search
WebsiteTest DriveStatus

Palo Alto Networks Firewall

circle-check

This is a separate from the "Palo Alto Cortex XDR" cloud and EDR data and alert source.

The Dropzone AI Platform integrates with Palo Alto Networks Firewall, a leading next-generation firewall solution. Integrating Palo Alto with Dropzone allows Dropzone to automatically investigate security incidents by analyzing network traffic data within the firewall ecosystem. Additionally, Dropzone can assess threat logs from Palo Alto Firewall, enabling deeper investigations into potential attacks and enhancing proactive threat detection and response.

hashtag
Integrations Overview

To enable these integrations you will perform the following actions:

  • Create an Admin with Read Only permissions

  • Generate an API key

hashtag
Create an Admin Role Profile

  • At the top of your Palo Alto account, navigate to Device

Navigate to Device

  • In the left sidebar, navigate to Admin Roles

Navigate to Admin Roles

  • In the bottom left corner, click "Add"

Click "Add"

  • Click XML API and enable the Log and Operational Requests permissions

  • Name the Admin Role Profile something memorable, such as "Dropzone-AI"

  • Click "OK"

Generate a new Admin Role Profile

  • In the left sidebar, navigate to Administrators

Navigate to Administrators

  • In the bottom corner, click "Add"

Click "Add"

  • Name the new administrator something memorable, such as "Dropzone-Admin", and create a memorable password. Be sure to save these, as they will be used later to generate the API token

  • Assign the administrator the "Role Based" type

  • In "Profile", select the name of the profile you just created

  • Click "Ok"

Create a new Administrator

  • In the top corner, click "Commit"

Commit your changes

hashtag
Generate an API Key

To obtain an API Key, do the following:

  • Using the administrative credentials you just generated, SSH into the Palo Alto firewall

  • Run the following commands:

  • Copy the API key generated and store it in a safe location for use later in the Dropzone UI where it is called "API key"

  • For further information, see the Palo Alto API documentationarrow-up-right

hashtag
Enable Palo Alto Networks Firewall

To enable the Alert Source integration, you will need the following information:

Dropzone Field
Source

Server

The same as your company server url in Palo Alto, eg https://<111.22.33.444>

API Key

The API key value you generated earlier

  • Navigate to your Dropzone AI tenant home page e.g. https://mycompany.dropzone.app

  • In the bottom left hand corner, click Settings > Integrations

Integrations Dropdown

  • Click "Available"

Click Available

  • In the Search bar, search Palo Alto Networks Firewall, then click "Configure"

The Palo Alto Networks Firewall Tile
The Palo Alto Alert configuration (pt 1)

  • Under "Filter on Severity," select the severity levels of alerts you wish for Dropzone AI to investigate

The Palo Alto Alert configuration (pt 2)

  • In the "Threat Name" section, you may input an array of Python regex patterns to include or exclude specific threats by namearrow-up-right. To do so, select whether to exlude or include the listed threat names, then click "Add Item" and input the array

The Palo Alto Alert configuration (pt 3)
The Palo Alto Alert configuration (pt 4)
The Palo Alto Alert configuration (pt 5)

  • Input your desired Poll interval and lookback

The Palo Alto Alert configuration (pt 6)

  • Click "Test & Save" to finish

If you have any errors, engage your Dropzone AI support representative.

PreviousPalo Alto CortexNextPanther

Last updated

Was this helpful?