Check and Block Value workflow

As security incidents are created to isolate potential malware, you can use the Security Operations Palo Alto Networks - Check and Block Value workflow to automatically check IP addresses, URLs, and domains using External Dynamic Lists defined in Security Operations Palo Alto Networks - Firewall.

Before you begin

Role required: sn_si.analyst

About this task

The Security Operations Palo Alto Networks - Check and Block Value workflow is executed when Firewall Block Requests are submitted. The block request specifies the firewall to be used, the type of file to be checked and blocked (if needed), and the block value, that is, the IP address, URL, or domain in question.

During workflow execution, commands defined under Palo Alto Networks Integration > Firewall > Commands are run. The Show type commands (for example, Show-IP-ExternalDynamicList) determine whether the value exists on the firewall. The Refresh type commands (for example, Refresh-IP-ExternalDynamicList) add values that do not exist on the firewall to the block list.

After the Blocked Status activity executes, approval by a system administrator is required before the workflow can proceed.

Figure 1. Security Operations Palo Alto Networks - Check and Block Value workflow

Procedure

  1. Navigate to Palo Alto Networks Integration > Firewall > Block Requests.
  2. Click New.
  3. Fill in the fields on the form, as appropriate.
    Field        Description
    Firewall     Select the firewall to be used.
    Block Type   Select the type of value to be checked:
                 • IP
                 • URL
                 • DOMAIN
    Block Value  Enter the value of the selected type to be checked on the firewall.
  4. Click Submit.
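
The following is an added example, not part of the product or its documentation: an offline pre-check an analyst could run on a Block Type and Block Value pair before filling in the form, so that a mistyped or mismatched value is caught before it reaches the firewall. The function names, the canonical forms, the refusal of loopback and unspecified addresses, and the sample list contents are assumptions made for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# One DNS label: 1-63 chars of letters, digits or hyphen, no hyphen at either end.
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

def _valid_hostname(host):
    host = host.rstrip(".").lower()
    labels = host.split(".")
    return (0 < len(host) <= 253 and len(labels) >= 2
            and not labels[-1].isdigit()          # rejects an IP typed as DOMAIN
            and all(_LABEL.match(label) for label in labels))

def normalize_block_value(block_type, value):
    """Return a canonical Block Value for the Block Type, or raise ValueError."""
    value = value.strip()
    if block_type == "IP":
        addr = ipaddress.ip_address(value)        # ValueError on malformed input
        # Assumed policy: never submit loopback or unspecified addresses.
        if addr.is_loopback or addr.is_unspecified:
            raise ValueError(f"refusing to block {addr}")
        return str(addr)                          # compresses IPv6, drops padding
    if block_type == "DOMAIN":
        if not _valid_hostname(value):
            raise ValueError(f"not a domain name: {value!r}")
        return value.rstrip(".").lower()
    if block_type == "URL":
        parts = urlsplit(value)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            raise ValueError(f"not an http(s) URL: {value!r}")
        return value
    raise ValueError(f"unknown Block Type: {block_type!r}")

def plan_request(block_type, value, current_list):
    """Mirror the workflow's decision: skip listed values, add the rest."""
    canonical = normalize_block_value(block_type, value)
    action = "already_listed" if canonical in current_list else "add"
    return action, canonical

# Constructed sample list (documentation address range and example domain).
SAMPLE_LIST = {"203.0.113.7", "bad.example.com"}

if __name__ == "__main__":
    for req in [("IP", "198.51.100.20"), ("DOMAIN", "Bad.Example.COM.")]:
        print(req, "->", plan_request(*req, SAMPLE_LIST))
```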