Palo Alto Firewall v3.1.1

About the connector

Palo Alto Networks® Firewall is a next-generation firewall by Palo Alto Networks®, which contains application awareness, full-stack visibility, extra-firewall intelligence, and upgrade paths in addition to the full capabilities of both traditional firewalls and intrusion prevention systems. Additionally, the company defines its firewall technology by the following abilities:

  • Identify applications regardless of port, protocol, evasive tactic, or Secure Sockets Layer.
  • Identify and control users regardless of IP address, location, or device.
  • Protect against known and unknown application-borne threats.
  • Fine-grained visibility and policy control over application access and functionality.

The Palo Alto Firewall connector allows the user to block and unblock both the IP and the application, thereby protecting against known and unknown threats and blocking communication with malicious IPs. Palo Alto Networks® helps security analysts turn threat data into threat intelligence. It takes indicators from the network, like domain names and IPs, and connects them with nearly every active domain on the Internet. Those connections inform risk assessments, help profile attackers, guide online fraud investigations, and map cyber activity to attacker infrastructure.

This document provides information about the Palo Alto Firewall connector, which facilitates automated interactions with a Palo Alto Networks® server using FortiSOAR™ playbooks. Add the Palo Alto Firewall connector as a step in FortiSOAR™ playbooks and perform automated operations, such as blocking and unblocking IPs, URLs, and applications.

Version information

Connector Version: 3.1.1

FortiSOAR™ Version Tested on: 7.5.0-4015

Palo Alto Firewall Software Version Tested On: 10.2.2-h2

Palo Alto Firewall Version Tested on: 8556-7343

Authored By: Fortinet

Certified: Yes

Release Notes for version 3.1.1

The following enhancements have been made to the Palo Alto Firewall Connector in version 3.1.1:

  • Fixed an issue where the following actions were making XML API calls instead of JSON REST API calls:
    • Block URL
    • Unblock URL
    • Block IP
    • Unblock IP

Installing the connector

Use the Content Hub to install the connector. For the detailed procedure to install a connector, click here.

You can also use the yum command as a root user to install the connector:

yum install cyops-connector-paloalto-firewall

Prerequisites to configuring the connector

  • You must have the credentials of the Palo Alto Firewall server to which you will connect and perform automated operations.
  • The FortiSOAR™ server should have outbound connectivity to port 443 on the Palo Alto Firewall server.

Minimum Permissions Required

To use the Palo Alto Firewall connector and call its REST APIs, you must be an Administrator or assigned an Admin role. The API supports the following types of administrators and Admin roles:

  • Dynamic Roles: Superuser, Superuser (readonly), Device admin, Device admin (readonly), Vsys admin, and Vsys admin (readonly)
  • Role-based Admins: Device, Vsys, Panorama

Configuring the connector

For the procedure to configure a connector, click here

Configuration parameters

In FortiSOAR™, on the Content Hub (or Connector Store) page, click the Manage tab, and then click the Palo Alto Firewall connector card. On the connector popup, click the Configurations tab to enter the required configuration details.

Parameter Description
Server URL IP address or Hostname of the Palo Alto Firewall.
Username Username to access the Palo Alto Firewall.
Password Password to access the Palo Alto Firewall.
Virtual System Virtual System (vsys) ID to access the Palo Alto Firewall. By default, this is set as vsys1.
Security Policy Name for Blocking IP Security Policy Name that has been pre-configured in Palo Alto for blocking an IP.
IP Address Group Name of the IP Address Group that is linked to the Security Policy Name for Blocking IP.
Security Policy Name for Blocking Application (Optional) Security Policy Name that has been pre-configured in Palo Alto for blocking an Application.
Application Group (Optional) Name of the Application Group that is linked to the Security Policy Name for Blocking Application.
Security Policy Name for Blocking URL (Optional) Security Policy Name that has been pre-configured in Palo Alto for blocking a URL.
Custom URL Group (Optional) Name of the URL Group that is linked to the Security Policy Name for Blocking URL.
API Type Type of API that you want to use to run connector actions. You can choose from the following options:
  • XML APIs
  • REST APIs: Select values in the following field:
    • Product Version: Select the PAN-OS version to use for performing connector actions.
Verify SSL Specifies whether the SSL certificate for the server is to be verified.
By default, this option is set to True.

NOTE: For more information on how to create policies and objects (address groups) in the Palo Alto firewall server, see the https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-web-interface-help/web-interface-basics document.

Actions supported by the connector

The following automated operations can be included in playbooks, and you can also use the annotations to access operations from FortiSOAR™:

Function Description Annotation and Category
Block IP Blocks the specified IP address in the Palo Alto Firewall. block_ip
Containment
Unblock IP Unblocks the specified IP address in the Palo Alto Firewall. unblock_ip
Remediation
Block URL Blocks the specified URL in Palo Alto Firewall. block_url
Containment
Unblock URL Unblocks the specified URL in Palo Alto Firewall. unblock_url
Remediation
Block Application Blocks the specified application in Palo Alto Firewall. block_app
Containment
Unblock Application Unblocks the specified application in Palo Alto Firewall. unblock_app
Remediation
Create Security Policy Rule Creates a security policy rule in Palo Alto Firewall based on the input parameters that you have specified. create_security_rule
Investigation
Get All Security Policy Rules List Retrieves a list of all security policy rules or a specific security policy rule from Palo Alto Firewall based on the input parameters that you have specified. list_security_rule
Investigation
Update Security Policy Rule Modifies a security policy rule in Palo Alto Firewall based on the input parameters that you have specified. edit_security_rule
Investigation
Rename Security Policy Rule Renames an existing security policy rule in Palo Alto Firewall based on the name of security policy rule and new name of security policy rule that you have specified. rename_security_rule
Investigation
Move Security Policy Rule Moves a specific security policy rule to a specified position in Palo Alto Firewall. move_security_rule
Investigation
Delete Security Policy Rule Removes a specific security policy rule from Palo Alto Firewall based on the name of security policy rule that you have specified. delete_security_rule
Investigation
Create IP Address Object Creates an IP address object in Palo Alto Firewall based on the name of IP address, address type, or other input parameters that you have specified. create_address
Investigation
Get All Address List Retrieves a list of all addresses from Palo Alto Firewall. get_address_list
Investigation
Get Specific IP Address Object Details Retrieves the details of a specific address from Palo Alto Firewall based on the name of IP address that you have specified. get_address_details
Investigation
Update IP Address Object Modifies a specific IP address object in Palo Alto Firewall based on the name of IP address, address type, or other input parameters that you have specified. edit_address
Investigation
Rename IP Address Object Name Renames an existing IP address object name in Palo Alto Firewall based on the name of IP address and new name of IP address that you have specified. rename_address
Investigation
Delete IP Address Object Removes a specific IP address object from Palo Alto Firewall based on the name of IP address that you have specified. delete_address
Investigation
Create Address Group Creates an address group in Palo Alto Firewall based on the name of address group, address group type, or other input parameters that you have specified. create_address_group
Investigation
Get All Address Group List Retrieves a list of all address groups from Palo Alto Firewall. get_address_group_list
Investigation
Get Address Group Details Retrieves the details of a specific address group from Palo Alto Firewall based on the name of address group that you have specified. get_address_group
Investigation
Rename Specific Address Group Renames an existing address group in Palo Alto Firewall based on the name of address group and new name of address group that you have specified. rename_address_group
Investigation
Add IP Address to Address Group Adds IP address to specific address group in Palo Alto Firewall based on the name of address group and name of IP address. add_address_to_specific_group
Investigation
Remove IP Address from Address Group Removes IP address from specific address group in Palo Alto Firewall based on the name of address group and name of IP address. remove_address_from_specific_group
Investigation
Delete Address Group Removes a specific address group from Palo Alto Firewall based on the name of the address group that you have specified. delete_address_group
Investigation

operation: Block IP

Input parameters

Parameter Description
IP Address Specify the IP address that you want to block in the Palo Alto Firewall.

Output

The output contains the following populated JSON schema:

{
    "response": {
        "@code": "",
        "@status": "",
        "result": {
            "msg": {
                "line": ""
            }
        }
    }
}

operation: Unblock IP

Input parameters

Parameter Description
IP Address Specify the IP address that you want to unblock in the Palo Alto Firewall.

Output

The output contains the following populated JSON schema:

{
    "@code": "",
    "@status": "",
    "msg": ""
}
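
Block IP and Unblock IP document two different output shapes: one nested under "response" with the message at result.msg.line, and one flat with "msg" at the top level. The following added example (not part of the connector's own code) normalizes both so a playbook step can confirm that a containment action was applied. It assumes that "@status" carries the value "success" on success, which the page does not state; the sample outputs are constructed.

```python
# Added example: normalises the two output shapes documented for this connector.
# Assumption (not stated on the page): "@status" is "success" when the
# firewall applied the change; every other value is treated as a failure.
SUCCESS_STATUS = "success"


def normalize_result(output):
    """Return {'code', 'status', 'message'} from either documented shape."""
    if not isinstance(output, dict):
        raise ValueError("connector output must be a JSON object")
    # The wrapped shape keeps everything under "response"; the flat one does not.
    body = output.get("response", output)
    if not isinstance(body, dict):
        raise ValueError("'response' must be a JSON object")
    # Flat shape: "msg" at the top level. Wrapped shape: result -> msg -> line.
    msg = body.get("msg")
    if msg is None and isinstance(body.get("result"), dict):
        msg = body["result"].get("msg")
    if isinstance(msg, dict):
        msg = msg.get("line", "")
    if isinstance(msg, list):  # defensive: several message lines
        msg = "; ".join(str(item) for item in msg)
    return {
        "code": str(body.get("@code", "")),
        "status": str(body.get("@status", "")).strip().lower(),
        "message": str(msg or ""),
    }


def action_succeeded(output):
    """Fail closed: only an explicit success status counts as applied."""
    try:
        return normalize_result(output)["status"] == SUCCESS_STATUS
    except ValueError:
        return False


# Constructed sample outputs (illustrative values, not captured from a device).
WRAPPED_OK = {"response": {"@code": "20", "@status": "success",
                           "result": {"msg": {"line": "command succeeded"}}}}
FLAT_OK = {"@code": "20", "@status": "success", "msg": "command succeeded"}
FLAT_ERROR = {"@code": "12", "@status": "error", "msg": "invalid object"}
EMPTY_SCHEMA = {"@code": "", "@status": "", "msg": ""}

if __name__ == "__main__":
    samples = [("wrapped ok", WRAPPED_OK), ("flat ok", FLAT_OK),
               ("flat error", FLAT_ERROR), ("empty schema", EMPTY_SCHEMA)]
    for name, sample in samples:
        print(name, action_succeeded(sample), normalize_result(sample))
```

An empty or unexpected status is reported as a failure, so a block step that did not take effect cannot pass silently to the next playbook step.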

operation: Block URL

Input parameters

Parameter Description
URL Specify the URL that you want to block in the Palo Alto Firewall.

Output

The output contains the following populated JSON schema:

{
    "response": {
        "@code": "",
        "@status": "",
        "result": {
            "msg": {
                "line": ""
            }
        }
    }
}

operation: Unblock URL

Input parameters

Parameter Description
URL Specify the URL that you want to unblock in the Palo Alto Firewall.

Output

The output contains the following populated JSON schema:

{
    "response": {
        "@code": "",
        "@status": "",
        "result": {
            "msg": {
                "line": ""
            }
        }
    }
}

operation: Block Application

Input parameters

Parameter Description
Application Name Specify the name of the application that you want to block in the Palo Alto Firewall.

Output

The output contains the following populated JSON schema:

{
    "response": {
        "@code": "",
        "@status": "",
        "result": {
            "msg": {
                "line": ""
            }
        }
    }
}

operation: Unblock Application

Input parameters

Parameter Description
Application Name Specify the name of the application that you want to unblock in the Palo Alto Firewall.

Output

The output contains the following populated JSON schema:

{
    "response": {
        "@code": "",
        "@status": "",
        "result": {
            "msg": {
                "line": ""
            }
        }
    }
}

operation: Create Security Policy Rule

Input parameters

Parameter Description
Security Policy Rule Name Specify the name of the security policy rule to create in Palo Alto Firewall.
Source Security Zone Specify the source security zone of the security policy rule being created in Palo Alto Firewall. Once specified, the Palo Alto firewall implements the rule on all traffic originating from the specified security zone.

A zone is a grouping of interfaces (physical or virtual) that represents a segment of your network that is connected to, and controlled by, the firewall.

Destination Security Zone Specify the destination security zone of the security policy rule being created in Palo Alto Firewall. Once specified, the Palo Alto firewall implements the rule on all traffic destined to the specified security zone.

A zone is a grouping of interfaces (physical or virtual) that represents a segment of your network that is connected to, and controlled by, the firewall.

Source IP Address Specify the source IP address of the security policy rule being created in Palo Alto Firewall. Once specified, the Palo Alto firewall implements the rule on all traffic originating from the specified IP address.
Destination IP Address Specify the destination IP address of the security policy rule being created in Palo Alto Firewall. Once specified, the Palo Alto firewall implements the rule on all traffic destined to the specified IP address.
Service Specify the service of the security policy rule being created in Palo Alto Firewall. The default value is application-default, which ensures that any applications that the rule allows are allowed only on their standard ports.
Application Specify the application being allowed or blocked in the security policy rule being created in Palo Alto Firewall. Adding the application safely enables it on the created security policy rule.
Action Select the action option of the security policy rule being created in Palo Alto Firewall. You can choose from the following options:
  • Deny: Blocks traffic and enforces the default Deny Action defined for the application that is being denied.
  • Allow: Allows the traffic.
  • Drop: Silently drops the traffic. For an application, it overrides the default deny action. A TCP reset is not sent to the host/application.
  • Reset Client: Sends a TCP reset to the client-side device.
  • Reset Server: Sends a TCP reset to the server-side device.
  • Reset Both: Sends a TCP reset to both the client-side and server-side devices.
  • By default it is set to Allow.
Category (Optional) Specify the URL Category of the security policy rule being created in Palo Alto Firewall. If you select a URL category, only web traffic will match the rule and only if the traffic is destined for that specified category.
Source User (Optional) Specify the users and groups to match in the security policy rule being created in Palo Alto Firewall. Mapped users or groups at the source of the traffic can be allowed or blocked.
Rule Type (Optional) Select the rule type of the security policy rule being created in Palo Alto Firewall. You can choose from the following options:
  • Universal: Applies the rule to all matching interzone and intrazone traffic in the specified source and destination zones, regardless of whether the traffic stays within one zone or crosses between zones.

    For example, if you create a universal rule with source zones A and B and destination zones A and B, the rule applies to all traffic within zone A, all traffic within zone B, all traffic from zone A to zone B, and all traffic from zone B to zone A.

  • Intrazone: Applies the rule to all matching traffic within the specified source zones, that is, traffic that stays in the same zone. You cannot specify a destination zone for intrazone rules.

    For example, if you set the source zone to A and B, the rule applies to all traffic within zone A and all traffic within zone B, but not to traffic between zones A and B.

  • Interzone: Applies the rule to all matching traffic between the specified source and destination zones, that is, traffic between two different zones. Traffic within the same zone is not covered by a rule of this type.

    For example, if you set the source zone to A, B, and C and the destination zone to A and B, the rule applies to traffic from zone A to zone B, from zone B to zone A, from zone C to zone A, and from zone C to zone B, but not to traffic within zones A, B, or C.

By default, it is set to Universal.
Disabled (Optional) Select whether to disable the security policy rule being created in Palo Alto Firewall. You can choose from the following options:
  • Yes
  • No
By default, it is set to No.
Custom Properties (Optional) Specify the additional properties, in the JSON format, that you want to specify for the security policy rule being created in Palo Alto Firewall. The additional properties signify additional fields associated with the security policy rule.
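
The Rule Type descriptions above can be checked mechanically before a playbook creates a rule. The following added example (not connector code; the function names are hypothetical) computes the zone pairs each rule type covers, reproduces the three zone examples from the parameter description, and shows which pairs the default Universal type adds compared with Interzone.

```python
from itertools import product


def rule_zone_pairs(rule_type, source_zones, destination_zones=()):
    """Return the set of (from_zone, to_zone) pairs a rule of this type covers."""
    src = list(dict.fromkeys(source_zones))        # de-duplicate, keep order
    dst = list(dict.fromkeys(destination_zones))
    if not src:
        raise ValueError("at least one source zone is required")
    kind = rule_type.strip().lower()
    if kind == "intrazone":
        # The page states that intrazone rules cannot take a destination zone.
        if dst:
            raise ValueError("intrazone rules cannot specify a destination zone")
        return {(zone, zone) for zone in src}
    if kind not in ("universal", "interzone"):
        raise ValueError(f"unknown rule type: {rule_type!r}")
    if not dst:
        raise ValueError(f"{kind} rules need at least one destination zone")
    pairs = set(product(src, dst))
    if kind == "interzone":
        # Interzone excludes traffic that stays inside one zone.
        pairs = {(s, d) for s, d in pairs if s != d}
    return pairs


def widened_by_universal(source_zones, destination_zones):
    """Pairs covered by Universal (the default type) but not by Interzone."""
    return (rule_zone_pairs("universal", source_zones, destination_zones)
            - rule_zone_pairs("interzone", source_zones, destination_zones))


def format_pairs(pairs):
    """Render pairs as sorted 'A->B' strings for review or logging."""
    return sorted(f"{s}->{d}" for s, d in pairs)


if __name__ == "__main__":
    # The three zone examples from the Rule Type description.
    print(format_pairs(rule_zone_pairs("Universal", ["A", "B"], ["A", "B"])))
    print(format_pairs(rule_zone_pairs("Intrazone", ["A", "B"])))
    print(format_pairs(rule_zone_pairs("Interzone", ["A", "B", "C"], ["A", "B"])))
    # Same zones as the interzone example, left at the default rule type.
    print(format_pairs(widened_by_universal(["A", "B", "C"], ["A", "B"])))
```

Because Rule Type defaults to Universal and Action defaults to Allow, a rule created with both defaults also covers traffic inside each zone that appears as both source and destination, which is what `widened_by_universal` reports.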

Output

The output contains the following populated JSON schema:

{
    "msg": "",
    "@code": "",
    "@status": ""
}

operation: Get All Security Policy Rules List

Input parameters

Parameter Description
Security Policy Rule Name (Optional) Specify the name of the security policy rule to retrieve from Palo Alto Firewall.

Output

The output contains the following populated JSON schema:

{
    "@code": "",
    "result": {
        "entry": [
            {
                "to": {
                    "member": []
                },
                "from": {
                    "member": []
                },
                "@name": "",
                "@uuid": "",
                "@vsys": "",
                "action": "",
                "source": {
                    "member": []
                },
                "service": {
                    "member": []
                },
                "category": {
                    "member": []
                },
                "disabled": "",
                "@location": "",
                "source-hip": {
                    "member": []
                },
                "application": {
                    "member": []
                },
                "destination": {
                    "member": []
                },
                "source-user": {
                    "member": []
                },
                "destination-hip": {
                    "member": []
                }
            }
        ],
        "@count": "",
        "@total-count": ""
    },
    "@status": ""
}

operation: Update Security Policy Rule

Input parameters

Parameter Description
Security Policy Rule Name Specify the name of the security policy rule to update in Palo Alto Firewall.
Source Security Zone Specify the source security zone of the security policy rule being updated in Palo Alto Firewall. Once specified, the Palo Alto firewall implements the rule on all traffic originating from the specified security zone.

A zone is a grouping of interfaces (physical or virtual) that represents a segment of your network that is connected to, and controlled by, the firewall.

Destination Security Zone Specify the destination security zone of the security policy rule being updated in Palo Alto Firewall. Once specified, the Palo Alto firewall implements the rule on all traffic destined to the specified security zone.

A zone is a grouping of interfaces (physical or virtual) that represents a segment of your network that is connected to, and controlled by, the firewall.

Source IP Address Specify the source IP address of the security policy rule being updated in Palo Alto Firewall. Once specified, the Palo Alto firewall implements the rule on all traffic originating from the specified IP address.
Destination IP Address Specify the destination IP address of the security policy rule being updated in Palo Alto Firewall. Once specified, the Palo Alto firewall implements the rule on all traffic destined to the specified IP address.
Service Specify the service of the security policy rule being updated in Palo Alto Firewall.
Application Specify the application being allowed or blocked in the security policy rule being updated in Palo Alto Firewall. Adding the application safely enables it on the updated security policy rule.
Action Select the action option of the security policy rule being updated in Palo Alto Firewall. You can choose from the following options:
  • Deny: Blocks traffic and enforces the default Deny Action defined for the application that is being denied.
  • Allow: Allows the traffic.
  • Drop: Silently drops the traffic. For an application, it overrides the default deny action. A TCP reset is not sent to the host/application.
  • Reset Client: Sends a TCP reset to the client-side device.
  • Reset Server: Sends a TCP reset to the server-side device.
  • Reset Both: Sends a TCP reset to both the client-side and server-side devices.
  • By default it is set to Allow.
Category (Optional) Specify the URL Category of the security policy rule being updated in Palo Alto Firewall. If you select a URL category, only web traffic will match the rule and only if the traffic is destined for that specified category.
Source User (Optional) Specify the users and groups to match in the security policy rule being updated in Palo Alto Firewall. Mapped users or groups at the source of the traffic can be allowed or blocked.
Rule Type (Optional) Select the rule type of the security policy rule being updated in Palo Alto Firewall. You can choose from the following options:
  • Universal: Applies the rule to all matching interzone and intrazone traffic in the specified source and destination zones, regardless of whether the traffic stays within one zone or crosses between zones.

    For example, if you create a universal rule with source zones A and B and destination zones A and B, the rule applies to all traffic within zone A, all traffic within zone B, all traffic from zone A to zone B, and all traffic from zone B to zone A.

  • Intrazone: Applies the rule to all matching traffic within the specified source zones, that is, traffic that stays in the same zone. You cannot specify a destination zone for intrazone rules.

    For example, if you set the source zone to A and B, the rule applies to all traffic within zone A and all traffic within zone B, but not to traffic between zones A and B.

  • Interzone: Applies the rule to all matching traffic between the specified source and destination zones, that is, traffic between two different zones. Traffic within the same zone is not covered by a rule of this type.

    For example, if you set the source zone to A, B, and C and the destination zone to A and B, the rule applies to traffic from zone A to zone B, from zone B to zone A, from zone C to zone A, and from zone C to zone B, but not to traffic within zones A, B, or C.

By default, it is set to Universal.
Disabled (Optional) Select whether to disable the security policy rule being updated in Palo Alto Firewall. You can choose from the following options:
  • Yes
  • No
By default, it is set to No.
Custom Properties (Optional) Specify the additional properties, in the JSON format, that you want to specify for the security policy rule being updated in Palo Alto Firewall. The additional properties signify additional fields associated with the security policy rule.

Output

The output contains the following populated JSON schema:

{
    "msg": "",
    "@code": "",
    "@status": ""
}

operation: Rename Security Policy Rule

Input parameters

Parameter Description
Existing Security Policy Rule Name Specify the name of the existing security policy rule to rename in Palo Alto Firewall.
New Security Policy Rule Name Specify the new name of the security policy rule being renamed in Palo Alto Firewall.

Output

The output contains the following populated JSON schema:

{
    "msg": "",
    "@code": "",
    "@status": ""
}

operation: Move Security Policy Rule

Input parameters

Parameter Description
Security Policy Rule Name Specify the name of the security policy rule to move to a specified position in Palo Alto Firewall.
Move To Select the policy position from the options to move the security policy rule in Palo Alto Firewall. You can choose from the following options:
  • Top: Select this option to move the rule to the top and be applied before all other rules in the queue.
  • Bottom: Select this option to move the rule to the bottom and be applied after all other rules in the queue.
  • Before: Specify the name of the security policy rule before which to move this policy in the Before which Rule Name field.
  • After: Specify the name of the security policy rule after which to move this policy in the After which Rule Name field.
By default, it is set to Top.

Output

The output contains the following populated JSON schema:

{
    "msg": "",
    "@code": "",
    "@status": ""
}

operation: Delete Security Policy Rule

Input parameters

Parameter Description
Security Policy Rule Name Specify the name of the security policy rule to delete from Palo Alto Firewall.

Output

The output contains the following populated JSON schema:

{
    "msg": "",
    "@code": "",
    "@status": ""
}

operation: Create IP Address Object

Input parameters

Parameter Description
IP Address Name Specify the name of the IP address object to create in Palo Alto Firewall.
Address Type Select the type of the address to create in Palo Alto Firewall. You can choose from the following options:
  • IP Netmask: Specify the IP netmask to create IP address in the IP Netmask field. For example, 1.1.1.1, 1.1.1.1/1, 2001:db8:123:1::1, 2001:db8:123:1::1/64
  • IP Range: Specify the IP range in the IP Range field. For example 10.0.0.1-10.0.0.4, 2001:db8:123:1::1-2001:db8:123:1::11
  • IP Wildcard: Specify the IP wildcard in the IP Wildcard field. An address object of type IP Wildcard Mask can specify only IPv4 addresses and is useful if you define private IPv4 addresses to internal devices and your addressing structure assigns meaning to certain bits in the address.
  • FQDN: Specify the FQDN in the FQDN field. An address object of type FQDN (for example, www.fortinet.com) provides further ease of use because DNS provides the FQDN resolution to the IP addresses instead of you needing to know the IP addresses and manually updating them every time the FQDN resolves to new IP addresses.
Tag (Optional) (Not available for IP Wildcard Address Type)
Specify the tag to create address object in Palo Alto Firewall. Tags on objects help group related items.
Description (Optional) Specify a brief description for the address object being created in Palo Alto Firewall.
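
A playbook can validate the value for an address object before calling the connector, which matters when the object will later be added to the address group tied to the blocking policy. The following added example (not connector code) classifies a value as IP Netmask, IP Range, or FQDN using the example values given above and rejects entries that cover more addresses than a limit. The limit and function names are hypothetical, and IP Wildcard is left out because the page gives no format for it.

```python
import ipaddress
import re

# Hostname labels followed by an alphabetic TLD, so "999.1.1.1" is not an FQDN.
FQDN_RE = re.compile(
    r"^(?=.{1,253}$)(?:(?!-)[A-Za-z0-9-]{1,63}(?<!-)\.)+[A-Za-z]{2,63}$"
)

MAX_BLOCK_ADDRESSES = 256  # hypothetical policy limit, not a connector setting


def classify_address_value(value):
    """Return (address_type, address_count); the count is None for an FQDN."""
    value = value.strip()
    # IP Netmask: a single address or CIDR notation, IPv4 or IPv6.
    try:
        iface = ipaddress.ip_interface(value)
        return "IP Netmask", iface.network.num_addresses
    except ValueError:
        pass
    # IP Range: "<start>-<end>", same address family, start not after end.
    start_text, sep, end_text = value.partition("-")
    if sep:
        try:
            start = ipaddress.ip_address(start_text)
            end = ipaddress.ip_address(end_text)
        except ValueError:
            start = end = None  # not a range; may still be a hyphenated FQDN
        if start is not None:
            if start.version != end.version:
                raise ValueError("range mixes IPv4 and IPv6")
            if int(start) > int(end):
                raise ValueError("range start is after range end")
            return "IP Range", int(end) - int(start) + 1
    if FQDN_RE.match(value):
        return "FQDN", None
    raise ValueError(f"not an IP Netmask, IP Range or FQDN value: {value!r}")


def blocking_guard(value, max_addresses=MAX_BLOCK_ADDRESSES):
    """Return (allowed, reason) for a value about to enter a block group."""
    try:
        kind, count = classify_address_value(value)
    except ValueError as exc:
        return False, str(exc)
    if count is not None and count > max_addresses:
        return False, f"{kind} covers {count} addresses (limit {max_addresses})"
    return True, kind


if __name__ == "__main__":
    # Example values taken from the Address Type descriptions on this page.
    for sample in ["1.1.1.1", "1.1.1.1/1", "2001:db8:123:1::1/64",
                   "10.0.0.1-10.0.0.4", "2001:db8:123:1::1-2001:db8:123:1::11",
                   "www.fortinet.com"]:
        print(sample, classify_address_value(sample), blocking_guard(sample))
```

The documented example 1.1.1.1/1 is a syntactically valid IP Netmask that covers half of the IPv4 address space, so the guard rejects it while accepting the single address and the four-address range.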

Output

The output contains the following populated JSON schema:

{
    "msg": "",
    "@code": "",
    "@status": ""
}

operation: Get All Address List

Input parameters

None.

Output

The output contains the following populated JSON schema:

{
    "@code": "",
    "result": {
        "entry": [
            {
                "tag": {
                    "member": []
                },
                "@name": "",
                "@vsys": "",
                "@location": "",
                "ip-netmask": "",
                "description": ""
            }
        ],
        "@count": "",
        "@total-count": ""
    },
    "@status": ""
}

operation: Get Specific IP Address Object Details

Input parameters

Parameter Description
IP Address Name Specify the name of the IP address object to retrieve its details from Palo Alto Firewall.

Output

The output contains the following populated JSON schema:

{
    "@code": "",
    "result": {
        "entry": [
            {
                "tag": {
                    "member": []
                },
                "@name": "",
                "@vsys": "",
                "@location": "",
                "ip-netmask": "",
                "description": ""
            }
        ],
        "@count": "",
        "@total-count": ""
    },
    "@status": ""
}

operation: Update IP Address Object

Input parameters

Parameter Description
IP Address Name Specify the name of the IP address object to update in Palo Alto Firewall.
Address Type Select the type of the address to update in Palo Alto Firewall. You can choose from the following options:
  • IP Netmask: Specify the IP netmask to update IP address in the IP Netmask field. For example, 1.1.1.1, 1.1.1.1/1, 2001:db8:123:1::1, 2001:db8:123:1::1/64
  • IP Range: Specify the IP range in the IP Range field. For example 10.0.0.1-10.0.0.4, 2001:db8:123:1::1-2001:db8:123:1::11
  • IP Wildcard: Specify the IP wildcard in the IP Wildcard field. An address object of type IP Wildcard Mask can specify only IPv4 addresses and is useful if you define private IPv4 addresses to internal devices and your addressing structure assigns meaning to certain bits in the address.
  • FQDN: Specify the FQDN in the FQDN field. An address object of type FQDN (for example, www.fortinet.com) provides further ease of use because DNS provides the FQDN resolution to the IP addresses instead of you needing to know the IP addresses and manually updating them every time the FQDN resolves to new IP addresses.
Tag (Optional) Specify the tag to update address object in Palo Alto Firewall. Tags on objects help group related items.
Description (Optional) Specify a brief description for the address object being updated in Palo Alto Firewall.

Output

The output contains the following populated JSON schema:

{
    "msg": "",
    "@code": "",
    "@status": ""
}

operation: Rename IP Address Object Name

Input parameters

Parameter Description
Existing IP Address Name Specify the name of an existing IP address object to rename it in Palo Alto Firewall.
New IP Address Name Specify the new name of the IP Address object being renamed in Palo Alto Firewall.

Output

The output contains the following populated JSON schema:

{
    "msg": "",
    "@code": "",
    "@status": ""
}

operation: Delete IP Address Object

Input parameters

Parameter Description
Name of IP Address Specify the name of the IP address object to delete from Palo Alto Firewall.

Output

The output contains the following populated JSON schema:

{
    "msg": "",
    "@code": "",
    "@status": ""
}

operation: Create Address Group

Input parameters

Parameter Description
Address Group Name Specify the name of the address group to create in Palo Alto Firewall.
Address Group Type Select the type of the address group to create in Palo Alto Firewall. You can choose from the following options:
  • Static: Specify the IP address name of the member in Member IP Address Name field.
  • Dynamic: Specify the filter or the match criteria to group the address name of the members in Filter field.
By default, it is set to Static.
Tag (Optional) Specify the tag associated with the address group being created in Palo Alto Firewall. Tags on objects help group related items.
Description (Optional) Specify the brief description associated with the address group being created in Palo Alto Firewall.

Output

The output contains the following populated JSON schema:

{
    "msg": "",
    "@code": "",
    "@status": ""
}

operation: Get All Address Group List

Input parameters

None.

Output

The output contains the following populated JSON schema:

{
    "@code": "",
    "result": {
        "entry": [
            {
                "tag": {
                    "member": []
                },
                "@name": "",
                "@vsys": "",
                "static": {
                    "member": []
                },
                "dynamic": {
                    "filter": ""
                },
                "@location": "",
                "description": ""
            }
        ],
        "@count": "",
        "@total-count": ""
    },
    "@status": ""
}

operation: Get Address Group Details

Input parameters

Parameter Description
Address Group Name Specify the name of the address group to retrieve its details from Palo Alto Firewall.

Output

The output contains the following populated JSON schema:

{
    "@code": "",
    "result": {
        "entry": [
            {
                "tag": {
                    "member": []
                },
                "@name": "",
                "@vsys": "",
                "static": {
                    "member": []
                },
                "dynamic": {
                    "filter": ""
                },
                "@location": "",
                "description": ""
            }
        ],
        "@count": "",
        "@total-count": ""
    },
    "@status": ""
}

operation: Rename Specific Address Group

Input parameters

Parameter | Description
Existing Address Group Name | Specify the name of the existing address group to rename in Palo Alto Firewall.
New Address Group Name | Specify the new name for the address group being renamed in Palo Alto Firewall.

Output

The output contains the following populated JSON schema:

{
    "msg": "",
    "@code": "",
    "@status": ""
}

operation: Add IP Address to Address Group

Input parameters

Parameter | Description
Address Group Name | Specify the name of the address group to which the IP address name is to be added in Palo Alto Firewall.
Member IP Name | Specify the name of the IP address to add to the specified address group in Palo Alto Firewall.

Output

The output contains the following populated JSON schema:

{
    "response": {
        "@code": "",
        "result": {
            "msg": {
                "line": ""
            }
        },
        "@status": ""
    }
}

operation: Remove IP Address from Address Group

Input parameters

Parameter | Description
Address Group Name | Specify the name of the address group from which to remove the IP address name in Palo Alto Firewall.
Member IP Name | Specify the name of the IP address to remove from the specified address group in Palo Alto Firewall.

Output

The output contains the following populated JSON schema:

{
    "response": {
        "@code": "",
        "result": {
            "msg": {
                "line": ""
            }
        },
        "@status": ""
    }
}

operation: Delete Address Group

Input parameters

Parameter | Description
Address Group Name | Specify the name of the address group to delete from Palo Alto Firewall.

Output

The output contains the following populated JSON schema:

{
    "msg": "",
    "@code": "",
    "@status": ""
}
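
The address group operations above return status in two shapes: a flat object (msg, @code, @status) and one nested under response, with the message in result.msg.line. The Python below is an added example, not part of the connector or of Fortinet's documentation; it normalizes both shapes and checks group membership before an add or remove step. The status values, codes, and group and member names in the samples are constructed assumptions.

```python
"""Added example: interpreting Palo Alto Firewall connector outputs in a playbook step."""

# Constructed samples shaped like the output schemas documented above.
# The "@status"/"@code" values ("success"/"20"/"19", "error"/"7") are assumptions.
NESTED_OK = {"response": {"@code": "20", "@status": "success",
                          "result": {"msg": {"line": "command succeeded"}}}}
FLAT_ERROR = {"msg": "Object doesn't exist", "@code": "7", "@status": "error"}
GROUP_DETAILS = {
    "@code": "19", "@status": "success",
    "result": {"@count": "2", "@total-count": "2", "entry": [
        {"@name": "soar-blocked-ips", "@vsys": "vsys1", "@location": "vsys",
         "static": {"member": ["bad-host-1", "bad-host-2"]},
         "tag": {"member": ["soar"]}, "description": "constructed sample"},
        {"@name": "soar-tagged", "@vsys": "vsys1", "@location": "vsys",
         "dynamic": {"filter": "'quarantine'"}, "description": "constructed sample"},
    ]},
}


def as_list(value):
    """Treat a missing value as empty and a lone value as a one-item list."""
    if value is None or value == "":
        return []
    return value if isinstance(value, list) else [value]


def normalize_status(output):
    """Return (ok, code, message) for both the flat and the nested output shape."""
    body = output.get("response", output)
    if not isinstance(body, dict):
        return (False, "", "unexpected output shape")
    msg = body.get("msg")
    if msg is None:
        result = body.get("result")
        msg = result.get("msg", "") if isinstance(result, dict) else ""
    if isinstance(msg, dict):
        msg = msg.get("line", "")
    message = "; ".join(str(m) for m in as_list(msg))
    ok = str(body.get("@status", "")).lower() == "success"
    return (ok, str(body.get("@code", "")), message)


def find_group(details_output, group_name):
    """Return {"type", "members", "filter"} for the named group, or None."""
    result = details_output.get("result")
    entries = as_list(result.get("entry")) if isinstance(result, dict) else []
    for entry in entries:
        if entry.get("@name") != group_name:
            continue
        members = as_list((entry.get("static") or {}).get("member"))
        flt = (entry.get("dynamic") or {}).get("filter", "")
        return {"type": "dynamic" if flt and not members else "static",
                "members": members, "filter": flt}
    return None


def plan_membership_change(details_output, group_name, member, action):
    """Decide what a playbook should do before an add/remove member step.

    Returns "run", "skip" (already in the desired state), "missing" (no such
    group), "unsupported" (dynamic group: membership comes from its filter)
    or "error" (the lookup itself did not succeed).
    """
    if action not in ("add", "remove"):
        raise ValueError("action must be 'add' or 'remove'")
    ok, _code, _msg = normalize_status(details_output)
    if not ok:
        return "error"
    group = find_group(details_output, group_name)
    if group is None:
        return "missing"
    if group["type"] == "dynamic":
        return "unsupported"
    present = member in group["members"]
    return "skip" if present == (action == "add") else "run"


if __name__ == "__main__":
    print(normalize_status(NESTED_OK))
    print(normalize_status(FLAT_ERROR))
    print(plan_membership_change(GROUP_DETAILS, "soar-blocked-ips", "bad-host-3", "add"))
```

Running the lookup first and acting only on "run" keeps a containment playbook idempotent and surfaces a failed or misdirected step instead of assuming the block took effect.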

Included playbooks

The Sample - Palo Alto Firewall - 3.1.1 playbook collection comes bundled with the Palo Alto Firewall connector. The playbooks in this collection contain steps that you can use to perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Palo Alto Firewall connector.

  • Add IP Address to Address Group
  • Block IP
  • Unblock IP
  • Block URL
  • Unblock URL
  • Block Application
  • Unblock Application
  • Get All Security Policy Rules List
  • Create Security Policy Rule
  • Update Security Policy Rule
  • Rename Security Policy Rule
  • Move Security Policy Rule
  • Delete Security Policy Rule
  • Get Specific IP Address Object Details
  • Create IP Address Object
  • Update IP Address Object
  • Rename IP Address Object Name
  • Delete IP Address Object
  • Get All Address Group List
  • Get All Address List
  • Get Address Group Details
  • Create Address Group
  • Rename Specific Address Group
  • Remove IP Address from Address Group
  • Delete Address Group

Note: If you plan to use any of the sample playbooks in your environment, clone those playbooks and move them to a different collection, because the sample playbook collection is deleted when the connector is upgraded or deleted.



operation: Delete IP Address Object

Input parameters

Parameter Description
Name of IP Address Specify the name of the IP address object to delete from Palo Alto Firewall.

Output

The output contains the following populated JSON schema:

{
    "msg": "",
    "@code": "",
    "@status": ""
}

operation: Create Address Group

Input parameters

Parameter Description
Address Group Name Specify the name of the address group to create in Palo Alto Firewall.
Address Group Type Select the type of the address group to create in Palo Alto Firewall. You can choose from the following options:
  • Static: Specify the IP address name of the member in Member IP Address Name field.
  • Dynamic: Specify the filter or the match criteria to group the address name of the members in Filter field.
By default, it is set to Static.
Tag (Optional) Specify the tag associated with the address group being created in Palo Alto Firewall. Tags on objects help group related items.
Description (Optional) Specify a brief description for the address group being created in Palo Alto Firewall.

Output

The output contains the following populated JSON schema:

{
    "msg": "",
    "@code": "",
    "@status": ""
}

operation: Get All Address Group List

Input parameters

None.

Output

The output contains the following populated JSON schema:

{
    "@code": "",
    "result": {
        "entry": [
            {
                "tag": {
                    "member": []
                },
                "@name": "",
                "@vsys": "",
                "static": {
                    "member": []
                },
                "dynamic": {
                    "filter": ""
                },
                "@location": "",
                "description": ""
            }
        ],
        "@count": "",
        "@total-count": ""
    },
    "@status": ""
}

operation: Get Address Group Details

Input parameters

Parameter Description
Address Group Name Specify the name of the address group to retrieve its details from Palo Alto Firewall.

Output

The output contains the following populated JSON schema:

{
    "@code": "",
    "result": {
        "entry": [
            {
                "tag": {
                    "member": []
                },
                "@name": "",
                "@vsys": "",
                "static": {
                    "member": []
                },
                "dynamic": {
                    "filter": ""
                },
                "@location": "",
                "description": ""
            }
        ],
        "@count": "",
        "@total-count": ""
    },
    "@status": ""
}

operation: Rename Specific Address Group

Input parameters

Parameter Description
Existing Address Group Name Specify the name of the existing address group to rename in Palo Alto Firewall.
New Address Group Name Specify the new name for the address group being renamed in Palo Alto Firewall.

Output

The output contains the following populated JSON schema:

{
    "msg": "",
    "@code": "",
    "@status": ""
}

operation: Add IP Address to Address Group

Input parameters

Parameter Description
Address Group Name Specify the name of the address group to which to add the IP address name in Palo Alto Firewall.
Member IP Name Specify the name of the IP address to add in the specified address group in Palo Alto Firewall.

Output

The output contains the following populated JSON schema:

{
    "response": {
        "@code": "",
        "result": {
            "msg": {
                "line": ""
            }
        },
        "@status": ""
    }
}

operation: Remove IP Address from Address Group

Input parameters

Parameter Description
Address Group Name Specify the name of the address group from which to remove the IP address name in Palo Alto Firewall.
Member IP Name Specify the name of the IP address to remove from the specified address group in Palo Alto Firewall.

Output

The output contains the following populated JSON schema:

{
    "response": {
        "@code": "",
        "result": {
            "msg": {
                "line": ""
            }
        },
        "@status": ""
    }
}
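
The Add and Remove operations wrap their status in a "response" object, while the other operations on this page return "@status" at the top level. This added Python example (not connector code) handles both shapes and confirms a member against Get Address Group Details output; the sample outputs and names are constructed, and "success" as the "@status" value is an assumption.

```python
# Constructed sample outputs that follow the JSON schemas on this page.
ADD_MEMBER_OUTPUT = {
    "response": {"@code": "", "@status": "success",
                 "result": {"msg": {"line": ""}}}
}
GROUP_DETAILS = {
    "@code": "", "@status": "success",
    "result": {"@count": "1", "@total-count": "1", "entry": [{
        "@name": "blocked-hosts", "@vsys": "", "@location": "",
        "tag": {"member": []}, "description": "",
        "static": {"member": ["bad-host-1", "bad-host-2"]},
    }]},
}


def unwrap(output):
    """Return the dict that carries @status: nested 'response' or top level."""
    return output.get("response", output)


def succeeded(output, ok_value="success"):
    """True when the operation reported ok_value (assumed success marker)."""
    return unwrap(output).get("@status") == ok_value


def static_members(details, group_name):
    """Static member names of group_name; empty list for a dynamic group."""
    for entry in details.get("result", {}).get("entry", []):
        if entry.get("@name") == group_name:
            members = entry.get("static", {}).get("member", [])
            # Defensive (assumption): tolerate a lone member given as a string.
            return [members] if isinstance(members, str) else list(members)
    raise KeyError(f"address group not in output: {group_name}")


def confirm_added(add_output, details, group_name, member):
    """Trust an add only if it reported success and the member is listed."""
    return succeeded(add_output) and member in static_members(details, group_name)


def confirm_removed(remove_output, details, group_name, member):
    """Trust a removal only if it reported success and the member is gone."""
    return succeeded(remove_output) and member not in static_members(details, group_name)
```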

operation: Delete Address Group

Input parameters

Parameter Description
Address Group Name Specify the name of the address group to delete from Palo Alto Firewall.

Output

The output contains the following populated JSON schema:

{
    "msg": "",
    "@code": "",
    "@status": ""
}

Included playbooks

The Sample - Palo Alto Firewall - 3.1.1 playbook collection comes bundled with the Palo Alto Firewall connector. This playbook collection contains steps that you can use to perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Palo Alto Firewall connector.

Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection is deleted when the connector is upgraded or deleted.
