IBM Security SOAR


Blocking IP on Palo Alto Firewall

  • 1.  Blocking IP on Palo Alto Firewall

    Posted Fri January 01, 2021 07:52 AM

    We are using Palo Alto firewall in our organization. We want to block certain IPs on the firewall via Resilient. For that, we have installed the 'Palo Alto Networks Panorama Integration for Resilient' app from App Exchange on our integration server. Once we get an incident from QRadar into Resilient, we want to block the IP which is received as an Artifact.

    We have configured the firewall IP and API key in app.config file after installation of the app. However, we are doubtful in certain areas.

    Couple of questions:
    1. Do we need the Panorama platform to perform IP blocking via Resilient? Can we block IP directly on the firewall?
    2. How can we configure the workflow to block the IP address?
    3. Do we need to create a group in the Firewall to block IPs?

    Note: We do not have Panorama centralized firewall management system in our organization. Just have firewalls.

    We are struggling to figure out the solution to this. Kindly please help. Any proper documentation around this would be appreciated.

    Thank you,

    Akhilesh Deshmukh,
    Data Analyst, SecurityHQ

  • 2.  RE: Blocking IP on Palo Alto Firewall

    Posted Fri January 15, 2021 03:32 PM

    Hi Akhilesh, 

    Some thoughts on the questions you've asked: 

    1. In theory, the integration should work with an individual firewall without Panorama. The API endpoints used are the same in both cases. If you provide the IP and API key for a specific firewall in the app.config then it will act on that firewall. I haven't personally tested this however and can't guarantee that it will work as intended.
    2. An example workflow for this is provided as part of the integration "(Example) Panorama Block IP Address". This workflow is triggered by the manual rule "Example: Panorama Block IP Address" which exists for artifacts of the type "IP Address".  If you want this action to trigger automatically then you will need to create an automatic rule to run this workflow or your own workflow that you've modified.
    3. You need to create an "Address Group" on the Firewall as well as a security policy that blocks the created Address Group. Something similar to this but with some addresses included as you can't create a blank Address Group:
    Screenshot of a Palo Alto Address Group

    And a security policy along the lines of

    Screenshot of a Palo Alto Security Policy

    If you name the Address Group something different to that in the example, then you will need to update the inputs/preprocessing scripts in the workflow to reflect the new name. 

    Hope that helps

    Nick Harrold

  • 3.  RE: Blocking IP on Palo Alto Firewall

    Posted Thu March 04, 2021 09:05 AM

    I have tried both options, so here is my experience.

    Only firewall (NO panorama present)

    This works nicely. I used location vsys and default vsys name "vsys1" and created non-empty address group called siemlist. 

    Workflows work nicely for adding and removing content (IP Addresses).

    However, every change requires a Palo Alto admin to click COMMIT every time content is changed in the group so it will take effect in the policy...

    There is a permission for the XML API called COMMIT on Palo Alto. Maybe add this commit feature to a new version of the app?

    Panorama option

    When we integrated with Panorama, the VSYS location didn't work at all. We had 3 different VSYS names and for all of them the API error returned "cannot find location".

    So we used shared object approach and it worked.

    However, I cannot confirm the COMMIT situation. If the commit is still required even in this case, what is the purpose of integration?


    Aleksandar Jokic
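The three XML API calls the replies above revolve around (create an address object, add it to the static Address Group the deny policy references, then the commit that otherwise has to be clicked by an admin), written out as an added example; it is not code from the Resilient app or from either poster. It assumes a standalone firewall with the thread's vsys1 location and "siemlist" group name, a firewall API key, and constructed sample responses for offline checking.

```python
import ipaddress
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

# Location used in the thread: the firewall's own vsys1 (no Panorama). A Panorama
# "shared" object would live under /config/shared instead (assumption: adjust to your setup).
VSYS_XPATH = "/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']"

def build_block_requests(ip_str, group="siemlist"):
    """Return (object name, list of XML API query dicts) needed to block one IP artifact."""
    ip = ipaddress.ip_address(ip_str)  # rejects anything that is not a plain IP before it reaches an xpath
    name = f"siem-{ip}".replace(":", "-")  # PAN-OS object names accept '-' and '.', not ':' (IPv6)
    mask = 32 if ip.version == 4 else 128
    return name, [
        # 1. address object for the artifact
        {"type": "config", "action": "set",
         "xpath": f"{VSYS_XPATH}/address/entry[@name='{name}']",
         "element": f"<ip-netmask>{ip}/{mask}</ip-netmask>"},
        # 2. add it as a member of the static group that the block policy references
        {"type": "config", "action": "set",
         "xpath": f"{VSYS_XPATH}/address-group/entry[@name='{group}']/static",
         "element": f"<member>{name}</member>"},
        # 3. commit; without it the change sits in the candidate config (the complaint above)
        {"type": "commit", "cmd": "<commit></commit>"},
    ]

def send(host, api_key, params):
    """POST one query to https://<host>/api/ and return the response body (network call)."""
    data = urllib.parse.urlencode({**params, "key": api_key}).encode()
    with urllib.request.urlopen(f"https://{host}/api/", data=data, timeout=30) as resp:
        return resp.read().decode()

def parse_response(body):
    """Return (True, job id or '') on success, (False, first error line) otherwise."""
    root = ET.fromstring(body)
    if root.get("status") != "success":
        line = root.find(".//msg/line")
        return False, (line.text if line is not None else root.get("code", "")).strip()
    job = root.find("result/job")
    return True, ((job.text or "").strip() if job is not None else "")

# Constructed sample responses (not captured from a real device) for offline testing.
SAMPLE_COMMIT_RESPONSE = ('<response status="success" code="19"><result><msg><line>'
                          'Commit job enqueued with jobid 12</line></msg><job>12</job></result></response>')
SAMPLE_ERROR_RESPONSE = ('<response status="error" code="12"><msg><line>cannot find location'
                         '</line></msg></response>')
```

A production run would call send() for each dict in order, stop on the first (False, ...) result, and poll the returned job id with a `type=op` show-jobs query before treating the block as live.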

  • 4.  RE: Blocking IP on Palo Alto Firewall

    Posted Tue March 09, 2021 05:50 AM

    Hi Aleksandar,

    Thank you very much for sharing this info with us. It is great that we can block IP addresses on Palo Alto firewall using the Panorama function in Resilient.
    I tried to configure the workflows, however, it did not work for us. It seems we are missing some minor details.

    Will it be possible for you to share the workflow for blocking IP address with us? Like how exactly you have configured the workflow.
    This would be a great help.


    Akhilesh Deshmukh,
    Data Analyst, SecurityHQ