Sun Mgt Bonus Lab 1: Automated Reporting in Palo Alto Firewalls 1

Size: px

Start display at page:

Download "Sun Mgt Bonus Lab 1: Automated Reporting in Palo Alto Firewalls 1"

Daniel Summers
6 years ago
Views:

1 Sun Mgt Bonus Lab 1: Automated Reporting in Palo Alto Firewalls 1 The Scenario Now that your Palo Alto firewall(s) are in place and giving your more visibility into the traffic that is traversing your network, people in your organization are starting to notice. Managers, Directors, and Executives are now expressing interest in seeing numerous different types of information and reports from the data captured by the firewall for their various presentations and reports they have to produce. As the word continues to spread, those requests are on the rise and you are noticing that the same people are asking for the same outputs time and time again. Like with the Field of Dreams, you have built it and they are coming. The Mission Your mission, should you choose to accept it, is to automate the generation and delivery of the various reports that the CIO and the Service Desk Manager are constantly asking you to provide on a daily basis to the point where it a fully automatic process. Of course, each one wants to see different information. The Tools of the Trade Completing this mission will require the creation and linking of the following objects: ü Server Profiles ü Custom Reports ü PDF Summary Reports ü Report Groups ü Schedulers The Target Devices This lab can be performed at either the Panorama (to capture data from multiple firewalls) or an individual firewall level. The steps are identical with the exceptions being that the creation of the Server Profile falls under the Panorama tab in Panorama vice the Device tab within the firewall GUI and you have a few more options to choose from for the data sources for the PDF Summary and Custom Reports. The step by step directions of this lab will be for an individual firewall running PANOS

Sun Mgt Bonus Lab 1: Automated Reporting in Palo Alto Firewalls 2 The Information You Need To complete these lab steps, you will need the following information readily available: ü IP Address of your

2 Sun Mgt Bonus Lab 1: Automated Reporting in Palo Alto Firewalls 2 The Information You Need To complete these lab steps, you will need the following information readily available: ü IP Address of your SMTP Gateway ü address for the CIO ü address for the Service Desk Manager ü Desired Name & Address the automated s should originate from The Lab Configuration Steps 1. Server Profiles a. Purpose These server profiles tell the firewall or panorama where the SMTP gateway resides, how to connect to it, and what the envelope of the message should look like (ie To address, From address) b. Location Server Profiles are configured in the Device tab under the Server Profiles group in the left menu. c. Building the CIO s Profile

Sun Mgt Bonus Lab 1: Automated Reporting in Palo Alto Firewalls 3 i. Name = Just a non-functional administrative label ii. Email Display Name= Name that appears in the from line iii.

3 Sun Mgt Bonus Lab 1: Automated Reporting in Palo Alto Firewalls 3 i. Name = Just a non-functional administrative label ii. Display Name= Name that appears in the from line iii. From= address the appears to be sent from iv. To= address the is to be delivered to v. Additional Recipient= who is on the CC line for the (Note: I d recommend CC ing the to you so you can confirm its being delivered) vi. Gateway= the SMTP gateway that will send the message (Note: As of PANOS 7.1.7, this only supports non-authenticated SMTP gateways) Since the CIO and Service Desk Manager want different information, we need to create a separate Server Profile for the Service Desk Manager following the same steps. d. Building the Service Desk Manager s Profile 2. Custom Reports a. Purpose A custom report gives you the ability to create your own report starting from either a preconfigured template or from scratch. You can have multiple custom reports created. Once defined, each one will be automatically generated at 2:00AM if the Scheduled box is checked within that report.

Sun Mgt Bonus Lab 1: Automated Reporting in Palo Alto Firewalls 4 b. Location Custom Reports reside under the Monitor Tab as Manage Custom Reports in the left menu c.

