Configure Palo Alto Firewall

After adding a Palo Alto Firewall integration, analysts can block IP addresses, hosts, and networks while managing cases and incidents.

Obtain an API Key in the PAN-OS

Before configuring a firewall integration in LogRhythm NDR, some required information must be obtained from the PAN-OS.

For more information on using the PAN-OS console to obtain required information, see Firewall Administration.

Make sure that the PAN account used by LogRhythm NDR has the following permissions:

| API Route | Actions | Object Access |
| --- | --- | --- |
| /restapi/v10.0/Objects/Addresses?location=vsys&vsys=vsys1 | POST, PUT, GET | Object/Addresses |
| /restapi/v10.0/Objects/AddressGroups?location=vsys&vsys=vsys1 | POST, PUT, GET | Object/Address Groups |
| /api/?type=commit&action=partial&cmd=<commit></commit> | POST, PUT, GET | Device/Commit |

To generate a PAN-OS API key from your internet browser, do the following:

  1. To generate the API key, enter the following URL into your browser:
    https://<hostname>/api/?type=keygen&user=<username>&password=<password>
    Replace the tags in the URL with your own values, as described in the following table.

    | Tag | Description |
    | --- | --- |
    | <hostname> | The IP address of the Palo Alto firewall. |
    | <username> | The account's user name. |
    | <password> | The account's password. |


  2. Press Enter.
    The API key appears in plaintext, between the <key></key> tags.

Add a Palo Alto Firewall Integration in LogRhythm NDR

  1. Log in to the LogRhythm NDR UI.

  2. Click the Settings tab, and then click Firewall Integrations.
    The Firewall Table appears.

  3. To add a new firewall integration, click Add Firewall Integration.

  4. Select the Site and Firewall Type from the drop-down menus.

  5. Enter an Integration Name for the firewall.

  6. Enter the integration credentials into the relevant fields.

    | Field | Description |
    | --- | --- |
    | Firewall IP | The IP address of the Palo Alto firewall. |
    | API Token | The Palo Alto token. |
    | PAN Address Group | The Palo Alto address group. |
    | PAN Tag | The Palo Alto tag. |


    For more information on obtaining the PAN Address Group and PAN Tag, see the user documentation available in the PAN-OS interface.


  7. Click Active to enable the firewall integration.

  8. To verify the credentials have been entered correctly, click Test.
    If the information is correct, Connection Success appears. Otherwise, Connection Failed appears, meaning the credentials need to be verified and re-entered.

    When using the Palo Alto firewall product, the maximum number of IPs may vary. For more information, see the What is the Maximum Number of Addresses per Address Group in Panorama topic in the Palo Alto knowledge base.


  9. Click Save.
    The firewall integration is now complete within LogRhythm NDR.

  10. (Optional) To make changes to an existing integration, click the green Edit icon in the Actions column.
    The Edit Firewall Integration page appears.

  11. After making changes, click Update.
    The firewall integration is updated within LogRhythm NDR.