Palo Alto Firewall v2.0.4

About the connector

Palo Alto Networks® Firewall is a next-generation firewall by Palo Alto Networks®, which contains application awareness, full-stack visibility, extra-firewall intelligence, and upgrade paths in addition to the full capabilities of both traditional firewalls and intrusion prevention systems. Additionally, the company defines its firewall technology by the following abilities:

  • Identify applications regardless of port, protocol, evasive tactic, or Secure Sockets Layer.
  • Identify and control users regardless of IP address, location, or device.
  • Protect against known and unknown application-borne threats.
  • Fine-grained visibility and policy control over application access and functionality.

The Palo Alto Firewall connector allows the user to block and unblock both the IP and the application, thereby protecting against known and unknown threats and blocking communication with malicious IPs. Palo Alto Networks® helps security analysts turn threat data into threat intelligence. It takes indicators from the network, like domain names and IPs, and connects them with nearly every active domain on the Internet. Those connections inform risk assessments, help profile attackers, guide online fraud investigations, and map cyber activity to attacker infrastructure.

This document provides information about the Palo Alto Firewall connector, which facilitates automated interactions with a Palo Alto Networks® server using FortiSOAR™ playbooks. Add the Palo Alto Firewall connector as a step in FortiSOAR™ playbooks and perform automated operations, such as blocking and unblocking IPs, URLs, and applications.

Version information

Connector Version: 2.0.4

FortiSOAR™ Version Tested on: 7.2.0-914

Palo Alto Firewall Versions Tested on: 10.1

Authored By: Fortinet

Certified: Yes

Release Notes for version 2.0.4

The following enhancements have been made to the Palo Alto Firewall connector in version 2.0.4:

  • Added the facility to commit changes when the API Type is selected as 'REST APIs'. In previous versions of the connector, any changes made by the connector actions using REST APIs had to be committed explicitly; the commit is now handled by the connector code.
  • Updated the 'Security Policy Name For Blocking Application' and 'Application Group' configuration parameters as optional parameters.

Installing the connector

Use the Content Hub to install the connector. For the detailed procedure to install a connector, click here.
You can also use the following yum command as a root user to install connectors from an SSH session:

yum install cyops-connector-paloalto-firewall

Prerequisites to configuring the connector

  • You must have the IP address or hostname of the Palo Alto Networks® Firewall to which you will connect and perform the automated operations, and the credentials (username-password pair) to access that firewall.
  • The FortiSOAR™ server should have outbound connectivity to port 443 on the Palo Alto Networks® Firewall.

Permissions Required

To use the Palo Alto Firewall connector and call its REST APIs, you must be an "Administrator" or assigned an "Admin" role. The API supports the following types of administrators and "Admin" roles:

  • Dynamic Roles: Superuser, Superuser (readonly), Device admin, Device admin (readonly), Vsys admin, and Vsys admin (readonly)
  • Role-based Admins: Device, Vsys, Panorama

Configuring the connector

For the procedure to configure a connector, click here.

Configuration parameters

In FortiSOAR™, on the Content Hub (or Connector Store) page, click the Manage tab, and then click the Palo Alto Firewall connector card. On the connector popup, click the Configurations tab to enter the required configuration details.

| Parameter | Description |
|---|---|
| Server URL | IP address or Hostname of the Palo Alto Firewall. |
| Username | Username to access the Palo Alto Firewall. |
| Password | Password to access the Palo Alto Firewall. |
| Security Policy Name for Blocking IP | Security Policy Name that has been pre-configured in Palo Alto for blocking an IP. |
| IP Address Group | Name of the IP Address Group that is linked to the Security Policy Name for Blocking IP. |
| Security Policy Name for Blocking Application | (Optional) Security Policy Name that has been pre-configured in Palo Alto for blocking an Application. |
| Application Group | (Optional) Name of the Application Group that is linked to the Security Policy Name for Blocking Application. |
| Security Policy Name for Blocking URL | (Optional) Security Policy Name that has been pre-configured in Palo Alto for blocking a URL. |
| Custom URL Group | (Optional) Name of the URL Group that is linked to the Security Policy Name for Blocking URL. |
| API Type | Type of API that you want to use to run connector actions. You can choose between XML APIs or REST APIs. If you choose 'REST APIs', then from the Product Version field, select the PAN-OS version that will be used to perform the connector actions. |
| Verify SSL | Specifies whether the SSL certificate for the server is to be verified or not. |

NOTE: For more information on how to create policies and objects (address groups) in the Palo Alto firewall server, see the https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-web-interface-help/web-interface-basics document.

Actions supported by the connector

The following automated operations can be included in playbooks, and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 onward:

| Function | Description | Annotation and Category |
|---|---|---|
| Block IP | Blocks the specified IP address in the Palo Alto Firewall. | block_ip, Containment |
| Unblock IP | Unblocks the specified IP address in the Palo Alto Firewall. | unblock_ip, Remediation |
| Block URL | Blocks the specified URL in the Palo Alto Firewall. | block_url, Containment |
| Unblock URL | Unblocks the specified URL in the Palo Alto Firewall. | unblock_ip, Remediation |
| Block Application | Blocks the specified application in the Palo Alto Firewall. | block_app, Containment |
| Unblock Application | Unblocks the specified Application in the Palo Alto Firewall. | unblock_app, Remediation |

operation: Block IP

Input parameters

| Parameter | Description |
|---|---|
| IP Address | Specify the IP address that you want to block in the Palo Alto Firewall. |

Output

The output contains the following populated JSON schema:
{
    "response": {
        "@code": "",
        "@status": "",
        "result": {
            "msg": {
                "line": ""
            }
        }
    }
}

operation: Unblock IP

Input parameters

| Parameter | Description |
|---|---|
| IP Address | Specify the IP address that you want to unblock in the Palo Alto Firewall. |

Output

The output contains the following populated JSON schema:
{
    "response": {
        "@code": "",
        "@status": "",
        "result": {
            "msg": {
                "line": ""
            }
        }
    }
}

operation: Block URL

Input parameters

| Parameter | Description |
|---|---|
| URL | Specify the URL that you want to block in the Palo Alto Firewall. |

Output

The output contains the following populated JSON schema:
{
    "response": {
        "@code": "",
        "@status": "",
        "result": {
            "msg": {
                "line": ""
            }
        }
    }
}

operation: Unblock URL

Input parameters

| Parameter | Description |
|---|---|
| URL | Specify the URL that you want to unblock in the Palo Alto Firewall. |

Output

The output contains the following populated JSON schema:
{
    "response": {
        "@code": "",
        "@status": "",
        "result": {
            "msg": {
                "line": ""
            }
        }
    }
}

operation: Block Application

Input parameters

| Parameter | Description |
|---|---|
| Application Name | Specify the name of the application that you want to block in the Palo Alto Firewall. |

Output

The output contains the following populated JSON schema:
{
    "response": {
        "@code": "",
        "@status": "",
        "result": {
            "msg": {
                "line": ""
            }
        }
    }
}

operation: Unblock Application

Input parameters

| Parameter | Description |
|---|---|
| Application Name | Specify the name of the application that you want to unblock in the Palo Alto Firewall. |

Output

The output contains the following populated JSON schema:
{
    "response": {
        "@code": "",
        "@status": "",
        "result": {
            "msg": {
                "line": ""
            }
        }
    }
}
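
All six operations above return the same output schema. The following is an added example, not part of the connector or its sample playbooks, of how a playbook code step could evaluate that output before treating a block or unblock as effective. It assumes the PAN-OS XML API convention, not stated on this page, that "@status" is "success" or "error" and that codes 19 and 20 accompany success; the function name evaluate and the sample dictionaries are constructed for illustration.

```python
from __future__ import annotations
from typing import Any, Mapping

# Assumption (PAN-OS XML API convention, not stated on this page):
# "@status" is "success" or "error"; codes 19 and 20 accompany success.
SUCCESS_CODES = {"19", "20"}

# Constructed sample outputs that follow the schema documented above.
SAMPLE_OK = {"response": {"@code": "20", "@status": "success",
                          "result": {"msg": {"line": "command succeeded"}}}}
SAMPLE_ERR = {"response": {"@code": "12", "@status": "error",
                           "result": {"msg": {"line": ["a", "b"]}}}}
SAMPLE_EMPTY = {"response": {"@code": "", "@status": "",
                             "result": {"msg": {"line": ""}}}}

def _lines(msg: Any) -> list[str]:
    """Flatten result.msg; its 'line' may be a string, a list, or absent."""
    if isinstance(msg, Mapping):
        msg = msg.get("line", "")
    if msg is None:
        return []
    if isinstance(msg, (list, tuple)):
        return [str(m) for m in msg if m]
    return [str(msg)] if msg else []

def evaluate(output: Any) -> tuple[bool, str]:
    """Return (ok, detail) for one connector action output.

    Fails closed: anything other than an explicit success is reported as
    not ok, so a playbook does not record containment that never happened.
    """
    if not isinstance(output, Mapping) or not isinstance(output.get("response"), Mapping):
        return False, "malformed output: no 'response' object"
    resp = output["response"]
    status = str(resp.get("@status", "")).strip().lower()
    code = str(resp.get("@code", "")).strip()
    result = resp.get("result")
    msg = result.get("msg") if isinstance(result, Mapping) else None
    detail = "; ".join(_lines(msg)) or "(no message)"
    if status != "success":
        return False, f"status={status or 'missing'} code={code or 'missing'}: {detail}"
    if code and code not in SUCCESS_CODES:
        return False, f"unexpected code {code}: {detail}"
    return True, detail

if __name__ == "__main__":
    for sample in (SAMPLE_OK, SAMPLE_ERR, SAMPLE_EMPTY, {}):
        print(evaluate(sample))
```
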

Included playbooks

The Sample - Palo Alto Firewall - 2.0.4 playbook collection comes bundled with the Palo Alto Firewall connector. The playbooks in this collection contain steps that you can use to perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Palo Alto Firewall connector.

  • Block Application
  • Block IP
  • Block URL
  • Unblock Application
  • Unblock IP
  • Unblock URL

Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection gets deleted when the connector is upgraded or deleted.
