Palo Alto Networks PAN-OS

This integration supports both Palo Alto Networks Panorama and Palo Alto Networks Firewall. You can create separate instances of each integration, and they are not necessarily related or dependent on one another.

This integration was integrated and tested with version 8.1.0 of Palo Alto Firewall and Palo Alto Panorama.

Panorama Playbook

  • PanoramaCommitConfiguration : Based on the playbook input, the playbook commits the configuration to Palo Alto Firewall, or pushes the configuration from Panorama to predefined device groups of firewalls. The integration is available from Demisto v3.0, but the playbook uses the GenericPolling sub-playbook, which is only available from Demisto v4.0.
  • (Deprecated) PanoramaQueryTrafficLogs : Use the Panorama Query Logs playbook instead. Wraps the following commands with genericPolling to enable a complete flow to query traffic logs.
  • Panorama Query Logs : Wraps several commands (listed below) with genericPolling to enable a complete flow to query the following log types: traffic, threat, URL, data-filtering, and Wildfire.
  • PAN-OS DAG Configuration
  • PAN-OS EDL Setup

Use Cases

  • Create custom security rules in Palo Alto Networks PAN-OS.
  • Creating and updating address objects, address-groups, custom URL categories, URL filtering objects.
  • Get URL Filtering category information from Palo Alto - Request Change is a known Palo Alto limitation.
  • Add URL filtering objects including overrides to Palo Alto Panorama and Firewall
  • Committing configuration to Palo Alto FW and to Panorama, and pushing configuration from Panorama to Pre-Defined Device-Groups of Firewalls.
  • Block IP addresses using registered IP tags from PAN-OS without committing the PAN-OS instance. First you have to create a registered IP tag, DAG, and security rule, and commit the instance. You can then register additional IP addresses to the tag without committing the instance.
    1. Create a registered IP tag and add the necessary IP addresses by running the panorama-register-ip-tag command.

    2. Create a dynamic address group (DAG), by running the panorama-create-address-group command. Specify values for the following arguments: type="dynamic", match={ tagname }.

    3. Create a security rule using the DAG created in the previous step, by running the panorama-create-rule command.

    4. Commit the PAN-OS instance by running the PanoramaCommitConfiguration playbook.

    5. You can now register IP addresses to, or unregister IP addresses from, the IP tag by running the panorama-register-ip-tag command, or panorama-unregister-ip-tag command, respectively, without committing the PAN-OS instance.

  • Create predefined security profiles that follow the Palo Alto Networks best practices.
  • Get security profiles best practices as defined by Palo Alto Networks.
    For more information, see the Palo Alto Networks best practices documentation.
  • Apply security profiles to specific rule.
  • Set default categories to block in the URL filtering profile.
  • Enforce WildFire best practice.
    1. Set file upload to the maximum size.
    2. WildFire Update Schedule is set to download and install updates every minute.
    3. All file types are forwarded.
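
Because step 5 of the registered IP tag procedure above changes what the security rule blocks without a commit, the addresses should be vetted before they are registered. The following added example (not the integration's own code) vets a list of IPs against a hypothetical never-block list and builds the PAN-OS XML API User-ID uid-message that registers or unregisters them under a tag. The tag name, networks, and sample addresses are constructed, and the helper names are assumptions.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Assumption: networks that must never end up in a blocking tag, for example
# management subnets or resolvers (constructed sample values).
NEVER_BLOCK = [ipaddress.ip_network(n) for n in ("10.0.0.0/24", "192.0.2.53/32")]


def vet_ips(candidates, never_block=NEVER_BLOCK):
    """Split candidate strings into (accepted, rejected).

    An entry is rejected when it is not a single valid IP address (CIDR
    ranges and hostnames are refused) or when it falls inside a never-block
    network. Duplicates are silently dropped.
    """
    accepted, rejected, seen = [], [], set()
    for raw in candidates:
        try:
            ip = ipaddress.ip_address(raw.strip())
        except ValueError:
            rejected.append((raw, "not a valid IP address"))
            continue
        if any(ip in net for net in never_block):
            rejected.append((raw, "inside a never-block network"))
            continue
        if ip not in seen:
            seen.add(ip)
            accepted.append(str(ip))
    return accepted, rejected


def build_uid_message(tag, ips, action="register"):
    """Return the User-ID XML payload that tags (or untags) each IP."""
    if action not in ("register", "unregister"):
        raise ValueError("action must be 'register' or 'unregister'")
    if not tag or not tag.strip():
        raise ValueError("tag name is required")
    if not ips:
        raise ValueError("no IP addresses to send")

    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "2.0"
    ET.SubElement(root, "type").text = "update"
    block = ET.SubElement(ET.SubElement(root, "payload"), action)
    for ip in ips:
        entry = ET.SubElement(block, "entry", ip=ip)
        # ElementTree escapes the tag text, so a name such as "a&b" stays valid XML.
        ET.SubElement(ET.SubElement(entry, "tag"), "member").text = tag
    return ET.tostring(root, encoding="unicode")


def api_params(api_key, uid_message):
    """Query parameters for a PAN-OS XML API User-ID request."""
    return {"type": "user-id", "key": api_key, "cmd": uid_message}


if __name__ == "__main__":
    # Constructed input: one duplicate, one protected address, two malformed entries.
    sample = ["198.51.100.7", " 198.51.100.7 ", "10.0.0.5",
              "not-an-ip", "2001:db8::1", "203.0.113.0/24"]
    ok, bad = vet_ips(sample)
    for raw, reason in bad:
        print(f"skipped {raw!r}: {reason}")
    print(build_uid_message("demisto_block", ok))
```
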

Known Limitations

Configure Panorama on Demisto

  1. Navigate to Settings > Integrations > Servers & Services .
  2. Search for Panorama.
  3. Click Add instance to create and configure a new integration instance.
    • Name : a textual name for the integration instance.
    • Server URL (e.g. https://192.168.0.1 )
    • Port
    • API Key
    • Trust any certificate (not secure)
    • Use system proxy settings
    • Device group - Required for Panorama instance . If you want to use a shared location, the value in this field should be "shared".
    • Vsys - Required for Firewall instance (PAN-OS default is 'vsys1'): retrieve this from the Demisto URL, for example: <server_url>:port/<vsys_name>. If you have multiple vsys, select the one to configure on this instance.
  4. Click Test to validate the URLs, token, and connection.

Commands

You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

  1. Run any command supported in the Panorama API: panorama
  2. Commit a configuration: panorama-commit
  3. Push rules from Panorama to a device group: panorama-push-to-device-group
  4. Get a list of addresses: panorama-list-addresses
  5. Get address details: panorama-get-address
  6. Create an address object: panorama-create-address
  7. Delete an address: panorama-delete-address
  8. Get a list of address groups: panorama-list-address-groups
  9. Get details for an address group: panorama-get-address-group
  10. Create an address group: panorama-create-address-group
  11. Delete an address group: panorama-delete-address-group
  12. Edit an address group: panorama-edit-address-group
  13. Get details for a custom URL category: panorama-get-custom-url-category
  14. Create a custom URL category: panorama-create-custom-url-category
  15. Delete a custom URL category: panorama-delete-custom-url-category
  16. Add/Remove sites from a custom URL category: panorama-edit-custom-url-category
  17. Get details for a URL category: panorama-get-url-category
  18. Get details for a URL filtering rule: panorama-get-url-filter
  19. Create a URL filtering rule: panorama-create-url-filter
  20. Edit a URL filter: panorama-edit-url-filter
  21. Delete a URL filtering rule: panorama-delete-url-filter
  22. Create a rule: panorama-create-rule
  23. Create a custom block policy rule: panorama-custom-block-rule
  24. Change the location of a policy rule: panorama-move-rule
  25. Edit a policy rule: panorama-edit-rule
  26. Delete a policy rule: panorama-delete-rule
  27. Get a list of applications: panorama-list-applications
  28. Get the commit status for a configuration: panorama-commit-status
  29. Get the push status for a configuration: panorama-push-status
  30. Get a list of services: panorama-list-services
  31. Get information for a service: panorama-get-service
  32. Create a service: panorama-create-service
  33. Delete a service: panorama-delete-service
  34. Get a list of service groups: panorama-list-service-groups
  35. Get information for a service group: panorama-get-service-group
  36. Create a service group: panorama-create-service-group
  37. Delete a service group: panorama-delete-service-group
  38. Edit a service group: panorama-edit-service-group
  39. Get information for PCAP files: panorama-get-pcap
  40. Get a list of all PCAP files: panorama-list-pcaps
  41. Get a list of EDLs: panorama-list-edls
  42. Get information for an EDL: panorama-get-edl
  43. Create an EDL: panorama-create-edl
  44. Edit an EDL: panorama-edit-edl
  45. Delete an EDL: panorama-delete-edl
  46. Refresh an EDL: panorama-refresh-edl
  47. Register IP addresses to a tag: panorama-register-ip-tag
  48. Unregister IP addresses from a tag: panorama-unregister-ip-tag
  49. Query traffic logs: panorama-query-traffic-logs
  50. Check the query status of traffic logs: panorama-check-traffic-logs-status
  51. Get traffic logs: panorama-get-traffic-logs
  52. Get a list of predefined security rules: panorama-list-rules
  53. Query logs: panorama-query-logs
  54. Check the query status of logs: panorama-check-logs-status
  55. Get the data of a logs query: panorama-get-logs
  56. Checks whether a session matches the specified security policy. This command is only available on Firewall instances: panorama-security-policy-match
  57. Lists the static routes of a virtual router: panorama-list-static-routes
  58. Returns the specified static route of a virtual router: panorama-get-static-route
  59. Adds a static route: panorama-add-static-route
  60. Deletes a static route: panorama-delete-static-route
  61. Show firewall device software version: panorama-show-device-version
  62. Downloads the latest content update: panorama-download-latest-content-update
  63. Checks the download status of a content update: panorama-content-update-download-status
  64. Installs the latest content update: panorama-install-latest-content-update
  65. Gets the installation status of the content update: panorama-content-update-install-status
  66. Checks the PAN-OS software version from the repository: panorama-check-latest-panos-software
  67. Downloads the target PAN-OS software version to install on the target device: panorama-download-panos-version
  68. Gets the download status of the target PAN-OS software: panorama-download-panos-status
  69. Installs the target PAN-OS version on the specified target device: panorama-install-panos-version
  70. Gets the installation status of the PAN-OS software: panorama-install-panos-status
  71. Reboots the Firewall device: panorama-device-reboot
  72. Show the IP location information: panorama-show-location-ip
  73. Get information about PAN-OS available licenses and their statuses: panorama-get-licences
  74. Get information about profiles: panorama-get-security-profiles
  75. Apply profile to specific rules / rules with specific tag: panorama-apply-security-profile
  76. Show ssl decryption rules under policies -> decryption -> rules: panorama-get-ssl-decryption-rules
  77. Retrieve Wildfire Configuration: panorama-get-wildfire-configuration
  78. Set default categories to block in the URL filtering profile: panorama-url-filtering-block-default-categories
  79. Show anti-spyware best practices: panorama-get-anti-spyware-best-practice
  80. Show file-blocking best practices: panorama-get-file-blocking-best-practice
  81. Show anti-virus best practices: panorama-get-antivirus-best-practice
  82. Show vulnerability-protection best practices: panorama-get-vulnerability-protection-best-practice
  83. Show WildFire best practices: panorama-get-wildfire-best-practice
  84. Show URL Filtering best practices: panorama-get-url-filtering-best-practice
  85. Enforce wildfire file upload to the maximum size + all file types are forwarded and update schedule: panorama-enforce-wildfire-best-practice
  86. Create antivirus best practice profile: panorama-create-antivirus-best-practice-profile
  87. Create Anti Spyware best practice profile: panorama-create-anti-spyware-best-practice-profile
  88. Create vulnerability protection best practice profile: panorama-create-vulnerability-best-practice-profile
  89. Create URL filtering best practice profile: panorama-create-url-filtering-best-practice-profile
  90. Create file blocking best practice profile: panorama-create-file-blocking-best-practice-profile
  91. Create WildFire analysis best practice profile: panorama-create-wildfire-best-practice-profile

1. Run any command supported in the PAN-OS API


Run any command supported in the API.

Base Command

panorama

Input
Argument Name Description Required
action Action to take. Can be: show, get, set, edit, delete, rename, clone, move, or override. Optional
category Category parameter. e.g. when exporting a configuration file use category=configuration. Optional
cmd Used for operational commands. cmd specifies the XML structure that defines the command. Optional
command Run a command. e.g. "command = ". Optional
dst Specifies destination. Optional
element Used to define a new value for an object. Optional
to To parameter (used in specifying time and when cloning an object). Optional
from From parameter (used in specifying time and when cloning an object). Optional
key Sets a key value. Optional
where Specifies the type of a move operation (e.g. where=after, where=before, where=top, where=bottom). Optional
period Describe a time period. E.g. period=last-24-hrs. Optional
xpath Defines a location, e.g. xpath=/config/predefined/application/entry[@name='hotmail'] Optional
pcap-id The threat PCAP ID in the threat log. Optional
serialno Specifies the device serial number. Optional
reporttype Choose dynamic, predefined or custom report. Optional
reportname The report name. Optional
log-type Used for retrieving logs. e.g. log-type=threat for threat logs. Optional
type The request type (e.g. export, import, log, config). Optional
search-time Used for threat PCAPs, the time that the PCAP was received on the firewall. Optional
target Target number of the firewall (Panorama instance). Optional

Context Output

There is no context output for this command.

2. Commit a configuration


Commits a configuration to Palo Alto Networks PAN-OS, but does not validate whether the commit was successful. Committing to PAN-OS does not push the configuration to the Firewalls. To push the configuration, run the panorama-push-to-device-group command.

Base Command

panorama-commit

Input

There are no input arguments for this command.

Context Output
Path Type Description
Panorama.Commit.JobID number Job ID of the configuration to commit.
Panorama.Commit.Status string Commit status.

Command Example
!panorama-commit
Human Readable Output


3. Push rules from PAN-OS to a device group


Pushes rules from PAN-OS to the configured device group.

Base Command

panorama-push-to-device-group

Input
Argument Name Description Required
device-group The device group for which to return addresses (Panorama instances). If no value is supplied, the default group configured integration parameter is applied. Optional

Context Output
Path Type Description
Panorama.Push.DeviceGroup string Device group to which the policies were pushed.
Panorama.Push.JobID number Job ID of the configuration to be pushed.
Panorama.Push.Status string Push status.

Command Example
!panorama-push-to-device-group
Human Readable Output


4. Get a list of addresses


Returns a list of addresses.

Base Command

panorama-list-addresses

Input
Argument Name Description Required
device-group The device group for which to return addresses (Panorama instances). If no value is supplied, the default group configured integration parameter is applied. Optional
Tag The tag for which to filter the list of addresses. Optional

Context Output
Path Type Description
Panorama.Addresses.Name string Address name.
Panorama.Addresses.Description string Address description.
Panorama.Addresses.FQDN string Address FQDN.
Panorama.Addresses.IP_Netmask string Address IP netmask.
Panorama.Addresses.IP_Range string Address IP range.
Panorama.Addresses.DeviceGroup string Address device group.
Panorama.Addresses.Tags string Address tags.

Command Example
!panorama-list-addresses
Human Readable Output


5. Get address details


Returns address details for the supplied address name.

Base Command

panorama-get-address

Input
Argument Name Description Required
name Address name. Required
device-group The device group for which to return addresses (Panorama instances). If no value is supplied, the default group configured integration parameter is applied. Optional

Context Output
Path Type Description
Panorama.Addresses.Name string Address name.
Panorama.Addresses.Description string Address description.
Panorama.Addresses.FQDN string Address FQDN.
Panorama.Addresses.IP_Netmask string Address IP netmask.
Panorama.Addresses.IP_Range string Address IP range.
Panorama.Addresses.DeviceGroup string Address device group.
Panorama.Addresses.Tags string Address tags.

Command Example
!panorama-get-address name="Demisto address"
Human Readable Output


6. Create an address object


Creates an address object.

Base Command

panorama-create-address

Input
Argument Name Description Required
name Name for the new address. Required
description A description of the new address. Optional
fqdn FQDN of the new address. Optional
ip_netmask IP netmask of the new address, e.g., 10.10.10.10/24. Optional
ip_range IP range of the new address, e.g., 10.10.10.0-10.10.10.255. Optional
device-group The device group for which to return addresses (Panorama instances). If no value is supplied, the default group configured integration parameter is applied. Optional
tag The tag for the new address Optional

Context Output
Path Type Description
Panorama.Addresses.Name string Address name.
Panorama.Addresses.Description string Address description.
Panorama.Addresses.FQDN string Address FQDN.
Panorama.Addresses.IP_Netmask string Address IP netmask.
Panorama.Addresses.IP_Range string Address IP range.
Panorama.Addresses.DeviceGroup string Address device group.
Panorama.Addresses.Tag string Address tag.

Command Example
!panorama-create-address name="address_test_pb" description="just a desc" ip_range="10.10.10.9-10.10.10.10"
Human Readable Output

7. Delete an address object


Deletes an address object.

Base Command

panorama-delete-address

Input
Argument Name Description Required
name Name of the address to delete. Required
device-group The device group for which to return addresses (Panorama instances). If no value is supplied, the default group configured integration parameter is applied. Optional

Context Output
Path Type Description
Panorama.Addresses.Name string Name of the address that was deleted.

Command Example
!panorama-delete-address name="address_test_pb"
Human Readable Output


8. Get a list of address groups


Returns a list of address groups.

Base Command

panorama-list-address-groups

Input
Argument Name Description Required
device-group The device group for which to return addresses (Panorama instances). If no value is supplied, the default group configured integration parameter is applied. Optional
tag The tag for which to filter the address group. Optional


Context Output
Path Type Description
Panorama.AddressGroups.Name string Address group name.
Panorama.AddressGroups.Type string Address group type.
Panorama.AddressGroups.Match string Dynamic address group match.
Panorama.AddressGroups.Description string Address group description.
Panorama.AddressGroups.Addresses string Static address group addresses.
Panorama.AddressGroups.DeviceGroup string Address device group.
Panorama.AddressGroups.Tag string Address group tag.

Command Example
!panorama-list-address-groups
Human Readable Output


9. Get information for an address group


Returns details for the specified address group. A dynamic address group with a tag returns only the tag name, not the IP addresses associated with the tag.

Base Command

panorama-get-address-group

Input
Argument Name Description Required
name Address group name. Required
device-group The device group for which to return addresses (Panorama instances). If no value is supplied, the default group configured integration parameter is applied. Optional

Context Output
Path Type Description
Panorama.AddressGroups.Name string Address group name.
Panorama.AddressGroups.Type string Address group type.
Panorama.AddressGroups.Match string Dynamic address group match.
Panorama.AddressGroups.Description string Address group description.
Panorama.AddressGroups.Addresses string Static address group addresses.
Panorama.AddressGroups.DeviceGroup string Address device group.
Panorama.AddressGroups.Tags string Address group tags.

Command Example
!panorama-get-address-group name=suspicious_address_group
Human Readable Output


10. Create an address group


Creates a static or dynamic address group.

Base Command

panorama-create-address-group

Input
Argument Name Description Required
name Address group name. Required
type Address group type. Required
match Dynamic address group match. e.g., "1.1.1.1 or 2.2.2.2". Optional
addresses Static address group list of addresses. Optional
description Address group description. Optional
device-group The device group for which to return addresses (Panorama instances). If no value is supplied, the default group configured integration parameter is applied. Optional
tags The tags for the address group. Optional

Context Output
Path Type Description
Panorama.AddressGroups.Name string Address group name.
Panorama.AddressGroups.Type string Address group type.
Panorama.AddressGroups.Match string Dynamic address group match.
Panorama.AddressGroups.Addresses string Static address group list.
Panorama.AddressGroups.Description string Address group description.
Panorama.AddressGroups.DeviceGroup string Address device group.
Panorama.AddressGroups.Tag string Address group tags.

Command Example
!panorama-create-address-group name=suspicious_address_group type=dynamic match=1.1.1.1 description="this ip is very bad"
Human Readable Output


11. Delete an address group


Deletes an address group.

Base Command

panorama-delete-address-group

Input
Argument Name Description Required
name Name of address group to delete. Optional
device-group The device group for which to return addresses (Panorama instances). If no value is supplied, the default group configured integration parameter is applied. Optional

Context Output
Path Type Description
Panorama.AddressGroups.Name string Name of address group that was deleted.

Command Example
!panorama-delete-address-group name="dynamic_address_group_test_pb3"
Human Readable Output


12. Edit an address group


Edits a static or dynamic address group.

Base Command

panorama-edit-address-group

Input
Argument Name Description Required
name Name of the address group to edit. Required
type Address group type. Required
match Address group new match, e.g., "1.1.1.1 and 2.2.2.2". Optional
element_to_add Element to add to the list of the static address group. Only existing Address objects can be added. Optional
element_to_remove Element to remove from the list of the static address group. Only existing Address objects can be added. Optional
description Address group new description. Optional
tag Address group tag to edit. Optional

Context Output
Path Type Description
Panorama.AddressGroups.Name string Address group name.
Panorama.AddressGroups.Type string Address group type.
Panorama.AddressGroups.Filter string Dynamic address group match.
Panorama.AddressGroups.Description string Address group description.
Panorama.AddressGroups.Addresses string Static address group addresses.
Panorama.AddressGroups.DeviceGroup string Address device group.
Panorama.AddressGroups.Tags string Address group tags.

13. Get details for a custom URL category


Returns information for a custom URL category.

Base Command

panorama-get-custom-url-category

Input
Argument Name Description Required
name Custom URL category name. Required
device-group The device group for which to return addresses (Panorama instances). If no value is supplied, the default group configured integration parameter is applied. Optional

Context Output
Path Type Description
Panorama.CustomURLCategory.Name string Custom URL category name.
Panorama.CustomURLCategory.Description string Custom URL category description.
Panorama.CustomURLCategory.Sites string Custom URL category list of sites.

Command Example
!panorama-get-custom-url-category name=my_personal_url_category
Human Readable Output


14. Create a custom URL category


Creates a custom URL category.

Base Command

panorama-create-custom-url-category

Input
Argument Name Description Required
name Name for the custom URL category to create. Required
description Description of the custom URL category to create. Optional
sites List of sites for the custom URL category. Optional
device-group The device group for which to return addresses (Panorama instances). If no value is supplied, the default group configured integration parameter is applied. Optional

Context Output
Path Type Description
Panorama.CustomURLCategory.Name string Custom URL category name
Panorama.CustomURLCategory.Description string Custom URL category description.
Panorama.CustomURLCategory.Sites string Custom URL category list of sites.

Command Example
!panorama-create-custom-url-category name=suspicious_address_group sites=["thepill.com","abortion.com"] description=momo
Human Readable Output


15. Delete a custom URL category


Deletes a custom URL category.

Base Command

panorama-delete-custom-url-category

Input
Argument Name Description Required
name Name of the custom URL category to delete. Optional
device-group The device group for which to return addresses (Panorama instances). If no value is supplied, the default group configured integration parameter is applied. Optional

Context Output
Path Type Description
Panorama.CustomURLCategory.Name string Name of the custom URL category to delete.

Command Example
!panorama-delete-custom-url-category name=suspicious_address_group
Human Readable Output


16. Add/Remove sites from a custom URL category


Add sites to, or remove sites from a custom URL category.

Base Command

panorama-edit-custom-url-category

Input
Argument Name Description Required
name Name of the custom URL category to which to add or remove sites. Required
sites CSV list of sites to add to the custom URL category. Required
action Add or remove sites; "add" or "remove". Required

Context Output
Path Type Description
Panorama.CustomURLCategory.Name string Custom URL category name.
Panorama.CustomURLCategory.Description string Custom URL category description.
Panorama.CustomURLCategory.Sites string Custom URL category list of sites.

Human Readable Output

17. Get details for a URL category


Gets a URL category from URL Filtering.

Base Command

panorama-get-url-category

Input
Argument Name Description Required
url URL to check. Required

Context Output
Path Type Description
Panorama.URLFiltering.URL string URL.
Panorama.URLFiltering.Category string URL category.

Command Example
!panorama-get-url-category url="poker.com"
Human Readable Output


18. Get details for a URL filtering rule


Get information for a URL filtering rule.

Base Command

panorama-get-url-filter

Input
Argument Name Description Required
name URL filter name. Required
device-group The device group for which to return addresses (Panorama instances). If no value is supplied, the default group configured integration parameter is applied. Optional

Context Output
Path Type Description
Panorama.URLFilter.Name string URL filter name.
Panorama.URLFilter.Category.Name string URL filter category name.
Panorama.URLFilter.Category.Action string Action for the URL category.
Panorama.URLFilter.OverrideBlockList string URL filter override block list.
Panorama.URLFilter.OverrideAllowList string URL filter override allow list.
Panorama.URLFilter.Description string URL filter description.

Command Example
!panorama-get-url-filter name=demisto_default_url_filter
Human Readable Output


19. Create a URL filtering rule


Creates a URL filtering rule.

Base Command

panorama-create-url-filter

Input
Argument Name Description Required
name Name of the URL filter to create. