Focus

AutoFocus™ Administrator’s Guide

Use AutoFocus Miners with the Palo Alto Networks Firewall

Table of Contents

Use AutoFocus Miners with the Palo Alto Networks Firewall

Use AutoFocus miners to dynamically send indicators from AutoFocus to an external dynamic list on a PAN-OS 9.0 firewall.

Add the root certificate authority (CA) certificate for MineMeld to the firewall.
1. Download the GoDaddy Class 2 Certification Authority Root Certificate: https://certs.godaddy.com/repository/gd-class2-root.crt
2. On the firewall, select DeviceCertificate ManagementCertificates.
3. Import the certificate to the firewall.
  1. Give the certificate a descriptive name.
  2. Browse for the certificate file and attach the GoDaddy certificate you downloaded.
  3. Click OK.
Create a certificate profile for the MineMeld root CA certificate.
1. On the firewall, select DeviceCertificate ManagementCertificate Profile.
2. Add a new certificate profile.
  1. Give the certificate profile a descriptive name.
  2. Click Add, select the certificate name from the CA Certificate drop-down, and click OK.
  3. Click OK.
Configure the MineMeld nodes that will send indicators to the firewall.

This procedure focuses on using AutoFocus miners to forward indicators to an external dynamic list; however, you can use other MineMeld miners that extract IPv4 addresses, domains, and URLs to forward indicators to an external dynamic list.
1. Use an AutoFocus sample or indicator store miner to Forward AutoFocus Indicators to MineMeld.
2. In MineMeld, Connect MineMeld Nodes (AutoFocus miner and processor) to an output that can feed indicators to an external dynamic list on the firewall.
  
  To find outputs that you can use with an external dynamic list, view the list of MineMeld Prototypes and search with the keyword EDL.
3. Restrict access to the indicators.
  1. Select the output node you plan to use with an external dynamic list from the list of Nodes.
  2. Click Tags, enter a tag name to use with the output node, and click OK.
  3. Click Admin, and select the Feeds Users tab.
  4. Click (+) to add a new user profile for accessing the indicators from the output node.
  5. Create a username and password, confirm the password, and click OK.
  6. Grant the user you just created access to the output node. In the Access setting for the user, select the tag for the output node and click OK.
Configure the firewall to access an external dynamic list based on the indicators from the AutoFocus miners.
Follow the steps to add a new external dynamic list to the firewall and observe the following guidelines:
- Enter the MineMeld-provided link from the output node as the Source of the external dynamic list. To find this link in MineMeld, select the output node from the list of Nodes and copy the Feed Base URL link.
- Select the Certificate Profile you created for the MineMeld root CA certificate.
- Select Client Authentication, and enter the username and password for the user you created from the previous step.
Verify that the firewall can receive indicators from the AutoFocus miners.
On the firewall, retrieve entries for the external dynamic list you added and view the list entries.

About AutoFocus