Palo Alto Networks Panorama v3.1.0

About the connector

The Palo Alto Networks Panorama connector integrates with the Palo Alto Networks® Panorama and supports containment actions such as blocking URLs or IP addresses on the devices configured on Panorama.

This document provides information about the Palo Alto Networks Panorama connector, which facilitates automated interactions with Palo Alto Networks® Panorama using FortiSOAR™ playbooks. Add the Palo Alto Networks Panorama connector as a step in FortiSOAR™ playbooks and perform automated operations, such as blocking or unblocking URLs, IP addresses, or applications that you have specified and retrieving a list of connected firewalls from Panorama.

Version information

Connector Version: 3.1.0

Authored By: Fortinet

Certified: No

Release Notes for version 3.1.0

The following enhancements have been made to the Palo Alto Networks Panorama connector in version 3.1.0:

  • Added the following new operations and their respective playbooks:
    • Add Host ID To Quarantine List
    • Delete Host ID From Quarantine List

Installing the connector

Use the Content Hub to install the connector. For the detailed procedure to install a connector, click here.

You can also use the yum command as a root user to install the connector:

yum install cyops-connector-palo-alto-networks-panorama

Prerequisites to configuring the connector

  • You must have the credentials of the Palo Alto Networks Panorama server to which you will connect and perform automated operations.
  • The FortiSOAR™ server should have outbound connectivity to port 443 on the Palo Alto Networks Panorama server.

Minimum Permissions Required

  • Not applicable

Configuring the connector

For the procedure to configure a connector, click here

Configuration parameters

In FortiSOAR™, on the Connectors page, click the Palo Alto Networks Panorama connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details:

| Parameter | Description |
|---|---|
| Server URL | URL of the Palo Alto Networks® Panorama server to which you will connect and perform automated operations. |
| Username | Username to access the Palo Alto Networks® Panorama server to which you will connect and perform automated operations. |
| Password | Password to access the Palo Alto Networks® Panorama server to which you will connect and perform automated operations. |
| Device Group Name | Name of the device group on which you want to perform operations. Enter shared in this field for a shared location. |
| Rule Type | Select the rule type, either Pre-rule or Post-rule, where the policy is configured. |
| Security Policy Name For Blocking IP | Name of the security policy that you have already configured on the Palo Alto Networks® Panorama server to block IP addresses. |
| Address Group | Name of the address group that is linked to the specified security policy to block IP addresses. |
| Security Policy Name For Blocking URL | Name of the security policy that you have already configured on the Palo Alto Networks® Panorama server to block URLs. |
| URL Group | Name of the URL group that is linked to the specified security policy to block URLs. |
| Security Policy Name For Blocking Application | Name of the security policy that you have already configured on the Palo Alto Networks® Panorama server to block applications. |
| Application Group | Name of the application group that is linked to the specified security policy to block applications. |
| Verify SSL | Specifies whether the SSL certificate for the server is to be verified or not. By default, this option is set as True. |

Actions supported by the connector

The following automated operations can be included in playbooks, and you can also use the annotations to access operations:

| Function | Description | Annotation and Category |
|---|---|---|
| Block IP | Blocks the IP address that you have specified on all or selected devices configured on Palo Alto Networks® Panorama. | block_ip / Containment |
| Unblock IP | Unblocks the IP address that you have specified on all or selected devices configured on Palo Alto Networks® Panorama. | unblock_ip / Remediation |
| Block URL | Blocks the URL that you have specified on all or selected devices configured on Palo Alto Networks® Panorama. | block_url / Containment |
| Unblock URL | Unblocks the URL that you have specified on all or selected devices configured on Palo Alto Networks® Panorama. | unblock_url / Remediation |
| Block Application | Blocks the application that you have specified on all or selected devices configured on Palo Alto Networks® Panorama. | block_app / Containment |
| Unblock Application | Unblocks the application that you have specified on all or selected devices configured on Palo Alto Networks® Panorama. | unblock_app / Remediation |
| Get Connected Firewalls | Retrieves a list of all configured firewalls from Palo Alto Networks® Panorama. | firewall_list / Investigation |
| Get Device Groups | Retrieves a list of all the device groups or details of specific device groups from Palo Alto Networks® Panorama based on the device group name you have specified. | get_device_groups / Investigation |
| Get Application Groups | Retrieves a list of all the application groups or details of specific application groups from Palo Alto Networks® Panorama based on the application group name you have specified. | get_application_groups / Investigation |
| Add Host ID To Quarantine List | Adds compromised devices to the quarantine list, which you can then use to block GlobalProtect users from connecting those devices to a gateway. | add_host_id_to_quarantine_list / Investigation |
| Delete Host ID From Quarantine List | Removes a device that is no longer compromised from the quarantine list. | delete_host_id_from_quarantine_list / Investigation |

operation: Block IP

Input parameters

| Parameter | Description |
|---|---|
| IP Address | Specify the IP address that you want to block using Palo Alto Networks® Panorama. |
| Device group to configure | Specify the device group on which you want to block the IP address. |

Output

The output contains a non-dictionary value.

operation: Unblock IP

Input parameters

| Parameter | Description |
|---|---|
| IP Address | Specify the IP address that you want to unblock using Palo Alto Networks® Panorama. |
| Device group to configure | Specify the device group on which you want to unblock the IP address. |

Output

The output contains a non-dictionary value.

operation: Block URL

Input parameters

| Parameter | Description |
|---|---|
| URL | Specify the URL that you want to block using Palo Alto Networks® Panorama. |
| Device group to configure | Specify the device group on which you want to block the URL. |

Output

The output contains a non-dictionary value.

operation: Unblock URL

Input parameters

| Parameter | Description |
|---|---|
| URL | Specify the URL that you want to unblock using Palo Alto Networks® Panorama. |
| Device group to configure | Specify the device group on which you want to unblock the URL. |

Output

The output contains a non-dictionary value.

operation: Block Application

Input parameters

| Parameter | Description |
|---|---|
| Application Name | Specify the name of the application that you want to block using Palo Alto Networks® Panorama. |
| Device group to configure | Specify the device group on which you want to block the application. |

Output

The output contains a non-dictionary value.

operation: Unblock Application

Input parameters

| Parameter | Description |
|---|---|
| Application Name | Specify the name of the application that you want to unblock using Palo Alto Networks® Panorama. |
| Device group to configure | Specify the device group on which you want to unblock the application. |

Output

The output contains a non-dictionary value.

operation: Get Connected Firewalls

Input parameters

None.

Output

The output contains the following populated JSON schema:

{
    "response": {
        "@status": "",
        "result": {
            "devices": {
                "entry": {
                    "@name": "",
                    "serial": "",
                    "connected": "",
                    "unsupported-version": "",
                    "deactivated": "",
                    "hostname": "",
                    "ip-address": "",
                    "uptime": "",
                    "family": "",
                    "model": "",
                    "sw-version": "",
                    "app-version": "",
                    "av-version": "",
                    "wildfire-version": "",
                    "threat-version": "",
                    "url-db": "",
                    "url-filtering-version": "",
                    "logdb-version": "",
                    "global-protect-client-package-version": "",
                    "domain": "",
                    "vpn-disable-mode": "",
                    "operational-mode": "",
                    "certificate-status": "",
                    "certificate-subject-name": "",
                    "certificate-expiry": "",
                    "connected-at": "",
                    "custom-certificate-usage": "",
                    "multi-vsys": "",
                    "vsys": {
                        "entry": {
                            "@name": "",
                            "display-name": "",
                            "shared-policy-status": "",
                            "shared-policy-md5sum": ""
                        }
                    }
                }
            }
        }
    }
}
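
A playbook that has just run a containment action usually needs to know which managed firewalls can actually receive the policy. The following added example (not part of the connector or its sample playbooks) walks the Get Connected Firewalls output above and lists devices that are disconnected or have a virtual system whose shared policy is not in sync. It assumes that `entry` nodes may arrive as a single object or as a list, and that Panorama reports `success`, `yes` and `In Sync` for a healthy device; none of these values are stated on this page, and the sample data is constructed.

```python
# Assumed values, not stated on the page: adjust to what your Panorama returns.
STATUS_OK = "success"
CONNECTED_YES = "yes"
POLICY_IN_SYNC = "In Sync"

# Constructed sample in the shape of the schema above; all values are made up.
SAMPLE_FIREWALLS = {"response": {"@status": "success", "result": {"devices": {"entry": [
    {"@name": "000000000001", "serial": "000000000001", "connected": "yes",
     "hostname": "fw-edge-01", "ip-address": "192.0.2.10",
     "vsys": {"entry": {"@name": "vsys1", "display-name": "vsys1",
                        "shared-policy-status": "In Sync"}}},
    {"@name": "000000000002", "serial": "000000000002", "connected": "no",
     "hostname": "fw-branch-02", "ip-address": "192.0.2.20",
     "vsys": {"entry": [
         {"@name": "vsys1", "display-name": "vsys1",
          "shared-policy-status": "Out of Sync"},
         {"@name": "vsys2", "display-name": "vsys2",
          "shared-policy-status": "In Sync"}]}},
]}}}}


def as_list(node):
    """Normalize a node that may be missing, a single object, or a list."""
    if not node:
        return []
    return node if isinstance(node, list) else [node]


def summarize_firewalls(output):
    """Return one summary dict per firewall in a Get Connected Firewalls output."""
    response = (output or {}).get("response") or {}
    if response.get("@status") != STATUS_OK:
        raise ValueError("Panorama did not report success: %r" % response.get("@status"))
    devices = (response.get("result") or {}).get("devices") or {}
    summary = []
    for fw in as_list(devices.get("entry")):
        vsys_entries = as_list((fw.get("vsys") or {}).get("entry"))
        out_of_sync = [v.get("@name") for v in vsys_entries
                       if v.get("shared-policy-status") != POLICY_IN_SYNC]
        connected = fw.get("connected") == CONNECTED_YES
        summary.append({
            "serial": fw.get("serial") or fw.get("@name"),
            "hostname": fw.get("hostname"),
            "connected": connected,
            "out_of_sync_vsys": out_of_sync,
            "needs_attention": (not connected) or bool(out_of_sync),
        })
    return summary


def firewalls_needing_attention(output):
    """Hostnames of firewalls that are disconnected or have out-of-sync policy."""
    return [fw["hostname"] for fw in summarize_firewalls(output) if fw["needs_attention"]]


if __name__ == "__main__":
    for fw in summarize_firewalls(SAMPLE_FIREWALLS):
        print(fw)
```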

operation: Get Device Groups

Input parameters

| Parameter | Description |
|---|---|
| Device Group Name | (Optional) Specify the name of the device group for which you want to retrieve details from Palo Alto Networks® Panorama. |

Output

The output contains the following populated JSON schema:

{
    "response": {
        "@status": "",
        "@code": "",
        "result": {
            "@total-count": "",
            "@count": "",
            "device-group": {
                "@admin": "",
                "@dirtyId": "",
                "@time": "",
                "entry": {
                    "@name": "",
                    "@admin": "",
                    "@dirtyId": "",
                    "@time": "",
                    "devices": {
                        "entry": {
                            "@name": ""
                        }
                    },
                    "address-group": {
                        "@admin": "",
                        "@dirtyId": "",
                        "@time": "",
                        "entry": {
                            "@name": "",
                            "@admin": "",
                            "@dirtyId": "",
                            "@time": "",
                            "static": {
                                "@admin": "",
                                "@dirtyId": "",
                                "@time": "",
                                "member": [
                                    {
                                        "@admin": "",
                                        "@dirtyId": "",
                                        "@time": "",
                                        "#text": ""
                                    }
                                ]
                            }
                        }
                    },
                    "address": {
                        "@admin": "",
                        "@dirtyId": "",
                        "@time": "",
                        "entry": [
                            {
                                "@name": "",
                                "ip-netmask": ""
                            }
                        ]
                    },
                    "profiles": {
                        "url-filtering": {
                            "entry": {
                                "@name": "",
                                "description": "",
                                "credential-enforcement": {
                                    "mode": {
                                        "disabled": ""
                                    },
                                    "log-severity": ""
                                },
                                "block-list": {
                                    "member": []
                                },
                                "action": ""
                            }
                        }
                    },
                    "application-group": ""
                }
            }
        }
    }
}
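
Because Block IP returns only a non-dictionary value, a playbook can use the Get Device Groups output above to confirm that an address really ended up in the blocking address group. The following added example (not part of the connector or its sample playbooks) resolves the static members of an address group to their address objects and checks whether a given IP is covered. It assumes that group members are address object names, that a member may appear either as a plain string or as an object with a `#text` key, and that `entry` nodes may be a single object or a list; the device group, address group and object names are constructed.

```python
import ipaddress

# Constructed sample in the shape of the schema above; all names and values are made up.
SAMPLE_DEVICE_GROUPS = {"response": {"@status": "success", "result": {
    "@total-count": "1", "@count": "1",
    "device-group": {"entry": {
        "@name": "branch-offices",
        "address-group": {"entry": {
            "@name": "soar-blocked-ips",
            "static": {"member": [
                {"@admin": "soar", "#text": "blocked-203.0.113.5"},
                "blocked-198.51.100.0-24",
            ]},
        }},
        "address": {"entry": [
            {"@name": "blocked-203.0.113.5", "ip-netmask": "203.0.113.5"},
            {"@name": "blocked-198.51.100.0-24", "ip-netmask": "198.51.100.0/24"},
            {"@name": "unrelated-host", "ip-netmask": "192.0.2.77/32"},
        ]},
        "application-group": "",
    }},
}}}


def as_list(node):
    """Normalize a node that may be missing, a single object, or a list."""
    if not node:
        return []
    return node if isinstance(node, list) else [node]


def member_names(group_entry):
    """Names of the static members of one address-group entry."""
    members = as_list((group_entry.get("static") or {}).get("member"))
    return [m.get("#text") if isinstance(m, dict) else m for m in members]


def is_ip_blocked(output, device_group, address_group, ip):
    """True if `ip` falls inside an address object that is a member of the group."""
    target = ipaddress.ip_address(ip)
    result = ((output or {}).get("response") or {}).get("result") or {}
    for dg in as_list((result.get("device-group") or {}).get("entry")):
        if dg.get("@name") != device_group:
            continue
        # Map address object name -> ip-netmask value for this device group.
        objects = {a.get("@name"): a.get("ip-netmask")
                   for a in as_list((dg.get("address") or {}).get("entry"))}
        for group in as_list((dg.get("address-group") or {}).get("entry")):
            if group.get("@name") != address_group:
                continue
            for name in member_names(group):
                netmask = objects.get(name)
                if not netmask:
                    continue  # object not defined in this device group, or not an ip-netmask
                try:
                    if target in ipaddress.ip_network(netmask, strict=False):
                        return True
                except ValueError:
                    continue  # malformed ip-netmask value; skip it
    return False


if __name__ == "__main__":
    for candidate in ("203.0.113.5", "198.51.100.42", "192.0.2.77"):
        print(candidate, is_ip_blocked(SAMPLE_DEVICE_GROUPS, "branch-offices",
                                       "soar-blocked-ips", candidate))
```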

operation: Get Application Groups

Input parameters

| Parameter | Description |
|---|---|
| Application Group Name | (Optional) Specify the name of the application group for which you want to retrieve details from Palo Alto Networks® Panorama. |

Output

The output contains the following populated JSON schema:

{
    "response": {
        "@status": "",
        "@code": "",
        "result": {
            "@total-count": "",
            "@count": "",
            "application-group": {
                "@admin": "",
                "@dirtyId": "",
                "@time": "",
                "entry": {
                    "@name": "",
                    "@admin": "",
                    "@dirtyId": "",
                    "@time": "",
                    "members": {
                        "@admin": "",
                        "@dirtyId": "",
                        "@time": "",
                        "member": [
                            {
                                "@admin": "",
                                "@dirtyId": "",
                                "@time": "",
                                "#text": ""
                            }
                        ]
                    }
                }
            }
        }
    }
}

operation: Add Host ID To Quarantine List

Input parameters

| Parameter | Description |
|---|---|
| Virtual System | Specify the vsys of the firewall containing the quarantine list. |
| Host ID | Specify the host ID of the compromised device. |
| Reason | Specify the reason for quarantine. The reason cannot contain spaces. |
| Source | Specify the source device or application from which this quarantine device was added to the quarantine list. |
| Serial No | Specify the serial number of the device to be quarantined. |

Output

The output contains a non-dictionary value.

operation: Delete Host ID From Quarantine List

Input parameters

| Parameter | Description |
|---|---|
| Host ID | Specify the host ID to remove from the quarantine list. |

Output

The output contains a non-dictionary value.

Included playbooks

The Sample - Palo Alto Networks Panorama - 3.1.0 playbook collection comes bundled with the Palo Alto Networks Panorama connector. These playbooks contain steps that you can use to perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Palo Alto Networks Panorama connector.

  • Add Host ID To Quarantine List
  • Block Application
  • Block IP
  • Block URL
  • Delete Host ID From Quarantine List
  • Get Application Groups
  • Get Connected Firewalls
  • Get Device Groups
  • Unblock Application
  • Unblock IP
  • Unblock URL

Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection is deleted when the connector is upgraded or deleted.