4 Sun Mgt Bonus Lab 1: Automated Reporting in Palo Alto Firewalls 4 b. Location Custom Reports reside under the Monitor Tab as Manage Custom Reports in the left menu c. Building the CIO s Report Luckily, the report the CIO wants is pretty close to one of the Applications default reports, so we ll use that pre-defined report as a template then customize it to what he wants, which is to only see what high risk applications (which you equate to being category 4 & 5 applications) that are running on the network sorted by the bandwidth they used. i. Click Add in the Manage Custom Reports view. ii. Click Load Template iii. Click Top Applications to highlight it iv. Click Load

Sun Mgt Bonus Lab 1: Automated Reporting in Palo Alto Firewalls 5 v. Name the report CIO_App_Report vi. Click the Scheduled box vii. Set the Time Frame to be the Last Calendar Day viii.

5 Sun Mgt Bonus Lab 1: Automated Reporting in Palo Alto Firewalls 5 v. Name the report CIO_App_Report vi. Click the Scheduled box vii. Set the Time Frame to be the Last Calendar Day viii. Change the Sort By to Bytes and Top 25 ix. Under Available Columns, add Risk of App by clicking the green + button then make it the first column by clicking the Top button x. In the Query Builder, add (risk-of-name eq 4) or (risk-of-name eq 5) to include only high risk applications.

column ordering as desired. xii. Once you are happy with the output, Click OK d.

6 Sun Mgt Bonus Lab 1: Automated Reporting in Palo Alto Firewalls 6 xi. Click Run Now to confirm you are seeing the data you want, going back and adjusting column ordering as desired. xii. Once you are happy with the output, Click OK d. Building the Service Desk Manager s Report The Service Desk Manager wants to see information about files being

Sun Mgt Bonus Lab 1: Automated Reporting in Palo Alto Firewalls 7 downloaded. i. Click Add in the Manage Custom Reports view. ii. Name the report SDM_File_Activity_Report iii.

7 Sun Mgt Bonus Lab 1: Automated Reporting in Palo Alto Firewalls 7 downloaded. i. Click Add in the Manage Custom Reports view. ii. Name the report SDM_File_Activity_Report iii. Pick the Database of Data Filtering Log iv. Click the Scheduled box v. Set the Time Frame to be the Last Calendar Day vi. Change the Sort By to Count and Top 50 vii. Under Available Columns, highlight the Filename, Application, Source Address, Destination User, Destination Address columns by shiftclicking them then clicking the green + button. Order these columns however you d like. viii. In the Query Builder, add (subtype eq file) and (direction eq server-toclient) to include only high risk applications. ix. Click Run Now to confirm you are seeing the data you want, going back and adjusting column ordering as desired.

8 Sun Mgt Bonus Lab 1: Automated Reporting in Palo Alto Firewalls 8 x. Once you are happy with the output, Click OK 3. PDF Summary Reports a. Purpose PDF Summary Reports provide a means of capturing a dashboard snapshot of up to 18 summary widgets into a single page pdf report. You can have multiple PDF Summary Reports defined. Once defined, each one will be automatically generated at 2:00AM to cover the previous calendar day s worth of activity. b. Location PDF Summary Reports reside under the Monitor Tab as Manage PDF Summary in the left menu.

9 Sun Mgt Bonus Lab 1: Automated Reporting in Palo Alto Firewalls 9 c. Building the CIO s Summary Report The CIO cares mostly about high level information, so we need a PDF Summary that provides trend information. i. Click Add in the Manage PDF Summary view. ii. Name the report CIO_Summary iii. Within each the 6 widget categories select the following: 1. Threat Reports a. Top attackers by countries b. Top victims by countries c. High risk user Top applications d. High risk user Top threats e. High Risk user Top URL categories 2. Application Reports a. Top application categories b. Top technology categories c. Top applications d. Top denied applications 3. Trend Reports a. Check all 3 options 4. Traffic Reports a. Top destination countries

Sun Mgt Bonus Lab 1: Automated Reporting in Palo Alto Firewalls 10 b. Top source countries 5. URL Filtering reports a. Top url categories 6. Custom Reports a. Leave all unchecked iv. Click OK d.

