Security Operations Palo Alto Networks - Check and Block Value Workflow
-
- Updated Jan 30, 2025
- 5 minutes to read
- Yokohama
- Palo Alto Networks Integration
As security incidents are created and triaged to identify potential threats, you can use the Security Operations Palo Alto Networks - Check and Block Value workflow to automatically check and update IP addresses, URLs, and domains using External Dynamic Lists defined in Palo Alto Networks - Firewall.
Before you begin
Role required: sn_si.analyst
About this task
During workflow execution, commands defined under
are run. The Show type commands (for example, Show-IP-ExternalDynamicList) determine whether the value already exists on the firewall. The Refresh type commands (for example, Refresh-IP-ExternalDynamicList) make the firewall re-fetch the External Dynamic List from its source, so that a value that was not yet on the firewall is picked up into the block list. After the Blocked Status activity executes, approval by a system administrator is required before the workflow can proceed.

Procedure
Palo Alto Firewall - Block Request Status activity
This activity is called by other activities to set the Firewall block request status to success or failure.
Input variables
Input variables determine the initial behavior of the activity.
Variable | Description |
---|---|
firewallBlockRequestSysid [string] | The system ID of the firewall block request. This input variable is mandatory. |
status [string] | Indicates whether the refresh job succeeded: success or failure. |
Output variables
The output variables contain data that can be used in subsequent activities. The output consists of data from the firewall configuration, as well as dynamically generated data.
Variable | Description |
---|---|
result [string] | Indicates the success or failure of the refresh job. |
Palo Alto Firewall - Block Value activity
After the workflow has identified a value that is not on the firewall, the record is routed for approval. Upon approval, this activity connects to the MID Server using your SSH credentials and invokes a script that adds the value to the firewall External Block List.
Input variables
Output variables
The output variables contain data that can be used in subsequent activities.
Variable | Description |
---|---|
result [string] | The result passed to the EDL. |
Palo Alto Firewall - Blocked Status activity
This activity checks whether the value (IP, URL, or domain) is included in its respective External Dynamic List/Dynamic Block List (EDL/DBL) on the firewall. The EDL/DBL details are obtained from the firewall using an operational command, and a routine is performed to check whether the value is blocked on the firewall.
Input variables
Input variables determine the initial behavior of the activity. All input variable entries listed are mandatory.
Output variables
The output variables contain data that can be used in subsequent activities. The output consists of data from the firewall configuration, as well as data dynamically generated using the Palo Alto Firewall Operational Command API message.
Variable | Description |
---|---|
commandResult [string] | The results from the firewall for the show EDL Details command. |
blockedStatus [Boolean] | True indicates blocked. False indicates not blocked. |
commandResponse [string] | The response status obtained from the firewall for the show EDL Details Command. |
Palo Alto Firewall: Get API Key Action
This action retrieves the API key from the firewall.
Input variables
Input variables determine the initial behavior of the action. All input variable entries listed are mandatory.
Variable | Description |
---|---|
Username [string] | The user name of the firewall administrator. |
Password [string] | The firewall administrator password. |
FirewallIpAddress [string] | The IP address of the firewall. |
Output variables
The output variables contain data that can be used in subsequent actions. The output consists of data from the firewall configuration, as well as dynamically generated data.
Variable | Description |
---|---|
APIKey [string] | The firewall API key. |
Palo Alto Firewall: Get Firewall Config Action
The Palo Alto Firewall: Get Firewall Config flow action gets all the related firewall configuration information from the database, and makes it available for use by the subsequent action.
Input variables
Input variables determine the initial behavior of the action.
Variable | Description |
---|---|
firewallSysid [string] | The system ID of the firewall. This input variable is mandatory. |
typeOfValueToBeBlocked [string] | The type of value to be blocked on the firewall: IP, URL, or Domain. |
firewallIPAddress [string] | The IP address of the firewall. |
Output variables
The output variables contain data that can be used in subsequent actions. The output consists of data from the firewall configuration, as well as dynamically generated data.
Palo Alto Firewall - Refresh EDL/DBL activity
This activity executes an operational command on the firewall to refresh the External Dynamic List from the source configured on the firewall. The output of this activity indicates whether the Refresh job has been queued up.
Input variables
Input variables determine the initial behavior of the activity. All input variable entries listed are mandatory.
Variable | Description |
---|---|
FirewallIpAddress [string] | The IP address of the firewall being refreshed. |
FirewallApiKey [string] | The API key of the firewall being refreshed (as returned by the Get API Key action). |
FirewallCommand [string] | The operational command to be executed to queue up the refresh job. |
Output variables
The output variables contain data that can be used in subsequent activities. The output consists of data from the firewall configuration, as well as dynamically generated data.
Variable | Description |
---|---|
activity.Output.result [string] | A text string to indicate whether refresh job was queued to run: success or failure. |
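The three firewall-side calls that the Get API Key action, the Blocked Status activity and the Refresh EDL/DBL activity wrap, shown as an added example that is not ServiceNow's workflow code or Palo Alto Networks' own tooling. It uses the PAN-OS XML API with only the Python standard library. Assumptions, and not from this page: the `/api/` endpoint and the `X-PAN-KEY` header, the operational-command XML derived from the CLI syntax `request system external-list show|refresh type <t> name <n>`, the EDL name `SecOps-Block-IPs`, and the text layout of the `show` result, which is constructed here (real output may differ slightly, so the parser takes the indented lines after a `Valid ...:` header). The blocked check goes slightly beyond the page: IP values also match a CIDR entry that contains them, and domains match case-insensitively.

```python
# Added example, not ServiceNow's workflow code; see the lead-in for what is assumed.
import ipaddress
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

EDL_TYPES = {"ip": "ip", "url": "url", "domain": "domain"}  # typeOfValueToBeBlocked -> keyword

def keygen_request(firewall_ip, username, password):
    """Get API Key action: POST body so the admin password stays out of URL/proxy logs."""
    body = urllib.parse.urlencode({"type": "keygen", "user": username, "password": password})
    return f"https://{firewall_ip}/api/", body.encode()

def parse_api_key(xml_text):
    """Pull <key> out of a keygen response; refuse anything but status='success'."""
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        raise RuntimeError("keygen failed: " + xml_text[:200])
    return root.findtext("./result/key")

def edl_op_cmd(action, value_type, edl_name):
    """XML form (assumed) of 'request system external-list <show|refresh> type <t> name <n>'.
    escape() stops a hostile EDL name from injecting extra elements."""
    if action not in ("show", "refresh"):
        raise ValueError(action)
    t = EDL_TYPES[value_type.lower()]
    return (f"<request><system><external-list><{action}><type><{t}>"
            f"<name>{escape(edl_name)}</name></{t}></type></{action}>"
            "</external-list></system></request>")

def op_url(firewall_ip, cmd_xml):
    """Key deliberately not in the query string: https_send puts it in X-PAN-KEY."""
    return f"https://{firewall_ip}/api/?" + urllib.parse.urlencode({"type": "op", "cmd": cmd_xml})

def https_send(url, api_key=None, data=None, timeout=30):
    """Real transport. TLS verification stays on; import the firewall's CA, do not disable it."""
    headers = {"X-PAN-KEY": api_key} if api_key else {}
    req = urllib.request.Request(url, data=data, headers=headers)
    with urllib.request.urlopen(req, timeout=timeout, context=ssl.create_default_context()) as resp:
        return resp.read().decode("utf-8", "replace")

def parse_edl_entries(xml_text):
    """Blocked Status, part 1: (commandResponse, entries) from a 'show' result.
    Entries are the lines after a 'Valid ips:/urls:/domains:' header (assumed layout)."""
    root = ET.fromstring(xml_text)
    entries, collecting = [], False
    for raw in (root.findtext("./result") or "").splitlines():
        line = raw.strip()
        if not line:
            continue
        if collecting:
            if line.endswith(":"):  # next section header ends the list
                break
            entries.append(line)
        elif line.lower().startswith("valid ") and line.endswith(":"):
            collecting = True
    return root.get("status", "error"), entries

def is_blocked(value, value_type, entries):
    """Blocked Status, part 2: IPs match an entry or a containing CIDR, domains case-insensitively, URLs exactly."""
    vt = value_type.lower()
    if vt == "ip":
        addr = ipaddress.ip_address(value)
        for e in entries:
            try:
                if addr in ipaddress.ip_network(e, strict=False):
                    return True
            except ValueError:  # malformed entry: skip it, keep checking
                continue
        return False
    if vt == "domain":
        return value.lower().rstrip(".") in {e.lower().rstrip(".") for e in entries}
    return value in entries

def check_and_refresh(send, firewall_ip, api_key, value, value_type, edl_name):
    """Activity outputs: blockedStatus, commandResponse and the refresh result. In the workflow
    the admin approval and the SSH Block Value step sit between the check and the refresh."""
    status, entries = parse_edl_entries(send(op_url(firewall_ip, edl_op_cmd("show", value_type, edl_name)), api_key))
    out = {"commandResponse": status, "blockedStatus": is_blocked(value, value_type, entries), "result": None}
    if status != "success" or out["blockedStatus"]:
        return out
    refresh = send(op_url(firewall_ip, edl_op_cmd("refresh", value_type, edl_name)), api_key)
    out["result"] = "success" if ET.fromstring(refresh).get("status") == "success" else "failure"
    return out

# Constructed responses so the example runs offline; a real 'show' result may be laid out differently.
SAMPLE_KEYGEN = '<response status="success"><result><key>LUFRPT1example</key></result></response>'
SAMPLE_SHOW = """<response status="success"><result>vsys1/SecOps-Block-IPs:
        Valid            : Yes
        Total valid entries : 3
        Valid ips:
                203.0.113.7
                198.51.100.0/24
                2001:db8::5
</result></response>"""
SAMPLE_REFRESH = '<response status="success"><result>EDL refresh job enqueued</result></response>'
```

Against a real firewall, pass `https_send` as `send` and the key from `parse_api_key(https_send(*keygen_request(ip, user, pw)))`; the `X-PAN-KEY` header keeps the key out of URL and proxy logs, which is why `op_url` never embeds it. Before trusting the command XML, run `debug cli on` in the PAN-OS CLI and issue the `request system external-list show ...` command there: the CLI prints the XML it sends, which is the authoritative form for your PAN-OS version. Note that a refresh only re-pulls the list from its source; if the Block Value step has not yet written the value into that source, `blockedStatus` stays false on the next check.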