One of the most common use cases for MineMeld is generating feeds to be used on PAN-OS as External Dynamic Lists. Using the MineMeld powerful engine, you can create External Dynamic Lists to track on AutoFocus the IP addresses, URLs and domains used by ransomware, known APT groups and active malware campaigns. You can also create External Dynamic Lists to track the IPs and URLs used by Microsoft Office365, or used as tor exit nodes, or used by CDNs and cloud services.
In this article we provide a step-by-step guide on how to configure authentication on AutoFocus/MineMeld generated feeds. We will also cover how to configure External Dynamic Lists objects on PAN-OS 7.1 and later. In this long article there are 3 main sections:
Note for community MineMeld
Even if this guide has been written for MineMeld running on AutoFocus, the same steps can be applied to the community version of MineMeld.
Note that on the community version of MineMeld feeds authentication is disabled by default. You have 2 options:
Configuring the authentication on MineMeld generated feeds is a simple, 3 steps process:
Let's start with creating a new feed user. On the MineMeld user interface click on the Admin tab:
In the Admin tab, click on the circle icon on the left to select the Feeds Users tab:
Then click on the plus icon in the bottom right corner to add a new user to the list:
In the Add User dialog, specify the username of the new feed user and the password (1). These are the credentials that will be used by PAN-OS to access the feed. Once done, click on the Ok button (2😞
Click on the Access field of the new user to specify the access tags associated with the user. The user will have access to all the feeds generated by MineMeld outputs tagged with these access tags:
Type in the Tags box (1) to associate one or more tags to the user. You can also create new tags, just type the new tag in the Tags box and press space. Click on Ok button (2) when done:
Now we have created a new feed user and associate one or more access tags to it. We should now associate at least one of these access tags to a MineMeld output to let the feed user actually have access to the feed generated by the output. Click on the Nodes tab:
Click on the output you want PAN-OS to connect to.
The output should be based on one of the stdlib.feed* prototypes to be able to generate the feed in EDL format.
Click on the Tags field in the Status tab of the output to bring up the Tags dialog:
Add the access tag we created earlier to the Tags list (1) and click Ok (2). From now on, all the feeds users associated to this tag will be able to access the EDL generated by this output. There are 2 special tags you can associate with an output:
Take note of the URL in the Feed Base Url field of the output. This is the URL that should be configured inside the PAN-OS EDL object.
Now that you have configured authentication on the MineMeld generated feeds, it's time to create a PAN-OS External Dynamic List to connect to the MineMeld output. The process on PAN-OS 8.0 and later has the following steps:
First thing, download the certificate of the CA of the AutoFocus/MineMeld SSL certificate from the following link: https://certs.godaddy.com/repository/gd-class2-root.crt
Note for community MineMeld
If you have enabled authentication on feeds, you should provide and install on MineMeld an SSL certificate signed by a valid CA. The CA can be internal or public. Refer to the article How to Generate New MineMeld HTTPS Cert or to this thread (link) for the instructions.
On PAN-OS, click on the Device tab (1), select Cerificates (2) in the left bar and then click on Import (3):
Specify the Certificate Name (1), in Certificate File (2) select the CA certificate file you just downloaded (check the beginning of this section for the URL if you missed it) and click OK (3):
Now that we have uploaded the certificate, we can proceed to the next step that is creating a Certificate Profile to verify the AutoFocus/MineMeld SSL server certificate. Click on the Device tab (1), click on Certificate Profile (2) in the left bar and click on Add (3):
Specify the Name (1). We should now add the CA certificate to the list of CA certificates trusted by this Certificate Profile, click Add (2):
Select the CA certificate (1) and press OK (2):
Click OK to save the Certificate Profile:
Now we can finally create the External Dynamic List Object. Click on the Objects tab (1), select External Dynamic Lists (2) on the left bar and click Add (3😞
In the External Dynamic Lists dialog, specify the name of the new External Dynamic List (1), select the type of indicators contained in the new External Dynamic List (2) and copy the Feed Base URL of the MineMeld output we noted down at the end of the previous section (3😞
Now, select the Certificate Profile we created before (1). As soon as you specify the Certificate Profile, the Client Authentication section appears (2) and you will be able to specify the username and password of the feed user we created on MineMeld in the previous section. Press OK (3) to create the External Dynamic List.
|Done!! You just created a new External Dynamic List Object to point to one of the feeds generated by MineMeld. To add a second, third, ... External Dynamic Lists you don't need to do all the steps again and again but instead you can just reuse the Certificate Profile we have created.|
PAN-OS 7.1 doesn't support configuration of Basic Authentication for External Dynamic Lists from the Web User Interface. We should instead embed the credentials inside the URL.
Click on the Objects tab (1), select External Dynamic Lists on the left bar (2) and click Add (3):
Type the name of the new External Dynamic List (1), select the type of indicators (2) and specify the URL (3) embedding the credentials inside the URL. Example: if the username is edluser and password test123 the URL would be https://edluser:test123@<minemeld hostname>/feeds/<feed name>. Press Ok (4😞
Done!! You just created a new External Dynamic List Object to point to one of the feeds generated by MineMeld.