As security incidents are created and triaged to identify potential threats, you can
use the Security Operations Palo Alto Networks - Check and Block
Value workflow to automatically check and update IP addresses, URLs, and
domains using External Dynamic Lists defined in Palo Alto Networks - Firewall.
The Security Operations Palo Alto Networks - Check and Block
Value workflow is executed when Firewall Block Requests are submitted.
The block request specifies the firewall to be used, the type of observable to be
checked and blocked (if needed), and the block value. That is, the IP address, URL, or
domain in question.
Role required: sn_si.analyst
During workflow execution, commands defined under are run. The Show type commands (for example,
Show-IP-ExternalDynamicList) determine whether the value exists on the firewall. The
Refresh type commands (for example, Refresh-IP-ExternalDynamicList) adds ones that
do not exist on the firewall to the block list.
After the Blocked Status activity executes, approval by a system administrator is
required before the workflow can proceed.
Fill in the fields on the form, as appropriate.
||Select the firewall to be used.
||Select the type of value to be checked:
||Enter the value of the selected type to be checked on