Dynamic Address Group (DAG) PAN-OS / DAGPusher prototype

cancel
Showing results for 
Search instead for 
Did you mean: 

Dynamic Address Group (DAG) PAN-OS / DAGPusher prototype

L4 Transporter

 

Hi guys,

 

I'm trying to use the the DAGPusher prototype but, unhappily, I'm dealing with some problems. May be some of you could help me with it.

 

My scenario:

 

I use a generic miner to extract IPv4 (/32) from a specific location (that is working). Then it is sent to the DAGPusher node (that is working). Now I want to push them to Firewall/Panorama (it is not working).

 

My configuration:

 

In my local DAGPusher prototype, I use the configuration showed in figure 1 (green arrow). You can see that I only set the "tag_prefix":"agencias" parameter.

 

The status tab (figure 3) in the node cloned from this prototype, I have the indicators been received. Fine! And the Handled_Device tab show the Firewall destination (figure 2). Although I have multiplus devices and manage all of them through Panorama I choose to test DAGPusher with only one of them, at first.

 

Monitoring the traffic log I can see that my MM VM is trying to communicate with the device, and this traffic is allowed.

 

In Panorama I created a shared DAG with only one match: 'agencias' (figure 3).

 

Status/Questions:

 

At this point my DAG is not populated. Through the CLI, using the command "show object registered-ip all" I got nothing.
Could you guys identify something wrong? The syntax and the tags I used are corrects?
The fact that I created a shared DAG in Panorama could be the problem? Can I populate a shared DAG only in one Firewall?

 

 

Thank you in advanced.
Best regards.

16 REPLIES 16

Hi @danilo.souza,

 

is it possible that you're targetting a Panorama instead of a PANOS device to push User-ID REGISTER messages?

 

Panorama does not implemente the User-ID API. That is a PANOS only feature. You can use Panorama as an API Gateway to reach the PANOS Device API. But, in any case, the REGISTER/UNREGISTER messages generated by the DAG Pusher output node must be targetted to a PANOS Device (or to a list of devices)

Hi @xhoms

 

No, I'm not targeting Panorama. I created the shared DAG in Panorama, but I'm pushing the IP to a specific Firewall. I used the command below (from the MM machine) to generate the key (for both users).

 

-----------------

curl -k -X GET 'https://firewall/api/?type=keygen&user=user&password=xxxxxxx'

----------------

 

After your comment, I check out if Panorama would generate a different api key (for both users), so I repeated the proccess.

 

-----------------

curl -k -X GET 'https://panorama/api/?type=keygen&user=user&password=xxxxxxx'

----------------

 

I got the same keys. So the keys are double checked.

Hi @danilo.souza,

 

I'm afraid you'll have to sort out the access to the UserID entry point in the PANOS Device API with Palo Alto Networks TAC before trying to deploy the DAG Pusher node in MineMeld

Hi @xhoms

 

I opened a ticket at PaloAlto and resolved the problem with the api key ("Invalid Credentials").

 

Inicially, I generated my keys through a Curl command from the MM machine. With the PaloAlto support, I used the browser and can confirm that the keys are barely different. I don't want speculate but I think my problem was an issue with Curl when generating my keys.

 

Later, I can detail the procedure followed to generate the new keys.

 

But, the problem is not resolved yet. I can't populate my DAG using the DAGPusher, but I can do that manually. In the figure below you can see that I uploaded two IPs. To do that, I used (in the browser ) the line below:

 

----------

https://PANORAMA/api/?key=LUFRPT04OG---------VkJQbm9qTT0=&cmd=<uid-message><version>2.0</version><type>update</type><payload><register><entry ip="152.XXX.XXX.121"><tag><member>mm_loc_agencias</member></tag></entry></register></payload></uid-message>&type=user-id&target=FIREWALL_SERIAL_NUMBER

-----------

 

 

DAG populatedDAG populated

 

Using the same user (login/password, not api key) in MM, I can't see new IPs populating my DAG. My indicator in the DAGPusher node is showed in the figure below.

 

Indicator in DAGPusherIndicator in DAGPusher

I am using the tag prefix "mm_" in DAGPusher and the miner attachs the tag "loc_agencias" to the indicator. My DAG is prepared to match "mm_loc_agencias".

 

Can you visualize any error in the precedures/parameters I am following/setting in my configuration.

 

Best regards.

Hi @danilo.souza,

 

could you go back to message https://live.paloaltonetworks.com/t5/MineMeld-Discussions/Dynamic-Address-Group-DAG-PAN-OS-DAGPusher... and execute the debug commants shown there to troubleshoot the UserID API from PANOS' foint of view?

Hi @xhoms

 

I executed the procedure, but you explicited lines with a successful registration and unregistration IP. Wich logs should I observe to get the details of a failed attempt to register an IP?

 

Best regards.

The solution is to create "tags" that associate to the vsys under the address group. This is created in each vsys.

 

jmora_0-1607074750176.png

 

jmora_1-1607074806192.png

 

 

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!