08-19-2019 09:56 AM - edited 08-19-2019 02:42 PM
hi all
i want to send the firepower user-ip-mapping informations as syslog to Palo Alto, and then we will use the syslog parser to get usernames in Palo Alto.
how i send only user traffic or user activity logs as syslog on FMC or Sensor ?
Thanks for helps !
Murat
08-19-2019 12:29 PM
Hi,
You can consult the following guide on how to configure Syslog
On Syslog settings, you can choose what facility you want.
Bets Regards.
08-19-2019 01:33 PM - edited 08-19-2019 02:43 PM
hi
thanks for response
i explaned missing my question sorry. my bad. please let me explain little bit more .
we are using 2 firewall . one of is firepower and another one of is palo alto. we are getting all user information with Firepower User agent and users sending smoothly to FMC.
our problem is with TS agent so we have problems with users sending over Terminal Server . You know the firepower ts agent works source port based. thats why we can install only one TS agent on Terminal Server . thats why we installed only The Firepower TS Agent on TServer. and we are taking the TS user infos via TS agent to the FMC. We dont have any problem here. but thats why we couldnt send the TS user infos to the Palo Alto because of couldnt install Palo Alto agent on TS server.
i have thought we can send the user logs by syslog to the palo alto but i guess we wont make this because all TS server ACP logs on Firepower will hit the one IP and multiple users.
for example ;
Terminal Server IP : 10.10.10.10
User1 and User2 ACL logs.
08-19-2019 23:12:30 Local6.Info 10.10.10.150 2019-08-19T20:11:45Z %FTD-6-430002: AccessControlRuleAction: Allow, SrcIP: 10.10.10.10, DstIP: 172.217.16.131, SrcPort: 15128, DstPort: 80, Protocol: tcp, IngressZone: INSIDE, EgressZone: OUTSIDE, ACPolicy: FTDv, AccessControlRuleName: user-log-test, Prefilter Policy: Default Prefilter Policy, User: user1, InitiatorPackets: 2, ResponderPackets: 1, InitiatorBytes: 128, ResponderBytes: 66, NAPPolicy: Unknown
08-19-2019 23:13:30 Local6.Info 10.10.10.150 2019-08-19T20:11:45Z %FTD-6-430002: AccessControlRuleAction: Allow, SrcIP: 10.10.10.10, DstIP: 172.217.16.131, SrcPort: 15128, DstPort: 80, Protocol: tcp, IngressZone: INSIDE, EgressZone: OUTSIDE, ACPolicy: FTDv, AccessControlRuleName: user-log-test, Prefilter Policy: Default Prefilter Policy, User: user2, InitiatorPackets: 2, ResponderPackets: 1, InitiatorBytes: 128, ResponderBytes: 66, NAPPolicy: Unknown
We can send these logs to the Palo Alto but when Palo Alto received second log it will deleted first log that it parsed
Even if we use the source port according to the TS agent port assigned during syslog parsing, I guess we will not be able to do this because the users are variable and it assigned port random.
do you have any suggestion about this case ?
I hope my question has been descriptive.
Thanks Regards.
08-19-2019 10:04 PM
I don't believe this can be done with the TS Agent and FMC as an intermediary.
I had heard PANW was able to integrate user information from ISE syslog entires but the article is silent on how that works (or doesn't) in a TS environment:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm5sCAC
If you use ISE that might be an option.
08-19-2019 11:53 PM
Thanks for your idea Marvin
Yes we are currently using ISE .
Regarding your suggestion, I think the same scenario will apply. Each log parsed by PAN will overwrite when a new one arrives. because , one ip (TServer IP) and multiple user log will be sending by ISE
and by the way, we couldn't use PxGrid integration between ISE and FMC. The reason of this it is similar parsing problem; because we used EAP-FAST as dot1x Auth method . You know , It works machine + user auth. and ISE is sending username information as user+machine to the FMC . and That's why FMC can not parse this user info and couldn't write to connection event and couldn't send to sensor as correctly. Instead of pxgrid we used firepower user and ts agent because of all of these problems.
for example;
the user activity log on FMC when used EAP-FAST; this user info seems as unknown in the connection > events .
There is a bug that hits this stuation >. https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvd73842
Thanks again
Regards
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: