This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Minemeld Feed Password OR api security

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Minemeld Feed Password OR api security

Go to solution
Kimwii
L1 Bithead

‎12-07-2016 01:16 AM

Hi we have used minemeld for some monthes and i figured out that i want to tighten the security even more.

The question that then arose was the posibility to generate an api key or an user based authentication for my output indicators

 

I don't know or think it matters but we run minemeld in two datacenters with mirroring and global loadbalancing.
The servers are placed in one of our DMZ Zones.
We have agents on our internal network that pulls the feeds from ether node x or y in DMZ (active active)
And it is this string i want to have tighter security on.

 

m1.PNG

 

Feed map if it matters

m2.PNG

 

1 person had this problem.
1 accepted solution

Accepted Solutions

Go to solution
lmori
L7 Applicator

‎12-07-2016 04:16 AM - edited ‎02-10-2017 12:12 AM

Hi @Kimwii,

as usual documentation is lagging, but you can enable authentication on feeds following this procedure

 

IMPORTANT: after step 1 all the feeds will become unreachable as authentication will be enabled but no user/tag is defined.

 

1 - create an API config file in /opt/minemeld/local/config/api/ with FEEDS_AUTH_ENABLED set to True:

$ sudo -u minemeld sh -c 'echo "FEEDS_AUTH_ENABLED: True" > /opt/minemeld/local/config/api/30-feeds-auth.yml'

2 - on the WebUI in the ADMIN > FEEDS USERS section add a user with username, password and some tags in the ACCESS section. Tags will be used to determine which feeds this user will have access to:

Screen Shot 2016-12-07 at 13.08.54.png

3 - In NODES select one of the output nodes and click on tags to access tags to the feed:

Screen Shot 2016-12-07 at 13.10.23.png

 

NOTES ON ACCESS TAGS

  • all the admin users have access to all the feeds
  • a feed user has access to a feed if the feed has at least one tag in common with the user
  • if the feed has the tag any, any authenticated user has access to the feed
  • if the feed has the tag anonymous, the feed is accessible to non-authenticated users

View solution in original post

15 REPLIES 15

Go to solution
lmori
L7 Applicator

‎12-07-2016 04:16 AM - edited ‎02-10-2017 12:12 AM

Hi @Kimwii,

as usual documentation is lagging, but you can enable authentication on feeds following this procedure

 

IMPORTANT: after step 1 all the feeds will become unreachable as authentication will be enabled but no user/tag is defined.

 

1 - create an API config file in /opt/minemeld/local/config/api/ with FEEDS_AUTH_ENABLED set to True:

$ sudo -u minemeld sh -c 'echo "FEEDS_AUTH_ENABLED: True" > /opt/minemeld/local/config/api/30-feeds-auth.yml'

2 - on the WebUI in the ADMIN > FEEDS USERS section add a user with username, password and some tags in the ACCESS section. Tags will be used to determine which feeds this user will have access to:

Screen Shot 2016-12-07 at 13.08.54.png

3 - In NODES select one of the output nodes and click on tags to access tags to the feed:

Screen Shot 2016-12-07 at 13.10.23.png

 

NOTES ON ACCESS TAGS

  • all the admin users have access to all the feeds
  • a feed user has access to a feed if the feed has at least one tag in common with the user
  • if the feed has the tag any, any authenticated user has access to the feed
  • if the feed has the tag anonymous, the feed is accessible to non-authenticated users

Go to solution
andrew.stanton
L2 Linker
In response to lmori

‎01-24-2017 01:15 PM

How feed users would authenticate is not covered by this explanation.  Based on browser development tools I see some cookies for my admin authenticated session which grants me access to the feeds.  But if I open new browser I of course get "Unauthorized".  I can copy the cookies from my browser sessions for a curl or wget, but I need a permanent access key.  What authentication mechanism/process is being used for feed admins?

0 Likes Likes

Go to solution
lmori
L7 Applicator
In response to andrew.stanton

‎01-24-2017 01:18 PM

Feed users should Basic Auth to authenticate to feeds.

 

luigi

Go to solution
andrew.stanton
L2 Linker
In response to lmori

‎01-24-2017 01:36 PM

Thanks

 

So with curl, basic auth is the default:

 

curl https://<hostname>/feeds/<feed_url> -u <username>

(enter password via prompt, or append password to username with colon <username:password>

0 Likes Likes

Go to solution
tajman
L1 Bithead
In response to andrew.stanton

‎09-29-2017 08:08 AM

I'm hoping someone can help me with implementing basic auth for a feed for use with EDL object on my firewall.

