Palo Alto Networks Automatic SLR

Use the Palo Alto Networks NGFW API to automatically generate a Security Lifecycle Review (SLR) Report.

Configure Automatic SLR on XSOAR


  1. Navigate to Settings > Integrations > Utilities.

  2. Search for "Palo Alto Networks Automatic SLR".

  3. Click Add instance to create and configure a new integration instance.

    | Parameter | Description |
    | --- | --- |
    | Name | A meaningful name for the integration instance. |
    | Firewall FQDN/IP | Management FQDN or IP address of the firewall |
    | Firewall TCP Port | Management Port (Default: 443) of the firewall |
    | Firewall API Key | API Key for the target firewall |
    | Firewall Timeout | Timeout value in seconds for API operations (Default: 300) |
    | Verify Firewall Certificate | Verify the SSL/TLS Certificate the firewall presents |
    | CSP API Key | The API Key for the Palo Alto Networks Customer Support Portal (CSP) |
    | CSP Timeout | Timeout value in seconds for API operations (Default: 300) |
    | Verify CSP Certificate | Verify the SSL/TLS Certificate for the CSP |
    | XSOAR System Proxy | Enable if XSOAR utilises a proxy |
    | Enable Verbose Output | Enables debug/verbose output to the war room |
    | Customer Account Name | Name of organisation to appear on the SLR Report |
    | Firewall Deployment Location | Select the logical deployment location of the firewall |
    | Deployment Country | Set the country the customer/firewall resides in |
    | Deployment Geographic Region | Select the geographic region the customer/firewall resides in |
    | Customer Industry | Select the industry the customer is in |
    | Language | Select the language for the report to be generated in |
    | Prepared By | Set the name of the person who generated the report |
    | Requested By | Set the email address of the person who generated the report |
    | Send To | Set the email address of the recipient who will receive the report |

  4. Click Test to validate that the integration can communicate with the firewall.

NOTE: The test command does not function when Enable Verbose Output is set to enabled/true.

Step-by-step configuration

This section covers how to retrieve the Palo Alto Networks Customer Support Portal (CSP) and PAN-OS API keys.

Firewall API Key

A firewall "Super User" or administrator with a custom "Admin Role" limiting their interaction with the API is required to complete these steps.

This integration requires an API Key for the target firewall in order to run the necessary API commands. To retrieve that API Key, either:

Run this command from a terminal, replacing <firewall>, <username> and <password> as needed:

curl -k -X GET 'https://<firewall>/api/?type=keygen&user=<username>&password=<password>'

Or

curl -k -X POST 'https://<firewall>/api/?type=keygen&user=<username>&password=<password>'

Alternatively, open a browser window and navigate to: https://<firewall>/api/?type=keygen&user=<username>&password=<password>

<response status="success">
<result>
<key>gJlQWE56987nBxIqyfa62sZeRtYuIo2BgzEA9UOnlZBhU</key>
</result>
</response>
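
The keygen exchange above as a Python helper. This is an added example, not part of the integration's code: it sends the credentials in the POST body so they stay out of the URL, leaves certificate verification on, and parses the response shown above. The function names, the form-encoded body and the error sample are assumptions of this example.

```python
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

class KeygenError(Exception):
    """The firewall did not return a usable API key."""


def build_keygen_request(firewall, username, password, port=443):
    """Build the keygen POST with credentials in the body, not the URL."""
    body = urllib.parse.urlencode({"user": username, "password": password})
    return urllib.request.Request(
        f"https://{firewall}:{port}/api/?type=keygen",
        data=body.encode("utf-8"),
        headers={"Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )


def extract_api_key(xml_text):
    """Return the key from a keygen response body, or raise KeygenError."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        raise KeygenError(f"response is not valid XML: {exc}") from exc
    status = root.get("status")
    if root.tag != "response" or status != "success":
        msg = root.findtext("./result/msg") or "no message returned"
        raise KeygenError(f"keygen failed (status={status!r}): {msg}")
    key = (root.findtext("./result/key") or "").strip()
    if not key:
        raise KeygenError("success response carried no <key> element")
    return key


def fetch_api_key(firewall, username, password, port=443, timeout=30):
    """Request a key with certificate and hostname verification left on."""
    ctx = ssl.create_default_context()  # the opposite of curl -k
    req = build_keygen_request(firewall, username, password, port)
    with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
        return extract_api_key(resp.read().decode("utf-8"))


# Success body as shown above; the error body is a constructed sample.
SAMPLE_OK = ("<response status=\"success\"><result>"
             "<key>gJlQWE56987nBxIqyfa62sZeRtYuIo2BgzEA9UOnlZBhU</key>"
             "</result></response>")
SAMPLE_ERR = "<response status='error' code='403'><result><msg>Invalid Credential</msg></result></response>"
```
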

Reference Material

How-to generate an API Key: https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-panorama-api/get-started-with-the-pan-os-xml-api/get-your-api-key.html

Customer Support Portal (CSP) API Key

A Customer Support Portal "Super User" is required to complete these steps.

  1. Ensure you have the "Super User" role assigned to your account by logging in to the CSP, then navigating to: Support Home > Members > Manage Users. Under the "Roles" column you should have "Super User" assigned.

  2. Once you have the correct role assigned to your user, navigate to: Support Home > Assets > Licensing API

  3. If a key already exists, it will be displayed to you. We will use this key in the integration configuration.

  4. If a key does not exist, click Generate to generate a new API key.

NOTE: Pay attention to the expiry date and extend/regenerate the key as necessary.

Reference Material

Customer Support Portal Roles: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClaTCAS

How-to Generate the API Key: https://docs.paloaltonetworks.com/vm-series/10-0/vm-series-deployment/license-the-vm-series-firewall/licensing-api/manage-the-licensing-api-key.html

Commands


You can execute these commands from the Demisto CLI or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

Dump Integration Parameters

In some circumstances, it may be necessary to dump all currently configured parameters to the context for troubleshooting.

Base Command

!autoslr-dump-params

Arguments

There are no input arguments for this command.

Context Output

| Context Key | Description | Type |
| --- | --- | --- |
| AutoSLR.params.csp_host | The CSP base URL | String |
| AutoSLR.params.csp_proxy | Enable/disable system proxy for CSP communications | Boolean |
| AutoSLR.params.csp_timeout | The timeout value for CSP API operations | Integer |
| AutoSLR.params.csp_tls_verify | Enable/disable TLS verification for the CSP | Boolean |
| AutoSLR.params.csp_verbose | Enable/disable verbose output for CSP operations | Boolean |
| AutoSLR.params.ngfw_host | The firewall base URL | String |
| AutoSLR.params.ngfw_port | The firewall TCP port | Integer |
| AutoSLR.params.ngfw_proxy | Enable/disable system proxy for NGFW communications | Boolean |
| AutoSLR.params.ngfw_timeout | The timeout value for NGFW API operations | Integer |
| AutoSLR.params.ngfw_tls_verify | Enable/disable TLS verification for the NGFW | Boolean |
| AutoSLR.params.ngfw_verbose | Enable/disable verbose output for NGFW operations | Boolean |
| AutoSLR.params.slr_account_name | The account name to appear on the SLR report | String |
| AutoSLR.params.slr_country | The deployment country of the firewall | String |
| AutoSLR.params.slr_deployment_location | The logical deployment location of the firewall | String |
| AutoSLR.params.slr_geographic_region | The geographic region the firewall is deployed in | String |
| AutoSLR.params.slr_industry | The industry of the customer organisation | String |
| AutoSLR.params.slr_language | The language the report should be generated in | String |
| AutoSLR.params.slr_prepared_by | The name of the person who generated the report | String |
| AutoSLR.params.slr_requested_by | The email address of the person who generated the report | String |
| AutoSLR.params.slr_send_to | The email address of the recipient of the report | String |
| AutoSLR.params.system_proxy | Global enable/disable the use of the system proxy | String |
| AutoSLR.params.system_verbose | Global enable/disable the verbose/debugging output | String |

Retrieve "show system info" Output

This command will retrieve certain information about the target firewall for use within other functions.

Base Command

!autoslr-ngfw-system-info

Arguments

There are no input arguments for this command.

Context Output

| Context Key | Description | Type |
| --- | --- | --- |
| AutoSLR.ngfw_system_info.hostname | The hostname of the target firewall | String |
| AutoSLR.ngfw_system_info.serial | The serial number of the target firewall | String |
| AutoSLR.ngfw_system_info.software | The PAN-OS software version of the target firewall | String |

Initiate SLR Generation

This command will initiate the *-stats_dump.tar.gz generation job on the target firewall.

Base Command

!autoslr-ngfw-generate

Arguments

There are no input arguments for this command.

Context Output

| Context Key | Description | Type |
| --- | --- | --- |
| AutoSLR.generate.job_id | The Job ID of the generation task | Integer |

Check SLR Generation Status

This command will check the *-stats_dump.tar.gz generation job on the target firewall.

Base Command

!autoslr-ngfw-check

Arguments

| Argument | Description | Type |
| --- | --- | --- |
| job_id | The Job ID of the generation task | Integer |

Context Output

| Context Key | Description | Type |
| --- | --- | --- |
| AutoSLR.generate.job_status | The Job status of the generation task | Boolean |

Download *-stats_dump.tar.gz from the firewall

This command will download the *-stats_dump.tar.gz from the target firewall.

Base Command

!autoslr-ngfw-download

Arguments

| Argument | Description | Type |
| --- | --- | --- |
| job_id | The Job ID of the generation task | Integer |

Context Output

| Context Key | Description | Type |
| --- | --- | --- |
| AutoSLR.generate.file_name | The human readable filename of the downloaded file | String |
| InfoFile.EntryID | The EntryID of the downloaded file | String |

Note: In the default playbook supplied with the content pack, InfoFile.EntryID is copied to AutoSLR.generate.EntryID for use in the upload function.

Upload *-stats_dump.tar.gz to Palo Alto Networks

This command will upload the *-stats_dump.tar.gz file to Palo Alto Networks for report generation.

Base Command

!autoslr-csp-upload

Arguments

| Argument | Description | Type |
| --- | --- | --- |
| input_file | The EntryID of the file to upload | String |

Context Output

| Context Key | Description | Type |
| --- | --- | --- |
| AutoSLR.upload.id | The SLR Reference ID returned by the CSP API | String |
| AutoSLR.upload.send_to | The email address the completed report will be sent to | String |