Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 

Palo Alto

 

JSA Risk Manager supports the Palo Alto adapter. The Palo Alto adapter uses the PAN-OS XML-based Rest API to communicate with Palo Alto firewall devices.

The following features are available with the Palo Alto adapter:

  • Neighbor data support

  • Dynamic NAT

  • Static NAT

  • SNMP discovery

  • IPSEC Tunneling/VPN

  • Applications

  • User/Groups

  • HTTPS connection protocol

Note

The Palo Alto adapter does not support shared policies that are pushed to devices by a Palo Alto Panorama network security management system.

The following table describes the integration requirements for the Palo Alto adapter.

Table 1: Integration Requirements for the Palo Alto Adapter

Integration requirement

Description

Versions

PAN-OS Versions 5.0 to 7.0

Minimum user access level

Superuser (full access) Required for PA devices that have Dynamic Block Lists to perform system-level commands.

Superuser (read-only) for all other PA devices.

SNMP discovery

SysDescr matches 'Palo Alto Networks(.*)series firewall' or sysOid matches 'panPA'

Required credential parameters

To add credentials in JSA log in as an administrator and use Configuration Source Management on the Admin tab.

Username

Password

Supported connection protocols

To add protocols in JSA, log in as an administrator and use Configuration Source Management on the Admin tab.

HTTPS

Required commands to use for the backup operation.

/api/?type=op&cmd=<show><system><info></info></system>/show>

/api/?type=op&cmd=<show><config><running></running></config></show>

/api/?type=op&cmd=<show><interface>all</interface></show>

Optional commands to use for the backup operation.

/api/?type=op&cmd=<show><system><resources></resources></system></show>

/api/?type=op&cmd=/config/predefined/service

/api/?type=op&cmd=<request><system><external-list> <show><name>$listName</name>< /show></external-list></system></request> where $listName is a variable in this command, which is run multiple times.

/api/?type=op&cmd=<show><object><dynamic-address-group><all></all><

/dynamic-address-group></object></show>

/api/?type=config&action=get&xpath=/config/predefined/application

Required commands to use for telemetry and neighbor data.

/api/?type=op&cmd=<show><system><info></info></system></show>

/api/?type=op&cmd=<show><interface>all</interface></show>

/api/?type=op&cmd=<show><routing><interface></interface></routing></show>

Optional commands to use for telemetry and neighbor data.

/api/?type=op&cmd=<show><counter><interface>all</interface></counter></show>

/api/?type=op&cmd=<show><arp>all</arp></show></p><p><show><mac>all</mac></show>

/api/?type=op&cmd=<show><arp>all</arp></show>

/api/?type=op&cmd=<show><routing><route></route></routing></show>

Required commands to use for the GetApplication.

/api/?type=config&action=get&xpath=/config/predefined/application