 

I've successfully configured authentication on my Minemeld deployment for the feed and added a user and password as well as the necessary tags to restrict access to the feed.  I've also tested feed authentication using curl so I know the Minemeld part is good to go.

 

Now the firewall configuration only has Server Authentication as an option to configure and this is based on a certificate profile.  I've seen other configuration screenshoots that also have a Client Authentication option (Panorama?) but I want to use the basic auth on the firewall.  Is this not possible?

 

I'm missing something, but I'm not sure what.  Any assistance would be greatly appreciated.

0 Likes Likes

Go to solution
xhoms
L5 Sessionator
In response to tajman

‎09-29-2017 08:16 AM

@tajman : The configuration workflow depends on the PANOS release. 

 

For PANOS 8.0 you must create a a new Certificate Profile. A WebUI form in the EDL dialog will allow you to specify the user and password once you chose the Certificate Profile (steps 9 and 10 of documentation)

 

For PANOS 7.1 and before you must use the hxxps:\\user:password@host URL syntax for the EDL

0 Likes Likes

Go to solution
tajman
L1 Bithead
In response to xhoms

‎09-29-2017 08:23 AM

Thank you very much! I was focusing so much on the minemeld portion that I forgot to look at the EDL documentation.

0 Likes Likes

Go to solution
raji_toor
L4 Transporter
In response to tajman

‎02-13-2018 11:57 AM - edited ‎02-14-2018 08:23 AM

Don't know, where i am wrong. I am using firewall issued certificate used on minemeld server. Authentication piece doesn't seem to work, I am using anonymous tag for production but i want to use authentication and eliminate all the warnings. I have feed authentication enabled using command mentioned earlier and a user created with a tag specified, this tag is used in one of the output feeds.

 

image.png

I have tried using both, the root cert(PA) and the cert generated using root(MINEMELD). Result is always blank

image.png

image.png

image.png

0 Likes Likes

Go to solution
xhoms
L5 Sessionator
In response to raji_toor

‎02-13-2018 01:21 PM

@raji_toor, does the host header in the URL (PANOS EDL configuration) matches the Common Name in the MineMeld certificate? That could explain why it doesn't work.

 

Details in PANOS 'less mp-log ms.log' during the EDL refresh might provide troubleshooting info.

0 Likes Likes

Go to solution
raji_toor
L4 Transporter
In response to xhoms

‎02-14-2018 08:37 AM

I see below errors in log

 

----------------------------

Server certificate authentication failed for EDL name<TEST-PASS> ip/fqdn<https://abc.com/feeds/TEST-HC-PASS> Common name of
the server certificate <abc.com> reason(26)<unsupported certificate purpose>
2018-02-14 04:00:29.351 -0800 Error: ebl_fetch_url_from_remote_libcurl(pan_cfg_ebl.c:1783): curl_easy_perform failed, Err(60):Peer certificate cannot be authenticated with given CA certificates
2018-02-14 04:00:29.352 -0800 Error: ebl_fetch_url_from_remote_libcurl(pan_cfg_ebl.c:1865): EDL entry(0x1d24000, 0xf0b3400, 0x30fe5600 vsys1/TEST-PASS, 1, 1 ip) Cert validation failed for EDL name:TEST-HC-PASS

0 Likes Likes

Go to solution
xhoms
L5 Sessionator
In response to raji_toor

‎02-14-2018 11:41 PM

@raji_toor,

 

you might have forgotten to add the SAN section in the certificate (HostName) to have the same value as the CN.  Almost all SSL Client libraries (PANOS EDL client between them) validate the DNS hostname against the SAN section instead of the CN.

(as per RFC 6125, published in '2011 the validator must check SAN first, and if SAN exists, then CN should not be checked)

 

2018-02-15_08-35-22.png

 

 

 

0 Likes Likes

Go to solution
raji_toor
L4 Transporter
In response to xhoms

‎02-15-2018 10:42 AM

@xhoms I added the Host Name and Ip fields but it still doesn't work. However i noticed below message in system logs.

 

event id: tls-edl-auth-failure

Reason: "unsupported certificate purpose"

0 Likes Likes

Go to solution
raji_toor
L4 Transporter
In response to raji_toor

‎02-15-2018 02:09 PM

@xhoms Thanks for pointing out to certs. It was the way CA had been generated was causing the issue.

0 Likes Likes

Go to solution
jsamide
L2 Linker
In response to lmori

‎03-08-2018 12:53 PM

i created an empty file called 30-feeds-auth.yml and then used that command and it said 'command not found'

 

is there another step? 

0 Likes Likes
  • 1 accepted solution
  • 31122 Views
  • 15 replies
  • 2 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks