on 03-12-2019 06:45 AM - edited on 12-14-2021 06:01 AM by jforsythe
Note: Palo Alto Networks made an end-of-life announcement about the MineMeld™ application in AutoFocus™ on August 1, 2021. Please read this article to learn about our recommended migration options.
An easy way to use MineMeld is installing the binary packages on an Ubuntu 16.04 instance.
Note: Binary packages are only available for 64-bit architectures.
Ubuntu Server LTS 16.04 (64-bit)
The first thing you should do is harden your new instance. MineMeld won't take care of this for you. A good tutorial is this one.
Update all the packages of the instance before installing.
sudo apt update && sudo apt dist-upgrade -y
You can use the following commands to configure iptables to allow sessions on the ports used by MineMeld. Note that these rules also drop all IPv6 traffic; if you are running MineMeld on an IPv6 network, make sure you change the suggested rules accordingly.
sudo apt install -y iptables-persistent
sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
sudo iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
sudo iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
sudo iptables -A INPUT -p tcp -m tcp --dport 13514 -j ACCEPT
sudo iptables -A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
sudo iptables -A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
sudo iptables -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
sudo iptables -A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
sudo iptables -P INPUT DROP
sudo iptables -P FORWARD DROP
sudo bash -c "iptables-save > /etc/iptables/rules.v4"
sudo ip6tables -A INPUT -i lo -j ACCEPT
sudo ip6tables -P INPUT DROP
sudo ip6tables -P FORWARD DROP
sudo bash -c "ip6tables-save > /etc/iptables/rules.v6"
Add the MineMeld repo GPG key to the APT trusted keyring:
wget -qO - https://minemeld-updates.panw.io/gpg.key | sudo apt-key add -
Double-check the GPG key fingerprint to make sure it matches the official MineMeld GPG key (the fingerprint should match the one shown in the output below):
apt-key adv --fingerprint DD0DA1F9
Executing: gpg --ignore-time-conflict --no-options --no-default-keyring --homedir /tmp/tmp.W74MaAG3pI --no-auto-check-trustdb --trust-model always --keyring /etc/apt/trusted.gpg --primary-keyring /etc/apt/trusted.gpg --fingerprint DD0DA1F9
pub 4096R/DD0DA1F9 2016-07-15
Key fingerprint = E558 CE6E 3968 0F31 8F6C BFAC B401 E02E DD0D A1F9
uid Palo Alto Networks, MineMeld Team <minemeld@paloaltonetworks.com>
[...]
Add the MineMeld APT repo to the system list and update the apt cache:
sudo add-apt-repository "deb http://minemeld-updates.panw.io/ubuntu xenial-minemeld main"
sudo apt update
MineMeld requires nginx and redis. We have to install them before installing the MineMeld package to avoid configuration conflicts:
sudo apt install -y nginx redis-server
Install the MineMeld infrastructure package via apt. This will also automatically trigger the download of the latest MineMeld packages.
sudo apt install -o Dpkg::Options::="--force-overwrite" -y minemeld
We should restart the instance to make sure all the configurations are applied and all the services are started in the right order:
sudo shutdown -r now
Check that the 3 MineMeld services are up and running:
$ sudo -u minemeld /opt/minemeld/engine/current/bin/supervisorctl -c /opt/minemeld/local/supervisor/config/supervisord.conf status
minemeld-engine RUNNING pid 3727, uptime 0:08:50
minemeld-traced RUNNING pid 3728, uptime 0:08:50
minemeld-web RUNNING pid 3729, uptime 0:08:50
minemeld-supervisord-listener RUNNING pid 3730, uptime 0:08:50
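The GPG key step above is the one place in this procedure where a mistake silently weakens every later apt install, so here is an added example (not from the article or from the MineMeld project) that scripts it: the key is imported into a throwaway keyring, its fingerprint is compared against the one shown in the article, and only on a match is it handed to apt-key. The fingerprint parser is exercised offline against a constructed copy of the article's apt-key output; wget, gpg and sudo are assumed to be present for the live function.

```shell
#!/bin/sh
# Added example (not from the article): fetch the MineMeld repo key into a scratch
# keyring and add it to APT only if its fingerprint matches the one shown above.
EXPECTED_FP="E558 CE6E 3968 0F31 8F6C BFAC B401 E02E DD0D A1F9"

# Constructed sample, copied from the article's apt-key output, used to check the parser offline.
SAMPLE_GPG_OUTPUT='pub   4096R/DD0DA1F9 2016-07-15
      Key fingerprint = E558 CE6E 3968 0F31 8F6C BFAC B401 E02E DD0D A1F9
uid                  Palo Alto Networks, MineMeld Team <minemeld@paloaltonetworks.com>'

# Print the primary key fingerprint found on stdin, normalised to 40 upper-case hex
# digits. Handles both the human-readable "Key fingerprint =" line (gpg 1.x, as on
# Ubuntu 16.04) and the machine-readable "fpr:" record of gpg --with-colons.
extract_fingerprint() {
    sed -n -e 's/^fpr:::::::::\([0-9A-Fa-f]*\):.*/\1/p' \
           -e 's/^.*Key fingerprint = //p' | head -n 1 | tr -d ' ' | tr 'a-f' 'A-F'
}

# Succeed only if the fingerprint on stdin equals $1 (spaces and case ignored).
fingerprint_matches() {
    expected=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    found=$(extract_fingerprint)
    [ -n "$found" ] && [ "$found" = "$expected" ]
}

# Download the key, verify it in a throwaway keyring, then add it to APT.
# Needs network access plus wget, gpg and sudo; not exercised by the offline check.
fetch_and_verify_key() {
    tmp=$(mktemp -d) || return 1
    if wget -qO "$tmp/minemeld.key" https://minemeld-updates.panw.io/gpg.key \
        && gpg --no-default-keyring --keyring "$tmp/ring.gpg" --import "$tmp/minemeld.key" 2>/dev/null \
        && gpg --no-default-keyring --keyring "$tmp/ring.gpg" --with-colons --fingerprint 2>/dev/null \
           | fingerprint_matches "$EXPECTED_FP"; then
        sudo apt-key add "$tmp/minemeld.key"
        rc=$?
    else
        echo "MineMeld GPG key fingerprint mismatch or download failure; key NOT added" >&2
        rc=1
    fi
    rm -rf "$tmp"
    return $rc
}
```

Run `fetch_and_verify_key` in place of the `wget ... | sudo apt-key add -` one-liner; on a mismatch nothing is added to the trusted keyring and the function returns non-zero.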
Done! Check the Quick Tour article to get started.