This pack uses the Palo Alto Network developed library pandevice to implement a number of functions for interaction with Palo Alto Networks devices.

The actions in this pack are Panorama aware when appropiate. In most cases, you will reference the Panorama as the firewall and a desired device group via device_group.

Block threats on Palo Alto Networks (PAN) firewalls. This uses PAN HTTP server profiles (webhooks) which are available in PAN-OS version 8+.

Copy the example configuration in paloalto.yaml.example to /opt/stackstorm/configs/paloalto.yaml and edit as required. After making changes, tell ST2 to load them with sudo st2ctl reload --register-configs.

Example configuration:

---
firewall:
  default:
    host: prodfirewall.corp.lan
    api_username: admin
    api_password: admin

You can configure serveral devices (both Firewalls and Panoramas) all under the firewall config section. The default device will be used whenever the firewall parameter is not passed in various actions. You may also use an api key instead of username/password for device authentication using the api_key parameter in the config of each device.

In order to obtain Palo Alto API key, run the command below. Replace firewall with the IP address of firewall, and provide the appropriate username and password:

curl -kgX GET 'https://firewall/api/?type=keygen&user=admin&password=password'

Add or update an each of these object types on a Firewall/Panorama (or device group):

• address object - apply_address_object
• address group - apply_address_group
• service object - apply_service_object
• service group - apply_service_group
• security rule - apply_security_rule

The above objects may also be added and updated in bulk:

• bulk_apply_address_object
• bulk_apply_address_group
• bulk_apply_service_object
• bulk_apply_service_group
• bulk_apply_security_rule

You may also retrieve these objects in a json serialized string (or as a raw python pandevice object)

• get_address_obejcts
• get_address_groups
• get_service_objects
• get_service_groups
• get_security_rules

You can dynamically register IP Addresses/tags to the device using the User-ID API.

• register_ip and bulk_register_ip
• unregister_ip and bulk_unregister_ip

Issue commits to Firewalls and Panorama (including device groups)

• commit

The pack also includes an example rule which can be used to receive webhooks from a Palo Alto Networks Device that contain bad actors and use the pack actions to block those actors.

The rule name is block_bad_actors located in the rules/ directory. The rule receives webhooks from the firewall and registers the IP in the payload with a defined tag to the firewall for inclusion in a Dynamic Address Group to block traffic from the IP.

Configure a http webhook (http server profile) on the firewall/Panorama following the PAN-OS 8.0 documentation

Name of the StackStorm server has to match the certificate imported into the firewall/Panorama for connection. The firewall/Panorama will also need a StackStorm API key. To generate a new key run this command:

st2 apikey create -k -m '{"used_by": "PAN"}'

For more information, see this blog post.