Skip to main content

PAN-OS Policy Optimizer (Beta)

This Integration is part of the PAN-OS Policy Optimizer (beta) Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.0.0 and later.

beta

This is a beta Integration, which lets you implement and test pre-release software. Since the integration is beta, it might contain bugs. Updates to the integration during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the integration to help us identify issues, fix them, and continually improve.

Automate your AppID Adoption by using this integration together with your Palo Alto Networks Next-Generation Firewall or Panorama. This integration was integrated and tested with version 8 up to version 10.1.6 and version 10.2.0 of PAN-OS Policy Optimizer. Moved to beta due to the lack of a formal API.

Configure PAN-OS Policy Optimizer on Cortex XSOAR (beta)#

  1. Navigate to Settings > Integrations > Servers & Services.

  2. Search for PAN-OS Policy Optimizer (beta).

  3. Click Add instance to create and configure a new integration instance.

    ParameterRequired
    Server URL (e.g., https://192.168.0.1:443)True
    UsernameTrue
    Vsys - Firewall instances onlyFalse
    Device Group - Panorama instances onlyFalse
    PAN-OS Version(e.g. 8.2.3, 9, 10.1.6)False
    Trust any certificate (not secure)False
    Use system proxy settingsFalse
  4. Click Test to validate the URLs, token, and connection.

Commands#

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

pan-os-po-get-stats#


Gets the Policy Optimizer statistics.

Base Command#

pan-os-po-get-stats

Input#

Argument NameDescriptionRequired
positionWhether to get pre-rules statistics or post-rules statistics. 'pre' for pre rules, 'post' for post-rules. Only for Panorama instances. Possible values are: pre, post. Default is pre.Optional

Context Output#

PathTypeDescription
PanOS.PolicyOptimizer.Stats.no_app_specifiedNumberNumber of rules with no apps specified.
PanOS.PolicyOptimizer.Stats.unusedNumberNumber of unused security policies.
PanOS.PolicyOptimizer.Stats.unused_appsNumberNumber of unused apps in security policies.
PanOS.PolicyOptimizer.Stats.unused_in_30_daysNumberNumber of unused security policies in 30 days.
PanOS.PolicyOptimizer.Stats.unused_in_90_daysNumberNumber of unused security policies in 90 days.

Command Example#

!pan-os-po-get-stats

Context Example#

{
"PanOS": {
"PolicyOptimizer": {
"Stats": {
"no_app_specified": "1",
"unused": "8",
"unused_apps": "0",
"unused_in_30_days": "13",
"unused_in_90_days": "12"
}
}
}
}

Human Readable Output#

Policy Optimizer Statistics:#

@nametext
no_app_specified1
unused_apps0
unused_in_30_days13
unused_in_90_days12
unused8

pan-os-po-no-apps#


Shows all security policies with no apps specified.

Base Command#

pan-os-po-no-apps

Input#

Argument NameDescriptionRequired
positionWhether to get pre-rules with no apps or post-rules with no apps. 'pre' for pre rules, 'post' for post-rules. Only for Panorama instances. Possible values are: pre, post. Default is pre.Optional

Context Output#

PathTypeDescription
PanOS.PolicyOptimizer.NoAppsUnknownContains information about the rules that have no apps specified. i.e., Source, Destination, etc.

Command Example#

!pan-os-po-no-apps

Context Example#

{
"PanOS": {
"PolicyOptimizer": {
"NoApps": {
"@__recordInfo": "{\"permission\":\"readonly\",\"xpathId\":\"panorama\",\"vsysName\":\"vsys1\",\"position\":\"pre\"}",
"@loc": "Lab-Devices",
"@name": "pano_rule",
"@panorama": "true",
"@uuid": "uuid",
"action": "allow",
"application": {
"member": [
"any"
]
},
"apps-allowed-count": "0",
"apps-seen-count": "72",
"bytes": "84800223916",
"category": {
"member": [
"any"
]
},
"days-no-new-app-count": "193",
"description": "a test rule for the move function",
"destination": {
"member": [
"any"
]
},
"first-hit-timestamp": "1602403843",
"from": {
"member": [
"any"
]
},
"hip-profiles": {
"member": [
"any"
]
},
"hit-count": "32193134",
"last-app-seen-since-count": "193",
"last-hit-timestamp": "1602468975",
"last-reset-timestamp": "0",
"rule-creation-timestamp": "1575916248",
"rule-modification-timestamp": "1614045009",
"service": {
"member": [
"application-default"
]
},
"source": {
"member": [
"any"
]
},
"source-user": {
"member": [
"any"
]
},
"to": {
"member": [
"any"
]
}
}
}
}
}

