I have configured the syslogminer node as per https://live.paloaltonetworks.com/t5/MineMeld-Articles/Using-the-syslog-Miner/ta-p/77262
I have checked that the firewall is sending syslog for threat events on TCP 13514 (BSD format, LOG_USER facility), and I can see the events coming into Minemeld by running tcpdump -i eth0 port 13514. It shows the traffic and the ACK going back:
00:16:15.486176 IP x.x.x.15.56790 > dev-minemeld01.13514: Flags [P.], seq 3360:3920, ack 1, win 115, options [nop,nop,TS val 21990724 ecr 124658], length 560
00:16:15.486195 IP dev-minemeld01.13514 > x.x.x.15.56790: Flags [.], ack 3920, win 2799, options [nop,nop,TS val 138910 ecr 21990724], length 0
There is nothing relevant in the rsyslog.log file:
Mar 17 23:57:59 dev-minemeld01 rsyslogd: [origin software="rsyslogd" swVersion="8.17.0" x-pid="770" x-info="http://www.rsyslog.com"] start
Mar 17 23:57:59 dev-minemeld01 rsyslogd: rsyslogd's groupid changed to 104
Mar 17 23:57:59 dev-minemeld01 rsyslogd: rsyslogd's userid changed to 101
The miner shows "no metrics yet" in the stats tab.
What am I missing?
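One way to separate "packets arrive on 13514" from "the miner receives a usable event" is to check that what hits the port is well-formed BSD (RFC 3164) syslog with the LOG_USER facility the miner is configured for, and to send a known-good test line from a host you control. The following is an added example, not code from the original post or from MineMeld; the hostname and message body are constructed, and send_test_event assumes rsyslog's default newline-delimited TCP framing.

```python
"""Build, validate and (optionally) send BSD-format syslog to a MineMeld syslog miner."""
import re
import socket
import time

LOG_USER = 1          # RFC 3164 facility code; PRI = facility * 8 + severity
SEVERITY_WARNING = 4  # severity used for the constructed test event
MINER_PORT = 13514    # TCP port the miner's rsyslog listener is configured on

# RFC 3164 header: <PRI>Mmm dd hh:mm:ss HOSTNAME message (day is space-padded)
_BSD_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<msg>.*)$"
)


def pri(facility: int, severity: int) -> int:
    """Encode facility and severity into the syslog PRI value."""
    return facility * 8 + severity


def build_bsd_syslog(hostname: str, message: str, facility: int = LOG_USER,
                     severity: int = SEVERITY_WARNING, t: time.struct_time = None) -> str:
    """Format one RFC 3164 line; month/day/time are built by hand so the day is space-padded."""
    t = t if t is not None else time.localtime()
    ts = "%s %2d %02d:%02d:%02d" % (time.strftime("%b", t), t.tm_mday, t.tm_hour, t.tm_min, t.tm_sec)
    return "<%d>%s %s %s" % (pri(facility, severity), ts, hostname, message)


def parse_bsd_syslog(line: str):
    """Return facility, severity, timestamp, host and message, or None if not BSD format."""
    m = _BSD_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    p = int(m.group("pri"))
    return {"facility": p // 8, "severity": p % 8, "timestamp": m.group("ts"),
            "host": m.group("host"), "message": m.group("msg")}


def is_user_facility(line: str) -> bool:
    """True only if the line parses as BSD syslog AND carries the LOG_USER facility."""
    parsed = parse_bsd_syslog(line)
    return parsed is not None and parsed["facility"] == LOG_USER


def send_test_event(miner_host: str, line: str, port: int = MINER_PORT, timeout: float = 5.0) -> int:
    """Send one newline-terminated line over TCP (rsyslog imtcp default framing); returns bytes sent."""
    payload = (line + "\n").encode("utf-8")
    with socket.create_connection((miner_host, port), timeout=timeout) as s:
        s.sendall(payload)
    return len(payload)
```

Feeding captured lines (for example from tcpdump -A) through is_user_facility shows whether a facility or format mismatch, rather than connectivity, explains "no metrics yet".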
I have a use case where you would want to enforce no split tunnel, and possibly no other internet access, while connected with a profile to sensitive internal resources. Additionally, you would want to offer a second profile with lower privileges and split tunnel for local internet access. In this instance, the additional restriction of disabling split tunnel only when connecting to sensitive resources does not work with a single User-ID and profile with user-based rules. You need the ability to choose your access level, and it seems the only way is to use different GP gateways, possibly on the same public IP depending on how this is supported.