Palo Alto Networks BPA

Palo Alto Networks Best Practice Assessment (BPA) analyzes NGFW and Panorama configurations and compares them to the best practices. This integration was integrated and tested with version 1.0 of BPA. Supported Cortex XSOAR versions: 5.0.0 and later.

Configure BPA on Cortex XSOAR#

  1. Navigate to Settings > Integrations > Servers & Services.

  2. Search for BPA.

  3. Click Add instance to create and configure a new integration instance.

    ParameterDescriptionRequired
    serverPanorama Server URL (e.g., https://192.168.0.1\)True
    keyPanorama API KeyTrue
    tokenBPA Access TokenTrue
    insecureTrust any certificate (not secure)False
    proxyUse system proxy settingsFalse
  4. Click Test to validate the URLs, token, and connection.

Commands#

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

pan-os-get-documentation#


Gets the documentation of all BPA checks.

Base Command#

pan-os-get-documentation

Input#

Argument NameDescriptionRequired
doc_idsA comma-separated list of IDs of the documents to return.Optional

Context Output#

PathTypeDescription
PAN-OS-BPA.Documentation.Document.DocIdNumberThe ID of the document.
PAN-OS-BPA.Documentation.Document.TopNavStringThe TopNav field of the document.
PAN-OS-BPA.Documentation.Document.LeftNavStringThe LeftNav of the document.
PAN-OS-BPA.Documentation.Document.TitleStringThe title of the document.
PAN-OS-BPA.Documentation.Document.DocTypeStringThe type of the document.
PAN-OS-BPA.Documentation.Document.DescriptionStringThe description of the document.
PAN-OS-BPA.Documentation.Document.RationaleStringThe rationale of the document.
PAN-OS-BPA.Documentation.Document.ReferencesStringThe references for the document.
PAN-OS-BPA.Documentation.Document.ActiveBooleanWhether the document is active or not.
PAN-OS-BPA.Documentation.Document.LastUpdatedDateStringThe date the document was last updated.
PAN-OS-BPA.Documentation.Document.CapabilityLabelUnknownThe capability label of the document.
PAN-OS-BPA.Documentation.Document.ClassLabelUnknownThe class label of the document.
PAN-OS-BPA.Documentation.Document.ControlCategoryUnknownThe control category of the document.
PAN-OS-BPA.Documentation.Document.Cscv6ControlUnknownThe CSCv6 control of the document.
PAN-OS-BPA.Documentation.Document.Cscv7ControlUnknownThe CSCv7 control of the document.
PAN-OS-BPA.DocumentationUnknownThe list of BPA checks.

