The Devo relay, also referred to as the "in-house" relay, was designed to sit inside a customer's secure network, receive events over an unencrypted channel, and forward them to the Devo cloud over an SSL-encrypted connection. It is therefore not equipped to accept inbound SSL connections itself. Your data environment may consist of several separate secure networks, each containing data sources whose events you want to forward to Devo via the relay.

...

To enable this, you can use a tunneling service installed on the relay machine to accept SSL-encrypted connections, decrypt them, and forward the plaintext data to the Devo relay. This procedure uses the open-source stunnel application and consists of the following steps.

...

In the PAN-OS console, select Device → Certificate Management → Certificates → Device Certificates. Generate a new certificate and call it RootCA. Once generated, select the RootCA certificate in the CA Certificates table and edit its information. Select the Trusted Root CA check box, then click OK. For more information about root CA certificates, see the vendor documentation.


In the same area of the Palo Alto console, generate another new certificate, this time called SyslogCert. Enter the IP address of the machine where stunnel is installed as the Common Name, select the RootCA certificate as the Signed By value, and do not select the Certificate Authority check box.

...

Click Generate. Finally, click the certificate name to edit it, select the Certificate for Secure Syslog check box, and click OK. For more information about generating a certificate, see the vendor documentation.

...

Copy the Palo Alto certificates to the Devo relay/stunnel machine

In the next step, you will install stunnel on the same machine as the Devo relay. To prepare it to handle the SSL traffic, you need to copy the RootCA and SyslogCert certificates to this machine and remove the passphrase from the SyslogCert private key, because stunnel must be able to open the key without operator input at start-up. Since the key is then stored unencrypted, restrict its file permissions so that only the account running stunnel can read it.

...

Install and configure stunnel

You need to install stunnel on the machine running the Devo relay, then configure it to terminate the inbound SSL connections on the port the firewall will send to and forward the decrypted data to the port on which the Devo relay listens.
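The certificate preparation and stunnel configuration from the two steps above, as an added example that is not part of the Devo page or of the stunnel project. It assumes the PAN-OS export of SyslogCert is a PEM file containing the certificate plus the passphrase-protected key, that stunnel keeps its files under /etc/stunnel and runs as the stunnel4 account (Debian convention; adjust on other distributions), that the firewall sends to port 6514 and that the relay listens on port 13005 (the Source Port used by the relay rule later in this procedure). The `verify = 2` line additionally requires the firewall to present a certificate signed by RootCA; it is an assumption that PAN-OS presents SyslogCert as its client certificate, so remove that line if the firewall's connections are rejected.

```shell
#!/bin/sh
# Added example, not from the Devo page or the stunnel project: prepare the
# certificates exported from PAN-OS and generate the stunnel service that
# terminates SSL on port 6514 and forwards plaintext to the Devo relay on
# port 13005. Paths, file names and the stunnel service account are
# assumptions and may differ on your system.
set -eu

STUNNEL_DIR=${STUNNEL_DIR:-/etc/stunnel}   # assumed install location
LISTEN_PORT=6514                           # port the PAN-OS syslog profile sends to
RELAY_PORT=13005                           # relay port matched by the type-4 rule

# Split the PAN-OS export of SyslogCert into a certificate file and a key
# file with the export passphrase removed, so stunnel can start unattended.
# The unencrypted key must be readable only by the account that runs stunnel.
prepare_syslog_cert() {
  export_pem="$1"                          # e.g. SyslogCert.pem exported from PAN-OS
  (
    umask 077
    openssl x509 -in "$export_pem" -out "$STUNNEL_DIR/SyslogCert.crt"
    openssl pkey -in "$export_pem" -out "$STUNNEL_DIR/SyslogCert.key"  # prompts for the export passphrase
  )
  chmod 644 "$STUNNEL_DIR/SyslogCert.crt"
  chmod 600 "$STUNNEL_DIR/SyslogCert.key"
}

# Print the stunnel configuration for the secure-syslog listener.
stunnel_conf() {
  cat <<EOF
; stunnel service for the PAN-OS -> Devo relay secure syslog path (added example)
setuid = stunnel4
setgid = stunnel4
pid = /var/run/stunnel-paloalto.pid
output = /var/log/stunnel-paloalto.log
options = NO_SSLv2
options = NO_SSLv3

[paloalto-syslog]
client = no
accept = 0.0.0.0:$LISTEN_PORT
connect = 127.0.0.1:$RELAY_PORT
cert = $STUNNEL_DIR/SyslogCert.crt
key = $STUNNEL_DIR/SyslogCert.key
; Only accept peers that present a certificate signed by RootCA (assumes the
; firewall uses SyslogCert as its client certificate; drop if not).
CAfile = $STUNNEL_DIR/RootCA.crt
verify = 2
EOF
}

# Usage: sh stunnel-paloalto.sh install SyslogCert.pem RootCA.pem
if [ "${1:-}" = "install" ]; then
  cp "$3" "$STUNNEL_DIR/RootCA.crt"
  prepare_syslog_cert "$2"
  stunnel_conf > "$STUNNEL_DIR/stunnel-paloalto.conf"
  stunnel "$STUNNEL_DIR/stunnel-paloalto.conf"
fi
```

Because stunnel and the relay are on the same host, the forwarding target is 127.0.0.1, so the decrypted syslog never leaves the machine; the `accept` address is the only side exposed to the firewall.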

...

You will need to set up just one type-4 relay rule that uses a regular expression with a capturing group to isolate the fourth comma-separated field of the inbound event (the PAN-OS log type, such as TRAFFIC or THREAT) and build the correct Devo tag from it.

  • Source Port → 13005

  • Source Data →  ^[^,]+,[^,]+,[^,]+,([^,]+).*$

  • Target Tag → firewall.paloalto.\\D1

  • Select the Stop Processing and Sent without syslog tag check boxes

...

Once you add the rule, the relay is prepared to receive events from stunnel and forward them correctly to the Devo cloud.
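The rule's Source Data expression applied to sample events, as an added example that is not part of the Devo page. The three events are constructed for illustration and follow the PAN-OS CSV layout (FUTURE_USE, receive time, serial number, type, ...); it is assumed that the relay evaluates the expression against the message body as it arrives from stunnel. The capture is substituted into the Target Tag verbatim here; any normalization the relay itself applies to the tag is outside what this page covers.

```shell
#!/bin/sh
# Added example: apply the relay rule's Source Data regex to constructed
# PAN-OS events and show what the \D1 capturing group yields.
set -eu

# The regular expression exactly as it appears in the relay rule.
SOURCE_DATA='^[^,]+,[^,]+,[^,]+,([^,]+).*$'

# Constructed sample events (not real firewall output).
EVENT_TRAFFIC='1,2023/05/04 12:00:00,0123456789012,TRAFFIC,end,2049,2023/05/04 12:00:00,10.0.0.5,192.0.2.10,0.0.0.0,0.0.0.0,allow-all,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,default,2023/05/04 12:00:00,12345,1,50432,443,0,0,0x19,tcp,allow'
EVENT_THREAT='1,2023/05/04 12:00:01,0123456789012,THREAT,url,2049,2023/05/04 12:00:01,10.0.0.5,198.51.100.7,0.0.0.0,0.0.0.0,block-bad-urls,,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,default,2023/05/04 12:00:01,12346,1,50433,80,0,0,0x0,tcp,block-url'
EVENT_SHORT='1,2023/05/04 12:00:02,0123456789012'   # only three fields: the rule cannot match

# Print the text captured by the first group (\D1) for one event; prints
# nothing when the expression does not match.
capture_d1() {
  printf '%s\n' "$1" | sed -nE "s/$SOURCE_DATA/\1/p"
}

# Build the Target Tag the rule produces: firewall.paloalto.\D1.
# Returns non-zero when the rule would not fire for this event.
target_tag() {
  d1=$(capture_d1 "$1")
  [ -n "$d1" ] || return 1
  printf 'firewall.paloalto.%s\n' "$d1"
}

# Walk the samples so the non-matching case is visible as well.
for ev in "$EVENT_TRAFFIC" "$EVENT_THREAT" "$EVENT_SHORT"; do
  target_tag "$ev" || echo "no match: the rule would not fire for this event"
done
```

Running the loop shows one tag per well-formed event and a "no match" line for the truncated one, which is the behaviour to verify before pointing the firewall at the relay: an event that does not match the Source Data expression is not retagged by this rule.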

...

In Palo Alto, go to Device → Server Profiles → Syslog and click Add. Set up the new profile, being sure to specify the following:

  • Syslog server - The IP address of the machine on which stunnel is installed (the same address you used as the Common Name of SyslogCert).

  • Transport - SSL.

  • Port - The port on which stunnel will listen for inbound SSL connections (in our example, 6514).

You can enter any name you like and accept the default values for the other fields.

...