PAN-OS Policy Optimizer (Beta)
PAN-OS Policy Optimizer (beta) Pack.#
This Integration is part of theSupported versions
Supported Cortex XSOAR versions: 6.0.0 and later.
beta
This is a beta Integration, which lets you implement and test pre-release software. Since the integration is beta, it might contain bugs. Updates to the integration during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the integration to help us identify issues, fix them, and continually improve.
Automate your AppID Adoption by using this integration together with your Palo Alto Networks Next-Generation Firewall or Panorama. This integration was integrated and tested with version 8 up to version 10.1.6 and version 10.2.0 of PAN-OS Policy Optimizer. Moved to beta due to the lack of a formal API.
#
Configure PAN-OS Policy Optimizer (Beta) in CortexParameter | Required |
---|---|
Server URL (e.g., https://192.168.0.1:443) | True |
Username | True |
Password | True |
Vsys - Firewall instances only | False |
Device Group - Panorama instances only | False |
PAN-OS Version (The exact version, e.g., 10.1.4, 1.1, 9) | False |
Trust any certificate (not secure) | False |
Use system proxy settings | False |
#
CommandsYou can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
#
pan-os-po-get-statsGets the Policy Optimizer statistics.
#
Base Commandpan-os-po-get-stats
#
InputArgument Name | Description | Required |
---|---|---|
position | Whether to get pre-rules statistics or post-rules statistics. 'pre' for pre rules, 'post' for post-rules. Only for Panorama instances. Possible values are: pre, post. Default is pre. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
PanOS.PolicyOptimizer.Stats.no_app_specified | Number | Number of rules with no apps specified. |
PanOS.PolicyOptimizer.Stats.unused | Number | Number of unused security policies. |
PanOS.PolicyOptimizer.Stats.unused_apps | Number | Number of unused apps in security policies. |
PanOS.PolicyOptimizer.Stats.unused_in_30_days | Number | Number of unused security policies in 30 days. |
PanOS.PolicyOptimizer.Stats.unused_in_90_days | Number | Number of unused security policies in 90 days. |
#
Command Example!pan-os-po-get-stats
#
Context Example#
Human Readable Output#
Policy Optimizer Statistics:
@name text no_app_specified 1 unused_apps 0 unused_in_30_days 13 unused_in_90_days 12 unused 8
#
pan-os-po-no-appsShows all security policies with no apps specified.
#
Base Commandpan-os-po-no-apps
#
InputArgument Name | Description | Required |
---|---|---|
position | Whether to get pre-rules with no apps or post-rules with no apps. 'pre' for pre rules, 'post' for post-rules. Only for Panorama instances. Possible values are: pre, post. Default is pre. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
PanOS.PolicyOptimizer.NoApps | Unknown | Contains information about the rules that have no apps specified. For example, Source and Destination. |
#
Command Example!pan-os-po-no-apps
#
Context Example#
Human Readable Output#
Policy Optimizer No App Specified:
@name @uuid action description source destination pano_rule uuid allow a test rule for the move function member: any member: any
#
pan-os-po-unused-appsGets the unused apps.
#
Base Commandpan-os-po-unused-apps
#
InputArgument Name | Description | Required |
---|---|---|
position | Whether to get pre-rules unused apps or post-rules unused apps. 'pre' for pre rules, 'post' for post-rules. Only for Panorama instances. Possible values are: pre, post. Default is pre. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
PanOS.PolicyOptimizer.UnusedApps | String | Shows all security rules with unused apps. |
#
pan-os-po-get-rulesGets unused, used, or any rules.
#
Base Commandpan-os-po-get-rules
#
InputArgument Name | Description | Required |
---|---|---|
timeframe | The time frame in days to show the unused rules. Default is 30. | Optional |
usage | Rule usage type to filter by. Can be Unused, Used, or Any. Possible values are: Unused, Used, Any. Default is Unused. | Optional |
exclude | Whether to exclude rules reset during the last x days, where x is the value defined in the timeframe argument. It will not exclude rules by default. Possible values are: false, true. Default is false. | Optional |
position | Whether to get pre-rules, post-rules or both. 'pre' for pre rules, 'post' for post-rules, only for panorama instances. Possible values are: pre, post, both. Default is both. | Optional |
rule_type | Which type of rules to query. Possible values are: security, nat, qos, pbf, decryption, tunnel-inspect, application-override, authentication, dos, sdwan. Default is security. | Optional |
limit | The maximum number of rules to return. Default is 200. | Optional |
page_size | The amount of items to return in each paginated call. Can only be a value of up to 200. Default is 200. | Optional |
page | A specific pagination page to get items from. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
PanOS.PolicyOptimizer.UnusedRules | String | Shows all unused security rules. |
PanOS.PolicyOptimizer.AnyRules | String | Shows all security rules. |
PanOS.PolicyOptimizer.UsedRules | String | Shows all used security rules. |
#
Command Example!pan-os-po-get-rules usage=Any
#
Context Example#
Human Readable Output#
PolicyOptimizer AnyRules:
@name @uuid action description source destination tip rule uuid allow member: tip member: any
#
pan-os-po-app-and-usageGets the app usage statistics for a specific security rule.
#
Base Commandpan-os-po-app-and-usage
#
InputArgument Name | Description | Required |
---|---|---|
rule_uuid | The UUID of the security rule. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
PanOS.PolicyOptimizer.AppsAndUsage | Unknown | Shows detailed app usage statistics for specific security rules. |
#
Command Example!pan-os-po-app-and-usage rule_uuid=uuid
#
Human Readable OutputRule with UUID:{uuid} does not use apps.
#
pan-os-get-dagGets a specific dynamic address group.
#
Base Commandpan-os-get-dag
#
InputArgument Name | Description | Required |
---|---|---|
dag | Dynamic address group name. | Required |
#
Context OutputThere is no context output for this command.