Mastering Palo Alto Networks - Second Edition

Product type: Book, 2nd Edition
Published: Jun 2022, Packt
ISBN-13: 9781803241418
Pages: 636
Author: Tom Piens (aka 'reaper')

Table of Contents (18 chapters)

  • Preface
  • 1. Understanding the Core Technologies
  • 2. Setting Up a New Device
  • 3. Building Strong Policies
  • 4. Taking Control of Sessions
  • 5. Services and Operational Modes
  • 6. Identifying Users and Controlling Access
  • 7. Managing Firewalls through Panorama
  • 8. Upgrading Firewalls and Panorama
  • 9. Logging and Reporting
  • 10. Virtual Private Networks
  • 11. Advanced Protection
  • 12. Troubleshooting Common Session Issues
  • 13. A Deep Dive into Troubleshooting
  • 14. Cloud-Based Firewall Deployment
  • 15. Supporting Tools
  • 16. Other Books You May Enjoy
  • 17. Index

Supporting Tools

In this chapter, we will take a look at a few tools that make managing your firewalls and keeping an eye on the overall health of your organization straightforward. Many organizations already have monitoring tools in place, such as a Security Information and Event Management (SIEM) system, that collect and aggregate information from many systems to keep track of important incidents or to stay on top of change management. We will learn about a couple of handy add-ons that give an admin better visibility into system health and network security. We will also look at an interesting and convenient (and free!) tool that aggregates external threat intelligence feeds and helps to enforce them on the firewall. Lastly, we will have a look at the Application Programming Interface (API).

In this chapter, we’re going to cover the following main topics:

  • Integrating Palo Alto Networks with Splunk
  • Monitoring with Pan(w)achrome
  • Threat intelligence with MineMeld...

Technical requirements

This chapter will demonstrate several ways to connect the firewall to an external monitoring or management device. Access to a lab environment to install some of these tools can be helpful to gain an insight into what information can be extracted that is most useful to your organization. We will be running one of the tools in a Docker container.

You can find instructions on how to install Docker at their official page: https://docs.docker.com/engine/install/

Integrating Palo Alto Networks with Splunk

Splunk is a popular log aggregator and analyzer that can collect logs from many different sources and present the information gathered from those logs in a wide variety of dashboards and “single panes of glass.” There are similar and competing products such as LogRhythm, Elastic, and SolarWinds, just to name a few. Most have similar features and varying pricing models. The free version of Splunk is well suited to a very small deployment, but for larger deployments, you’ll need to compare and weigh which of the available vendors brings the best value for your money. Try before you buy is probably the best advice here.

To connect a firewall to Splunk, you will first need to set up a syslog-ng server to receive syslog messages from the firewall. If the firewall and the collector are not on the same trusted segment, select TCP or SSL rather than UDP as the transport in the firewall's syslog server profile, so that log lines are neither silently lost nor readable in transit. Take the following steps to prepare your Splunk instance.

Depending on your flavor of Linux, the following instructions may vary. I’ve included yum (CentOS, RHEL) and...

Monitoring with Pan(w)achrome

Some monitoring tools come in very simple packaging, such as the Chrome browser extension Pan(w)achrome (also known as Panachrome). You can install the extension right from the Chrome Web Store:

  1. Open https://chrome.google.com/webstore/category/extensions in the Chrome browser.
  2. Search for pan(w)achrome.
  3. Click on Add to Chrome, as shown in the following screenshot:

Figure 15.7: Adding the Pan(w)achrome extension to Chrome

  4. Once the extension is installed, the icon will appear in your extension quick launch.
  5. Click on the icon to go to the landing page, where you can add new firewalls, as shown in the following screenshot:

Figure 15.8: Pan(w)achrome managed devices

  6. Click on the Add button and add the firewall by its URL.
  7. Select whether you want to authenticate using an API key or username and password. Whichever you pick, create a dedicated administrator with a read-only admin role for this purpose rather than reusing a superuser account: the key the extension stores is as powerful as the account that generated it.

    The API key can be easily extracted from each firewall using the following...

Threat intelligence with MineMeld

MineMeld is a tool originally developed by Palo Alto Networks that is now “community-supported,” as Palo Alto Networks replaced it with the licensed Cortex XSOAR product following the Demisto acquisition. Community-supported also means no vendor security updates, so keep the instance on the management network rather than exposing it more widely.

However, MineMeld is still a very useful tool as it is an extensible threat intelligence processing framework. This means it is able to ingest several threat intelligence feeds and aggregate the information so that you can feed it into the firewall as an additional protection vector, which is pretty cool.

The installation is straightforward, and you can even run it in a Docker container:

sudo docker pull paloaltonetworks/minemeld
sudo docker volume create minemeld-logs
sudo docker volume create minemeld-local
sudo docker run -dit --name minemeld --restart unless-stopped --tmpfs /run \
  -v minemeld-local:/opt/minemeld/local -v minemeld-logs:/opt/minemeld/log \
  -p 443:443 -p 80:80 paloaltonetworks/minemeld

Publishing ports 80 and 443 on all host interfaces is fine in a lab; in production, bind them to the management interface's address only.

MineMeld can...
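Stripped to its core, what MineMeld does is fetch feeds, normalize them, throw out what should never be blocked, and publish a list the firewall pulls as an External Dynamic List (EDL). The following is an added example (not MineMeld's code and not from the book) that shows that aggregation step in plain Python: two constructed feeds in the formats you actually meet, a constructed operator allow-list, a hard-coded set of address space that must never end up in a block rule, and the collapsed result rendered the way an IP-type EDL expects it. Every address in it is made up.

```python
"""Added example, not MineMeld's code or the book's: the aggregation step a feed
processor performs before a firewall can pull the result as an External Dynamic List.

Both feeds, the allow-list and every address in them are constructed for this demo.
"""
import ipaddress

# Feed one: a plain list with comments, a duplicate, junk, and an RFC 1918 address.
FEED_PLAIN = """\
# constructed blocklist
203.0.113.7
203.0.113.0/28
198.51.100.23   # listed twice on purpose
198.51.100.23
10.0.0.9        # an internal host: must never reach a block rule
not-an-ip
"""

# Feed two: CSV with the indicator in the first column and metadata after it.
FEED_CSV = """\
indicator,type,confidence
203.0.113.9,ip,90
203.0.113.0/26,cidr,60
2001:db8::1,ip,80
192.0.2.10,ip,95
"""

# Operator allow-list: space a feed may never cause you to block (constructed).
ALLOWLIST = ["192.0.2.10", "10.0.0.0/8"]

# Space that has no business in a blocklist regardless of what a feed says.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",    # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4",     # loopback, link-local, multicast
    "0.0.0.0/8", "255.255.255.255/32",
    "::1/128", "fe80::/10", "fc00::/7", "ff00::/8",
)]


def parse_feed(text):
    """Return ([networks], [rejected lines]) from a plain or CSV feed.

    Strips '#' comments and a CSV header, keeps only the first CSV column, and
    accepts single IPs and CIDRs (strict=False tolerates host bits set in a CIDR).
    """
    nets, rejects = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        candidate = line.split(",", 1)[0].strip()
        if candidate.lower() == "indicator":        # CSV header
            continue
        try:
            nets.append(ipaddress.ip_network(candidate, strict=False))
        except ValueError:
            rejects.append(raw.strip())
    return nets, rejects


def aggregate(feeds, allowlist=()):
    """Merge named feeds into one collapsed, de-duplicated list of networks.

    Returns (networks, dropped); dropped holds (feed, entry, reason) tuples so the
    operator can see what was thrown away and why. An entry that overlaps
    NEVER_BLOCK or the allow-list is dropped whole rather than carved: you then
    block slightly less, but never your own production space.
    """
    allow = [ipaddress.ip_network(a, strict=False) for a in allowlist]
    kept, dropped = [], []
    for name, text in feeds.items():
        nets, rejects = parse_feed(text)
        dropped += [(name, r, "unparseable") for r in rejects]
        for net in nets:
            clash = next((b for b in NEVER_BLOCK + allow
                          if b.version == net.version and b.overlaps(net)), None)
            if clash is not None:
                dropped.append((name, str(net), f"overlaps {clash}"))
            else:
                kept.append(net)
    merged = []
    for version in (4, 6):     # collapse_addresses refuses mixed address families
        merged += list(ipaddress.collapse_addresses(
            [n for n in kept if n.version == version]))
    return merged, dropped


def render_edl(networks):
    """Format for a PAN-OS External Dynamic List of type IP: one entry per line,
    a bare address for single hosts and CIDR notation for anything wider."""
    out = [str(n.network_address) if n.prefixlen == n.max_prefixlen else str(n)
           for n in networks]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    nets, dropped = aggregate({"plain": FEED_PLAIN, "csv": FEED_CSV}, ALLOWLIST)
    print(render_edl(nets), end="")
    for feed, entry, why in dropped:
        print(f"# dropped {entry} from {feed}: {why}")
```

Serve the rendered text over HTTPS and point an External Dynamic List object of type IP at it; the drop report is what you want in a log or a ticket, because a feed that suddenly publishes your own address space is exactly the failure this check exists to catch.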

Exploring the API

The XML API is a way of accessing the firewall from any HTTP client and executing all sorts of commands, from extracting information to adding and updating runtime information or configuration. If you have external monitoring, you could automate adding blacklisted IPs on the firewall when a security event is triggered, or if an access point supports sending out API commands, it could update the user-to-IP mapping on the firewall when a user logs on or off.

To be able to use the API, however, you will always need an API key to authenticate any remote source making a connection to the firewall. The key carries the permissions of the administrator account that generated it and does not expire by default; PAN-OS 9.0 and later let you set an API key lifetime and expire all existing keys under Device > Setup > Management > Authentication Settings. You can generate a key using the following command from the terminal or command line (note that -k disables certificate validation and that the password in the URL ends up in shell history and proxy logs, so use this form in a lab only):

curl -k -X GET 'https://<firewall>/api/?type=keygen&user=<username>&password=<password>'

Alternatively, you can open the following URL in a browser:

https://<firewall>/api/?type=keygen&user=<username>&password=<password...
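The two use cases named above, pushing a blocked IP and updating a user-to-IP mapping, both go through the User-ID part of the API with an XML payload. The following is an added example (not the book's code) that shows the keygen call with the password in a POST body rather than the URL, parses the key out of the response, builds the uid-message payloads, and sends them. The firewall name, admin name, tag and IP addresses are made up; the request parameters and XML layouts are those of the PAN-OS XML API.

```python
"""Added example, not code from the book: calling the PAN-OS XML API from Python.

The firewall name, admin account, tag and IP addresses are made up. The request
parameters (type=keygen, type=user-id with a cmd payload) and the XML layouts are
those of the PAN-OS XML API; the responses used for testing are constructed.
"""
import ipaddress
import ssl
import urllib.request
import xml.etree.ElementTree as ET
from urllib.parse import urlencode
from xml.sax.saxutils import escape, quoteattr


def keygen_request(firewall, user, password):
    """Return (url, POST body) for a keygen call.

    The book's one-liner carries the password in the query string, so it lands in
    shell history and in every proxy or web-server access log on the path.
    PAN-OS accepts the same parameters in a POST body, which keeps them out of URLs.
    """
    url = f"https://{firewall}/api/"
    body = urlencode({"type": "keygen", "user": user, "password": password}).encode()
    return url, body


def parse_keygen_response(xml_text):
    """Extract the key from a keygen response; raise if the firewall reported an error."""
    root = ET.fromstring(xml_text)
    if root.tag != "response" or root.get("status") != "success":
        msg = root.findtext("./result/msg") or root.findtext("./msg") or "unknown error"
        raise RuntimeError(f"keygen failed: {msg}")
    key = (root.findtext("./result/key") or "").strip()
    if not key:
        raise RuntimeError("keygen response carried no key")
    return key


def uid_message(payload_xml):
    """Wrap a User-ID payload in the uid-message envelope the firewall expects."""
    return ("<uid-message><version>1.0</version><type>update</type>"
            f"<payload>{payload_xml}</payload></uid-message>")


def register_ip_payload(ip, tags, unregister=False):
    """Tag (or untag) an IP so a Dynamic Address Group picks it up.

    A security rule that blocks the group then takes effect without a commit: this
    is the 'add blacklisted IPs when the SIEM fires' case from the text. The IP must
    be a literal address; tags are XML-escaped so SIEM data cannot break the document.
    """
    ip = str(ipaddress.ip_address(ip))          # raises ValueError on anything else
    verb = "unregister" if unregister else "register"
    members = "".join(f"<member>{escape(t)}</member>" for t in tags)
    return uid_message(f"<{verb}><entry ip={quoteattr(ip)}><tag>{members}</tag></entry></{verb}>")


def login_payload(user, ip, timeout_minutes=60):
    """User-to-IP mapping, the access-point case from the text (a logout uses <logout>)."""
    ip = str(ipaddress.ip_address(ip))
    return uid_message(f"<login><entry name={quoteattr(user)} ip={quoteattr(ip)} "
                       f"timeout=\"{int(timeout_minutes)}\"/></login>")


def user_id_request(firewall, key, payload_xml):
    """Return (url, POST body, headers) for a User-ID API call.

    The key goes in the X-PAN-KEY header rather than the URL for the same reason as
    the password above; PAN-OS 9.0 and later accept the header, and the key= query
    parameter the book uses works on every release.
    """
    url = f"https://{firewall}/api/"
    body = urlencode({"type": "user-id", "cmd": payload_xml}).encode()
    return url, body, {"X-PAN-KEY": key}


def send(url, body, headers=None, verify_tls=True, timeout=10):
    """POST to the firewall and return the response body as text.

    verify_tls=False is the equivalent of curl -k: lab use only, because anyone who
    can spoof the firewall's address then receives your admin password or API key.
    """
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(url, data=body, headers=headers or {}, method="POST")
    with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


if __name__ == "__main__":
    # Offline demo: show exactly what would go on the wire for the made-up firewall.
    print(keygen_request("fw.example.net", "apiadmin", "correct horse"))
    print(register_ip_payload("203.0.113.9", ["quarantine"]))
    print(login_payload("corp\\alice", "10.20.30.40"))
```

A typical run is `key = parse_keygen_response(send(*keygen_request(fw, user, pw)))` once, the key stored in a secrets manager, and then `send(*user_id_request(fw, key, register_ip_payload(ip, ["quarantine"])))` from the SIEM action; generating a fresh key per call works but leaves a login event in the system log every time.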

Summary

In this chapter, we reviewed a couple of handy tools that can be set up to augment an existing syslog or SIEM solution. We looked at tools that provide an administrator with some quick and easy ways to perform and automate some management and monitoring tasks without needing to depend on cumbersome monitoring portals. You learned how to access the API section of the firewall and Panorama so that you can easily find the commands you need to set up automation. You are now also able to set up your very own threat intelligence server that can aggregate multiple data flows into easy-to-use security rule objects.

Congratulations, you have made it to the end! I want to thank you for sticking with me all the way here. Hopefully, you’ve learned a lot and have been able to impress a few people left and right with your new skills. It is my sincere hope you thoroughly enjoyed reading this book and will keep it by your side as a trusted companion.
