Start Demo

Back Arrow Bundle Library

Palo Alto Firewall Integration

Supported Bundle

Description

The ExtraHop Palo Alto bundle enables you to quarantine compromised devices on your Palo Alto firewall in real time as specific detections or alerts are identified by the ExtraHop Discover appliance.

Affected devices are added by IP address to an address group on the Palo Alto firewall, which then automatically applies policy rules to block traffic to and from those devices.

Firewall policy rules

The bundle includes two triggers: one for alerts and one for detections. You specify the alerts and detections you want the trigger to monitor and the address group where they should be quarantined. The bundle also includes a dashboard that displays the total number of detection and alert events that were sent to the firewall, along with the IP addresses and names of the related devices.

ExtraHop status dashboard

Bundle Contents

  • (1) Application
    • PaloAlto
  • (1) Dashboard
    • Palo Alto Remediation
  • (2) Triggers
    • Palo Alto Firewall Remediation - Alerts
    • Palo Alto Firewall Remediation - Detections

Requirements

  • ExtraHop firmware version 7.5 or later
  • Access to the Palo Alto firewall with an administrator account. Palo Alto recommends that you create a dedicated admin account for API access.
  • Access to the Discover appliance with an account that has Unlimited privileges

Installation Instructions

Configure the Palo Alto firewall

Create an address group

When a specified detection or alert occurs, the IP address of the related device is added to an address group based on your security policy rules.

While you cannot create an empty address group through the Web UI, you can either add a placeholder IP address to the group in the Web UI or create an empty group through the API.

Create a static group through the Web UI with a placeholder

  1. Click the Objects tab, then select Address Groups from the left navigation.
  2. Click Add at the bottom of the page.
  3. In the Name field, type a name to identify the address group.
  4. From the Type drop-down list, select Static.
  5. In the Addresses section, click Add.
  6. From the bottom of the drop-down list, click New Address.
  7. In the Name field, type a name to identify the placeholder IP address.
  8. In the blank field next to IP Netmask, type a placeholder IP address that is not on your network.
  9. Click OK.

Create a static group through the API

Send a GET request to your firewall. Modify the following example syntax with information about your environment:

  • Replace [FIREWALL_IP/HOSTNAME] with the IP address or hostname of your Palo Alto firewall.
  • Replace ExampleGroup with the name that you want to configure for your address group. 
    https://[FIREWALL_IP/HOSTNAME]/api/?type=config&action=set&xpath=/config/devices/entry/vsys/entry/address-group/entry[@name='ExampleGroup']&element=<static></static>

For additional information about the Palo Alto API, see the PAN-OS and Panorama API Guide.

Create policy rules

You must create two security policy rules to apply to your address group: one for inbound traffic and one for outbound traffic. The policy rules are applied from top to bottom, so specific rules should be listed before general rules.

  1. Click the Policies tab, and then click Security.
  2. Click Add from the bottom of the page.
  3. In the Name field, type a descriptive name for the policy.
  4. Click the Source tab.
  5. Above the section for Source Zone, select the checkbox next to Any.
  6. Select the checkbox next to Source Address, click Add, and then select the address group you created in the previous section.
  7. Click the Destination tab. Above the section for Destination Zone, select Any from the drop-down list.
  8. Above the Destination Address, select the checkbox next to Any.
  9. Click the Actions tab.
  10. From the Action drop-down, select Deny and configure any additional options as needed.
  11. Click OK.
  12. Click Add again to create a second policy rule.
  13. In the Name field, type a descriptive name for the policy.
  14. Click the Source tab. Above the sections for Source Zone and Source Address, select the checkboxes next to Any.
  15. Click the Destination tab.
  16. Above the Destination Address, select the checkbox next to Any.
  17. Select the checkbox next to Destination Address, click Add, and then select the address group you created in the previous section.
  18. Click the Actions tab.
  19. From the Action drop-down, select Deny and configure any additional options as needed.
  20. Click OK.

Configure the Discover appliance

Add an HTTP target for an open data stream

  1. Follow the instructions in Configure an HTTP target for an open data stream with the following parameters.
    a. In the Name field, type paloaltofw. (If you type a different name, be sure to update the PALO_ALTO_ODS field in the triggers with the new name.)
    b. In the Host field, type the hostname or IP address of your Palo Alto firewall.
    c. From the Authentication drop-down list, select Basic.
  2. Click the ExtraHop Discover logo to access the Web UI.

Install the bundle

  1. Download the bundle on this page.
  2. Upload and apply the bundle.

Configure the triggers

Only enable the trigger for the type of event you want to monitor.

  1. In the Web UI on the Discover appliance, click the System Settings icon .
  2. Click Triggers.
  3. In the list of triggers, click Palo Alto Firewall Remediation - Alerts.
  4. Click the Editor tab.
  5. Configure the following variables:
    • ADDR_GROUP
      Type the name of the Palo Alto address group that you configured above.
    • PALO_ALTO_ODS
      Type the name of the Palo Alto firewall ODS target that you configured above: paloaltofw.
    • ALERT_NAMES
      Type the names of the alerts configured on your Discover appliance that you want the trigger to monitor. These alerts must be configured for device metrics. The trigger collects the IP address for the device and adds it to the quarantined address group on the Palo Alto firewall.

The example below shows an edited trigger configuration, with an address group name of "Quarantined Devices" and six device alerts.

const ADDR_GROUP = "Quarantined Devices";  
const PALO_ALTO_ODS = "paloaltofw";  
const ALERT_NAMES = [  
    "Ransomware Type One",  
    "Ransomware Type Four",  
    "CIFS Server Error Ratio",  
    "Kerberos Error Ratio",  
    "Database Server Errors",  
    "DNS Errors"  
]
  1. Click Save and Close.
  2. Click Palo Alto Firewall Remediation - Detections.
  3. Click the Editor tab.
  4. Configure the following variables:
    • ADDR_GROUP
      Type the name of the Palo Alto address group that you configured above.
    • PALO_ALTO_ODS
      Type the name of the Palo Alto firewall ODS target that you configured above: paloaltofw.
    • RISK_THRESHOLD
      Type a threshold for the risk score of the detections found by your Discover appliance that you want the trigger to monitor. For detections related to device metrics with a risk score equal to or above the threshold, the trigger collects the IP address for the device and adds it to the quarantined address group on the Palo Alto firewall.

The example below shows an edited trigger configuration. 

const ADDR_GROUP = "Quarantined Devices";  
const PALO_ALTO_ODS = "paloaltofw";  
const RISK_THRESHOLD = 80
  1. Click Save and Close.
  2. Select the checkboxes next to the Palo Alto Remediation triggers and then click Enable.

ExtraHop uses cookies to improve your online experience. By using this website, you consent to the use of cookies. Learn More