FortiNAC. Palo Alto Networks Integration. Version 8.x Date: 8/29/2018. Rev: B

Transcription

1 FortiNAC Palo Alto Networks Integration Version 8.x Date: 8/29/2018 Rev: B

2 FORTINET DOCUMENT LIBRARY FORTINET VIDEO GUIDE FORTINET KNOWLEDGE BASE FORTINET BLOG CUSTOMER SERVICE & SUPPORT FORTINET COOKBOOK FORTINET TRAINING AND CERTIFICATION PROGRAM NSE INSTITUTE FORTIGUARD CENTER FORTICAST END USER LICENSE AGREEMENT Wednesday, August 29, 2018

3 Contents Palo Alto Integration 1 Implementation 5 Syslog Management 11 Enable And Disable Events 14 Events For The System 14 Events For A Specific Group 14 Add or Modify Alarm Mapping 15 Palo Alto Networks Integration iii

4 Palo Alto Integration When the Palo Alto Networks User Agent is configured in FortiNAC as a pingable device, FortiNAC sends a message to Palo Alto Networks firewall each time a host connects to the network or the host IP address changes, such as when a host is moved from the Registration VLAN to a Production VLAN. A message is also sent when one user logs off a host and a new user logs on to that same host while the host is still on-line. All messages include User ID and IP Address. This information identifies the user to Palo Alto Networks allowing it to apply user specific policies. There are several scenarios that generate messages to Palo Alto Networks, as described below and in the flow diagram: A host is registered to a specific user; the owner logs onto the network with the host. FortiNAC sends User ID and IP Address. A host has no associated owner and is registered as a device; a user logs onto the network with this host. If this yields a logged on user, FortiNAC sends User ID and IP Address. Palo Alto Networks Integration 1

5 Palo Alto Integration If a host is registered to a specific user, when a different user logs onto the machine, that new user's user ID is sent to Palo Alto Networks with the host IP Address. When a user who is not registered as the host's owner logs out of the host, the User ID of the host's owner is sent to Palo Alto Networks with the host IP address, even though the owner did not actually log onto the network. When a user logs out of a host that has no owner, FortiNAC notifies Palo Alto Networks that the user has logged out. 2 Palo Alto Networks Integration

6 Palo Alto Integration Note: If a user is logged in remotely, such as through Remote Desktop, and there is no Per- sistent Agent installed on the host, login and logout information are not provided to Palo Alto Net- works. Palo Alto Networks Integration 3

7 Palo Alto Integration 4 Palo Alto Networks Integration

8 Palo Alto Integration Implementation Figure 1: FortiNAC - Palo Alto Networks Integration To integrate with the Palo Alto Networks User Agent you should be aware of and configure the following items: Palo Alto Networks Palo Alto Networks firewall must be Version 4.0 or higher. Palo Alto Networks User-ID Agent must be Version 4.0 or higher. For Palo Alto Windows User-ID Agent versions prior to 7.0.4, the XML API must be enabled to allow communication with FortiNAC. In the Win- dows User-ID Agent under User Identification > Setup make sure Enable User-ID XML API is set to Yes. This option is configured on the Agent Setup dialog under the Agent Service tab. FortiNAC Note: FortiNAC cannot integrate with Windows User-ID Agent versions and higher because the Enable User-ID XML API option is not available. To configure the integration of FortiNAC with the Windows User-ID Agent for Agent Versions prior to 7.0.4, do not select the Use Integrated Agent check box. Specify the XML API Port value to match the port you have configured the Windows User-ID agent to use. The agent uses port 5007 by default. FortiNAC cannot integrate with the Windows User-ID Agent Version or later. If you cannot use an earlier version of the agent, you can instead configure FortiNAC to integrate with the firewall directly. If you are not using the Windows User-ID Agent and your firewall is version 6.0 or later, you must configure FortiNAC to integrate directly with the firewall. Select the Use Integrated Agent check box and enter port 443 in the XML API Port field. Enter the API Key value. The key can be retrieved manually or via the Retrieve button. Note: Direct integration of FortiNAC with versions of the firewall prior to 6.0 is not supported. Hosts that will be affected by or managed by the Palo Alto Networks User Agent must have a logged-on User. If no user is associated with the host, only the IP Address is sent to the Palo Alto Networks User Agent. The User Agent cannot apply a policy without a User ID. Registration methods such as the Persistent Agent, Device Profiler, or login scripts can be set to register hosts as devices, but then it is the user's login/logout that triggers that messages be sent from FortiNAC to Palo Alto. Add the Palo Alto Networks User Agent as a pingable device in FortiNAC. See the instructions below for the steps. Palo Alto Networks Integration 5

