This pack uses the Palo Alto Networks developed library pandevice to implement a number of functions for interacting with Palo Alto Networks devices.
The actions in this pack are Panorama aware where appropriate. In most cases, you will reference the Panorama as the `firewall` and the desired device group via `device_group`.
The pack can also block threats on Palo Alto Networks (PAN) firewalls. This uses PAN HTTP server profiles (webhooks), which are available from PAN-OS version 8.0 onwards.
Copy the example configuration in `paloalto.yaml.example` to `/opt/stackstorm/configs/paloalto.yaml` and edit it as required. After making changes, tell StackStorm to load them with `sudo st2ctl reload --register-configs`.
Example configuration:

```yaml
---
firewall:
  default:
    host: prodfirewall.corp.lan
    api_username: admin
    api_password: admin
```
You can configure several devices (both firewalls and Panoramas) under the `firewall` config section. The `default` device is used whenever the `firewall` parameter is not passed to an action. You may also use an API key instead of a username/password for device authentication via the `api_key` parameter in the config of each device. Note that a PAN-OS API key grants the same access as the account it was generated for and does not expire by default, so the config file holding it deserves the same protection as one holding the password.
To obtain a Palo Alto API key, run the command below, replacing `firewall` with the IP address or hostname of the firewall and supplying the appropriate username and password:

```
curl -kgX GET 'https://firewall/api/?type=keygen&user=admin&password=password'
```

Two caveats with this one-liner: `-k` disables TLS certificate verification, and the password is part of the URL, so it ends up in your shell history and in any proxy or web server log along the way. Clear the history entry afterwards, or use the POST form below.
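The same key generation without those two weaknesses, as an added example that is not part of the pack: the credentials travel in a POST body rather than the query string, the management certificate is verified against a CA file you choose, and the XML response is checked for an error status instead of being eyeballed. The host, username and password are placeholders, and the two response documents are constructed to match the shape PAN-OS returns, not captured from a device.

```python
"""Added example (not code from the paloalto pack): obtain a PAN-OS API key
over a verified TLS connection with the credentials in the request body."""
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

# Constructed responses in the shape PAN-OS returns for type=keygen.
SAMPLE_SUCCESS = (
    '<response status="success"><result><key>LUFRPT1-example-key</key>'
    '</result></response>'
)
SAMPLE_ERROR = (
    '<response status="error" code="403"><result><msg>Invalid Credential</msg>'
    '</result></response>'
)


def keygen_request(host: str, user: str, password: str) -> urllib.request.Request:
    """Build a POST to /api/?type=keygen with form-encoded credentials.
    PAN-OS accepts the keygen parameters in the body as well as in the URL,
    which keeps the password out of shell history and access logs."""
    body = urllib.parse.urlencode({"user": user, "password": password}).encode()
    return urllib.request.Request(
        f"https://{host}/api/?type=keygen",
        data=body,
        headers={"Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )


def parse_keygen_response(xml_text: str) -> str:
    """Return the key from a keygen response, raising on an error response
    (wrong credentials, locked account) rather than returning garbage."""
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        msg = root.findtext("./result/msg") or "unknown error"
        raise RuntimeError(f"keygen failed (code {root.get('code')}): {msg}")
    key = root.findtext("./result/key")
    if not key:
        raise RuntimeError("keygen response contained no key")
    return key


def fetch_api_key(host: str, user: str, password: str, cafile: str = None) -> str:
    """Run the request against a live device. cafile points at the CA that
    signed the firewall's management certificate; leave it None to use the
    system trust store. Either way the certificate is verified, unlike -k."""
    ctx = ssl.create_default_context(cafile=cafile)
    req = keygen_request(host, user, password)
    with urllib.request.urlopen(req, context=ctx, timeout=15) as resp:
        return parse_keygen_response(resp.read().decode())


if __name__ == "__main__":
    # Offline demonstration on the constructed responses; to hit a real device
    # call fetch_api_key("prodfirewall.corp.lan", "admin", "password", "corp-ca.pem").
    print(parse_keygen_response(SAMPLE_SUCCESS))
    try:
        parse_keygen_response(SAMPLE_ERROR)
    except RuntimeError as exc:
        print(exc)
```

Paste the returned key into the device's `api_key` entry in the pack config and drop the `api_username`/`api_password` pair for that device.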
Add or update each of these object types on a firewall/Panorama (or device group):
- address object: `apply_address_object`
- address group: `apply_address_group`
- service object: `apply_service_object`
- service group: `apply_service_group`
- security rule: `apply_security_rule`
The above objects may also be added and updated in bulk:
- `bulk_apply_address_object`
- `bulk_apply_address_group`
- `bulk_apply_service_object`
- `bulk_apply_service_group`
- `bulk_apply_security_rule`
You may also retrieve these objects as a JSON-serialized string (or as a raw Python pandevice object):
- `get_address_objects`
- `get_address_groups`
- `get_service_objects`
- `get_service_groups`
- `get_security_rules`
You can dynamically register and unregister IP address/tag pairs on the device using the User-ID API:
- `register_ip` and `bulk_register_ip`
- `unregister_ip` and `bulk_unregister_ip`
Issue commits to firewalls and Panorama (including device groups):
- `commit`
The pack also includes an example rule which can be used to receive webhooks from a Palo Alto Networks device that report bad actors and use the pack actions to block them.
The rule is named `block_bad_actors` and lives in the `rules/` directory. It receives webhooks from the firewall and registers the IP from the payload with a defined tag on the firewall, so that a Dynamic Address Group matching that tag picks it up. Registering the tag on its own blocks nothing: the Dynamic Address Group must match on that tag and a security rule must deny traffic from (or to) that group, and both of those are configured on the firewall, not by the pack.
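The processing such a rule performs, as an added example that is not the pack's rule or code: pull the attacker IP out of the webhook body, refuse to register addresses that must never land in a block Dynamic Address Group (your own RFC 1918 space, loopback, link-local, multicast), deduplicate, and build the User-ID API message that tags the survivors. The JSON field names (`src_ip`, `threat`, `rule`) and the tag name `st2-block` are assumptions; an HTTP server profile's payload format is whatever the firewall administrator configured. The webhook bodies are constructed, not captured from a device.

```python
"""Added example (not code from the paloalto pack): validate bad-actor IPs from
PAN-OS HTTP server profile webhooks and build the User-ID registration message."""
import ipaddress
import json
from typing import Iterable, List, Optional
import xml.etree.ElementTree as ET

BLOCK_TAG = "st2-block"  # assumed tag; the block DAG on the firewall matches on it

# Registering one of these into a block DAG locks out your own network, not the
# attacker. An explicit list is used rather than ipaddress.is_global because the
# latter also rejects the RFC 5737 documentation ranges used in the samples below.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",     # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8", "224.0.0.0/4",
    "::1/128", "fe80::/10", "fc00::/7", "ff00::/8",
)]

# Constructed webhook bodies, not captured from a real firewall.
SAMPLE_WEBHOOKS = [
    '{"src_ip": "203.0.113.7", "threat": "SQL Injection Attempt", "rule": "allow-web"}',
    '{"src_ip": "10.1.2.3", "threat": "Port Scan", "rule": "allow-internal"}',
    '{"src_ip": "not-an-ip", "threat": "garbled"}',
    '{"threat": "field missing entirely"}',
    'this is not json',
    '{"src_ip": " 198.51.100.9 ", "threat": "Brute Force"}',
    '{"src_ip": "203.0.113.7", "threat": "SQL Injection Attempt", "rule": "allow-web"}',
]


def extract_bad_actor(payload: str, field: str = "src_ip") -> Optional[str]:
    """Return the IP to block, or None when the body is not JSON, the field is
    missing or not an IP literal, or the address is on the never-block list."""
    try:
        body = json.loads(payload)
        ip = ipaddress.ip_address(str(body[field]).strip())
    except (ValueError, KeyError, TypeError):
        return None
    if any(ip in net for net in NEVER_BLOCK):
        return None
    return str(ip)


def bad_actors_from_webhooks(webhooks: Iterable[str]) -> List[str]:
    """Deduplicated list, in first-seen order, of addresses worth registering."""
    seen: List[str] = []
    for ip in (extract_bad_actor(w) for w in webhooks):
        if ip and ip not in seen:
            seen.append(ip)
    return seen


def build_register_message(ips: Iterable[str], tag: str = BLOCK_TAG) -> str:
    """Build the XML the PAN-OS User-ID API (type=user-id) accepts to attach a
    tag to IPs; pandevice's UserId class sends a message of this shape."""
    root = ET.Element("uid-message")
    ET.SubElement(root, "type").text = "update"
    register = ET.SubElement(ET.SubElement(root, "payload"), "register")
    for ip in ips:
        tags = ET.SubElement(ET.SubElement(register, "entry", ip=ip), "tag")
        ET.SubElement(tags, "member").text = tag
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    actors = bad_actors_from_webhooks(SAMPLE_WEBHOOKS)
    print(actors)
    print(build_register_message(actors))
```

In StackStorm terms the field extraction is what the rule's Jinja expression over `trigger.body` does; the never-block check is the part worth adding in front of `register_ip`, because the firewall will happily tag its own management address if a webhook tells it to.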
Configure an HTTP webhook (HTTP server profile) on the firewall/Panorama following the PAN-OS 8.0 documentation.
The name of the StackStorm server has to match the certificate imported into the firewall/Panorama, since the firewall verifies the webhook endpoint's certificate when it connects. The firewall/Panorama will also need a StackStorm API key to authenticate to the webhook endpoint (it is sent in the `St2-Api-Key` request header). To generate a new key, run:

```
st2 apikey create -k -m '{"used_by": "PAN"}'
```

`-k` prints only the key, which is shown once; store it in the HTTP server profile and nowhere else.
For more information, see this blog post.