Command Example#

!pan-os-get-documentation doc_ids=4,6,7

Context Example#

{
"PAN-OS-BPA": {
"Documentation": [
{
"Document": [
{
"Active": true,
"CapabilityLabel": [
"Preventative",
"Corrective"
],
"ClassLabel": [
"Technical"
],
"Complexity": "Advanced",
"ControlCategory": [
"Access Control"
],
"Cscv6Control": [
"11.1",
"12.1"
],
"Cscv7Control": [
"11.1",
"12.3"
],
"Description": "Do not specify both the source and destination zones as \"any\" on the rule.",
"DocId": 4,
"DocType": "Warning",
"Effort": 60,
"LastUpdatedDate": "2020-10-05T22:46:57.585179Z",
"LeftNav": "Security",
"Rationale": "Use Security policy settings to create rules that exactly define the traffic to which the rules apply (zones, IP addresses, users, applications). Policies that are too general may match traffic you don\u2019t want the policy to match and either permit undesirable traffic or deny legitimate traffic. Defining the source, destination, or both zones prevents potentially malicious traffic that uses evasive or deceptive techniques to avoid detection or appear benign from traversing the entire network, which reduces the attack surface and the threat scope. The exception to this best practice is when the Security policy needs to protect the entire network. For example, a rule that blocks traffic to malware or phishing URL categories can apply to all zones (and all traffic) because the URL Category clearly defines the traffic to block. Another example is blocking all unknown traffic with a block rule that applies to all traffic in all zones and defining the blocked applications as \u201cunknown-tcp\u201d, \u201cunknown-udp\u201d, and \u201cunknown-p2p\u201d.",
"References": "['https://www.paloaltonetworks.com/documentation/81/best-practices/best-practices-internet-gateway/best-practice-internet-gateway-security-policy/define-the-initial-internet-gateway-security-policy']",
"Title": "Source/Destination = any/any",
"TopNav": "Policies"
},
{
"Active": true,
"CapabilityLabel": [
"Performance"
],
"ClassLabel": [
"Technical"
],
"Complexity": "Advanced",
"ControlCategory": [
"Audit and Accountability"
],
"Cscv6Control": [],
"Cscv7Control": [],
"Description": "Don't enable \"Log at Session Start\" in a rule except for troubleshooting purposes.",
"DocId": 6,
"DocType": "Warning",
"Effort": 60,
"LastUpdatedDate": "2020-10-05T22:46:57.596239Z",
"LeftNav": "Security",
"Rationale": "By default, the firewall creates logs at the end of the session for all sessions that match a Security policy rule because the application identification is likely to change as the firewall identifies the specific application and because logging at the session end consumes fewer resources than logging the session start. For example, at the start of a session, the firewall identifies Facebook traffic as web-browsing traffic, but after examining a few packets, the firewall refines the application to Facebook-base. Use \u201cLog at Session Start\u201d only to troubleshoot packet flow and related issues, or for tunnel session logs (only logging at session start shows active GRE tunnels in the Application Command Center).",
"References": "['https://www.paloaltonetworks.com/documentation/81/best-practices/best-practices-data-center/data-center-best-practice-security-policy/log-and-monitor-data-center-traffic/what-data-center-traffic-to-log-and-monitor']",
"Title": "Log at Start of Session",
"TopNav": "Policies"
},
{
"Active": true,
"CapabilityLabel": [
"Recovery",
"Detective"
],
"ClassLabel": [
"Operational",
"Technical"
],
"Complexity": "Advanced",
"ControlCategory": [
"Contingency Planning",
"Audit and Accountability"
],
"Cscv6Control": [
"6.2",
"6.6",
"10.1"
],
"Cscv7Control": [
"6.3",
"6.6",
"10.1"
],
"Description": "Create and enable a Log Forwarding profile on the rule.",
"DocId": 7,
"DocType": "Warning",
"Effort": 60,
"LastUpdatedDate": "2020-10-05T22:46:57.601517Z",
"LeftNav": "Security",
"Rationale": "The firewall has limited log storage space and when the space fills up, the firewall purges the oldest logs. Configure Log Forwarding for the traffic that matches each Security policy rule. You can create profiles that send logs to a dedicated storage device such as Panorama in Log Collector mode, a syslog or SNMP server, or to an email profile, to provide redundant storage for the logs on the firewall and a long-term repository for older logs. You can create profiles to forward logs to one or more external storage devices to remain in compliance, run analytics, and review abnormal activity, threat behaviors, and long-term patterns.",
"References": "['https://www.paloaltonetworks.com/documentation/81/pan-os/pan-os/monitoring/configure-log-forwarding']",
"Title": "Log Forwarding",
"TopNav": "Policies"
}
]
},
{
"active": true,
"capability_label": [
"Preventative",
"Corrective"
],
"class_label": [
"Technical"
],
"complexity": "Advanced",
"control_category": [
"Access Control"
],
"cscv6_control": [
"11.1",
"12.1"
],
"cscv7_control": [
"11.1",
"12.3"
],
"description": "Do not specify both the source and destination zones as \"any\" on the rule.",
"doc_id": 4,
"doc_type": "Warning",
"effort": 60,
"last_updated_date": "2020-10-05T22:46:57.585179Z",
"left_nav": "Security",
"rationale": "Use Security policy settings to create rules that exactly define the traffic to which the rules apply (zones, IP addresses, users, applications). Policies that are too general may match traffic you don\u2019t want the policy to match and either permit undesirable traffic or deny legitimate traffic. Defining the source, destination, or both zones prevents potentially malicious traffic that uses evasive or deceptive techniques to avoid detection or appear benign from traversing the entire network, which reduces the attack surface and the threat scope. The exception to this best practice is when the Security policy needs to protect the entire network. For example, a rule that blocks traffic to malware or phishing URL categories can apply to all zones (and all traffic) because the URL Category clearly defines the traffic to block. Another example is blocking all unknown traffic with a block rule that applies to all traffic in all zones and defining the blocked applications as \u201cunknown-tcp\u201d, \u201cunknown-udp\u201d, and \u201cunknown-p2p\u201d.",
"references": "['https://www.paloaltonetworks.com/documentation/81/best-practices/best-practices-internet-gateway/best-practice-internet-gateway-security-policy/define-the-initial-internet-gateway-security-policy']",
"title": "Source/Destination = any/any",
"top_nav": "Policies"
},
{
"active": true,
"capability_label": [
"Performance"
],
"class_label": [
"Technical"
],
"complexity": "Advanced",
"control_category": [
"Audit and Accountability"
],
"cscv6_control": [],
"cscv7_control": [],
"description": "Don't enable \"Log at Session Start\" in a rule except for troubleshooting purposes.",
"doc_id": 6,
"doc_type": "Warning",
"effort": 60,
"last_updated_date": "2020-10-05T22:46:57.596239Z",
"left_nav": "Security",
"rationale": "By default, the firewall creates logs at the end of the session for all sessions that match a Security policy rule because the application identification is likely to change as the firewall identifies the specific application and because logging at the session end consumes fewer resources than logging the session start. For example, at the start of a session, the firewall identifies Facebook traffic as web-browsing traffic, but after examining a few packets, the firewall refines the application to Facebook-base. Use \u201cLog at Session Start\u201d only to troubleshoot packet flow and related issues, or for tunnel session logs (only logging at session start shows active GRE tunnels in the Application Command Center).",
"references": "['https://www.paloaltonetworks.com/documentation/81/best-practices/best-practices-data-center/data-center-best-practice-security-policy/log-and-monitor-data-center-traffic/what-data-center-traffic-to-log-and-monitor']",
"title": "Log at Start of Session",
"top_nav": "Policies"
},
{
"active": true,
"capability_label": [
"Recovery",
"Detective"
],
"class_label": [
"Operational",
"Technical"
],
"complexity": "Advanced",
"control_category": [
"Contingency Planning",
"Audit and Accountability"
],
"cscv6_control": [
"6.2",
"6.6",
"10.1"
],
"cscv7_control": [
"6.3",
"6.6",
"10.1"
],
"description": "Create and enable a Log Forwarding profile on the rule.",
"doc_id": 7,
"doc_type": "Warning",
"effort": 60,
"last_updated_date": "2020-10-05T22:46:57.601517Z",
"left_nav": "Security",
"rationale": "The firewall has limited log storage space and when the space fills up, the firewall purges the oldest logs. Configure Log Forwarding for the traffic that matches each Security policy rule. You can create profiles that send logs to a dedicated storage device such as Panorama in Log Collector mode, a syslog or SNMP server, or to an email profile, to provide redundant storage for the logs on the firewall and a long-term repository for older logs. You can create profiles to forward logs to one or more external storage devices to remain in compliance, run analytics, and review abnormal activity, threat behaviors, and long-term patterns.",
"references": "['https://www.paloaltonetworks.com/documentation/81/pan-os/pan-os/monitoring/configure-log-forwarding']",
"title": "Log Forwarding",
"top_nav": "Policies"
}
]
}
}

