Creating Whitelists

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
L7 Applicator
100% helpful (2/2)

MineMeld aggregator nodes support whitelists. If an indicator is on a whitelist, the aggregator nodes will not send matching indicators to downstream nodes. Whitelists can also be shared by multiple aggregators.

 

Aggregator nodes created using stdlib prototypes (stdlib.aggregatorDomain, stdlib.aggregatorURL, stdlib.aggregatorIPv4Generic, stdlib.aggregatorIPv4Outbound, stdlib.aggregatorIPv4Inbound) will whitelist indicators generated by Miner nodes whose name starts with the prefix wl (lowercase).

 

In the following example, a whitelist Miner will be created for an IPv4 aggregator node.

 

1. Creating a static whitelist node

In CONFIG, click + to add a new node. Specify a name starting with "wl" and select stdlib.listIPv4Generic as prototype. Enable Output and then press OK.

 

MineMeld Whitelist Add Node.png

 

2. Connecting the whitelist to the aggregator

In CONFIG, click on the INPUTS field of the selected aggregator. In the dialog add the new whitelist node to the list of INPUTS.

MineMeld Whitelist inboudaggregator.png

 

3. Commit the config

Just press COMMIT in the CONFIG page.

 

4. Adding indicators to the whitelist

In NODES, click on the new whitelist node and select INDICATORS in the menu on the left.

MineMeld Whitelist wlmywhitelist.png

 

Click + to add new indicators. Pressing OK will automatically save the indicator and the list. It could take up to 1 minute for the new indicator to be pushed downstream to the aggregator node.

MineMeld Whitelist Add IPv4 Indicator.png

 

Rate this article:
Comments
L2 Linker

What is the significance of the indicator "share level" in this example.  Does "red" impact the ability of the processor node to share it with numerous ouput nodes?

L7 Applicator

Hi Claudec,

technically share_level is just an additional attribute of indicators. You can use share_level to tag indicators that should be kept confidential and not shared with others. Enforcement of share_level can be done using node input filters. Example: feedHCGreen prototype accepts only indicators with share_level green. Ref: https://github.com/PaloAltoNetworks/minemeld-node-prototypes/blob/master/prototypes/stdlib.yml#L244

L0 Member

Is it possible to create a white list from an IPs address file?

L7 Applicator

Hi @spssspss, that's possible. Would you mind opening  a new discussion under MineMeld Discussions ? I will give you full details there. Thanks !

L4 Transporter

Hi,

I'm dealing with a problem in whitelists.

Following the steps described here, doesn't matter the time I wait, the IP inserted in my wlWhiteList node never is excluded from the IP list in the feed node.

 

The same occours for domains. I have a node called wlDomain. The domain never is removed from the list in my feed node. I don't know if it is a problem with the aggegator or the miner.

 

I noted that the whitelist miner for domains doesn't have the camp "Direction". Is it ok?

 

Thank you

L0 Member

Hello,

   danilo.souza I am also experincing the same thing as you. No matter the wl miner I create, the ips included are still being picked up by the inboundfeedhc and sent to my firewall. I have tried various wl miners and different directions (or no direction). I have my new miner added to the inboundaggreator and waited for over a day. When I check my EDL on the firewall the ips in question are still present, because they are still present in the Output node. 

 

Did you ever figure this out or get an answer. I know I am late to the party, but I just stood Minemeld up last week. 

 

Thanks. 

 

CH

L4 Transporter

Hi @ch199soprano

 

Unfortunately not. I "whitelisted" the IP through Panorama. You have the option to create exceptions there (Objects->External Dynamic Lists->"Your List"->List Entries and Exceptions).

 

But It is not instantaneous. This can take up to one hour (the interval of time the Firewall takes to accomplish the autocommit). 

 

Best Regards

L0 Member

Thanks, I will keep at it. unfortunately we are not using Panaorama so I would hae to Commit excpetions on the firewall which sort of takes away from the whole minmeld setup. Thanks for the response. 

 

CH

L0 Member

Hi,

 

Is there a way using whitelist for the oposite propose, i mean add indicators to an output?

 

Best Regards,

 

Adélio Moreira

L4 Transporter

@adeliomoreira 

 

 

I would like to know this as well.  It appears that the wl - indication works exactly opposite of what you would expect in this scenario?

L1 Bithead

Does anyone have any experience with or know whether it's possible to limit the size of subnets that could be added?


For instance, if someone were to try to add 10.0.0.0/8 -- is there anything that could be done to prevent that?

  • 39818 Views
  • 11 comments
  • 1 Likes
Register or Sign-in
Contributors
Labels
Article Dashboard
Version history
Last Updated:
‎09-09-2019 10:03 AM
Updated by:
Retired Member