Hi, what are the setup steps for this plugin? ***UPDATED
Choose a Palo FW
Create a local FW account with XML API Admin role (assume that API access is enabled and a new XML API Admin Role has been made *best practices via Palo Alto)
Set up new connection using creds
?
success
Our main purpose for this plugin is to be able to block IP addresses provided by R7 in emails.
Hey @ilovesoar, the Palo Alto Firewall Plugin supports individual firewalls or a Panorama firewall address. The user will need permissions to manage address objects and groups.
Note that we will be shipping a configuration document that will be available under the Plugin Configuration menu soon; it’s in progress right now.
We also have a few pre-built workflows that demonstrate how to block hosts from Slack or Microsoft Teams. I recommend starting here to get an understanding of how to use many of the features of the plugin.
In general, the best practice to block and unblock IP addresses is to create an existing firewall policy/rule in your firewall such as a Deny All rule and assign an address group to that rule that the plugin will use. For example, with an address group called “InsightConnect Block List”, any address object added to the address group will be automatically blocked. Then to unblock, it’s just a matter of removing that address object from the group. In this way, InsightConnect is just managing a list of address objects.
You can create address objects on the fly with the Create Address Object action. Another common task is to check if an address is already blocked using the Check If Address in Group action e.g. if it’s attached to a Deny All rule.
The combination of these actions allows for building robust firewall blocking automations. Let us know if you have any more questions.
Hi Jon!
What is the most common method to use to pass the add address to address group plugin in the address object field? I know it needs an array string type.
Example: if I wanted to use an alert trigger log to extract the source IP field to add that to the create address object plugin and then use the add address object to address group plugin.
The problem I’m running into is that the add address object to address group plugin is taking each individual number and putting that in its own field instead of a single <10.x.x.x/> field.
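
Added example, not part of the thread or the plugin's own code: the per-character split described in the last post is what results when a plain string is iterated where an array of strings is expected (assumed here to be the cause). The hypothetical helper `to_address_array` wraps and validates the extracted value first; `NEVER_BLOCK` and all sample addresses are constructed.

```python
import ipaddress

# Hypothetical "never block" ranges (assumption, constructed value): replace
# with your own management networks so automation cannot block them.
NEVER_BLOCK = [ipaddress.ip_network("192.0.2.0/24")]


def naive_array(value):
    """Failure mode: iterating a string yields one element per character."""
    return list(value)


def to_address_array(value):
    """Return a de-duplicated list of IP/CIDR strings for an array input.

    Accepts a single string, a comma/whitespace separated string, or a list.
    A bare string is split into whole tokens, never into characters.
    """
    if isinstance(value, str):
        candidates = value.replace(",", " ").split()
    else:
        candidates = [str(v).strip() for v in value]

    result = []
    for item in candidates:
        try:
            net = ipaddress.ip_network(item, strict=False)
        except ValueError:
            continue  # not an IP or CIDR: drop it rather than send it on
        if any(net.version == n.version and net.overlaps(n) for n in NEVER_BLOCK):
            continue  # protected range: never hand this to a block list
        if item not in result:
            result.append(item)
    return result


if __name__ == "__main__":
    source_ip = "203.0.113.7"  # constructed value standing in for the extracted field
    print(naive_array(source_ip))       # one entry per character
    print(to_address_array(source_ip))  # one entry for the whole address
```
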