Human Readable Output#

BPA documentation#

ActiveCapabilityLabelClassLabelComplexityControlCategoryCscv6ControlCscv7ControlDescriptionDocIdDocTypeEffortLastUpdatedDateLeftNavRationaleReferencesTitleTopNav
truePreventative,
Corrective
TechnicalAdvancedAccess Control11.1,
12.1
11.1,
12.3
Do not specify both the source and destination zones as "any" on the rule.4Warning602020-10-05T22:46:57.585179ZSecurityUse Security policy settings to create rules that exactly define the traffic to which the rules apply (zones, IP addresses, users, applications). Policies that are too general may match traffic you don’t want the policy to match and either permit undesirable traffic or deny legitimate traffic. Defining the source, destination, or both zones prevents potentially malicious traffic that uses evasive or deceptive techniques to avoid detection or appear benign from traversing the entire network, which reduces the attack surface and the threat scope. The exception to this best practice is when the Security policy needs to protect the entire network. For example, a rule that blocks traffic to malware or phishing URL categories can apply to all zones (and all traffic) because the URL Category clearly defines the traffic to block. Another example is blocking all unknown traffic with a block rule that applies to all traffic in all zones and defining the blocked applications as “unknown-tcp”, “unknown-udp”, and “unknown-p2p”.['https://www.paloaltonetworks.com/documentation/81/best-practices/best-practices-internet-gateway/best-practice-internet-gateway-security-policy/define-the-initial-internet-gateway-security-policy']Source/Destination = any/anyPolicies
truePerformanceTechnicalAdvancedAudit and AccountabilityDon't enable "Log at Session Start" in a rule except for troubleshooting purposes.6Warning602020-10-05T22:46:57.596239ZSecurityBy default, the firewall creates logs at the end of the session for all sessions that match a Security policy rule because the application identification is likely to change as the firewall identifies the specific application and because logging at the session end consumes fewer resources than logging the session start. For example, at the start of a session, the firewall identifies Facebook traffic as web-browsing traffic, but after examining a few packets, the firewall refines the application to Facebook-base. Use “Log at Session Start” only to troubleshoot packet flow and related issues, or for tunnel session logs (only logging at session start shows active GRE tunnels in the Application Command Center).['https://www.paloaltonetworks.com/documentation/81/best-practices/best-practices-data-center/data-center-best-practice-security-policy/log-and-monitor-data-center-traffic/what-data-center-traffic-to-log-and-monitor']Log at Start of SessionPolicies
trueRecovery,
Detective
Operational,
Technical
AdvancedContingency Planning,
Audit and Accountability
6.2,
6.6,
10.1
6.3,
6.6,
10.1
Create and enable a Log Forwarding profile on the rule.7Warning602020-10-05T22:46:57.601517ZSecurityThe firewall has limited log storage space and when the space fills up, the firewall purges the oldest logs. Configure Log Forwarding for the traffic that matches each Security policy rule. You can create profiles that send logs to a dedicated storage device such as Panorama in Log Collector mode, a syslog or SNMP server, or to an email profile, to provide redundant storage for the logs on the firewall and a long-term repository for older logs. You can create profiles to forward logs to one or more external storage devices to remain in compliance, run analytics, and review abnormal activity, threat behaviors, and long-term patterns.['https://www.paloaltonetworks.com/documentation/81/pan-os/pan-os/monitoring/configure-log-forwarding']Log ForwardingPolicies

