Palo Alto Firewall and Panorama Integration

Description

The ExtraHop Palo Alto bundle enables you to quarantine compromised devices on your Palo Alto firewall or in Panorama in real time as specific detections or alerts are identified by the ExtraHop Discover appliance.

Affected devices are added by IP address to an address group on the Palo Alto firewall or in Panorama, which then automatically applies policy rules to block traffic to and from those devices.

The bundle includes two triggers: one for alerts and one for detections. You specify the alerts and detections you want the trigger to monitor and the address group where they should be quarantined. The bundle also includes a dashboard that displays the total number of detection and alert events that were sent to the firewall, along with the IP addresses of the related devices.

The bundle has been updated to add support for Panorama and automatic commits. You can now configure the triggers to send requests to Panorama instead of a single firewall.

You can also enable automatic commits of the configuration changes made by the trigger. This option commits only the changes made by the Palo Alto user configured in ODS. If you send requests to Panorama, this option also pushes the updates out to firewalls in the device groups you specify.

Bundle Contents

• (1) Application
  
  • PaloAlto
    
• (1) Dashboard
  • Palo Alto Remediation
• (2) Triggers
  • Palo Alto Firewall Remediation - Alerts
  • Palo Alto Firewall Remediation - Detections

Requirements

• ExtraHop firmware version 7.5 or later
• Access to the Palo Alto firewall or Panorama with an administrator account. Palo Alto recommends that you create a dedicated admin account for API access.
• Access to the Discover appliance with an account that has Unlimited privileges

Installation Instructions

Configure the Palo Alto firewall or Panorama

When a specified detection or alert occurs, the IP address of the related device is added to an address group.

1. Create a static address group through the Web UI or API.
   

   Note: While you cannot create an empty address group through the Web UI, you can either add a placeholder IP address to the group in the Web UI or create an empty group through the API.

   For additional information about the Palo Alto API, see the PAN-OS and Panorama API Guide.

   
   

2. Create two security policy rules to apply to your address group: one for inbound traffic and one for outbound traffic.

   • Type the address group you created in the previous step in the Destination Address field for the inbound rule and in the Source Address field for the outbound rule.
     
   • Select Deny as the action for each rule.
     
   • Policy rules are applied from top to bottom, so specific rules should be listed before general rules.
     

   For additional information about policy rules on Panorama, see the Defining Policies on Panorama section in the PAN-OS Web Interface Reference.

Configure the Discover appliance

Add an HTTP target for an open data stream

1. Configure an HTTP target for an open data stream with the following parameters.
   
   • In the Name field, type paloaltofw. (If you type a different name, be sure to update the PALO_ALTO_ODS field in the triggers with the new name.)
     
   • In the Host field, type the hostname or IP address of a Palo Alto firewall or Panorama.
     
   • From the Authentication drop-down list, select Basic.
     
2. Click the ExtraHop Discover logo to access the Web UI.
   

Install the bundle

1. Download the bundle on this page.
2. Upload and apply the bundle.

Configure the triggers

Only enable the trigger for the type of event you want to monitor.

1. In the Web UI on the Discover appliance, click the System Settings icon .
2. Click Triggers.
3. In the list of triggers, click Palo Alto Firewall Remediation - Alerts.
4. Click the Editor tab.

5. Configure the following variables:

   • ADDR_GROUP
     Type the name of the Palo Alto address group that you configured above.
   • PALO_ALTO_ODS
     Type the name of the Palo Alto ODS target that you configured above: paloaltofw.
   • ALERT_NAMES
     Type the names of the alerts configured on your Discover appliance that you want the trigger to monitor. These alerts must be configured for device metrics. The trigger collects the IP address for the device and adds it to the quarantined address group on the Palo Alto firewall or Panorama.

   To automatically commit the address group changes to your firewall or Panorama, configure the following variables:
   - COMMIT
   Set to true to enable automatic commits. - USERNAME
   Type the name of the user configured for the Palo Alto ODS target.

   To add IP addresses to an address group on Panorama instead of a single firewall, configure the following variables:

   • PANORAMA
     Set to true to send requests to Panorama instead of a firewall.
   • DEVICE_GROUPS
     Type the names of the device groups you want Panorama to push updates to if you enable automatic commits.

The example below shows an edited trigger configuration with an address group name of "Quarantined Devices", two device alerts, and automatic commits enabled.

    const ADDR_GROUP = "Quarantined Devices";  
    const PALO_ALTO_ODS = "paloaltofw";
    const ALERT_NAMES = [
        "Ransomware Type One",
        "Ransomware Type Four"
    ];
    
    /**** Commit settings ****/
    const COMMIT = true;
    const USERNAME = "extrahop";

    /**** Panorama settings ****/
    const PANORAMA = false;
    const DEVICE_GROUPS = [];

1. Click Save and Close.
2. Click Palo Alto Firewall Remediation - Detections.
3. Click the Editor tab.

4. Configure the following variables:

   • ADDR_GROUP
     Type the name of the Palo Alto address group that you configured above.
   • PALO_ALTO_ODS
     Type the name of the Palo Alto ODS target that you configured above: paloaltofw.
   • RISK_THRESHOLD
     Type a threshold for the risk score of the detections found by your Discover appliance that you want the trigger to monitor. For detections related to device metrics with a risk score above the threshold, the trigger collects the IP address for the device and adds it to the quarantined address group on the Palo Alto firewall or Panorama.
     
     

   To automatically commit the address group changes to your firewall or Panorama, configure the following variables: - COMMIT
   Set to true to enable auto matic commits. - USERNAME
   Type the name of the user configured for the Palo Alto ODS target.

   To add IP addresses to an address group on Panorama instead of a single firewall, configure the following variables:
   - PANORAMA
   Set to true to send requests to Panorama instead of a firewall. - DEVICE_GROUPS
   Type the names of the device groups you want Panorama to push updates to if you enable automatic commits.

The example below shows an edited trigger configuration for Panorama with automatic commits enabled.

    const ADDR_GROUP = "Quarantined Devices";
    const PALO_ALTO_ODS = "paloaltofw";
    const RISK_THRESHOLD = 80

    /**** Commit settings ****/
    const COMMIT = true;
    const USERNAME = "extrahop";

    /**** Panorama settings ****/
    const PANORAMA = true;
    const DEVICE_GROUPS = ["devicegroup"];

1. Click Save and Close.
2. Select the checkboxes next to the Palo Alto Remediation triggers that you want to enable and then click Enable.