
require the data source configuration guide

Hi Team,

We are in the process of integrating the Palo Alto Next Generation Firewall and Websense DLP with our McAfee Nitro ESM, so we require the data source configuration guide to integrate these data sources. We want to know the steps and changes we will need to make at the data source end (Palo Alto and Websense DLP). Device information is given below:

Device name: Palo Alto

Model number: PA 3050

IOS / OS Version: 6.1.x

Device name: Websense DLP

Model number: Websense DLP VM Based

IOS / OS Version: 8.1

3 Replies

Re: require the data source configuration guide

To add Palo Alto to the McAfee SIEM:

Configure Palo Alto Syslog Server Setup

Select the Device tab and add the Syslog server profile

Add the profile to log settings for informational level

Apply log forwarding to utilize new profile

Enable the Security policy to forward logs using the new Syslog profile

Receiver Configuration

After selecting the Receiver, select the Add Data Source icon.

Data Source Vendor – Palo Alto

Data Source Model – Palo Alto firewall ASP

Data Format – Default.

Data Retrieval – Default.

Detailed steps

Enable syslog

Under the device tab, click log settings > system

Click edit

Select the following

syslog: under each severity level, enable syslog

Define the syslog server

Under the device tab, click log destinations > syslog to open the syslog settings.

Click new

Add name (case sensitive and unique)

Server - IP address of the syslog server (SIEM receiver)

Port - default is 514

Facility - choose a level from the drop down list

Click ok and activate

Enable send traffic log at session end:

Under policies, click security to open security rules

Select a zone from source or destination zone and click filter by zone

Ensure send traffic log at session end is enabled.

Ensure send traffic log at session start is set to deny

Select the log forwarding profile from the drop down menu.

Profile should contain IP of the receiver.

Websense can do a SQL pull - You will need the database name, IP, and port (usually 1433)

Note:

Problem

Your McAfee SIEM user account's database permissions are not sufficient to query all instances of a Websense database. In this scenario, the Receiver is unable to collect data from all instances of the database. For example, you have a Websense database called wslogdb70. As it grows the database will create instances of the database name, such as wslogdb70_1, wslogdb70_2, and so on, where it stores the current data.

While the DB user account might have permissions to successfully query the primary database, it might not have permissions to query the additional instances.

Solution

In the preceding example, the user account being utilized by the McAfee SIEM Receiver will require sysadmin rights to wslogdb70.

This inherently gives the user rights to all instances of that database that are created, eliminating the chance that the Receiver stops collecting data when a new instance is created.
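
The permission gap described in the Problem/Solution note above can be checked directly on the SQL Server. The query below is an added example, not part of the original reply or of McAfee's documentation. It assumes the database names from the post (wslogdb70 and its wslogdb70_N instances), a session logged in as the account the Receiver uses, and that this login can list all databases in sys.databases (the SQL Server default).

```sql
-- Added example: list the Websense log database and its instances and show
-- which ones the current login (the Receiver's account) can open.
-- Database names are taken from the post; adjust them to your installation.
WITH websense_dbs AS (
    SELECT
        d.name,
        d.create_date,
        d.state_desc,
        HAS_DBACCESS(d.name) AS can_open   -- 1 = yes, 0 = no access or database unavailable
    FROM sys.databases AS d
    WHERE d.name = N'wslogdb70'
       OR d.name LIKE N'wslogdb70[_]%'     -- [_] matches a literal underscore
)
SELECT
    name,
    create_date,
    state_desc,
    can_open,
    CASE
        WHEN can_open = 1            THEN 'ok'
        WHEN state_desc <> 'ONLINE'  THEN 'database not online'
        ELSE 'login has no access: Receiver will miss this data'
    END AS finding,
    IS_SRVROLEMEMBER('sysadmin') AS login_is_sysadmin   -- 1 if the current login is in the sysadmin role
FROM websense_dbs
ORDER BY create_date DESC;                 -- newest instance first
```

HAS_DBACCESS only reports whether the login can open each database; it does not test read permissions on the tables inside it.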


Re: require the data source configuration guide

Means we need to add the log forwarding profile in all the Palo Alto security policy rules?


Re: require the data source configuration guide

Please be informed that the Palo Alto Next Generation firewall is already supported by McAfee as a data source, so it is easy to find the data source guide on the McAfee website. Regarding Websense DLP, it is not supported, and you can add it as a generic data source. Please use this doc to parse the logs correctly.


Check this document to know more how to parse correctly:

https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/24000/PD24926/en_US...

 