9 Palo Alto Integration FortiNAC and the Palo Alto Networks User Agent communicate via SSL. SSL certificates on the Palo Alto Networks User Agent Server are auto- matically imported into the.keystore file on your FortiNAC Control Server or Server. In Event Management, the event Communication Lost With Palo Alto User Agent is automatically enabled. This event is generated when the Palo Alto Networks User Agent cannot be reached. The Palo Alto Networks User Agent is not being notified when hosts connect to the network, therefore, policies may not be applied. See Enable And Disable Events on page 14 to disable the event if necessary. In Event to Alarm Mappings, you can map the Communication Lost With Palo Alto User Agent event to an alarm if you wish to be notified when Network Sentry and the Palo Alto Networks User Agent are no longer communicating. See Add or Modify Alarm Mapping on page Palo Alto Networks Integration

10 Palo Alto Integration Add Pingable Figure 2: Add Pingable - Palo Alto Networks User Agent 1. Click Network Devices > Topology. 2. Select the Container icon. 3. Right-click the container and select Add Pingable Device. 4. Use the table of field definitions below to enter the data for the Palo Alto Networks User Agent. 5. Click OK to save. Palo Alto Networks Integration 7

11 Palo Alto Integration Field Definitions - Palo Alto Networks User Agent Field Definition Element Tab Container Name IP Address Physical Address Container in the Topology View tree where this device is stored. Name of the device IP address of the device The MAC address of the device. Appears in the view only when the device is a pingable. Device Type Incoming Events SSO Agent XML API Port Domain Name Use Integrated Agent API Key Apply to Group Role Description Note Contact Status Polling Poll Interval Poll Now Lists all available device types. Select Firewall or Server. Lists the security appliances available when either Syslog or Security Events is selected. Select Not Applicable. The third party agent communicating with the same authenication credentials as FortiNAC, utilizing the ability to unify credentials across multiple products (e.g., Single Sign-On). Displayed when Palo Alto User Agent is selected in the SSO Agent field. Port on the Palo Alto User Agent configured to receive messages from external devices. This port must match the XML API port configured on the Palo Alto User Agent. See Add Palo Alto User Agent As A Pingable. Displayed when Palo Alto User Agent is selected in the SSO Agent field. Fully Qualified Domain Name for your network users' domain. This is sent with the logged in User ID to Palo Alto. Allows you to integrate directly with the firewall when FortiNACdoes not integrate with the Windows User-ID Agent. The authorization key that allows a user to send user mapping data to the firewall. Can be retrieved from the firewall manually, or by providing the credentials for an administrator account on the firewall when prompted via the Retrieve button. Select this check box to apply the Palo Alto SSO options only to the selected Host group in the drop-down list. If you do not select the check box, the SSO options are applied to all Host groups. The Role for this device. Available roles appear in the drop-down list. Description of the device entered by the Administrator. User specified notes about the device. Enable or disable contact status polling for the selected device. Determines how often the device should be polled for communication status. Time is stored in minutes. Polls the device immediately for contact status. 8 Palo Alto Networks Integration

12 Palo Alto Integration Field Last Successful Poll Last Attempted Poll Definition Date and time that the device was last polled successfully. Date and time that the device was last polled. Palo Alto Networks Integration 9

