Publisher: Splunk
Connector Version: 3.2.0
Product Vendor: Palo Alto Networks
Product Name: Panorama
Product Version Supported (regex): ".*"
Minimum Product Version: 5.1.0
This app integrates with the Palo Alto Networks Panorama product to support several containment and investigative actions.
The Panorama app has been tested with PanOS version 7.0.4 and should work with any version above.
All the containment actions (like block ip, etc.) take a policy name and the policy type as parameters. The action first creates an object (Application Group, Address Group, etc.) on the Panorama device to represent the object being blocked. This object is then added to the specified policy. It does not modify any other policy parameters, including the Action. Therefore you must pre-configure the policy action as Drop.
Most of the actions execute a commit on the Panorama device followed by a commit on the device group. This second commit results in Panorama sending the commit to each device that belongs to the device group, which could take some time. It is a good idea to add a time interval between two Panorama actions when executing a playbook.
Panorama restricts object names to 31 characters. This could result in object names that are created by Phantom being truncated in some cases.
It is usually a good idea to have one Policy created on the Panorama device to handle the block of each type of object. The panorama_app playbook that is available on the community github repo assumes this type of configuration. Note that to block URLs on Panorama, they are included in a URL Filtering profile that is usually added to an Allow policy. Please see the PanOS documentation for more details.
You can use the commit API request to commit a candidate configuration to a firewall. Commit actions are called at the end of all Contain actions (e.g. BlockIP).
You can learn more about Commit Configuration below: (API)
If the option "Require audit comment on policies" (Panorama -> Management) is enabled, an audit comment must be specified for a given policy rule before committing any changes to that rule.
WARNING: Additionally, the length of an Audit comment can be at most 256 characters.
You can learn more about Audit comment below:
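The commit and audit-comment requirements above are easier to reason about with the requests written out. The following is an added example, not the Panorama app's own code: it builds the PAN-OS XML API commands for an audit comment, a plain or partial commit, and the device-group push, and enforces the 256-character limit before anything is sent. The XML command shapes are reproduced from the PAN-OS XML API as I know it and should be checked against the documentation for your PAN-OS version; the host, API key, device group and rule names are placeholders. Nothing is sent over the network.

```python
# Added example (not the Panorama app's own code): PAN-OS XML API commit and
# audit-comment requests as described in the app documentation. Command shapes
# are assumed from the PAN-OS XML API; key/host/rule names are placeholders.
import xml.etree.ElementTree as ET
from typing import Optional
from urllib.parse import urlencode

AUDIT_COMMENT_MAX = 256  # limit stated in the app documentation


def validate_audit_comment(comment: str) -> str:
    """Reject a comment Panorama would refuse, so the failure surfaces before any config change."""
    if not comment or not comment.strip():
        raise ValueError("audit comment is required when 'Require audit comment on policies' is enabled")
    if len(comment) > AUDIT_COMMENT_MAX:
        raise ValueError(f"audit comment is {len(comment)} characters; maximum is {AUDIT_COMMENT_MAX}")
    return comment


def build_audit_comment_cmd(rule_xpath: str, comment: str) -> str:
    """Operational command that attaches an audit comment to the rule at rule_xpath.
    ElementTree escapes '<', '>' and '&' in the text, so analyst-typed comments cannot break the XML."""
    root = ET.Element("set")
    audit = ET.SubElement(root, "audit-comment")
    ET.SubElement(audit, "xpath").text = rule_xpath
    ET.SubElement(audit, "comment").text = validate_audit_comment(comment)
    return ET.tostring(root, encoding="unicode")


def build_commit_cmd(partial_admin: Optional[str] = None) -> str:
    """First commit: Panorama's own candidate config. With partial_admin set this is the
    partial commit of that administrator's changes that use_partial_commit describes."""
    root = ET.Element("commit")
    if partial_admin:
        admin = ET.SubElement(ET.SubElement(root, "partial"), "admin")
        ET.SubElement(admin, "member").text = partial_admin
    return ET.tostring(root, encoding="unicode")


def build_commit_all_cmd(device_group: str) -> str:
    """Second commit: push the device group's policy from Panorama to its member firewalls."""
    root = ET.Element("commit-all")
    dg = ET.SubElement(ET.SubElement(root, "shared-policy"), "device-group")
    ET.SubElement(dg, "entry", name=device_group)
    return ET.tostring(root, encoding="unicode")


def build_api_query(request_type: str, cmd: str, api_key: str, action: Optional[str] = None) -> str:
    """URL-encoded query string for https://<panorama>/api/ (host and key are placeholders)."""
    params = {"type": request_type, "cmd": cmd, "key": api_key}
    if action:
        params["action"] = action
    return urlencode(params)


if __name__ == "__main__":
    key = "API-KEY-PLACEHOLDER"
    rule_xpath = ("/config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='DG1']"
                  "/pre-rulebase/security/rules/entry[@name='Block-Outbound-Phantom']")
    print(build_api_query("op", build_audit_comment_cmd(rule_xpath, "SOAR container 42: block C2 host"), key))
    print(build_api_query("commit", build_commit_cmd(partial_admin="svc_soar"), key))
    print(build_api_query("commit", build_commit_all_cmd("DG1"), key, action="all"))
```

The order of the three requests matters: the audit comment is set on the rule first, then the Panorama commit, then the `commit-all` to the device group, which is the slow step the documentation warns about.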
The below configuration variables are required for this Connector to operate. These variables are specified when configuring a Panorama asset in SOAR.
VARIABLE | REQUIRED | TYPE | DESCRIPTION |
---|---|---|---|
device | required | string | Device IP/Hostname |
verify_server_cert | optional | boolean | Verify server certificate |
username | required | string | Username |
password | required | password | Password |
test connectivity - Validate the asset configuration for connectivity
block url - Block a URL
unblock url - Unblock a URL
block application - Block an application
unblock application - Unblock an application
block ip - Block an IP
unblock ip - Unblock an IP
list applications - List the applications that the device knows about and can block
run query - Run a query on Panorama
Validate the asset configuration for connectivity
Type: test
Read only: True
This action logs into the device using a REST API call to check the connection and the credentials configured.
No parameters are required for this action
No Output
Block a URL
Type: contain
Read only: False
This action does the following to block a URL:
- Create a URL Filtering profile object named 'Phantom URL List for [device_group]' containing the URL to block. If the profile is already present, then it will be updated to include the URL to block. IMPORTANT: For Version 9 and above, a URL Filtering profile no longer includes an allow-list/block-list. The official workaround is to use a Custom URL category instead. Therefore, we create a new Custom URL category with the same name as the profile and link it to the profile. Then we configure the profile to block the URL category in both the 'SITE ACCESS' and 'USER CREDENTIAL SUBMISSION' columns.
- Re-configure the policy (specified in the policy_name parameter) to use the created URL Filtering profile. If the policy is not found on the device, the action will return an error.
- The action then proceeds to commit the changes to Panorama, followed by a commit to the device group. If the device group happens to be shared, then a commit will be sent to all the device groups belonging to it.
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
url | required | URL to block | string | url |
device_group | required | Device group to configure, or 'shared' | string | |
policy_type | required | Block policy type | string | |
policy_name | required | Policy to use | string | |
use_partial_commit | optional | Whether to perform a partial commit of admin-level changes; the asset's configured username is sent as the administrator name in the request. Otherwise a plain commit is used by default. | boolean | |
audit_comment | optional | Audit comment to be used with the policy name. Maximum 256 characters. | string | |
DATA PATH | TYPE | CONTAINS |
---|---|---|
action_result.parameter.url | string | url |
action_result.parameter.device_group | string | |
action_result.parameter.policy_type | string | |
action_result.parameter.policy_name | string | |
action_result.parameter.use_partial_commit | boolean | |
action_result.parameter.audit_comment | string | |
action_result.data | string | |
action_result.status | string | |
action_result.message | string | |
action_result.summary | string | |
summary.total_objects | numeric | |
summary.total_objects_successful | numeric |
Unblock a URL
Type: correct
Read only: False
For Version 8 and below, this action will remove the URL from the URL Filtering profile that was created/updated in the block url action. For Version 9 and above, this action will remove the URL from the Custom URL category that was created/updated in the block url action. The action then proceeds to commit the changes to Panorama, followed by a commit to the device group. If the device group happens to be shared, then a commit will be sent to all the device groups belonging to it.
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
url | required | URL to unblock | string | url |
device_group | required | Device group to configure, or 'shared' | string | |
use_partial_commit | optional | Whether to perform a partial commit of admin-level changes; the asset's configured username is sent as the administrator name in the request. Otherwise a plain commit is used by default. | boolean | |
DATA PATH | TYPE | CONTAINS |
---|---|---|
action_result.parameter.url | string | url |
action_result.parameter.device_group | string | |
action_result.parameter.use_partial_commit | boolean | |
action_result.data | string | |
action_result.status | string | |
action_result.message | string | |
action_result.summary | string | |
summary.total_objects | numeric | |
summary.total_objects_successful | numeric |
Block an application
Type: contain
Read only: False
This action does the following to block an application:
- Create an Application group named 'Phantom App List for [device_group]' containing the application to block. If the group is already present, then it will be updated to include the application.
- Re-configure the policy (specified in the policy_name parameter) to use the created application group. If the policy is not found on the device, the action will return an error.
- The action then proceeds to commit the changes to Panorama, followed by a commit to the device group. If the device group happens to be shared, then a commit will be sent to all the device groups belonging to it.
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
application | required | Application to block | string | network application |
device_group | required | Device group to configure, or 'shared' | string | |
policy_type | required | Block policy type | string | |
policy_name | required | Policy to use | string | |
use_partial_commit | optional | Whether to perform a partial commit of admin-level changes; the asset's configured username is sent as the administrator name in the request. Otherwise a plain commit is used by default. | boolean | |
audit_comment | optional | Audit comment to be used with the policy name. Maximum 256 characters. | string | |
DATA PATH | TYPE | CONTAINS |
---|---|---|
action_result.parameter.application | string | network application |
action_result.parameter.device_group | string | |
action_result.parameter.policy_type | string | |
action_result.parameter.policy_name | string | |
action_result.parameter.use_partial_commit | boolean | |
action_result.parameter.audit_comment | string | |
action_result.data | string | |
action_result.status | string | |
action_result.message | string | |
action_result.summary | string | |
summary.total_objects | numeric | |
summary.total_objects_successful | numeric |
Unblock an application
Type: correct
Read only: False
This action will remove the application from the Application group that was created/updated in the block application action. The action then proceeds to commit the changes to Panorama, followed by a commit to the device group. If the device group happens to be shared, then a commit will be sent to all the device groups belonging to it.
Note: This action will pass for any non-existent application name, because the API does not return an error for an incorrect application name.
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
application | required | Application to unblock | string | network application |
device_group | required | Device group to configure, or 'shared' | string | |
use_partial_commit | optional | Whether to perform a partial commit of admin-level changes; the asset's configured username is sent as the administrator name in the request. Otherwise a plain commit is used by default. | boolean | |
DATA PATH | TYPE | CONTAINS |
---|---|---|
action_result.parameter.application | string | network application |
action_result.parameter.device_group | string | |
action_result.parameter.use_partial_commit | boolean | |
action_result.data | string | |
action_result.status | string | |
action_result.message | string | |
action_result.summary | string | |
summary.total_objects | numeric | |
summary.total_objects_successful | numeric |
Block an IP
Type: contain
Read only: False
This action uses a multistep approach to block an IP. The approach differs depending on whether is_source_address is true or not. By default, it is false. The procedure is as follows:
- Create an address entry named '[ip_address] Added By Phantom' with the specified IP address
- The container id of the Phantom action is added as a tag to the address entry when it's created
- If is_source_address is false:
  - add this entry to an address group called Phantom Network List for [device_group]
  - The address entry and group will be created in the device group specified in the device_group parameter
  - configure the address group as a destination of the policy specified in the policy_name parameter
- If is_source_address is true:
  - add this entry to an address group called PhantomNtwrkSrcLst[device_group]
  - The address entry and group will be created in the device group specified in the device_group parameter
  - configure the address group as a source of the policy specified in the policy_name parameter
- The action then proceeds to commit the changes to Panorama, followed by a commit to the device group. If the device group happens to be shared, then a commit will be sent to all the device groups belonging to it.
Please Note: If the Panorama Policy that is used to block a source or destination address has 'Any' in the Source Address or Destination Address field, Block IP will succeed but it will not work. Therefore, make sure that the policy that the address group will be appended to has no 'Any' in the field that you are blocking from, i.e., if you are blocking an IP from source, make sure the policy does not have 'Any' under Source Address.
The address group name is limited to 32 characters. The device group chosen will be appended to the address group name created. If the resulting name is too long, the name will be trimmed, which may result in clipped or unusual names. This is as intended, as it is a limitation of Panorama.
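The two pitfalls just described ('Any' in the field being blocked from, and name trimming) are both checkable before the commits run. The following is an added example, not the Panorama app's own code: it derives the object names the block ip procedure creates (with the 32-character address group trim described above), and inspects the target rule for 'Any' in the relevant field and for a non-Drop action, which the earlier note says the action never modifies. The rule XML is a constructed sample in the shape of a Panorama security rule; device group and rule names are placeholders.

```python
# Added example (not the Panorama app's own code): pre-flight check for the
# block ip procedure. Object naming follows the app documentation; the rule
# XML below is a constructed sample, and all names are placeholders.
import xml.etree.ElementTree as ET

ADDRESS_GROUP_NAME_MAX = 32  # limit stated in the app documentation
DST_GROUP_PREFIX = "Phantom Network List for "  # is_source_address = false
SRC_GROUP_PREFIX = "PhantomNtwrkSrcLst"         # is_source_address = true


def address_entry_name(ip: str) -> str:
    """Address object the action creates for the blocked IP."""
    return f"{ip} Added By Phantom"


def address_group_name(device_group: str, is_source_address: bool) -> str:
    """Group the entry is added to, trimmed to Panorama's limit as the text describes."""
    prefix = SRC_GROUP_PREFIX if is_source_address else DST_GROUP_PREFIX
    return (prefix + device_group)[:ADDRESS_GROUP_NAME_MAX]


def rule_members(rule_xml: str, field: str) -> list:
    """Member list of a rule field such as 'source' or 'destination'."""
    rule = ET.fromstring(rule_xml)
    return [m.text.strip() for m in rule.findall(f"./{field}/member") if m.text]


def preflight_block_ip(rule_xml: str, ip: str, device_group: str, is_source_address: bool) -> dict:
    """Names the action would create, plus every reason the block would silently not take effect."""
    field = "source" if is_source_address else "destination"
    problems = []
    # Block IP 'succeeds but does not work' when the field being blocked from is 'Any'
    if any(m.lower() == "any" for m in rule_members(rule_xml, field)):
        problems.append(f"rule has 'any' in {field}; the appended address group would be ignored")
    # The action never touches the rule action, so it must already be Drop
    action = (ET.fromstring(rule_xml).findtext("action") or "").strip().lower()
    if action != "drop":
        problems.append(f"rule action is '{action or 'unset'}', expected 'drop'")
    prefix = SRC_GROUP_PREFIX if is_source_address else DST_GROUP_PREFIX
    group = address_group_name(device_group, is_source_address)
    return {
        "address_entry": address_entry_name(ip),
        "address_group": group,
        "group_trimmed": len(prefix + device_group) > ADDRESS_GROUP_NAME_MAX,
        "rule_field": field,
        "ok": not problems,
        "problems": problems,
    }


# Constructed sample: a pre-rulebase security rule already prepared for destination blocking
SAMPLE_RULE = """<entry name="Block-Outbound-Phantom">
  <from><member>trust</member></from>
  <to><member>untrust</member></to>
  <source><member>any</member></source>
  <destination><member>Phantom Network List for DG1</member></destination>
  <application><member>any</member></application>
  <service><member>any</member></service>
  <action>drop</action>
</entry>"""

if __name__ == "__main__":
    for as_source in (False, True):
        print(preflight_block_ip(SAMPLE_RULE, "203.0.113.7", "DG1", as_source))
```

Run against the sample rule, the destination case passes and the source case is flagged, because the rule's Source Address is 'any': exactly the situation in which the documented action reports success without blocking anything.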
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
ip | required | IP to block | string | ip |
is_source_address | optional | Source address | boolean | |
device_group | required | Device group to configure, or 'shared' | string | |
policy_type | required | Block policy type | string | |
policy_name | required | Policy to use | string | |
use_partial_commit | optional | Whether to perform a partial commit of admin-level changes; the asset's configured username is sent as the administrator name in the request. Otherwise a plain commit is used by default. | boolean | |
audit_comment | optional | Audit comment to be used with the policy name. Maximum 256 characters. | string | |
DATA PATH | TYPE | CONTAINS |
---|---|---|
action_result.parameter.ip | string | ip |
action_result.parameter.is_source_address | boolean | |
action_result.parameter.device_group | string | |
action_result.parameter.policy_type | string | |
action_result.parameter.policy_name | string | |
action_result.parameter.use_partial_commit | boolean | |
action_result.parameter.audit_comment | string | |
action_result.data | string | |
action_result.status | string | |
action_result.message | string | |
action_result.summary | string | |
summary.total_objects | numeric | |
summary.total_objects_successful | numeric |
Unblock an IP
Type: correct
Read only: False
This action will remove the address entry from the Address group that was created/updated in the block ip action. This action behaves differently based upon whether is_source_address is true or false. By default, it is false.
If is_source_address is false:
- The given IP address will be removed from the Phantom Network List for [device_group] Address Group.
If is_source_address is true:
- The given IP address will be removed from the PhantomNtwrkSrcLst[device_group] Address Group.
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
ip | required | IP to unblock | string | ip |
is_source_address | optional | Source address | boolean | |
device_group | required | Device group to configure, or 'shared' | string | |
use_partial_commit | optional | Whether to perform a partial commit of admin-level changes; the asset's configured username is sent as the administrator name in the request. Otherwise a plain commit is used by default. | boolean | |
DATA PATH | TYPE | CONTAINS |
---|---|---|
action_result.parameter.ip | string | ip |
action_result.parameter.device_group | string | |
action_result.parameter.is_source_address | boolean | |
action_result.parameter.use_partial_commit | boolean | |
action_result.data | string | |
action_result.status | string | |
action_result.message | string | |
action_result.summary | string | |
summary.total_objects | numeric | |
summary.total_objects_successful | numeric |
List the applications that the device knows about and can block
Type: investigate
Read only: True
No parameters are required for this action
DATA PATH | TYPE | CONTAINS |
---|---|---|
action_result.data.*.@name | string | network application |
action_result.data.*.category | string | |
action_result.data.*.has-known-vulnerability | string | |
action_result.data.*.used-by-malware | string | |
action_result.data.*.@ori_country | string | |
action_result.data.*.description | string | |
action_result.data.*.consume-big-bandwidth | string | |
action_result.data.*.able-to-transfer-file | string | |
action_result.data.*.technology | string | |
action_result.data.*.pervasive-use | string | |
action_result.data.*.@ori_lauguage | string | |
action_result.data.*.subcategory | string | |
action_result.data.*.prone-to-misuse | string | |
action_result.data.*.default.port.member | string | |
action_result.data.*.evasive-behavior | string | |
action_result.data.*.references.entry.link | string | |
action_result.data.*.references.entry.@name | string | |
action_result.data.*.tunnel-other-application | string | |
action_result.data.*.@id | string | |
action_result.data.*.risk | string | |
action_result.data.*.application-container | string | |
action_result.data.*.use-applications.member.#text | string | |
action_result.data.*.use-applications.member.@minver | string | |
action_result.data.*.use-applications.@minver | string | |
action_result.data.*.@minver | string | |
action_result.data.*.references.entry.*.link | string | |
action_result.data.*.references.entry.*.@name | string | |
action_result.data.*.use-applications.member | string | |
action_result.data.*.file-type-ident | string | |
action_result.data.*.virus-ident | string | |
action_result.data.*.tunnel-applications.member | string | |
action_result.data.*.data-ident | string | |
action_result.data.*.implicit-use-applications.member | string | |
action_result.data.*.udp-timeout | string | |
action_result.data.*.default.ident-by-ip-protocol | string | |
action_result.data.*.file-forward | string | |
action_result.data.*.use-applications.member.*.#text | string | |
action_result.data.*.use-applications.member.*.@minver | string | |
action_result.data.*.tunnel-applications.member.*.#text | string | |
action_result.data.*.tunnel-applications.member.*.@minver | string | |
action_result.data.*.tunnel-applications.@minver | string | |
action_result.data.*.ottawa-name | string | |
action_result.data.*.decode | string | |
action_result.data.*.breaks-decryption | string | |
action_result.data.*.tunnel-applications.member.#text | string | |
action_result.data.*.tunnel-applications.member.@minver | string | |
action_result.data.*.related-applications.member | string | |
action_result.data.*.child | string | |
action_result.data.*.timeout | string | |
action_result.data.*.analysis | string | |
action_result.data.*.not-support-ssl | string | |
action_result.data.*.enable-url-filter | string | |
action_result.data.*.decode.#text | string | |
action_result.data.*.decode.@minver | string | |
action_result.data.*.correlate.rules.entry.threshold | string | |
action_result.data.*.correlate.rules.entry.interval | string | |
action_result.data.*.correlate.rules.entry.protocol | string | |
action_result.data.*.correlate.rules.entry.track-by.member | string | |
action_result.data.*.correlate.rule-match | string | |
action_result.data.*.correlate.interval | string | |
action_result.data.*.correlate.key-by.member | string | |
action_result.data.*.tunnel-other-application.#text | string | |
action_result.data.*.tunnel-other-application.@minver | string | |
action_result.data.*.tcp-timeout | string | |
action_result.data.*.ident-by-dport | string | |
action_result.data.*.ident-by-sport | string | |
action_result.data.*.preemptive | string | |
action_result.data.*.use-applications.*.member | string | |
action_result.data.*.netx-vmotion | string | |
action_result.data.*.ha-safe | string | |
action_result.data.*.doc-review | string | |
action_result.data.*.default.*.ident-by-ip-protocol | string | |
action_result.data.*.default.*.port.member | string | |
action_result.data.*.discard-timeout | string | |
action_result.data.*.udp-discard-timeout | string | |
action_result.data.*.default.ident-by-icmp-type | string | |
action_result.data.*.deprecated | string | |
action_result.data.*.alg-disable-capability | string | |
action_result.data.*.tcp-discard-timeout | string | |
action_result.status | string | |
action_result.message | string | |
action_result.summary.total_applications | numeric | |
summary.total_objects | numeric | |
summary.total_objects_successful | numeric |
Run a query on Panorama
Type: investigate
Read only: True
This action runs a query on Panorama and returns the set of logs matching the search criteria.
Use the range parameter to limit the number of logs returned by the action. If no range is given, the action will use the range 1-5000. The action can retrieve up to a maximum of 5000 logs. If more logs need to be retrieved, rerun the action with the next sequential range of values.
The log_type parameter can be one of the following:
- traffic - traffic logs
- url - URL filtering logs
- data - data filtering logs
- threat - threat logs
- config - config logs
- system - system logs
- hipmatch - HIP match logs
- wildfire - wildfire logs
- corr - correlated event logs
- corr-categ - correlated events by category
- corr-detail - correlated event details
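The run query action is a two-step exchange with Panorama (enqueue a log query job, then fetch the job's result), and the range and log_type rules above translate directly into request validation. The following is an added example, not the Panorama app's own code: it is written against the PAN-OS XML API log interface as I know it (`type=log` with `log-type`, `query`, `skip`, `nlogs` and `dir` to enqueue, then `type=log&action=get&job-id=N` to collect), maps the action's range parameter onto `skip`/`nlogs` (that mapping is my assumption, not something the page states), and parses a constructed job response shaped like the data paths listed for this action. No request is sent.

```python
# Added example (not the Panorama app's own code): the log query exchange
# behind the run query action. API parameter names are assumed from the
# PAN-OS XML API; the range -> skip/nlogs mapping is an assumption; the
# job response below is a constructed sample matching the listed data paths.
import xml.etree.ElementTree as ET
from typing import Optional, Tuple

LOG_TYPES = {"traffic", "url", "data", "threat", "config", "system", "hipmatch",
             "wildfire", "corr", "corr-categ", "corr-detail"}  # values listed in the doc
MAX_LOGS = 5000  # per-run ceiling stated in the app documentation


def parse_range(range_str: Optional[str]) -> Tuple[int, int]:
    """Map 'start-end' (1-based, inclusive, default 1-5000) to the API's skip and nlogs."""
    start_s, end_s = (range_str or f"1-{MAX_LOGS}").split("-", 1)
    start, end = int(start_s), int(end_s)
    if start < 1 or end < start:
        raise ValueError(f"invalid range {start}-{end}")
    if end - start + 1 > MAX_LOGS:
        raise ValueError(f"range spans more than {MAX_LOGS} logs; rerun with the next sequential range")
    return start - 1, end - start + 1


def build_log_query_params(log_type: str, query: str, range_str: Optional[str] = None,
                           direction: str = "backward") -> dict:
    """Step 1: parameters that enqueue the query job on Panorama."""
    if log_type not in LOG_TYPES:
        raise ValueError(f"unsupported log_type {log_type!r}")
    if direction not in ("backward", "forward"):
        raise ValueError(f"direction must be backward or forward, got {direction!r}")
    skip, nlogs = parse_range(range_str)
    return {"type": "log", "log-type": log_type, "query": query,
            "skip": skip, "nlogs": nlogs, "dir": direction}


def build_job_fetch_params(job_id: str) -> dict:
    """Step 2: parameters that fetch the job's status and cached logs."""
    return {"type": "log", "action": "get", "job-id": job_id}


def parse_log_job_response(xml_text: str) -> dict:
    """Pull job status and log entries out of the action=get response."""
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        raise RuntimeError("Panorama returned status " + str(root.get("status")))
    job = root.find("./result/job")
    logs = root.find("./result/log/logs")
    entries = []
    if logs is not None:
        for entry in logs.findall("entry"):
            record = {child.tag: (child.text or "").strip() for child in entry}
            record["@logid"] = entry.get("logid")
            entries.append(record)
    return {
        "job_id": job.findtext("id") if job is not None else None,
        "status": job.findtext("status") if job is not None else None,  # poll until FIN
        "count": int(logs.get("count", "0")) if logs is not None else 0,
        "progress": int(logs.get("progress", "0")) if logs is not None else 0,
        "entries": entries,
    }


def denied_sessions_from(response_xml: str, src_ip: str) -> list:
    """Analyst's use of the result: which logged sessions from src_ip were denied, and by which rule."""
    parsed = parse_log_job_response(response_xml)
    return [(e["dst"], e["dport"], e["rule"]) for e in parsed["entries"]
            if e.get("src") == src_ip and e.get("action") == "deny"]


# Constructed sample of a finished job with two traffic log entries
SAMPLE_JOB_RESPONSE = """<response status="success"><result>
  <job><tenq>14:02:11</tenq><tdeq>14:02:11</tdeq><tlast>14:02:12</tlast>
       <status>FIN</status><id>1452</id><cached-logs>2</cached-logs></job>
  <log><logs count="2" progress="100">
    <entry logid="6200112233">
      <receive_time>2024/05/01 14:01:58</receive_time><type>TRAFFIC</type><subtype>end</subtype>
      <src>10.1.1.5</src><dst>203.0.113.7</dst><sport>51522</sport><dport>443</dport>
      <app>ssl</app><rule>Block-Outbound-Phantom</rule><action>deny</action>
      <session_end_reason>policy-deny</session_end_reason>
    </entry>
    <entry logid="6200112234">
      <receive_time>2024/05/01 14:01:59</receive_time><type>TRAFFIC</type><subtype>end</subtype>
      <src>10.1.1.5</src><dst>203.0.113.7</dst><sport>51523</sport><dport>443</dport>
      <app>ssl</app><rule>Block-Outbound-Phantom</rule><action>deny</action>
      <session_end_reason>policy-deny</session_end_reason>
    </entry>
  </logs></log>
</result></response>"""

if __name__ == "__main__":
    print(build_log_query_params("traffic", "(addr.src in 10.1.1.5) and (action eq deny)", "1-100"))
    print(build_job_fetch_params("1452"))
    print(denied_sessions_from(SAMPLE_JOB_RESPONSE, "10.1.1.5"))
```

A playbook that needs more than 5000 matches calls the action again with the next range (for example 5001-10000); `parse_range` rejects a single range wider than that ceiling rather than silently truncating it.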
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
log_type | required | Log type to query | string | |
query | required | Query to run | string | |
range | optional | Range of result logs to retrieve (e.g. 1-5000 or 100-700) | string | |
direction | optional | Direction to search | string | |
DATA PATH | TYPE | CONTAINS |
---|---|---|
action_result.parameter.query | string | |
action_result.parameter.log_type | string | |
action_result.parameter.direction | string | |
action_result.parameter.range | string | |
action_result.data.*.job.id | string | |
action_result.data.*.job.tdeq | string | |
action_result.data.*.job.tenq | string | |
action_result.data.*.job.tlast | string | |
action_result.data.*.job.status | string | |
action_result.data.*.job.cached-logs | string | |
action_result.data.*.log.logs.entry.*.to | string | |
action_result.data.*.log.logs.entry.*.app | string | |
action_result.data.*.log.logs.entry.*.dst | string | ip |
action_result.data.*.log.logs.entry.*.src | string | ip |
action_result.data.*.log.logs.entry.*.from | string | |
action_result.data.*.log.logs.entry.*.rule | string | |
action_result.data.*.log.logs.entry.*.type | string | |
action_result.data.*.log.logs.entry.*.vsys | string | |
action_result.data.*.log.logs.entry.*.bytes | string | |
action_result.data.*.log.logs.entry.*.dport | string | port |
action_result.data.*.log.logs.entry.*.flags | string | |
action_result.data.*.log.logs.entry.*.proto | string | |
action_result.data.*.log.logs.entry.*.seqno | string | |
action_result.data.*.log.logs.entry.*.sport | string | port |
action_result.data.*.log.logs.entry.*.start | string | |
action_result.data.*.log.logs.entry.*.@logid | string | |
action_result.data.*.log.logs.entry.*.action | string | |
action_result.data.*.log.logs.entry.*.domain | string | domain |
action_result.data.*.log.logs.entry.*.dstloc | string | |
action_result.data.*.log.logs.entry.*.logset | string | |
action_result.data.*.log.logs.entry.*.serial | string | |
action_result.data.*.log.logs.entry.*.srcloc | string | |
action_result.data.*.log.logs.entry.*.elapsed | string | |
action_result.data.*.log.logs.entry.*.packets | string | |
action_result.data.*.log.logs.entry.*.padding | string | |
action_result.data.*.log.logs.entry.*.pbf-c2s | string | |
action_result.data.*.log.logs.entry.*.pbf-s2c | string | |
action_result.data.*.log.logs.entry.*.subtype | string | |
action_result.data.*.log.logs.entry.*.vsys_id | string | |
action_result.data.*.log.logs.entry.*.category | string | |
action_result.data.*.log.logs.entry.*.cpadding | string | |
action_result.data.*.log.logs.entry.*.flag-nat | string | |
action_result.data.*.log.logs.entry.*.natdport | string | |
action_result.data.*.log.logs.entry.*.natsport | string | |
action_result.data.*.log.logs.entry.*.flag-pcap | string | |
action_result.data.*.log.logs.entry.*.pkts_sent | string | |
action_result.data.*.log.logs.entry.*.repeatcnt | string | |
action_result.data.*.log.logs.entry.*.sessionid | string | |
action_result.data.*.log.logs.entry.*.bytes_sent | string | |
action_result.data.*.log.logs.entry.*.config_ver | string | |
action_result.data.*.log.logs.entry.*.flag-proxy | string | |
action_result.data.*.log.logs.entry.*.inbound_if | string | |
action_result.data.*.log.logs.entry.*.sym-return | string | |
action_result.data.*.log.logs.entry.*.actionflags | string | |
action_result.data.*.log.logs.entry.*.device_name | string | |
action_result.data.*.log.logs.entry.*.outbound_if | string | |
action_result.data.*.log.logs.entry.*.transaction | string | |
action_result.data.*.log.logs.entry.*.flag-flagged | string | |
action_result.data.*.log.logs.entry.*.receive_time | string | |
action_result.data.*.log.logs.entry.*.action_source | string | |
action_result.data.*.log.logs.entry.*.non-std-dport | string | |
action_result.data.*.log.logs.entry.*.pkts_received | string | |
action_result.data.*.log.logs.entry.*.time_received | string | |
action_result.data.*.log.logs.entry.*.bytes_received | string | |
action_result.data.*.log.logs.entry.*.captive-portal | string | |
action_result.data.*.log.logs.entry.*.decrypt-mirror | string | |
action_result.data.*.log.logs.entry.*.time_generated | string | |
action_result.data.*.log.logs.entry.*.dg_hier_level_1 | string | |
action_result.data.*.log.logs.entry.*.dg_hier_level_2 | string | |
action_result.data.*.log.logs.entry.*.dg_hier_level_3 | string | |
action_result.data.*.log.logs.entry.*.dg_hier_level_4 | string | |
action_result.data.*.log.logs.entry.*.flag-url-denied | string | |
action_result.data.*.log.logs.entry.*.temporary-match | string | |
action_result.data.*.log.logs.entry.*.session_end_reason | string | |
action_result.data.*.log.logs.@count | string | |
action_result.data.*.log.logs.@progress | string | |
action_result.status | string | |
action_result.message | string | |
action_result.summary.num_logs | numeric | |
summary.total_objects | numeric | |
summary.total_objects_successful | numeric |