Prerequisites
Before proceeding, make sure of the following:
- The NetWitness Platform (Admin Server and Packet Decoder Host) is on version 12.4 or later.
- You are connected to Live Services under the (Admin) > System > Live Services page.
- The Decoder services are managed by CCM. If CCM does not manage a decoder service, you can enable CCM for that service. For more information, see the topic Enable or Disable CCM for Individual Decoder Services.
- You must have the Private Key (.pem file), Bucket Authentication (.JSON file), and GCP bucket names available for configuration:
  - The Private Key (.pem file) is used to decrypt the AES key, which is used to decrypt the PCAPs. For more general information on managing and using the Private Key, refer to Palo Alto's Traffic Replication in Prisma Access documentation: https://docs.paloaltonetworks.com/prisma-access/administration/prisma-access-advanced-deployments/mobile-user-globalprotect-advanced-deployments/traffic-mirroring#traffic-mirroring-and-pcap-support-in-prisma-access.
  - The Bucket Authentication Key (.JSON file) is used to authenticate access to a bucket in GCP. Creating a Bucket Authentication Key (.JSON file) is a two-step process:
    - Create a service account in GCP with Storage Object Viewer (roles/storage.objectViewer). For more information, see the topic Create service accounts.
    - Create a service account key in GCP. For more information, see Create and delete service account keys.
You must perform the following tasks to deploy the Palo Alto Prisma Integration on the NetWitness Platform.
Task 1. Map Network Adapter in Decoder for Palo Alto Prisma Integration
You must select the network adapter (pcap_stream,Pcap File Streamer) and enable the Capture Autostart option so that the Decoder captures packets from it and processes the data.
To Map the Network Adapter in Decoder for Palo Alto Prisma Integration
1. Log in to the NetWitness Platform.
2. Go to (Admin) > Services.
3. Select the Packet Decoder service and click > View > Config.
   The Configure view for the Decoder service is displayed with the General tab open.
4. Under the Decoder Configuration section, do the following:
   - Set the Capture Interface Selected to the pcap_stream,Pcap File Streamer network adapter.
   - Enable the Capture Autostart option.
5. Click Apply to save the changes.
6. To restart the Decoder service, go to the Services view, select the Decoder service, and click > Restart.
7. A Confirmation dialog is displayed. To restart the service, click Yes.
8. (Optional) Navigate to the System view of the Decoder service and check whether the Decoder is capturing data.
   This step confirms that the Decoder has started capturing packets.
Task 2. Create and Publish Policy for Palo Alto Prisma Integration
You must create a policy with the Palo Alto Prisma Integration plugin, assign it to one or more groups that have a decoder service, and publish the policy.
Prerequisites
- Ensure that the Palo Alto Prisma Integration plugin type is available on the SASE Integration Plugin tab.
- Ensure that a group with one or more decoder services is created.
Supported Hosts
- Packet Decoder
- Packet Hybrid
To create and publish a policy for Palo Alto Prisma Integration
1. Go to (Configure) > Policies.
2. In the policies panel, click Content.
3. Click Policies.
   The available policies are displayed.
4. Click + Create New to add a new policy.
5. In the New Policy panel, do the following:
   - Enter a unique policy name.
   - (Optional) Enter a description for the policy.
6. Click Next.
7. In the Available Content, select the plugin type and click + to add the Palo Alto Prisma Integration plugin to the policy. To add all content based on the resource type, click the corresponding icon.
8. Enable the subscription (if required) by clicking the Subscribed toggle. Once the content is subscribed to, updates are pushed automatically.
9. Click Next.
10. If there are no unassigned groups available, save the policy; you are redirected to the Create Content Group screen.
11. In the New Group panel, do the following:
    - Enter the name of the group.
    - (Optional) Enter a description for the group.
12. Click Next.
13. In the Define Group, click + to assign services to the group.
    Note:
    - A service is disabled if it is assigned to another group.
    - A service is disabled if it is not managed by Policy-based Centralized Content Management.
14. Click Next.
15. In the Assign Policies, click + to assign policies to a group. You can assign only one policy to any particular group.
16. Click Save and Publish to save and publish the settings.
IMPORTANT: Ensure that you always publish the policy after adding the Palo Alto Prisma Integration plugin to deploy the plugin to the Decoder service.
Note: You can also publish a policy from the Policy Details screen. For more information on publishing a policy from the Policy Details screen, refer to the View a Policy topic.
For more information on Policies, see Manage Policies.
For more information on Groups, see Manage Groups.
Next, go to the policy details view and configure the Palo Alto Prisma Integration settings. For more information, see Task 3. Configure Palo Alto Prisma Integration from Policy Details View.
Task 3. Configure Palo Alto Prisma Integration from Policy Details View
Administrators can configure the Palo Alto Prisma Integration to capture the network data from the decoder service within a policy, which sends the data to NetWitness. The data is then processed by NetWitness so that it can provide a comprehensive view of network traffic and malicious activity. Analysts can use this data to monitor network traffic, identify threats, and investigate any malicious behavior.
Prerequisites
Before you begin configuring the Palo Alto Prisma Integration, ensure that you have the following:
- A policy created with the Palo Alto Prisma Integration plugin, associated with a group that has a Decoder service configured, and published.
- The Private Key (.pem file), Bucket Authentication (.JSON file), and GCP bucket names available for configuration.
To Configure the Palo Alto Prisma Integration
1. Go to (Configure) > Policies.
2. In the policies panel, click Content.
3. In the left panel, click Policies.
4. Do one of the following:
   - Click the policy name containing the Palo Alto Prisma plugin type to view the policy details.
   - Click a row to view details about the selected policy and click View Details.
5. Click the SASE Integration Plugin tab.
   IMPORTANT: The Configuration button is disabled when the policy status is Unpublished, Failed, or N/A. For more information, see Filter Policies.
6. Select the Palo Alto Prisma Integration type and click Configuration.
   The Configuration dialog is displayed.
7. In the Add Private Key for Decryption section, do the following:
   - In the Private Key area, click or drag and drop the (.pem) file to upload.
   - Click Continue to add the bucket configuration.
   The Private Key (.pem file) is used to decrypt the AES key, which is used to decrypt the PCAPs.
   Note:
   • Private keys must have a valid private key format extension (.pem).
   • The size of the Private Key (.pem file) must not exceed 8 MB.
   IMPORTANT: You only need to upload the private key once, when configuring the bucket for the first time. For subsequent bucket configurations, the private key is not required. When you click the Configuration option, you are taken directly to the Add Bucket Configuration screen.
8. In the Add Bucket Configuration section, do the following:
   - Select the decoder service from the Decoder drop-down list.
     Note: A bucket can only be configured with one decoder at a time.
   - Enter the GCP bucket name from which the decoder needs to fetch the data. For example, us-east-gcp-bucket.
   - In the Bucket Authentication area, click or drag and drop the (.JSON) file to upload. Bucket Authentication is used to authenticate access to a bucket in GCP.
   Note:
   • Bucket names must be more than two characters and can only contain lowercase letters, numeric characters, dashes ( - ), underscores ( _ ), and dots ( . ). Spaces are not allowed.
   • The Bucket Authentication must have a valid bucket authentication key format extension (.JSON).
   • The size of the Bucket Authentication (.JSON file) must not exceed 8 MB.
   - Click Continue.
9. Click + Add New Bucket to add new buckets, which navigates to the Add Bucket Configuration section. Follow step 8 to configure the bucket details.
   Note: The number of buckets you can configure depends on the total number of decoders added to the particular policy.
10. (Optional) Click Change Private Key to change the private key. This takes you to the Add Private Key for Decryption section; upload a new private key (.pem file) and click Save.
11. Click Edit if you want to modify the existing bucket configuration.
    Note: You cannot edit or change the decoder for a bucket configuration. If you need to change the decoder, you must delete the existing bucket configuration and add a new one.
12. Click (Delete) to remove the bucket configuration permanently.
13. Review the bucket configuration details and click Save Configuration.
To verify that the configuration completed successfully, ensure that the Config Status column displays Configured for the Palo Alto Prisma Integration.
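As an added pre-flight check (not part of the NetWitness documentation or product), the following Python script applies the file and bucket-name requirements from the Prerequisites and from the notes in steps 7 and 8 above to local inputs before you upload them. The service-account JSON field names are those of a standard GCP key file, and the sample inputs in the checks are constructed.

```python
import json
import re

# Limits and naming rules as stated in the procedure above.
MAX_FILE_BYTES = 8 * 1024 * 1024                    # 8 MB cap for both uploads
BUCKET_NAME_RE = re.compile(r"^[a-z0-9._-]{3,}$")   # >2 chars; lowercase, digits, - _ . only
PEM_KEY_RE = re.compile(rb"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----")


def check_private_key(filename: str, data: bytes) -> list[str]:
    """Return the problems found with the decryption key upload (empty list = OK)."""
    problems = []
    if not filename.lower().endswith(".pem"):
        problems.append("private key must use the .pem extension")
    if len(data) > MAX_FILE_BYTES:
        problems.append("private key exceeds the 8 MB limit")
    if not PEM_KEY_RE.search(data):
        problems.append("file does not contain a PEM PRIVATE KEY block")
    return problems


def check_bucket_auth(filename: str, data: bytes) -> list[str]:
    """Validate the GCP service-account key (.JSON) used for bucket authentication."""
    problems = []
    if not filename.lower().endswith(".json"):
        problems.append("bucket authentication key must use the .JSON extension")
    if len(data) > MAX_FILE_BYTES:
        problems.append("bucket authentication key exceeds the 8 MB limit")
    try:
        key = json.loads(data)
    except ValueError:
        return problems + ["file is not valid JSON"]
    if not isinstance(key, dict):
        return problems + ["JSON document is not an object"]
    # Fields present in every GCP service-account key file (assumed standard layout).
    for field in ("type", "project_id", "private_key", "client_email"):
        if field not in key:
            problems.append(f"missing field '{field}' in service-account key")
    if key.get("type") != "service_account":
        problems.append("JSON 'type' is not 'service_account'")
    return problems


def check_bucket_name(name: str) -> list[str]:
    """Apply the bucket-name rules from the Add Bucket Configuration note."""
    if BUCKET_NAME_RE.fullmatch(name):
        return []
    return [f"invalid bucket name {name!r}: >2 chars, lowercase/digits/-/_/. only"]
```

Run the three checks on the .pem file, the .JSON key and each bucket name you intend to enter; an empty list from each means the inputs satisfy the limits the Configuration dialog enforces.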
Task 4. Verify Palo Alto Prisma Events Received at Decoder
You can analyze the Palo Alto Prisma events that have been received by the Decoder and verify their accuracy.
To verify the Palo Alto Prisma Events Received at Decoder
1. Log in to the NetWitness Platform.
2. Go to (Admin) > Services.
3. Select the Packet Decoder service and click > View > Stats.
4. Under the Key Stats section, check the values for Capture Rate, Max Capture Rate, and Total Captured packets for the decoder service.
Task 5. Verify Events Meta from Palo Alto Prisma in Investigate View
To verify Palo Alto Prisma events, you must first aggregate the Decoder service into the Concentrator and then go to the Investigate > Events page to view the Palo Alto Prisma events.
Add the Decoder Service in the Concentrator
1. Log in to the NetWitness Platform.
2. Go to (Admin) > Services.
3. In the Services list, select the Concentrator service.
4. Click > View > Config.
   The Services Config View of the Concentrator is displayed.
5. Select the Sources tab.
6. Click the add icon and select Available Services.
   The Available Services dialog is displayed.
7. Select the Decoder service and click OK.
   The service authentication dialog box is displayed.
   Note: Services with the Trust Model enabled must be added individually. You are prompted to provide a username and password for the selected service.
8. Enter the Username and Password for the service.
9. Click OK.
10. Click Apply.
Verify from the Investigate > Events View
1. Go to Investigate > Events.
2. Select the Concentrator service from the Services selection drop-down list.
3. Click the query icon to load the Palo Alto Prisma events data.