PALO ALTO NETWORKS
TSCM INSTALLATION GUIDE
Dated: December 11, 2015
Copyright© 2006-2015 ThreatSTOP, Inc. All Rights Reserved
NOTICE: All information contained herein is, and remains the property of ThreatSTOP, Inc. and
its suppliers, if any. The intellectual and technical concepts contained herein are proprietary to
ThreatSTOP, Inc. and its suppliers and may be covered by U.S. and Foreign Patents, patents in
process, and are protected by trade secret or copyright law.
Dissemination of this information or reproduction of this material is strictly forbidden unless prior
written permission is obtained from ThreatSTOP, Inc.
Contents

Overview
  tsadmin
  Who should use this manual?
Route Preparation
VM Installation
  VMware Conversion and Setup
  Virtual Box Deployment
  Adjusting the Appliance to Your Network Environment
TSCM Installation
  TSCM Upgrades
Enabling TSCM on the Device
  Adding a Palo Alto Networks Device to the TSCM
Committing the Changes to the Device
  Forcing the import of a block list into the EBL
  Making ThreatSTOP even smarter
    To turn on Log Forwarding for ThreatSTOP:
    To turn on Log Forwarding for other policies:
  Note
Steps to Remove ThreatSTOP Configurations from PAN Devices
  Testing the Connection
TSCM Configuration
TSCM Command Line Switches
  Configuration Switches
Notes and Limitations
Overview
ThreatSTOP's ThreatSTOP Centralized Manager (TSCM) software allows for the rapid deployment of the ThreatSTOP
firewall management service across multiple devices and types of devices in a production environment. Installation and
configuration have been simplified from the previous device installation and configuration procedures.
Device setup:
1. Route Preparation
2. VM Installation
3. TSCM Installation
4. Enabling ThreatSTOP on the Device
5. Committing the Changes to the Device
The following instructions cover the setup of the TSCM from the Command Line Interface (CLI). Note that these setups can be automated with a simple shell script; however, the instructions only cover a single device installation at this time.
tsadmin

The command to set up and control TSCM is tsadmin. During configuration tsadmin associates module files that contain configuration data relevant to your available hardware. These files allow tsadmin to communicate with your hardware and expedite setting up the ThreatSTOP service on your network.

Who should use this manual?

This manual is intended to be a step-by-step guide for System Administrators of intermediate to advanced skill levels. It assumes a certain level of familiarity with setting up Linux based Virtual Machines (VMs), and importing saved Virtual Machine Images (OVA files) into a VM host.
Route Preparation

Before installation can begin the following ports will need to be open along the communications route between the specified destinations:
- tcp/udp port 53: Needs to be opened from the TSCM to ThreatSTOP's DNS server farms. The TSCM will query for ThreatSTOP policy (IP Intelligence) data and deliver the data to your firewall device (network objects). This query is a standard DNS query to ThreatSTOP's DNS servers.
- SSH access from the TSCM to the device: To load ThreatSTOP policy to your device, the TSCM requires SSH access to your device.
- UDP port 514 from the device to the TSCM: Syslog on your device is configured to send data to the TSCM. ThreatSTOP requires the messages from syslog as this is the source data for your reports.
- SSL from the TSCM to ThreatSTOP: syslogs are uploaded from the TSCM to ThreatSTOP where our internal systems will parse and process your device logs. The results of this parsing can be viewed in the Reporting section of your account on the ThreatSTOP portal.
VM Installation

VM installation can take one of two different paths. Users running an Oracle Virtual Box based environment will be able to follow the directions in Virtual Box Deployment and create an environment quickly and easily. Users running VMware's vSphere client will need to follow the additional steps to convert the OVA from Virtual Box format into VMware's .OVF format as described in VMware Conversion and Setup.
In both cases, after installing your VM client you will need to download the latest ts-appliance image from our FTP service, and make note of its location. Once the VM import has completed you will need to configure Ubuntu as laid out in Adjusting the Appliance to Your Network Environment.
VMware Conversion and Setup

Because the distributed OVA is prepared for Oracle Virtual Box environments, a conversion is necessary to use the .OVA with vSphere. You will need to download the VMware OVF tool from the VMware Web site and install it. To do this:
1. Download the VMware OVF tool and make note of its location.
2. Follow the installer instructions to install the tool.
3. Create and name a directory in your hypervisor's data store, which is the directory where virtual machines reside.
4. Provide the name for the directory.
5. Move to that directory.
6. The converter tool deposits output files in the current directory.
7. Start the converter tool with the following command:
path-to-ovftool -tt=VMX <ova-file-name> <VMX-file-name>
For example:
/usr/bin/ovftool -tt=VMX ts-appliance.ova virtualappliance
8. The command might take a few minutes to complete, after which you will see output similar to the following:
Opening OVA source:
../ts-appliance.ova
Opening VMX target: ts-appliance
Target: ts-appliance.vmx
Disk progress: 36%
…
Disk Transfer Completed
Completed successfully
9. Two items appear in your current directory as a result of this task: a .vmdk disk image file and a .VMX virtual
machine configuration file, as the following example shows:
-rw------- 1 root root 1.6G 2015-10-16 14:46 ts-virtualappliance.vmdk
-rw-r--r-- 1 root root 1.1K 2015-10-16 14:46 ts-virtualappliance.vmx
10. Once the conversion is complete you will be able to import the OVA into your vSphere host.
11. In your VM host, import the OVA file. Under VMware this is done by clicking Deploy OVF Template…
12. Enter the location of the .ova file or click on Browse… and locate the file on your computer. Then click Next.
13. Review the specifications for the VM to be created, and make any needed changes to your host system to meet these requirements. Then click Next.
14. Provide a name for the VM; this can be left as-is or may be updated to fall into an existing naming schema. Click Next.
15. Verify your storage setup and requirements then click Next.
16. Select the Provisioning required by your deployment. It's likely that the default of Thick Provision Lazy Zeroed will be acceptable for most deployments. Click Next.
17. Verify the networks mapped in your OVF template and the network to which it will be deployed. Click Next.
18. Check the box next to Power on after deployment and click Finish.
19. After the OVF is deployed, close the Deployment Completed Successfully window.
Virtual Box Deployment

1. In Virtual Box, import the OVA file. Under Virtual Box this is done by clicking File and selecting Import Appliance…
2. Enter the location of the .ova file or click on Browse… and locate the file on your computer. Then click Open, then click Next.
3. Review the specifications for the VM to be created, and make any needed changes. Then click Import.
4. Provide a name for the VM; this can be left as-is or may be updated to fall into an existing naming schema. Click Next.
5. Verify your storage setup and requirements then click Import.
6. After the VM has been imported right-click on the new VM entry and select Settings...
7. Select the Provisioning required by your deployment.
8. Verify the network connections mapped in your OVA template and the network to which it will be deployed, adjust as needed. Then click OK.
Adjusting the Appliance to Your Network Environment

1. Power on the VM Console and log in using the following login information:
   - Username: threatstop
   - Password: threatstop
2. After powering up the system, the VM will need to be modified to access the network with a static IP address. To do this:
   1. At the command prompt enter:
      sudo vi /etc/network/interfaces
   2. Locate the line iface eth0 inet dhcp in the file (see figure 1); you will need to change this.
   3. Modify the line to iface eth0 inet static, and uncomment the following four lines (see figure 2).
   4. You will need to adjust the address, netmask, and gateway values to match your network.
      Figure 1: /etc/network/interfaces default
      Figure 2: /etc/network/interfaces configured for a static IP
   5. This should be followed by restarting the network using the command:
      sudo /etc/init.d/networking restart
3. Once this is performed the system should be upgraded to the current version of Ubuntu using the following commands. Please be aware that this upgrade process can take more than 25 minutes depending on the speed of your Internet connection.
   1. Enter sudo apt-get update
   2. Enter sudo apt-get dist-upgrade
   3. Additionally you will need a copy of gdebi to complete device setup. This can be obtained using the command sudo apt-get install gdebi-core
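The static-address edit in step 2 above, scripted as an added example in shell that is not part of this guide: it replaces the eth0 DHCP stanza with a static one and refuses a gateway outside the configured subnet, the mistake that leaves the appliance unreachable after the networking restart. The sample interfaces file and all addresses are constructed (RFC 5737 documentation ranges).

```shell
#!/bin/sh
# Added example, not from the ThreatSTOP guide: script the edit the guide makes
# by hand in /etc/network/interfaces (iface eth0 inet dhcp -> static) and
# reject values that would leave the appliance unreachable. Works on a copy so
# the result can be checked before it is put in place.

# Constructed stand-in for the stanza shipped in the OVA (figure 1 in the guide).
SAMPLE_INTERFACES='auto lo
iface lo inet loopback

auto eth0
iface eth0 inet dhcp'

# ip2int A.B.C.D -> unsigned 32-bit integer, for subnet arithmetic.
ip2int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# is_dotted_quad STRING -> 0 if it has four numeric octets, each 0..255.
is_dotted_quad() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for o in $(printf '%s' "$1" | tr '.' ' '); do
        [ "$o" -le 255 ] || return 1
    done
}

# same_subnet ADDR GATEWAY NETMASK -> 0 if the gateway is reachable from ADDR.
same_subnet() {
    m=$(ip2int "$3")
    [ $(( $(ip2int "$1") & m )) -eq $(( $(ip2int "$2") & m )) ]
}

# make_static FILE ADDRESS NETMASK GATEWAY
# Prints FILE with the eth0 DHCP stanza replaced by a static one; everything
# else (the lo stanza, comments) passes through unchanged. Returns 1 and prints
# no file at all if an input is malformed, the gateway is off-subnet, or the
# file has no DHCP stanza for eth0 (already converted), so a bad run can never
# leave a silently wrong interfaces file behind.
make_static() {
    file=$1 addr=$2 mask=$3 gw=$4
    for v in "$addr" "$mask" "$gw"; do
        is_dotted_quad "$v" || { echo "make_static: bad address '$v'" >&2; return 1; }
    done
    same_subnet "$addr" "$gw" "$mask" ||
        { echo "make_static: gateway $gw is not in $addr/$mask" >&2; return 1; }
    grep -q '^iface eth0 inet dhcp' "$file" ||
        { echo "make_static: no 'iface eth0 inet dhcp' stanza in $file" >&2; return 1; }
    awk -v a="$addr" -v m="$mask" -v g="$gw" '
        /^iface eth0 inet dhcp/ {
            print "iface eth0 inet static"
            print "    address " a
            print "    netmask " m
            print "    gateway " g
            next
        }
        { print }
    ' "$file"
}

# Typical use on the appliance (then: sudo /etc/init.d/networking restart):
#   sudo cp /etc/network/interfaces /etc/network/interfaces.dhcp
#   make_static /etc/network/interfaces.dhcp 192.0.2.10 255.255.255.0 192.0.2.1 \
#       | sudo tee /etc/network/interfaces > /dev/null
```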
TSCM Installation

The TSCM software can be downloaded from our FTP service to the VM that was just installed. Please download TSCM_<version number> to your home directory. If you did not use the preconfigured OVA file to set up your VM, you will need to make certain your Linux installation is completely up-to-date. You can do this by running the commands sudo apt-get update and sudo apt-get dist-upgrade. You will also need a copy of gdebi to install the device files. To obtain this run the command sudo apt-get install gdebi-core
Once the system has been fully updated you can begin the installation of TSCM:
1. Extract the TSCM file you downloaded using the command tar -xzvf TSCM_v<version number>.tar.gz
   Any changes from previous versions of TSCM will be found in the README file.
2. Change into the TSCM directory using the command cd TSCM
3. The software will need to install a few gdebi packages included with the download. These will place the core TSCM files, as well as device specific modules, into the system locations where TSCM expects to locate them. To do this:
   1. Enter sudo gdebi multidevice-core_<version number>-1i386.deb and press ENTER. You will need to repeat this step for the following files in addition to multidevice-core_<version number>-1i386.deb:
      1. sudo gdebi ts-asa_<version number>_all.deb
      2. sudo gdebi ts-ciscoios_<version number>_all.deb
   2. Answer Y to Do you want to install the package? each time the prompt appears. This will complete the installation of TSCM and allow you to move on to configuration.
   3. After installation it is safe to remove the downloaded and untarred files. To do this run the commands rm -r TSCM/ and rm TSCM*.tar.gz
4. At this point you will need to configure your network appliance to be ready to interface with the TSCM. These steps are covered in Enabling ThreatSTOP On the Device.
TSCM Upgrades

Upgrades are performed in exactly the same manner as a fresh install. We recommend making a backup of your current installation before proceeding with an upgrade. To perform a backup:
1. Change to the current installation directory. If you've performed the installation by following this document you can simply enter cd ~ and press ENTER.
2. The following command will create a compressed tarball of the directory: tar -ca --file=TSCM_<version number>.current.gz TSCM
3. Remove the existing TSCM folder with rm -r TSCM
4. Perform the install as previously explained, substituting the updated archive name where needed.
If for any reason the upgrade is found to fail, or you are unhappy with the new setup, simply untar the backed up configuration using tar -xzvf TSCM_<version number>.current.gz to re-extract the known working setup over the troubled upgrade.
To perform an upgrade: download the updated TSCM archive from the ftp server, extract the file as explained in TSCM Installation, enter the TSCM directory provided, and run gdebi against each .deb file provided.
Enabling TSCM on the Device

Certain conditions will need to be met to use ThreatSTOP Centralized Manager (TSCM) post installation.
- The user will need either root privileges, or if multiple users are to be allowed to set up devices with TSCM they will need to be added to the threatstop user group.
- Additionally Port 80 will need to be opened for TCP communications between the TSCM and PAN devices.
Entering tsadmin by itself or followed by the switch --help will load tsadmin's internal help system. This system is context sensitive and will change in response to the rest of the provided command line. Definitions of the available switches are available in the Switches section.
Note: Device name entries are not case sensitive.

Adding a Palo Alto Networks Device to the TSCM

The following steps correspond to onscreen prompts to add a PAN device to the TSCM. The steps are written in a manner to install a TSCM controlled ThreatSTOP configuration onto a PAN device. Please be aware that this configuration is put in place in a disabled state and will need to be activated through the PAN interface once these steps are configured. Configuring the PAN to enable the configuration will be explained in Enabling a PAN Configuration Post Setup. To enable TSCM with a PAN device, after extracting the files as explained in TSCM Installation, follow these steps:
1. Enter "tsadmin list" to check for available devices. On a fresh installation no devices should display, only the header will appear. The rest of these steps will add a PAN device to your configuration.
   Device name: Type Management IP syslog IP Log upload IP Log size Device updates Log uploads
2. After verifying your devices, enter tsadmin add <device name> --type <type name>
For example given a PAN firewall named Test1:
tsadmin add Test1 --type pan
3. This displays the following prompt. Answer Y or accept the default to the prompt by pressing ENTER to begin the
configuration for a Palo Alto Networks device.
Configuring 'Palo Alto Networks'.
Continue? (y or n) [default y]
4. Enter the Block list name you wish to use, if using a custom Block list, or press ENTER to accept the default. This is the blocklist name as provided by ThreatSTOP and can be located in your Devices screen on the portal. The format follows <Policy name>-netb.<Threatstop Account ID>.threatstop.local. For example TSBasic-netb.Threat<xx>.threatstop.local.
   Block list name : [default basic.threatstop.local]
5. Enter the Allow list name you wish to use, if using a custom Allow list, or press ENTER to accept the default. This is the allowlist name as provided by ThreatSTOP and can be located in your Devices screen on the portal. The format follows <Policy name>-neta.<Threatstop Account ID>.threatstop.local. For example TSBasic-neta.Threat<xx>.threatstop.local.
   Allow list name : [default dns.threatstop.local]
Setting the Block list name and Allow list name fields will establish the external lists (EBL) in the PAN device.
6. Enter the Log upload IP address; use the IP address seen in the ThreatSTOP portal. If you are uncertain of this number visit our Check IP tool and copy the IP Address that appears.
   Log upload IP address :
   Alternatively you can run the following command to find the IP address to use:
   wget -qO - https://www.threatstop.com/cgi-bin/validip.pl
   A message will appear similar to the following example:
Your IP address: 192.0.2.0
This is the IP address you will want to use.
Note: IP address entries are validated by TSCM during installation. This will help to avoid invalid or risky IP
addresses such as 127.0.0.1 from being entered.
7. At the prompt for DNS Port, enter the port number used by your network. In the majority of cases, this is set to
the standard DNS port of 53, and it is safe to accept the default by pressing ENTER. In certain rare cases this may
need to be changed to port 5353.
DNS port : [default 53]
8. The Device management IP address is the firewall’s management IP address. This is the static IP address for this
management device, as it was established in the VM Interfaces section. If this is not set, the TSCM will not be
reachable for updates, and may require a reset to regain control.
Device management IP address :
9. Set the Syslog message source IP address used to send syslog data from the PAN device to the TSCM. From
there the TSCM will send the data to ThreatSTOP for processing. This is most likely going to be the same as the
Device management IP address listed above, though some configurations may have a different source.
Syslog message source IP :
Caution: While multiple devices can be set to the same IP address, this will cause IP collisions and should be
avoided. If an incorrect address is put in here, configuration will need to be performed again. A warning will not
be provided at this point if a collision has occurred. For setup purposes, if you have not setup your network
devices at this time, enter a unique ‘dummy’ address, and reconfigure the device after provisioning your
network.
10. For the Log rotate size, we recommend that you accept the default value provided; unless you have a specific
reason to change the log rotation size. This number is the log size in KiB.
Log rotate size, in Kb : [default 100]
11. For Send logs to ThreatSTOP enter Y.
    A test needs to be performed to ensure the firewall is blocking connections based on a ThreatSTOP policy that has been loaded into the firewall, and that attempts to connect to a hostile IP are being recorded by the TSCM. Until the device is configured this test will not complete; it is however OK to leave this switch set to "Y". The configuration will continue and we'll update the device at the end with a command.
    Send logs to ThreatSTOP? (y or n) [default n]
12. At the Enable policy updates? prompt enter Y. This will allow policy information to be downloaded from ThreatSTOP's servers and loaded into the PAN device. This is the backbone of the ThreatSTOP service, and potentially the most important step in this process.
    Enable policy updates? (y or n) [default y]
13. At the Device username: prompt enter the username used to login to your firewall. This will need to be entered
to allow the TSCM to configure the device.
Device username :
14. At the Device password: prompt enter the password for the username entered in the last step. This also needs
to be entered to allow the TSCM to configure the device.
Note: The password will not display on the screen and is stored securely.
15. When prompted with Name of the Trusted Zone, enter a Trusted Zone name. This is the name used to refer to
anything on the safe side of your PAN device, meaning your internal network. This has been defaulted to
Trusted.
Name of the trusted zone : [default Trusted]
16. Similarly, enter the name for an Untrusted Zone at the Name of the Untrusted Zone prompt. This is the name
used for the Internet facing side of your PAN device. Anything that may present a questionable data source. The
default is set to Untrusted.
Name of the untrusted zone : [default Untrusted]
17. For the Virtual system name prompt, enter the vsys name as it appears at the top of the screen when viewing your vsys. This is not the entry in the Name field of the device, but has the format vsysX (where X is a number) and should appear at the top of the screen when configuring the PAN device. For a single firewall instance this would be vsys1.
    Virtual system name (case-sensitive) : [default VSYS_NAME]
18. The number of dynamic lists ThreatSTOP may use: Defaults to 9 (one allow and eight block). This property will
need to be adjusted to meet the available resources on your device. If you have custom dynamic lists already
generated, you will need to drop this number to account for the number of block and allow lists you currently
have setup.
The number of dynamic lists ThreatSTOP may use : [default 9]
**** Important PAN device configuration note :
You indicated "yes" to enable device updates by ThreatSTOP.
Upon the first update, the PAN device will be configured,
followed by a FULL commit of all pending changes on the
device. If you want time to check your device for pending
configuration changes that were not initiated by ThreatSTOP,
you may proceed with updates disabled. And then come back
later and enable this setting.
Note:
o ThreatSTOP has only performed limited testing of Palo Alto Networks devices.
o As noted in the PA Administrators Guide for release 6.0 there is a limit of 4700 entries to a single Dynamic
Block List (page 237). We provide up to 8 block list URLS and one allow list URL.
o If this is a new device and new policy, please wait about 15 minutes before attempting to apply the policy to
the PAN device
19. The prompt Are you sure you want device updates enabled at this time? allows device updates by ThreatSTOP. The first update will configure the device and issue a full commit of any pending changes. If you have pending changes that were not created by ThreatSTOP you may wish to enter N for now, verify the changes, and then rerun this setup and enter Y to enable ThreatSTOP's changes.
    Configured policy rules are installed in a disabled state. They will need to be enabled on the PAN device once the changes have been uploaded to the device.
    Are you sure you want device updates enabled at this time? (y or n) [default y]
20. The next step will check the connectivity between the TSCM and the device. This is done transparently by the
API which attempts to automatically connect to the device. A successful attempt will display:
[INFO ] : Checking Palo Alto Networks credentials at 192.0.2.0
Successfully added pan
Once this process completes press ENTER to return to the command line. If an IP collision is detected it will be
displayed at this point. No changes will be saved and you will need to go through the steps to add a device again
and provide an IP address that does not conflict with another device. The availability of IP addresses can be
determined using the command tsadmin list to determine which addresses in your configuration have already
been issued in your network setup.
Caution: Once the device is configured the Hostname in Syslog is set to a value of ipv4-address. Do not change
this. It is required for ThreatSTOP reporting to work correctly, and changes to this value will cause the reporting
to fail.
21. If the connection test was completed successfully, this will allow system logs to be downloaded from the TSCM and uploaded to ThreatSTOP for processing.
22. After the program exits, if the connection test was successful enter tsadmin update <device name> and
press ENTER. This will configure the PAN with the data provided above, set the syslog source IP, establish the
syslog server, setup log forwarding, create the EBLs and then setup the policies.
23. Configuration of the TSCM is now complete, but the policies uploaded to the TSCM will not be active at this point. You will need to log in to the TSCM and activate the policies in the firewall itself. Instructions to accomplish this are detailed in Enabling a PAN Configuration Post Setup.
Caution: Lists cannot be imported until they have been added to a policy rule. Once the list is added to an
enabled policy rule the data for it will be imported.
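The address checks behind the validation note in step 6 and the syslog IP collision caution in step 9, written as an added shell example that is not part of this guide or of tsadmin: it rejects unusable addresses (loopback, unspecified, link-local, multicast, broadcast, malformed) and flags a syslog source IP already assigned to another device. The device table is a constructed stand-in for tsadmin list output and all addresses are documentation-range values.

```shell
#!/bin/sh
# Added example, not from the ThreatSTOP guide and not tsadmin's own code: run it
# over the addresses you plan to enter at the "Log upload IP", "Device management
# IP" and "Syslog message source IP" prompts before "tsadmin add". It talks to
# nothing; the collision check reads a table you capture from "tsadmin list".

# Constructed excerpt of existing devices, in the "tsadmin list" column order
# Device name, Type, Management IP, syslog IP (capture yours with: tsadmin list).
EXISTING_DEVICES='Test1 pan 192.0.2.20 192.0.2.20
Branch2 asa 192.0.2.30 192.0.2.31'

# usable_ipv4 ADDR -> 0 if ADDR is a well-formed unicast address a device could
# actually send syslog from; 1 (with the reason on stderr) otherwise.
usable_ipv4() {
    addr=$1
    printf '%s' "$addr" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' ||
        { echo "$addr: not a dotted quad" >&2; return 1; }
    set -- $(printf '%s' "$addr" | tr '.' ' ')
    for o in "$@"; do
        [ "$o" -le 255 ] || { echo "$addr: octet $o out of range" >&2; return 1; }
    done
    case "$1" in
        0)   echo "$addr: unspecified address (0.0.0.0/8)" >&2; return 1 ;;
        127) echo "$addr: loopback; TSCM would be talking to itself" >&2; return 1 ;;
        169) if [ "$2" -eq 254 ]; then echo "$addr: link-local" >&2; return 1; fi ;;
    esac
    if [ "$1" -ge 224 ]; then
        echo "$addr: multicast/reserved range (224.0.0.0/3)" >&2; return 1
    fi
    if [ "$addr" = "255.255.255.255" ]; then
        echo "$addr: limited broadcast" >&2; return 1
    fi
    return 0
}

# syslog_ip_free ADDR [TABLE] -> 0 if no device in TABLE (default: the table
# above) already uses ADDR as its syslog IP (column 4); otherwise names the
# colliding device on stderr and returns 1. Two devices sharing a syslog IP
# is the collision the guide says tsadmin will not warn about at entry time.
syslog_ip_free() {
    addr=$1; table=${2:-$EXISTING_DEVICES}
    clash=$(printf '%s\n' "$table" | awk -v a="$addr" '$4 == a { print $1 }')
    [ -z "$clash" ] || { echo "$addr already used as syslog IP by $clash" >&2; return 1; }
}

# check_device_addrs MGMT_IP SYSLOG_IP -> 0 only if both addresses are usable
# and the syslog IP does not collide with a device already known to TSCM.
check_device_addrs() {
    usable_ipv4 "$1" && usable_ipv4 "$2" && syslog_ip_free "$2"
}
```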
Committing the Changes to the Device

Once the configuration of the TSCM is completed, you will need to turn on the policies in the PAN device to place the device in a state to receive information from the TSCM and ThreatSTOP. To enable the policies on the device:
1. Log into your device through the web management interface.
2. Click on Policies.
3. You will see all of your rules established for your policy on this device, including four rules for ThreatSTOP:
   o ThreatSTOP-Allow-Inbound
   o ThreatSTOP-Allow-Outbound
   o ThreatSTOP-Block-Inbound
   o ThreatSTOP-Block-Outbound
4. Place these rules where you want them in your policy. We recommend placing them at the top to receive the maximum amount of protection from ThreatSTOP.
5. After placing the rules in your desired location select all four rules, and click Enable at the bottom of the screen.
6. Now click Commit at the top of the screen to enact the changes.
Now that your policies have been enabled you will want to test the connection between your device and ThreatSTOP. Details on how to do this can be found in Testing the Connection below.
Forcing the import of a block list into the EBL

It may be necessary at times to force the import of a block list into the EBL. The procedure to do this is:
1. Click Objects.
2. Click Dynamic Block Lists.
3. Check the box next to the lists you want imported immediately.
4. Click Import Now.
Making ThreatSTOP even smarter

In addition to the ThreatSTOP policies that you will now receive, and the updates that these will send back, you have the option of setting up log forwarding on all of a device's policies using syslog and Log forwarding. Enabling this information across all of your devices will help to strengthen the threat intelligence we provide.
This procedure has two parts, one for ThreatSTOP and one for existing policies on the PAN.
To turn on Log Forwarding for ThreatSTOP:
1. Under Objects click Log Forwarding.
2. Click on ThreatSTOP.
3. Select any of the data you want to forward and click OK.
4. Click on Commit, and your next set of logs will be contributed to our threat assessment pool.

To turn on Log Forwarding for other policies:
1. Click on the Device tab.
2. Then click on Syslog.
3. Then click on TSCM.
4. Click Add. A list of log forwarding options will appear.
5. Add the entries TSCM should be included in and click OK twice.
6. Click Commit to save the changes to the router.

Note

For Palo Alto devices a webserver is maintained on the TSCM VM. The PAN should be pointed to this for rule updates.
Steps to Remove ThreatSTOP Configurations from PAN Devices

If a PAN device is removed from TSCM, the ThreatSTOP configurations on the PAN device are not removed. You will need to log onto your PAN device and perform the following steps:
1. Delete the ThreatSTOP Policy Rules - these rules reference the dynamic block lists and the log forwarding profile. You will be unable to delete those configurations until these policy rules are removed. Under Policies->Security:
   1. Check each of the four ThreatSTOP policy rules
   2. Press Delete at the bottom of the policy rules window
2. Delete the ThreatSTOP Dynamic Block Lists. Under Objects->Dynamic Block Lists:
   1. Check each of the ThreatSTOP entries
   2. Press Delete at the bottom of the window
3. Delete the ThreatSTOP Log Forwarding profile - this profile references the ThreatSTOP syslog server. The syslog server can't be deleted until the profile is removed. Under Objects->Log Forwarding:
   1. Check the ThreatSTOP entry
   2. Press Delete at the bottom of the window
4. Delete the ThreatSTOP syslog server. Under Device->Syslog:
   1. Check the ThreatSTOP syslog server
   2. Press Delete at the bottom of the window
5. Change the Send HOSTNAME in Syslog setting from your ipv4_address to the desired setting. Under Device->Setup:
   1. Hit the edit icon at the top right of the Logging and Reporting Settings
   2. Click on the Log Export and Reporting tab in the new dialog
   3. Choose a new setting via the dropdown menu
6. Commit the changes
That will set the PAN back to its pre-ThreatSTOP state.
Testing the Connection

After device setup has been completed and the changes committed to the device, a test will need to be run to verify the firewall is behaving as intended. To perform this test:
1. Open a console on the TSCM and enter tail -f /var/log/threatstop/devices/<device name>/syslog
2. From a device behind the firewall that is not the TSCM, attempt to connect to bad.threatstop.com with a web browser.
   o If the connection is blocked, you will see a connection blocked error message in the web browser, and the log being tailed will update.
   o If the connection is not blocked you will see the ThreatSTOP logo appear, and the configuration settings will need to be double checked.
If the command runs successfully, update the device's configuration as detailed in TSCM Configuration to begin sending logs back to ThreatSTOP for enhanced security.
TSCM Configuration

After the initial setup, the device can be reconfigured (for example to enable sending logs to ThreatSTOP for processing) using the following instructions:
1. At the command prompt enter: tsadmin configure <device name> and press ENTER.
2. Accept the established defaults; these will be pulled from the settings provided during the initial device setup. If a parameter needs to be changed, you may do so when its prompt appears.
3. If setup completed correctly in the previous steps and you choose to Submit logs to ThreatSTOP, enter Y when prompted.
4. The username and password are stored securely and will not need to be added a second time.
5. A prompt to Enable Password may appear and will need to be entered.
6. For the block list grouping name (Object, Address, or Zone) enter the name you want the block or allow lists to appear as in the maintenance device control panel.
7. For the allow list grouping name (Object, Address, or Zone) enter the name you want the block or allow lists to appear as in the maintenance device control panel.
8. For the Max entries, or Number of Dynamic Lists prompts accept the defaults or enter the values determined to be required for your network.
9. To verify your settings enter tsadmin show <device name> and review the output.
Once the device has been reconfigured it will not immediately update. tsadmin update is scheduled in cron (/etc/cron.d/multidevice-core) and will automatically update the device when the job is normally scheduled to run. You can speed up this process by entering tsadmin update <device name>.
Overview
The following command line switches can be used with the TSCM to gather information and perform maintenance functions.
• --help or ?: Shows the available help systems. This switch may be used in several locations to load context-sensitive help (where available) relative to the commands and switches being used.
• version: Shows the version of tsadmin being accessed.
• show <device name>: Shows all information on record about a specified device, including the DNS server addresses.
• update <device name>: Updates block and allow lists manually.
• remove <device name>: Removes an unwanted device from the list of devices to configure. Logs associated with the device will be left behind and will need to be deleted if they are not wanted.
• list: Displays a list of all devices currently being controlled by the TSCM, with the following information about each device:
o Device name: The device nickname specified by your naming schema.
o Type: The type of firewall associated with the device; this controls which TSCM module is used to interface with the device.
o Management IP: The IP address used to issue commands to the router.
o Syslog IP: The IP address used by the router to provide event messages (block messages) to the ThreatSTOP client. Used by the VM to configure syslog and to associate incoming messages with their routers.
o Log Upload IP: The IP address used to identify the log to the ThreatSTOP service. This must match what has been entered in the ThreatSTOP Portal.
o Log size: The size the log is allowed to reach before being rotated out and scheduled for upload to ThreatSTOP for further analysis.
o Device updates: Shows whether the device is set up to receive updates to the block and allow lists from ThreatSTOP.
o Log uploads: Shows whether logs from this device will be gathered and uploaded to ThreatSTOP for analysis.
Example 1: Sample results of using the show command.
The following two switches (add and configure) have subsets that may be specified to speed up device setup. The configuration switches are defined in the Configuration Switches section.
• add <device name>: Used to add a specified device to the TSCM. This enters the device entry flow outlined in Adding a Palo Alto Networks Device to the TSCM.
• configure <device name>: Allows the specified device to be reconfigured after initial setup. More information about configuring a device may be found in TSCM Configuration.
Example 2: A sample output of the list command.
Configuration Switches
--allow_list ThreatSTOP Allow List Name. Default value: dns.threatstop.local
--block_list ThreatSTOP Block List Name. Default value: basic.threatstop.local
--device Management IP address. No default value.
--dns_server DNS server to use (use multiple times for more than one DNS server). If no entry is provided, the addresses default to 64.87.26.147 and 24.249.204.58.
--enable_pw Enable password. No default value.
--logsize Syslog file size in KB before it is rotated. Default value is 100.
--logupload Enable log uploads. This has two valid states: enabled and disabled.
--loguploadip External IP address of the device (same as on the ThreatSTOP web page).
--maxpolicysize Maximum number of entries allowed in block or allow object groups. This value will need to be adjusted based on the model of networking device. For example, Cisco ASA models 5520 and higher will be fine with the default of 30000; other devices may support different sizes.
--object_group_allow Name of the network object group for the allow lists. Default value: threatstop-allow
--object_group_block Name of the network object group for the block lists. Default value: threatstop-block
--password SSH password; the password used to access the command line on the firewall.
--port Port number to use for DNS queries. The default value is 53 and will not need to be changed in most cases.
--syslogip IP address from which to capture device logs.
--updates Enable device policy updates. Determines whether updates downloaded from ThreatSTOP will be applied to the device. Two states are available: enabled or disabled.
--username SSH username.
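As an added example (not part of this guide or of the tsadmin tool), the Python helper below assembles a non-interactive tsadmin add or configure command from the switch reference above: it writes out the documented defaults so the command is repeatable, repeats --dns_server once per server, validates the enabled/disabled switches, rejects unknown switches, and keeps --password and --enable_pw off the command line so they stay out of shell history. It assumes tsadmin prompts for any switch that is omitted; the device name, addresses and credentials are constructed sample values.

```python
# Switches and defaults as listed in the Configuration Switches reference.
KNOWN_SWITCHES = {
    "allow_list", "block_list", "device", "dns_server", "enable_pw", "logsize",
    "logupload", "loguploadip", "maxpolicysize", "object_group_allow",
    "object_group_block", "password", "port", "syslogip", "updates", "username",
}
DEFAULTS = {
    "allow_list": "dns.threatstop.local", "block_list": "basic.threatstop.local",
    "dns_server": ["64.87.26.147", "24.249.204.58"], "logsize": 100,
    "maxpolicysize": 30000, "object_group_allow": "threatstop-allow",
    "object_group_block": "threatstop-block", "port": 53,
}
ENUM_SWITCHES = {"logupload", "updates"}      # only "enabled" or "disabled"
INT_SWITCHES = {"logsize", "maxpolicysize", "port"}
SECRET_SWITCHES = {"password", "enable_pw"}   # kept out of argv on purpose


def build_tsadmin_argv(action, device_name, settings):
    """argv for `tsadmin add|configure <device name> --switch value ...`.
    Defaults are written out so the command is repeatable; secrets are
    omitted so they stay out of shell history (tsadmin is assumed to prompt).
    """
    if action not in ("add", "configure"):
        raise ValueError("action must be 'add' or 'configure'")
    unknown = set(settings) - KNOWN_SWITCHES
    if unknown:
        raise ValueError(f"unknown switch(es): {sorted(unknown)}")
    merged = {**DEFAULTS, **settings}
    argv = ["tsadmin", action, device_name]
    for key in sorted(merged):
        value = merged[key]
        if key in SECRET_SWITCHES:
            continue
        if key in ENUM_SWITCHES and value not in ("enabled", "disabled"):
            raise ValueError(f"--{key} must be 'enabled' or 'disabled'")
        if key in INT_SWITCHES and (not isinstance(value, int) or value <= 0):
            raise ValueError(f"--{key} must be a positive integer")
        # --dns_server is repeated once per server, so a list expands here.
        for item in (value if isinstance(value, list) else [value]):
            argv += [f"--{key}", str(item)]
    return argv


# Constructed sample: a Palo Alto firewall on documentation-range addresses.
SAMPLE = {"device": "192.0.2.10", "syslogip": "192.0.2.10",
          "loguploadip": "203.0.113.5", "username": "tsadmin",
          "logupload": "enabled", "updates": "enabled", "password": "placeholder"}

if __name__ == "__main__":
    print(" ".join(build_tsadmin_argv("add", "pan-edge-01", SAMPLE)))
```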
Attempting to run multiple instances of tsadmin will not work: a lock is held while tsadmin runs, and only the first user will be allowed to commit their changes.
It is possible to adjust resources on a VM, but the number of CPUs cannot be changed; doing so will cause the VM to fail to start.