Skip to content

mikealanni/paloalto-elasticstack-viz

 
 

Repository files navigation

Palo Alto Networks Firewall Visualization using Elastic Stack

Dashboards

The projects includes nine dashboards, that have been pre-built from the included visualisations.

Overview Dashboard Threat Dashboard Traffic Dashboard
Dashboard - Overview Dashboard - Threats Dashboard - Traffic

In addition to the above, there are dashboards for;

  • Applications
  • Threat Highlights
  • URL Filtering
  • Blocked URLs
  • System Logs & Events
  • Config Overview

By default, the dashboards are configured for the dark theme. Once installed, you can change them to the light theme, add/delete/rearrange individual visualisations or create your own dashboards The dashboards can also be configured to run full-screen and auto-refresh, perfect for office screenboards

Background

This project aims to provide a simple way to extract and visualise syslog data from Palo Alto Networks firewalls. It utilises the free Elastic Stack from www.elastic.co as the base platform data & viz platform, and provides a pipeline configuration and index templates for the following logs;

  • Traffic
  • Threat/URL
  • Config
  • System

A full suite of visualisations and dashboards is included

Elastic Stack

(from the site): What is ELK? "ELK" is the acronym for three open source projects: Elasticsearch, Logstash, and Kibana. Elasticsearch is a search and analytics engine. Logstash is a server-side data processing pipeline that ingests data from multiple sources simultaneously, transforms it, and then sends it to a "stash" like Elasticsearch. Kibana lets users visualize data with charts and graphs in Elasticsearch.

In short, the Elastic Stack provides a simple, scalable & robust platform ingesting syslog entries from a PANW Firewall and displaying the output. The required configuration for LogStash & ElasticSearch is provided here, along with a number of pre-built visualisations for Kibana. You can build your own, additional visualisations using the Kibana interface quite easily. All of the base visualisatons in this project were built in a single day.

Elastic Stack also includes a built-in syslog server, which greatly simplifies the deployment of the solution as a whole. Using only the Elastic Stack pipeline configuration file, we have everything required for an all-in-one solution

Credit

Much of this project was created based on the following pages from awesome people, who should be given much applause;

Tutorial

This project was built on Ubuntu 16.04 LTS, using the latest Elastic Stack 6.1 (with integrated syslog server) and a PA-220 Firewall. nginx was used to secure authentication to Kibana via reverse-proxy

For those unfamilar with any part of this technology stack, I have created a full tutorial on installing & configuring Elastic Stack, including security the platform & installing the visualisations. 📘 The tutorial is available here

Existing Install

Otherwise, if you're comfortable with the technology stack mentioned above, then all you need to do is;

  • Download the files from this repo

    • PAN-OS.conf
    • traffic_template_mapping-v1.json
    • threat_template_mapping-v1.json
    • searches-base.json
    • visualisations-base.json
    • dashboards-base.json
  • Install Elastic Stack 6.1

    • ElasticSearch
    • Kibana
    • LogStash
  • Edit 'PAN-OS.conf'

    • Set your timezone correctly (Very important)
    • Copy the file into your conf directory. For Ubuntu/Debian this is "/etc/logstash/conf.d/", other directories are available here
  • Upload the two pre-built index templates with additional GeoIP fields

curl -XPUT http://<your-elasticsearch-server>:9200/_template/panos-traffic?pretty -H 'Content-Type: application/json' -d @traffic_template_mapping-v1.json
curl -XPUT http://<your-elasticsearch-server>:9200/_template/panos-threat?pretty -H 'Content-Type: application/json' -d @threat_template_mapping-v1.json
  • Restart Elastic Search & LogStash

  • Configure your PANW Firewall(s) to send syslog messages to your Elastic Stack server

    • UDP 5514
    • Format BSD
    • Facility LOG_USER
  • Ensure that your firewall generates at least one traffic, threat, system & config syslog entry each

    • You may have to trigger a threat log entry. Follow this guide from Palo Alto for instructions
    • After committing to set your syslog server, you will need to do another committ (any change) to actually send a config log message
  • Once the data is rolling, login to Kibana and create the 4 new index patterns, all with a Time Filter field of '@timestamp'

    • panos-traffic
    • panos-threat
    • panos-system
    • panos-config
  • And lastly, import the saved object files (in this orders)

    • searches-base.json
    • visualisations-base.json
    • dashboards-base.json

And that's it! Once you have some logs in the system, you should see the dashboards start to fill up

References

About

PANW Firewall Visualisations using Elastic Stack

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published