Prerequisites
Before proceeding, ensure the following:
- The NetWitness Platform (Admin Server and Packet Decoder Host) is on version 12.5 or later.
- You are connected to Live Services under the (Admin) > System > Live Services page.
- The Decoder services are managed by CCM. If a Decoder service is not managed by CCM, you can enable CCM for that service. For more information, see the topic Enable or Disable CCM for Individual Decoder Services.
- You have the Private Key (.pem file), the optional Bucket Authentication key (.JSON file), the GCP bucket names, the local GCP project ID, and the Pub/Sub Subscription ID available for configuration:
  - The Private Key (.pem file) is used to decrypt the AES key, which in turn decrypts the PCAPs. Protect it accordingly: anyone holding this key together with the bucket contents can decrypt the mirrored traffic. For more information on managing and using the Private Key, see Palo Alto Networks' Traffic Replication in Prisma Access documentation: https://docs.paloaltonetworks.com/prisma-access/administration/prisma-access-advanced-deployments/mobile-user-globalprotect-advanced-deployments/traffic-mirroring#traffic-mirroring-and-pcap-support-in-prisma-access.
  - The optional Bucket Authentication Key (.JSON file) is used to authenticate access to a bucket in GCP. It is a long-lived credential; where the Decoder runs in GCP, attaching the service account directly to the Decoder VM instead (see Configure Permissions for Google Cloud Platform) avoids distributing a key file. Creating the key is a two-step process:
    - Create a service account in GCP with Storage Object Viewer (roles/storage.objectViewer). For more information, see the topic Create service accounts.
    - Create a service account key in GCP. For more information, see Create and delete service account keys.
Create Google Cloud Pub/Sub Subscription
The Subscription ID uniquely identifies a Pub/Sub subscription within a project. A subscription delivers the messages published to one designated Pub/Sub topic, so creating it links your project to the topic on which Palo Alto Networks publishes notifications for new PCAP objects.
To create the subscription, use the gcloud tool available on the SASE head nodes:
gcloud pubsub subscriptions create <SUBSCRIPTION ID> \
  --topic-project=<PAN GCP PROJECT ID> \
  --topic=<PAN GCP PUB/SUB TOPIC ID> \
  --message-filter='attributes.bucketId="<PAN GCS BUCKET>"' \
  --enable-message-ordering
Created subscription [projects/<LOCAL GCP PROJECT ID>/subscriptions/<SUBSCRIPTION ID>]
--topic-project is the project that owns the topic (the PAN project). The subscription itself is created in your local project, which is why the confirmation names <LOCAL GCP PROJECT ID> rather than the PAN project.
--topic is the topic ID.
--message-filter restricts the subscription to messages whose attributes match the filter. Here it selects messages whose bucketId attribute names the GCS bucket of interest, which the integration plugin requires.
--enable-message-ordering ensures that messages sharing the same ordering key (here, the GCS bucket of interest) are delivered in the order in which they were published. Without message ordering, PCAP files can arrive out of sequence, which breaks the continuity of the session data the Decoder reconstructs.
Subscription settings beyond these, such as message retention, are not mandated by the integration; set them according to your needs.
Note: Files in the PAN GCS bucket have a retention period of three days. A PCAP that the Decoder has not fetched within that window is no longer retrievable from the bucket.
Configure Permissions for Google Cloud Platform
These permissions give the service account used by the plugin the access it needs within the Google Cloud Platform (GCP) infrastructure. Grant the following:
- GCS Bucket and Pub/Sub Topic Read Access (managed by PAN, Palo Alto Networks)
  - GCS Bucket Read Access: required to retrieve new PCAP objects from the GCS bucket.
  - Pub/Sub Topic Read Access: required to subscribe to the Pub/Sub topic for real-time message processing.
  Both resources belong to the PAN project, so this access is granted by Palo Alto Networks to your service account rather than configured by you.
- Pub/Sub Admin Role
  - The service account must be assigned the Pub/Sub Admin role (roles/pubsub.admin), which grants full Pub/Sub permissions (pubsub.*) for managing topics and subscriptions.
  - This role is required to onboard the subscription locally, in the GCP project that hosts the NetWitness instance.
  - pubsub.* is considerably broader than the subscribe-and-consume access the plugin uses once the subscription exists. Where your IAM process allows, grant this role for the onboarding step and review the binding afterwards.
- Cloud API Access for Attached Service Accounts
  - If the service account is attached directly to the Decoder VM (instead of uploading a key file), the VM must be created with full access to all Cloud APIs as its access scope so that the plugin can reach Cloud Storage and Pub/Sub. The access scope only sets a ceiling; the permissions the VM actually has remain those of the IAM roles bound to the service account.
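The two sections above (creating the filtered, ordered subscription and granting the service account its permissions) as one GCP-side onboarding script. This is an added example, not NetWitness or Palo Alto Networks code; every project, topic, bucket and account name in it is an assumed placeholder, and the Storage Object Viewer and topic-subscribe grants on the PAN side are left to Palo Alto Networks as the page states. Without --apply the script only prints the gcloud commands it would run.

```shell
#!/bin/sh
# Added example (not NetWitness or Palo Alto Networks code): GCP-side onboarding
# for the Prisma Access PCAP integration. Run with --apply to execute the gcloud
# commands; without it the script only prints them. All values below are
# assumed placeholders; override them through the environment.
set -eu

LOCAL_PROJECT="${LOCAL_PROJECT:-my-netwitness-project}"   # local GCP project ID
SA_NAME="${SA_NAME:-nw-prisma-plugin}"                     # service account name
PAN_PROJECT="${PAN_PROJECT:-pan-project-id}"               # PAN GCP project ID
PAN_TOPIC="${PAN_TOPIC:-pan-pcap-topic}"                   # PAN Pub/Sub topic ID
PAN_BUCKET="${PAN_BUCKET:-us-east-gcp-bucket}"             # PAN GCS bucket name
SUB_ID="${SUB_ID:-nw-${PAN_BUCKET}-sub}"                   # local subscription ID
KEY_FILE="${KEY_FILE:-bucket-auth.json}"                   # only if the SA is not attached to the VM

# Service account e-mail as GCP derives it from the account name and project.
sa_email() { printf '%s@%s.iam.gserviceaccount.com' "$1" "$2"; }

# Subscription filter in the form the documented gcloud command expects.
build_filter() {
  [ -n "$1" ] || { echo "bucket name must not be empty" >&2; return 1; }
  printf 'attributes.bucketId="%s"' "$1"
}

# Print a command, or run it when --apply was given.
run() { if [ "$APPLY" = 1 ]; then "$@"; else printf '+ %s\n' "$*"; fi; }

onboard() {
  SA=$(sa_email "$SA_NAME" "$LOCAL_PROJECT")
  FILTER=$(build_filter "$PAN_BUCKET")

  # 1. Service account in the local project.
  run gcloud iam service-accounts create "$SA_NAME" --project="$LOCAL_PROJECT" \
      --display-name="NetWitness Prisma plugin"

  # 2. Pub/Sub Admin in the local project, needed to create the subscription.
  #    Read access to the PAN bucket and topic is granted by Palo Alto Networks
  #    in their project; hand them the $SA address.
  run gcloud projects add-iam-policy-binding "$LOCAL_PROJECT" \
      --member="serviceAccount:$SA" --role="roles/pubsub.admin"

  # 3. Optional key file for the Bucket Authentication upload. Skip this step
  #    when the service account is attached to the Decoder VM instead.
  run gcloud iam service-accounts keys create "$KEY_FILE" \
      --iam-account="$SA" --project="$LOCAL_PROJECT"

  # 4. Filtered, ordered subscription in the local project on the PAN topic.
  run gcloud pubsub subscriptions create "$SUB_ID" --project="$LOCAL_PROJECT" \
      --topic-project="$PAN_PROJECT" --topic="$PAN_TOPIC" \
      --message-filter="$FILTER" --enable-message-ordering

  # 5. Confirm filter and ordering took effect, then peek at one message without
  #    acknowledging it, so it is still redelivered to the plugin later.
  run gcloud pubsub subscriptions describe "$SUB_ID" --project="$LOCAL_PROJECT" \
      --format='value(filter,enableMessageOrdering)'
  run gcloud pubsub subscriptions pull "$SUB_ID" --project="$LOCAL_PROJECT" \
      --limit=1 --format=json
}

if [ "${1:-}" = "--apply" ]; then APPLY=1; else APPLY=0; fi
onboard
```

The describe step is the check worth keeping: a subscription created without the filter or without ordering looks identical in the console list, and the failure only shows up later as sessions from other tenants' buckets or as broken session continuity on the Decoder.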
Deploy Palo Alto Prisma Integration
You must perform the following tasks to deploy the Palo Alto Prisma Integration on NetWitness Platform.
Task 1. Map Network Adapter in Decoder for Palo Alto Prisma Integration
You must select the streaming network adapter and enable the Capture Autostart option so that the Decoder captures packets delivered by the plugin and processes the data. The adapter name depends on the NetWitness version (pcap_stream,Pcap File Streamer or packet_stream,Packet Streamer; see below).
To Map the Network Adapter in Decoder for Palo Alto Prisma Integration
- Log in to the NetWitness Platform.
- Go to (Admin) > Services.
- Select the Packet Decoder service and click > View > Config.
  The Configure view for the Decoder service is displayed with the General tab open.
- Under the Decoder Configuration section, do the following:
  - Set Capture Interface Selected to the pcap_stream,Pcap File Streamer network adapter (applicable for 12.4 and 12.4.1).
  - Set Capture Interface Selected to the packet_stream,Packet Streamer network adapter (applicable for 12.4.2 and later versions, including the 12.5 baseline this integration requires).
  - Enable the Capture Autostart option.
- Click Apply to save the changes.
Task 2. Create and Publish Policy for Palo Alto Prisma Integration
You must create a policy that contains the Palo Alto Prisma Integration plugin, assign it to one or more groups that contain a Decoder service, and publish the policy.
Prerequisites
- Ensure that the Palo Alto Prisma Integration plugin type is available on the SASE Integration Plugin tab.
- Ensure that a group with one or more Decoder services is created.
Supported Hosts
- Packet Decoder
- Packet Hybrid
To create and publish a policy for Palo Alto Prisma Integration
- Go to (Configure) > Policies.
- In the policies panel, click Content.
- Click Policies.
  The available policies are displayed.
- Click + Create New to add a new policy.
- In the New Policy panel, do the following:
  - Enter a unique policy name.
  - (Optional) Enter a description for the policy.
- Click Next.
- In Available Content, select the plugin type and click + to add the Palo Alto Prisma Integration plugin to the policy.
  Note: You can add only one SASE Integration Plugin to any particular policy.
- (If required) Enable the subscription by clicking the Subscribed toggle. Once the content is subscribed to, updates are pushed automatically.
- Click Next.
- If no unassigned groups are available, click to save the policy; you are redirected to the Create Content Group screen.
- In the New Group panel, do the following:
  - Enter the name of the group.
  - (Optional) Enter a description for the group.
- Click Next.
- In Define Group, click + to assign services to the group.
  Note:
  • A service is disabled if it is assigned to another group.
  • A service is disabled if it is not managed by Policy-based Centralized Content Management.
- Click Next.
- In Assign Policies, click + to assign policies to the group. You can assign only one policy to any particular group.
- Click Save and Publish to save and publish the settings.
  Important: Always publish the policy after adding the Palo Alto Prisma Integration plugin to it; publishing is what deploys the plugin to the Decoder service.
  Note: You can also publish a policy from the Policy Details screen. For more information, refer to the View a Policy topic.
For more information on Policies, see Manage Policies.
For more information on Groups, see Manage Groups.
Next, open the policy details view and configure the Palo Alto Prisma Integration settings. For more information, see Task 3. Configure Palo Alto Prisma Integration from Policy Details View.
Task 3. Configure Palo Alto Prisma Integration from Policy Details View
Administrators configure the Palo Alto Prisma Integration within a policy so that the Decoder service fetches the mirrored network data and sends it to NetWitness. NetWitness then processes that data to provide a comprehensive view of network traffic and malicious activity. Analysts use it to monitor network traffic, identify threats, and investigate malicious behavior.
Prerequisites
Before you begin configuring the Palo Alto Prisma Integration, ensure the following:
- A policy containing the Palo Alto Prisma Integration plugin exists, is associated with a group that has a Decoder service, and is published.
- You have the Private Key (.pem file), the optional Bucket Authentication (.JSON file), the GCP bucket names, the local GCP project ID, and the Pub/Sub Subscription ID available for configuration.
To Configure the Palo Alto Prisma Integration
- Go to (Configure) > Policies.
- In the policies panel, click Content.
- In the left panel, click Policies.
- Do one of the following:
  - Click the name of the policy containing the Palo Alto Prisma plugin type to view the policy details.
  - Click a row to view details about the selected policy and click View Details.
- Click More > SASE Integration Plugin tab.
  Important: The Configuration button is disabled when the policy status is Unpublished, Failed, or N/A. For more information, see Filter Policies.
- Select the Palo Alto Prisma Integration plugin type and click Configuration.
  The Configuration dialog is displayed.
- In the Add Private Key for Decryption section, do the following:
  - In the Private Key area, click or drag and drop the (.pem) file to upload.
  - Click Continue to add the bucket configuration.
  The Private Key (.pem file) is used to decrypt the AES key, which in turn decrypts the PCAPs.
  Note:
  • Private keys must have a valid private key format extension (.pem).
  • The size of the Private Key (.pem file) must not exceed 8 MB.
  Important: You only need to upload the private key once, when configuring the first bucket. For subsequent bucket configurations the private key is not required; when you click Configuration you are taken directly to the Add Bucket Configuration screen.
- In the Add Bucket Configuration section, do the following:
  - Select the Decoder service from the Decoder drop-down list.
    Note: A bucket can be configured with only one Decoder at a time.
  - Enter the Google Cloud Project ID, the user-defined unique identifier of your local Google Cloud project.
  - Enter the Publish/Subscribe (Pub/Sub) Subscription ID. This is the ID of the subscription created in Create Google Cloud Pub/Sub Subscription; it links the Decoder to the Pub/Sub topic on which notifications for new PCAPs are published.
  - Enter the name of the GCP bucket from which the Decoder fetches the data. For example, us-east-gcp-bucket.
  - (Optional) In the Bucket Authentication area, click or drag and drop the (.JSON) file to upload. Bucket Authentication is used to authenticate access to a bucket in GCP.
    (Optional) Alternatively, the service account can be attached directly to the Decoder VM that hosts the integration, in which case no key file is uploaded.
    Note:
    • Bucket names must be more than two characters and can only contain lowercase letters, numeric characters, dashes ( - ), underscores ( _ ), and dots ( . ). Spaces are not allowed.
    • The Bucket Authentication must have a valid bucket authentication key format extension (.JSON).
    • The size of the Bucket Authentication (.JSON file) must not exceed 8 MB.
    Note: By default, partition.total is 1 and partition.segment is 0. These values are pushed to the Decoder along with the changes made in the Configuration dialog. You can view them on the Decoder Explore page.
  - Click Continue.
- Click + Add New Bucket to add another bucket; this returns you to the Add Bucket Configuration section. Repeat the Add Bucket Configuration step above for the new bucket.
  Note: The number of buckets you can configure depends on the total number of Decoders added to the particular policy.
- (Optional) Click Change Private Key to change the private key. This navigates you to the Add Private Key for Decryption section; click, upload a new private key (.pem file), and click Save.
- To modify an existing bucket configuration:
  • Click Edit to open the Edit Bucket Configuration section.
  • Modify the details and click Save.
  Note: You cannot change the Decoder of a bucket configuration. To change the Decoder, delete the existing bucket configuration and add a new one.
- Click (Delete) to remove a bucket configuration permanently.
- Review the bucket configuration details and click Save Configuration.
  To verify that the configuration completed successfully, check that the Config Status column displays Configured for the Palo Alto Prisma Integration.
- Restart the Decoder service: go to the Services view, select the Decoder service, and click > Restart.
- A confirmation dialog is displayed. To restart the service, click Yes.
- (Optional) Navigate to the System view of the Decoder service and check that the Decoder is capturing data.
  This confirms that the Decoder has started capturing packets.
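A preflight check for the three inputs the Configuration dialog accepts (private key, bucket name, optional bucket authentication key), applying the extension, size and bucket-name rules from the notes above before anything is uploaded. This is an added example, not NetWitness code. The rejection of passphrase-protected keys is an assumption drawn from the dialog having no passphrase field; the other checks restate the page's own limits.

```shell
#!/bin/sh
# Added example (not NetWitness code): offline preflight check of the inputs the
# Configuration dialog accepts, using the limits stated in the documentation.
# Usage: ./prisma-preflight.sh KEY.pem BUCKET [BUCKET_AUTH.json]
set -eu
export LC_ALL=C          # make [a-z] mean ASCII lowercase regardless of locale

MAX_BYTES=8388608        # 8 MB limit for the .pem and .JSON uploads

file_size() { wc -c < "$1" | tr -d ' '; }

# Bucket name: more than two characters; lowercase letters, digits, '-', '_', '.'
valid_bucket_name() {
  printf '%s' "$1" | grep -Eq '^[a-z0-9._-]{3,}$'
}

# Private key: .pem extension, at most 8 MB, and a PEM private-key block.
# ENCRYPTED blocks are rejected (assumption: the dialog offers no passphrase).
valid_private_key() {
  f=$1
  case "$f" in *.pem) ;; *) echo "$f: extension must be .pem" >&2; return 1;; esac
  [ "$(file_size "$f")" -le "$MAX_BYTES" ] || { echo "$f: larger than 8 MB" >&2; return 1; }
  if grep -q -e '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$f"; then
    echo "$f: passphrase-protected key; supply an unencrypted PEM" >&2; return 1
  fi
  grep -Eq -e '^-----BEGIN (RSA |EC )?PRIVATE KEY-----' "$f" \
    || { echo "$f: no PEM private key block found" >&2; return 1; }
}

# Bucket Authentication: .JSON extension, at most 8 MB, and a service account
# key rather than some other JSON file (a user credential, for instance).
valid_bucket_auth() {
  f=$1
  case "$f" in *.json|*.JSON) ;; *) echo "$f: extension must be .JSON" >&2; return 1;; esac
  [ "$(file_size "$f")" -le "$MAX_BYTES" ] || { echo "$f: larger than 8 MB" >&2; return 1; }
  grep -Eq '"type"[[:space:]]*:[[:space:]]*"service_account"' "$f" \
    || { echo "$f: not a service account key" >&2; return 1; }
  grep -Eq '"private_key"[[:space:]]*:' "$f" \
    || { echo "$f: key file has no private_key field" >&2; return 1; }
}

# Run every check and report all failures, returning non-zero if any failed so
# the script can gate an automated upload step.
preflight() {
  ok=0
  valid_private_key "$1" || ok=1
  valid_bucket_name "$2" || { echo "$2: invalid bucket name" >&2; ok=1; }
  if [ "${3:-}" ]; then valid_bucket_auth "$3" || ok=1; fi
  return $ok
}

if [ $# -ge 2 ]; then
  if ! preflight "$@"; then exit 1; fi
  echo "preflight OK"
fi
```

Run it against the files you intend to upload; a bucket name that fails here will be refused by the dialog for the same reason, and a non-service-account JSON file (for example a user credential) would be accepted by the extension check alone but cannot authenticate the Decoder to the bucket.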
Task 4. Verify Palo Alto Prisma Events Received at Decoder
You can check the Palo Alto Prisma events received by the Decoder and verify that capture is working.
To verify the Palo Alto Prisma Events Received at Decoder
- Log in to the NetWitness Platform.
- Go to (Admin) > Services.
- Select the Packet Decoder service and click > View > Stats.
- Under the Key Stats section, check the values of Capture Rate, Max Capture Rate, Total Captured, Total Dropped, and Total Packets for the Decoder service. Total Captured should increase as PCAPs arrive from the bucket; a growing Total Dropped means packets are being discarded before they are processed and should be investigated.
Task 5. Verify Events Meta from Palo Alto Prisma in Investigate View
To verify Palo Alto Prisma events, first aggregate the Decoder service into the Concentrator, then go to the Investigate > Events page to view the Palo Alto Prisma events.
Add the Decoder Service in the Concentrator
- Log in to the NetWitness Platform.
- Go to (Admin) > Services.
- In the Services list, select the Concentrator service.
- Click > View > Config.
  The Services Config View of the Concentrator is displayed.
- Select the Sources tab.
- Click and select Available Services.
  The Available Services dialog is displayed.
- Select the Decoder service and click OK.
  The service authentication dialog box is displayed.
  Note: Services with the Trust Model enabled must be added individually. You are prompted to provide a username and password for the selected service.
- Enter the Username and Password for the service.
- Click OK.
- Click Apply.
Verify from the Investigate > Events View
- Go to Investigate > Events.
- Select the Concentrator service from the Services drop-down list.
- Click to load the Palo Alto Prisma events data.