Palo Alto Networks Firewall

The Dropzone AI Platform integrates with Palo Alto Networks Firewall, a leading next-generation firewall solution. Integrating Palo Alto with Dropzone allows Dropzone to automatically investigate security incidents by analyzing network traffic data within the firewall ecosystem. Additionally, Dropzone can assess threat logs from Palo Alto Firewall, enabling deeper investigations into potential attacks and enhancing proactive threat detection and response.

Integrations Overview

To enable these integrations you will perform the following actions:

  • Create an Admin with Read Only permissions

  • Generate an API key

Create an Admin Role Profile

  • At the top of your Palo Alto account, navigate to Device

  • In the left sidebar, navigate to Admin Roles

  • In the bottom left corner, click "Add"

  • Click XML API and enable the Log and Operational Requests permissions

  • Name the Admin Role Profile something memorable, such as "Dropzone-AI"

  • Click "OK"

  • In the left sidebar, navigate to Administrators

  • In the bottom corner, click "Add"

  • Name the new administrator something memorable, such as "Dropzone-Admin", and create a memorable password. Be sure to save these, as they will be used later to generate the API key

  • Assign the administrator the "Role Based" type

  • In "Profile", select the name of the profile you just created

  • Click "OK"

  • In the top corner, click "Commit"

Generate an API Key

To obtain an API Key, do the following:

  • Using the administrative credentials you just generated, SSH into the Palo Alto firewall

  • Run the following commands:

https://<FIREWALL_IP>/api/?type=keygen&user=<USERNAME>
curl -k http(s)://<host>:<port>/api/\?type\=keygen\&user\=<user>\&password\=<password>
  • Copy the generated API key and store it in a safe location; you will enter it later in the Dropzone UI, where it is called "API key"

  • For further information, see the Palo Alto API documentation
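
A hardened variant of the key-generation request above, as an added example that is not part of the original page or of Palo Alto's documentation: it sends the credentials in a POST body read from stdin, so the password stays out of the URL, the shell history and the process list, and it verifies the firewall certificate instead of using -k. FIREWALL_HOST, PAN_USER and PAN_CA_BUNDLE are assumed environment variables, and the function names are illustrative.

```shell
#!/bin/sh
# Added example (not from the original page). Assumed environment variables:
#   FIREWALL_HOST  firewall hostname or IP
#   PAN_USER       the administrator created above
#   PAN_CA_BUNDLE  PEM file with the CA that signed the firewall certificate

# Percent-encode every byte of $1 so any password character is safe in a form body.
urlencode() {
    printf '%s' "$1" | od -An -v -tx1 | tr -d ' \n' | sed 's/../%&/g'
}

# Read a keygen response on stdin; print the key, or return 1 on an error reply.
extract_api_key() {
    xml=$(cat)
    printf '%s' "$xml" | grep -Eq "status *= *[\"']success[\"']" || return 1
    key=$(printf '%s' "$xml" | sed -n 's:.*<key>\([^<]*\)</key>.*:\1:p')
    [ -n "$key" ] || return 1
    printf '%s\n' "$key"
}

# Prompt for the password without echo, then POST it to the keygen endpoint.
request_api_key() {
    printf 'Password for %s: ' "$PAN_USER" >&2
    stty -echo; IFS= read -r pw; stty echo; printf '\n' >&2
    body="user=$(urlencode "$PAN_USER")&password=$(urlencode "$pw")"
    unset pw
    # printf is a shell builtin and curl reads the body from stdin (--data @-),
    # so the password is not in the URL, the shell history or the process list.
    # --cacert keeps certificate verification on instead of using -k.
    printf '%s' "$body" |
        curl --silent --show-error --cacert "$PAN_CA_BUNDLE" \
             --data @- "https://${FIREWALL_HOST}/api/?type=keygen" |
        extract_api_key
}

# Usage: (umask 077; request_api_key > dropzone-api.key)
```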

Enable the Dropzone Data Source Integration

To enable the Data Source integration, you will need the following information:

Dropzone Field | Source
Server | The same as your company server URL in Palo Alto, e.g. https://<111.22.33.444>
API Key | The API key value you generated earlier

  • Navigate to your Dropzone AI tenant home page e.g. https://mycompany.dropzone.ai

  • Click System > Integrations

  • Click "Available"

  • In the Search bar, search Palo Alto Networks Firewall, then click "Configure"

  • Under the Data Source heading, input your Server and the API Key

  • Click "Test & Save" to finish

If you have any errors, engage your Dropzone AI support representative.

Enable the Dropzone Alert Source Integration

To enable the Alert Source integration, you will need the following information:

Dropzone Field | Source
Server | The same as your company server URL in Palo Alto, e.g. https://<111.22.33.444>
API Key | The API key value you generated earlier

  • Navigate to your Dropzone AI tenant home page e.g. https://mycompany.dropzone.ai

  • Click System > Integrations

  • Click "Available"

  • In the Search bar, search Palo Alto Networks Firewall, then click "Configure"

  • Under the Alert Source heading, input your Server and the API Key

  • Under "Filter on Severity", select the severity levels of alerts you wish for Dropzone AI to investigate

  • Under "Filter in Action", select which action types you wish for Dropzone AI to investigate

  • Input your desired Poll interval and lookback

  • Click "Test & Save" to finish

If you have any errors, engage your Dropzone AI support representative.
