How can I send the Firepower user information received from TS Agent to Palo Alto?

murat001
Level 4

Hi all,

I want to send the Firepower user-IP-mapping information as syslog to Palo Alto, and then we will use the syslog parser to get the usernames in Palo Alto.

How do I send only user traffic or user activity logs as syslog from FMC or the Sensor?

Thanks for the help!

Murat

4 Replies

eruizrub
Cisco Employee

Hi,

You can consult the following guide on how to configure Syslog:

https://www.cisco.com/c/en/us/support/docs/security/firesight-management-center/118464-configure-firesight-00.html

In the Syslog settings, you can choose which facility you want.

Best Regards.

 

Hi,

Thanks for the response.

I explained my question poorly, sorry, my bad. Please let me explain a little bit more.

We are using two firewalls: one is Firepower and the other is Palo Alto. We are getting all user information with the Firepower User Agent, and users are sent smoothly to the FMC.

Our problem is with the TS Agent, so we have problems with users sent over the Terminal Server. You know the Firepower TS Agent works based on source port; that's why we can install only one TS agent on the Terminal Server. That's why we installed only the Firepower TS Agent on the TServer, and we are getting the TS user info via the TS Agent to the FMC. We don't have any problem here. But that's why we couldn't send the TS user info to the Palo Alto: we couldn't install the Palo Alto agent on the TS server.

I have thought we could send the user logs by syslog to the Palo Alto, but I guess we won't manage this, because all TS server ACP logs on Firepower will hit one IP with multiple users.

For example:
Terminal Server IP: 10.10.10.10
User1 and User2 ACL logs.

08-19-2019 23:12:30 Local6.Info 10.10.10.150 2019-08-19T20:11:45Z %FTD-6-430002: AccessControlRuleAction: Allow, SrcIP: 10.10.10.10, DstIP: 172.217.16.131, SrcPort: 15128, DstPort: 80, Protocol: tcp, IngressZone: INSIDE, EgressZone: OUTSIDE, ACPolicy: FTDv, AccessControlRuleName: user-log-test, Prefilter Policy: Default Prefilter Policy, User: user1, InitiatorPackets: 2, ResponderPackets: 1, InitiatorBytes: 128, ResponderBytes: 66, NAPPolicy: Unknown

08-19-2019 23:13:30 Local6.Info 10.10.10.150 2019-08-19T20:11:45Z %FTD-6-430002: AccessControlRuleAction: Allow, SrcIP: 10.10.10.10, DstIP: 172.217.16.131, SrcPort: 15128, DstPort: 80, Protocol: tcp, IngressZone: INSIDE, EgressZone: OUTSIDE, ACPolicy: FTDv, AccessControlRuleName: user-log-test, Prefilter Policy: Default Prefilter Policy, User: user2, InitiatorPackets: 2, ResponderPackets: 1, InitiatorBytes: 128, ResponderBytes: 66, NAPPolicy: Unknown

We can send these logs to the Palo Alto, but when Palo Alto receives the second log it will delete the first log that it parsed.

Even if we use the source port according to the TS Agent port assigned during syslog parsing, I guess we will not be able to do this, because the users are variable and it assigns ports randomly.

Do you have any suggestion about this case?

I hope my question has been descriptive.

Thanks and regards.
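The collision described in the post above, as an added example that is not code from the thread or from either vendor: a small parser for the %FTD-6-430002 lines quoted there, showing how an IP-keyed user map keeps only the last user seen for the terminal server address, and how a receiver could flag such shared hosts instead of trusting the mapping. The field regex, the function names and the "values contain no commas" rule are my own assumptions about the format.

```python
import re
from collections import defaultdict

# Constructed sample, copied from the two events quoted in the thread: same source IP
# (the terminal server, 10.10.10.10) with two different users.
SAMPLE_LOGS = [
    "08-19-2019 23:12:30 Local6.Info 10.10.10.150 2019-08-19T20:11:45Z %FTD-6-430002: "
    "AccessControlRuleAction: Allow, SrcIP: 10.10.10.10, DstIP: 172.217.16.131, SrcPort: 15128, "
    "DstPort: 80, Protocol: tcp, IngressZone: INSIDE, EgressZone: OUTSIDE, ACPolicy: FTDv, "
    "AccessControlRuleName: user-log-test, Prefilter Policy: Default Prefilter Policy, User: user1, "
    "InitiatorPackets: 2, ResponderPackets: 1, InitiatorBytes: 128, ResponderBytes: 66, NAPPolicy: Unknown",
    "08-19-2019 23:13:30 Local6.Info 10.10.10.150 2019-08-19T20:11:45Z %FTD-6-430002: "
    "AccessControlRuleAction: Allow, SrcIP: 10.10.10.10, DstIP: 172.217.16.131, SrcPort: 15128, "
    "DstPort: 80, Protocol: tcp, IngressZone: INSIDE, EgressZone: OUTSIDE, ACPolicy: FTDv, "
    "AccessControlRuleName: user-log-test, Prefilter Policy: Default Prefilter Policy, User: user2, "
    "InitiatorPackets: 2, ResponderPackets: 1, InitiatorBytes: 128, ResponderBytes: 66, NAPPolicy: Unknown",
]

MESSAGE_ID = "%FTD-6-430002:"
# "Key: value" pairs separated by ", "; keys may contain spaces ("Prefilter Policy").
# Assumption: values never contain commas, which holds for the fields shown above.
FIELD_RE = re.compile(r"(?P<key>[A-Za-z ]+): (?P<value>[^,]*)")

def parse_430002(line):
    """Return the key/value fields of a %FTD-6-430002 connection event, or None if absent."""
    idx = line.find(MESSAGE_ID)
    if idx < 0:
        return None
    body = line[idx + len(MESSAGE_ID):]
    return {m.group("key").strip(): m.group("value").strip() for m in FIELD_RE.finditer(body)}

def ip_user_map_last_wins(events):
    """Naive IP-keyed user map, the way a receiving syslog parser would build it:
    every new event for the same IP overwrites the previous user."""
    mapping = {}
    for ev in events:
        if ev and "SrcIP" in ev and "User" in ev:
            mapping[ev["SrcIP"]] = ev["User"]
    return mapping

def shared_hosts(events):
    """Source IPs seen with more than one user (e.g. a terminal server), with their users.
    An IP-only user mapping is unreliable for these addresses and should not be trusted."""
    seen = defaultdict(set)
    for ev in events:
        if ev and "SrcIP" in ev and "User" in ev:
            seen[ev["SrcIP"]].add(ev["User"])
    return {ip: sorted(users) for ip, users in seen.items() if len(users) > 1}
```

Running both functions over the two sample events gives a map of 10.10.10.10 to user2 only (user1 is lost), while shared_hosts reports that address as carrying two users.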

I don't believe this can be done with the TS Agent and FMC as an intermediary.

I had heard PANW was able to integrate user information from ISE syslog entries, but the article is silent on how that works (or doesn't) in a TS environment:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm5sCAC

If you use ISE, that might be an option.

Thanks for your idea, Marvin.

Yes, we are currently using ISE.

Regarding your suggestion, I think the same scenario will apply. Each log parsed by PAN will be overwritten when a new one arrives, because one IP (the TServer IP) and multiple user logs will be sent by ISE.

And by the way, we couldn't use pxGrid integration between ISE and FMC. The reason for this is a similar parsing problem: we used EAP-FAST as the dot1x auth method. You know, it works with machine + user auth, and ISE is sending the username information as user+machine to the FMC. That's why FMC cannot parse this user info, couldn't write it to the connection event and couldn't send it to the sensor correctly. Instead of pxGrid we used the Firepower User Agent and TS Agent because of all of these problems.

For example:

The user activity log on FMC when EAP-FAST is used; this user info appears as unknown in Connection > Events.

There is a bug that hits this situation: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvd73842

[attachment: user + machine.jpg]

Thanks again

Regards
