Configure Palo Alto Firewall
After adding a Palo Alto Firewall integration, analysts can block IP addresses, hosts, and networks while managing cases and incidents.
Obtain an API Key in the PAN-OS
Before configuring a firewall integration in LogRhythm NDR, some required information must be obtained from the PAN-OS.
Make sure that the PAN account used by LogRhythm NDR has the following permissions:
API Route | Actions | Object Access |
---|---|---|
/restapi/v10.0/Objects/Addresses?location=vsys&vsys=vsys1 | POST PUT GET | Object/Addresses |
/restapi/v10.0/Objects/AddressGroups?location=vsys&vsys=vsys1 | POST PUT GET | Object/Address Groups |
/api/?type=commit&action=partial&cmd=<commit></commit> | POST PUT GET | Device/Commit |
To generate a PAN-OS API key from your internet browser, do the following:
To generate the API key, enter the following URL into your browser:
https://<hostname>/api/?type=keygen&user=<username>&password=<password>
Replace these tags with the information as defined.
Tag | Description |
---|---|
<hostname> | The IP address of the Palo Alto firewall. |
<username> | The account's user name. |
<password> | The account's password. |
Click Enter.
The API key appears in plaintext, between the <key></key> tags.
Add a Palo Alto Firewall Integration in LogRhythm NDR
- Log in to the LogRhythm NDR UI.
- Click the Settings tab, and then click Firewall Integrations.
The Firewall Table appears.
- To add a new firewall integration, click Add Firewall Integration.
- Select the Site and Firewall Type from the drop-down menus.
- Enter an Integration Name for the firewall.
- Enter the integration credentials into the relevant fields.
Field | Description |
---|---|
Firewall IP | The IP address of the Palo Alto firewall. |
API Token | The Palo Alto token. |
PAN Address Group | The Palo Alto address group. |
PAN Tag | The Palo Alto tag. |
For more information on obtaining the PAN Address Group and PAN Tag, see the user documentation available in the PAN-OS interface.
- Click Active to enable the firewall integration.
- To verify the credentials have been entered correctly, click Test.
If the information is correct, Connection Success appears. Otherwise, Connection Failed appears, meaning the credentials need to be verified and re-entered.
When using the Palo Alto firewall product, the maximum number of IPs may vary. For more information, see the What is the Maximum Number of Addresses per Address Group in Panorama topic in the Palo Alto knowledge base.
- Click Save.
The firewall integration is now complete within LogRhythm NDR.
- (Optional) To make changes to an existing integration, click the green Edit icon in the Actions column.
The Edit Firewall Integration page appears.
- After making changes, click Update.
The firewall integration is updated within LogRhythm NDR.