10 Sun Mgt Bonus Lab 1: Automated Reporting in Palo Alto Firewalls 10 b. Top source countries 5. URL Filtering reports a. Top url categories 6. Custom Reports a. Leave all unchecked iv. Click OK d. Building the Service Desk Manager s Summary Report The Service Desk Manager cares mostly about more tactical level information, so we need a PDF Summary that provides more of that focus. i. Click Add in the Manage PDF Summary view. ii. Name the report SDM_Summary iii. Within each the 6 widget categories select the following: 1. Threat Reports a. Top attackers b. Top victims c. Top spyware threats d. Top viruses e. Top vulnerabilities

Sun Mgt Bonus Lab 1: Automated Reporting in Palo Alto Firewalls 11 2. Application Reports a. Top HTTP tunneled applications b. Top denied applications 3. Trend Reports a. Leave all unchecked 4.

11 Sun Mgt Bonus Lab 1: Automated Reporting in Palo Alto Firewalls Application Reports a. Top HTTP tunneled applications b. Top denied applications 3. Trend Reports a. Leave all unchecked 4. Traffic Reports a. Top users b. Top sources c. Top destinations d. Top unknown TCP connections e. Top unknown UDP connections 5. URL Filtering reports a. Top websites b. Top URL categories c. Top URL users d. Top URL user behavior e. Top blocked websites f. Top blocked URL user behavior 6. Custom Reports a. Leave all unchecked

Sun Mgt Bonus Lab 1: Automated Reporting in Palo Alto Firewalls 12 4. Report Groups iv. Click OK a.

12 Sun Mgt Bonus Lab 1: Automated Reporting in Palo Alto Firewalls Report Groups iv. Click OK a. Purpose Report groups allow you to assemble a combination of reports (including custom and PDF Summary reports) into a single pdf file to facilitate distribution. You can have multiple report groups configured. b. Location Report Groups reside under the Monitor Tab under the PDF Reports heading as Report Groups in the left menu c. Building the CIO s Report Group This will be a collection of reports, including both predefined reports as well the custom report and the summary report we just created specifically for the

Sun Mgt Bonus Lab 1: Automated Reporting in Palo Alto Firewalls 13 CIO. i. Click Add in the Report Groups view. ii. Name the group CIO_Reports iii. Check the box for the Title Page iv.

13 Sun Mgt Bonus Lab 1: Automated Reporting in Palo Alto Firewalls 13 CIO. i. Click Add in the Report Groups view. ii. Name the group CIO_Reports iii. Check the box for the Title Page iv. Title the group Firewall Reports for the CIO v. Add the following reports to the group by first selecting them then clicking Add in the middle of the window 1. CIO_Summary 2. CIO_App_Report 3. SaaS Application Usage 4. Risky-users vi. Click OK to save the group d. Building the Service Desk Manager s Report Group The service desk manager wants to see everything the CIO sees plus their own specific data. To accomplish this, we will clone the CIO_Reports report group and then add the Service Desk Manager s specific info to it.

Sun Mgt Bonus Lab 1: Automated Reporting in Palo Alto Firewalls 14 i. Select the CIO_Reports report group by clicking the box next to the name and then click the Clone button. ii.

14 Sun Mgt Bonus Lab 1: Automated Reporting in Palo Alto Firewalls 14 i. Select the CIO_Reports report group by clicking the box next to the name and then click the Clone button. ii. Open the newly created CIO_Reports-1 iii. Change the Name of the group to SDM_Reports iv. Check the box for the Title Page v. Title the group Firewall Reports for the Service Desk Mgr vi. Add the following reports to the 4 reports already present in the group by first selecting them then clicking add in the middle of the window 1. SDM_Summary 2. SDM_File_Activity_Report 3. Spyware-infected-hosts 4. Botnet 5. Top-url-user-behavior 6. Top-viruses 7. Top-vulnerabilities 8. Top-victims 9. Top-spyware-threats

Sun Mgt Bonus Lab 1: Automated Reporting in Palo Alto Firewalls 15 5. Email Schedulers vii. Click OK to save the group a.

