This topic describes how to deploy the Palo Alto Prisma Integration using NwConsole, for users who do not use Centralized Configuration Management (CCM).
Prerequisites
Before you begin configuring the Palo Alto Prisma Integration, ensure that you have the following details:
-
The NetWitness Platform (Admin Server and Packet Decoder Host) is on version 12.4 or later.
-
The Decoder services are not managed by CCM. If CCM manages a Decoder service, you can disable CCM for that service. For more information, see the topic Enable or Disable CCM for Individual Decoder Services.
-
You must have the Private Key (.pem file), the Bucket Authentication Key (.JSON file), and the GCP bucket name available for configuration:
-
The Private Key (.pem file) is used to decrypt the AES key, which in turn decrypts the PCAPs that Prisma Access writes to the bucket. For more information on managing and using the Private Key, see Palo Alto's Traffic Replication in Prisma Access documentation: https://docs.paloaltonetworks.com/prisma-access/administration/prisma-access-advanced-deployments/mobile-user-globalprotect-advanced-deployments/traffic-mirroring#traffic-mirroring-and-pcap-support-in-prisma-access.
-
The Bucket Authentication Key (.JSON file) is used to authenticate access to a bucket in GCP. Creating a Bucket Authentication Key (.JSON file) is a two-step process:
-
Create a service account in GCP with the Storage Object Viewer role (roles/storage.objectViewer). For more information, see the topic Create service accounts.
-
Create a service account key in GCP. For more information, see Create and delete service account keys. The downloaded .JSON key is a long-lived credential for that service account, so grant the account its role on the PCAP bucket only where possible, and protect the key file like a password.
-
You must perform the following tasks to deploy the Palo Alto Prisma Integration on NetWitness Platform.
Task 1. Map Network Adapter in Decoder for Palo Alto Prisma Integration
You must select the pcap_stream,Pcap File Streamer network adapter and enable the Capture Autostart option, so that the Decoder captures the packets delivered by the plugin and processes the data.
To Map the Network Adapter in Decoder for Palo Alto Prisma Integration
-
Log in to the NetWitness Platform.
-
Go to (Admin) > Services.
-
Select the Packet Decoder service and, from its actions menu, click View > Config.
The Configure view for the Decoder service is displayed with the General tab open.
-
Under the Decoder Configuration section, do the following:
-
Set the Capture Interface Selected to pcap_stream,Pcap File Streamer network adapter.
-
Enable the Capture Autostart option.
-
Click Apply to save the changes.
-
To restart the Decoder service, go to the Services view, select the Decoder service, and, from its actions menu, click Restart.
-
A confirmation dialog is displayed. Click Yes to restart the service.
-
(Optional) Go to the System view of the Decoder service and confirm that the Decoder is capturing data. This confirms that the Decoder started capturing packets after the restart.
Task 2. Deploy the Palo Alto Prisma Integration Plugin on Decoder
You can search for the SASE Integration Plugin resource type in the Live Content view, download the plugin, and deploy it on Decoder services using NwConsole.
Prerequisites
-
Ensure that the Palo Alto Prisma Integration content type is available in the Live Content view.
-
You must have the Private Key (.pem file), Bucket Authentication (.JSON file), and GCP bucket names available for configuration.
Supported Hosts
-
Packet Decoder
-
Packet Hybrid
To deploy the Palo Alto Prisma Integration Plugin on Decoder
-
Log in to the NetWitness Platform.
-
Go to (Configure) > Live Content.
-
Select the SASE Integration Plugin from the Resource Types drop-down list in the Search Criteria panel.
Note: To narrow the results further, you can use the different options available in the Search Criteria panel.
-
Click Search.
The available SASE Integration plugins are displayed.
-
In the Matching Resources panel, select Show Results > Grid.
-
Select the Palo Alto Prisma Integration plugin checkbox and click Package > Create.
The resource bundle gets downloaded to your local system.
-
Extract the resource bundle to view the nw-pa-monitor.zip package.
-
SSH to the Packet Decoder host.
-
Create a directory by running the following command:
mkdir /opt/paloalto
-
Copy the nw-pa-monitor.zip package, the Bucket Authentication Key (.json) file, and the Bucket Private Key (.pem) file to the newly created /opt/paloalto directory. Both key files are credentials that give access to the mirrored traffic, so restrict their permissions (for example, chmod 600) so that other local accounts cannot read them.
-
Start the NwConsole utility with the following command: NwConsole
-
Log in to the Decoder service with the following command. The example passes the password (netwitness) on the command line; replace it with the Decoder's admin password, or omit the password argument so that NwConsole prompts for it and the password is not visible on the command line.
> login localhost:56004:ssl admin netwitness
Successfully logged in to localhost:56004 as session 1561
-
In NwConsole, change to the following directory: cd /decoder/hosted
-
Run the following command to install the plugin:
upload /opt/paloalto/nw-pa-monitor.zip
Note: Confirm that a success message appears when the upload completes.
-
Exit NwConsole (or use a second SSH session on the Packet Decoder host) and change to the plugin directory on the host: cd /etc/netwitness/ng/hosted/paloalto
-
Run the following command to create an instance:
sh configure-pa-instance.sh
-
Enter the values in the following fields:
-
Instance name: Enter the instance name. Only alphanumeric characters are allowed; spaces are not allowed. For example, paloalto.
-
Bucket name: Enter a valid GCP bucket name. For example, panw-tm-dec-632773000-us-east4
Note: Bucket names can only contain lowercase letters, numeric characters, dashes ( - ), underscores ( _ ), and dots ( . ). Spaces are not allowed.
-
Bucket Auth File Location: Specify the path where the Bucket Authentication Key (.json) file is kept. For example, /opt/paloalto/bucket_auth_key.json. The Bucket Authentication Key (.JSON file) is used to authenticate access to a bucket in GCP.
-
Key file (Private Auth File) Location: Specify the path where the Bucket Private Key (.pem) file is kept. For example, /opt/paloalto/bucket_priv_key.pem. The Private Key (.pem file) is used to decrypt the AES key, which is used to decrypt the PCAPs.
-
Type yes to use trusted authentication when the plugin logs in to the Decoder service; if you type no, you must supply Decoder credentials (username and password).
Note: NetWitness recommends trusted authentication for communication with the Decoder service; the option is enabled by default.
-
Type yes to enable the instance.
The instance is now configured and starts. Once the Decoder is receiving the mirrored traffic, you can analyze the events on the Investigate > Events page (see Task 4).
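Before running configure-pa-instance.sh, it is worth checking the four inputs it asks for against the rules stated in the steps above, and confirming that the two credential files are what the plugin expects and are not readable by other accounts on the Decoder host. The following POSIX shell script is an added example written for this page; it is not part of the NetWitness plugin or of Palo Alto's tooling. It applies the instance-name and bucket-name rules given above, checks that the bucket authentication file is a GCP service-account key (type service_account with private_key and client_email fields), checks that the key file carries a PEM private-key block, and rejects files that are group- or world-readable. The script name, the file paths, and the contents of the sample files its demo generates are constructed for illustration and are not real credentials.

```shell
#!/bin/sh
# pa-preflight.sh: added example, not part of the NetWitness plugin.
# Validates the inputs for configure-pa-instance.sh before you run it.
# Usage: sh pa-preflight.sh <instance-name> <bucket-name> <auth.json> <key.pem>
#        sh pa-preflight.sh            (no arguments: demo on constructed files)

# Instance name: alphanumeric characters only, no spaces.
valid_instance_name() {
    case "$1" in
        ''|*[!A-Za-z0-9]*) return 1 ;;
    esac
    return 0
}

# GCP bucket name: lowercase letters, digits, dashes, underscores and dots only.
valid_bucket_name() {
    case "$1" in
        ''|*[!a-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# Credential files must exist, be readable, and have no group/other permission
# bits set (mode 600 or stricter), so other local accounts cannot read them.
private_file() {
    [ -f "$1" ] && [ -r "$1" ] || return 1
    # columns 5-10 of `ls -l` output are the group and other permission bits
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Bucket auth file: a GCP service-account key with the fields a client needs.
valid_sa_key_json() {
    private_file "$1" || return 1
    grep -q '"type"[[:space:]]*:[[:space:]]*"service_account"' "$1" || return 1
    grep -q '"private_key"' "$1" || return 1
    grep -q '"client_email"' "$1"
}

# Key file: a PEM private-key block (PKCS#1 "RSA PRIVATE KEY" or PKCS#8 "PRIVATE KEY").
valid_private_pem() {
    private_file "$1" || return 1
    grep -q -e '-----BEGIN PRIVATE KEY-----' -e '-----BEGIN RSA PRIVATE KEY-----' "$1" || return 1
    grep -q -e '-----END PRIVATE KEY-----' -e '-----END RSA PRIVATE KEY-----' "$1"
}

# Run every check, report each failure on stderr, and return non-zero if any failed.
preflight() {
    status=0
    valid_instance_name "$1" || { echo "instance name '$1': alphanumeric only, no spaces" >&2; status=1; }
    valid_bucket_name "$2"   || { echo "bucket name '$2': lowercase letters, digits, '-', '_' and '.' only" >&2; status=1; }
    valid_sa_key_json "$3"   || { echo "bucket auth file '$3': missing, readable by others, or not a service-account key" >&2; status=1; }
    valid_private_pem "$4"   || { echo "key file '$4': missing, readable by others, or not a PEM private key" >&2; status=1; }
    return $status
}

# Demo on constructed sample files (placeholder contents, not real credentials).
demo() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' '{"type": "service_account", "client_email": "pcap-reader@example.iam.gserviceaccount.com", "private_key": "-----BEGIN PRIVATE KEY-----\nMIIE...\n-----END PRIVATE KEY-----\n"}' > "$dir/bucket_auth_key.json"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'MIIE...' '-----END RSA PRIVATE KEY-----' > "$dir/bucket_priv_key.pem"
    chmod 600 "$dir/bucket_auth_key.json" "$dir/bucket_priv_key.pem"
    preflight paloalto panw-tm-dec-632773000-us-east4 "$dir/bucket_auth_key.json" "$dir/bucket_priv_key.pem"
    result=$?
    rm -rf "$dir"
    return $result
}

case $# in
    4) preflight "$@" && echo "pre-flight checks passed" ;;
    0) demo && echo "demo on constructed sample files passed" ;;
    *) echo "usage: $0 <instance-name> <bucket-name> <auth.json> <key.pem>" >&2 ;;
esac
```

Run it on the Decoder host with the same four values you intend to give configure-pa-instance.sh, for example sh pa-preflight.sh paloalto panw-tm-dec-632773000-us-east4 /opt/paloalto/bucket_auth_key.json /opt/paloalto/bucket_priv_key.pem; an exit status of 0 means every check passed. The content checks are deliberately structural (field names and PEM markers) so the script runs without network access or extra tools; they do not prove the key pair is the one registered with Prisma Access, which only a successful decryption of a mirrored PCAP can show.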
Task 3. Verify Palo Alto Prisma Events Received at Decoder
You can confirm that the Decoder is receiving and capturing Palo Alto Prisma traffic by checking its capture statistics.
To verify the Palo Alto Prisma Events Received at Decoder
-
Log in to the NetWitness Platform.
-
Go to (Admin) > Services.
-
Select the Packet Decoder service and, from its actions menu, click View > Stats.
-
Under the Key Stats section, check that Capture Rate, Max Capture Rate, and Total Captured packets for the Decoder service are non-zero and that Total Captured packets increases over time.
Task 4. Verify Events Meta from Palo Alto Prisma in Investigate View
To verify Palo Alto Prisma events, you must first aggregate the Decoder service into the Concentrator, then go to the Investigate > Events page to view the events.
Add the Decoder Service in the Concentrator
-
Log in to the NetWitness Platform.
-
Go to (Admin) > Services.
-
In the Services list, select the Concentrator service.
-
From the Concentrator's actions menu, click View > Config.
The Services Config View of the Concentrator is displayed.
-
Select the Sources tab.
-
Click the add icon and select Available Services.
The Available Services dialog is displayed.
-
Select the Decoder service and click OK.
The service authentication dialog box is displayed.
Note: Services with the Trust Model enabled must be added individually; you are prompted for a username and password for the selected service.
-
Enter the Username and Password for the service.
-
Click OK.
-
Click Apply.
Verify from the Investigate > Events View
-
Go to Investigate > Events.
-
Select the Concentrator Service from the Services selection drop-down list.
-
Click the search icon to load the Palo Alto Prisma events metadata.