Palo Alto Networks BPA (Deprecated)
Best Practice Assessment (BPA) by Palo Alto Networks (Deprecated) Pack.#
This Integration is part of theDeprecated
Use Palo Alto Networks AIops instead, run aiops-bpa-report-generate command.
Palo Alto Networks Best Practice Assessment (BPA) analyzes NGFW and Panorama configurations and compares them to the best practices. This integration was integrated and tested with version 1.0 of BPA. Supported Cortex XSOAR versions: 5.0.0 and later.
#
Configure BPA in CortexParameter | Description | Required |
---|---|---|
server | Server URL (either Firewall or Panorama). e.g., https:\/\/192.168.0.1 | True |
key | Panorama API Key | True |
token | BPA Access Token | True |
insecure | Trust any certificate (not secure) | False |
proxy | Use system proxy settings | False |
#
CommandsYou can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
#
pan-os-get-documentationGets the documentation of all BPA checks.
#
Base Commandpan-os-get-documentation
#
InputArgument Name | Description | Required |
---|---|---|
doc_ids | A comma-separated list of IDs of the documents to return. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
PAN-OS-BPA.Documentation.Document.DocId | Number | The ID of the document. |
PAN-OS-BPA.Documentation.Document.TopNav | String | The TopNav field of the document. |
PAN-OS-BPA.Documentation.Document.LeftNav | String | The LeftNav of the document. |
PAN-OS-BPA.Documentation.Document.Title | String | The title of the document. |
PAN-OS-BPA.Documentation.Document.DocType | String | The type of the document. |
PAN-OS-BPA.Documentation.Document.Description | String | The description of the document. |
PAN-OS-BPA.Documentation.Document.Rationale | String | The rationale of the document. |
PAN-OS-BPA.Documentation.Document.References | String | The references for the document. |
PAN-OS-BPA.Documentation.Document.Active | Boolean | Whether the document is active or not. |
PAN-OS-BPA.Documentation.Document.LastUpdatedDate | String | The date the document was last updated. |
PAN-OS-BPA.Documentation.Document.CapabilityLabel | Unknown | The capability label of the document. |
PAN-OS-BPA.Documentation.Document.ClassLabel | Unknown | The class label of the document. |
PAN-OS-BPA.Documentation.Document.ControlCategory | Unknown | The control category of the document. |
PAN-OS-BPA.Documentation.Document.Cscv6Control | Unknown | The CSCv6 control of the document. |
PAN-OS-BPA.Documentation.Document.Cscv7Control | Unknown | The CSCv7 control of the document. |
PAN-OS-BPA.Documentation | Unknown | The list of BPA checks. |
#
Command Example!pan-os-get-documentation doc_ids=4,6,7
#
Context Example#
Human Readable Output#
BPA documentation
Active CapabilityLabel ClassLabel Complexity ControlCategory Cscv6Control Cscv7Control Description DocId DocType Effort LastUpdatedDate LeftNav Rationale References Title TopNav true Preventative,
CorrectiveTechnical Advanced Access Control 11.1,
12.111.1,
12.3Do not specify both the source and destination zones as "any" on the rule. 4 Warning 60 2020-10-05T22:46:57.585179Z Security Use Security policy settings to create rules that exactly define the traffic to which the rules apply (zones, IP addresses, users, applications). Policies that are too general may match traffic you don’t want the policy to match and either permit undesirable traffic or deny legitimate traffic. Defining the source, destination, or both zones prevents potentially malicious traffic that uses evasive or deceptive techniques to avoid detection or appear benign from traversing the entire network, which reduces the attack surface and the threat scope. The exception to this best practice is when the Security policy needs to protect the entire network. For example, a rule that blocks traffic to malware or phishing URL categories can apply to all zones (and all traffic) because the URL Category clearly defines the traffic to block. Another example is blocking all unknown traffic with a block rule that applies to all traffic in all zones and defining the blocked applications as “unknown-tcp”, “unknown-udp”, and “unknown-p2p”. ['https://www.paloaltonetworks.com/documentation/81/best-practices/best-practices-internet-gateway/best-practice-internet-gateway-security-policy/define-the-initial-internet-gateway-security-policy'] Source/Destination = any/any Policies true Performance Technical Advanced Audit and Accountability Don't enable "Log at Session Start" in a rule except for troubleshooting purposes. 