[Marketplace Contribution] PAN-OS by Palo Alto Networks - Content Pack Update (demisto#31985) (demisto#33088)

* "contribution update to pack "PAN-OS by Palo Alto Networks""

* Update Panorama.yml

* Update Panorama.py

* Update Panorama.yml

* Update Panorama_test.py

* Update Panorama.yml

* Update Panorama.py

* pre-commit

* Update 2_1_21.md

* Update 2_1_21.md

* Apply suggestions from code review



* rn

* rn

---------

Co-authored-by: xsoar-bot <67315154+xsoar-bot@users.noreply.github.com>
Co-authored-by: amkoppad <82898085+amkoppad@users.noreply.github.com>
Co-authored-by: MLainer1 <mlainer@paloaltonetworks.com>
Co-authored-by: MLainer1 <93524335+MLainer1@users.noreply.github.com>
Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com>
6 people authored and rundssoar committed Feb 28, 2024
1 parent 24d863a commit a191349
Showing 6 changed files with 42 additions and 29 deletions.
20 changes: 16 additions & 4 deletions Packs/PAN-OS/Integrations/Panorama/Panorama.py
@@ -1,5 +1,7 @@
import demistomock as demisto # noqa: F401
from CommonServerPython import * # noqa: F401


from collections import defaultdict
from dataclasses import dataclass, fields
from types import SimpleNamespace
@@ -11819,16 +11821,21 @@ def get_object(
)


def get_device_state(topology: Topology, target: str) -> dict:
def get_device_state(topology: Topology, target: str, filename: str = None) -> dict:
"""
Get the device state from the provided device target (serial number). Note that this will attempt to connect directly to the
firewall as there is no way to get the device state for a firewall via Panorama.

:param topology: `Topology` instance !no-auto-argument
:param target: String to filter to only show specific hostnames or serial numbers.
"""
if not filename:
file_name = f"{target}_device_state.tar.gz"
else:
file_name = f"{target}_(unknown)_device_state.tar.gz"

return fileResult(
filename=f"{target}_device_state.tar.gz",
filename=file_name,
data=FirewallCommand.get_device_state(topology, target),
file_type=EntryType.ENTRY_INFO_FILE
)
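Review bot: the `else` branch at `file_name = f"{target}_(unknown)_device_state.tar.gz"` never interpolates the `filename` value it was just tested for, so every caller that supplies a filename gets the same literal name; it should read `file_name = f"{target}_{filename}_device_state.tar.gz"`. While here, annotate the new parameter as `Optional[str] = None` rather than `str = None`, and add a `:param filename:` line to the docstring, which still documents only `topology` and `target`.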
@@ -11936,9 +11943,14 @@ def pan_os_get_running_config(args: dict):

if args.get("target"):
params["target"] = args.get("target")

file_name_arg = args.get("filename")
target = args.get("target")
if file_name_arg != 'running_config' and file_name_arg and target:
file_name = target + '_' + file_name_arg + '_running_config'
else:
file_name = file_name_arg
result = http_request(URL, 'POST', params=params, is_xml=True)
return fileResult("running_config", result)
return fileResult(file_name, result)


def pan_os_get_merged_config(args: dict):
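Review bot: when the `filename` argument is absent, `file_name = file_name_arg` leaves `file_name` as `None` and `fileResult(None, result)` is called; the YAML default of `running_config` is only applied by the command layer, so guard it here with `file_name = file_name_arg or 'running_config'`. The condition `file_name_arg != 'running_config' and file_name_arg and target` also means a custom filename without a `target` is used verbatim with no `_running_config` suffix, while the same filename with a target becomes `<target>_<filename>_running_config`; pick one naming scheme and document it in the argument description. Minor: `target = args.get("target")` repeats the lookup made two lines above and can be hoisted.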
14 changes: 5 additions & 9 deletions Packs/PAN-OS/Integrations/Panorama/Panorama.yml
@@ -5035,6 +5035,9 @@ script:
- arguments:
- description: The serial number of the device.
name: target
- defaultValue: 'running_config'
description: Name of the file to save the configuration to.
name: filename
description: Pull the running config file.
name: pan-os-get-running-config
- arguments:
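Review bot: the `filename` description does not say what name the user will actually get; per the Python change a non-default value produces `<target>_<filename>_running_config` when `target` is also given, so spell that out here and note that the default stays `running_config`.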
@@ -7157,7 +7160,6 @@ script:
defaultValue: disable
description: Enables assigning EDL to the anti-spyware profile under "DNS Signature Policies".
name: pan-os-apply-dns-signature-policy
outputs: []
- arguments: []
description: Gets file-blocking best practices.
name: pan-os-get-file-blocking-best-practice
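Review bot: the removal of `outputs: []` here and in the later hunks of this file is unrelated to the filename feature; it is fine as a schema cleanup, but it should either be split into its own commit or be mentioned in the release note so reviewers know it is intentional.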
@@ -8434,6 +8436,8 @@ script:
- description: Serial number of the device from which to fetch the device state.
name: target
required: true
- description: Name of the file for the state file to be saved. Default will use the hostname as the filename.
name: filename
description: Get the device state from the provided device. Note; This will attempt to connect directly to the provided target to get the device state. If the IP address as reported in "show system info" is unreachable, this command will fail.
name: pan-os-platform-get-device-state
outputs:
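Review bot: the description says "Default will use the hostname as the filename", but `get_device_state` builds the default from `target`, the device serial number (`f"{target}_device_state.tar.gz"`); change the wording to say the serial number is used, and state that a supplied value is inserted between the serial number and `_device_state.tar.gz`.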
@@ -8672,7 +8676,6 @@ script:
- reverse
description: Creates a new NAT rule in a Panorama/firewall instance.
name: pan-os-create-nat-rule
outputs: []
- arguments:
- description: The name of the NAT rule to delete. Can be retrieved from the pan-os-list-nat-rules command.
name: rulename
@@ -8687,7 +8690,6 @@ script:
- post-rulebase
description: Deletes a NAT rule.
name: pan-os-delete-nat-rule
outputs: []
- arguments:
- description: The name of the NAT rule to edit. Can be retrieved from the pan-os-list-nat-rules command.
name: rulename
@@ -8739,7 +8741,6 @@ script:
required: true
description: Edits a NAT rule.
name: pan-os-edit-nat-rule
outputs: []
- arguments:
- description: The name of the virtual router to retrieve. If not mentioned, will bring all the virtual routers.
name: virtual_router
@@ -8893,7 +8894,6 @@ script:
name: filter_bgp_extended_community
description: Creates a new redistribution-profile under a virtual-router for a Panorama/firewall instance.
name: pan-os-create-redistribution-profile
outputs: []
- arguments:
- description: The name of the redistribution-profile to edit.
name: name
@@ -8933,7 +8933,6 @@ script:
defaultValue: 'replace'
description: Edits a redistribution-profile in a virtual-router.
name: pan-os-edit-redistribution-profile
outputs: []
- arguments:
- description: The name of the redistribution-profile to delete.
name: name
@@ -8945,7 +8944,6 @@ script:
name: template
description: Deletes a redistribution-profile from a virtual-router.
name: pan-os-delete-redistribution-profile
outputs: []
- arguments:
- description: The name of the pbf-rule to retrieve. If not mentioned, will bring all the pbf rules.
name: rulename
@@ -9117,7 +9115,6 @@ script:
name: nexthop_address_list
description: Creates a new policy-based-forwarding (PBF) rule in a Panorama/firewall instance.
name: pan-os-create-pbf-rule
outputs: []
- arguments:
- description: The name of the PBF rule to edit. Can be retrieved from the pan-os-list-pbf-rules command.
name: rulename
@@ -9271,7 +9268,6 @@ script:
name: device-group
description: Deletes an application-group.
name: pan-os-delete-application-group
outputs: []
- arguments:
- description: Whether to include shared tags in the list.
name: include_shared_tags
26 changes: 12 additions & 14 deletions Packs/PAN-OS/Integrations/Panorama/Panorama_description.md
@@ -1,56 +1,54 @@
The integration uses the Panorama XML API.
To obtain an API Key, run the following REST command and copy the key:
https://[PanoramaIP]/api/?type=keygen&user=[user]&password=[password]

For more information, visit the [Palo Alto Networks documentation](https://docs.paloaltonetworks.com/panorama).

---
You need to create a separate integration instance for Palo Alto Networks Firewall and Palo Alto Networks. Unless specified otherwise, all commands are valid for both Firewall and Panorama.

---
### Firewall: Configure the vsys
- The vsys is located in the Firewall URL; e.g., https://<server>#device::<vsys>::device/setup

### Panorama: Configure a device group
- Access the Panorama UI.
- Go to **Panorama** > **Device Groups**.
- Choose a device group name.

---
### Fetch Incidents
The Panorama integration now supports fetch incidents.
The Panorama integration now supports fetch incidents.
The incidents are fetched according to a number of different optional log type queries. The log types are: **Traffic, Threat, URL, Data, Correlation, System, Wildfire, Decryption**.


##### Max incidents per fetch
##### Max incidents per fetch
The max incidents per fetch parameter specifies the maximum number of incidents to fetch **per** Log Type Query.

##### Log Type
The queries that will be included during the fetch are decided according to the "Log Type" parameter (Multiple select dropdown).
The queries that will be included during the fetch are decided according to the "Log Type" parameter (Multiple select dropdown).
- Selecting "All" will use all the log type queries in the fetch.
- To choose a specific set of queries, select their log types from the dropdown (make sure "All" option is unselected).

##### Log Type Query
##### Log Type Query
- Each log type has its own query field in the instance configuration.
- Note that the default query values has some example text in it, make sure to enter a valid query.

##### Log Type Query Examples

| Log Type | Query Example |
|---------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------|
| Traffic | (addr.src in {source}) and (addr.dst in {destination}) and (action eq {action}) |
|---------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------|
| Traffic | (addr.src in {source}) and (addr.dst in {destination}) and (action eq {action}) |
| Threat | (severity geq high) |
| URL | ((action eq block-override) or (action eq block-url)) and (severity geq high) |
| Data | ((action eq alert) or (action eq wildfire-upload-success) or (action eq forward)) and (severity geq high) |
| Correlation | (hostid eq {host_id}) and (match_time in {last_x_time}) and (objectname eq {object_name}) and (severity geq '{severity}') and (src in {source_address}) |
| System | (subtype eq {sub_type}) and (severity geq {severity}) |
| System | (subtype eq {sub_type}) and (severity geq {severity}) |
| Wildfire Submission | ((action eq wildfire-upload-fail) or (action eq wildfire-upload-skip) or (action eq sinkhole)) |
| Decryption | (app eq {application}) and (policy_name geq {policy_name}) and ((src in {source}) or (dst in {destination})) |

##### Classifiers and Mappers

This integration supports a default Classifier (Panorama Classifier) and Mapper (Panorama Mapper) that handles incidents returned from the API.

---

[View Integration Documentation](https://xsoar.pan.dev/docs/reference/integrations/panorama)
---
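Review bot: most of this hunk is whitespace-only, but since the text is being touched, fix two wording problems it carries: "You need to create a separate integration instance for Palo Alto Networks Firewall and Palo Alto Networks" is missing "Panorama" at the end, and "the default query values has some example text in it" should read "the default query values have some example text in them". The closing `---` directly after the "View Integration Documentation" link also lacks the blank line the other separators in this file have.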
2 changes: 1 addition & 1 deletion Packs/PAN-OS/Integrations/Panorama/Panorama_test.py
@@ -4029,7 +4029,7 @@ def test_pan_os_get_running_config(mocker):
<response status='error' code='13'><msg><line>SOME_SERIAL_NUMBER not connected</line></msg></response>
"""
mocker.patch("Panorama.http_request", return_value=return_mock)
created_file = pan_os_get_running_config({"target": "SOME_SERIAL_NUMBER"})
created_file = pan_os_get_running_config({"target": "SOME_SERIAL_NUMBER", "filename": "running_config"})
assert created_file['File'] == 'running_config'


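Review bot: the updated test still only exercises the default `filename`, so the new branch `target + '_' + file_name_arg + '_running_config'` has no coverage; add a case calling `pan_os_get_running_config({"target": "SOME_SERIAL_NUMBER", "filename": "custom"})` and asserting `created_file['File'] == 'SOME_SERIAL_NUMBER_custom_running_config'`, plus a case that omits `filename` entirely to pin down what the command returns when the argument is absent.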
7 changes: 7 additions & 0 deletions Packs/PAN-OS/ReleaseNotes/2_1_22.md
@@ -0,0 +1,7 @@
#### Integrations

##### Palo Alto Networks PAN-OS

- Added the feature to append a filename string to the run-config and device state files for the following commands:
***pan-os-platform-get-device-state***
***pan-os-get-running-config***
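Review bot: "run-config" should read "running config" to match the command name, and the note should state the intended file name formats (`<serial>_<filename>_running_config` and `<serial>_<filename>_device_state.tar.gz`) so users know what to expect. The two command names are also on bare lines without list markers, which Markdown renders as a single run-on paragraph; make them sub-bullets.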
2 changes: 1 addition & 1 deletion Packs/PAN-OS/pack_metadata.json
@@ -2,7 +2,7 @@
"name": "PAN-OS by Palo Alto Networks",
"description": "Manage Palo Alto Networks Firewall and Panorama. Use this pack to manage Prisma Access through Panorama. For more information see Panorama documentation.",
"support": "xsoar",
"currentVersion": "2.1.21",
"currentVersion": "2.1.22",
"author": "Cortex XSOAR",
"url": "https://www.paloaltonetworks.com/cortex",
"email": "",