15 Sun Mgt Bonus Lab 1: Automated Reporting in Palo Alto Firewalls Schedulers vii. Click OK to save the group a. Purpose schedulers create linkages between report groups and profiles to automatically deliver the reports outlined in the selected report group to the recipients defined in the profile at the designated schedule. You can have multiple schedulers configured. b. Location Schedulers reside under the Monitor Tab under the PDF Reports heading as Scheduler in the left menu.

Sun Mgt Bonus Lab 1: Automated Reporting in Palo Alto Firewalls 16 c. Building the CIO s Scheduler i. Click Add in the Email Scheduler view. ii. Name the group CIO_Report_Sender iii.

16 Sun Mgt Bonus Lab 1: Automated Reporting in Palo Alto Firewalls 16 c. Building the CIO s Scheduler i. Click Add in the Scheduler view. ii. Name the group CIO_Report_Sender iii. Select CIO_Reports as the Report Group iv. Select CIO_ as the Profile v. Select Daily as the Recurrence vi. You may hit the Send Test button if you d like, but be sure to coordinate this with the recipients beforehand so they know to expect the in their inbox.

Sun Mgt Bonus Lab 1: Automated Reporting in Palo Alto Firewalls 17 vii. Click OK d. Building the Service Desk Manager s Scheduler i. Click Add in the Email Scheduler view. ii.

17 Sun Mgt Bonus Lab 1: Automated Reporting in Palo Alto Firewalls 17 vii. Click OK d. Building the Service Desk Manager s Scheduler i. Click Add in the Scheduler view. ii. Name the group SDM_Report_Sender iii. Select SDM_Reports as the Report Group iv. Select SDM_ as the Profile v. Select Daily as the Recurrence vi. You may hit the Send Test button if you d like, but be sure to coordinate this with the recipients beforehand so they know to expect the in their inbox. The Results vii. Click OK What followers are screen shots of one of the s and PDFs generated by the CIO_Report_Sender Scheduler.

18 Sun Mgt Bonus Lab 1: Automated Reporting in Palo Alto Firewalls 18

19 Sun Mgt Bonus Lab 1: Automated Reporting in Palo Alto Firewalls 19

20 Sun Mgt Bonus Lab 1: Automated Reporting in Palo Alto Firewalls 20

21 Sun Mgt Bonus Lab 1: Automated Reporting in Palo Alto Firewalls 21

22 Sun Mgt Bonus Lab 1: Automated Reporting in Palo Alto Firewalls 22 (*Note: User identities on this screen shot redacted for privacy.)

23 Sun Mgt Bonus Lab 1: Automated Reporting in Palo Alto Firewalls 23 The Next Steps If you want to test this on your own and do not have access to a lab environment to do so, you have a couple options: a. Contact your Sun Management Account Rep to get pricing on a lab bundle. The newly released PA-220 and VM-50 appliances are excellent platforms for testing things such as this and there are specific part numbers for lab equipment that are more heavily discounted than the same appliance for use in production. If you are unsure who your Account Rep is or do not have one yet, you can reach out to sales@sunamangement.net for assistance. b. Reach out through the free Fuel Users Group ( which at the time this lab is being written is offering limited free access to a virtual lab environment, which they refer to as their Virtual Test Lab, in which you can practice the steps outlined above. (Note: The Fuel Users Group may alter or discontinue offering their Virtual Test Lab at any time) If you feel Sun Management brings value to you and your organization with these labs, please keep us in mind for other network and network security related requirements. We are here to help you. Thank you for your business. Please direct any questions/comments/feedback on this lab exercise to: education@sunmanagement.net Lab Author: William J Kintz Sun Management s Chief Instructor and Director of Engineering Last Modified: Mar 7, 2017

Sun Mgt Bonus Lab 2: Zone and DoS Protection on Palo Alto Networks Firewalls 1

Sun Mgt Bonus Lab 2: Zone and DoS Protection on Palo Alto Networks Firewalls 1 Overview Denial of Service (DoS) and Distributed Denial of Service (DDoS) types of attack are attempts to disrupt network