Skip to main content
All CollectionsIntegration Guide
Palo Alto Firewall Integration
Palo Alto Firewall Integration
Ali Murtaza avatar
Written by Ali Murtaza
Updated over 2 years ago

About Palo Alto

Palo Alto Networks, Inc. has pioneered the next generation of network security with an innovative platform that allows you to secure your network and safely enable an increasingly complex and rapidly growing number of applications. At the core of this platform is the next-generation firewall, which delivers visibility and control over applications, users, and content within the firewall using a highly optimized hardware and software architecture.

SIRP’s integration with Palo Alto Firewall allows security teams to execute response actions right from SIRP.

Supported Actions

SIRP’s Palo Alto integration app allows you to execute the following actions:

Action

Description

Block IP as Source

Block an IP Address as the source on Palo Alto firewall

Unblock IP Address as source

Unblock an IP Address as the source on Palo Alto firewall

Block IP as Destination

Block an IP Address as a destination on Palo Alto firewall

Unblock IP as Destination

Unblock an IP Address as destination on Palo Alto firewall

Block URL

Block URL on Palo Alto firewall

Unblock URL

Unblock URL on Palo Alto firewall

Account Creation

Create an API User on Palo Alto

Select an Admin Role profile.

Go to Device Admin Roles and select or create an admin role.

  1. Select features available to the admin role.

    • Select the XML API tab.

    • Enable or disable XML API features from the list, such as Report, Log, Configuration, and Commit.

    • Select OK to confirm your change.

  2. To Assign the admin role to an administrator account.

    See Configure an Administrative Account.

Select Device Administrators and Add an account

  1. Enter a user name e.g. (sirp_api)

  2. Select an Authentication Profile or sequence if you configured either for the administrator.

    If the firewall uses Local Authentication without a local user database for the account, select None (default) and enter a Password.

  3. Select the Administrator Type.

    Select the custom role you have created above.

  4. (Optional) Select a Password Profile for administrators that the firewall authenticates locally without a local user database.

  5. Click OK and Commit.

Enable and Configure Palo Alto App

Generate Palo Alto API Key

To generate an API key, you need to make a GET or POST request to the firewall’s hostname or IP address using the administrative credentials.

Execute the following command in the shell or command prompt of a machine that can reach your firewall:

curl -k -X GET "https://<firewall>/api/?type=keygen&user=<username>&password=<password>"

OR

curl -k -X POST "https://<firewall>/api/?type=keygen&user=<username>&password=<password>"

Replace <username> with your username and <password> with your password.

A successful API call will return status="success" along with the API key within the key element. A sample response is shown below:

<response status="success">   <result>     <key>jHYWE56896nBvKqpfa62sJTRtYjHo2BgzEA9UOnlZNHt</key>   </result> </response>

Copy the API key to use in the App configuration.

Configure Palo Alto App

1. Next, log in to SIRP, then go to Apps from the left navigation bar

2. Locate the app named Palo Alto Firewall

3. Enable the Palo Alto app by clicking on the toggle button under the Status column.

4. As soon as you enable the App, you will get an option to add the configuration details. Add the following details and click Save:

a. IP: <IP address of Palo Alto Firewall>

b. API Key: <API Key copied from Palo Alto>

After the last step, you should be able to execute the Palo Alto actions on demand or through Playbooks to block and unblock IP addresses and URLs.

Did this answer your question?