PaloAlto
Overview
Securing your enterprise starts with your firewall. The Palo Alto Networks PA-3020 security appliance safeguards your network from known and unknown threats. The DNIF PaloAlto trigger plugin lets a DNIF query block an IP address on that firewall, or release it again, by adding it to or removing it from a pre-defined address group.

Pre-requisites to use PaloAlto and DNIF

Outbound access is required for connectivity between the DNIF setup and the PaloAlto firewall.

Note

The netmiko Python library is required: pip install netmiko

Protocol   Source IP   Source Port   Direction   Destination IP   Destination Port
SSH        DS, CR      Any           Egress      PaloAlto Host    22

Note

The above rule assumes that both request and response traffic is enabled (a stateful rule). DS and CR are the Data Store and Correlator containers.

PaloAlto trigger plugin functions

Details of the functions that can be used with the PaloAlto trigger plugin are given in this section.

Note

In all the functions explained below, the examples use an event store named threatsample.
This event store does not exist in DNIF by default. However, it can be created/imported.

  • block_source
    This function adds a malicious or unauthorized IP address that is communicating with your network to a user pre-defined address group in PaloAlto, so that the firewall blocks it.

  • Input
    IP Address

  • Example

_fetch $SrcIP from threatsample limit 1
>>_trigger api paloalto block_source $SrcIP

  • Output

The output of the trigger call has the following structure (for the available data):

Field                      Description
$PaloALtoAPIStatus         Blocked on Palo Alto
$PaloAltoBlocked           True/False
$PaloALtoError             Error result for the block operation
$PaloALtoErrorConnection   Failed to connect to the Palo Alto firewall, with the reason for the error
  • release_source
    This function removes a previously blocked malicious or unauthorized IP address from the user pre-defined address group in PaloAlto, releasing it.

  • Input
    IP Address

  • Example

_fetch $SrcIP from threatsample limit 1
>>_trigger api paloalto release_source $SrcIP
  • Output

The output of the trigger call has the following structure (for the available data):

Field                      Description
$PaloALtoAPIStatus         Released from Palo Alto
$PaloALtoRelease           True/False
$PaloALtoError             Error result for the release operation
$PaloALtoErrorConnection   Failed to connect to the Palo Alto firewall, with the reason for the error
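Both functions above take a field from an event store and turn it into firewall configuration over SSH. The following is an added example, not the DNIF plugin's own code and not Palo Alto Networks' code, of how a block_source/release_source style trigger can do that safely with netmiko: it validates $SrcIP as a bare IP literal before any command string is built, assembles the PAN-OS configuration-mode commands, pushes them and returns a result shaped like the output fields listed above. The CONFIG values are constructed placeholders mirroring dnifconfig.yml, the one-address-object-per-IP naming scheme is an assumption, and the PAN-OS CLI syntax (set address, set address-group ... static, delete ...) and the netmiko calls are from my own knowledge of those tools rather than from this page; check them against your PAN-OS version.

```python
import ipaddress

# Constructed stand-in for the values read from dnifconfig.yml (see the
# installation section); none of these are real hosts or credentials.
CONFIG = {
    "PALOALTO_FWIP": "192.0.2.10",
    "PALOALTO_USER": "dnif-trigger",
    "PALOALTO_PASS": "change-me",
    "PALOALTO_GROUP": "DNIF-Blocklist",
    "PALOALTO_ADDROBJ": "DNIF-Blocked",
}


def validate_ip(value):
    """Return the canonical address text, or raise ValueError.

    $SrcIP is read from an event store, so it is attacker-influenced data that
    is about to be spliced into an SSH CLI session. Only a bare IPv4/IPv6
    literal is accepted; spaces, newlines or extra CLI tokens are rejected
    before any command string is built.
    """
    if not isinstance(value, str) or value != value.strip() or len(value) > 45:
        raise ValueError("not a bare IP address: %r" % (value,))
    return str(ipaddress.ip_address(value))  # raises ValueError on junk


def object_name(prefix, ip):
    """Assumption: one address object per blocked IP, named <ADDROBJ>-<ip>
    with '.' and ':' replaced by '_' so the name stays CLI-safe."""
    return prefix + "-" + ip.replace(".", "_").replace(":", "_")


def block_commands(raw_ip, cfg=CONFIG):
    """PAN-OS configure-mode commands that add the IP to the group."""
    addr = ipaddress.ip_address(validate_ip(raw_ip))
    name = object_name(cfg["PALOALTO_ADDROBJ"], str(addr))
    return [
        "set address %s ip-netmask %s/%d" % (name, addr, addr.max_prefixlen),
        "set address-group %s static %s" % (cfg["PALOALTO_GROUP"], name),
    ]


def release_commands(raw_ip, cfg=CONFIG):
    """PAN-OS configure-mode commands that take the IP out of the group again."""
    addr = ipaddress.ip_address(validate_ip(raw_ip))
    name = object_name(cfg["PALOALTO_ADDROBJ"], str(addr))
    return [
        "delete address-group %s static %s" % (cfg["PALOALTO_GROUP"], name),
        "delete address %s" % name,
    ]


def apply_commands(commands, cfg=CONFIG):
    """Push the commands over SSH with netmiko and commit.

    Returns a dict shaped like the trigger output fields. netmiko is imported
    lazily so the command builders above work (and can be unit-tested) without
    it and without a reachable firewall.
    """
    try:
        from netmiko import ConnectHandler
    except ImportError as exc:
        return {"PaloAltoBlocked": False,
                "PaloALtoErrorConnection": "netmiko not installed: %s" % exc}
    try:
        conn = ConnectHandler(device_type="paloalto_panos",
                              host=cfg["PALOALTO_FWIP"],
                              username=cfg["PALOALTO_USER"],
                              password=cfg["PALOALTO_PASS"])
    except Exception as exc:  # auth failure, timeout, host key problems
        return {"PaloAltoBlocked": False, "PaloALtoErrorConnection": str(exc)}
    try:
        output = conn.send_config_set(commands)
        output += conn.commit()
    except Exception as exc:
        return {"PaloAltoBlocked": False, "PaloALtoError": str(exc)}
    finally:
        conn.disconnect()
    return {"PaloAltoBlocked": True, "PaloALtoAPIStatus": output}


if __name__ == "__main__":
    for cmd in block_commands("192.0.2.55") + release_commands("192.0.2.55"):
        print(cmd)
    try:
        block_commands("192.0.2.55 ; delete address-group DNIF-Blocklist")
    except ValueError as err:
        print("rejected:", err)
```

The validation step is the security-relevant part. $SrcIP comes from event data that an attacker can influence (it is their source address as logged, or whatever a log source wrote into that field), and the plugin hands it to an interactive CLI session; without a strict IP-literal check, a crafted value could carry extra CLI tokens into that session under the firewall account's privileges.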

Using the PaloAlto trigger API and DNIF

Getting started with PaloAlto trigger API and DNIF

  • Place the paloalto.tar.gz in the /var/tmp location of the host machine.

  • Log in to your Data Store and Correlator containers and access the DNIF container via SSH.

  • Copy the file on the server from /var/tmp to the trigger plugins location using the command below:

cp /var/tmp/paloalto.tar.gz /dnif/<D-Key>/trigger_plugins/
  • Move to the ‘/dnif/<D-Key>/trigger_plugins’ folder path.
cd /dnif/<D-Key>/trigger_plugins/
  • Extract the paloalto.tar.gz using the following command:
tar -xvzf paloalto.tar.gz
  • Move to the ‘/dnif/<D-Key>/trigger_plugins/paloalto/’ folder path and edit the dnifconfig.yml configuration file.

  • Replace each <ADD FW ...> placeholder with your corresponding PaloAlto details:

trigger_plugin:
  PALOALTO_USER: <ADD FW USER>
  PALOALTO_PASS: <ADD FW PASS>
  PALOALTO_GROUP: <ADD FW GROUP>
  PALOALTO_ADDROBJ: <ADD FW ADDROBJ>
  PALOALTO_FWIP: <ADD FW HOSTIP>

Note

dnifconfig.yml holds the firewall credentials in clear text. Restrict its file permissions to the owner, and use a dedicated firewall account that has only the rights needed to edit the configured address group rather than a full administrator account.

Installing the dependency packages using the provided wheel files

  • Place the dep.tar.gz in the /var/tmp location of the host machine.

  • Log in to your Data Store and Correlator containers and access the DNIF container via SSH.

  • Copy the file on the server from /var/tmp to the plugin location using the command below:

cp /var/tmp/dep.tar.gz /dnif/<D-Key>/trigger_plugins/paloalto
  • Move to the ‘/dnif/<D-Key>/trigger_plugins/paloalto’ folder path.
cd /dnif/<D-Key>/trigger_plugins/paloalto
  • Extract the dep.tar.gz using the following command
tar -xvzf dep.tar.gz
  • Install the packages using the following command
pip install --no-index --find-links=/dnif/<D-Key>/trigger_plugins/paloalto/dep_pckg/ netmiko
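The two procedures above (plugin install, then dependency install) are one sequence in practice. The script below is an added example, not DNIF's own installer: it runs those steps for one D-Key and then checks that dnifconfig.yml has no <ADD FW ...> placeholders left and is readable only by its owner, since it stores the firewall password. The default paths are the ones in the text (/var/tmp and /dnif); the optional second and third arguments that override them are a hypothetical convenience for rehearsing the steps outside a container.

```shell
#!/bin/sh
# Added example, not DNIF's own installer. Performs the plugin and dependency
# steps from the text for one D-Key, then validates dnifconfig.yml.

install_paloalto_plugin() {
    dkey=$1
    staging=${2:-/var/tmp}   # where paloalto.tar.gz / dep.tar.gz were placed
    root=${3:-/dnif}         # DNIF root; hypothetical override for rehearsal
    plugins="$root/$dkey/trigger_plugins"
    plugin="$plugins/paloalto"

    # Step 1: plugin archive -> /dnif/<D-Key>/trigger_plugins/paloalto/
    [ -f "$staging/paloalto.tar.gz" ] || { echo "paloalto.tar.gz not in $staging" >&2; return 1; }
    mkdir -p "$plugins"
    cp "$staging/paloalto.tar.gz" "$plugins/"
    ( cd "$plugins" && tar -xzf paloalto.tar.gz ) || return 1

    # Step 2: offline netmiko install from the provided wheels. Skipped when
    # dep.tar.gz is absent (for example netmiko was already pip-installed).
    if [ -f "$staging/dep.tar.gz" ]; then
        cp "$staging/dep.tar.gz" "$plugin/"
        ( cd "$plugin" && tar -xzf dep.tar.gz ) || return 1
        pip install --no-index --find-links="$plugin/dep_pckg/" netmiko || return 1
    fi
}

check_paloalto_config() {
    cfg=$1
    [ -f "$cfg" ] || { echo "missing $cfg" >&2; return 1; }
    # Every <ADD FW ...> placeholder must have been replaced before use.
    if grep -q '<ADD FW' "$cfg"; then
        echo "unfilled placeholders in $cfg:" >&2
        grep '<ADD FW' "$cfg" >&2
        return 1
    fi
    # The file carries the firewall password: owner read/write only.
    chmod 600 "$cfg"
}
```

Typical use on the container is install_paloalto_plugin <D-Key>, then edit dnifconfig.yml, then check_paloalto_config /dnif/<D-Key>/trigger_plugins/paloalto/dnifconfig.yml before enabling the trigger.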
