Fortinet Document Library

Version:


Table of Contents

Palo Alto Firewall

2.0.0
Copy Link

About the connector

Palo Alto Networks® Firewall is a next-generation firewall by Palo Alto Networks®, which contains application awareness, full-stack visibility, extra-firewall intelligence, and upgrade paths in addition to the full capabilities of both traditional firewalls and intrusion prevention systems. Additionally, the company defines its firewall technology by the following abilities:

  • Identify applications regardless of port, protocol, evasive tactic, or Secure Sockets Layer.

  • Identify and control users regardless of IP address, location, or device.

  • Protect against known and unknown application-borne threats.

  • Fine-grained visibility and policy control over application access and functionality.

The PaloAlto Firewall connector allows the user to block and unblock both the IP and the application, thereby protecting against known and unknown threats and blocking the communication with malicious IPs. Palo Alto Networks® help security analysts turn threat data into threat intelligence. It takes indicators from the network, like domain names and IPs, and connects them with nearly every active domain on the Internet. Those connections inform risk assessments, help profile attackers, guide online fraud investigations, and map cyber activity to attacker infrastructure.

This document provides information about the PaloAlto Firewall connector, which facilitates automated interactions, with a Palo Alto Networks® server using FortiSOAR™ playbooks. Add the PaloAlto Firewall connector as a step in FortiSOAR™ playbooks and perform automated operations, such as blocking and unblocking IPs, URLs, and applications.

Version information

Connector Version: 2.0.0

FortiSOAR™ Version Tested on: 6.4.1-2133

PaloAlto Firewall Versions Tested on: 9.1.1, 9.1.3, 10.0

Authored By: Fortinet

Certified: Yes

Release Notes for version 2.0.0

Following enhancements have been made to the PaloAlto Firewall connector in version 2.0.0:

  • Added the following new configuration parameters:
    • API Type
    • Product Version, if you have selected the API Type as 'REST APIs'
  • Renamed the configuration parameter 'URL Group' to 'Custom URL Group'

  • Added Rest API support for all actions.

Installing the connector

From FortiSOAR™ 5.0.0 onwards, use the Connector Store to install the connector. For the detailed procedure to install a connector, click here.
You can also use the following yum command as a root user to install connectors from an SSH session:

yum install cyops-connector-paloalto-firewall

Prerequisites to configuring the connector

  • You must have the IP address or hostname of the Palo Alto Networks® Firewall to which you will connect and perform the automated operations and credentials (username-password pair) to access the Palo Alto Networks® Firewall.
  • To access the FortiSOAR™ UI, ensure that port 443 is open through the firewall for the FortiSOAR™ instance.

Permissions Required

To use the PaloAlto Firewall connector and call its REST APIs, you must be an "Administrator" or assigned an "Admin" role. The API supports the following types of administrators and "Admin" roles:

  • Dynamic Roles: Superuser, Superuser (readonly), Device admin, Device admin (readonly), Vsys admin, and Vsys admin (readonly)
  • Role-based Admins: Device, Vsys, Panorama

Configuring the connector

For the procedure to configure a connector, click here.

Configuration parameters

In FortiSOAR™, on the Connectors page, click the PaloAlto Firewall connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details: 

Parameter Description
Server URL IP address or Hostname of the PaloAlto Firewall.
Username Username to access the PaloAlto Firewall.
Password Password to access the PaloAlto Firewall.
Security Policy Name for Blocking IP Security Policy Name that has been pre-configured in PaloAlto for blocking an IP.
IP Address Group Name of the IP Address Group that is linked to the Security Policy Name for Blocking IP.
Security Policy Name for Blocking URL Security Policy Name that has been pre-configured in PaloAlto for blocking a URL.
Custom URL Group Name of the URL Group that is linked to the Security Policy Name for Blocking URL.
Security Policy Name for Blocking Application Security Policy Name that has been pre-configured in PaloAlto for blocking an Application.
Application Group Name of the Application Group that is linked to the Security Policy Name for Blocking Application.
API Type Type of API that you want to use to run connector actions. You can choose between XML APIs or REST APIs.
If you choose 'REST APIs', then from the Product Version field, select the PAN-OS version that will be used to perform the connector actions.
Verify SSL Specifies whether the SSL certificate for the server is to be verified or not.

