Get started with the Palo Alto Networks Firewall Integration

The Integration Configuration feature allows you to quickly activate and set up third-party security integrations, including Palo Alto Networks - Firewall.

Before you begin

Role required: sn_sec_pan.admin
Note: This procedure can be used to activate the plugin and configure the integration. You can also activate the plugin using the traditional method.

Procedure

  1. Before activating and configuring the integration, access the Palo Alto Networks Firewall dashboard. Take note of the names of the IP Dynamic List, URL Dynamic List, or Domain Dynamic List you are using for firewall blocking.
  2. Navigate to Security Operations > Integration Configuration.
    The available security integrations appear as a series of cards.
  3. In the Palo Alto Networks Firewall card, click Install Plugin.
  4. In the Install Palo Alto Networks Firewall integration dialog box, review the plugin details and click Activate.
  5. When the activation is complete, click Close & Reload Form.
    The Security Integration screen reloads and the Configure button for the integration is available.
  6. Click Configure.
  7. Click Configure firewalls.
  8. In the Firewall Configurations screen, click New.
  9. Fill in the fields on the form, as appropriate.
    Firewalls: Click the lock icon and select the firewall to be configured.
    Firewall Version: Select the Palo Alto Networks Firewall version. PAN-OS-7.1 is the recommended version. Selecting earlier versions may return inconsistent results.
    Username: Enter the username to use when connecting to the firewall via REST endpoints.
    Password: Enter the password for the connecting user.
    IP Dynamic List: Enter the name of the External Dynamic List or Dynamic Block List you use for IP addresses.
    URL Dynamic List: Enter the name of the External Dynamic List or Dynamic Block List you use for URLs.
    Domain Dynamic List: Enter the name of the External Dynamic List or Dynamic Block List you use for domains.
  10. Click Submit.

Set up SSH credentials to the MID Server

Palo Alto Networks Firewall sends API calls to the MID Server. As such, ensure that SSH credentials have been created for the MID Server.

Before you begin

Role required: admin

The Orchestration plugin must be activated.

Procedure

  1. Navigate to Orchestration > Credentials & Connections > Credentials.
  2. Click New.
  3. In the Interceptor screen, click SSH Credentials.
  4. Fill in the fields, as needed.
    Table 1. SSH Credentials
    Name: Enter a name for the credential.
    Active: Select this check box to activate this credential.
    Applies to: Select All MID servers or Specific MID servers.
    MID Servers: If you selected Specific MID servers, click the lock icon and select the MID Servers to which these credentials apply.
    Order: Specify the order in which the credentials are tried by the server. Smaller numbers are tried first.
    User name: Enter the user name of the user associated with these credentials, if any.
    Password: If you entered a User name, enter the user's password.
    Tag: Enter a tag to be used as search criteria. The Tag field should contain the same value as the Name.

Security Operations Integration Palo Alto Networks Firewall Launcher workflow

Security Operations Integration Palo Alto Networks Firewall Launcher workflow is the Palo Alto Networks Firewall implementation launched by the Security Operations Integration - Block Request capability workflow.

Before you begin

Role required: sn_si.analyst

About this task

Security Operations Palo Alto Networks - Check and Block Value workflow

As security incidents are created and triaged to identify potential threats, you can use the Security Operations Palo Alto Networks - Check and Block Value workflow to automatically check and update IP addresses, URLs, and domains using External Dynamic Lists defined in Palo Alto Networks - Firewall.

Before you begin

Role required: sn_si.analyst

About this task

The Security Operations Palo Alto Networks - Check and Block Value workflow is executed when Firewall Block Requests are submitted. The block request specifies the firewall to be used, the type of observable to be checked and blocked (if needed), and the block value, that is, the IP address, URL, or domain in question.

During workflow execution, commands defined under Palo Alto Networks Integration > Firewall > Commands are run. The Show type commands (for example, Show-IP-ExternalDynamicList) determine whether the value already exists on the firewall. The Refresh type commands (for example, Refresh-IP-ExternalDynamicList) add values that do not yet exist on the firewall to the block list.

After the Blocked Status activity executes, approval by a system administrator is required before the workflow can proceed.

Figure 1. Security Operations Palo Alto Networks - Check and Block Value workflow

Procedure

  1. Navigate to Palo Alto Networks Integration > Firewall > Block Requests.
  2. Click New.
  3. Fill in the fields on the form, as appropriate.
    Firewall: Select the firewall to be used.
    Block Type: Select the type of value to be checked:
    • IP
    • URL
    • DOMAIN
    Block Value: Enter the value of the selected type to be checked on the firewall.
  4. Click Submit.

Palo Alto Firewall: Block Request Status activity

This activity is called by other activities to set the Firewall block request status to success or failure.

Input variables

Input variables determine the initial behavior of the activity.

Table 2. Input variables
Variable Description
firewallBlockRequestSysid [string] The system id of the firewall block request. This input variable is mandatory.
status [string] Indicates whether the refresh job ran: success or failure.

Output variables

The output variables contain data that can be used in subsequent activities. The output consists of data from the firewall configuration, as well as dynamically generated data.

Table 3. Output variables
Variable Description
result [string] Indicates the success or failure of the refresh job.

Palo Alto Firewall: Block Value activity

After the workflow has identified a value that is not on the firewall, the record is routed for approval. Upon approval, this activity connects to the MID Server via your SSH credentials and invokes a script that adds the value to the firewall External Block List.

Input variables

Input variables determine the initial behavior of the activity.
Note: You must manually enter the input variables for this activity and then publish the workflow. If the workflow is not published, the input variables will not be saved for non-admin users.
Table 4. Input variables
Variable Description
toBeBlockedValue [string] The value to be added to the EDL if not already present. This input variable is mandatory.
typeToBeBlocked [string] The type of value to be blocked: IP, URL, or Domain. This input variable is mandatory.
targetHost [string] The MID Server on which the script is executed.
SSHCredentialTag [string] The SSH credential tag defined on the MID server.
scriptCommand [string] The AppendValueToList.sh script used to add the value to the EDL. The full path to the script on the MID Server is required.

Output variables

The output variables contain data that can be used in subsequent activities.

Table 5. Output variables
Variable Description
result [string] The result passed to the EDL.

Palo Alto Firewall: Blocked Status activity

This activity checks whether the value (IP, URL, or domain) is included in its respective External Dynamic List/Dynamic Block List (EDL/DBL) on the firewall. The EDL/DBL details are obtained from the firewall using an operational command, and a routine is performed to check whether the value is blocked on the firewall.

Input variables

Input variables determine the initial behavior of the activity. All input variable entries listed are mandatory.

Table 6. Input variables
Variable Description
valueToBeChecked [string] The value in the block request.
showEDLDetailsCommand [string] The External Dynamic List command being used to determine whether the value exists on the firewall.
FirewallIpAddress [string] The IP address of the firewall used.
FirewallApiKey [string] The firewall API key.

Output variables

The output variables contain data that can be used in subsequent activities. The output consists of data from the firewall configuration, as well as data dynamically generated using the Palo Alto Firewall Operational Command API message.

Table 7. Output variables
Variable Description
commandResult [string] The results from the firewall for the show EDL Details command.
blockedStatus [Boolean] True indicates blocked. False indicates not blocked.
commandResponse [string] The response status obtained from the firewall for the show EDL Details Command.

Palo Alto Firewall: Get API Key activity

This activity retrieves the API key from the firewall.

Input variables

Input variables determine the initial behavior of the activity. All input variable entries listed are mandatory.

Table 8. Input variables
Variable Description
Username [string] The user name of the firewall administrator.
Password [string] The firewall administrator password.
FirewallIpAddress [string] The IP address of the firewall.

Output variables

The output variables contain data that can be used in subsequent activities. The output consists of data from the firewall configuration, as well as dynamically generated data.

Table 9. Output variables
Variable Description
APIKey [string] The firewall API key.

Palo Alto Firewall: Get Firewall Config activity

The Palo Alto Firewall: Get Firewall Config workflow activity gets all the related firewall configuration information from the database, and makes it available for use by the subsequent activity.

Input variables

Input variables determine the initial behavior of the activity.

Table 10. Input variables
Variable Description
firewallSysid [string] The system id of the firewall. This input variable is mandatory.
typeOfValueToBeBlocked [string] The type of value to be blocked on the firewall: IP, URL, or Domain.
firewallIPAddress [string] The IP address of the firewall.

Output variables

The output variables contain data that can be used in subsequent activities. The output consists of data from the firewall configuration, as well as dynamically generated data.

Table 11. Output variables
Variable Description
ipEDLName [string] The External Dynamic List name for IP addresses.
urlEDLName [string] The External Dynamic List name for URLs.
domainEDLName [string] The External Dynamic List name for domains.
firewallVersionSysId [string] The system id for the firewall version.
refreshEDLCommand [string] The command to be used to refresh the EDL from the source.
ShowEDLDetailsCommand [string] The command to be used to get the EDL details.
status [Boolean] True indicates success. False indicates failure.
error [string] The error, if any, that occurred in the activity.
endpoint [Encrypted] The encrypted endpoint from the database.

Palo Alto Firewall: Refresh EDL/DBL activity

This activity executes an operational command on the firewall to refresh the External Dynamic List from the source configured on the firewall. The output of this activity indicates whether the Refresh job has been queued up.

Input variables

Input variables determine the initial behavior of the activity. All input variable entries listed are mandatory.

Table 12. Input variables
Variable Description
FirewallIpAddress [string] The IP address of the firewall being refreshed.
FirewallApiKey [string] The refreshed firewall API key.
FirewallCommand [string] The operational command to be executed to queue up the refresh job.

Output variables

The output variables contain data that can be used in subsequent activities. The output consists of data from the firewall configuration, as well as dynamically generated data.

Table 13. Output variables
Variable Description
activity.Output.result [string] A text string indicating whether the refresh job was queued to run: success or failure.
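The firewall calls that the Check and Block Value workflow and its Get API Key, Blocked Status and Refresh EDL/DBL activities describe, as an added Python example that is not part of this documentation or of the integration's own scripts. It assumes the public PAN-OS XML API parameter names (type=keygen, type=op) and constructs the sample replies inline; the EDL name, key and addresses are made up.

```python
"""Added example, not ServiceNow or Palo Alto Networks code: the firewall calls
behind the Check and Block Value workflow (Get API Key, Blocked Status, Refresh
EDL/DBL) as PAN-OS XML API parameters, with replies parsed from constructed
samples so the file runs offline. Parameter names follow the public PAN-OS XML
API (type=keygen, type=op); the EDL name, key and addresses are made up."""
import xml.etree.ElementTree as ET

EDL_TYPES = {"IP": "ip", "URL": "url", "DOMAIN": "domain"}


def keygen_params(username: str, password: str) -> dict:
    """Get API Key activity. Send as a POST form body to https://<fw>/api/ so the
    password does not end up in a URL, proxy log or browser history."""
    return {"type": "keygen", "user": username, "password": password}


def parse_api_key(response_xml: str) -> str:
    """Pull <result><key> out of a keygen reply; fail loudly on any other status."""
    root = ET.fromstring(response_xml)
    if root.get("status") != "success":
        raise RuntimeError("keygen failed: " + (root.findtext(".//msg") or "no message"))
    return root.findtext("./result/key") or ""


def edl_op_params(action: str, block_type: str, edl_name: str, api_key: str) -> dict:
    """Blocked Status (action='show') and Refresh EDL/DBL (action='refresh'): the
    CLI command 'request system external-list <action> type <t> name <n>' in the
    nested XML form the op endpoint expects."""
    t = EDL_TYPES[block_type.upper()]  # KeyError for any other Block Type
    cmd = (f"<request><system><external-list><{action}><type><{t}>"
           f"<name>{edl_name}</name></{t}></type></{action}>"
           f"</external-list></system></request>")
    return {"type": "op", "cmd": cmd, "key": api_key}


def parse_show_edl(response_xml: str) -> tuple:
    """Return (commandResponse, commandResult): reply status and the list text."""
    root = ET.fromstring(response_xml)
    return root.get("status", ""), (root.findtext("./result") or "")


def is_blocked(command_result: str, value: str) -> bool:
    """The Blocked Status routine: blocked only if the value is a whole entry in
    the list text. Whole-token matching keeps 10.0.0.1 from being reported as
    blocked just because 10.0.0.10 is listed."""
    return value.strip() in {tok.strip(",") for tok in command_result.split()}


# Constructed sample replies (not captured from a real firewall).
SAMPLE_KEYGEN = '<response status="success"><result><key>EXAMPLE-KEY-0001</key></result></response>'
SAMPLE_SHOW = ('<response status="success"><result>vsys1/sn-block-ips:\n'
               '  Total valid entries : 2\n  Valid ips:\n    198.51.100.10\n'
               '    203.0.113.7\n</result></response>')


def check_block_value(block_type, value, edl_name, keygen_xml, show_xml) -> dict:
    """One pass of the workflow: get the key, run show, decide, and prepare the
    refresh that follows approval and Block Value when the value is missing."""
    key = parse_api_key(keygen_xml)
    status, text = parse_show_edl(show_xml)
    blocked = status == "success" and is_blocked(text, value)
    refresh = None if blocked else edl_op_params("refresh", block_type, edl_name, key)
    return {"commandResponse": status, "blockedStatus": blocked, "refreshParams": refresh}
```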

Get Log Data workflow

If Security Incident Response, Threat Intelligence, and Palo Alto Networks - Firewall are activated, the Security Operations Palo Alto Networks - Get Log Data workflow automatically executes when the Source IP for observables in a security incident is changed.

Before you begin

Role required: sn_si.analyst

About this task

During workflow execution, firewall configuration information is retrieved from the database and the API Key is retrieved from the firewall. The Get Log activity queues a search query on the firewall. When the query runs, it returns a Job ID that is used to retrieve threat log data from the firewall. The workflow attaches the log data as an XML file to the security incident.
Figure 2. Security Operations Palo Alto Networks - Get Log Data workflow

Procedure

  1. Navigate to a security incident that contains observables.
  2. Click the Security Incident Observables tab.
  3. In Source IP, add or modify the IP address.
  4. Click Update.
    The Security Operations Palo Alto Networks - Get Log Data workflow executes and enriched threat log data is attached to the security incident. The information is also parsed and displayed in the Firewall Logs section under the Enrichment Data tab.

Palo Alto Firewall: Get Log activity

The Palo Alto Firewall: Get Log workflow activity schedules a query on the firewall to retrieve logs and returns a JobID used to retrieve the log data.

Input variables

Input variables determine the initial behavior of the activity.

Table 18. Input variables
Variable Description
FirewallIpAddress [string] The IP address of the firewall. This input variable is mandatory.
FirewallApiKey [string] The API access key of the firewall. This input variable is mandatory.
FirewallLogType [string] The type of log data to be retrieved (set to threat). This input variable is mandatory.
FirewallLogFilterQuery [string] The query to be executed to search for logs on the firewall. This input variable is mandatory.
LogDirection [string] Specifies the order in which logs are returned: oldest first (backward) or newest first (forward).
LogNumber [string] Specifies the number of logs to retrieve.
LogSkipCount [string] Specifies the number of logs to skip when doing a log retrieval.

Output variables

The output variables contain data that can be used in subsequent activities. The output consists of data from the firewall configuration, as well as dynamically generated data.

Table 19. Output variables
Variable Description
QueuedJobID [string] The Job ID returned from the firewall.
JobScheduled [string] Specifies (success or failure) whether the job was sent to the firewall.
error [string] Any errors returned.

Palo Alto Firewall: Job Data Action activity

After the Palo Alto Firewall: Get Log activity queues the search query to the firewall and the job runs, the Palo Alto Firewall: Job Data Action activity retrieves the threat log data from the firewall.

Input variables

Input variables determine the initial behavior of the activity. All input fields are mandatory.

Table 20. Input variables
Variable Description
FirewallIpAddress [string] The IP address of the firewall.
FirewallApiKey [string] The API access key of the firewall.
JobID [string] The ID of the queued job.

Output variables

The output variables contain data that can be used in subsequent activities. The output consists of data from the firewall configuration, as well as dynamically generated data.

Table 21. Output variables
Variable Description
commandStatus [string] Specifies (success or failure) whether data was retrieved from the firewall.
JobData [string] The data collected from the firewall.
error [string] Any errors returned.
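The two-step retrieval that the Get Log Data workflow, the Get Log activity and the Job Data Action activity describe, as an added Python example that is not part of this documentation or of the integration's own scripts. It assumes the public PAN-OS XML API log parameters (type=log, then action=get with the job id) and constructs the sample replies inline; the addresses, job id and log entries are made up.

```python
"""Added example, not ServiceNow or Palo Alto Networks code: the two-step
threat-log retrieval behind the Get Log Data workflow (Get Log, then Job Data
Action) as PAN-OS XML API parameters (type=log), with constructed sample
replies parsed offline. Parameter names follow the public PAN-OS XML API;
the addresses, job id and log entries are made up."""
import ipaddress
import xml.etree.ElementTree as ET


def get_log_params(api_key: str, source_ip: str, direction: str = "backward",
                   nlogs: int = 50, skip: int = 0) -> dict:
    """Get Log activity: queue a threat-log query filtered on the observable's
    Source IP. The IP is validated first because it comes from an editable
    form field and is spliced into the firewall's own query syntax."""
    addr = ipaddress.ip_address(source_ip)  # ValueError for anything not an IP
    if direction not in ("backward", "forward"):
        raise ValueError("LogDirection must be backward or forward")
    return {"type": "log", "log-type": "threat", "query": f"(addr.src in {addr})",
            "dir": direction, "nlogs": str(nlogs), "skip": str(skip), "key": api_key}


def parse_queued_job(response_xml: str) -> tuple:
    """Return (JobScheduled, QueuedJobID) from the queue reply."""
    root = ET.fromstring(response_xml)
    if root.get("status") != "success":
        return "failure", ""
    return "success", root.findtext("./result/job") or ""


def job_data_params(api_key: str, job_id: str) -> dict:
    """Job Data Action activity: fetch the queued job's result by its Job ID."""
    return {"type": "log", "action": "get", "job-id": job_id, "key": api_key}


def parse_job_data(response_xml: str) -> tuple:
    """Return (commandStatus, job state, entries). Only a FIN job carries log
    entries; ACT means the query is still running and should be polled again."""
    root = ET.fromstring(response_xml)
    if root.get("status") != "success":
        return "failure", "", []
    state = root.findtext("./result/job/status") or ""
    entries = [{c.tag: (c.text or "") for c in e}
               for e in root.iterfind("./result/log/logs/entry")]
    return "success", state, entries


# Constructed sample replies (not captured from a real firewall).
SAMPLE_QUEUED = '<response status="success"><result><job>1234</job></result></response>'
SAMPLE_DATA = ('<response status="success"><result><job><status>FIN</status></job>'
               '<log><logs count="1" progress="100"><entry logid="1">'
               '<src>198.51.100.10</src><dst>192.0.2.25</dst><severity>medium</severity>'
               '<threatid>Example Threat(0)</threatid><action>alert</action>'
               '</entry></logs></log></result></response>')


def threat_summary(entries: list) -> list:
    """Compact lines like those shown in the Firewall Logs enrichment section."""
    return [f"{e.get('src')} -> {e.get('dst')} {e.get('severity')} {e.get('action')}"
            for e in entries]
```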

Write content to record as attachment activity

This activity writes the content passed in through an input variable as an attachment on the given record.

The Write content to record as attachment activity can be used with any workflow to write content and attach it to a record.

Input variables

Input variables determine the initial behavior of the activity.

Table 22. Input variables
Variable Description
tablename [string] The table name for the record. This input field is mandatory.
sysid [string] The system identifier (sys_id) of a task record. This input field is mandatory.
payload The plain text content to be written as an attachment. This input field is mandatory.
filename The attachment file name.

Output variables

The output variables contain data that can be used in subsequent activities.

Table 23. Output variables
Variable Description
result [string] Indicates whether the update was successful.