Start Demo

The Platform

For Security

For Cloud

For IT Ops

Blog

More

Start the Democaret-right

Contact Uscaret-right
caret-left Back

ExtraHop Reveal(x)

Cloud-native visibility, detection, and
response for the hybrid enterprise.

Reveal(x) 360

SaaS-based network detection
and response.

Learn More

How It Workscaret-right

Reveal(x) Enterprise

Self-managed network detection
and response.

Learn More

How It Workscaret-right
caret-left Back

For Security

Protect and scale your business with complete visibility, real-time threat detections, and intelligent response.

Learn More

Comprehensive Inventory of All Devices

Detect Lateral Movement

Monitor Sensitive Data Movements

Respond to Alerts That Matter

Simple, Streamlined Threat Hunting

Next Generation Intrusion Detection System
caret-left Back

For Cloud

Secure rapid cloud adoption and maintain control of applications, workloads, and data in cloud or multi-cloud environments.

Learn More

Monitor Critical Cloud Workloads

Detect Supply Chain Attacks

Cloud Detection and Response

Respond to Alerts That Matter

Security for AWS

Security for Azure

Security for Google Cloud
caret-left Back

For IT Ops

Boost NOC/SOC collaboration and ensure availability and performance across your hybrid enterprise.

Learn More

Resolve Performance Issues

Support Distributed Workers

Reliably Scale to the Cloud

NetOps and SecOps Collaboration
caret-left Back

Blog

Learn More
caret-left Back

Customers

Partners

Resources

About Us

caret-left Back

Customers

Customer resources, training,
case studies, and more.

Visit Customer Portal

Support

Professional Services

Training

Solution Bundles Gallery

Community Forums

caret-left Back

Partners

Partner resources and information about our channel and technology partners.

Visit Partner Portal

Panorama Partner Program

Overwatch Managed NDR

Technology Integration Partners

Become a Partner

caret-left Back

Resources

Find white papers, reports, datasheets, and more by exploring our full resource archive.

All Resources

Customer Stories

Network Attack Library

Protocol Library

Documentation

Firmware

Training Videos

caret-left Back

About Us

See what sets ExtraHop apart, from our innovative approach to our corporate culture.

Learn More

The ExtraHop Difference

What Is Cloud-Native?

Careers

Newsroom

Upcoming Webinars and Events

Back Arrow Bundle Library

Palo Alto Firewall and Panorama Integration

Supported Bundle

Description

The ExtraHop Palo Alto bundle enables you to quarantine compromised devices on your Palo Alto firewall or in Panorama in real time as specific detections or alerts are identified by the ExtraHop Discover appliance.

Affected devices are added by IP address to an address group on the Palo Alto firewall or in Panorama, which then automatically applies policy rules to block traffic to and from those devices.

Firewall policy rules

The bundle includes two triggers: one for alerts and one for detections. You specify the alerts and detections you want the trigger to monitor and the address group where they should be quarantined. The bundle also includes a dashboard that displays the total number of detection and alert events that were sent to the firewall, along with the IP addresses of the related devices.

ExtraHop status dashboard

The bundle has been updated to add support for Panorama and automatic commits. You can now configure the triggers to send requests to Panorama instead of a single firewall.

You can also enable automatic commits of the configuration changes made by the trigger. This option commits only the changes made by the Palo Alto user configured in ODS. If you send requests to Panorama, this option also pushes the updates out to firewalls in the device groups you specify.

Bundle Contents

  • (1) Application
    • PaloAlto
  • (1) Dashboard
    • Palo Alto Remediation
  • (2) Triggers
    • Palo Alto Firewall Remediation - Alerts
    • Palo Alto Firewall Remediation - Detections

Requirements

  • ExtraHop firmware version 7.5 or later
  • Access to the Palo Alto firewall or Panorama with an administrator account. Palo Alto recommends that you create a dedicated admin account for API access.
  • Access to the Discover appliance with an account that has Unlimited privileges

Installation Instructions

Configure the Palo Alto firewall or Panorama

When a specified detection or alert occurs, the IP address of the related device is added to an address group.

  1. Create a static address group through the Web UI or API.

    Note: While you cannot create an empty address group through the Web UI, you can either add a placeholder IP address to the group in the Web UI or create an empty group through the API.

    For additional information about the Palo Alto API, see the PAN-OS and Panorama API Guide.


  2. Create two security policy rules to apply to your address group: one for inbound traffic and one for outbound traffic.

