
DEPLOYMENT GUIDE

Infoblox NIOS Integration with Palo Alto Networks Firewall using the Outbound REST API

© July 2019 Infoblox Inc. All Rights Reserved. Infoblox NIOS Integration with PAN Firewall using the Outbound REST API

TABLE OF CONTENTS

Introduction (p. 3)
Prerequisites (p. 3)
Static and Dynamic Address Groups (p. 3)
Known Limitations (p. 3)
Best Practices (p. 3)
Workflow (p. 4)
Infoblox Community Website Templates (p. 4)
Extensible Attributes (p. 4)
Session Variables (p. 5)
Supported Notifications (p. 5)
Palo Alto Firewall Configuration for Static Address Groups (p. 6)
Palo Alto Firewall Configuration for Dynamic Address Groups (p. 9)
Infoblox NIOS Configuration (p. 13)
    Verify Security Ecosystem License is Installed (p. 13)
    Add/Upload Templates (p. 14)
    Modify Templates (p. 14)
    Add a REST API Endpoint (p. 15)
    Add a Notification (p. 16)
    Validate Configuration (p. 18)
Appendix (p. 19)
References (p. 19)


Introduction

The Outbound REST API integration framework from Infoblox provides a mechanism to send updates for both IPAM data (networks, hosts, leases) and DNS threat data to additional ecosystem solutions. Infoblox and the Palo Alto Networks firewall together enable security and incident response teams to leverage the integration of vulnerability scanners and DNS security to enhance visibility, manage assets, ease compliance and automate remediation, improving your security posture while maximizing your ROI in both products.

Prerequisites

The following are prerequisites for Outbound API notifications:

Infoblox:

1. NIOS 8.4 or higher

2. Security Ecosystem License

3. Outbound API integration templates

4. Prerequisites for the templates (e.g. configured and set extensible attributes)

5. Pre-configured required services: DNS, DHCP, RPZ, Threat Analytics

6. NIOS API user with the following permissions (access via API only):

• All Host – RW

• All DHCP Fixed Addresses/Reservations – RW

• All IPv4 Networks – RW

Palo Alto Firewall:

1. Installed and configured Palo Alto firewall

2. User credentials for the Palo Alto firewall (the user requires access to Address and Address Group objects)

Static and Dynamic Address Groups

To simplify the creation of security policies, addresses that require the same security settings can be combined into address groups. An address group can be static or dynamic. Depending on your needs, you may decide that one is better for you (or both). A static address group can include static address objects, dynamic address groups, or both. A dynamic address group populates its members dynamically via tag-based filters.

Known Limitations

The current templates support DNS Firewall (RPZ), Threat Insight (DNS Tunneling), Advanced DNS Protection (ADP), Host IPv4 & IPv6, Fixed Address IPv4 & IPv6 and Lease events. Any additional templates created later will be added to the community site.

Force-rebooting the firewall may cause the IP-to-tag mappings to be lost.

Best Practices

Outbound API templates are available on the Infoblox community site (https://community.infoblox.com). After registering an account, you can subscribe to the relevant groups and forums. For production systems it is highly recommended to set the log level for an endpoint to Info or higher (Warning, Error). Please refer to the NIOS Administration guide for other best practices, limitations and detailed information on how to develop notification templates.


Workflow

Use the following workflow in order to enable, configure and test outbound notifications:

• Install the Security Ecosystem license if not already installed.

• Check that necessary services DHCP, DNS, RPZ, Threat Analytics are configured.

• Create Extensible Attributes.

• Create or download appropriate templates from the Infoblox community website (https://community.infoblox.com): Palo Alto Dynamic Assets, Palo Alto Dynamic Security, Palo Alto Static Assets, Palo Alto Static Security, PaloAlto_login, PaloAlto_logout, and Palo Alto Session.

• Add/upload the notification templates.

• Add a REST API Endpoint.

• Add Notifications.

• Emulate an event, then check the debug log and/or verify changes on the REST API Endpoint.

Infoblox Community Website Templates

The Outbound API notification template is an essential part of the configuration. Templates fully control the integration and the steps required to execute the outbound notifications. Detailed information on how to develop templates can be found in the NIOS Administrator guide. Infoblox does not distribute any templates with the NIOS releases (out-of-box); templates are available on the Infoblox community website. A template may require additional extensible attributes, parameters, or WAPI credentials to be defined; the required configuration should be provided with the template. Apply the changes required by the template before testing a notification.

Extensible Attributes

Name | Description | Type

PaloAlto_Asset_Sync | Serves as a toggle to turn on/off sync for Asset events. | List (true,false)

PaloAlto_Security_Sync | Serves as a toggle to turn on/off sync for Security events. | List (true,false)

PaloAlto_Security_SyncedAt | Update timestamp on a security event. This attribute is created on the specific IP by the WAPI call when not present. | String

PaloAlto_Asset_SyncedAt | Update timestamp on an asset event. This attribute is created on the specific IP by the WAPI call when not present. | String

PaloAlto_Asset_Tag | Dynamic Only. Tag that attaches to an IP in a Dynamic Address Group. | String

PaloAlto_Security_Tag | Dynamic Only. Tag that attaches to an IP in a Dynamic Address Group. | String

PaloAlto_Timeout | Dynamic Only. Starting with PAN-OS 9.0 a tag can contain an optional timeout attribute. The default is 0 (never expires); otherwise a timeout value in seconds for the tag. The maximum timeout is 2592000 (30 days). In older versions of PAN-OS this attribute cannot be accessed and IPs never time out. | Integer

Session Variables

Name | Description

Host_Allow | The static address group object which needs to be populated on the firewall for allowed hosts. This should be the same as the address group object created through the Palo Alto configuration. Set a default value (Iblox_Host_Allow).

Host_Deny | The static address group object which needs to be populated on the firewall for denied hosts. This should be the same as the address group object created through the Palo Alto configuration. Set a default value (Iblox_Host_Deny).

Supported Notifications

A notification can be considered as a link between a template, an endpoint and an event. In the notification properties, you can define the event triggers for the notification, the template to execute, and the external endpoint. The Palo Alto templates support a subset of available notifications (refer to the Limitations section in this guide for more details). In order to simplify the deployment, create required notifications and use the relevant filters. It is highly recommended to configure deduplication for RPZ events and exclude a feed that is automatically populated by Threat Analytics. Supported modification events that occur in real time include editing the PaloAlto_Asset_Tag of an IP. This will remove the old tag from the IP and map the new tag to the IP.
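The tag-change behaviour described above (the old tag is removed from the IP, then the new one mapped) together with the PaloAlto_Asset_Sync toggle and the PaloAlto_Timeout attribute can be modelled in a few lines. The Python below is an added example written for this guide, not Infoblox's template code: the AssetEvent class, plan_asset_sync and the event field names are assumptions made here, while the uid-message format is the one used in the Appendix and the timeout attribute on <member> follows PAN-OS 9.0.

```python
# Added example (not Infoblox's template code): how a Dynamic Address Group
# template could turn a NIOS object-change event into the PAN-OS User-ID XML
# shown in the Appendix, honouring the PaloAlto_Asset_Sync toggle,
# PaloAlto_Asset_Tag and PaloAlto_Timeout extensible attributes.
# AssetEvent and plan_asset_sync are assumptions made for this example.
import ipaddress
from dataclasses import dataclass, field
from typing import Optional
from xml.sax.saxutils import escape

MAX_TIMEOUT = 2592000  # 30 days, the maximum tag timeout the guide quotes


@dataclass
class AssetEvent:
    """Constructed stand-in for an Object Change (Host/Fixed Address) event."""
    ip: str
    operation: str                    # "INSERT", "DELETE" or "MODIFY"
    eas: dict                         # extensible attributes after the change
    old_eas: dict = field(default_factory=dict)  # values before a MODIFY


def tag_member(tag: str, timeout: Optional[int]) -> str:
    """One <member> element; PAN-OS 9.0+ accepts an optional timeout attribute."""
    if timeout is None or timeout == 0:
        return f"<member>{escape(tag)}</member>"  # 0 means the tag never expires
    if not 0 < timeout <= MAX_TIMEOUT:
        raise ValueError(f"PaloAlto_Timeout must be between 0 and {MAX_TIMEOUT} seconds")
    return f'<member timeout="{timeout}">{escape(tag)}</member>'


def build_uid_message(ip: str, register: list, unregister: list,
                      timeout: Optional[int] = None) -> Optional[str]:
    """Assemble the <uid-message> payload. The unregister block comes first so
    that a tag change on one IP removes the old tag before mapping the new one."""
    ip = str(ipaddress.ip_address(ip))  # rejects anything that is not an address
    parts = []
    if unregister:
        members = "".join(f"<member>{escape(t)}</member>" for t in unregister)
        parts.append(f'<unregister><entry ip="{ip}"><tag>{members}</tag></entry></unregister>')
    if register:
        members = "".join(tag_member(t, timeout) for t in register)
        parts.append(f'<register><entry ip="{ip}"><tag>{members}</tag></entry></register>')
    if not parts:
        return None
    return ("<uid-message><version>2.0</version><type>update</type><payload>"
            + "".join(parts) + "</payload></uid-message>")


def plan_asset_sync(event: AssetEvent) -> Optional[str]:
    """Return the payload to send for an asset event, or None when nothing
    should reach the firewall (toggle off, no tag, or unchanged tag)."""
    eas = event.eas
    if str(eas.get("PaloAlto_Asset_Sync", "false")).lower() != "true":
        return None  # sync switched off for this object: never touch the firewall
    raw_timeout = eas.get("PaloAlto_Timeout")
    timeout = int(raw_timeout) if raw_timeout not in (None, "") else None
    new_tag = eas.get("PaloAlto_Asset_Tag") or None
    old_tag = event.old_eas.get("PaloAlto_Asset_Tag") or None
    if event.operation == "INSERT":
        return build_uid_message(event.ip, [new_tag] if new_tag else [], [], timeout)
    if event.operation == "DELETE":
        # the object is gone, so its current tag must be removed from the IP
        return build_uid_message(event.ip, [], [new_tag] if new_tag else [])
    if event.operation == "MODIFY":
        if old_tag == new_tag:
            return None  # something other than the tag changed; nothing to sync
        return build_uid_message(event.ip, [new_tag] if new_tag else [],
                                 [old_tag] if old_tag else [], timeout)
    raise ValueError(f"unknown operation {event.operation!r}")


if __name__ == "__main__":
    # Constructed event: a host's PaloAlto_Asset_Tag is edited from allow to deny.
    ev = AssetEvent("10.0.0.1", "MODIFY",
                    {"PaloAlto_Asset_Sync": "true", "PaloAlto_Asset_Tag": "deny",
                     "PaloAlto_Timeout": "3600"},
                    {"PaloAlto_Asset_Tag": "allow"})
    print(plan_asset_sync(ev))
```

Two checks in this model matter for a production template: the toggle is evaluated before anything is sent, so an object with PaloAlto_Asset_Sync set to false never changes firewall state, and the IP is validated as an address so that a malformed extensible attribute cannot end up inside the XML sent to the firewall.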

Notification | Description

DNS RPZ | DNS queries that are malicious or unwanted

DNS Tunneling | Data exfiltration that occurs on the network

Advanced DNS Protection | DNS queries that are malicious or unwanted

Object Change Fixed Address IPv4 | Added/Deleted fixed/reserved IPv4 objects

Object Change Host Address IPv4 | Added/Deleted Host IPv4 objects

Object Change Fixed Address IPv6 [Dynamic Only] | Added/Deleted fixed/reserved IPv6 objects

Object Change Host Address IPv6 [Dynamic Only] | Added/Deleted Host IPv6 objects

Lease | Lease events

Palo Alto Firewall Configuration for Static Address Groups

A static address group can include address objects that are static, dynamic address groups, or a combination of both address objects and dynamic address groups.

1. Use the Palo Alto credentials created as per the prerequisite section.

2. For a Static Address Group, you will need to create a dummy address to fill it with initially. Navigate to Objects → Addresses. Click Add at the bottom of the screen. Enter a name, set the type to IP Netmask, and enter 10.0.0.0/24 for the IP.

3. Navigate to Objects → Address Groups. Click Add at the bottom of the screen.

4. Give the Address Group a comprehensible name, such as Iblox_Host_Allow. Set the type to Static. Click Add and select the dummy address you just created. Click OK.

5. Repeat with a deny group. Add the dummy IP 10.0.0.0 to the group.


6. Navigate to Policies → Security. We need to create one policy for each of the Address Groups we just created so that PAN knows how to handle inbound IPs. Click Add at the bottom of the screen.

7. Under the General tab, give the policy a comprehensible name. It can be the same name as the Address Group or different.


8. Under the Source tab, check the Any box for the Source Zone.

9. Under the Destination tab, select Any from the dropdown for the Destination Zone. Click on Add for the Destination Address and select the appropriate Address Group created earlier for allowed IPs.


10. Under the Actions tab, select Allow for the Action Setting. It should be the default. Click OK.

11. Repeat for the deny group policy. For this policy, under the Destination tab, set the Destination Address to your deny group Iblox_Host_Deny, and under the Actions tab, set the Action Setting to Deny. All other settings can remain the same as the first policy.

12. Click Commit in the upper right corner of the screen. This will activate your newly created Policies and Address Groups on the running configuration of the firewall.

Palo Alto Firewall Configuration for Dynamic Address Groups

A dynamic address group populates its members dynamically using tag-based filters. Dynamic address groups are very useful if you have an extensive virtual infrastructure where changes in virtual machine location/IP address are frequent. For example, you may have a sophisticated failover setup or provision new virtual machines frequently and would like to apply policy to traffic from or to the new machine without modifying the configuration/rules on the firewall. Create appropriate policies in the firewall to allow or deny IP addresses. A policy requires an existing address group object as part of the policy creation process.

1. Use the Palo Alto credentials created as per the prerequisite section.

2. Navigate to Objects → Address Groups. Click Add at the bottom of the screen.

3. Give the Dynamic Address Group a comprehensible name, such as DynamicAllow. Give it an optional Description. Set the type to Dynamic. To add match criteria, you can either click on Add Match Criteria and select existing Tags to match the group with, or you can type them in manually by putting single quotes around each criterion and separating them with "and" or "or". Use 'allow' for the Match Criteria. Give the group optional Tags by typing them manually or selecting existing ones. Click OK.

4. Repeat with a deny group. Use 'deny' for the Match Criteria.


5. Navigate to Policies → Security. We need to create one policy for each of the Address Groups we just created so that PAN knows how to handle inbound IPs. Click Add at the bottom of the screen.

6. Under the General tab, give the policy a comprehensible name. It can be the same name as the Address Group or different.


7. Under the Source tab, check the Any box for the Source Zone.

8. Under the Destination tab, select Any from the dropdown for the Destination Zone. Click on Add for the Destination Address and select the appropriate Address Group created earlier for allowed IPs.

9. Under the Actions tab, select Allow for the Action Setting. It should be the default. Click OK.


10. Repeat for the deny group policy. For this policy, under the Destination tab, set the Destination Address to your deny group DynamicDeny, and under the Actions tab, set the Action Setting to Deny. All other settings can remain the same as the first policy.

11. Click Commit in the upper right corner of the screen. This will activate your newly created Policies and Address Groups on the running configuration of the firewall.

Infoblox NIOS Configuration

Verify Security Ecosystem License is Installed

The Security Ecosystem license is a Grid Wide license. Grid Wide licenses activate services on all appliances in the same Grid. To check if the license was installed, go to Grid → Licenses → Grid Wide.


Add/Upload Templates

1. In order to upload/add templates, navigate to Grid → Ecosystem → Templates and click on the + or + Add Template buttons.

   a. [Dynamic] In order for all features of the Dynamic Address Groups to work, you need these five templates: Palo Alto Dynamic Assets, Palo Alto Dynamic Security, PaloAlto_login, PaloAlto_logout, and Palo Alto Session.

   b. [Static] In order for all features of the Static Address Groups to work, you will need these templates: Palo Alto Static Assets, Palo Alto Static Security, PaloAlto_login, PaloAlto_logout and Palo Alto Session.

2. In the Add Template window add the PaloAlto_login template.

3. Click the Select button on the Add Template window.

4. Click the Select button on the Upload window. The standard file selection dialog will be opened.

5. Select the file and click the Upload button on the Upload window.

6. Add all other necessary templates depending on your needs for Static, Dynamic, or both groups.

Modify Templates

NIOS provides the ability to modify the templates via the web interface.

1. Navigate to Grid → Ecosystem → Templates, and then click the hamburger icon next to the template you want to modify.

2. Click the Edit button to open the Template window.

3. The template editor is a simple interface for making changes to templates. It is recommended to only use the template editor to make minor changes. You can also edit, cut, and paste template snippets from a text editor of your choice.

Note: You cannot delete a template if it is used by an endpoint or by a notification.


Add a REST API Endpoint

A REST API Endpoint is a remote system which receives changes based on a notification and a configured template. A Grid, for example, can not only send notifications, it can also receive the notifications from itself (e.g. for testing purposes).

1. To add REST API Endpoints, go to Grid → Ecosystem → Outbound Endpoint and click the + or + Add REST API Endpoint buttons.

2. The Add REST API Endpoint Wizard window will open. The URI and Name are the required fields. Enter the complete URI including http or https (e.g. https://172.0.0.10).

3. Specify Auth Username and Auth Password (Palo Alto Firewall credentials), and WAPI Integration Username and WAPI Integration Password (NIOS credentials).

4. Be aware that Test Connection only checks communication with the URI (it establishes a TCP connection with the remote system). It does not check the authentication/authorization credentials.

5. It is recommended to send notifications from a Grid Master Candidate, if one is available, instead of the Grid Master.

6. Under the Session Management tab, set the Log Level to Debug for debugging purposes during initial configuration.


Add a Notification

A notification is a link between a template, an endpoint, and an event. In the notification you define the event which triggers the notification, the template to execute, and the API endpoint to which the Grid will establish a connection. The Palo Alto templates support all available notifications. In order to simplify the deployment, create only the required notifications and use relevant filters. It is highly recommended to configure deduplication for RPZ events and exclude the feed automatically populated by Threat Analytics. Note: when testing notifications using Test Rule, the rules for that notification apply.

An endpoint and a template must be added before you can add a notification.

1. Navigate to Grid àEcosystem à Notification and click + or + Add Notification Rule.

2. Enter a name to identify the notification type and select the target endpoint.


3. Click Next, select an event type, and define the rule. Rules act as a filter: only when they are true will the template execute. You can choose to match all rules or any of multiple rules. Note: For optimal performance, it is best practice to make the rule filter as narrow as possible.

4. Click Next. Select the relevant template. Select Save & Close.


Validate Configuration

You can now emulate an event for which a notification was added. Go to Grid → Ecosystem → Notifications, click on the hamburger icon next to a notification and select Test Rule. You can click in the Test Rule wizard and edit the attributes as needed.

It is possible to view the debug log in two different ways. You can either go to Grid → Ecosystem → Outbound Endpoints or Grid → Ecosystem → Notifications and click on the hamburger icon and select View Debug Log. Depending on the browser, the debug log will be downloaded or opened in a new tab; you may need to check your popup blocker settings.


Appendix

Alternatively, curl commands can be used to create Palo Alto objects. Quote the full URL so that the shell does not interpret the &, < and > characters in the query string. The -k flag disables certificate verification; for production use, install a certificate the client trusts on the firewall and drop -k.

Dynamic Address Groups commands:

1. Command to register a tag to an IP:

curl -k 'https://[firewall]/api/?key=[key]&type=user-id&cmd=<uid-message><version>2.0</version><type>update</type><payload><register><entry ip="[IP-address]"><tag><member>[tag]</member></tag></entry></register></payload></uid-message>'

For example:

curl -k 'https://172.0.0.10/api/?key=xxxxx&type=user-id&cmd=<uid-message><version>2.0</version><type>update</type><payload><register><entry ip="10.0.0.1"><tag><member>allow</member></tag></entry></register></payload></uid-message>'

2. Command to unregister a tag from an IP:

curl -k 'https://[firewall]/api/?key=[key]&type=user-id&cmd=<uid-message><version>2.0</version><type>update</type><payload><unregister><entry ip="[IP-address]"><tag><member>[tag]</member></tag></entry></unregister></payload></uid-message>'

Static Address Groups commands:

1. Command to add an address to the list of addresses:

curl -k "https://[firewall]/api/?key=[key]&type=config&action=set&xpath=/config/shared/address/entry[@name='[address name]']&element=<ip-netmask>[addressIP]/32</ip-netmask>"

For example:

curl -k "https://172.0.0.10/api/?key=xxxxx&type=config&action=set&xpath=/config/shared/address/entry[@name='10.0.0.0']&element=<ip-netmask>10.0.0.0/32</ip-netmask>"

2. Command to add an address to a static address group (the member is the name of the address object created in the previous step):

curl -k "https://[firewall]/api/?key=[key]&type=config&action=set&xpath=/config/shared/address-group/entry[@name='[address group name]']&element=<static><member>[addressIP]</member></static>"

For example:

curl -k "https://172.0.0.10/api/?key=xxxxx&type=config&action=set&xpath=/config/shared/address-group/entry[@name='Iblox_Host_Allow']&element=<static><member>10.0.0.0</member></static>"

3. Commit to the firewall:

curl -k "https://[firewall]/api/?key=[key]&type=commit&cmd=<commit><force></force></commit>"
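The curl commands above pass raw XML in the query string, which only works as long as nothing between the operator and the firewall rewrites those characters. The Python below is an added example, not Infoblox's or Palo Alto Networks' code: it percent-encodes every parameter, builds the same user-id and static-group requests as the commands above, and reads the status attribute of the XML reply instead of trusting the HTTP code. The function names (api_url, user_id_url, static_member_url, parse_response, call, query_params) are chosen here, and the sample replies used in the checks are constructed.

```python
# Added example (not Infoblox's or Palo Alto's code): builds the Appendix's
# PAN-OS XML API requests with percent-encoded parameters and reads the XML
# reply. Function names are assumptions made for this example.
import ssl
import urllib.request
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlsplit
from xml.sax.saxutils import escape


def api_url(firewall: str, params: dict) -> str:
    """https://<firewall>/api/?... with every value percent-encoded, so the
    XML in cmd/element and the quotes in xpath survive any intermediary."""
    return f"https://{firewall}/api/?" + urlencode(params)


def user_id_url(firewall: str, key: str, action: str, ip: str, tag: str) -> str:
    """Dynamic Address Group request; action is 'register' or 'unregister'."""
    if action not in ("register", "unregister"):
        raise ValueError("action must be register or unregister")
    cmd = ("<uid-message><version>2.0</version><type>update</type><payload>"
           f'<{action}><entry ip="{escape(ip)}"><tag><member>{escape(tag)}</member>'
           f"</tag></entry></{action}></payload></uid-message>")
    return api_url(firewall, {"key": key, "type": "user-id", "cmd": cmd})


def static_member_url(firewall: str, key: str, group: str, address: str) -> str:
    """Static Address Group request: add an address object to the group."""
    if "'" in group:
        raise ValueError("group name must not contain a single quote")  # keeps the xpath intact
    return api_url(firewall, {
        "key": key, "type": "config", "action": "set",
        "xpath": f"/config/shared/address-group/entry[@name='{group}']",
        "element": f"<static><member>{escape(address)}</member></static>",
    })


def query_params(url: str) -> dict:
    """Decode the query string back into a dict (one value per key)."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def parse_response(body: str) -> tuple:
    """(ok, message) from a PAN-OS XML reply. The status attribute in the body
    is what decides success; do not rely on the HTTP status code alone."""
    root = ET.fromstring(body)
    ok = root.get("status") == "success"
    lines = [el.text.strip() for el in root.iter()
             if el.tag in ("msg", "line") and el.text and el.text.strip()]
    return ok, " ".join(lines)


def call(url: str, verify_tls: bool = True) -> tuple:
    """Send one request. Keep verify_tls=True in production; the guide's
    curl -k skips certificate checks, which exposes the API key in transit."""
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(url, context=ctx, timeout=10) as resp:
        return parse_response(resp.read().decode())


if __name__ == "__main__":
    # Placeholder key; the real value comes from the firewall's keygen call.
    print(user_id_url("172.0.0.10", "[key]", "register", "10.0.0.1", "allow"))
    print(static_member_url("172.0.0.10", "[key]", "Iblox_Host_Allow", "10.0.0.0"))
```

Because the key travels in the URL, it can end up in proxy and web-server logs; recent PAN-OS releases also accept it in an X-PAN-KEY request header, which keeps it out of URLs. Either way, treat the API key with the same care as the firewall admin credentials it represents.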

References

https://docs.paloaltonetworks.com/content/dam/techdocs/en_US/pdf/pan-os/9-0/pan-os-admin/pan-os-admin.pdf#

http://api-lab.paloaltonetworks.com/registered-ip.html


Infoblox is leading the way to next-level DDI with its Secure Cloud-Managed Network Services. Infoblox brings next-level security, reliability and automation to on-premises, cloud and hybrid networks, setting customers on a path to a single pane of glass for network management. Infoblox is a recognized leader with 50 percent market share comprised of 8,000 customers, including 350 of the Fortune 500.

Corporate Headquarters | 3111 Coronado Dr. | Santa Clara, CA | 95054

+1.408.986.4000 | 1.866.463.6256 (toll-free, U.S. and Canada) | [email protected] | www.infoblox.com

© 2018 Infoblox, Inc. All rights reserved. Infoblox logo, and other marks appearing herein are property of Infoblox, Inc. All other marks are the property of their respective owner(s).