Palo Alto Networks Firewall
This is a combined document for enabling the Dropzone AI Data Source and Alert Source for Palo Alto Networks Firewall.
The Dropzone AI Platform integrates with Palo Alto Networks Firewall, a leading next-generation firewall solution. Integrating Palo Alto with Dropzone allows Dropzone to automatically investigate security incidents by analyzing network traffic data within the firewall ecosystem. Additionally, Dropzone can assess threat logs from Palo Alto Firewall, enabling deeper investigations into potential attacks and enhancing proactive threat detection and response.
Integrations Overview
To enable these integrations you will perform the following actions:
Create an Admin with Read Only permissions
Generate an API key
Create an Admin Role Profile
At the top of your Palo Alto account, navigate to Device

In the left sidebar, navigate to Admin Roles

In the bottom left corner, click "Add"

Click XML API and enable the Log and Operational Requests permissions
Name the Admin Role Profile something memorable, such as "Dropzone-AI"
Click "OK"

In the left sidebar, navigate to Administrators

In the bottom corner, click "Add"

Name the new administrator something memorable, such as "Dropzone-Admin", and create a memorable password. Be sure to save these, as they will be used later to generate the API token.
Assign the administrator the "Role Based" type
In "Profile", select the name of the profile you just created
Click "OK"

In the top corner, click "Commit"

Generate an API Key
To obtain an API Key, do the following:
Using the administrative credentials you just generated, SSH into the Palo Alto firewall
Run the following commands:
Copy the generated API key and store it in a safe location. You will enter it later in the Dropzone UI, where it is called "API key".
For further information, see the Palo Alto API documentation
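Because this key will be stored in a third-party platform, it is worth confirming that it can do only what the role profile grants (Log and Operational Requests). The following is an added example, not Dropzone or Palo Alto code: it sends read-only probes to the PAN-OS XML API and reports any request type whose outcome differs from what the "Dropzone-AI" role should allow. It assumes PAN-OS 9.0 or later (for the X-PAN-KEY header); the probe parameters and the sample response bodies are constructed here.

```python
import urllib.error
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

# PAN-OS XML API request types: the role above enables only Log and
# Operational Requests, so a read-only config query should be refused.
EXPECTED = {"op": True, "log": True, "config": False}
PROBES = {  # read-only probes; parameter values are samples chosen for this example
    "op": {"cmd": "<show><system><info></info></system></show>"},
    "log": {"log-type": "threat", "nlogs": "1"},
    "config": {"action": "get", "xpath": "/config/devices/entry/deviceconfig/system/hostname"},
}

def is_allowed(xml_text):
    """True if a PAN-OS XML API response body reports success."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return False  # empty or non-XML body: treat as denied
    return root.tag == "response" and root.get("status") == "success"

def probe(server, api_key, req_type):
    """Send one probe; the key travels in the X-PAN-KEY header, not the URL."""
    query = urllib.parse.urlencode({"type": req_type, **PROBES[req_type]})
    req = urllib.request.Request(f"{server}/api/?{query}", headers={"X-PAN-KEY": api_key})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.read().decode()
    except urllib.error.HTTPError as err:  # a 403 still carries an XML error body
        return err.read().decode()

def audit(responses):
    """Return the request types whose outcome differs from EXPECTED."""
    return sorted(t for t, want in EXPECTED.items()
                  if is_allowed(responses.get(t, "")) != want)

# Constructed sample bodies in the documented response shape, for offline use.
SAMPLE = {
    "op": '<response status="success"><result><system><hostname>fw1</hostname></system></result></response>',
    "log": '<response status="success" code="19"><result><job>18</job></result></response>',
    "config": '<response status="error" code="403"><result><msg>Unauthorized request</msg></result></response>',
}

if __name__ == "__main__":
    print("deviations:", audit(SAMPLE) or "none")
    # Live check: audit({t: probe("https://<firewall>", "<API key>", t) for t in PROBES})
```

An empty list means the key matches the intended scope; "config" in the result means the role is broader than this guide configures. For the live check, add the firewall's certificate to the trust store rather than disabling TLS verification.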
Enable the Dropzone Data Source Integration
To enable the Data Source integration, you will need the following information:
Server: the same as your company server URL in Palo Alto, e.g. https://<111.22.33.444>
API Key: the API key value you generated earlier
Navigate to your Dropzone AI tenant home page, e.g. https://mycompany.dropzone.ai
Click System > Integrations

Click "Available"

In the Search bar, search Palo Alto Networks Firewall, then click "Configure"

Under the Data Source heading, input your Server and the API Key

Click "Test & Save" to finish
If you have any errors, engage your Dropzone AI support representative.
Enable the Dropzone Alert Source Integration
To enable the Alert Source integration, you will need the following information:
Server: the same as your company server URL in Palo Alto, e.g. https://<111.22.33.444>
API Key: the API key value you generated earlier
Navigate to your Dropzone AI tenant home page, e.g. https://mycompany.dropzone.ai
Click System > Integrations

Click "Available"

In the Search bar, search Palo Alto Networks Firewall, then click "Configure"

Under the Alert Source heading, input your Server and the API Key

Under "Filter on Severity", select the severity levels of alerts you wish for Dropzone AI to investigate
Under "Filter in Action", select which action types you wish for Dropzone AI to investigate

Input your desired Poll interval and lookback
Click "Test & Save" to finish

If you have any errors, engage your Dropzone AI support representative.