Cyences App Fixes Splunk Integration with Palo Alto Networks

Palo Alto Networks' latest software update, PAN-OS 9.1, has officially changed the log format for VPN/GlobalProtect logs. As a result, Splunk users are experiencing problems populating the data for their VPN/GlobalProtect related dashboards.

Palo Alto Networks Log Format Comparison for Splunk

9.0 Log Format
● Previously, GlobalProtect data was present in the pan:system sourcetype and globalprotect log_subtype
9.1 Log Format
● GlobalProtect data is present in the pan:globalprotect sourcetype and it contains multiple log_subtype values such as: login, configuration, connected, etc. We’ll be using the login log_subtype value for building the VPN dashboard.

VPN Dashboards

The latest PAN-OS 9.1 update is a breaking update for GlobalProtect. Several Splunk users have told us they are abandoning the VPN dashboards in the Remote Work Insights – Executive Dashboard app for Splunk because of it.

The RWI app currently has two dashboards that are focused on VPN activity:
● VPN Ops
● Global Protect VPN Login Activities


The Global Protect VPN Login Activities dashboard has stopped functioning with the recent modification from Palo Alto and it displays “No results found” on all of its dashboard panels.


The VPN Ops dashboard appears to be working, but it isn’t displaying the correct data.
As the screenshot below shows, it reports successful logins from the Netherlands, which can't be true for our Splunk environment: the policy configured on Palo Alto only allows connections from the United States and Mexico.


We’ve updated the VPN dashboard for the Cyences App, which will display the correct VPN data and this can be verified from the Palo Alto side. The screenshot below shows logins from the United States and Mexico only.
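As an added illustration (not code from the Cyences app or from this post), the Python below mirrors what the corrected search has to do: treat both the 9.0 and 9.1 formats from the comparison above as GlobalProtect login events, count successful logins by source country, and flag any country outside the United States/Mexico policy described above. The sample events and the status, user and src_country field names are assumptions; only the sourcetype and log_subtype values come from the post.

```python
# Added example (not the Cyences app's code): normalise GlobalProtect login
# events across the PAN-OS 9.0 and 9.1 formats and sanity-check source
# countries against the firewall policy. Fields other than sourcetype and
# log_subtype (status, user, src_country) are assumed for illustration.
from collections import Counter

ALLOWED_COUNTRIES = {"United States", "Mexico"}  # policy from the post


def is_gp_login(event):
    """True for a GlobalProtect login event in either log format.
    9.0: sourcetype pan:system, log_subtype globalprotect.
    9.1: sourcetype pan:globalprotect, log_subtype login (other
         9.1 subtypes such as configuration/connected are not logins)."""
    st, sub = event.get("sourcetype"), event.get("log_subtype")
    if st == "pan:system" and sub == "globalprotect":
        return True
    return st == "pan:globalprotect" and sub == "login"


def successful_logins_by_country(events):
    """Count successful GlobalProtect logins per source country."""
    counts = Counter()
    for ev in events:
        if is_gp_login(ev) and ev.get("status") == "success":
            counts[ev.get("src_country", "unknown")] += 1
    return counts


def unexpected_countries(events, allowed=ALLOWED_COUNTRIES):
    """Countries with successful logins that the policy should have blocked.
    A non-empty result means the dashboard data or the policy needs review."""
    return {c for c in successful_logins_by_country(events) if c not in allowed}


# Constructed sample events: one 9.0-style login, three 9.1 logins, and one
# 9.1 configuration event that must not be counted as a login.
SAMPLE_EVENTS = [
    {"sourcetype": "pan:system", "log_subtype": "globalprotect",
     "status": "success", "user": "alice", "src_country": "United States"},
    {"sourcetype": "pan:globalprotect", "log_subtype": "login",
     "status": "success", "user": "bob", "src_country": "Mexico"},
    {"sourcetype": "pan:globalprotect", "log_subtype": "login",
     "status": "failure", "user": "carol", "src_country": "Netherlands"},
    {"sourcetype": "pan:globalprotect", "log_subtype": "login",
     "status": "success", "user": "dave", "src_country": "Netherlands"},
    {"sourcetype": "pan:globalprotect", "log_subtype": "configuration",
     "status": "success", "user": "erin", "src_country": "Netherlands"},
]
```

With the sample data, `unexpected_countries(SAMPLE_EVENTS)` returns `{"Netherlands"}`, which is exactly the kind of result that told us the old VPN Ops dashboard was reading the wrong events.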


The new VPN dashboard for Cyences will be released with the 1.2.0 version update. Download the Cyences app for Splunk here.

Written by Usama Houlila.

Any questions, comments, or feedback are appreciated! Leave a comment or send me an email at uhoulila@crossrealms.com with any questions you might have.

Usama Houlila - CEO

Usama Houlila

President and Enterprise Architect
Usama Houlila is an Enterprise Architect with more than 20 years of professional experience providing technology solutions for organizations in industries including legal, public services, healthcare, finance, retail, hospitality, and manufacturing. Usama is well-versed in all phases of project delivery – from initiation to closeout. His ability to see the big picture is a product of his comprehensive knowledge of hardware, software, application, and systems engineering. Usama’s myriad interests include international affairs, nutrition and health, cooking, and music. He has played the flute since childhood and is an avid runner and bicyclist who recently added swimming and triathlons to the mix. He currently manages, designs, and deploys Palo Alto for legal, healthcare, and financial services.