
Palo Alto

 

JSA Risk Manager supports the Palo Alto adapter. The Palo Alto adapter uses the PAN-OS XML-based REST API to communicate with Palo Alto firewall devices.

The following features are available with the Palo Alto adapter:

  • Neighbor data support

  • Dynamic NAT

  • Static NAT

  • Static routing

  • SNMP discovery

  • IPSEC Tunneling/VPN

  • Applications

  • User/Groups

  • HTTPS connection protocol

Note

The Palo Alto adapter does not support shared policies that are pushed to devices by a Palo Alto Panorama network security management system.

The following table describes the integration requirements for the Palo Alto adapter.

Table 1: Integration Requirements for the Palo Alto Adapter

Integration requirement

Description

Versions

PAN-OS Versions 5.0 to 8.1

Minimum user access level

Superuser (full access) is required for PA devices with External Dynamic Lists or Fully Qualified Domain Name (FQDN) objects to perform system-level commands.

Superuser (read-only) for all other PA devices.

SNMP discovery

SysDescr matches 'Palo Alto Networks(.*)series firewall' or sysOid matches 'panPA'

Required credential parameters

To add credentials in JSA, log in as an administrator and use Configuration Source Management on the Admin tab.

Username

Password

Supported connection protocols

To add protocols in JSA, log in as an administrator and use Configuration Source Management on the Admin tab.

HTTPS

Required commands to use for the backup operation.

/api/?type=op&cmd=<show><system><info></info></system></show>

/api/?type=op&cmd=<show><config><running></running></config></show>

/api/?type=op&cmd=<show><interface>all</interface></show>

Optional commands to use for the backup operation.

/api/?type=op&cmd=<show><system><resources></resources></system></show>

/api/?type=op&cmd=/config/predefined/service

For PAN-OS versions 7.0 and lower: /api/?type=op&cmd=<request><system><external-list><show><name>$listName</name></show></external-list></system></request> where $listName is a variable in this command, which is run multiple times.

For PAN-OS versions 7.1 and higher: /api/?type=op&cmd=<request><system><external-list><show><type><ip><name>$listName</name></ip></type></show></external-list></system></request> where $listName is a variable in this command, which is run multiple times.

/api/?type=op&cmd=<show><object><dynamic-address-group><all></all></dynamic-address-group></object></show>

/api/?type=config&action=get&xpath=/config/predefined/application

/api/?type=op&cmd=<request><system><external-list><show><type><predefined-ip><name>$listName</name></predefined-ip></type></show></external-list></system></request> where $listName is a variable in this command, which is run multiple times.

/api/?type=config&action=get&xpath=/config/predefined/service

/api/?type=config&action=get&xpath=/config/panorama

/api/?type=op&cmd=<request><system><fqdn><show-object><vsys>$vsysId</vsys><name>$FQDN</name></show-object></fqdn></system></request>

where $vsysId is the virtual system the FQDN object resides on, and $FQDN is the required fully qualified domain name, which is run multiple times.

Required commands to use for telemetry and neighbor data.

/api/?type=op&cmd=<show><system><info></info></system></show>

/api/?type=op&cmd=<show><interface>all</interface></show>

/api/?type=op&cmd=<show><routing><interface></interface></routing></show>

Optional commands to use for telemetry and neighbor data.

/api/?type=op&cmd=<show><counter><interface>all</interface></counter></show>

/api/?type=op&cmd=<show><arp>all</arp></show>

<show><mac>all</mac></show>

/api/?type=op&cmd=<show><arp><entry name='all'/></arp></show>

/api/?type=op&cmd=<show><routing><route></route></routing></show>

Required commands to use for the GetApplication.

/api/?type=config&action=get&xpath=/config/predefined/application
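
Because the adapter account can require Superuser access, one useful check is to compare the API requests that account makes against the commands in Table 1. The following is an added example, not part of the vendor documentation: the `classify` function and the `SAMPLE` request URLs are constructed for illustration, and how the request URLs are captured (for example, by a proxy in front of the firewall management interface) is an assumption.

```python
import re
from urllib.parse import urlsplit, parse_qs

# op commands copied from the table above; $listName, $vsysId, $FQDN are the page's variables
EXT = "<request><system><external-list><show>{}</show></external-list></system></request>"
OP_TEMPLATES = [
    "<show><system><info></info></system></show>",
    "<show><config><running></running></config></show>",
    "<show><interface>all</interface></show>",
    "<show><system><resources></resources></system></show>",
    "/config/predefined/service",
    EXT.format("<name>$listName</name>"),
    EXT.format("<type><ip><name>$listName</name></ip></type>"),
    EXT.format("<type><predefined-ip><name>$listName</name></predefined-ip></type>"),
    "<show><object><dynamic-address-group><all></all></dynamic-address-group></object></show>",
    "<request><system><fqdn><show-object><vsys>$vsysId</vsys><name>$FQDN</name>"
    "</show-object></fqdn></system></request>",
    "<show><routing><interface></interface></routing></show>",
    "<show><counter><interface>all</interface></counter></show>",
    "<show><arp>all</arp></show>",
    "<show><mac>all</mac></show>",
    "<show><arp><entry name='all'/></arp></show>",
    "<show><routing><route></route></routing></show>",
]
GET_XPATHS = {"/config/predefined/application", "/config/predefined/service", "/config/panorama"}
# Escape each template literally, then let a $variable match one run of text with no markup
OP_PATTERNS = [re.compile(re.sub(r"\\\$\w+", "[^<>]+", re.escape(t))) for t in OP_TEMPLATES]

def classify(url):
    """Return 'documented' if the request is one the page lists, else 'unexpected'."""
    q = parse_qs(urlsplit(url).query, keep_blank_values=True)
    if q.get("type") == ["op"] and len(q.get("cmd", [])) == 1:
        cmd = re.sub(r">\s+<", "><", q["cmd"][0].strip())  # ignore whitespace between tags
        ok = any(p.fullmatch(cmd) for p in OP_PATTERNS)
    elif q.get("type") == ["config"]:
        ok = q.get("action") == ["get"] and q.get("xpath") in ([x] for x in GET_XPATHS)
    else:
        ok = False
    return "documented" if ok else "unexpected"

SAMPLE = [  # constructed request URLs, not captured traffic
    "/api/?type=op&cmd=%3Cshow%3E%3Cinterface%3Eall%3C%2Finterface%3E%3C%2Fshow%3E",
    "/api/?type=op&cmd=" + EXT.format("<type><ip><name>blocklist-a</name></ip></type>"),
    "/api/?type=config&action=get&xpath=/config/predefined/service",
    "/api/?type=config&action=set&xpath=/config/predefined/service",  # write action, not listed
    "/api/?type=op&cmd=<show><jobs><all></all></jobs></show>",  # op command not in the table
]
for u in SAMPLE:
    print(classify(u), u[:60])
```

Requests classified as `unexpected` are not necessarily malicious, but they fall outside what the page says the adapter needs and are worth reviewing.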