LiveAssurance connects to Palo Alto Networks devices via PAN-OS XML API/HTTPS, SSH and SNMP. LiveAssurance v25.1.0 introduces support for Panorama Log Collector, in addition to the existing support for Panorama devices.
We recommend assigning the Dynamic role of Superuser or Device Administrator to the LiveAssurance user, with standard session timeouts configured. This relies on Palo Alto Networks’ fixed privileges and scales as future automation scripts are added to the LiveAssurance system.
In the event that a Custom role needs to be defined, it is preferred to include privileges that allow for flexibility and growth when LiveAssurance's Knowledge scripts expand to include more enhanced functionality. However, the following are minimum access requirements and must be enabled within the profile.
If you need assistance creating a user on your Palo Alto Networks device, please refer to Palo Alto’s website.
BlueCat recommends that credentials set for Palo Alto Networks devices are left with the default privilege of Superuser, and dynamic-based control. LiveAssurance is read-only and does not make any changes to the device’s configurations or policies. However, it does need administrator access to run commands like debug device-server show or debug log-receiver statistics.
We recommend the above role configuration because, as the product continues to expand its knowledge base, the LiveAssurance credentials will need enough flexibility to support any new scripts that require access to API and SSH commands, which are otherwise strictly defined with custom roles.
Configuring Custom Roles
Should internal policies require that LiveAssurance use the minimum privileges required to collect and analyze data from the devices, we recommend following the guidance below when creating custom credentials:
The enabled/disabled options should be set as follows:
- Web UI – Disable All
- XML API – Operational Requests
- Command Line: “deviceadmin”
Enable SNMP Monitoring
Palo Alto Networks Configuration (Panorama | Firewall)
Using the Graphical User Interface:
- Select .
- Ensure SNMP is enabled on the Management interface.
- Also be sure the IP address of the LiveAssurance server is in the Permitted IP Addresses list.
- If you are using an interface other than “Management” for management of the firewall, you will need to perform steps to enable the SNMP service on the interface management profile.
- If so select
- Select the Interface you use for Management
- Select
- Select a management profile with SNMP enabled or create a new profile.
- Select
- It is recommended to enable SNMPv3 instead of v2c. If your LiveAssurance Server is running 7.0 or higher, SNMPv3 is supported.
- Click SNMP Setup
- Optional: Specify the physical location of the firewall
- Optional: Enter the name of the person or group responsible for maintaining the firewall
- Version: If SNMP v2c is already enabled, we recommend you change to SNMPv3 if your LiveAssurance Server is running 7.0 or newer
- Click Add, and enter a name of the view group
- Click Add, and specify a name of the view
- OID: Specify the OID of the MIB.
- Option: Select the matching logic
- Mask: Specify the Mask in hexadecimal format
- If you want to provide access to all management information, you can use OID 1.3.6.1 and set the Mask to 0xf0
- For more information see Palo Alto Networks documentation.
- In the Users section, click Add to create a new user
- Users: Specify a username to identify the SNMP user account.
- View: Assign the group of views (Step #9) to the user.
- Auth Password: Specify the authentication password of the user. The firewall uses Secure Hash Algorithm (SHA-1 160) to encrypt the password.
- Priv Password: Specify the privacy password of the user. The firewall uses the password and Advanced Encryption Standard (AES-128) to encrypt SNMP traps and responses to statistics requests.
- Click OK
- Click OK and then Commit your changes
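How the view OID and Mask settings above select what an SNMPv3 user can read, shown as an added example that is not part of the BlueCat or Palo Alto Networks documentation. It assumes PAN-OS applies the mask with the standard RFC 3415 (VACM) semantics; the narrower view and the sample instance indexes are constructed for illustration.

```python
# Added example: SNMPv3 view matching as defined in RFC 3415 (VACM).
# Assumption: PAN-OS applies the view OID and Mask with these semantics.

def parse_oid(text):
    return [int(part) for part in text.strip(".").split(".")]

def mask_bits(mask_hex, length):
    """Expand a hex mask such as '0xf0' to one bit per sub-identifier.
    The most significant bit covers the first sub-identifier; a mask that
    is too short is extended with 1s (exact match), as RFC 3415 specifies."""
    digits = mask_hex[2:] if mask_hex[:2].lower() == "0x" else mask_hex
    bits = [(byte >> shift) & 1
            for byte in bytes.fromhex(digits) for shift in range(7, -1, -1)]
    return (bits + [1] * length)[:length]

def in_family(oid, subtree, mask_hex):
    """True if oid lies inside the view subtree family subtree/mask."""
    target, base = parse_oid(oid), parse_oid(subtree)
    if len(target) < len(base):
        return False
    bits = mask_bits(mask_hex, len(base))
    # A 1 bit demands an exact match; a 0 bit is a wildcard.
    return all(bit == 0 or t == b for t, b, bit in zip(target, base, bits))

def is_visible(oid, views):
    """views holds (subtree, mask_hex, option) tuples. The matching family
    with the longest subtree decides; no match means not in the view."""
    matches = [v for v in views if in_family(oid, v[0], v[1])]
    if not matches:
        return False
    best = max(matches, key=lambda v: (len(parse_oid(v[0])), parse_oid(v[0])))
    return best[2] == "include"

# The view from this page: everything under 1.3.6.1.
FULL_VIEW = [("1.3.6.1", "0xf0", "include")]
# Constructed, hypothetical narrower view: MIB-2 system group and
# HOST-RESOURCES-MIB only (seven sub-identifiers each, so the mask is 0xfe).
NARROW_VIEW = [("1.3.6.1.2.1.1", "0xfe", "include"),
               ("1.3.6.1.2.1.25", "0xfe", "include")]
# Sample query OIDs from standard MIBs; the instance indexes are constructed.
SYS_DESCR = "1.3.6.1.2.1.1.1.0"
HR_PROCESSOR_LOAD = "1.3.6.1.2.1.25.3.3.1.2.1"
IF_DESCR = "1.3.6.1.2.1.2.2.1.2.1"

if __name__ == "__main__":
    for label, views in (("full", FULL_VIEW), ("narrow", NARROW_VIEW)):
        for oid in (SYS_DESCR, HR_PROCESSOR_LOAD, IF_DESCR):
            print(label, oid, is_visible(oid, views))
```

A mask with too few 1 bits silently widens a view: 0xfc on 1.3.6.1.2.1.1 turns the seventh sub-identifier into a wildcard and matches all of 1.3.6.1.2.1, so count the sub-identifiers of the OID before choosing the mask.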
Using the Command Line Interface:
- Run the following commands:

    configure
    set deviceconfig system service disable-snmp no
    set deviceconfig system snmp-setting access-setting version v3 views $VIEW_GROUP_NAME view $view_name oid 1.3.6.1
    set deviceconfig system snmp-setting access-setting version v3 views $VIEW_GROUP_NAME view $view_name option include
    set deviceconfig system snmp-setting access-setting version v3 views $VIEW_GROUP_NAME view $view_name mask 0xf0
    set deviceconfig system snmp-setting access-setting version v3 users $USER_NAME authpwd $AUTH_PASSWORD
    set deviceconfig system snmp-setting access-setting version v3 users $USER_NAME privpwd $PRIV_PASSWORD
    set deviceconfig system snmp-setting access-setting version v3 users $USER_NAME view $VIEW_GROUP_NAME
    set deviceconfig system snmp-setting snmp-system location $LOCATION
    set deviceconfig system snmp-setting snmp-system contact $CONTACT_NAME
    commit

LiveAssurance Server Configuration:
- Click on Devices icon on the side-panel to the left-hand side of the screen
- Select Credential Sets, and create a new/modify an existing credential set
- Select SNMPv3
- Security Name: Enter the username from the SNMP setup in PAN-OS “Users” step.
- Select Authentication and privacy
- Select SHA
- Select AES128
- Enter the Privacy Passphrase from the SNMP setup in PAN-OS add Priv. Password step.
- Enter the Authentication Passphrase from the SNMP setup in PAN-OS add Auth. Password step.
- Click Add
- Click on Reports icon on the side-panel to the left-hand side of the screen
- Select
- Select one of the managed Palo Alto Networks devices
- Domain: OS
- Metric: CPU
Verification
- Verify that we are able to receive Management-Plane CPU utilization from the PAN device