pan-os-bpa-submit-job#


Submits a job to the BPA job queue. PAN-OS devices with large configuration files may take a few minutes for the job to be submitted.

Base Command#

pan-os-bpa-submit-job

Input#

Argument NameDescriptionRequired
generate_zip_bundleWhether to download the Panorama report. Can be "true" or "false". Default is "false".Optional
timeoutThe timeout for the request. Default is 120.Optional

Context Output#

PathTypeDescription
PAN-OS-BPA.SubmittedJob.JobIDStringSubmitted Job ID, used to query results when the job is done.

Command Example#

!pan-os-bpa-submit-job

Context Example#

{
"PAN-OS-BPA": {
"SubmittedJob": {
"JobID": "ca5dc5a7-c3e5-474a-8d04-e3129c1b0edf"
}
}
}

Human Readable Output#

Submitted BPA job ID: ca5dc5a7-c3e5-474a-8d04-e3129c1b0edf

pan-os-bpa-get-job-results#


Returns results of BPA job.

Base Command#

pan-os-bpa-get-job-results

Input#

Argument NameDescriptionRequired
task_idThe job ID for which to return results.Required
exclude_passed_checksWhether to exclude passed checks. Can be "true" or "false". Default is "false".Optional
check_idA comma-separated list of the BPA IDs of the results to return.Optional
check_nameA comma-separated list of the name of the results to return.Optional

Context Output#

PathTypeDescription
PAN-OS-BPA.JobResults.JobIDStringThe submitted job ID.
PAN-OS-BPA.JobResults.StatusStringThe job status in the queue (in progress or completed).
PAN-OS-BPA.JobResults.ChecksUnknownThe list of checks.
InfoFile.NamestringFile name.
InfoFile.EntryIDstringFile entry ID.
InfoFile.SizenumberFile size.
InfoFile.TypestringFile type, e.g., "PE"
InfoFile.InfostringBasic information of the file.
InfoFile.ExtensionstringFile extension.

Command Example#

!pan-os-bpa-get-job-results task_id=b0539068-e1c1-496c-9dfd-a1274947f76e check_id=104,105 check_name="Accelerated Aging"

Context Example#

{
"PAN-OS-BPA": {
"JobResults": {
"Checks": [
{
"check_category": "device",
"check_feature": "device_setup_services",
"check_id": 105,
"check_message": "It is recommended to configure a primary and secondary NTP Server Address",
"check_name": "NTP Server Address",
"check_passed": false,
"check_type": "Warning"
},
{
"check_category": "device",
"check_feature": "device_setup_services",
"check_id": 104,
"check_message": null,
"check_name": "Verify Update Server Identity",
"check_passed": true,
"check_type": "Warning"
},
{
"check_category": "device",
"check_feature": "device_setup_session",
"check_id": 121,
"check_message": null,
"check_name": "Accelerated Aging",
"check_passed": true,
"check_type": "Warning"
}
],
"JobID": "b0539068-e1c1-496c-9dfd-a1274947f76e",
"Status": "complete"
}
}
}

Human Readable Output#

BPA Results#

check_categorycheck_featurecheck_idcheck_messagecheck_namecheck_passedcheck_type
devicedevice_setup_services105It is recommended to configure a primary and secondary NTP Server AddressNTP Server AddressfalseWarning
devicedevice_setup_services104Verify Update Server IdentitytrueWarning
devicedevice_setup_session121Accelerated AgingtrueWarning