Palo Alto Firewall


About the connector

 

PaloAlto is a next-generation firewall by PaloAlto Networks, which contains application awareness, full stack visibility, extra-firewall intelligence, and upgrade paths in addition to the full capabilities of both traditional firewalls and intrusion prevention systems. Additionally, the company defines its firewall technology by the following abilities:

  • Identify applications regardless of port, protocol, evasive tactic, or Secure Sockets Layer.

  • Identify and control users regardless of IP address, location, or device.

  • Protect against known and unknown application-borne threats.

  • Fine-grained visibility and policy control over application access and functionality.

The PaloAlto connector allows the user to block and unblock both the IP and the application, thereby protecting against known and unknown threats and blocking the communication with malicious IPs. PaloAlto helps security analysts turn threat data into threat intelligence. It takes indicators from the network, such as domain names and IPs, and connects them with nearly every active domain on the Internet. These connections inform risk assessments, help profile attackers, guide online fraud investigations, and map cyber activity to attacker infrastructure.

This document provides information about the PaloAlto connector, which facilitates automated interactions with a PaloAlto server using FortiSOAR™ playbooks. Add the PaloAlto connector as a step in FortiSOAR™ playbooks and perform automated operations, such as blocking and unblocking IPs, URLs, and applications.

 

Version information

Connector Version: 1.0.0

FortiSOAR™ Version Tested on: 4.9.0.0-662 and later

PaloAlto Version Tested on: The PaloAlto connector has been tested on the following: Model: PA-VM version 8.0.0; Application version: 655-3816

Authored By: Fortinet

Certified: Yes

Installing the connector

All connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and use the yum command to install connectors:

yum install cyops-connector-paloalto

For the procedure to install a connector, click here.

Prerequisites to configuring the connector

  • You must have the IP address or hostname of the PaloAlto Firewall to which you will connect and perform the automated operations.
  • You must also have the username and password to access the PaloAlto Firewall.
  • To access the FortiSOAR™ UI, ensure that port 443 is open through the firewall for the FortiSOAR™ instance.

Configuring the connector

For the procedure to configure a connector, click here.

Important: You must append /api in the server URL while configuring the connector. For example, https://<serverip>/api

Configuration parameters

In FortiSOAR™, on the Connectors page, select the PaloAlto connector and click Configure to configure the following parameters:

| Parameter | Description |
| --- | --- |
| Server URL | IP address or hostname of the PaloAlto Firewall. |
| Username | Username to access the PaloAlto Firewall. |
| Password | Password to access the PaloAlto Firewall. |
| Security Policy Name for Blocking IP | Security Policy Name that has been preconfigured in PaloAlto for blocking an IP. |
| Address Group | Name of the AddressGroup that is linked to the Security Policy Name for Blocking IP. |
| Security Policy Name for Blocking URL | Security Policy Name that has been preconfigured in PaloAlto for blocking a URL. |
| Address Group | Name of the AddressGroup that is linked to the Security Policy Name for Blocking URL. |
| Security Policy Name for Blocking Application | Security Policy Name that has been preconfigured in PaloAlto for blocking an application. |
| Address Group | Name of the AddressGroup that is linked to the Security Policy Name for Blocking Application. |

 

Actions supported by the connector

The following automated operations can be included in playbooks:

  • Block IP: Blocks the specified IP address.

  • Unblock IP: Unblocks the specified IP address.

  • Block URL: Blocks the specified URL.

  • Unblock URL: Unblocks the specified URL.

  • Block Application: Blocks the specified application.

  • Unblock Application: Unblocks the specified application.

operation: Block IP

Input parameters

| Parameter | Description |
| --- | --- |
| IP | IP address that you want to block. |

Output

The output for all the operations is a customized JSON output that is formatted for easy reference.

The JSON output returns a Success message if the IP is successfully blocked or an Error message containing the reason for failure if the IP is not blocked.

The following image displays a sample output:

operation: Unblock IP

Input parameters

| Parameter | Description |
| --- | --- |
| IP | IP address that you want to unblock. |

Output

The JSON output returns a Success message if the IP is successfully unblocked or an Error message containing the reason for failure if the IP is not unblocked.

The following image displays a sample output:

operation: Block URL

Input parameters

| Parameter | Description |
| --- | --- |
| url | URL that you want to block. |

Output

The JSON output returns a Success message if the URL is successfully blocked or an Error message containing the reason for failure if the URL is not blocked.

The following image displays a sample output:

operation: Unblock URL

Input parameters

| Parameter | Description |
| --- | --- |
| url | URL that you want to unblock. |

Output

The JSON output returns a Success message if the URL is successfully unblocked or an Error message containing the reason for failure if the URL is not unblocked.

The following image displays a sample output:

operation: Block Application

Input parameters

| Parameter | Description |
| --- | --- |
| app | Name of the application that you want to block. |

Output

The JSON output returns a Success message if the application is successfully blocked or an Error message containing the reason for failure if the application is not blocked.

The following image displays a sample output:

operation: Unblock Application

Input parameters

| Parameter | Description |
| --- | --- |
| app | Name of the application that you want to unblock. |

Output

The JSON output returns a Success message if the application is successfully unblocked or an Error message containing the reason for failure if the application is not unblocked.

The following image displays a sample output:

Included playbooks

The Sample - PaloAlto - 1.0.0 playbook collection comes bundled with the PaloAlto connector. This collection contains steps that you can use to perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the PaloAlto connector.

Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection gets deleted during connector upgrade and delete.
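
When you clone the sample playbooks into your own collection, a guard step in front of Block IP keeps an automated block from landing on internal or business-critical addresses. The following is an added example, not code from the connector or from Fortinet: the function names, the HTTPS requirement, and the protected ranges are assumptions, and all addresses are constructed samples. It also checks the `/api` suffix that the Server URL requires.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed protected ranges (assumption): RFC 1918 space plus one
# made-up address standing in for the organisation's own mail gateway.
PROTECTED = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "198.51.100.10/32")]


def check_server_url(url):
    """Normalise the Server URL; it must be HTTPS and end in /api."""
    parts = urlsplit(url.strip())
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("expected https://<serverip>/api")
    if parts.username or parts.password:
        raise ValueError("credentials belong in Username/Password, not the URL")
    if parts.path.rstrip("/") != "/api":
        raise ValueError("Server URL must end with /api")
    return f"https://{parts.netloc}/api"


def vet_block_ip(value, protected=PROTECTED):
    """Return (True, normalised_ip) or (False, reason) for a Block IP input."""
    try:
        ip = ipaddress.ip_address(value.strip())
    except ValueError:
        # CIDR ranges, hostnames and free text are rejected here.
        return False, "not a single valid IP address"
    if ip.is_loopback or ip.is_link_local or ip.is_multicast or ip.is_unspecified:
        return False, "special-purpose address"
    for net in protected:
        if ip.version == net.version and ip in net:
            return False, f"inside protected network {net}"
    return True, str(ip)


if __name__ == "__main__":
    print(check_server_url("https://192.0.2.1/api/"))
    for candidate in ("203.0.113.45", "10.1.2.3", "198.51.100.10", "203.0.113.0/24"):
        print(candidate, vet_block_ip(candidate))
```

Run the guard on the indicator before the Block IP step and route a `False` result to analyst review instead of the firewall.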

 
