Integration Guide for Isolating Threat Nodes Detected by Paloalto PAN-OS

This guide provides information on the integration between Genian NAC and Palo Alto PAN-OS products for node isolation based on threat node detection.

Overview

This document describes the installation and configuration steps for integrating Palo Alto PAN-OS, a Next Generation Firewall (NGFW), with Genian NAC, a network access control system.

The integration using tags allows Genian NAC to preemptively block threat nodes detected by PAN-OS before they access the network, thereby minimizing risk. Genian NAC can also provide remediation tools and user-facing isolation guidance by applying tags.

Integration Purpose

The integration between Genian NAC and PAN-OS offers the following advantages:

Minimize the Spread of Threats via Node-Level Network Blocking

  • Genian NAC’s blocking sensors are installed at the same network level as user nodes.
  • Since the blocking action occurs at the same point in the network where the threat exists, the spread is minimized and the node is isolated.

Risk-Based Isolation, Remediation, and Notification Policies

  • Genian NAC installs agents on user devices to collect node information.

  • When PAN-OS detects a threat, Genian NAC receives the information and, based on the severity, may:

    • Isolate the node from the network
    • Disable specific services
    • Remove certain applications
    • Display isolation reasons and remediation steps to the user attempting access

    (e.g. create tags as high, medium, low based on severity)

[Figure: Access Control Integration Process]

  1. Threat node detection: PAN-OS
  2. IP information transmission (syslog): PAN-OS
  3. Extract syslog for malicious node: Genian NAC Policy Server
  4. Filter based on risk severity and category: Genian NAC Policy Server
  5. Apply tag: Genian NAC Policy Server
  6. Control node based on tag: Genian NAC Sensor

Pre-requisites

Networking Prerequisites

  • Ensure syslog communication between Genian NAC Policy Center and Palo Alto PAN-OS.
    Method    TCP                    UDP
    Syslog    TLS (6514): TLSv1.2    UDP (514)
  • Genian NAC port info can be found in: System > Service Management > Connection Ports
  • (PAN-OS supports only TLS v1.2 for SSL connections)

PAN-OS Configuration for Integration

The following configuration instructions are specific to integration with Genian NAC.

Step 1: Create a Syslog Server Profile

Navigate to: Device > Server Profiles > Syslog and click Add

(If there are multiple PAN-OS devices, select the appropriate Location)

Values to enter in the Syslog Server Profile dialog:

Field           Value                               Notes
Name            Genian_NAC_Tag                      Use a unique name not already assigned to a tag
Syslog Server   IP address or domain (FQDN)         Enter the Genian NAC policy server IP
Transport       Choose from TCP, UDP, SSL           Only TLSv1.2 is supported for SSL
Port            Specify communication port          TLS/TCP: 6514, UDP: 514
Format          Choose BSD, IETF, IETF(SSL,TLS)     Default is BSD

Step 2: Configure Syslog Forwarding for Traffic, Threat, and WildFire Logs

This configuration forwards traffic logs, threat logs, and WildFire logs to Genian NAC so that it can respond automatically to the threats they report.

(You may use an existing Log Forwarding Profile or create a new one)

Navigate to: Objects > Log Forwarding, then in the Log Forwarding Profile window:

  1. Define a profile name
  2. For each log type, set log type, severity level, and Syslog Server Profile (select Genian_NAC_Tag)

Genian NAC Configuration for Integration

Syslog Integration for PAN-OS

When PAN-OS sends threat node information via syslog to Genian NAC, perform the following configuration in NAC.

Step 1: Configure syslog server to receive PAN-OS logs

Navigate to: Settings > System Settings > Audit Log

Click Add under Syslog Audit Log and enter the following:

Field          Value                 Notes
Filter Name    PANOS_critical
Filter Type    host                  Choose one from: Program, Host, Match, netmask
Filter Value   xxx.xxx.xxx.xxx       IP of the PAN-OS device
IP Key         src=                  Node's IP
MAC Key        (Leave blank)
User Key       (Leave blank)
Charset        Unicode (UTF-8)

Click Add after entering the values.

Step 2: Add Tags for Control

Genian NAC offers a flexible tag mechanism that is useful for integration with external systems. For the PAN-OS integration, three tags were created and applied so that control policies can be enforced according to the risk level reported in the PAN-OS log. (PAN-OS provides the severity levels Critical, High, Medium, Low, and Informational; only the three highest-risk levels are covered here.)

Navigate to: Settings > Property Management > Tag Management, then click Actions > Create to define the tags.

Step 3: Create Log Filter and Apply Tags to Threat Nodes

Genian NAC supports customizable log filters that convert filtered data into actionable policies.

As an example, this guide creates a filter that searches PAN-OS log descriptions containing 'Severity:critical' + 'category:malicious', and then applies a tag to the nodes of the logs matched by this filter.

To create a log filter:

  1. Navigate to Audit > Logs
  2. Click Add Filters to open the filter setup
  3. In the description field, enter: 'Severity:critical' + 'category:malicious'
  4. Click Save to save the filter
  5. Check the results to ensure unwanted logs are excluded

To assign tags based on risk:

In the filter footer, set tag as NONE > Assign and configure as follows:

Field           Value            Notes
Search Target   Node
Assign To       Node
Tag to Add      PANOS-Critical   Refer to Threat Log Fields below

This ensures that tags are assigned to nodes based on severity and category from PAN-OS logs.

Reference: See the PAN-OS Threat Log Fields documentation for the fields available for log filtering.
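As an added example (not Genian NAC or Palo Alto code), the following Python models the filter-and-tag logic of Steps 1 and 3: it extracts the node IP with the configured 'src=' IP key, keeps only lines whose description carries category:malicious, and maps the severity to a tag. It generalizes the page's critical-only filter to the three severities named in Step 2; the sample log lines, their key:value layout, and the PANOS-High and PANOS-Medium tag names are constructed assumptions, only PANOS-Critical comes from the guide.

```python
import re
from typing import Optional

# Constructed sample syslog lines in a key=value layout. They are NOT real
# PAN-OS output; they only mimic the fields the guide filters on
# (Severity, category) and the "src=" IP key configured in Genian NAC.
SAMPLE_LOGS = [
    "<14>Jan 10 12:00:01 pan-fw1 THREAT: src=10.1.20.15 dst=203.0.113.9 "
    "Severity:critical category:malicious threat=WildFire-virus",
    "<14>Jan 10 12:00:02 pan-fw1 THREAT: src=10.1.20.16 dst=203.0.113.9 "
    "Severity:high category:malicious threat=vulnerability",
    "<14>Jan 10 12:00:03 pan-fw1 THREAT: src=10.1.20.17 dst=198.51.100.4 "
    "Severity:critical category:benign threat=url-filtering",
    "<14>Jan 10 12:00:04 pan-fw1 TRAFFIC: src=10.1.20.18 dst=198.51.100.4 "
    "Severity:informational category:unknown",
]

# Tag names: PANOS-Critical is from the guide; the other two are assumed.
SEVERITY_TAGS = {
    "critical": "PANOS-Critical",
    "high": "PANOS-High",      # assumed name
    "medium": "PANOS-Medium",  # assumed name
}

IP_KEY = "src="   # the "IP Key" value configured in the audit log filter

def extract_ip(line: str, ip_key: str = IP_KEY) -> Optional[str]:
    """Return the node IP that follows the configured IP key, or None."""
    m = re.search(re.escape(ip_key) + r"(\d{1,3}(?:\.\d{1,3}){3})", line)
    return m.group(1) if m else None

def parse_fields(line: str) -> dict:
    """Collect the key:value pairs the guide's filter uses (case-folded)."""
    return {k.lower(): v.lower() for k, v in re.findall(r"(\w+):(\w+)", line)}

def tag_for(line: str) -> Optional[str]:
    """Apply the rule: category must be malicious, severity must be mapped."""
    f = parse_fields(line)
    if f.get("category") != "malicious":
        return None
    return SEVERITY_TAGS.get(f.get("severity", ""))

def assign_tags(lines) -> dict:
    """Map node IP -> tag for every line that passes the filter."""
    result = {}
    for line in lines:
        tag, ip = tag_for(line), extract_ip(line)
        if tag and ip:
            result[ip] = tag
    return result
```

Lines with a benign category or an informational severity produce no tag, which mirrors the guide's intent that only the higher-risk malicious detections drive node control.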

Step 4: Create a Control Policy

Genian NAC applies policies in groups. You must first group the tagged nodes.

To create a node group with a tag:

Navigate to: Policy > Group > Node and click Actions > Create

In the configuration section, fill out the basic details, then in the Group Conditions section, configure as follows:

Field               Value            Notes
Logical Operation   OR               Choose AND or OR
Field               Tag
Condition           Exists
Value               PANOS-critical

Click Create

To create a control policy with the tag:

Navigate to: Policy > Control Policy and click Actions > Create

Use the wizard to create the policy. During node group assignment, select PAN-OS critical.

After completing policy creation, click Apply Policy Changes (top-right) to finalize the integration.