6 Warning 60 2020-10-05T22:46:57.596239Z Security By default, the firewall creates logs at the end of the session for all sessions that match a Security policy rule because the application identification is likely to change as the firewall identifies the specific application and because logging at the session end consumes fewer resources than logging the session start. For example, at the start of a session, the firewall identifies Facebook traffic as web-browsing traffic, but after examining a few packets, the firewall refines the application to Facebook-base. Use “Log at Session Start” only to troubleshoot packet flow and related issues, or for tunnel session logs (only logging at session start shows active GRE tunnels in the Application Command Center). ['https://www.paloaltonetworks.com/documentation/81/best-practices/best-practices-data-center/data-center-best-practice-security-policy/log-and-monitor-data-center-traffic/what-data-center-traffic-to-log-and-monitor'] Log at Start of Session Policies true Recovery,
DetectiveOperational,
TechnicalAdvanced Contingency Planning,
Audit and Accountability6.2,
6.6,
10.16.3,
6.6,
10.1Create and enable a Log Forwarding profile on the rule. 7 Warning 60 2020-10-05T22:46:57.601517Z Security The firewall has limited log storage space and when the space fills up, the firewall purges the oldest logs. Configure Log Forwarding for the traffic that matches each Security policy rule. You can create profiles that send logs to a dedicated storage device such as Panorama in Log Collector mode, a syslog or SNMP server, or to an email profile, to provide redundant storage for the logs on the firewall and a long-term repository for older logs. You can create profiles to forward logs to one or more external storage devices to remain in compliance, run analytics, and review abnormal activity, threat behaviors, and long-term patterns. ['https://www.paloaltonetworks.com/documentation/81/pan-os/pan-os/monitoring/configure-log-forwarding'] Log Forwarding Policies
#
pan-os-bpa-submit-jobSubmits a job to the BPA job queue. PAN-OS devices with large configuration files may take a few minutes for the job to be submitted.
#
Base Commandpan-os-bpa-submit-job
#
InputArgument Name | Description | Required |
---|---|---|
generate_zip_bundle | Whether to download the Panorama report. Can be "true" or "false". Default is "false". | Optional |
timeout | The timeout for the request. Default is 120. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
PAN-OS-BPA.SubmittedJob.JobID | String | Submitted Job ID, used to query results when the job is done. |
#
Command Example!pan-os-bpa-submit-job
#
Context Example#
Human Readable OutputSubmitted BPA job ID: ca5dc5a7-c3e5-474a-8d04-e3129c1b0edf
#
pan-os-bpa-get-job-resultsReturns results of BPA job.
#
Base Commandpan-os-bpa-get-job-results
#
InputArgument Name | Description | Required |
---|---|---|
task_id | The job ID for which to return results. | Required |
exclude_passed_checks | Whether to exclude passed checks. Can be "true" or "false". Default is "false". | Optional |
check_id | A comma-separated list of the BPA IDs of the results to return. | Optional |
check_name | A comma-separated list of the name of the results to return. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
PAN-OS-BPA.JobResults.JobID | String | The submitted job ID. |
PAN-OS-BPA.JobResults.Status | String | The job status in the queue (in progress or completed). |
PAN-OS-BPA.JobResults.Checks | Unknown | The list of checks. |
InfoFile.Name | string | File name. |
InfoFile.EntryID | string | File entry ID. |
InfoFile.Size | number | File size. |
InfoFile.Type | string | File type, e.g., "PE" |
InfoFile.Info | string | Basic information of the file. |
InfoFile.Extension | string | File extension. |
#
Command Example!pan-os-bpa-get-job-results task_id=b0539068-e1c1-496c-9dfd-a1274947f76e check_id=104,105 check_name="Accelerated Aging"
#
Context Example#
Human Readable Output#
BPA Results
check_category check_feature check_id check_message check_name check_passed check_type device device_setup_services 105 It is recommended to configure a primary and secondary NTP Server Address NTP Server Address false Warning device device_setup_services 104 Verify Update Server Identity true Warning device device_setup_session 121 Accelerated Aging true Warning