In some cases you might face the need to create a policy rule in a Palo Alto Networks next generation firewall that targets a large list of IP addresses that shares a common schema.
Using a set of wildcard masks could ease the description of these lists. For example, the first case fits within the wildcard mask 192.168.0.7/255.255.0.255 and the second example in the wildcard mask "10.10.0.0/255.255.1.0"
A miner extension available at https://github.com/PaloAltoNetworks/wildcardip-miner can be used to generate these lists of IP's from user provided wildcard masks.
In this article you'll find all the steps needed to deploy MineMeld and configure a Palo Alto Networks NGFW using the wildcard extension miner.
First, visit https://live.paloaltonetworks.com/t5/MineMeld/ct-p/MineMeld and select the article (from the top right) about installing and running MineMeld appropriate to your environment. Note, if using the VMWare desktop instructions (https://live.paloaltonetworks.com/t5/MineMeld-Articles/Running-MineMeld-on-VMWare-desktop/ta-p/72038) you can go ahead with the "Super fast setup" but please download the cloud-init ISO and mount it on first boot. Assuming an IP comes via DHCP and you have internet access, your VM will automatically be updated to the latest version of Minemeld.
Make note of MineMelds IP address (from an ifconfig) and login from your browser (defaults to username: admin / password: minemeld)
MineMeld introduced support for external extensions in the version 0.9.32. You can install them either localy or from a GitHub repository. To use the GitHub (recommended) option you must access to the repo URL available in its main page ("Clone or Download" button)
The URL for the repo is https://github.com/PaloAltoNetworks/wildcardip-miner.git. Use this URL in the "Install Extension From Git" option in MineMeld's WebUI (accessible through the "System" menu)
Once the extension is successfully downloaded, the next step is to activate it.
The wildcard extension provides an example prototype that must be customized for our needs. The following is the sequence of tasks needed to add a node:
All these tasks are performed under the "Configuration" main menu in MineMeld.
Once we reach the prototype library, use the "search" field to find the wildcard prototype provided by the extension.
Click over the prototype to display its contents and to be able to access the "new" and "clone" operations. In this case we need to create a "new" prototype that suits our needs.
Clicking on "new" will show the YAML prototype editor.
This example creates a wildcard that will generate IP address objects that will match addresses .1 to .15 in a list of networks 192.168.[0-255].0. The meaning of the rest of the attributes in the prototype is:
Once the new prototype is added to the library, we can generate a node out of it using the "Clone" procedure.
Next task is to attach an output node to our recently created wildcard miner. Take note of the name provided to the miner because it will be used in the output creation.
Clone the stdlib.feedHCGreen prototype from the list as a node and configure the willdcard miner as its input.
At this moment, configuration should look like the following screen capture. Commit the new configuration.
Once the configuration is commited a new graph will be available in the "Nodes" main menu.
The number of indicators (256) corresponds is the result of the expansion of the wildcard mask provided in the prototype (192.168.0.0/255.255.0.240)
The details panel of the output contains the URL link to the feed. Clicking in it will provide the resulting list of the wildcard expansion.
At this moment in time is important to note that you have been able to see the feed contents because the browser have a session cookie with the MineMeld WebUI. You can verify it by opening a new "incognito mode" window in your browser and attempting to access the URL from there. You should receive an authentication error in this case.
Before we keep going on, you must replace the original MineMeld SSL self-signed certificates with a valid ones issued by your local CA. The article How to Generate New MineMeld HTTPS Cert explains how to use a NGFW or Panorama as a local CA.
MineMeld feed authentication framework contains the following elements:
Feed Users are created from the "Admin" main menu.
And access tags created clicking on the user's "Access" cell.
Next task is to attach this recently created access tag to the feed. The way to do this is by navigating to the feed node and clicking in its access cell.
All these changes apply at runtime. No commit is needed. We're ready for the next step.
NGFW from Palo Alto Networks feature a dynamic object called "External Dynamic List" (EDL) that can be used to consume the feed generated by MineMeld.
The following components are needed to successfuly complete the EDL configuration:
User and password fields will not appear until you select one certificate profile. For PANOS 7.1 or before you must use the https://<username>:<password>@url syntax instead.
Final EDL configuration should look like the following screenshot.
Once configuration is commited, list entries should appear (provided that you are consuming this EDL anywhere in your NGFW configuration)
Imagine that you're asked to extend the previous case removing the ".5" nodes from the list. This could be described like substract the list created by "192.168.0.5/255.255.0.255" from the list created by "192.168.0.0/255.255.0.240".
This can be achieved easily with the "whitelist" feature of the stdlib.aggregatorIPv4Generic processor. We just need to add a new wildcard miner with the mask "192.168.0.5/255.255.0.255", give it a name starting with "wl_" (whitelist) and combine it with the miner from the previous exercice.
If you take a look to the feed output, you'll notice the "aggregator magic". It now describes the address spectrum as a list of ranges. For each network you have two ranges: