The Palo Alto Networks Panorama connector integrates with the Palo Alto Networks® Panorama and supports containment actions such as blocking URLs or IP addresses on the devices configured on Panorama.
This document provides information about the Palo Alto Networks Panorama connector, which facilitates automated interactions with Palo Alto Networks® Panorama using FortiSOAR™ playbooks. Add the Palo Alto Networks Panorama connector as a step in FortiSOAR™ playbooks and perform automated operations, such as blocking or unblocking URLs, IP addresses, or applications that you have specified and retrieving a list of connected firewalls from Panorama.
Connector Version: 3.1.0
Authored By: Fortinet
Certified: No
The following enhancements have been made to the Palo Alto Networks Panorama Connector in version 3.1.0:
Use the Content Hub to install the connector. For the detailed procedure to install a connector, click here.
You can also use the `yum` command as a root user to install the connector:

```
yum install cyops-connector-palo-alto-networks-panorama
```

For the procedure to configure a connector, click here.
In FortiSOAR™, on the Connectors page, click the Palo Alto Networks Panorama connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details:
Parameter | Description |
---|---|
Server URL | URL of the Palo Alto Networks® Panorama server to connect and perform automated operations. |
Username | Username to access the Palo Alto Networks® Panorama server to connect and perform automated operations. |
Password | Password to access the Palo Alto Networks® Panorama server to connect and perform automated operations. |
Device Group Name | Name of the device group on which you want to perform operations. Enter shared in this field for a shared location. |
Rule Type | Select rule type, either Pre-rule or Post-rule, where the policy is configured. |
Security Policy Name For Blocking IP | Name of the security policy that you have already configured on the Palo Alto Networks® Panorama server to block IP addresses. |
Address Group | Name of the address group that is linked to the specified security policy to block IP addresses. |
Security Policy Name For Blocking URL | Name of the security policy that you have already configured on the Palo Alto Networks® Panorama server to block URLs. |
URL Group | Name of the URL group that is linked to the specified security policy to block URLs. |
Security Policy Name For Blocking Application | Name of the security policy that you have already configured on the Palo Alto Networks® Panorama server to block applications. |
Application Group | Name of the application group that is linked to the specified security policy to block applications. |
Verify SSL | Specifies whether the SSL certificate for the server is to be verified or not. By default, this option is set as True. |
The following automated operations can be included in playbooks, and you can also use the annotations to access operations:
Function | Description | Annotation and Category |
---|---|---|
Block IP | Blocks the IP address that you have specified on all or selected devices configured on Palo Alto Networks® Panorama. | block_ip Containment |
Unblock IP | Unblocks the IP address that you have specified on all or selected devices configured on Palo Alto Networks® Panorama. | unblock_ip Remediation |
Block URL | Blocks the URL that you have specified on all or selected devices configured on Palo Alto Networks® Panorama. | block_url Containment |
Unblock URL | Unblocks the URL that you have specified on all or selected devices configured on Palo Alto Networks® Panorama. | unblock_url Remediation |
Block Application | Blocks the application that you have specified on all or selected devices configured on Palo Alto Networks® Panorama. | block_app Containment |
Unblock Application | Unblocks the application that you have specified on all or selected devices configured on Palo Alto Networks® Panorama. | unblock_app Remediation |
Get Connected Firewalls | Retrieves a list of all configured firewalls from Palo Alto Networks® Panorama. | firewall_list Investigation |
Get Device Groups | Retrieves a list of all the device groups or details of specific device groups from Palo Alto Networks® Panorama based on the device group name you have specified. | get_device_groups Investigation |
Get Application Groups | Retrieves a list of all the application groups or details of specific application groups from Palo Alto Networks® Panorama based on the application group name you have specified. | get_application_groups Investigation |
Add Host ID To Quarantine List | Adds compromised devices to the quarantine list, which you can then use to block GlobalProtect users from connecting those devices to a gateway. | add_host_id_to_quarantine_list Investigation |
Delete Host ID From Quarantine List | Removes a device that is no longer compromised from the quarantine list. | delete_host_id_from_quarantine_list Investigation |
Operation: Block IP
Parameter | Description |
---|---|
IP Address | Specify the IP address that you want to block using Palo Alto Networks® Panorama. |
Device group to configure | Specify the device group on which you want to block the IP address. |
The output contains a non-dictionary value.
Operation: Unblock IP
Parameter | Description |
---|---|
IP Address | Specify the IP address that you want to unblock using Palo Alto Networks® Panorama. |
Device group to configure | Specify the device group on which you want to unblock the IP address. |
The output contains a non-dictionary value.
Operation: Block URL
Parameter | Description |
---|---|
URL | Specify the URL that you want to block using Palo Alto Networks® Panorama. |
Device group to configure | Specify the device group on which you want to block the URL. |
The output contains a non-dictionary value.
Operation: Unblock URL
Parameter | Description |
---|---|
URL | Specify the URL that you want to unblock using Palo Alto Networks® Panorama. |
Device group to configure | Specify the device group on which you want to unblock the URL. |
The output contains a non-dictionary value.
Operation: Block Application
Parameter | Description |
---|---|
Application Name | Specify the name of the application that you want to block using Palo Alto Networks® Panorama. |
Device group to configure | Specify the device group on which you want to block the application. |
The output contains a non-dictionary value.
Operation: Unblock Application
Parameter | Description |
---|---|
Application Name | Specify the name of the application that you want to unblock using Palo Alto Networks® Panorama. |
Device group to configure | Specify the device group on which you want to unblock the application. |
The output contains a non-dictionary value.
Operation: Get Connected Firewalls
Input parameters: None.
The output contains the following populated JSON schema:
{ "response": { "@status": "", "result": { "devices": { "entry": { "@name": "", "serial": "", "connected": "", "unsupported-version": "", "deactivated": "", "hostname": "", "ip-address": "", "uptime": "", "family": "", "model": "", "sw-version": "", "app-version": "", "av-version": "", "wildfire-version": "", "threat-version": "", "url-db": "", "url-filtering-version": "", "logdb-version": "", "global-protect-client-package-version": "", "domain": "", "vpn-disable-mode": "", "operational-mode": "", "certificate-status": "", "certificate-subject-name": "", "certificate-expiry": "", "connected-at": "", "custom-certificate-usage": "", "multi-vsys": "", "vsys": { "entry": { "@name": "", "display-name": "", "shared-policy-status": "", "shared-policy-md5sum": "" } } } } } } }
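The following Python sketch is an added example, not part of the connector or of the original documentation. It reads output shaped like the Get Connected Firewalls schema above and lists firewalls that report as disconnected or out of sync, which are candidates for not having received a block pushed from Panorama. The sample data is constructed, and the value strings `success`, `yes` and `In Sync` are assumptions (the schema above shows only empty values), as is the handling of `entry` as either a single object or a list.

```python
# Constructed sample shaped like the documented "Get Connected Firewalls" output.
# Hostnames, serials and status strings are invented for illustration.
SAMPLE_OUTPUT = {"response": {"@status": "success", "result": {"devices": {"entry": [
    {"@name": "0000000001", "serial": "0000000001", "hostname": "fw-hq-01",
     "connected": "yes",
     "vsys": {"entry": {"@name": "vsys1", "shared-policy-status": "In Sync"}}},
    {"@name": "0000000002", "serial": "0000000002", "hostname": "fw-branch-01",
     "connected": "no",
     "vsys": {"entry": {"@name": "vsys1", "shared-policy-status": "In Sync"}}},
    {"@name": "0000000003", "serial": "0000000003", "hostname": "fw-dc-02",
     "connected": "yes",
     "vsys": {"entry": [
         {"@name": "vsys1", "shared-policy-status": "In Sync"},
         {"@name": "vsys2", "shared-policy-status": "Out of Sync"}]}},
]}}}}


def as_list(node):
    """Normalize a node that is a dict for one child and a list for several."""
    if not node:
        return []
    return node if isinstance(node, list) else [node]


def containment_gaps(output):
    """Return firewalls that may not be enforcing rules pushed from Panorama."""
    response = output.get("response") or {}
    # Assumed success marker; anything else is treated as a failed call.
    if response.get("@status") != "success":
        raise ValueError("Panorama call did not succeed: %r" % response.get("@status"))
    devices = (response.get("result") or {}).get("devices") or {}
    gaps = []
    for fw in as_list(devices.get("entry")):
        reasons = []
        if fw.get("connected") != "yes":  # assumed value for a connected firewall
            reasons.append("not connected to Panorama")
        for vsys in as_list((fw.get("vsys") or {}).get("entry")):
            status = vsys.get("shared-policy-status")
            if status != "In Sync":  # assumed value for a synchronized policy
                reasons.append("%s shared policy is %s" % (vsys.get("@name"), status))
        if reasons:
            gaps.append({"hostname": fw.get("hostname"), "serial": fw.get("serial"),
                         "reasons": reasons})
    return gaps


if __name__ == "__main__":
    for gap in containment_gaps(SAMPLE_OUTPUT):
        print(gap["hostname"], gap["serial"], "; ".join(gap["reasons"]))
```
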
Operation: Get Device Groups
Parameter | Description |
---|---|
Device Group Name | (Optional) Specify the name of the device group for which you want to retrieve details from Palo Alto Networks® Panorama. |
The output contains the following populated JSON schema:
{ "response": { "@status": "", "@code": "", "result": { "@total-count": "", "@count": "", "device-group": { "@admin": "", "@dirtyId": "", "@time": "", "entry": { "@name": "", "@admin": "", "@dirtyId": "", "@time": "", "devices": { "entry": { "@name": "" } }, "address-group": { "@admin": "", "@dirtyId": "", "@time": "", "entry": { "@name": "", "@admin": "", "@dirtyId": "", "@time": "", "static": { "@admin": "", "@dirtyId": "", "@time": "", "member": [ { "@admin": "", "@dirtyId": "", "@time": "", "#text": "" } ] } } }, "address": { "@admin": "", "@dirtyId": "", "@time": "", "entry": [ { "@name": "", "ip-netmask": "" } ] }, "profiles": { "url-filtering": { "entry": { "@name": "", "description": "", "credential-enforcement": { "mode": { "disabled": "" }, "log-severity": "" }, "block-list": { "member": [] }, "action": "" } } }, "application-group": "" } } } } }
Operation: Get Application Groups
Parameter | Description |
---|---|
Application Group Name | (Optional) Specify the name of the application group for which you want to retrieve details from Palo Alto Networks® Panorama. |
The output contains the following populated JSON schema:
{ "response": { "@status": "", "@code": "", "result": { "@total-count": "", "@count": "", "application-group": { "@admin": "", "@dirtyId": "", "@time": "", "entry": { "@name": "", "@admin": "", "@dirtyId": "", "@time": "", "members": { "@admin": "", "@dirtyId": "", "@time": "", "member": [ { "@admin": "", "@dirtyId": "", "@time": "", "#text": "" } ] } } } } } }
Operation: Add Host ID To Quarantine List
Parameter | Description |
---|---|
Virtual System | Specify the vsys of the firewall containing the quarantine list. |
Host ID | Specify the host ID of the compromised device. |
Reason | Specify the reason for quarantine. The reason cannot contain spaces. |
Source | Specify the source device or application from which this quarantine device was added to the quarantine list. |
Serial No | Specify the serial number of the device to be quarantined. |
The output contains a non-dictionary value.
Operation: Delete Host ID From Quarantine List
Parameter | Description |
---|---|
Host ID | Specify the host ID to remove from the quarantine list. |
The output contains a non-dictionary value.
The Sample - Palo Alto Networks Panorama - 3.1.0 playbook collection comes bundled with the Palo Alto Networks Panorama connector. These playbooks contain steps that you can use to perform all supported actions. You can see bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Palo Alto Networks Panorama connector.
Note: If you plan to use any of the sample playbooks in your environment, clone those playbooks and move them to a different collection, because the sample playbook collection is deleted when the connector is upgraded or deleted.