Working with Palo Alto and FortiGate App for Splunk

Video Statistics and Information

Captions
Hello everyone. This is a new video on creating logs inside Splunk and how to connect the FortiGate and Palo Alto to Splunk. Basically I have three devices here: one of them is Palo Alto, the other one is FortiGate, and the last one is Splunk. My goal is to send logs from FortiGate and Palo Alto to Splunk and work with the FortiGate app and the Palo Alto app inside Splunk.

So I do a basic configuration, because I need to send logs. I'll go inside the FortiGate; I'll start with the FortiGate. I go under Log & Report > Log Settings and send the syslog. So my syslog server is this IP address, 37, sorry, 37, and I'm going to send all logs, all features of traffic logs and event logs, and then you should click on Apply. So yeah, this is for FortiGate. If you have a policy inside your security policy, you can also set that one, but it's easy: you just go under Security Policy and inside "Log the session" you can select your session and send traffic. This one was for FortiGate.

So you come back to your Splunk and "Find More Apps". You'll search for "FortiGate" and then install these two apps. I'll make my window page smaller. So this one, the Fortinet FortiGate App for Splunk, it is this one, with your username and password, and then you will install this one, the Fortinet FortiGate Add-on for Splunk. So I'll do the same thing for this one, and yeah, done. After you have done that you have this app here. So you go under Settings > Data Inputs. You can create an index, but the easiest way is just to go under UDP and create a new local UDP. You know that FortiGate sends the syslog through port 514, so 514 UDP; you select that one, and because you have already added the app you can select it from here, the "log" one, yeah, this one, and the app is going to be the Fortinet FortiGate App for Splunk, this one. Because we have selected the default index, you can leave the other items as the default, and then submit it and start searching.

Because I'm using an index... anyway, we go on the Fortinet FortiGate app. Let's check from here to see whether it connects to our... yeah, look, it connects to our session, virtual domain and device. It's trying to see HTTPS traffic, web management traffic and other stuff. I can also go to other things that we have here: Event Dashboard and System Dashboard. So this way, when you set it as a data input, this app works properly. Yeah, this one is for FortiGate.

So you can do this one for Palo Alto. I'll just connect to my Palo Alto, and you need to set up syslog in Palo Alto. I configured this one, "splunk"; my server is, it's long, and then you can... one four two two three two, enter, two three two one nine seven thirty seven, UDP. I use another port, like 5514, so I can send the syslog through this port. And logs: under Log Settings you can go and try to configure this item. So I call it "splunk", I want to send all logs, and you assign only the profile that you have created in the previous step, the "splunk" syslog profile. For this one also you can send the configuration log, so this log, and you assign it; yeah, I will call this one "splunk". Don't forget, inside the Palo Alto you should commit your configuration, so I will commit my configuration. In the meantime I come back to my Splunk and I will add these apps again: Palo Alto. I search "palo alto"; I have two apps here, one of them is the add-on app. So I will add the first one, this one. I enter my username; it's going to install this app, and it'll need a restart, so I'll restart my Splunk. Let's see, this one completed, so I just wait until Splunk Enterprise restarts; it will prompt me. There you go, so I can log in again. Then I will install the next one, so logging in, and now you have both apps. So you can go under Settings; just a few seconds to download and install. Yeah, done.

So you go under Data Inputs. The easiest way is through the data input; you can create a default index for each of them. Let's do this one with an index, because I want you to learn how you can create it with an index. So you can go here and enter this one, the "palo alto" index, and you can assign like 10 gig, because this one uses the maximum size of your Splunk for indexing, so 10 gig is enough. After you create this one you can go to Data Inputs > UDP and create a new UDP. This time my UDP port is 5514, which I created inside the Palo Alto, and the same thing: because you have added the Palo Alto PAN add-on, there are some options here, "pan logs"; it will give you the logs of this Palo Alto. You can also select the Palo Alto Splunk app, and because we created the index you can select this one. Next, and next, and start searching.

So basically you should have some logs. Let's see whether we have a log or not. To generate some logs again, I can log out from Palo Alto and log in again, so it'll generate some logs. Yeah, it'll generate some logs; you can see that admin is connected. Then you can go under the Palo Alto app, and yeah, I skipped the tour. Something that you should know here: for example, Threat needs some traffic, but under this Palo Alto there isn't any traffic, so I don't have any policy. The only thing you can check is the real-time event feed, and this one should work because this is real-time events from the Palo Alto device. Let's see what the result is: "Waiting for data". Let's wait for a second to see; that shouldn't be... okay, so there is an issue here. So I correct my data input, because it seems that this app is set for the default index and you cannot use your own index. You go under your data input, More Settings, and instead of "palo alto" select the default index. Then if you come back to your app you should receive some logs. You go under Real-time Events. So the issue was, I guess, the index. Now I am receiving. To test more, you can enter a wrong password here; like, I am entering a wrong password to see how Palo Alto reacts. So if you come back to your app, you can see that okay, we have 21 events, and you can go through each of them and click on each of them to see what the event is. I can also search based on the panel this time, so you can see 11... 3 events happen here, 3 events happen here. I can also log in; yeah, then this way these apps work. That's something that you can, if you generate some traffic, then you should be able to see and work with other things like Web Activity, or if you have a VPN you can have GlobalProtect, Network Security and other stuff. I hope this has been informative, and thank you for watching.
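As an added illustration (not from the video or from either vendor), here is what the two UDP data inputs clicked through above look like as a Splunk inputs.conf fragment, including the index choice that made the Palo Alto app's Real-time Events dashboard go empty. The sourcetype names fgt_log and pan:log are assumed from the respective add-ons and should be checked against their documentation.

```ini
# Splunk inputs.conf equivalent of the two UDP data inputs created in the video.
# Added illustration; sourcetype names are assumptions, verify against each add-on.
# Goes in $SPLUNK_HOME/etc/apps/<your_app>/local/inputs.conf, then restart Splunk.

# FortiGate: syslog to UDP 514 (the port the video selects).
# The Fortinet add-on picks the raw events up under this sourcetype.
[udp://514]
sourcetype = fgt_log
connection_host = ip
# No "index" key: events land in the default index, as selected in the video.

# Palo Alto: syslog server profile "splunk" pointed at UDP 5514.
[udp://5514]
sourcetype = pan:log
connection_host = ip
# index = palo_alto
# The line above is the custom 10 GB index created in the video; with it set,
# the Palo Alto app's Real-time Events dashboard stayed at "Waiting for data".
# Leaving "index" unset (default index) is the change that made events appear.
```

If you do want a dedicated index, confirm in the app's settings or search macros which index its dashboards query before pointing the input at it.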
Info
Channel: Hamidreza Talebi
Views: 704
Keywords: palo alto, splunk, SIEM, fortigate, palo alto app for splunk, fortigate app for splunk
Id: zMfMF-b0tkY
Length: 13min 44sec (824 seconds)
Published: Sun Nov 29 2020