Minemeld Indicators Number not equal Firewall DAG Members List


Hi everyone,

I tried to reference all the Windows RODCs (Read-Only Domain Controllers) using a custom script. The script is working fine: it queries our Active Directory and returns a JSON list of RODCs. Each indicator listed by the script looks like this:

{
	"indicator": "ip.add.re.ss",
	"value": {
		"comment": "This is a comment",
		"confidence": 100,
		"type": "IPv4",
		"share_level": "green"
	}
}

I then used an import script found here: https://gist.github.com/jtschichold/95f3906566b18b50cf2e3e1a44f1e785 which works fine too: it imports all the indicators (around 130) into the configured miner in MineMeld:

[screenshot attachment]

I then send these indicators directly to some output nodes:

[screenshot attachment]

I used a classic Output feed (as a test output). For populating the firewall, I used the DAG Pusher prototype: one that uses our Panorama (CrfRodcDAG) and another one, for testing purposes, that sends the indicators directly to a firewall (CrfRodcDAG_Test). If we focus on the latter, here is its configuration:

[screenshot attachment]

The firewall has a Dynamic Address Group configured that matches the MineMeld tag "MM_RODC":

[screenshot attachment]

At first, it looked like everything worked fine:

  • If a new RODC was found, it was added to the firewall after a short timer.
  • If a RODC was deleted, it was removed from the DAG.

However, after a few more tests in MineMeld, I restarted the MineMeld engine several times, and I began having discrepancies between MineMeld and the firewall: MM still had 130 indicators, but the firewall only got 22, then 90, sometimes 126, then after a few seconds dropped down to zero... The only way I found to stabilise the situation was to clear all registered IPs from the firewall and then restart the MineMeld engine. But again, if the MineMeld machine restarts or receives modifications, it "breaks" the whole system...

For instance, right now, MineMeld lists 129 indicators, while only 36 are listed by the firewall...

I checked with PAN support whether the issue could be with the firewall, but they saw nothing suggesting that.

Do you have any idea of the possible cause of this issue?

Kind regards.
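One check that helps pin down this kind of drift, added here as an example and not code from the post or from MineMeld: pull the indicator list MineMeld serves and the firewall's registered-IP table, and diff them by tag. It assumes the feed is the plain-text output of a MineMeld output node and that the firewall side is the XML reply to `show object registered-ip all`; both samples below are constructed, and the XML layout is an assumption.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample of a MineMeld text feed (one indicator per line), the
# format an output node serves at https://<minemeld>/feeds/<feed-name>.
SAMPLE_FEED = """# RODC list published by MineMeld
10.0.1.10
10.0.1.11
10.0.2.20/32
"""

# Constructed sample of the PAN-OS XML API reply to the operational command
# <show><object><registered-ip><all/></registered-ip></object></show>.
# Assumed layout: one <entry ip=...> per registered address, tags as <member>.
SAMPLE_REGISTERED_IP = """<response status="success"><result>
<entry ip="10.0.1.10"><tag><member>MM_RODC</member></tag></entry>
<entry ip="10.0.2.20"><tag><member>MM_RODC</member></tag></entry>
<entry ip="10.0.9.9"><tag><member>other_tag</member></tag></entry>
</result></response>
"""


def parse_feed(text):
    """Indicators in a MineMeld text feed; a /32 is normalised to the bare host IP."""
    ips = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments are not indicators
        net = ipaddress.ip_network(line, strict=False)
        ips.add(str(net.network_address) if net.num_addresses == 1 else str(net))
    return ips


def parse_registered_ips(xml_text, tag):
    """IPs the firewall has registered under `tag`, i.e. the current DAG members."""
    root = ET.fromstring(xml_text)
    return {e.get("ip") for e in root.iter("entry")
            if tag in [m.text for m in e.iter("member")]}


def reconcile(feed_text, registered_xml, tag="MM_RODC"):
    """Compare what MineMeld publishes with what the firewall registered under `tag`."""
    expected = parse_feed(feed_text)
    actual = parse_registered_ips(registered_xml, tag)
    return {
        "minemeld_count": len(expected),
        "firewall_count": len(actual),
        "missing_on_firewall": sorted(expected - actual),  # pushed by MM, absent in DAG
        "stale_on_firewall": sorted(actual - expected),    # in DAG, no longer in MM
    }
```

Run on a schedule after an engine restart, the report tells you whether the gap is registrations that never reached the firewall (missing entries) or unregisters that never arrived (stale entries), which narrows the search to the pusher or to the firewall side.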


As I keep on looking for a solution, I tried using a more common EDL.

As of now, the firewall is getting the right number of indicators, with no difference from the values gathered by MineMeld.

I'm therefore wondering if there is a bug with the DAG Pusher prototype... Has anyone had this kind of issue in the past?

Thanks.
