Palo Alto Networks Firewall

Palo Alto Networks Firewall

The Dropzone AI Platform integrates with Palo Alto Networks Firewall, a leading next-generation firewall solution. Integrating Palo Alto with Dropzone allows Dropzone to automatically investigate security incidents by analyzing network traffic data within the firewall ecosystem. Additionally, Dropzone can assess threat logs from Palo Alto Firewall, enabling deeper investigations into potential attacks and enhancing proactive threat detection and response.

Integrations Overview

To enable these integrations you will perform the following actions:

• Create an Admin with Read Only permissions

• Generate an API key

Create an Admin Role Profile

• At the top of your Palo Alto account, navigate to Device

• In the left sidebar, navigate to Admin Roles

• In the bottom left corner, click "Add"

• Click XML API and enable the Log and Operational Requests permissions

• Name the Admin Role Profile something memorable, such as "Dropzone-AI"

• Click "OK"

• In the left sidebar, navigate to Administrators

• In the bottom corner, click "Add"

• Name the new administrator something memorable, such as "Dropzone-Admin", and create a memorable password. Be sure to save these, as they will be used later to generate the API token

• Assign the administrator the "Role Based" type

• In "Profile", select the name of the profile you just created

• Click "Ok"

• In the top corner, click "Commit"

Generate an API Key

To obtain an API Key, do the following:

• Using the administrative credentials you just generated, SSH into the Palo Alto firewall

• Run the following commands:

https://<FIREWALL_IP>/api/?type=keygen&user=<USERNAME>

curl -k http(s)://<host>:<port>/api/\?type\=keygen\&user\=<user>\&password\=<password>

• Copy the API key generated and store it in a safe location for use later in the Dropzone UI where it is called "API key"

Enable the Dropzone Data Source Integration

To enable the Data Source integration, you will need the following information:

• Navigate to your Dropzone AI tenant home page e.g. https://mycompany.dropzone.app

• In the bottom left hand corner, click Settings > Integrations

• Click "Available"

• In the Search bar, search Palo Alto Networks Firewall, then click "Configure"

• Under the Data Source heading, input your Server and the API Key

• Click "Test & Save" to finish

If you have any errors engage your Dropzone AI support representative.

Enable the Dropzone Alert Source Integration

To enable the Alert Source integration, you will need the following information:

• Navigate to your Dropzone AI tenant home page e.g. https://mycompany.dropzone.app

• In the bottom left hand corner, click Settings > Integrations

• Click "Available"

• In the Search bar, search Palo Alto Networks Firewall, then click "Configure"

• Under the Alert Source heading, input your Server and the API Key

• Under "Filter on Severity", select the severity levels of alerts you wish for Dropzone AI to investigate

• Under "Filter in Action", select which action types you wish for Dropzone AI to investigate

• Input your desired Poll interval and lookback

• Click "Test & Save" to finish

If you have any errors, engage your Dropzone AI support representative.