
PAN-OS Policy Optimizer

This integration is part of the PAN-OS Policy Optimizer Pack.

Supported versions

Supported Cortex XSOAR versions: 6.0.0 and later.

Automate your App-ID adoption by using this integration together with your Palo Alto Networks Next-Generation Firewall or Panorama. This integration was integrated and tested with version 0.1 of PAN-OS Policy Optimizer.

Configure PAN-OS Policy Optimizer on Cortex XSOAR

  1. Navigate to Settings > Integrations > Servers & Services.

  2. Search for PAN-OS Policy Optimizer.

  3. Click Add instance to create and configure a new integration instance.

    | Parameter | Required |
    | --- | --- |
    | Server URL (e.g., https://192.168.0.1:443) | True |
    | Username | True |
    | Vsys - Firewall instances only | False |
    | Device Group - Panorama instances only | False |
    | Trust any certificate (not secure) | False |
    | Use system proxy settings | False |

  4. Click Test to validate the URLs, token, and connection.

Commands

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

pan-os-po-get-stats

Gets the Policy Optimizer statistics.

Base Command

pan-os-po-get-stats

Input

There are no input arguments for this command.

Context Output

| Path | Type | Description |
| --- | --- | --- |
| PanOS.PolicyOptimizer.Stats.no_app_specified | Number | Number of rules with no apps specified. |
| PanOS.PolicyOptimizer.Stats.unused | Number | Number of unused security policies. |
| PanOS.PolicyOptimizer.Stats.unused_apps | Number | Number of unused apps in security policies. |
| PanOS.PolicyOptimizer.Stats.unused_in_30_days | Number | Number of unused security policies in 30 days. |
| PanOS.PolicyOptimizer.Stats.unused_in_90_days | Number | Number of unused security policies in 90 days. |

Command Example

!pan-os-po-get-stats

Context Example

{
  "PanOS": {
    "PolicyOptimizer": {
      "Stats": {
        "no_app_specified": "1",
        "unused": "8",
        "unused_apps": "0",
        "unused_in_30_days": "13",
        "unused_in_90_days": "12"
      }
    }
  }
}

Human Readable Output

Policy Optimizer Statistics:

| @name | text |
| --- | --- |
| no_app_specified | 1 |
| unused_apps | 0 |
| unused_in_30_days | 13 |
| unused_in_90_days | 12 |
| unused | 8 |

pan-os-po-no-apps

Shows all security policies with no apps specified.

Base Command

pan-os-po-no-apps

Input

There are no input arguments for this command.

Context Output

| Path | Type | Description |
| --- | --- | --- |
| PanOS.PolicyOptimizer.NoApps | Unknown | Contains information about the rules that have no apps specified, such as source and destination. |

Command Example

!pan-os-po-no-apps

Context Example

{
  "PanOS": {
    "PolicyOptimizer": {
      "NoApps": {
        "@__recordInfo": "{\"permission\":\"readonly\",\"xpathId\":\"panorama\",\"vsysName\":\"vsys1\",\"position\":\"pre\"}",
        "@loc": "Lab-Devices",
        "@name": "pano_rule",
        "@panorama": "true",
        "@uuid": "uuid",
        "action": "allow",
        "application": {
          "member": ["any"]
        },
        "apps-allowed-count": "0",
        "apps-seen-count": "72",
        "bytes": "84800223916",
        "category": {
          "member": ["any"]
        },
        "days-no-new-app-count": "193",
        "description": "a test rule for the move function",
        "destination": {
          "member": ["any"]
        },
        "first-hit-timestamp": "1602403843",
        "from": {
          "member": ["any"]
        },
        "hip-profiles": {
          "member": ["any"]
        },
        "hit-count": "32193134",
        "last-app-seen-since-count": "193",
        "last-hit-timestamp": "1602468975",
        "last-reset-timestamp": "0",
        "rule-creation-timestamp": "1575916248",
        "rule-modification-timestamp": "1614045009",
        "service": {
          "member": ["application-default"]
        },
        "source": {
          "member": ["any"]
        },
        "source-user": {
          "member": ["any"]
        },
        "to": {
          "member": ["any"]
        }
      }
    }
  }
}

Human Readable Output

Policy Optimizer No App Specified:

| @name | @uuid | action | description | source | destination |
| --- | --- | --- | --- | --- | --- |
| pano_rule | uuid | allow | a test rule for the move function | member: any | member: any |

pan-os-po-unused-apps

Gets the unused apps.

Base Command

pan-os-po-unused-apps

Input

There are no input arguments for this command.

Context Output

| Path | Type | Description |
| --- | --- | --- |
| PanOS.PolicyOptimizer.UnusedApps | String | Shows all security rules with unused apps. |

Command Example

!pan-os-po-unused-apps

Human Readable Output

No Rules with unused apps were found.

pan-os-po-get-rules

Gets unused, used, or any rules.

Base Command

pan-os-po-get-rules

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| timeframe | The time frame in days for which to show the unused rules. Default is 30. | Optional |
| usage | Rule usage type. The values by which you want to filter. Possible values are: Unused, Used, Any. Default is Unused. | Optional |
| exclude | Whether to exclude rules reset during the last x days, where x is the value defined in the timeframe argument. It will not exclude rules by default. Possible values are: false, true. Default is false. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| PanOS.PolicyOptimizer.UnusedRules | String | Shows all unused security rules. |
| PanOS.PolicyOptimizer.AnyRules | String | Shows all security rules. |
| PanOS.PolicyOptimizer.UsedRules | String | Shows all used security rules. |

Command Example

!pan-os-po-get-rules usage=Any

Context Example

{
  "PanOS": {
    "PolicyOptimizer": {
      "AnyRules": [
        {
          "@__recordInfo": "{\"permission\":\"readonly\",\"xpathId\":\"panorama\",\"vsysName\":\"vsys1\",\"position\":\"pre\"}",
          "@loc": "Lab-Devices",
          "@name": "tip rule",
          "@panorama": "true",
          "@uuid": "uuid",
          "action": "allow",
          "application": {
            "member": ["any"]
          },
          "apps-allowed-count": "0",
          "apps-seen-count": "0",
          "bytes": "0",
          "category": {
            "member": ["any"]
          },
          "days-no-new-app-count": [],
          "destination": {
            "member": ["any"]
          },
          "first-hit-timestamp": "0",
          "from": {
            "member": ["any"]
          },
          "hip-profiles": {
            "member": ["any"]
          },
          "hit-count": "0",
          "last-app-seen-since-count": [],
          "last-hit-timestamp": "0",
          "last-reset-timestamp": "0",
          "rule-creation-timestamp": "1575925916",
          "rule-modification-timestamp": "1614045009",
          "service": {
            "member": ["application-default"]
          },
          "source": {
            "member": ["tip"]
          },
          "source-user": {
            "member": ["any"]
          },
          "to": {
            "member": ["any"]
          }
        }
      ]
    }
  }
}

Human Readable Output

PolicyOptimizer AnyRules:

| @name | @uuid | action | description | source | destination |
| --- | --- | --- | --- | --- | --- |
| tip rule | uuid | allow | | member: tip | member: any |
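
An added example (not part of the integration's own code): one way to post-process the context written by pan-os-po-no-apps and pan-os-po-get-rules in a Python automation, flagging allow rules that match any application and rules that were never hit. The sample data is constructed from the Context Examples on this page, and the helper names (as_list, to_int, triage, review) are hypothetical.

```python
from datetime import datetime, timezone

# Constructed sample trimmed from this page's Context Examples: NoApps is a
# single dict there, AnyRules a list, and empty counters appear as [].
SAMPLE = {"PanOS": {"PolicyOptimizer": {
    "NoApps": {"@name": "pano_rule", "action": "allow", "hit-count": "32193134",
               "application": {"member": ["any"]}, "apps-seen-count": "72",
               "days-no-new-app-count": "193", "last-hit-timestamp": "1602468975"},
    "AnyRules": [{"@name": "tip rule", "action": "allow", "hit-count": "0",
                  "application": {"member": ["any"]}, "apps-seen-count": "0",
                  "days-no-new-app-count": [], "last-hit-timestamp": "0"}],
}}}


def as_list(value):
    """Normalize a context value that may be a dict, a list, or missing."""
    return value if isinstance(value, list) else [] if value is None else [value]


def to_int(value, default=0):
    """Counters are strings in context, or [] when there is no data."""
    try:
        return int(value)
    except (TypeError, ValueError):
        return default


def triage(rule, now):
    """Return review findings for one rule record."""
    findings = []
    apps = as_list((rule.get("application") or {}).get("member"))
    if rule.get("action") == "allow" and "any" in apps:
        seen = to_int(rule.get("apps-seen-count"))
        stable = to_int(rule.get("days-no-new-app-count"))
        findings.append(f"allows any app: {seen} seen, none new for {stable} days")
    last_hit = to_int(rule.get("last-hit-timestamp"))
    if to_int(rule.get("hit-count")) == 0 or last_hit == 0:
        findings.append("never hit")
    else:
        idle = (now - datetime.fromtimestamp(last_hit, timezone.utc)).days
        findings.append(f"idle for {idle} days")
    return findings


def review(context, key, now=None):
    """Map rule name to findings for PanOS.PolicyOptimizer.<key>."""
    now = now or datetime.now(timezone.utc)
    rules = as_list(context.get("PanOS", {}).get("PolicyOptimizer", {}).get(key))
    return {rule.get("@name"): triage(rule, now) for rule in rules}
```

A rule with many apps seen and a long run of days without a new app is a stable candidate for replacing "any" with an explicit application list; a rule that was never hit is a candidate for removal review.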

pan-os-po-app-and-usage

Gets the app usage statistics for a specific security rule.

Base Command

pan-os-po-app-and-usage

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| rule_uuid | The UUID of the security rule. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| PanOS.PolicyOptimizer.AppsAndUsage | Unknown | Shows detailed app usage statistics for specific security rules. |

Command Example

!pan-os-po-app-and-usage rule_uuid=uuid

Human Readable Output

Rule with UUID:{uuid} does not use apps.

pan-os-get-dag

Gets a specific dynamic address group.

Base Command

pan-os-get-dag

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| dag | Dynamic address group name. | Required |

Context Output

There is no context output for this command.

Command Example

Human Readable Output