped down to zero... The only way I found to stabilise the situation was to clear all registered IPs from the firewall, and then restart MineMeld engine. But again, if the MineMeld machine restarts or receives modifications, it "breaks" the whole system...</P> <P>&nbsp;</P> <P>For instance, right now, MineMeld lists 129 indicators, while only 36 are listed by the Firewall...</P> <P>&nbsp;</P> <P>I check with PAN support if the issue could be with the firewall, but they saw nothing suggesting that.</P> <P>&nbsp;</P> <P>Do you have any idea on the possible cause of this issue ?</P> <P>&nbsp;</P> <P>Kind regards.</P> Fri, 17 Jul 2020 10:07:37 GMT https://live.paloaltonetworks.com/t5/general-topics/minemeld-indicators-number-not-equal-firewall-dag-members-list/m-p/339194#M95578 GREMAUDO 2020-07-17T10:07:37Z https://live.paloaltonetworks.com/t5/general-topics/minemeld-indicators-number-not-equal-firewall-dag-members-list/m-p/345727#M95579 <P>As I keep on looking for a solution, I tried using a more common EDL.</P> <P>&nbsp;</P> <P>As of now, the firewall is getting the right number of indicators, with no difference with the values gathered by Minemeld.</P> <P>&nbsp;</P> <P>I'm therefore wondering if there is a bug with the DAG Pusher prototype... Has anyone got this kind of issue in the past ?</P> <P>&nbsp;</P> <P>Thanks.</P> Thu, 27 Aug 2020 15:29:23 GMT https://live.paloaltonetworks.com/t5/general-topics/minemeld-indicators-number-not-equal-firewall-dag-members-list/m-p/345727#M95579 GREMAUDO 2020-08-27T15:29:23Z