3 Replies Latest reply on May 3, 2016 9:07 AM by yassinezeroual

    require the data source configuration guide

    syadav30

      Hi Team,

       

      We are in process to integrate the Palo Alto Next generation firewall and Websense DLP with our Mcafee Nitro ESM hence we require the data source configuration guide to integrate this data source, we want to know the steps and changes which we will do at data source end (Palo alto & Websense DLP), device information has been given below:

       

      Device name: Palo Alto

      Model number: PA 3050

      IOS / OS Version: 6.1.x

       

      Device name: Websense DLP

      Model number: Websense DLP VM Based

      IOS / OS Version: 8.1

        • 1. Re: require the data source configuration guide
          rgarrett

          To add Palo Alto to the McAfee SIEM:

           

          Configure Palo Alto Syslog Server Setup

            Select the Device tab and add the Syslog server profile

          Add the profile to log settings for informational level

            Apply log forwarding to utilize new profile Enable the Security policy to forward logs using the new Syslog profile



          Receiver Configuration

          After selecting the Receiver, select the Add Data Source icon.

          Data Source Vendor – Palo Alto

          Data Source Model – Palo Alto firewall ASP

          Data Format – Default.

          Data Retrieval – Default.

           

          Detailed steps

           

          Enable syslog

           

          Under the device tab, click log settings > system

          Click edit

          Select the following

          syslog: under each severity level, enable syslog

          Define the syslog server

          Under the device tab, click log destinations > syslog to open the syslog settings.

          Click new

          Add name (case sensitive and unique)

          server - ip address of the syslog server (SIEM receiver)

          port -default is 514

          Facility - choose a level from the drop down list

          Click ok and activate

           

          Enable send traffic log at session end:

          under policies, click security  to open security rules

          Select a zone from source or destination zone and click filter by zone

          ensure send traffic log at session end is enabled .

          ensure send traffic log at session start is set to deny

          Select the log forwarding profile from the drop down menu.

          Profile should contain IP of the receiver.

           

          Websense can do  a SQL pull - You will need the database name, IP, and port ( usually 1433)

          Note:

          Problem

          Your McAfee SIEM user account's database permissions are not sufficient to query all instances of a Websense database. In this scenario, the Receiver is unable to collect data from all instances of the database. For example, you have a Websense database called wslogdb70. As it grows the database will create instances of the database name, such as wslogdb70_1, wslogdb70_2, and so on, where it stores the current data.

          While the DB user account might have permissions to successfully query the primary database, it might not have permissions to query the additional instances.

          Solution

          In the preceding example, the user account being utilized by the McAfee SIEM Receiver will require sysadmin rights to wslogdb70.

          This inherently gives the user rights to all instances of that database that are created, eliminating the chance that the Receiver stops collecting data when a new instance is created.

          • 2. Re: require the data source configuration guide
            kmc

            Means we need to add log forwarding profile in all the palo alto security policy rule????

            • 3. Re: require the data source configuration guide
              yassinezeroual

              Please be informed that Palo Alto Next Generation firewall is already supported by McAfee as data source so it is easy to find the data source guide at the McAfee Website, regarding the Websense DLP is not supported and you can add it as a generic data source. please use this doc to parse the logs correctly.


              Check this document to know more how to parse correctly:

              https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/ 24000/PD24926/en_US/How%20to%20write%20a%20McAfee%20ESM%20Custom%20Parser%20and % 20troubleshoot%20a%20data%20source.pdf