13 Palo Alto Integration 10 Palo Alto Networks Integration

14 Syslog Management You can choose to send output from IPS/IDS devices to FortiNAC. Syslog Files that you create and store under Syslog Management are used by FortiNAC to parse the information received from these external devices and generate an event. The event can contain any or all of the fields contained in the syslog output. Default Syslog Files Default files include: FireEye FortiOS4 FortiOS5 Palo Alto Networks Firewall Sourcefire IPS StoneGate IPS TippingPoint SMS Top Layer IPS Each of these files has corresponding events in the events list. You can add configurations for other Syslog files if they conform to either the CSV, CEF or TAG/VALUE formats. See Syslog Inbound File Formats for format requirements. Events And Alarms When those new Syslog configurations are added, corresponding events and alarms are created in the Events List. See Events And Alarms List for a complete list of events that can be tracked. Note: If a syslog message is received for a host that has more than one adapter, an event is generated for each adapter. Therefore a single host could generate multiple events and alarms. Device Model You must model any device that sends Syslog information to FortiNAC in the Topology view. See Add A Pingable Device for detailed instructions. Navigation To access the Syslog Management View select System > Settings > System Communication > Syslog Files. Palo Alto Networks Integration 11

15 Syslog Files Field Definitions Figure 3: Syslog Management Field Definition Table Configuration Enable Buttons Enables or disables the selected Syslog file. If a file is disabled it is not used when processing inbound syslog messages. Table Columns Name Enabled Label The name of the syslog file. This is a unique name for this syslog definition. This value is required. A green check mark indicates that the file is enabled. A red circle indicates that the file is disabled. The label for the Event or Alarm that will be generated. This value is required. Message format for the Syslog file. Supported formats include: CSV Message is a series of data fields typically separated by commas. Comma separated value. Other characters can be used to separate data fields. Format TAG/VALUE Message is series of fields each with a tag and a value. For example, the message could contain the following : cip= cip is the tag indicating that this is the IP address of the user causing the problem is the value associated with that tag. CEF Message is a series of fields, some in a standard position, others with a tag and a value. For example the message could contain the following: src= src is the tag indicating that this is the IP address of the user causing the problem is the value associated with that tag. Delimiter Character used to separate the fields in the syslog message. Options include: space, comma (,) and pipe ( ). This field is not available for the TAG/VALUE format. A space is used as the delimiter. 12 Palo Alto Networks Integration

16 Field IP Tag/Column Definition Name of the field or number of the column containing the source IP Address. This value is required. Filter Tag/ Column Filter Value Severity Tag/Column Low Severity Values Medium Severity Values High Severity Values Event Tag/ Column Event Format Name of the field or number of the column containing the filter. This value is required. The value contained in the filter column or field. Only entries that contain matching data will be used. This value is required. Name of the field or number of the column containing the severity. This value is required. Entries containing one of these matching values in the severity field or column cause a Low Severity event to be generated. For CSV format, multiple values are entered separated by commas. Entries containing one of these matching values in the severity column will cause a Medium Severity event to be generated. For CSV format, multiple values are entered separated by commas. Entries containing one of these matching values in the severity field or column cause a High Severity event to be generated. For CSV format, multiple values are entered separated by commas. Names of the fields or numbers of the columns used when populating items from the syslog entry into the Event Format. Message that is displayed when the event is generated. The text is generated from the items listed in the Event Tag field in the order they appear. Right Mouse Click Menu Options Add Delete Modify Show Audit Log Opens the Add Syslog Files dialog. Deletes the selected action. Opens the Modify Security Action window for the selected action. Opens the Admin Auditing Log showing all changes made to the selected item. For information about the Admin Audting Log, see Admin Auditing. Note: You must have permission to view the Admin Auditing Log. See Add An Admin Profile. Enable Disable Enables the syslog file. Disables the syslog file. Buttons Export Exports the data displayed to a file in the default downloads location. File types include CSV, Excel, PDF or RTF. Low, Medium and High severity levels are not included in the exported data. See Export Data. Palo Alto Networks Integration 13

17 Enable And Disable Events Use the Event Management window to select which events will be logged. Events For The System 1. Click Logs > Event Management. The Event Management view appears. 2. Use the Filters to locate the appropriate event. Refer to Event Management for Filter field definitions. 3. To enable an event, select one or more events and click the Options button. Select one of the following: a. Internal Logs only to an internal events database. b. External Logs only to an external host. c. Internal & External Logs both to an internal events database and an external host. Note: Any event that is logged is enabled. 4. To disable an event, select one or more events and click the Options button. Select Disable Logging. Note: To log events on an external log host, you must first add the log host to FortiNAC. See Log Events To An External Log Host for instructions. Events For A Specific Group Logging events for a specific group limits the number of times the event is generated. The event will only be generated for members of the selected group. 1. Click Logs > Event Management. The Event Management view appears. 2. Use the Filters to locate the appropriate event. Refer to Event Management for Filter field definitions. 3. Select one or more events and click the Options button. Choose one of the logging options to enable the event. 4. Click the Modify Group button. 5. Click in the Group drop-down box and select the Group for which this event will be enabled. 6. Click OK. 14 Palo Alto Networks Integration

