Hi,
I have tried on both options so here is my experience.
Only firewall (NO Panorama present)
This works nicely. I used location vsys and default vsys name "vsys1" and created a non-empty address group called siemlist.
Workflows work nice for adding and removing content (IP Addresses).
However, every change requires a Palo Alto admin to click COMMIT every time content is changed in the group so it will take effect in the policy...
There is a permission for the XML API called COMMIT on Palo Alto. Maybe add this commit feature to a new version of the app?
Panorama option
When we integrated with Panorama, VSYS location didn't work at all. We had 3 different VSYS names and for all of them the API error returned "cannot find location".
So we used shared object approach and it worked.
However, I cannot confirm the COMMIT situation. If the commit is still required even in this case, what is the purpose of integration?
Regards
------------------------------
Aleksandar Jokic
------------------------------
Original Message:
Sent: Fri January 15, 2021 06:10 AM
From: Nick Harrold
Subject: Blocking IP on Palo Alto Firewall
Hi Akhilesh,
Some thoughts on the questions you've asked:
- In theory, the integration should work with an individual firewall without Panorama. The API endpoints used are the same in both cases. If you provide the IP and API key for a specific firewall in the app.config then it will act on that firewall. I haven't personally tested this however and can't guarantee that it will work as intended.
- An example workflow for this is provided as part of the integration "(Example) Panorama Block IP Address". This workflow is triggered by the manual rule "Example: Panorama Block IP Address" which exists for artifacts of the type "IP Address". If you want this action to trigger automatically then you will need to create an automatic rule to run this workflow or your own workflow that you've modified.
- You need to create an "Address Group" on the Firewall as well as a security policy that blocks the created Address Group. Something similar to this but with some addresses included as you can't create a blank Address Group:
And a security policy along the lines of
If you name the Address Group something different to that in the example, then you will need to update the inputs/preprocessing scripts in the workflow to reflect the new name.
Hope that helps
------------------------------
Nick Harrold
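An added example (not part of either post or of the integration app) showing the two PAN-OS XML API calls the thread turns on: the config "set" that adds a member to the static address group (with a vsys xpath for a single firewall and a shared xpath for Panorama) and the separate commit that makes the change take effect, plus a parser for the XML reply. Host name, API key, member names, the reply bodies and the name allow-list are assumptions; live calls are left to the caller.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

# Member names come from incident artifacts (e.g. a QRadar IP). Conservative
# allow-list (assumption) so untrusted text cannot inject XML into `element`.
NAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,63}$")

def vsys_xpath(group, vsys="vsys1"):
    """XPath for a static address group in one vsys of a single firewall."""
    return ("/config/devices/entry[@name='localhost.localdomain']"
            f"/vsys/entry[@name='{vsys}']/address-group/entry[@name='{group}']/static")

def shared_xpath(group):
    """XPath for the same group kept as a Panorama shared object."""
    return f"/config/shared/address-group/entry[@name='{group}']/static"

def add_member_params(xpath, member, api_key):
    """Query parameters that add the address object `member` to the group."""
    if not NAME_RE.match(member):
        raise ValueError(f"refusing unsafe member name: {member!r}")
    return {"type": "config", "action": "set", "xpath": xpath,
            "element": f"<member>{member}</member>", "key": api_key}

def commit_params(api_key):
    """Query parameters for the commit that makes the group change effective."""
    return {"type": "commit", "cmd": "<commit></commit>", "key": api_key}

def api_url(host, params):
    """Full request URL; urlencode escapes the xpath and XML element."""
    return f"https://{host}/api/?{urlencode(params)}"

def parse_response(xml_text):
    """Reduce a PAN-OS XML API reply to status, code, message and commit job id."""
    root = ET.fromstring(xml_text)
    msg = root.findtext(".//msg/line") or root.findtext(".//msg") or ""
    return {"ok": root.get("status") == "success", "code": root.get("code"),
            "msg": msg.strip(), "job": root.findtext(".//job")}

# Constructed replies illustrating the two outcomes discussed in the thread.
COMMIT_OK = ('<response status="success" code="19"><result>'
             '<msg><line>Commit job enqueued with jobid 42</line></msg>'
             '<job>42</job></result></response>')
LOCATION_ERR = ('<response status="error" code="12">'
                '<msg><line>cannot find location</line></msg></response>')
```

A static group member must be an existing address object name, so a workflow normally creates the address object for the artifact IP first and then adds that object here.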
Original Message:
Sent: Fri January 01, 2021 07:52 AM
From: Akhilesh Deshmukh
Subject: Blocking IP on Palo Alto Firewall
Hi,
We are using Palo Alto firewall in our organization. We want to block certain IPs on the firewall via Resilient. For that, we have installed the 'Palo Alto Networks Panorama Integration for Resilient' app from App Exchange on our integration server. Once we get an incident from QRadar into Resilient, we want to block the IP which is received as an Artifact.
We have configured the firewall IP and API key in app.config file after installation of the app. However, we are doubtful in certain areas.
Couple of questions:
1. Do we need Panorama platform to perform IP blocking via Resilient? Can we block IP directly on the firewall?
2. How can we configure the workflow to block the IP address?
3. Do we need to create a group in Firewall to block IPs?
Note: We do not have Panorama centralized firewall management system in our organization. Just have firewalls.
We are struggling to figure out the solution to this. Kindly please help. Any proper documentation around this would be appreciated.
Thank you,
------------------------------
Akhilesh Deshmukh,
Data Analyst, SecurityHQ
------------------------------