Human Readable Output#

Policy Optimizer No App Specified:#

@name@uuidactiondescriptionsourcedestination
pano_ruleuuidallowa test rule for the move functionmember: anymember: any

pan-os-po-unused-apps#


Gets the unused apps.

Base Command#

pan-os-po-unused-apps

Input#

Argument NameDescriptionRequired
positionWhether to get pre-rules unused apps or post-rules unused apps. 'pre' for pre rules, 'post' for post-rules. Only for Panorama instances. Possible values are: pre, post. Default is pre.Optional

Context Output#

PathTypeDescription
PanOS.PolicyOptimizer.UnusedAppsStringShows all security rules with unused apps.

Command Example#

!pan-os-po-unused-apps

Human Readable Output#

pan-os-po-get-rules#


Gets unused, used, or any rules

Base Command#

pan-os-po-get-rules

Input#

Argument NameDescriptionRequired
timeframeThe time frame in days for which to show the unused rules. Default is 30. Default is 30.Optional
usageRule usage type. The values by which you want to filter. Possible values are: Unused, Used, Any. Default is Unused.Optional
excludeWhether to exclude rules reset during the last x days, where x is the value defined in the timeframe argument. It will not exclude rules by default. Possible values are: false, true. Default is false.Optional

Context Output#

PathTypeDescription
PanOS.PolicyOptimizer.UnusedRulesStringShows all unused security rules.
PanOS.PolicyOptimizer.AnyRulesStringShows all security rules.
PanOS.PolicyOptimizer.UsedRulesStringShows all used security rules.

Command Example#

!pan-os-po-get-rules usage=Any

Context Example#

{
"PanOS": {
"PolicyOptimizer": {
"AnyRules": [
{
"@__recordInfo": "{\"permission\":\"readonly\",\"xpathId\":\"panorama\",\"vsysName\":\"vsys1\",\"position\":\"pre\"}",
"@loc": "Lab-Devices",
"@name": "tip rule",
"@panorama": "true",
"@uuid": "uuid",
"action": "allow",
"application": {
"member": [
"any"
]
},
"apps-allowed-count": "0",
"apps-seen-count": "0",
"bytes": "0",
"category": {
"member": [
"any"
]
},
"days-no-new-app-count": [],
"destination": {
"member": [
"any"
]
},
"first-hit-timestamp": "0",
"from": {
"member": [
"any"
]
},
"hip-profiles": {
"member": [
"any"
]
},
"hit-count": "0",
"last-app-seen-since-count": [],
"last-hit-timestamp": "0",
"last-reset-timestamp": "0",
"rule-creation-timestamp": "1575925916",
"rule-modification-timestamp": "1614045009",
"service": {
"member": [
"application-default"
]
},
"source": {
"member": [
"tip"
]
},
"source-user": {
"member": [
"any"
]
},
"to": {
"member": [
"any"
]
}
}
]
}
}
}

Human Readable Output#

PolicyOptimizer AnyRules:#

@name@uuidactiondescriptionsourcedestination
tip ruleuuidallowmember: tipmember: any

pan-os-po-app-and-usage#


Gets the app usage statistics for a specific security rule.

Base Command#

pan-os-po-app-and-usage

Input#

Argument NameDescriptionRequired
rule_uuidThe UUID of the security rule.Required

Context Output#

PathTypeDescription
PanOS.PolicyOptimizer.AppsAndUsageUnknownShows detailed app usage statistics for specific security rules.

Command Example#

!pan-os-po-app-and-usage rule_uuid=uuid

Human Readable Output#

Rule with UUID:{uuid} does not use apps.

pan-os-get-dag#


Gets a specific dynamic address group.

Base Command#

pan-os-get-dag

Input#

Argument NameDescriptionRequired
dagDynamic address group name.Required

Context Output#

There is no context output for this command.

Command Example#

Human Readable Output#