18 Add or Modify Alarm Mapping Figure 4: Add Mapping 1. Select Logs > Event to Alarm Mappings. 2. Click Add or double-click on an existing mapping to modify it. 3. Refer to the field definitions table below for detailed information about each field. 4. The new mapping is enabled by default. If you wish to disable it, remove the check mark from the Enabled check box. 5. In the Apply To section, select the element affected by this mapping. You can apply mappings to all elements, a single group of elements, or specific elements. Note: Available selections vary depending upon the selected Trigger Event. 6. Click the box and select an element from the drop-down list. 7. If you choose to Apply To a Group, you can select a group from the list or use the icons next to the group field to add a new group or modify the group shown in the drop-down list. Note that if you modify a group, it is modified for all features that make use of that group. See Add Groups for additional information. Palo Alto Networks Integration 15

19 8. Select the Notify Users settings. 9. If you choose to Notify Users, you can select an Admin Group from the list or use the icons next to the Group field to add a new group or modify the group shown in the drop-down list. Note that if you modify a group, it is modified for all features that make use of that group. See Add Groups for additional information. 10. Select the Trigger Rule for the event from the drop-down list. Rules determine when an Event triggers the creation of an Alarm. 11. If you enable the Action option, select the Action to take when the event occurs and the alarm is asserted. These are basic actions that FortiNAC executes on a given alarm. 12. Action parameters display. Select the Primary Task from the drop-down list. 13. For some actions there is a secondary task. If desired, click the Enable box in the Run Secondary Task section, select Min, Hr, or Day and enter the corresponding value. 14. Click OK. The new mapping is saved and appears in the Event/Alarm Map View. Table 1: Add/Modify Alarm Mapping Field Definitions Field Definition Alarm Definition Enabled Trigger Event Alarm to Assert Severity Clear on Event If checked, the alarm mapping is enabled. Default = Enabled. Event that causes the alarm. Whenever this event occurs, its associated alarm is generated. The alarm is automatically listed when you select the event. The alarm generated when the event occurs. Sets the severity of the alarm. Select one of the values from the drop-down list: Critical, Informational, Minor, and Warning. This value may be changed for existing Alarm and Event mappings. To automatically clear the alarm when a specific event occurs, select this check box. Select the event that, when generated, causes this alarm to be removed. If you leave the check box unchecked, you must manually clear the alarm. Default = Unchecked (Disabled) Send Alarm to External Log Hosts The alarm is sent to an external log host when the trigger event occurs, select this check box. See Log Receivers for details on configuring an external log host. Default = Unchecked (Disabled) 16 Palo Alto Networks Integration

20 Field Definition You can specify a particular command line script to be executed when this alarm is triggered. These command line scripts are for advanced use, such as administrator-created Perl scripts. First, write the script that is to be used as the alarm action. Store the script in this directory: /home/cm/scripts Send Alarm to Custom Script Apply To If there are no scripts in the directory, this field is not available. Click the check box to enable the option and select the correct script from the drop-down list. The arguments that are automatically passed to the script are as follows: type EndStation. User or Network Device name name of element ip IP address mac MAC address user userid msg message from alarm All Applies this mapping to all elements. Group Applies this mapping to a single group of elements. Specific Applies this mapping to the element that you select from a list. Notify Users Notify Send Send SMS If checked, the administrators in the selected group are notified when an alarm occurs. If checked, the administrators in the selected group are sent an when the alarm occurs. Administrators must have an address configured in the Modify User dialog to receive this . If checked, the administrators in the selected group are sent an SMS message when an alarm occurs. Administrators must have a Mobile Number and Mobile Provider configured to receive this SMS message. Trigger Rules One Event to One Alarm All Events to One Alarm Every occurrence of the event generates a unique alarm. The first occurrence of the event generates a unique alarm. Each subsequent occurrence of the event does not generate an alarm, as long as the alarm persists when subsequent events occur. When the alarm clears, the next occurrence of the event generates another unique alarm. Palo Alto Networks Integration 17

