Autofocus MineMeld - how to access output node that requires authorisation


L2 Linker

I need to create O365 IP/URL EDLs but when I try to access the output nodes I get "Unauthorised" message unless I sign into AutoFocus in the browser. Needless to say I cannot do the same on a firewall. How do I allow anonymous connections to a feed in Autofocus MineMeld or use authentication when configuring EDL on a firewall? 

19 REPLIES

L5 Sessionator

You have to create a "feeduser" and attach it as a TAG to the output node.

 


 

In the PANOS device:

  • If running PANOS 8.0, enable client authentication and populate user and password fields.
  • If running PANOS 7.1 use the basic auth URL syntax (https://<user>:<password>@domain.com/url)

 

 

Hi, I'm new to working on MineMeld. I have an issue: I want to enable authentication for an output node, but above the FEEDS USERS manager I had the following message: "Warning! authentication for output feeds is disabled". How do I enable it?

 

Thank you


@jonnynux : are you using MineMeld hosted in AutoFocus? AFAIK MM in AutoFocus has Authentication for Output feeds enabled by default.

I'm trying to do this, but I must be missing something. I have created a feed user and I have added a tag to the user. I've associated that tag with my feed and that looks good so far. My question pertains to the modification of the URL.

 

In the PANOS device use the basic auth URL syntax (https://<user>:<password>@domain.com/url)

 

My firewall is running 7.1, and I cannot figure out the right syntax to use here. https://user:password@example.com/rest-of-url-copied-from-autofocus generates an unauthorized error. I can't test the URL now with a browser because the browser believes I am connecting to a site in example.com.

 

Could you show an actual URL that I could mimic in my configuration? That would be a huge help.

 

-Mike

@msemaniuk : I just tested the syntax in a 7.1 PANOS NGFW and it works in my case.

 

https://sxxxxxpp:sxxxxx6@dxxxxxff.paloaltonetworksapp.com/feeds/office365_IPv4s

Are you using MineMeld in AutoFocus?

Yes, it's in autofocus.  I believe I see my syntax problem.  I will give it a try in the morning!

-Mike

I have fixed my formatting issue, but I'm not sure that it is resolving things.  I can test the URL with an 8.1 firewall.  My customer however, cannot get this to work with a 7.1 firewall.  I am going to rebuild my PA-200 as 7.1 so that I can try it personally.  

 

This is my format I am using.

 

https://user:pass@f******.paloaltonetworks-app.com/feeds/the-rest-of-the-url

 

I've also checked it in a browser and I receive an unauthorized notification.  

 

-Mike

Turns out my customer was testing in a browser, and not with the firewall.  He's good to go with the correct formatting of the URL.  Thanks for the help!

 

-Mike
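To test a feed URL in the `user:password@` form from a workstation without a browser, the credentials can be sent explicitly as an HTTP Basic `Authorization` header. This is an added example, not part of the thread; the host name and credentials in it are constructed placeholders, and `split_feed_url` and `check_feed` are hypothetical helper names.

```python
import base64
import urllib.error
import urllib.request
from urllib.parse import urlsplit, urlunsplit, unquote


def split_feed_url(url):
    """Split https://user:pass@host/path into (clean_url, Authorization value)."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("feed credentials should only travel over https")
    if parts.username is None or parts.password is None:
        raise ValueError("URL carries no user:password@ part")
    # Userinfo is percent-encoded inside a URL; decode it before building
    # the header, otherwise a password containing '@' or ':' never matches.
    user, password = unquote(parts.username), unquote(parts.password)
    host = parts.netloc.rpartition("@")[2]  # host[:port] without credentials
    clean = urlunsplit((parts.scheme, host, parts.path, parts.query, ""))
    token = base64.b64encode(f"{user}:{password}".encode()).decode("ascii")
    return clean, "Basic " + token


def check_feed(url, timeout=10):
    """Fetch the feed with explicit Basic auth; return (status, entry_count)."""
    clean, auth = split_feed_url(url)
    req = urllib.request.Request(clean, headers={"Authorization": auth})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace")
            entries = [line for line in body.splitlines() if line.strip()]
            return resp.status, len(entries)
    except urllib.error.HTTPError as err:
        # A 401 means the server rejected the feed user or password,
        # or the user's tag does not match the output node's tag.
        return err.code, 0


if __name__ == "__main__":
    # Constructed placeholder URL, not a real feed; '%40' encodes '@'.
    sample = "https://feeduser:p%40ss@minemeld.example.com/feeds/office365_IPv4s"
    clean_url, header = split_feed_url(sample)
    print(clean_url)
    print("Authorization header built, length", len(header))
```

Calling `check_feed()` with the real feed URL returns the HTTP status and the number of non-empty entries, so a 401 can be told apart from an empty list.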

We are trying to get our firewalls to work with MineMeld using AutoFocus to load both URLs and IP lists into the firewall via EDLs. All is configured correctly on the AutoFocus MineMeld, including the username and password and tag for the feeder, and this tag is also configured in the output processor. We do not have an Admin user configured (just the Feed username and password).

 

The problem is the firewall in my opinion:  


We have the GoDaddy cert installed and imported as a 'CA' per the AutoFocus MineMeld technical documentation (https://www.paloaltonetworks.com/documentation/autofocus/autofocus/autofocus_admin_guide/autofocus-a...). We have the username and password correctly installed with the cert in the EDL object. However, we get URL errors when we hit the "test" button and cannot pull down the MineMeld list. We tried re-configuring multiple times to make sure we did not mistype the username and password. We do not see any errors in the firewall system log. Software is PAN-OS 8.0.5.

 

Any ideas?   

 

Thank you,  Rich (rschunk@paloaltonetworks.com)

After a bit of testing this is what I have found:

 

- setting the Minemeld output processor tag to anonymous allows any access whether the EDL is configured with or w/o client authentication.

 

- setting the Minemeld output processor tag to any results in firewall EDL failure with a URL access error. Client authentication in EDL profile is correct (there is not much to configure...), wget shows Minemeld rejecting the request with a 401.

 

- setting the Minemeld output processor to a specific tag mapped to a specific Feed user also fails. Client authentication is correctly configured in the EDL object, wget shows Minemeld rejecting the request with a 401.

 

My testing is with a standalone Minemeld (since I can not make edits to the SE demo system) but the customer Minemeld is integrated into AutoFocus per my previous message.  I am having the customer change to anonymous for now but this is not what they want to do for production.

 

Rich

@rschunk : Are you using the EDL object anywhere in the PANOS configuration? The device will fail to fetch the feed if you're not using it. Even the "test" button reports failure which is confusing.

Yes, the EDL is assigned to a security rule and committed in the firewall.

@rschunk, could you, please, dig into the ms.log file in the PANOS device (tail follow yes mp-log ms.log while clicking on the "test" button) and into the MM's web server ( minemeld-web.log ) ?
