Palo Alto Networks PAN-OS

This integration supports both Palo Alto Networks Panorama and Palo Alto Networks Firewall. You can create separate instances of each integration, and they are not necessarily related or dependent on one another.

This integration was integrated and tested with version 8.1.0 of Palo Alto Firewall and Palo Alto Panorama.

Panorama Playbook

  • PanoramaCommitConfiguration : Based on the playbook input, the playbook commits the configuration to the Palo Alto Firewall, or pushes the configuration from Panorama to predefined device groups of firewalls. The integration is available from Demisto v3.0, but the playbook uses the GenericPolling sub-playbook, which is only available from Demisto v4.0.
  • (Deprecated) PanoramaQueryTrafficLogs : Use the Panorama Query Logs playbook instead. Wraps the following commands with genericPolling to enable a complete flow to query traffic logs.
  • Panorama Query Logs : Wraps several commands (listed below) with genericPolling to enable a complete flow to query the following log types: traffic, threat, URL, data-filtering, and WildFire.
  • PAN-OS DAG Configuration
  • PAN-OS EDL Setup

Use Cases

  • Create custom security rules in Palo Alto Networks PAN-OS.
  • Create and update address objects, address groups, custom URL categories, and URL filtering objects.
  • Get URL Filtering category information from Palo Alto. Request Change is a known Palo Alto limitation.
  • Add URL filtering objects, including overrides, to Palo Alto Panorama and Firewall.
  • Commit configuration to Palo Alto FW and to Panorama, and push configuration from Panorama to predefined device groups of firewalls.
  • Block IP addresses using registered IP tags from PAN-OS without committing the PAN-OS instance. First you have to create a registered IP tag, DAG, and security rule, and commit the instance. You can then register additional IP addresses to the tag without committing the instance.
    1. Create a registered IP tag and add the necessary IP addresses by running the panorama-register-ip-tag command.

    2. Create a dynamic address group (DAG), by running the panorama-create-address-group command. Specify values for the following arguments: type="dynamic", match={ tagname }.

    3. Create a security rule using the DAG created in the previous step, by running the panorama-create-rule command.

    4. Commit the PAN-OS instance by running the PanoramaCommitConfiguration playbook.

    5. You can now register IP addresses to, or unregister IP addresses from, the IP tag by running the panorama-register-ip-tag command, or panorama-unregister-ip-tag command, respectively, without committing the PAN-OS instance.

Known Limitations

Configure Panorama on Demisto

  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for Panorama.
  3. Click Add instance to create and configure a new integration instance.
    • Name: a textual name for the integration instance.
    • Server URL (e.g. https://192.168.0.1)
    • Port
    • API Key
    • Trust any certificate (not secure)
    • Use system proxy settings
    • Device group - Required for Panorama instances. If you want to use the shared location, the value in this field should be "shared".
    • Vsys - Required for Firewall instances (PAN-OS default is 'vsys1'): retrieve this from the Demisto URL, for example: <server_url>:port/<vsys_name>. If you have multiple vsys, select the one to configure on this instance.
  4. Click Test to validate the URLs, token, and connection.
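As an added example (not the integration's own code), the PAN-OS XML API requests behind the IP-tag / dynamic address group use case above, together with the device group vs. vsys location difference from the configuration parameters. The API key, object names and the sample job response are constructed placeholders; sending the requests over HTTPS with certificate verification is left to the caller.

```python
import ipaddress
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

# Constructed placeholder (not a value from the page): the caller supplies a real key.
API_KEY = "PLACEHOLDER_API_KEY"


def _safe_name(name):
    """Reject characters that could break out of an xpath predicate or XML element."""
    if not name or any(c in name for c in "'\"[]/<>&"):
        raise ValueError(f"unsafe object name: {name!r}")
    return name


def config_location(device_group=None, vsys=None):
    """xpath prefix for objects: a Panorama device group, Panorama 'shared',
    or a firewall vsys (PAN-OS default vsys1), mirroring the integration parameters."""
    if device_group == "shared":
        return "/config/shared"
    base = "/config/devices/entry[@name='localhost.localdomain']"
    if device_group:
        return f"{base}/device-group/entry[@name='{_safe_name(device_group)}']"
    return f"{base}/vsys/entry[@name='{_safe_name(vsys or 'vsys1')}']"


def dag_request(name, tag, device_group=None, vsys=None):
    """Config API call behind panorama-create-address-group type=dynamic match=<tag>.
    It edits the candidate configuration, so it only takes effect after a commit."""
    xpath = f"{config_location(device_group, vsys)}/address-group/entry[@name='{_safe_name(name)}']"
    element = f"<dynamic><filter>'{_safe_name(tag)}'</filter></dynamic>"
    return {"type": "config", "action": "set", "xpath": xpath, "element": element, "key": API_KEY}


def ip_tag_request(ips, tag, unregister=False):
    """User-ID API call behind panorama-register-ip-tag / panorama-unregister-ip-tag.
    IP-to-tag mappings are runtime state, not candidate config, so no commit is needed."""
    msg = ET.Element("uid-message")
    ET.SubElement(msg, "version").text = "2.0"
    ET.SubElement(msg, "type").text = "update"
    op = ET.SubElement(ET.SubElement(msg, "payload"), "unregister" if unregister else "register")
    for ip in ips:
        ipaddress.ip_address(ip)  # raises ValueError for anything that is not a literal IP
        entry = ET.SubElement(op, "entry", ip=ip)
        ET.SubElement(ET.SubElement(entry, "tag"), "member").text = _safe_name(tag)
    return {"type": "user-id", "cmd": ET.tostring(msg, encoding="unicode"), "key": API_KEY}


def commit_request():
    """Call behind panorama-commit; on Panorama this does not push to the firewalls."""
    return {"type": "commit", "cmd": "<commit></commit>", "key": API_KEY}


def job_status_request(job_id):
    """Call behind panorama-commit-status: poll the job until it finishes."""
    return {"type": "op", "cmd": f"<show><jobs><id>{int(job_id)}</id></jobs></show>", "key": API_KEY}


def api_url(server, params):
    """Full request URL; the API key travels as a query parameter, so keep these out of logs."""
    return f"{server.rstrip('/')}/api/?{urlencode(params)}"


def parse_job(xml_text):
    """Read id/status/result from a job response; raise on an API-level error."""
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        raise RuntimeError(root.findtext(".//msg") or "PAN-OS API error")
    job = root.find("./result/job")
    if job is None:
        raise RuntimeError("no <job> element in response")
    return {"id": job.findtext("id"), "status": job.findtext("status"), "result": job.findtext("result")}


# Constructed sample, modelled on the <show><jobs> response format (not captured from a device).
SAMPLE_JOB_XML = (
    '<response status="success"><result><job><id>42</id><type>Commit</type>'
    "<status>FIN</status><result>OK</result></job></result></response>"
)


if __name__ == "__main__":
    # One-time setup that needs a commit ...
    print(dag_request("quarantine_dag", "quarantine", device_group="shared")["xpath"])
    print(api_url("https://panorama.example", commit_request()))
    # ... and the per-incident step that does not.
    print(ip_tag_request(["10.0.0.5"], "quarantine")["cmd"])
    print(parse_job(SAMPLE_JOB_XML))
```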

Commands

You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

  1. Run any command supported in the Panorama API: panorama
  2. Commit a configuration: panorama-commit
  3. Push rules from Panorama to a device group: panorama-push-to-device-group
  4. Get a list of addresses: panorama-list-addresses
  5. Get address details: panorama-get-address
  6. Create an address object: panorama-create-address
  7. Delete an address: panorama-delete-address
  8. Get a list of address groups: panorama-list-address-groups
  9. Get details for an address group: panorama-get-address-group
  10. Create an address group: panorama-create-address-group
  11. Delete an address group: panorama-delete-address-group
  12. Edit an address group: panorama-edit-address-group
  13. Get details for a custom URL category: panorama-get-custom-url-category
  14. Create a custom URL category: panorama-create-custom-url-category
  15. Delete a custom URL category: panorama-delete-custom-url-category
  16. Add/Remove sites from a custom URL category: panorama-edit-custom-url-category
  17. Get details for a URL category: panorama-get-url-category
  18. Get details for a URL filtering rule: panorama-get-url-filter
  19. Create a URL filtering rule: panorama-create-url-filter
  20. Edit a URL filter: panorama-edit-url-filter
  21. Delete a URL filtering rule: panorama-delete-url-filter
  22. Create a rule: panorama-create-rule
  23. Create a custom block policy rule: panorama-custom-block-rule
  24. Change the location of a policy rule: panorama-move-rule
  25. Edit a policy rule: panorama-edit-rule
  26. Delete a policy rule: panorama-delete-rule
  27. Get a list of applications: panorama-list-applications
  28. Get the commit status for a configuration: panorama-commit-status
  29. Get the push status for a configuration: panorama-push-status
  30. Get a list of services: panorama-list-services
  31. Get information for a service: panorama-get-service
  32. Create a service: panorama-create-service
  33. Delete a service: panorama-delete-service
  34. Get a list of service groups: panorama-list-service-groups
  35. Get information for a service group: panorama-get-service-group
  36. Create a service group: panorama-create-service-group
  37. Delete a service group: panorama-delete-service-group
  38. Edit a service group: panorama-edit-service-group
  39. Get information for PCAP files: panorama-get-pcap
  40. Get a list of all PCAP files: panorama-list-pcaps
  41. Get a list of EDLs: panorama-list-edls
  42. Get information for an EDL: panorama-get-edl
  43. Create an EDL: panorama-create-edl
  44. Edit an EDL: panorama-edit-edl
  45. Delete an EDL: panorama-delete-edl
  46. Refresh an EDL: panorama-refresh-edl
  47. Register IP addresses to a tag: panorama-register-ip-tag
  48. Unregister IP addresses from a tag: panorama-unregister-ip-tag
  49. Query traffic logs: panorama-query-traffic-logs
  50. Check the query status of traffic logs: panorama-check-traffic-logs-status
  51. Get traffic logs: panorama-get-traffic-logs
  52. Get a list of predefined security rules: panorama-list-rules
  53. Query logs: panorama-query-logs
  54. Check the query status of logs: panorama-check-logs-status
  55. Get the data of a logs query: panorama-get-logs

1. Run any command supported in the PAN-OS API


Run any command supported in the API.

Base Command

panorama

Input
Argument Name Description Required
action Action to take. Can be: show, get, set, edit, delete, rename, clone, move, or override. Optional
category Category parameter. e.g. when exporting a configuration file use category=configuration. Optional
cmd Used for operational commands; cmd specifies the XML struct that defines the command. Optional
command Run a command. e.g. "command = ". Optional
dst Specifies destination. Optional
element Used to define a new value for an object. Optional
to To parameter (used in specifying time and when cloning an object). Optional
from From parameter (used in specifying time and when cloning an object). Optional
key Sets a key value. Optional
where Specifies the type of a move operation (e.g. where=after, where=before, where=top, where=bottom). Optional
period Describe a time period. E.g. period=last-24-hrs. Optional
xpath Defines a location, e.g. xpath=/config/predefined/application/entry[@name='hotmail']. Optional
pcap-id The threat PCAP ID in the threat log. Optional
serialno Specifies the device serial number. Optional
reporttype Choose dynamic, predefined or custom report. Optional
reportname The report name. Optional
log-type Used for retrieving logs. e.g. log-type=threat for threat logs. Optional
type The request type (e.g. export, import, log, config). Optional
search-time Used for threat PCAPs, the time that the PCAP was received on the firewall. Optional
target Target number of the firewall (Panorama instance). Optional

Context Output

There is no context output for this command.

2. Commit a configuration


Commits a configuration to Palo Alto Networks PAN-OS, but does not validate whether the commit was successful. Committing to PAN-OS does not push the configuration to the firewalls. To push the configuration, run the panorama-push-to-device-group command.

Base Command

panorama-commit

Input

There are no input arguments for this command.

Context Output
Path Type Description
Panorama.Commit.JobID number Job ID of the configuration to commit.
Panorama.Commit.Status string Commit status.

Command Example
!panorama-commit
Human Readable Output


3. Push rules from PAN-OS to a device group


Pushes rules from PAN-OS to the configured device group.

Base Command

panorama-push-to-device-group

Input
Argument Name Description Required
device-group The device group to which to push the rules (Panorama instances). If no value is supplied, the default group configured in the integration parameter is applied. Optional

Context Output
Path Type Description
Panorama.Push.DeviceGroup string Device group to which the policies were pushed.
Panorama.Push.JobID number Job ID of the configuration to be pushed.
Panorama.Push.Status string Push status.

Command Example
!panorama-push-to-device-group
Human Readable Output


4. Get a list of addresses


Returns a list of addresses.

Base Command

panorama-list-addresses

Input
Argument Name Description Required
device-group The device group for which to return addresses (Panorama instances). If no value is supplied, the default group configured integration parameter is applied. Optional
Tag The tag for which to filter the list of addresses. Optional

Context Output
Path Type Description
Panorama.Addresses.Name string Address name.
Panorama.Addresses.Description string Address description.
Panorama.Addresses.FQDN string Address FQDN.
Panorama.Addresses.IP_Netmask string Address IP netmask.
Panorama.Addresses.IP_Range string Address IP range.
Panorama.Addresses.DeviceGroup string Address device group.
Panorama.Addresses.Tags string Address tags.

Command Example
!panorama-list-addresses
Human Readable Output


5. Get address details


Returns address details for the supplied address name.

Base Command

panorama-get-address

Input
Argument Name Description Required
name Address name. Required
device-group The device group for which to return addresses (Panorama instances). If no value is supplied, the default group configured integration parameter is applied. Optional

Context Output
Path Type Description
Panorama.Addresses.Name string Address name.
Panorama.Addresses.Description string Address description.
Panorama.Addresses.FQDN string Address FQDN.
Panorama.Addresses.IP_Netmask string Address IP netmask.
Panorama.Addresses.IP_Range string Address IP range.
Panorama.Addresses.DeviceGroup string Address device group.
Panorama.Addresses.Tags string Address tags.

Command Example
!panorama-get-address name="Demisto address"
Human Readable Output


6. Create an address object


Creates an address object.

Base Command

panorama-create-address

Input
Argument Name Description Required
name Name for the new address. Required
description A description of the new address. Optional
fqdn FQDN of the new address. Optional
ip_netmask IP netmask of the new address, e.g., 10.10.10.10/24. Optional
ip_range IP range of the new address, e.g., 10.10.10.0-10.10.10.255. Optional
device-group The device group for which to return addresses (Panorama instances). If no value is supplied, the default group configured integration parameter is applied. Optional
tag The tag for the new address Optional

Context Output
Path Type Description
Panorama.Addresses.Name string Address name.
Panorama.Addresses.Description string Address description.
Panorama.Addresses.FQDN string Address FQDN.
Panorama.Addresses.IP_Netmask string Address IP netmask.
Panorama.Addresses.IP_Range string Address IP range.
Panorama.Addresses.DeviceGroup string Address device group.
Panorama.Addresses.Tag string Address tag.

Command Example
!panorama-create-address name="address_test_pb" description="just a desc" ip_range="10.10.10.9-10.10.10.10"
Human Readable Output

7. Delete an address object


Deletes an address object.

Base Command

panorama-delete-address

Input
Argument Name Description Required
name Name of the address to delete. Required
device-group The device group for which to return addresses (Panorama instances). If no value is supplied, the default group configured integration parameter is applied. Optional

Context Output
Path Type Description
Panorama.Addresses.Name string Name of the address that was deleted.

Command Example
!panorama-delete-address name="address_test_pb"
Human Readable Output


8. Get a list of address groups


Returns a list of address groups.

Base Command

panorama-list-address-groups

Input
Argument Name Description Required
device-group The device group for which to return addresses (Panorama instances). If no value is supplied, the default group configured integration parameter is applied. Optional
tag The tag for which to filter the address group. Optional


Context Output
Path Type Description
Panorama.AddressGroups.Name string Address group name.
Panorama.AddressGroups.Type string Address group type.
Panorama.AddressGroups.Match string Dynamic address group match.
Panorama.AddressGroups.Description string Address group description.
Panorama.AddressGroups.Addresses string Static address group addresses.
Panorama.AddressGroups.DeviceGroup string Address device group.
Panorama.AddressGroups.Tag string Address group tag.

Command Example
!panorama-list-address-groups
Human Readable Output


9. Get information for an address group


Returns details for the specified address group.

Base Command

panorama-get-address-group

Input
Argument Name Description Required
name Address group name. Required
device-group The device group for which to return addresses (Panorama instances). If no value is supplied, the default group configured integration parameter is applied. Optional

Context Output
Path Type Description
Panorama.AddressGroups.Name string Address group name.
Panorama.AddressGroups.Type string Address group type.
Panorama.AddressGroups.Match string Dynamic address group match.
Panorama.AddressGroups.Description string Address group description.
Panorama.AddressGroups.Addresses string Static address group addresses.
Panorama.AddressGroups.DeviceGroup string Address device group.
Panorama.AddressGroups.Tags string Address group tags.

Command Example
!panorama-get-address-group name=suspicious_address_group
Human Readable Output


10. Create an address group


Creates an address group; "static" or "dynamic".

Base Command

panorama-create-address-group

Input
Argument Name Description Required
name Address group name. Required
type Address group type. Required
match Dynamic address group match. e.g., "1.1.1.1 or 2.2.2.2". Optional
addresses Static address group list of addresses. Optional
description Address group description. Optional
device-group The device group for which to return addresses (Panorama instances). If no value is supplied, the default group configured integration parameter is applied. Optional
tags The tags for the address group. Optional

Context Output
Path Type Description
Panorama.AddressGroups.Name string Address group name.
Panorama.AddressGroups.Type string Address group type.
Panorama.AddressGroups.Match string Dynamic address group match.
Panorama.AddressGroups.Addresses string Static address group list.
Panorama.AddressGroups.Description string Address group description.
Panorama.AddressGroups.DeviceGroup string Address device group.
Panorama.AddressGroups.Tag string Address group tags.

Command Example
!panorama-create-address-group name=suspicious_address_group type=dynamic match=1.1.1.1 description="this ip is very bad"
Human Readable Output


11. Delete an address group


Deletes an address group.

Base Command

panorama-delete-address-group

Input
Argument Name Description Required
name Name of address group to delete. Optional
device-group The device group for which to return addresses (Panorama instances). If no value is supplied, the default group configured integration parameter is applied. Optional

Context Output
Path Type Description
Panorama.AddressGroups.Name string Name of address group that was deleted.

Command Example
!panorama-delete-address-group name="dynamic_address_group_test_pb3"
Human Readable Output


12. Edit an address group


Edits an address group; "static" or "dynamic".

Base Command

panorama-edit-address-group

Input
Argument Name Description Required
name Name of the address group to edit. Required
type Address group type. Required
match Address group new match, e.g., "1.1.1.1 and 2.2.2.2". Optional
element_to_add Element to add to the list of the static address group. Only existing Address objects can be added. Optional
element_to_remove Element to remove from the list of the static address group. Only existing Address objects can be removed. Optional
description Address group new description. Optional
tag Address group tag to edit. Optional

Context Output
Path Type Description
Panorama.AddressGroups.Name string Address group name.
Panorama.AddressGroups.Type string Address group type.
Panorama.AddressGroups.Filter string Dynamic address group match.
Panorama.AddressGroups.Description string Address group description.
Panorama.AddressGroups.Addresses string Static address group addresses.
Panorama.AddressGroups.DeviceGroup string Address device group.
Panorama.AddressGroups.Tags string Address group tags.

13. Get details for a custom URL category


Returns information for a custom URL category.

Base Command

panorama-get-custom-url-category

Input
Argument Name Description Required
name Custom URL category name. Required
device-group The device group for which to return addresses (Panorama instances). If no value is supplied, the default group configured integration parameter is applied. Optional

Context Output
Path Type Description
Panorama.CustomURLCategory.Name string Custom URL category name.
Panorama.CustomURLCategory.Description string Custom URL category description.
Panorama.CustomURLCategory.Sites string Custom URL category list of sites.

Command Example
!panorama-get-custom-url-category name=my_personal_url_category
Human Readable Output


14. Create a custom URL category


Creates a custom URL category.

Base Command

panorama-create-custom-url-category

Input
Argument Name Description Required
name Name for the custom URL category to create. Required
description Description of the custom URL category to create. Optional
sites List of sites for the custom URL category. Optional
device-group The device group for which to return addresses (Panorama instances). If no value is supplied, the default group configured integration parameter is applied. Optional

Context Output
Path Type Description
Panorama.CustomURLCategory.Name string Custom URL category name
Panorama.CustomURLCategory.Description string Custom URL category description.
Panorama.CustomURLCategory.Sites string Custom URL category list of sites.

Command Example
!panorama-create-custom-url-category name=suspicious_address_group sites=["thepill.com","abortion.com"] description=momo
Human Readable Output


15. Delete a custom URL category


Deletes a custom URL category.

Base Command

panorama-delete-custom-url-category

Input
Argument Name Description Required
name Name of the custom URL category to delete. Optional
device-group The device group for which to return addresses (Panorama instances). If no value is supplied, the default group configured integration parameter is applied. Optional

Context Output
Path Type Description
Panorama.CustomURLCategory.Name string Name of the custom URL category to delete.

Command Example
!panorama-delete-custom-url-category name=suspicious_address_group
Human Readable Output


16. Add/Remove sites from a custom URL category


Adds sites to, or removes sites from, a custom URL category.

Base Command

panorama-edit-custom-url-category

Input
Argument Name Description Required
name Name of the custom URL category to which to add or remove sites. Required
sites CSV list of sites to add to or remove from the custom URL category. Required
action Add or remove sites; "add" or "remove". Required

Context Output
Path Type Description
Panorama.CustomURLCategory.Name string Custom URL category name.
Panorama.CustomURLCategory.Description string Custom URL category description.
Panorama.CustomURLCategory.Sites string Custom URL category list of sites.

Human Readable Output

17. Get details for a URL category


Gets a URL category from URL Filtering.

Base Command

panorama-get-url-category

Input
Argument Name Description Required
url URL to check. Required

Context Output
Path Type Description
Panorama.URLFiltering.URL string URL.
Panorama.URLFiltering.Category string URL category.

Command Example
!panorama-get-url-category url="poker.com"
Human Readable Output


18. Get details for a URL filtering rule


Get information for a URL filtering rule.

Base Command

panorama-get-url-filter

Input
Argument Name Description Required
name URL filter name. Required
device-group The device group for which to return addresses (Panorama instances). If no value is supplied, the default group configured integration parameter is applied. Optional

Context Output
Path Type Description
Panorama.URLFilter.Name string URL filter name.
Panorama.URLFilter.Category.Name string URL filter category name.
Panorama.URLFilter.Category.Action string Action for the URL category.
Panorama.URLFilter.OverrideBlockList string URL filter override block list.
Panorama.URLFilter.OverrideAllowList string URL filter override allow list.
Panorama.URLFilter.Description string URL filter description.

Command Example
!panorama-get-url-filter name=demisto_default_url_filter
Human Readable Output


19. Create a URL filtering rule


Creates a URL filtering rule.

Base Command

panorama-create-url-filter

Input
Argument Name Description Required
name Name of the URL filter to create. Required
url_category One or more URL categories. Required
action Action for the URL categories; "allow", "block", "alert", "continue", "override". Required
override_allow_list CSV list of URLs to exclude from the allow list. Optional
override_block_list CSV list of URLs to exclude from the block list. Optional
description URL filter description. Optional
device-group The device group for which to return addresses (Panorama instances). If no value is supplied, the default group configured integration parameter is applied. Optional

Context Output
Path Type Description
Panorama.URLFilter.Name string URL filter name
Panorama.URLFilter.Category.Name string URL filter category name
Panorama.URLFilter.Category.Action string Action for the URL category
Panorama.URLFilter.OverrideAllowList string URL filter override allow list
Panorama.URLFilter.OverrideBlockList string URL filter override block list
Panorama.URLFilter.Description string URL filter description.

20. Edit a URL filter


Edits a URL filter.

Base Command

panorama-edit-url-filter

Input
Argument Name Description Required
name URL filter to edit Required
element_to_change Element to change; "override_allow_list", "override_block_list". Required
element_value Element value, limited to one value. Required
add_remove_element Whether to add the element_value to, or remove it from, the Allow List field or Block List field; "add" or "remove" (default is "add"). Optional

Context Output
Path Type Description
Panorama.URLFilter.Name string URL filter name.
Panorama.URLFilter.Description string URL filter description.
Panorama.URLFilter.Category.Name string URL filter category.
Panorama.URLFilter.Action string Action for the URL category.
Panorama.URLFilter.OverrideAllowList string Allow Overrides for the URL category.
Panorama.URLFilter.OverrideBlockList string Block Overrides for the URL category.

Command Example
!panorama-edit-url-filter name=demisto_default_url_filter element_to_change=override_allow_list element_value="poker.com" add_remove_element=add
Human Readable Output


21. Delete a URL filtering rule


Deletes a URL filtering rule.

Base Command

panorama-delete-url-filter

Input
Argument Name Description Required
name Name of the URL filter rule to delete. Required
device-group The device group for which to return addresses (Panorama instances). If no value is supplied, the default group configured integration parameter is applied. Optional

Context Output
Path Type Description
Panorama.URLFilter.Name string URL filter rule name that was deleted.

22. Create a policy rule


Creates a policy rule.

Base Command

panorama-create-rule

Input
Argument Name Description Required
rulename Name of the rule to create. Optional
description Description of the rule to create. Optional
action Action for the rule; "allow", "deny", "drop". Required
source Source address; "address", "address group". Optional
destination Destination address; "address", "address group". Optional
negate_source Whether to negate the source (address, address group); "Yes" or "No". Optional
negate_destination Whether to negate the destination (address, address group); "Yes" or "No". Optional
service Service for the rule (service object) to create. Optional
disable Whether to disable the rule; "Yes" or "No" (default is "No"). Optional
application Application for the rule to create. Optional
source_user Source user for the rule to create. Optional
pre_post Pre rule or Post rule. Optional
target Specify a target firewall for the rule. Optional
log_forwarding Log forwarding profile (Panorama instances). Optional
device-group The device group for which to return addresses for the rule (Panorama instances). If no value is supplied, the default group configured integration parameter is applied. Optional
tags Rule tags to create. Optional

Context Output
Path Type Description
Panorama.SecurityRule.Name string Rule name.
Panorama.SecurityRule.Description string Rule description.
Panorama.SecurityRule.Action string Action for the rule.
Panorama.SecurityRule.Source string Source address.
Panorama.SecurityRule.Destination string Destination address.
Panorama.SecurityRule.NegateSource boolean Whether the source is negated (address, address group).
Panorama.SecurityRule.NegateDestination boolean Whether the destination is negated (address, address group).
Panorama.SecurityRule.Service string Service for the rule.
Panorama.SecurityRule.Disabled string Whether the rule is disabled.
Panorama.SecurityRule.Application string Application for the rule.
Panorama.SecurityRule.Target string Target firewall.
Panorama.SecurityRule.LogForwarding string Log forwarding profile (Panorama instances).
Panorama.SecurityRule.DeviceGroup string Device group for the rule (Panorama instances).
Panorama.SecurityRules.Tags string Rule tags.

Command Example
!panorama-create-rule rulename="block_bad_application" description="do not play at work" action="deny" application="fortnite"
Human Readable Output


23. Create a custom block policy rule


Creates a custom block policy rule.

Base Command

panorama-custom-block-rule

Input
Argument Name Description Required
rulename Name of the custom block policy rule to create. Optional
object_type Object type to block in the policy rule. Can be "ip", "address-group", "edl", or "custom-url-category". Required
object_value Object value. Required
direction Direction to block. Can be "to", "from", or "both". Default is "both". This argument is not applicable to the "custom-url-category" object_type. Optional
pre_post Pre rule or Post rule. Optional
target Specify a target firewall for the rule. Optional
log_forwarding Log forwarding profile (Panorama instances). Optional
device-group The device group for which to return addresses for the rule (Panorama instances). If no value is supplied, the default group configured integration parameter is applied. Optional
tags The tags for the custom block policy rule. Optional

Context Output
Path Type Description
Panorama.SecurityRule.Name string Rule name.
Panorama.SecurityRule.Object string Blocked object.
Panorama.SecurityRule.Direction string Direction blocked.
Panorama.SecurityRule.Target string Target firewall.
Panorama.SecurityRule.LogForwarding string Log forwarding profile (Panorama instances).
Panorama.SecurityRule.DeviceGroup string Device group for the rule (Panorama instances).
Panorama.SecurityRule.Tags string Rule tags.

24. Change the location of a policy rule


Changes the location of a policy rule.

Base Command

panorama-move-rule

Input
Argument Name Description Required
rulename Name of the rule to move. Required
where Where to move the rule to; "before", "after", "top", or "bottom". If you specify "up" or "down", you need to supply the "dst" argument. Required
dst Destination rule relative to the rule you are moving. Only supply this argument if you specified "up" or "down" for the "where" argument. Optional
pre_post Rule location. Optional
device-group The device group for which to return addresses (Panorama instances). If no value is supplied, the default group configured integration parameter is applied. Optional

Context Output
Path Type Description
Panorama.SecurityRule.Name string Rule name.

Command Example
!panorama-move-rule rulename="test_rule3" where="bottom"
Human Readable Output


25. Edit a policy rule


Edits a policy rule.

Base Command

panorama-edit-rule

Input
Argument Name Description Required
rulename Name of the rule to edit. Required
element_to_change Parameter in the security rule to change. Can be "source", "destination", "application", "action", "category", "description", "disabled", "target", "log-forwarding", or "tag". Required
element_value New value for the parameter. Required
pre_post Pre rule or Post rule (Panorama instances). Optional

Context Output
Path Type Description
Panorama.SecurityRule.Name string Rule name.
Panorama.SecurityRule.Description string Rule description.
Panorama.SecurityRule.Action string Action for the rule.
Panorama.SecurityRule.Source string Source address.
Panorama.SecurityRule.Destination string Destination address.
Panorama.SecurityRule.NegateSource boolean Is the source negated (address, address group).
Panorama.SecurityRule.NegateDestination boolean Is the destination negated (address, address group).
Panorama.SecurityRule.Service string Service for the rule.
Panorama.SecurityRule.Disabled string Is the rule disabled.
Panorama.SecurityRule.Application string Application for the rule.
Panorama.SecurityRule.Target string Target firewall (Panorama instances).
Panorama.SecurityRule.DeviceGroup string Device group for the rule (Panorama instances).
Panorama.SecurityRule.Tags string Tags for the rule.

Command Example
!panorama-edit-rule rulename="block_bad_application" element_to_change=action element_value=drop
Human Readable Output

screen shot 2018-12-25 at 14 29 40

26. Delete a policy rule


Deletes a policy rule.

Base Command

panorama-delete-rule

Input
Argument Name Description Required
rulename Name of the rule to delete. Required
pre_post Pre rule or Post rule (Panorama instances). Optional
device-group The device group of the rule (Panorama instances). If no value is supplied, the device group configured in the integration parameters is used. Optional

Context Output
Path Type Description
Panorama.SecurityRule.Name string Rule name.

Command Example
!panorama-delete-rule rulename=block_bad_application
Human Readable Output

screen shot 2018-12-25 at 14 30 48

27. Get a list of applications


Returns a list of predefined applications.

Base Command

panorama-list-applications

Input

There are no input arguments for this command.

Context Output
Path Type Description
Panorama.Applications.Name string Application name.
Panorama.Applications.Id number Application ID.
Panorama.Applications.Category string Application category.
Panorama.Applications.SubCategory string Application sub-category.
Panorama.Applications.Technology string Application technology.
Panorama.Applications.Risk number Application risk (1-5).
Panorama.Applications.Description string Application description.

Command Example
!panorama-list-applications
Human Readable Output

screen shot 2018-12-25 at 14 33 50

28. Get the commit status for a configuration


Get the commit status for a configuration.

Base Command

panorama-commit-status

Input
Argument Name Description Required
job_id Job ID to check. Required

Context Output
Path Type Description
Panorama.Commit.JobID number Job ID of the commit.
Panorama.Commit.Status string Commit status.
Panorama.Commit.Details string Commit job details.
Panorama.Commit.Warnings string Commit job warnings.

Command Example
!panorama-commit-status job_id=948
Human Readable Output

screen shot 2018-12-25 at 15 01 14

29. Get the push status for a configuration


Get the push status for a configuration.

Base Command

panorama-push-status

Input
Argument Name Description Required
job_id Job ID to check. Required

Context Output
Path Type Description
Panorama.Push.DeviceGroup string Device group to which the policies were pushed.
Panorama.Push.JobID number Job ID of the push.
Panorama.Push.Status string Push status.
Panorama.Push.Details string Push job details.

Command Example
!panorama-push-status job_id=951
Human Readable Output

screen shot 2018-12-25 at 15 23 18

30. Get a list of services


Returns a list of all services.

Base Command

panorama-list-services

Input
Argument Name Description Required
device-group The device group for which to return services (Panorama instances). If no value is supplied, the device group configured in the integration parameters is used. Optional
tag Return only services with this tag. Optional

Context Output
Path Type Description
Panorama.Services.Name string Service name.
Panorama.Services.Protocol string Service protocol.
Panorama.Services.Description string Service description.
Panorama.Services.DestinationPort string Service destination port.
Panorama.Services.SourcePort string Service source port.
Panorama.Services.DeviceGroup string Service device group.
Panorama.Services.Tags string Service tags.

Command Example
!panorama-list-services
Human Readable Output

screen shot 2019-01-24 at 19 52 45

31. Get information for a service


Returns service details for the supplied service name.

Base Command

panorama-get-service

Input
Argument Name Description Required
name Service name. Required
device-group The device group of the service (Panorama instances). If no value is supplied, the device group configured in the integration parameters is used. Optional

Context Output
Path Type Description
Panorama.Services.Name string Service name.
Panorama.Services.Protocol string Service protocol.
Panorama.Services.Description string Service description.
Panorama.Services.DestinationPort string Service destination port.
Panorama.Services.SourcePort string Service source port.
Panorama.Services.DeviceGroup string Service device group.
Panorama.Services.Tags string Service tags.

Command Example
!panorama-get-service name=guy_ser3
Human Readable Output

screen shot 2019-01-24 at 19 53 04

32. Create a service


Creates a service.

Base Command

panorama-create-service

Input
Argument Name Description Required
name Name for the new service. Required
protocol Protocol for the new service. Required
destination_port Destination port for the new service. Required
source_port Source port for the new service. Optional
description Description of the new service. Optional
device-group The device group in which to create the service (Panorama instances). If no value is supplied, the device group configured in the integration parameters is used. Optional
tags The tags for the new service. Optional

Context Output
Path Type Description
Panorama.Services.Name string Service name.
Panorama.Services.Protocol string Service protocol.
Panorama.Services.Description string Service description.
Panorama.Services.DestinationPort string Service destination port.
Panorama.Services.SourcePort string Service source port.
Panorama.Services.DeviceGroup string Service device group.
Panorama.Services.Tags string Service tags.

Command Example
!panorama-create-service name=guy_ser3 protocol=udp destination_port=36 description=bfds
Human Readable Output

placeholder

33. Delete a service


Deletes a service.

Base Command

panorama-delete-service

Input
Argument Name Description Required
name Name of the service to delete. Required
device-group The device group of the service (Panorama instances). If no value is supplied, the device group configured in the integration parameters is used. Optional

Context Output
Path Type Description
Panorama.Services.Name string Service name.

Command Example
!panorama-delete-service name=guy_ser3
Human Readable Output

placeholder

34. Get a list of service groups


Returns a list of service groups.

Base Command

panorama-list-service-groups

Input
Argument Name Description Required
device-group The device group for which to return service groups (Panorama instances). If no value is supplied, the device group configured in the integration parameters is used. Optional

Context Output
Path Type Description
Panorama.ServiceGroups.Name string Service group name.
Panorama.ServiceGroups.Services string Services in the service group.
Panorama.ServiceGroups.DeviceGroup string Service group device group.
Panorama.ServiceGroups.Tags string Service group tags.

Command Example
!panorama-list-service-groups
Human Readable Output

placeholder

35. Get information for a service group


Returns details for the specified service group.

Base Command

panorama-get-service-group

Input
Argument Name Description Required
name Service group name. Required
device-group The device group of the service group (Panorama instances). If no value is supplied, the device group configured in the integration parameters is used. Optional

Context Output
Path Type Description
Panorama.ServiceGroups.Name string Service group name.
Panorama.ServiceGroups.Services string Services in the service group.
Panorama.ServiceGroups.DeviceGroup string Service group device group.
Panorama.ServiceGroups.Tags string Service group tags.

Command Example
!panorama-get-service-group name=ser_group6
Human Readable Output

placeholder

36. Create a service group


Creates a service group.

Base Command

panorama-create-service-group

Input
Argument Name Description Required
name Service group name. Required
services Services to include in the group. Only existing service objects can be added. Required
device-group The device group in which to create the service group (Panorama instances). If no value is supplied, the device group configured in the integration parameters is used. Optional
tags Tags for the new service group. Optional

Context Output
Path Type Description
Panorama.ServiceGroups.Name string Service group name.
Panorama.ServiceGroups.Services string Services in the service group.
Panorama.ServiceGroups.DeviceGroup string Service group device group.
Panorama.ServiceGroups.Tags string Service group tags.

Command Example
!panorama-create-service-group name=lalush_sg4 services=["demisto_service1","demi_service_test_pb"]

Human Readable Output

placeholder

37. Delete a service group


Deletes a service group.

Base Command

panorama-delete-service-group

Input
Argument Name Description Required
name Name of the service group to delete. Required
device-group The device group of the service group (Panorama instances). If no value is supplied, the device group configured in the integration parameters is used. Optional

Context Output
Path Type Description
Panorama.ServiceGroups.Name string Name of the service group that was deleted.
Panorama.ServiceGroups.DeviceGroup string Device group for the service group that was deleted (Panorama instances).

Command Example
!panorama-delete-service-group name=lalush_sg4
Human Readable Output

placeholder

38. Edit a service group


Modifies details of a service group.

Base Command

panorama-edit-service-group

Input
Argument Name Description Required
name Service group name. Required
services_to_remove Services to remove from the service group. Only existing service objects can be removed. Optional
services_to_add Services to add to the service group. Only existing service objects can be added. Optional
tags Tag to set on the service group. Optional

Context Output
Path Type Description
Panorama.ServiceGroups.Name string Service group name.
Panorama.ServiceGroups.Services string Services in the service group.
Panorama.ServiceGroups.DeviceGroup string Service group device group.
Panorama.ServiceGroups.Tags string Service group tags.

Command Example
!panorama-edit-service-group name=lalush_sg4 services_to_remove=["serice_udp_test_pb","demisto_service1"]
Human Readable Output

screen shot 2019-01-24 at 19 58 56

39. Get information for a PCAP file


Returns information for a Panorama PCAP file. The recommended maximum file size is 5 MB. If the limit is exceeded, you might need to SSH into the firewall and run the scp export command to export the PCAP file. For more information, see the Palo Alto Networks documentation.

Base Command

panorama-get-pcap

Input
Argument Name Description Required
pcapType The type of packet capture. Required
from The name of the PCAP file to retrieve (for the "filter-pcap", "dlp-pcap", and "application-pcap" types). Optional
localName The new name for the PCAP file after downloading. If this argument is not specified, the file name will be the PCAP file name that was set in the firewall. Optional
serialNo The serial number for the request. For more information, see the Panorama XML API Documentation. Optional
searchTime The search time for the request. For more information, see the Panorama XML API Documentation. Optional
pcapID The ID of the PCAP for the request. For more information, see the Panorama XML API Documentation. Optional
password The password for Panorama. This is only required for the "dlp-pcap" PCAP type. Optional

Context Output
Path Type Description
File.Size number The file size.
File.Name string The file name.
File.Type string The file type.
File.Info string The file info.
File.Extension string The file extension.
File.EntryID string The file entryID.
File.MD5 string The MD5 hash of the file.
File.SHA1 string The SHA-1 hash of the file.
File.SHA256 string The SHA-256 hash of the file.

Command Example
!panorama-get-pcap pcapType="filter-pcap" from=pcap_test
Human Readable Output

pcap_is_working

40. Get a list of all PCAP files


Returns a list of all Panorama PCAP files, by PCAP type.

Base Command

panorama-list-pcaps

Input
Argument Name Description Required
pcapType The type of packet capture. Required
from The name of the PCAP file (for the "filter-pcap", "dlp-pcap", and "application-pcap" types). For "application-pcap", also use . Optional
password The password for Panorama. This is only required for the "dlp-pcap" PCAP type. Optional

Context Output
Path Type Description
Panorama.Pcaps.Name string The PCAP name.

Command Example
!panorama-list-pcaps pcapType="filter-pcap"
Human Readable Output

Screen Shot 2019-03-20 at 14 58 23

41. Get a list of EDLs


Returns a list of external dynamic lists.

Base Command

panorama-list-edls

Input
Argument Name Description Required
device-group The device group for which to return EDLs (Panorama instances). If no value is supplied, the device group configured in the integration parameters is used. Optional

Context Output
Path Type Description
Panorama.EDL.Name string Name of the EDL.
Panorama.EDL.Type string The type of EDL.
Panorama.EDL.URL string URL from which the EDL is pulled.
Panorama.EDL.Description string Description of the EDL.
Panorama.EDL.CertificateProfile string EDL certificate profile.
Panorama.EDL.Recurring string Interval at which the EDL is pulled and updated.

Command Example
!panorama-list-edls
Human Readable Output

Screen Shot 2019-04-11 at 17 18 50

42. Get information for an EDL


Returns information for an external dynamic list.

Base Command

panorama-get-edl

Input
Argument Name Description Required
name Name of the EDL. Required
device-group The device group of the EDL (Panorama instances). If no value is supplied, the device group configured in the integration parameters is used. Optional

Context Output
Path Type Description
Panorama.EDL.Name string Name of the EDL.
Panorama.EDL.Type string The type of EDL.
Panorama.EDL.URL string URL from which the EDL is pulled.
Panorama.EDL.Description string Description of the EDL.
Panorama.EDL.CertificateProfile string EDL certificate profile.
Panorama.EDL.Recurring string Interval at which the EDL is pulled and updated.

Command Example
!panorama-get-edl name=test_pb_domain_edl_DONT_DEL
Human Readable Output

Screen Shot 2019-04-11 at 17 23 05

43. Create an EDL


Creates an external dynamic list.

Base Command

panorama-create-edl

Input
Argument Name Description Required
name Name of the EDL. Required
url URL from which to pull the EDL. Required
type The type of EDL. Required
recurring Time interval for pulling and updating the EDL. Required
certificate_profile Name of a certificate profile already configured on PAN-OS, used to validate the certificate of the server the EDL is pulled from. Without one, an HTTPS EDL source is not authenticated. Optional
description Description of the EDL. Optional
device-group The device group in which to create the EDL (Panorama instances). If no value is supplied, the device group configured in the integration parameters is used. Optional

Context Output
Path Type Description
Panorama.EDL.Name string Name of the EDL.
Panorama.EDL.Type string The type of EDL.
Panorama.EDL.URL string URL from which the EDL is pulled.
Panorama.EDL.Description string Description of the EDL.
Panorama.EDL.CertificateProfile string EDL certificate profile.
Panorama.EDL.Recurring string Interval at which the EDL is pulled and updated.

44. Edit an EDL


Modifies an element of an external dynamic list.

Base Command

panorama-edit-edl

Input
Argument Name Description Required
name Name of the external dynamic list to edit. Required
element_to_change The element to change ("url", "recurring", "certificate_profile", "description"). Required
element_value The element value. Required

Context Output
Path Type Description
Panorama.EDL.Name string Name of the EDL.
Panorama.EDL.URL string URL from which the EDL is pulled.
Panorama.EDL.Description string Description of the EDL.
Panorama.EDL.CertificateProfile string EDL certificate profile.
Panorama.EDL.Recurring string Interval at which the EDL is pulled and updated.

Command Example
!panorama-edit-edl name=test_pb_domain_edl_DONT_DEL element_to_change=description element_value="new description3"
Human Readable Output

Screen Shot 2019-04-11 at 17 21 56

45. Delete an EDL


Deletes an external dynamic list.

Base Command

panorama-delete-edl

Input
Argument Name Description Required
name Name of the EDL to delete. Required
device-group The device group of the EDL (Panorama instances). If no value is supplied, the device group configured in the integration parameters is used. Optional

Context Output
Path Type Description
Panorama.EDL.Name string Name of the EDL that was deleted.

Command Example
!panorama-delete-edl name=shani_uel33
Human Readable Output

Screen Shot 2019-04-11 at 17 22 38

46. Refresh an EDL


Refreshes the specified external dynamic list.

Base Command

panorama-refresh-edl

Input
Argument Name Description Required
name Name of the EDL. Required
device-group The device group of the EDL (Panorama instances). If no value is supplied, the device group configured in the integration parameters is used. Optional

Context Output

There is no context output for this command.

Command Example
!panorama-refresh-edl name=domain_edl66
Human Readable Output

Screen Shot 2019-04-14 at 16 37 57

47. Register IP addresses to a tag


Registers IP addresses to a tag.

Base Command

panorama-register-ip-tag

Input
Argument Name Description Required
tag Tag to which to register IP addresses. Required
IPs IP addresses to register. Required
persistent Whether the IP addresses remain registered to the tag after the device reboots ("True": persistent, "False": non-persistent). Default is "True". Optional

Context Output
Path Type Description
Panorama.DynamicTags.Tag string Name for the tag.
Panorama.DynamicTags.IPs string Registered IP addresses.

Command Example
!panorama-register-ip-tag tag=tag02 IPs=["10.0.0.13","10.0.0.14"]
Context Example

Screen Shot 2019-04-16 at 9 57 58

Human Readable Output

Screen Shot 2019-04-16 at 9 58 32

48. Unregister IP addresses from a tag


Unregisters IP addresses from a tag.

Base Command

panorama-unregister-ip-tag

Input
Argument Name Description Required
tag Tag from which to unregister IP addresses. Required
IPs IP addresses to unregister. Required

Command Example
!panorama-unregister-ip-tag tag=tag02 IPs=["10.0.0.13","10.0.0.14"]
Human Readable Output

Screen Shot 2019-04-16 at 9 58 18
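The two commands above wrap the PAN-OS User-ID API: the integration sends a <uid-message> document whose <register> or <unregister> payload lists the IP addresses and the tag. The following is an added example, not code from the integration, that builds and checks that document. The <uid-message> layout is the PAN-OS User-ID XML format; the two response samples are constructed for this example, and the validation of tag and IP values is the point of the exercise: both land inside XML attributes and elements, so a value copied unvalidated from an incident could smuggle extra entries or a different tag into the payload.

```python
# Added example (not part of the integration): build and check the PAN-OS
# User-ID XML that panorama-register-ip-tag / panorama-unregister-ip-tag
# send to the firewall. The <uid-message> layout is the PAN-OS User-ID API;
# the response samples below are constructed for this example.
import ipaddress
import xml.etree.ElementTree as ET

_TAG_FORBIDDEN = set('<>&"\'')


def build_uid_message(tag, ips, register=True, persistent=True):
    """Return the <uid-message> body that registers (or unregisters) ips to tag.

    Tag and IPs become XML attributes and elements, so both are validated
    before use: an unvalidated value copied from an incident could otherwise
    smuggle extra <entry> elements or a different tag into the payload.
    """
    if not tag or _TAG_FORBIDDEN & set(tag):
        raise ValueError("invalid tag name: %r" % tag)
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "2.0"
    ET.SubElement(root, "type").text = "update"
    payload = ET.SubElement(root, "payload")
    action = ET.SubElement(payload, "register" if register else "unregister")
    for raw in ips:
        ip = ipaddress.ip_address(str(raw).strip())   # ValueError on anything else
        attrs = {"ip": str(ip)}
        if register:
            # persistent="1": the mapping survives a reboot; "0": it is dropped
            attrs["persistent"] = "1" if persistent else "0"
        entry = ET.SubElement(action, "entry", attrs)
        ET.SubElement(ET.SubElement(entry, "tag"), "member").text = tag
    return ET.tostring(root, encoding="unicode")


def registered_ips(uid_xml):
    """Parse a uid-message back and return the IPs it registers (for review or audit)."""
    root = ET.fromstring(uid_xml)
    return [e.get("ip") for e in root.findall("./payload/register/entry")]


def check_uid_response(response_xml):
    """Return True if the firewall accepted the update; raise with its error lines if not."""
    root = ET.fromstring(response_xml)
    if root.get("status") == "success":
        return True
    lines = [line.text or "" for line in root.iter("line")]
    raise RuntimeError("User-ID update rejected: " + "; ".join(lines))


# Constructed samples of the two response shapes this example handles.
SAMPLE_OK = ('<response status="success"><result><uid-response><version>2.0</version>'
             '<payload><register></register></payload></uid-response></result></response>')
SAMPLE_ERR = '<response status="error" code="400"><msg><line>Invalid tag</line></msg></response>'

if __name__ == "__main__":
    body = build_uid_message("tag02", ["10.0.0.13", "10.0.0.14"])
    print(body)
    print(registered_ips(body))
    print(check_uid_response(SAMPLE_OK))
```

Registrations made this way take effect without a commit, which is what makes the tag/DAG pattern useful for fast blocking; the flip side is that nothing in the candidate configuration records them, so keep the registered set auditable (the registered_ips helper above is the minimum) and decide deliberately whether persistent should be "1".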

49. Query traffic logs


Queries traffic logs.

Base Command

panorama-query-traffic-logs

Input
Argument Name Description Required
query Specifies the match criteria for the logs. This is similar to the query provided in the web interface under the Monitor tab when viewing the logs. Optional
number_of_logs The number of logs to retrieve. Default is 100. Maximum is 5,000. Optional
direction Whether logs are shown oldest first (forward) or newest first (backward). Default is backward. Optional
source Source address for the query. Optional
destination Destination address for the query. Optional
receive_time Date and time after which logs were received, in the format: YYYY/MM/DD HH:MM:SS. Optional
application Application for the query. Optional
to_port Destination port for the query. Optional
action Action for the query. Optional

Context Output
Path Type Description
Panorama.TrafficLogs.JobID Number Job ID of the traffic logs query.
Panorama.TrafficLogs.Status String Status of the traffic logs query.

Command Example
!panorama-query-traffic-logs query="" number_of_logs="100" direction="backward" source="" destination="" receive_time="" application="" to_port="" action="allow"
Human Readable Output

Screen Shot 2019-07-02 at 10 41 45

50. Check the query status of traffic logs


Checks the query status of traffic logs.

Base Command

panorama-check-traffic-logs-status

Input
Argument Name Description Required
job_id Job ID of the query. Required

Context Output
Path Type Description
Panorama.TrafficLogs.JobID Number Job ID of the traffic logs query.
Panorama.TrafficLogs.Status String Status of the traffic logs query.

Command Example
!panorama-check-traffic-logs-status job_id="1865"
Human Readable Output

Screen Shot 2019-07-02 at 10 43 32

51. Get traffic logs


Retrieves the data of a traffic log query by job ID.

Base Command

panorama-get-traffic-logs

Input
Argument Name Description Required
job_id Job ID of the query. Required

Context Output
Path Type Description
Panorama.TrafficLogs.JobID Number Job ID of the traffic logs query.
Panorama.TrafficLogs.Status String Status of the traffic logs query.
Panorama.TrafficLogs.Logs.Action String Action of the traffic log.
Panorama.TrafficLogs.Logs.ActionSource String Action source of the traffic log.
Panorama.TrafficLogs.Logs.Application String Application of the traffic log.
Panorama.TrafficLogs.Logs.Category String Category of the traffic log.
Panorama.TrafficLogs.Logs.DeviceName String Device name of the traffic log.
Panorama.TrafficLogs.Logs.Destination String Destination of the traffic log.
Panorama.TrafficLogs.Logs.DestinationPort String Destination port of the traffic log.
Panorama.TrafficLogs.Logs.FromZone String From zone of the traffic log.
Panorama.TrafficLogs.Logs.Protocol String Protocol of the traffic log.
Panorama.TrafficLogs.Logs.ReceiveTime String Receive time of the traffic log.
Panorama.TrafficLogs.Logs.Rule String Rule of the traffic log.
Panorama.TrafficLogs.Logs.SessionEndReason String Session end reason of the traffic log.
Panorama.TrafficLogs.Logs.Source String Source of the traffic log.
Panorama.TrafficLogs.Logs.SourcePort String Source port of the traffic log.
Panorama.TrafficLogs.Logs.StartTime String Start time of the traffic log.
Panorama.TrafficLogs.Logs.ToZone String To zone of the traffic log.

Command Example
!panorama-get-traffic-logs job_id="1865"
Human Readable Output

Screen Shot 2019-07-02 at 10 44 12 copy

52. Get a list of security rules


Returns a list of security rules.

Base Command

panorama-list-rules

Input
Argument Name Description Required
pre_post Rule location. Can be "pre-rulebase" or "post-rulebase". Mandatory for Panorama instances. Optional
device-group The device group for which to return rules (Panorama instances). If no value is supplied, the device group configured in the integration parameters is used. Optional
tag Return only rules with this tag. Optional

Context Output
Path Type Description
Panorama.SecurityRule.Name String Rule name.
Panorama.SecurityRule.Action String Action for the rule.
Panorama.SecurityRule.Location String Rule location.
Panorama.SecurityRule.Category String Rule category.
Panorama.SecurityRule.Application String Application for the rule.
Panorama.SecurityRule.Destination String Destination address.
Panorama.SecurityRule.From String Rule from.
Panorama.SecurityRule.Service String Service for the rule.
Panorama.SecurityRule.To String Rule to.
Panorama.SecurityRule.Source String Source address.
Panorama.SecurityRule.DeviceGroup String Device group for the rule (Panorama instances).
Panorama.SecurityRule.Tags String Rule tags.

Command Example
!panorama-list-rules
Human Readable Output

Screen Shot 2019-07-29 at 11 46 09
Screen Shot 2019-07-29 at 11 46 22

53. Query logs


Query logs in Panorama.

Base Command

panorama-query-logs

Input
Argument Name Description Required
log-type The log type. Can be "threat", "traffic", "wildfire", "url", or "data". Required
query The query string by which to match criteria for the logs. This is similar to the query provided in the web interface under the Monitor tab when viewing the logs. Optional
time-generated Return logs generated at or before this timestamp, for example: "2019/08/11 01:10:44". Optional
addr-src Source address. Optional
ip Source or destination IP address. Optional
addr-dst Destination address. Optional
zone-src Source zone. Optional
zone-dst Destination zone. Optional
action Rule action. Optional
port-dst Destination port. Optional
rule Rule name, for example: "Allow all outbound". Optional
url URL, for example: "safebrowsing.googleapis.com". Optional
filedigest File hash (WildFire logs only). Optional
number_of_logs Maximum number of logs to retrieve. If empty, the default is 100. The maximum is 5,000. Optional

Context Output
Path Type Description
Panorama.Monitor.JobID String Job ID of the logs query.
Panorama.Monitor.Status String Status of the logs query.
Panorama.Monitor.Message String Message of the logs query.

Command Example
!panorama-query-logs log-type=data query="( addr.src in 192.168.1.12 )"
Human Readable Output

Screen Shot 2019-08-19 at 12 59 42

Command Example
!panorama-query-logs log-type=wildfire filedigest=4f79697b40d0932e91105bd496908f8e02c130a0e36f6d3434d6243e79ef82e0
Human Readable Output

Screen Shot 2019-08-19 at 13 01 38
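The query argument is a PAN-OS log filter string, and the structured arguments (addr-src, port-dst, rule, and so on) are each one filter term. When a playbook assembles that string from incident fields, the fields need validating first: a source address of the form 192.168.1.12 ) or ( addr.src in 1.1.1.1 would silently widen the query. The following is an added example, not the integration's code, that builds the filter from the same argument names as the command. The attribute and operator each argument maps to (addr.src in, port.dst eq, rule eq '...', time_generated leq '...') is an assumption that follows the filter syntax in the examples above; the allowed action values are the ones listed for Panorama.Monitor.Action below.

```python
# Added example (not the integration's code): assemble a PAN-OS log filter
# string, the syntax the `query` argument accepts, from structured fields.
# Field names mirror the command arguments; the attribute and operator each
# one maps to is an assumption that follows the filter syntax in the page's
# examples. Every value is validated so a value copied from an incident
# cannot append its own filter terms.
import ipaddress
import re

_TIME_RE = re.compile(r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}$")
_HEX_RE = re.compile(r"^(?:[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64})$")
# Zone names, rule names and URLs: no quotes, parentheses or backslashes,
# the characters that would terminate or escape a quoted filter value.
_TEXT_RE = re.compile(r"^[A-Za-z0-9 ._:/?=&%~#@+-]{1,255}$")
# Actions as listed for Panorama.Monitor.Action on this page.
_ACTIONS = {"alert", "allow", "deny", "drop", "drop-all-packets",
            "reset-client", "reset-server", "reset-both", "block-url"}


def _ip(value):
    value = value.strip()
    try:
        return str(ipaddress.ip_address(value))                # 192.168.1.12
    except ValueError:
        return str(ipaddress.ip_network(value, strict=False))  # 10.0.0.0/8


def _port(value):
    port = int(value)
    if not 0 < port < 65536:
        raise ValueError("port out of range: %r" % value)
    return str(port)


def _text(value):
    if not _TEXT_RE.match(value):
        raise ValueError("unsafe characters in filter value: %r" % value)
    return "'%s'" % value


def _action(value):
    if value not in _ACTIONS:
        raise ValueError("unknown action: %r" % value)
    return value


def _hexdigest(value):
    if not _HEX_RE.match(value):
        raise ValueError("malformed file hash: %r" % value)
    return value.lower()


def _timestamp(value):
    if not _TIME_RE.match(value):
        raise ValueError("malformed timestamp: %r" % value)
    return "'%s'" % value


# argument name -> (filter attribute, operator, validator)
FIELDS = {
    "addr-src": ("addr.src", "in", _ip),
    "addr-dst": ("addr.dst", "in", _ip),
    "ip": ("addr", "in", _ip),               # matches source or destination
    "zone-src": ("zone.src", "eq", _text),
    "zone-dst": ("zone.dst", "eq", _text),
    "action": ("action", "eq", _action),
    "port-dst": ("port.dst", "eq", _port),
    "rule": ("rule", "eq", _text),
    "url": ("url", "contains", _text),
    "filedigest": ("filedigest", "eq", _hexdigest),
    "time-generated": ("time_generated", "leq", _timestamp),
}


def build_log_filter(fields):
    """Return the AND-ed filter for the non-empty entries of `fields`.

    fields is a dict keyed by the argument names in FIELDS; the result is
    what you pass as query=... to panorama-query-logs. Unknown field names
    and values that fail validation raise ValueError instead of being passed
    through to the firewall.
    """
    terms = []
    for name, raw in fields.items():
        if name not in FIELDS:
            raise ValueError("unknown filter field: %r" % name)
        if raw is None or str(raw).strip() == "":
            continue
        attr, op, validate = FIELDS[name]
        terms.append("( %s %s %s )" % (attr, op, validate(str(raw))))
    return " and ".join(terms)


if __name__ == "__main__":
    print(build_log_filter({"addr-src": "192.168.1.12", "action": "deny"}))
```

The validators are deliberately stricter than what the firewall would accept; a rule name with a quote in it is rare enough that refusing it and surfacing the error in the War Room is the better trade than loosening the character set.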

54. Check log query status


Checks the status of a logs query.

Base Command

panorama-check-logs-status

Input
Argument Name Description Required
job_id Job ID of the query. Required

Context Output
Path Type Description
Panorama.Monitor.JobID String Job ID of the logs query.
Panorama.Monitor.Status String Status of the logs query.

Command Example
!panorama-check-logs-status job_id=657
Human Readable Output

Screen Shot 2019-08-19 at 13 02 54

55. Get log query data


Retrieves the data of a logs query.

Base Command

panorama-get-logs

Input
Argument Name Description Required
job_id Job ID of the query. Required
ignore_auto_extract Whether to auto-enrich the War Room entry. If "true", entry is not auto-enriched. If "false", entry is auto-extracted. Default is "true". Optional

Context Output
Path Type Description
Panorama.Monitor.Action String Action taken for the session. Can be "alert", "allow", "deny", "drop", "drop-all-packets", "reset-client", "reset-server", "reset-both", or "block-url".
Panorama.Monitor.Application String Application associated with the session.
Panorama.Monitor.Category String The URL category of the URL subtype. For the WildFire subtype, it is the verdict on the file, and can be "malicious", "phishing", "grayware", or "benign". For other subtypes, the value is "any".
Panorama.Monitor.DeviceName String The hostname of the firewall on which the session was logged.
Panorama.Monitor.DestinationAddress String Original session destination IP address.
Panorama.Monitor.DestinationUser String Username of the user to which the session was destined.
Panorama.Monitor.DestinationCountry String Destination country or internal region for private addresses. Maximum length is 32 bytes.
Panorama.Monitor.DestinationPort String Destination port utilized by the session.
Panorama.Monitor.FileDigest String Only for the WildFire subtype, all other types do not use this field. The filedigest string shows the binary hash of the file sent to be analyzed by the WildFire service.
Panorama.Monitor.FileName String File name or file type when the subtype is file. File name when the subtype is virus, wildfire-virus, or wildfire.
Panorama.Monitor.FileType String Only for the WildFire subtype, all other types do not use this field. Specifies the type of file that the firewall forwarded for WildFire analysis.
Panorama.Monitor.FromZone String The zone from which the session was sourced.
Panorama.Monitor.URLOrFilename String The actual URI when the subtype is url. File name or file type when the subtype is file. File name when the subtype is virus, wildfire-virus, or wildfire. URL or file name when the subtype is vulnerability (if applicable).
Panorama.Monitor.NATDestinationIP String If destination NAT performed, the post-NAT destination IP address.
Panorama.Monitor.NATDestinationPort String Post-NAT destination port.
Panorama.Monitor.NATSourceIP String If source NAT performed, the post-NAT source IP address.
Panorama.Monitor.NATSourcePort String Post-NAT source port.
Panorama.Monitor.PCAPid String The packet capture (pcap) ID, a 64-bit unsigned integer used to correlate threat pcap files with extended pcaps taken as part of that flow. Every threat log contains either a pcap_id of 0 (no associated pcap) or an ID referencing the extended pcap file.
Panorama.Monitor.IPProtocol String IP protocol associated with the session.
Panorama.Monitor.Recipient String Only for the WildFire subtype, all other types do not use this field. Specifies the name of the receiver of an email that WildFire determined to be malicious when analyzing an email link forwarded by the firewall.
Panorama.Monitor.Rule String Name of the rule that the session matched.
Panorama.Monitor.RuleID String ID of the rule that the session matched.
Panorama.Monitor.ReceiveTime String Time the log was received at the management plane.
Panorama.Monitor.Sender String Only for the WildFire subtype; all other types do not use this field. Specifies the name of the sender of an email that WildFire determined to be malicious when analyzing an email link forwarded by the firewall.
Panorama.Monitor.SessionID String An internal numerical identifier applied to each session.
Panorama.Monitor.DeviceSN String The serial number of the firewall on which the session was logged.
Panorama.Monitor.Severity String Severity associated with the threat. Can be "informational", "low", "medium", "high", or "critical".
Panorama.Monitor.SourceAddress String Original session source IP address.
Panorama.Monitor.SourceCountry String Source country or internal region for private addresses. Maximum length is 32 bytes.
Panorama.Monitor.SourceUser String Username of the user who initiated the session.
Panorama.Monitor.SourcePort String Source port utilized by the session.
Panorama.Monitor.ThreatCategory String Describes threat categories used to classify different types of threat signatures.
Panorama.Monitor.Name String Palo Alto Networks identifier for the threat. It is a description string followed by a 64-bit numerical identifier.
Panorama.Monitor.ID String Palo Alto Networks ID for the threat.
Panorama.Monitor.ToZone String The zone to which the session was destined.
Panorama.Monitor.TimeGenerated String Time that the log was generated on the dataplane.
Panorama.Monitor.URLCategoryList String A list of the URL filtering categories that the firewall used to enforce the policy.

Command Example
!panorama-get-logs job_id=678
Human Readable Output

Screen Shot 2019-08-19 at 12 59 16

Command Example
!panorama-get-logs job_id=676
Human Readable Output

Screen Shot 2019-08-19 at 13 00 25
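Commands 49 to 51 and 53 to 55 expose the same three-step flow: submit a query and get a job ID, poll the status command until the job finishes, then fetch the data. The Panorama Query Logs playbook does this with GenericPolling; the following is an added example, not the integration's code, of the same flow written as plain Python with a bounded poll, so a failed job or a firewall that never finishes ends the loop instead of hanging a playbook. `run(command, args)` stands in for the command executor (in a Demisto automation that would wrap demisto.executeCommand, which is not imported here) and is assumed to return the command's context as a dict keyed by the Panorama.Monitor.* names above without the prefix; FakePanorama is a constructed stand-in that replays a scripted status sequence. The status vocabulary ("Pending"/"Completed" alongside the PAN-OS job states PEND/ACT/FIN) is also an assumption.

```python
# Added example (not the integration's code): run the query -> check-status ->
# get-data flow with a bounded poll. `run(command, args)` stands in for the
# War Room command executor (demisto.executeCommand in an automation; not
# imported here) and is assumed to return the command's context as a dict
# keyed like the Panorama.Monitor.* paths, minus the prefix. FakePanorama is a
# constructed stand-in that scripts the status sequence.
import time


class JobFailed(RuntimeError):
    """The firewall reported the job as failed, or polling hit its deadline."""


def wait_for_job(check_status, job_id, timeout=300.0, interval=5.0,
                 done_states=("FIN", "Completed"), failed_states=("FAIL", "Failed"),
                 clock=time.monotonic, sleep=time.sleep):
    """Poll check_status(job_id) until a terminal state; return the final status.

    Status vocabulary is an assumption: PAN-OS jobs report PEND/ACT/FIN, and
    the integration may render those as Pending/Completed, so both spellings
    are accepted. clock and sleep are injectable so the loop can be exercised
    without waiting. The same loop serves panorama-commit-status and
    panorama-push-status, which return Panorama.Commit.Status / Panorama.Push.Status.
    """
    deadline = clock() + timeout
    while True:
        status = check_status(job_id)
        if status in done_states:
            return status
        if status in failed_states:
            raise JobFailed("job %s failed with status %s" % (job_id, status))
        if clock() >= deadline:
            raise JobFailed("job %s still %s after %ss" % (job_id, status, timeout))
        sleep(interval)


def query_logs(run, log_type, query, **poll_opts):
    """Submit a log query, wait for the job, and return the log entries."""
    submitted = run("panorama-query-logs", {"log-type": log_type, "query": query})
    job_id = submitted["JobID"]                       # Panorama.Monitor.JobID

    def check_status(jid):
        # Panorama.Monitor.Status
        return run("panorama-check-logs-status", {"job_id": jid})["Status"]

    wait_for_job(check_status, job_id, **poll_opts)
    # "Logs" as the key holding the entries is an assumption of this example.
    return run("panorama-get-logs", {"job_id": job_id})["Logs"]


class FakePanorama:
    """Constructed stand-in for the integration: replays a scripted status sequence."""

    def __init__(self, statuses, logs, job_id=657):
        self.statuses = list(statuses)
        self.logs = logs
        self.job_id = job_id
        self.calls = []

    def __call__(self, command, args):
        self.calls.append(command)
        if command == "panorama-query-logs":
            return {"JobID": self.job_id, "Status": "Pending"}
        if command == "panorama-check-logs-status":
            return {"JobID": args["job_id"], "Status": self.statuses.pop(0)}
        if command == "panorama-get-logs":
            return {"JobID": args["job_id"], "Status": "Completed", "Logs": self.logs}
        raise KeyError(command)


if __name__ == "__main__":
    fake = FakePanorama(["Pending", "Pending", "Completed"],
                        [{"Action": "deny", "Rule": "block_bad_application",
                          "SourceAddress": "192.168.1.12"}])
    print(query_logs(fake, "traffic", "( action eq deny )", interval=0.01))
```

The deadline is measured from the first status check, not from the query submission, and the loop never retries a status that the firewall reports as failed; both choices keep a playbook from spinning on a job that will never complete.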

Playbook Videos

These videos show how to set up and use the PAN-OS DAG Configuration playbook and the PAN-OS EDL Setup playbook.

PAN-OS DAG Configuration

PAN-OS EDL Setup