Overview

The sfn start command initializes and starts the SafeNetworking application, including all background processing threads for DNS monitoring, IoT threat detection, and AutoFocus integration.

Command Syntax

sfn start

Description

This command performs the following operations:
  1. Initializes the Flask application - Starts the web server for API access
  2. Validates configuration - Checks that required API keys are set (AutoFocus)
  3. Starts background processors:
    • DNS event processing thread
    • IoT honeypot data integration thread
    • AutoFocus point tracking thread
  4. Logs system configuration - Records log level, ElasticSearch host, and port information

Prerequisites

  • AutoFocus API key must be configured in .panrc file
  • ElasticSearch must be accessible at the configured host and port
  • Total processor count (DNS_POOL_COUNT + URL_POOL_COUNT) must be ≤ 16 to comply with AutoFocus rate limits

Configuration

The command reads from the following configuration values:
  • LOG_LEVEL (string) - Logging verbosity level for the application
  • ELASTICSEARCH_HOST (string) - Hostname or IP address of the ElasticSearch instance
  • ELASTICSEARCH_PORT (integer) - Port number for ElasticSearch connection
  • FLASK_HOST (string) - Host address for the Flask web server (default: localhost)
  • FLASK_PORT (integer) - Port number for the Flask web server
  • AUTOFOCUS_API_KEY (string) - Required API key for Palo Alto AutoFocus integration

Usage Example

# Start the SafeNetworking application
sfn start

Expected Output

INFO - SafeNetworking application initializing with log level of INFO
INFO - ElasticSearch host is: localhost:9200
INFO - INIT - Starting with total proc count of 12
INFO - INIT - Initializing Background Processes
INFO - INIT - Background processes initialized
INFO - INIT - SafeNetworking server started @ 0.0.0.0:5000
 * Running on http://0.0.0.0:5000/ (Press CTRL+C to quit)

Background Processes

When started, the application launches the following background threads:

DNS Processing Thread

Searches for unprocessed sfn-dns documents in ElasticSearch, processes them with AutoFocus lookups, and enriches the data.

IoT Processing Thread

Retrieves and integrates IoT Honeypot threat intelligence data, enriching incoming IoT events with known malicious IP and domain information.

AutoFocus Points Thread

Periodically queries AutoFocus API to track remaining API points and ensure rate limits are not exceeded.

Error Conditions

If the AutoFocus API key is not set or equals “NOT-SET”, the application will log a CRITICAL error and exit immediately.
If the total processor count exceeds 16, a CRITICAL warning is logged. The application may not function correctly due to AutoFocus API rate limiting.
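
The prerequisites and error conditions above can be checked before running sfn start. The following is an added example, not SafeNetworking's own code: preflight, tcp_reachable and the probe parameter are hypothetical names, the configuration is passed in as a plain dict, and the wildcard-bind warning on FLASK_HOST is an extra check assumed here rather than one the application is documented to perform.

```python
import socket

MAX_PROCS = 16          # AutoFocus rate-limit ceiling stated on this page
UNSET_KEY = "NOT-SET"   # placeholder value that triggers the CRITICAL exit


def tcp_reachable(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, int(port)), timeout=timeout):
            return True
    except (OSError, ValueError, TypeError):
        return False


def preflight(cfg, probe=tcp_reachable):
    """Return a list of (severity, message) findings for a config dict."""
    findings = []
    key = (cfg.get("AUTOFOCUS_API_KEY") or "").strip()
    if not key or key == UNSET_KEY:
        findings.append(("CRITICAL", "AUTOFOCUS_API_KEY is not set"))
    try:
        total = int(cfg.get("DNS_POOL_COUNT", 0)) + int(cfg.get("URL_POOL_COUNT", 0))
    except (TypeError, ValueError):
        findings.append(("CRITICAL", "pool counts must be integers"))
    else:
        if total > MAX_PROCS:
            findings.append(("CRITICAL", f"total proc count {total} exceeds {MAX_PROCS}"))
    es_host, es_port = cfg.get("ELASTICSEARCH_HOST"), cfg.get("ELASTICSEARCH_PORT")
    if not es_host or not es_port or not probe(es_host, es_port):
        findings.append(("CRITICAL", f"ElasticSearch unreachable at {es_host}:{es_port}"))
    # Assumption: a wildcard bind is worth a warning because it exposes the
    # Flask API on every interface rather than only on localhost.
    if cfg.get("FLASK_HOST", "localhost") in ("0.0.0.0", "::"):
        findings.append(("WARNING", "FLASK_HOST binds all interfaces"))
    return findings


# Constructed sample configuration (not taken from a real deployment).
SAMPLE = {
    "AUTOFOCUS_API_KEY": "NOT-SET", "DNS_POOL_COUNT": 10, "URL_POOL_COUNT": 8,
    "ELASTICSEARCH_HOST": "localhost", "ELASTICSEARCH_PORT": 9200,
    "FLASK_HOST": "0.0.0.0", "FLASK_PORT": 5000,
}

if __name__ == "__main__":
    # The probe is stubbed so the demonstration runs without a live cluster.
    for severity, message in preflight(SAMPLE, probe=lambda h, p: True):
        print(f"{severity} - {message}")
```

Omit the probe argument to test the real ElasticSearch host and port over TCP.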

Stopping the Application

To stop the SafeNetworking application:

# Press CTRL+C in the terminal where sfn start is running

Related Commands

  • sfn admin - Administrative functions for data management
  • sfn iot - Query IoT threat intelligence data
  • sfn load - Load CSV data into ElasticSearch