    • Type the address group you created in the previous step in the Destination Address field for the inbound rule and in the Source Address field for the outbound rule.
    • Select Deny as the action for each rule.
    • Policy rules are applied from top to bottom, so specific rules should be listed before general rules.

    For additional information about policy rules on Panorama, see the Defining Policies on Panorama section in the PAN-OS Web Interface Reference.

Configure the Discover appliance

Add an HTTP target for an open data stream

  1. Configure an HTTP target for an open data stream with the following parameters.
    • In the Name field, type paloaltofw. (If you type a different name, be sure to update the PALO_ALTO_ODS field in the triggers with the new name.)
    • In the Host field, type the hostname or IP address of a Palo Alto firewall or Panorama.
    • From the Authentication drop-down list, select Basic.
  2. Click the ExtraHop Discover logo to access the Web UI.

Install the bundle

  1. Download the bundle on this page.
  2. Upload and apply the bundle.

Configure the triggers

Only enable the trigger for the type of event you want to monitor.

  1. In the Web UI on the Discover appliance, click the System Settings icon .
  2. Click Triggers.
  3. In the list of triggers, click Palo Alto Firewall Remediation - Alerts.
  4. Click the Editor tab.

  5. Configure the following variables:

    • ADDR_GROUP
      Type the name of the Palo Alto address group that you configured above.
    • PALO_ALTO_ODS
      Type the name of the Palo Alto ODS target that you configured above: paloaltofw.
    • ALERT_NAMES
      Type the names of the alerts configured on your Discover appliance that you want the trigger to monitor. These alerts must be configured for device metrics. The trigger collects the IP address for the device and adds it to the quarantined address group on the Palo Alto firewall or Panorama.

    To automatically commit the address group changes to your firewall or Panorama, configure the following variables:
    - COMMIT
    Set to true to enable automatic commits. - USERNAME
    Type the name of the user configured for the Palo Alto ODS target.

    To add IP addresses to an address group on Panorama instead of a single firewall, configure the following variables:

    • PANORAMA
      Set to true to send requests to Panorama instead of a firewall.
    • DEVICE_GROUPS
      Type the names of the device groups you want Panorama to push updates to if you enable automatic commits.

The example below shows an edited trigger configuration with an address group name of "Quarantined Devices", two device alerts, and automatic commits enabled.

    const ADDR_GROUP = "Quarantined Devices";  
    const PALO_ALTO_ODS = "paloaltofw";
    const ALERT_NAMES = [
        "Ransomware Type One",
        "Ransomware Type Four"
    ];
    
    /**** Commit settings ****/
    const COMMIT = true;
    const USERNAME = "extrahop";

    /**** Panorama settings ****/
    const PANORAMA = false;
    const DEVICE_GROUPS = [];
  1. Click Save and Close.
  2. Click Palo Alto Firewall Remediation - Detections.
  3. Click the Editor tab.

  4. Configure the following variables:

    • ADDR_GROUP
      Type the name of the Palo Alto address group that you configured above.
    • PALO_ALTO_ODS
      Type the name of the Palo Alto ODS target that you configured above: paloaltofw.
    • RISK_THRESHOLD
      Type a threshold for the risk score of the detections found by your Discover appliance that you want the trigger to monitor. For detections related to device metrics with a risk score above the threshold, the trigger collects the IP address for the device and adds it to the quarantined address group on the Palo Alto firewall or Panorama.

    To automatically commit the address group changes to your firewall or Panorama, configure the following variables: - COMMIT
    Set to true to enable auto matic commits. - USERNAME
    Type the name of the user configured for the Palo Alto ODS target.

    To add IP addresses to an address group on Panorama instead of a single firewall, configure the following variables:
    - PANORAMA
    Set to true to send requests to Panorama instead of a firewall. - DEVICE_GROUPS
    Type the names of the device groups you want Panorama to push updates to if you enable automatic commits.

The example below shows an edited trigger configuration for Panorama with automatic commits enabled.

    const ADDR_GROUP = "Quarantined Devices";
    const PALO_ALTO_ODS = "paloaltofw";
    const RISK_THRESHOLD = 80

    /**** Commit settings ****/
    const COMMIT = true;
    const USERNAME = "extrahop";

    /**** Panorama settings ****/
    const PANORAMA = true;
    const DEVICE_GROUPS = ["devicegroup"];
  1. Click Save and Close.
  2. Select the checkboxes next to the Palo Alto Remediation triggers that you want to enable and then click Enable.

+

ExtraHop uses cookies to improve your online experience. By using this website, you consent to the use of cookies. Learn More