DAGPusher new setup

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

DAGPusher new setup

L1 Bithead

Hello,

 

I finished the setup of DAGPusher and DAG in Panorama.

The list of indicators is populated in the MineMeld DAGPusher but my DAG in Panorama is not populated.

In the MineMeld logs I can see following:

2018-02-23T14:18:23 (17217)dag._device_pusher_died ERROR: dagPusher-LIST - exception in greenlet for 10.10.10.10, respawning in 60 seconds

Traceback (most recent call last):

  File "/opt/minemeld/engine/0.9.44/local/lib/python2.7/site-packages/minemeld/ft/dag.py", line 495, in _device_pusher_died

    g.get()

  File "/opt/minemeld/engine/0.9.44/local/lib/python2.7/site-packages/gevent/greenlet.py", line 251, in get

    raise self._exception

PanXapiError: 000123456789 not connected

 

Any idea what could cause this?

 

Thanks,

Pascal

10 REPLIES 10

L5 Sessionator

Hi @pverar,

 

could you, please, share with us the process you followed to configure the DAG Pusher output? The error message seems to relate to a non-existand device with serial number "000123456789" connected to Panorama. And, obviously, that is not a valid Palo Alto Networks device serial number.

I should have mentioned as a comment that the IP and serial are modified in my post, you should not focus on that part.
The connection with the Panorama server seems correct since I see the web calls in the system log:

'User pantool logged in via Web from 10.10.10.1 using https'

 

Following actions were taken to set it up:

1. from prototype 'stdlib.dagPusher' a new prototype was created, in the new prototype a tag was added as well

2. from prototype 'stdlib.dagPusher'  a clone was done to create a new node where I selected the newly created prototype from step 1 + selected an existing input miner which we feed with IP's we want to block

3. The newly dagPusher node created in step 2 was updated in the handled devices tab, the Panorama server has been added here

4. In the node view connection graph I can see that the newly created dagPusher node from step 2 has received the indicators so all looks correct so far

5. In Panorama a new tag was created corresponding to the tag added to the prototype in step 1

6. In Panorama a new shared dynamic address group has been created with match criteria the tag created in step 5

7. This newly created shared dynamic address group is used in a device group policy which is pushed to a specific VSYS.

 

Thanks to let me know if I missed a step and if you would have any idea why the API call is failing...

Nobody an idea?

I took a packet capture on the MineMeld host and there I see the connection to the Panorama server being established, 3-way handshake setup + data exchange.

So from this point all looks correct but my dynamic address group is not populated -> cause is the failing API call for me:

 

Traceback (most recent call last):
File "/opt/minemeld/engine/0.9.44/local/lib/python2.7/site-packages/gevent/greenlet.py", line 327, in run
result = self._run(*self.args, **self.kwargs)
File "/opt/minemeld/engine/0.9.44/local/lib/python2.7/site-packages/minemeld/ft/dag.py", line 276, in _run
self._init_resync()
File "/opt/minemeld/engine/0.9.44/local/lib/python2.7/site-packages/minemeld/ft/dag.py", line 234, in _init_resync
for a, atags in self._get_all_registered_ips():
File "/opt/minemeld/engine/0.9.44/local/lib/python2.7/site-packages/minemeld/ft/dag.py", line 92, in _get_all_registered_ips
cmd_xml=False
File "/opt/minemeld/engine/0.9.44/local/lib/python2.7/site-packages/pan/xapi.py", line 886, in op
self.__type_op(cmd, vsys, extra_qs)
File "/opt/minemeld/engine/0.9.44/local/lib/python2.7/site-packages/pan/xapi.py", line 909, in __type_op
raise PanXapiError(self.status_detail)
PanXapiError: 000702964134 not connected
<DevicePusher at 0x7f37ce9c5550> failed with PanXapiError

2018-02-28T13:37:42 (17217)dag._device_pusher_died ERROR: dagPusher-LIST - exception in greenlet for 10.10.10.10, respawning in 60 seconds
Traceback (most recent call last):
File "/opt/minemeld/engine/0.9.44/local/lib/python2.7/site-packages/minemeld/ft/dag.py", line 495, in _device_pusher_died
g.get()
File "/opt/minemeld/engine/0.9.44/local/lib/python2.7/site-packages/gevent/greenlet.py", line 251, in get
raise self._exception
PanXapiError: 000702964134 not connected

L5 Sessionator

@pverar, let me try reproduce your setup to provide feedback

@pverar, I've finished building a LAB with Panorama (8.0) and a PANOS device (8.0) and the DAG Pusher just works for me out of the box.

 

May I suggest you to re-create the DAG Pusher node?

  • Delete your current DAG Pusher node
  • Commit configuration
  • Clone the DAG Pusher node into the graph and connected to your sources
  • Commit configuration
  • Used Node's WebUI to attatch your PANOS devices using Panorama's hostname (or IP address) and a connected target serial number

@xhoms, thanks for the test and feedback, appreciated!!

I executed the steps as you described them but the result is not better, still stuck with the same API error 😞

@pverar would you, please, attempt to perform the following curl call for me? (adapted to your environment)

 

It is, basically, the API call that the DAGPusher performs. Curious to see if there is an error message provided by Panorama that is breaking the node state.

https://panorama/api/?key=LUFRPT14MW5xOEo1R----------nemh0VHRBOWl6TGM9bXcwM3JHUGVhRlNiY0dCR0srNERUQT09&cmd=<uid-message>
  <version>2.0</version>
  <type>update</type>
  <payload>
    <register>
      <entry ip="172.16.214.200">
        <tag>
          <member>WebAppServer</member>
        </tag>
      </entry>
    </register>
  </payload>
</uid-message>
&type=user-id&target=015351-----7497

@xhoms, it is becoming more clear now!

I get following error -> <response status = 'error' code = '403'><result><msg>Invalid credentials.</msg></result></response>

Although with those credentials I could launch the curl to receive a key without any problem (have to add -k to the curl command due to the cert)...

When I try to login with the same credentials in the Panorama webui this is working fine as well, the user has Superuser privileges assigned.

You have an idea what the reason could be?

 

@pverar, I've used the default admin user that is assigned to a SuperUser role as well. No idea. You could try ro create a new role granting access to the XML API and attach the user to this role to see if there is any change in the behavior.

 

Another option, now that we've narrowed down the issue to the PANORAMA component, is to open a support ticket. MineMeld is "community supported" but PANORAMA does have official support from Palo Alto Networks.

@xhoms, I tried with the default admin account, had to change the password since I could not generate a key while using the password which was currently set, some characters seem to cause the issue.
When I used a simple password I could generate the key and test the curl, same result with the standard admin account as before. (FYI, running version 8.0.6-h3)

 

I will open a support ticket for that, I keep you posted!

Thanks for your time!

  • 8686 Views
  • 10 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!