Palo Alto Networks Panorama

Configure a Palo Alto Network Panorama on-premises device to pull IOCs from Threat Command.

The following table shows device-specific integration characteristics:

Characteristic        Description
IOC types             Domains, IP addresses, and URLs.
IOC group limitation  Each IOC group can contain only one type of IOC. For multiple types, create multiple IOC groups.
Device IOC limit      The device is limited to 250,000 IOCs.

To integrate the device, perform these steps (described in the following sections):

  1. Add the device to the Threat Command virtual appliance.
  2. Configure the device to pull IOCs from Threat Command.

Add a Palo Alto Networks Panorama on-premises device

The procedure to add the device to Threat Command is different depending on the version of the Threat Command virtual appliance in your environment. To determine which version is running, see Determine the Version of Virtual Appliance.

Add the on-premises device

Add the device in virtual appliance v3.9

Prerequisites:

  • The Threat Command virtual appliance web interface is configured and you can access it.
  • You have the credentials to access the device.
  • You have administrative credentials to access Threat Command with a subscription to the Automation and TIP modules.

To add the device to Threat Command:

  1. From an internet browser, navigate to https://<virtual appliance IP address>
  2. Log in to the virtual appliance using the web access username and password.
  3. From the Devices page, click Devices (Pull).
  4. Click Add new device.
  5. In the Devices (Pull) screen, set up the new device:
    1. Type a user-defined, unique device name.
    2. Select the device type.
    3. Click Create.
  6. Verify that the new device was added:
    1. Log in to Threat Command at https://dashboard.ti.insight.rapid7.com
    2. From the main menu, select Automation > Integrations.
      If this window is already open, refresh it by selecting Automation > Integrations from the menu.
      The new device is displayed in the On-Premises tab.
Add the device in virtual appliance v4.0

Prerequisites:

  • You have the credentials to access the Threat Command virtual appliance web interface.
  • You have the credentials to access the device.
  • You have administrative credentials to access Threat Command with a subscription to the Automation and TIP modules.

To add the device to Threat Command:

  1. Log in to Threat Command at https://dashboard.ti.insight.rapid7.com
  2. From the main menu, select Automation > Integrations.
  3. From the Integrations page, click On-Premises.
  4. Click Add new device.
  5. In the Add New On-Premises Device dialog, type a user-defined name for the device.
    The name can contain a maximum of 50 letters, spaces, numbers, and underscores.
  6. Select the Device type.
    The default device IOCs limit is displayed.
  7. (Optional) Change the IOC limit.
  8. Click Add.
  9. To verify that the new device is added, refresh the Automation > Integrations page.

Next to the device name, there is a red dot, indicating that communication has not yet been established. The dot will change to green when the device is synchronized. If the device cannot synchronize for more than 48 hours, an email warning is sent to the account administrator.

Configure a Palo Alto Networks Panorama device to pull IOCs

After a device has been added to the Threat Command virtual appliance, you must enable it to pull IOCs from Threat Command.

Configuration for on-premises devices

When configuring an on-premises device, it is important to know which version of the Threat Command virtual appliance is running in your environment. This will affect which Rapid7 URL is displayed in the Device Details screen and also which URL to copy into the device management console.


When running version 4.0 or later, the Legacy URL should be used only with Rapid7 support.

To determine which version of the virtual appliance is running, see Determine the version of virtual appliance.

Prerequisites

  • You have the device login credentials.
  • The device has been added.
  • You have administrative credentials to access Threat Command with a subscription to the Automation and TIP modules.
  • An IOC group for this device exists in Threat Command.
    Creating IOC groups is described in Create an IOC group.
  • Ensure that HTTP/HTTPS ports 80 and 443 are available.

Palo Alto Panorama uses External Dynamic Lists (EDLs) to pull IOCs from Threat Command. You must create one EDL for each IOC type (URL, IP, or domain), and then create a security policy that uses the EDL.

The two-step process is described in the following procedures.
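Because each EDL must be declared as exactly one type (IP List, Domain List, or URL List) and must match the type of its Threat Command IOC group, it is worth checking a feed before committing the EDL. The following script is an added example, not Rapid7 or Palo Alto code: it fills in the [APPLIANCE_IP/URL] placeholder that the page says to replace, classifies every entry in a feed as an IP, domain, or URL, reports entries that do not match the declared EDL type, and checks the count against the 250,000-IOC device limit. The sample feeds and the URL template are constructed; the real IOC Group URL format is whatever Threat Command displays for your group, and the treatment of lines beginning with '#' as comments is an assumption of this sample.

```python
"""Pre-flight check for a Threat Command IOC feed before it is used as a Panorama EDL source.

Added example (not Rapid7 or Palo Alto code). It checks two things the page calls out:
  * every entry in a feed is of the single IOC type the EDL is declared as (IP, domain or URL),
  * the entry count stays under the 250,000-IOC device limit.
The feed text and the URL template below are constructed samples; the real IOC Group URL
format is whatever Threat Command displays for your IOC group.
"""
import ipaddress
import re
from urllib.parse import urlsplit

DEVICE_IOC_LIMIT = 250_000              # device limit stated on the page
APPLIANCE_TOKEN = "[APPLIANCE_IP/URL]"  # token the page says to replace with the appliance IP

# RFC 1123-style hostname label: 1-63 alphanumerics/hyphens, no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def resolve_source_url(template: str, appliance_ip: str) -> str:
    """Fill the appliance placeholder in the IOC Group URL copied from Threat Command."""
    if APPLIANCE_TOKEN not in template:
        raise ValueError("template does not contain " + APPLIANCE_TOKEN)
    return template.replace(APPLIANCE_TOKEN, appliance_ip)


def classify(entry: str) -> str:
    """Return 'ip', 'domain', 'url' or 'invalid' for one feed line."""
    entry = entry.strip()
    if not entry:
        return "invalid"
    # IP address or CIDR block (IPv4 or IPv6); strict=False accepts host bits in a prefix.
    try:
        ipaddress.ip_network(entry, strict=False)
        return "ip"
    except ValueError:
        pass
    # Anything with a scheme, path or query is a URL entry; it must still carry a host.
    if "://" in entry or "/" in entry or "?" in entry:
        parts = urlsplit(entry if "://" in entry else "http://" + entry)
        return "url" if parts.hostname else "invalid"
    # Bare dotted hostname with an alphabetic top-level label is a domain entry.
    labels = entry.split(".")
    if len(labels) >= 2 and all(_LABEL.match(l) for l in labels) and labels[-1].isalpha():
        return "domain"
    return "invalid"


def validate_feed(text: str, expected_type: str, limit: int = DEVICE_IOC_LIMIT) -> dict:
    """Classify every entry in a feed and report type mismatches and limit overruns.

    Blank lines are ignored. Lines starting with '#' are skipped as comments; that is an
    assumption of this sample, not a documented property of the Threat Command feed.
    """
    if expected_type not in ("ip", "domain", "url"):
        raise ValueError("expected_type must be 'ip', 'domain' or 'url'")
    counts = {"ip": 0, "domain": 0, "url": 0, "invalid": 0}
    mismatches = []  # (line number, entry, detected type)
    total = 0
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        total += 1
        kind = classify(line)
        counts[kind] += 1
        if kind != expected_type:
            mismatches.append((lineno, line, kind))
    within_limit = total <= limit
    return {
        "total": total,
        "counts": counts,
        "mismatches": mismatches,
        "within_limit": within_limit,
        "ok": within_limit and not mismatches,
    }


# Constructed sample feeds (documentation address ranges only), one per EDL type.
SAMPLE_IP_FEED = "192.0.2.10\n198.51.100.0/24\n2001:db8::1\nexample.net\n"  # last line is a domain
SAMPLE_DOMAIN_FEED = "example.net\nsub.example.org\n"
SAMPLE_URL_FEED = "http://example.com/login\nexample.org/path?x=1\n"

if __name__ == "__main__":
    print(resolve_source_url("https://" + APPLIANCE_TOKEN + "/feed/group-id-here", "10.0.0.5"))
    for name, feed, kind in [("IP", SAMPLE_IP_FEED, "ip"),
                             ("Domain", SAMPLE_DOMAIN_FEED, "domain"),
                             ("URL", SAMPLE_URL_FEED, "url")]:
        report = validate_feed(feed, kind)
        print(f"{name} List: {report['total']} entries, ok={report['ok']}, "
              f"mismatches={report['mismatches']}")
```

Run it against the body fetched from the resolved Source URL for each EDL; a non-empty mismatches list means the IOC group mixes types (the page requires one type per group), and within_limit False means the group would exceed what the device accepts.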

To create Palo Alto External Dynamic Lists:

The process for creating an EDL is identical for each IOC type.

  1. Log in to the Palo Alto Networks dashboard via HTTPS.
  2. Choose Objects > External Dynamic Lists.
  3. Click Add to create a new EDL:
    1. Type a name for the EDL.
      This name will be used in the following step.
    2. From the Type field, select a type: IP List, Domain List, or URL List.
      The type must match the type in the IOC group.
    3. In the Source field, paste the entire value from the Threat Command IOC Group URL. Be sure to replace [APPLIANCE_IP/URL] with the IP address of the virtual appliance.
    4. Click OK.
    5. Click Commit.

Continue to the section for your IOC type.

To import URLs (EDL of type URL List):

  1. From the Palo Alto main menu, choose Objects > Security Profiles > URL Filtering.
  2. Click Add.
  3. In the URL Filtering Profile dialog, type a name.
  4. In the External Dynamic URL Lists section, select the EDL created for URLs and click OK.
  5. From Policies > Security, click Add.
  6. In the Security Policy Rule dialog, type a name for the new policy.
    The Rule Type should be universal (default).
  7. In the Source tab, select Any and select Source Zone.
  8. In the Destination tab, select any from the drop-down list, and mark DESTINATION ZONE.
  9. In the Application tab, select Any.
  10. In the Service/URL Category tab, click Add.
  11. From the list that opens, in the External Dynamic Lists section, select the EDL that was created for URLs.
  12. Click OK.
  13. From Policies > Security, select the new policy, then click Enable on the bottom menu.
  14. Click Commit.

When IOCs are present, you can see them at Objects > External Dynamic Lists. Select the EDL and look in the List Entries And Exceptions tab.

To import IP addresses (EDL of type IP List):

  1. From the Palo Alto main menu, choose Policies > Security.
  2. Click Add.
  3. In the Security Policy Rule dialog, type a name for the new policy.
    The Rule Type should be universal (default).
  4. In the Source tab, select SOURCE ZONE and Any above it.
  5. In the Destination tab, click Add.
  6. From the list that opens, in the External Dynamic Lists section, select the IP List EDL from the drop-down.
  7. In the Application tab, select Any.
  8. In the Service/URL Category tab, click Any for URL CATEGORY and for SERVICE.
  9. Click OK.
  10. From Policies > Security, select the new policy, then click Enable on the bottom menu.
  11. Click Commit.

When IOCs are present, you can see them at Objects > External Dynamic Lists. Select the EDL and look in the List Entries And Exceptions tab.

To import domains (EDL of type Domain List):

  1. From the Palo Alto main menu, choose Objects > Security Profiles > Anti-Spyware.
  2. Select the strict profile, then click Clone, and OK.
  3. Click the new profile.
  4. In the Anti-Spyware Profile dialog, type a name over the cloned name.
  5. In the DNS Policies tab, select the EDL for domains, then click OK.
  6. From the main menu, choose Policies > Security.
  7. Click Add.
  8. In the Security Policy Rule dialog, type a name for the new policy.
    The Rule Type should be universal (default).
  9. In the Source tab, select Any for SOURCE ZONE.
  10. In the Destination tab, select any from the drop-down list and select ZONE.
    Also click Any for ADDRESS and select any in DEVICE.
  11. In the Application tab, select Any.
  12. In the Service/URL Category tab, select Any from the drop-down list.
  13. In the Actions tab, in the Profile Setting section, for Profile Type, select Profiles.
  14. For Anti-Spyware, select the Anti-Spyware profile that you created (the one that you cloned from another).
  15. Click OK.
  16. From Policies > Security, select the new policy, then click Enable on the bottom menu.
  17. Click Commit.

When IOCs are present, you can see them at Objects > External Dynamic Lists. Select the EDL and look in the List Entries And Exceptions tab.