Actions supported by the connector

The following automated operations can be included in playbooks, and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 onward:

Function Description Annotation and Category
Block IP Blocks the specified IP address in the PaloAlto Firewall. block_ip
Containment
Unblock IP Unblocks the specified IP address in the PaloAlto Firewall. unblock_ip
Remediation
Block URL Blocks the specified URL in the PaloAlto Firewall. block_url
Containment
Unblock URL Unblocks the specified URL in the PaloAlto Firewall. unblock_ip
Remediation
Block Application Blocks the specified application in the PaloAlto Firewall. block_app
Containment
Unblock Application Unblocks the specified Application in the PaloAlto Firewall. unblock_app
Remediation

operation: Block IP

Input parameters

Parameter Description
IP Address IP address that you want to block in the PaloAlto Firewall.

Output

The output contains the following populated JSON schema:
{
     "response": {
         "@code": "",
         "@status": "",
         "result": {
             "msg": {
                 "line": ""
             }
         }
     }
}

operation: Unblock IP

Input parameters

Parameter Description
IP Address IP address that you want to unblock in the PaloAlto Firewall.

Output

The output contains the following populated JSON schema:
{
     "response": {
         "@code": "",
         "@status": "",
         "result": {
             "msg": {
                 "line": ""
             }
         }
     }
}

operation: Block URL

Input parameters

Parameter Description
URL URL that you want to block in the PaloAlto Firewall.

Output

The output contains the following populated JSON schema:
{
     "response": {
         "@code": "",
         "@status": "",
         "result": {
             "msg": {
                 "line": ""
             }
         }
     }
}

operation: Unblock URL

Input parameters

Parameter Description
URL URL that you want to unblock in the PaloAlto Firewall.

Output

The output contains the following populated JSON schema:
{
     "response": {
         "@code": "",
         "@status": "",
         "result": {
             "msg": {
                 "line": ""
             }
         }
     }
}

operation: Block Application

Input parameters

Parameter Description
Application Name Name of the application that you want to block in the PaloAlto Firewall.

Output

The output contains the following populated JSON schema:
{
     "response": {
         "@code": "",
         "@status": "",
         "result": {
             "msg": {
                 "line": ""
             }
         }
     }
}

operation: Unblock Application

Input parameters

Parameter Description
Application Name Name of the application that you want to unblock in the PaloAlto Firewall.

Output

The output contains the following populated JSON schema:
{
     "response": {
         "@code": "",
         "@status": "",
         "result": {
             "msg": {
                 "line": ""
             }
         }
     }
}

Included playbooks

The Sample - PaloAlto Firewall - 2.0.0 playbook collection comes bundled with the PaloAlto Firewall connector. This playbook contains steps using which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the PaloAlto Firewall connector.

  • Block Application
  • Block IP
  • Block URL
  • Unblock Application
  • Unblock IP
  • Unblock URL

Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during the connector upgrade and delete.

About the connector

Palo Alto Networks® Firewall is a next-generation firewall by Palo Alto Networks®, which contains application awareness, full-stack visibility, extra-firewall intelligence, and upgrade paths in addition to the full capabilities of both traditional firewalls and intrusion prevention systems. Additionally, the company defines its firewall technology by the following abilities:

The PaloAlto Firewall connector allows the user to block and unblock both the IP and the application, thereby protecting against known and unknown threats and blocking the communication with malicious IPs. Palo Alto Networks® help security analysts turn threat data into threat intelligence. It takes indicators from the network, like domain names and IPs, and connects them with nearly every active domain on the Internet. Those connections inform risk assessments, help profile attackers, guide online fraud investigations, and map cyber activity to attacker infrastructure.

This document provides information about the PaloAlto Firewall connector, which facilitates automated interactions, with a Palo Alto Networks® server using FortiSOAR™ playbooks. Add the PaloAlto Firewall connector as a step in FortiSOAR™ playbooks and perform automated operations, such as blocking and unblocking IPs, URLs, and applications.

Version information

Connector Version: 2.0.0

FortiSOAR™ Version Tested on: 6.4.1-2133

PaloAlto Firewall Versions Tested on: 9.1.1, 9.1.3, 10.0

Authored By: Fortinet

Certified: Yes

Release Notes for version 2.0.0

Following enhancements have been made to the PaloAlto Firewall connector in version 2.0.0:

Installing the connector

From FortiSOAR™ 5.0.0 onwards, use the Connector Store to install the connector. For the detailed procedure to install a connector, click here.
You can also use the following yum command as a root user to install connectors from an SSH session:

yum install cyops-connector-paloalto-firewall

Prerequisites to configuring the connector

Permissions Required

To use the PaloAlto Firewall connector and call its REST APIs, you must be an "Administrator" or assigned an "Admin" role. The API supports the following types of administrators and "Admin" roles:

Configuring the connector

For the procedure to configure a connector, click here.

