About Palo Alto
Palo Alto Networks, Inc. has pioneered the next generation of network security with an innovative platform that allows you to secure your network and safely enable an increasingly complex and rapidly growing number of applications. At the core of this platform is the next-generation firewall, which delivers visibility and control over applications, users, and content within the firewall using a highly optimized hardware and software architecture.
SIRP’s integration with Palo Alto Firewall allows security teams to execute response actions right from SIRP.
SIRP’s Palo Alto integration app allows you to execute the following actions:
Block IP as Source: Block an IP Address as the source on Palo Alto firewall
Unblock IP Address as source: Unblock an IP Address as the source on Palo Alto firewall
Block IP as Destination: Block an IP Address as a destination on Palo Alto firewall
Unblock IP as Destination: Unblock an IP Address as destination on Palo Alto firewall
Block URL on Palo Alto firewall
Unblock URL on Palo Alto firewall
Create an API User on Palo Alto
Select an Admin Role profile.
Go to Device > Admin Roles and select or create an admin role.
Select features available to the admin role.
Select the XML API tab.
Enable or disable XML API features from the list, such as Report, Log, Configuration, and Commit.
Select OK to confirm your change.
Assign the admin role to an administrator account.
See Configure an Administrative Account.
Select Device > Administrators and Add an account.
Enter a user name (e.g., sirp_api).
Select an Authentication Profile or sequence if you configured either for the administrator.
If the firewall uses Local Authentication without a local user database for the account, select None (default) and enter a Password.
Select the Administrator Type.
Select the custom role you have created above.
(Optional) Select a Password Profile for administrators that the firewall authenticates locally without a local user database.
Click OK and Commit.
Enable and Configure Palo Alto App
Generate Palo Alto API Key
To generate an API key, you need to make a GET or POST request to the firewall’s hostname or IP address using the administrative credentials.
Execute one of the following commands (GET or POST) in the shell or command prompt of a machine that can reach your firewall:
curl -k -X GET "https://<firewall>/api/?type=keygen&user=<username>&password=<password>"
curl -k -X POST "https://<firewall>/api/?type=keygen&user=<username>&password=<password>"
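Replace <firewall> with the firewall's hostname or IP address, <username> with your username, and <password> with your password. The -k option tells curl to skip TLS certificate verification; omit it if the firewall presents a certificate that the machine already trusts.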
A successful API call will return status="success" along with the API key within the key element. A sample response is shown below:
<response status="success">
  <result>
    <key>jHYWE56896nBvKqpfa62sJTRtYjHo2BgzEA9UOnlZNHt</key>
  </result>
</response>
Copy the API key to use in the App configuration.
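The keygen request and response check above can be scripted so the password travels in the POST body and the reply is validated before the key is used. This is an added example, not code from SIRP or Palo Alto Networks; the function names and the optional CA bundle argument are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example (not SIRP or Palo Alto code). Function names are hypothetical.

# Print the <key> value from a keygen reply; fail unless status is "success".
extract_api_key() {
  local xml key
  xml=$1
  # Accept both status="success" and status = 'success' spellings.
  if ! printf '%s' "$xml" | grep -Eq "<response[^>]*status *= *[\"']success[\"']"; then
    echo "keygen failed: $(printf '%s' "$xml" | sed -n 's:.*<msg>\(.*\)</msg>.*:\1:p')" >&2
    return 1
  fi
  key=$(printf '%s' "$xml" | tr -d '\n' | sed -n 's:.*<key>\([^<]*\)</key>.*:\1:p')
  [ -n "$key" ] || { echo "no <key> element in response" >&2; return 1; }
  printf '%s\n' "$key"
}

# Prompt for the password and POST it in the request body, fed to curl on
# stdin so it never appears in the URL, shell history or process list.
# Args: firewall host, user name, optional CA bundle path (assumed to exist).
request_api_key() {
  local fw user ca password reply
  fw=$1; user=$2; ca=${3:-}
  read -r -s -p "Password for $user: " password; echo >&2
  reply=$(printf '%s' "$password" | curl --silent --show-error \
            ${ca:+--cacert "$ca"} \
            --data-urlencode "user=$user" \
            --data-urlencode "password@-" \
            "https://$fw/api/?type=keygen") || return 1
  extract_api_key "$reply"
}
```

Calling request_api_key with the firewall address and the sirp_api user prints the key on success and returns a non-zero status with the firewall's error message otherwise.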
Configure Palo Alto App
1. Log in to SIRP, then go to Apps from the left navigation bar.
2. Locate the app named Palo Alto Firewall.
3. Enable the Palo Alto app by clicking on the toggle button under the Status column.
4. As soon as you enable the App, you will get an option to add the configuration details. Add the following details and click Save:
a. IP: <IP address of Palo Alto Firewall>
b. API Key: <API Key copied from Palo Alto>
After the last step, you should be able to execute the Palo Alto actions on demand or through Playbooks to block and unblock IP addresses and URLs.