21 Field Event Frequency Definition The number of the occurrences of the event generated by the same element within a user specified amount of time determines the generation of a unique alarm. Settings are updated when the Action is configured. Example: Assume the Host Connected event is mapped to an alarm and the frequency is set to 3 times in 10 minutes. Host A connects 3 times in 10 minutes and the alarm is triggered. Host A connects 2 times and host B connects 2 times, there are 4 connections in 10 minutes. No alarm is generated because the hosts are different. Host A connects at minutes 1, 8 and 12. No alarm is triggered because the host did not connect 3 times in 10 minutes. Host A connects at minutes 1, 8, 12, and 14. An alarm is triggered because connections at minutes 8, 12 and 14 fall within the 10 minute sliding window. Event Lifetime The duration of an alarm event without a clearing event within a specified time, determines the generation of a unique alarm. Example: Event A occurs. If Event B (clear event) does not occur within the specified time, an alarm is generated. Actions Action Host Access Action Host Role If checked, the selected action is taken when the alarm mapping is active and the alarm is asserted. Host is disabled and then re-enabled after the specified time has passed. The host's role is changed and then set back to the original role after the specified time has passed. Roles are attributes of the host and are used as filters in User/Host Profiles. Those profiles determine which Network Access Policy, Endpoint Compliance Policy or Supplicant EasyConnect Policy to apply. Note: If roles are based on a user's attribute from your LDAP or Active Directory, this role change is reversed the next time the directory and the FortiNAC database resynchronize. Host Security Action Host is set At Risk and then set to Safe after the specified time has passed. You can specify a particular command line script to be executed as an alarm action. These command line scripts are for advanced use, such as administratorcreated Perl scripts. Command Line Script First, write the script that is to be used as the alarm action. Store the script in this directory: /home/cm/scripts The IP and MAC address arguments that are automatically passed to the script are in the format shown in this example: /home/cm/scripts/testscript :00:00:00:00:00 18 Palo Alto Networks Integration

22 Field User Action Definition An is sent to the user associated with the host. The text of the is entered in the Host Action dialog box. HTML tags may be added to text within the content of the in order to format the text, convert the text to a link, etc. For example, you can add the <b> and </b> tags to text in the message window to bold the selected text in the recipient's message. SMS User Action An SMS Message is sent to the user associated with the host. The text of the message is entered in the SMS User Action dialog box. The recipient must have a Mobile Number and Mobile Provider configured. Allows you to include information specific to the non-compliant host in the or SMS alert message. For example, this message: The system referenced below has been found at risk. Please contact your Help Desk for assistance in remediating this issue. %host% is displayed as: %host% The system referenced below has been found at risk. Please contact your Help Desk for assistance in remediating this issue: Host: Host Name: TestUser-MacBook-Pro-2 OS: Mac OS X Network Adapters: Connected 3C:07:54:2A:88:6F, ,Concord Fa3/0/46 Disonnected 60:C5:47:8F:B1:66, ,Concord_ Cisco_1131.Fortinetnetworks.com VLAN 4 Palo Alto Networks Integration 19

23 Field Definition Allows you to include information specific to the event in the or SMS alert message. For example, this message: The system referenced below has been found at risk. Please contact your Help Desk for assistance in remediating this issue: %event% is displayed as: %event% Port State Action Send Message to Desktop The system referenced below has been found at risk. Please contact your Help Desk for assistance in remediating this issue: Host failed Test-Host Tests: Failed :: Anti-Virus :: ClamXav MAC Address: 3C:07:54:2A:88:6F Last Known Adapter IP: Host Location: Concord-3750 Fa3/0/46. Remediation Delayed. The port is disabled and then re-enabled after the specified time has passed. Send a text message to the desktop of a host(s) with the Persistent Agent or Bradford Mobile Agent for Android installed. 20 Palo Alto Networks Integration