Configuration parameters

In FortiSOAR™, on the Connectors page, click the PaloAlto Firewall connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details: 

Parameter Description
Server URL IP address or Hostname of the PaloAlto Firewall.
Username Username to access the PaloAlto Firewall.
Password Password to access the PaloAlto Firewall.
Security Policy Name for Blocking IP Security Policy Name that has been pre-configured in PaloAlto for blocking an IP.
IP Address Group Name of the IP Address Group that is linked to the Security Policy Name for Blocking IP.
Security Policy Name for Blocking URL Security Policy Name that has been pre-configured in PaloAlto for blocking a URL.
Custom URL Group Name of the URL Group that is linked to the Security Policy Name for Blocking URL.
Security Policy Name for Blocking Application Security Policy Name that has been pre-configured in PaloAlto for blocking an Application.
Application Group Name of the Application Group that is linked to the Security Policy Name for Blocking Application.
API Type Type of API that you want to use to run connector actions. You can choose between XML APIs or REST APIs.
If you choose 'REST APIs', then from the Product Version field, select the PAN-OS version that will be used to perform the connector actions.
Verify SSL Specifies whether the SSL certificate for the server is to be verified or not.

Actions supported by the connector

The following automated operations can be included in playbooks, and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 onward:

Function Description Annotation and Category
Block IP Blocks the specified IP address in the PaloAlto Firewall. block_ip
Containment
Unblock IP Unblocks the specified IP address in the PaloAlto Firewall. unblock_ip
Remediation
Block URL Blocks the specified URL in the PaloAlto Firewall. block_url
Containment
Unblock URL Unblocks the specified URL in the PaloAlto Firewall. unblock_ip
Remediation
Block Application Blocks the specified application in the PaloAlto Firewall. block_app
Containment
Unblock Application Unblocks the specified Application in the PaloAlto Firewall. unblock_app
Remediation

operation: Block IP

Input parameters

Parameter Description
IP Address IP address that you want to block in the PaloAlto Firewall.

Output

The output contains the following populated JSON schema:
{
     "response": {
         "@code": "",
         "@status": "",
         "result": {
             "msg": {
                 "line": ""
             }
         }
     }
}

operation: Unblock IP

Input parameters

Parameter Description
IP Address IP address that you want to unblock in the PaloAlto Firewall.

Output

The output contains the following populated JSON schema:
{
     "response": {
         "@code": "",
         "@status": "",
         "result": {
             "msg": {
                 "line": ""
             }
         }
     }
}

operation: Block URL

Input parameters

Parameter Description
URL URL that you want to block in the PaloAlto Firewall.

Output

The output contains the following populated JSON schema:
{
     "response": {
         "@code": "",
         "@status": "",
         "result": {
             "msg": {
                 "line": ""
             }
         }
     }
}

operation: Unblock URL

Input parameters

Parameter Description
URL URL that you want to unblock in the PaloAlto Firewall.

Output

The output contains the following populated JSON schema:
{
     "response": {
         "@code": "",
         "@status": "",
         "result": {
             "msg": {
                 "line": ""
             }
         }
     }
}

operation: Block Application

Input parameters

Parameter Description
Application Name Name of the application that you want to block in the PaloAlto Firewall.

Output

The output contains the following populated JSON schema:
{
     "response": {
         "@code": "",
         "@status": "",
         "result": {
             "msg": {
                 "line": ""
             }
         }
     }
}

operation: Unblock Application

Input parameters

Parameter Description
Application Name Name of the application that you want to unblock in the PaloAlto Firewall.

Output

The output contains the following populated JSON schema:
{
     "response": {
         "@code": "",
         "@status": "",
         "result": {
             "msg": {
                 "line": ""
             }
         }
     }
}

Included playbooks

The Sample - PaloAlto Firewall - 2.0.0 playbook collection comes bundled with the PaloAlto Firewall connector. This playbook contains steps using which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the PaloAlto Firewall connector.

Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during the connector upgrade and delete.