Palo Alto Networks BPA

BPA Integration Used to run Best Practice Assessment checks for Panorama. This integration was integrated and tested with version 1.0 of BPA

BPA Playbook

You can use the "Run Panorama Best Practice Assessment" playbook to run a BPA job on the configured instance.

Configure BPA on Demisto

  1. Navigate to Settings > Integrations > Servers & Services .
  2. Search for BPA.
  3. Click Add instance to create and configure a new integration instance.
    • Name : a textual name for the integration instance.
    • Panorama Server URL (e.g., https://192.168.0.1)
    • Panorama Server Port (e.g 443)
    • Panorama API Key
    • BPA Access Token
  4. Click Test to validate the new instance.

Commands

You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

  1. Get documentaion: pan-os-get-documentation
  2. Submits a BPA job: pan-os-bpa-submit-job
  3. Returns results of BPA job: pan-os-bpa-get-job-results

1. pan-os-get-documentation


Get documentaion

Base Command

pan-os-get-documentation

Required Permissions

The following permissions are required for this command.

  • permission 1
  • permission 2
Input
There are no input arguments for this command.

Context Output
Path Type Description
PAN-OS-BPA.Documentation string Gets the documentation of all BPA checks

Command Example

!pan-os-get-documentation

Context Example
{
    "PAN-OS-BPA.Documentation": [
        {
            "active": true,
            "created_time": "2019-08-14T23:10:09.935024Z",
            "description": "GRE Tunnel Keep-Alive",
            "doc_id": 246,
            "doc_type": "Warning",
            "id": 246,
            "last_updated_time": "2019-08-14T23:10:09.935040Z",
            "left_nav": "GRE Tunnels",
            "rationale": "Configure Keep-alive on GRE Tunnel to ensure stability and monitoring of tunnel activity.",
            "references": "https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/networking/gre-tunnels/create-a-gre-tunnel.html",
            "title": "GRE Tunnel Keep-Alive",
            "top_nav": "Network"
        },
        ...
       ]

Human Readable Output

BPA documentation

active created_time description doc_id doc_type id last_updated_time left_nav rationale references title top_nav
true 2019-08-14T23:10:09.935024Z GRE Tunnel Keep-Alive 246 Warning 246 2019-08-14T23:10:09.935040Z GRE Tunnels Configure Keep-alive on GRE Tunnel to ensure stability and monitoring of tunnel activity. https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/networking/gre-tunnels/create-a-gre-tunnel.html GRE Tunnel Keep-Alive Network

2. pan-os-bpa-submit-job


Submits a BPA job.

Base Command

pan-os-bpa-submit-job

Required Permissions

The following permissions are required for this command.

  • permission 1
  • permission 2
Input
Argument Name Description Required
generate_zip_bundle Whether to download the Panorama report. Can be "true" or "false". Default is "false". Optional

 

Context Output
Path Type Description
PAN-OS-BPA.SubmittedJob.JobID string Submitted job ID

 

Command Example

!pan-os-bpa-submit-job

Context Example
{
    "PAN-OS-BPA.SubmittedJob": {
        "JobID": "2b0c40d6-73a8-4d23-9bd8-27548b28beb5"
    }
}
Human Readable Output

Submitted BPA job ID: 2b0c40d6-73a8-4d23-9bd8-27548b28beb5

3. pan-os-bpa-get-job-results


Returns results of BPA job.

Base Command

pan-os-bpa-get-job-results

Required Permissions

The following permissions are required for this command.

  • permission 1
  • permission 2
Input
Argument Name Description Required
task_id The job id to get results from Required

 

Context Output
Path Type Description
PAN-OS-BPA.JobResults.JobID string Submitted job ID
PAN-OS-BPA.JobResults.Status string Job status
PAN-OS-BPA.JobResults.Checks Unknown List of checks

 

Command Example

!pan-os-bpa-get-job-results task_id=32bc2c82-5b8b-471d-aed1-cccb36a6d6f7

Context Example
{
    "PAN-OS-BPA.JobResults": {
        "Checks": [
            {
                "check_category": "device",
                "check_feature": "admin_role",
                "check_id": 154,
                "check_message": "It is recommended to create and use custom admin roles",
                "check_name": "Custom Admin Roles",
                "check_severity": "Info",
                "check_type": "Note"
            },
            ..
           ]
}
Human Readable Output

Checks received.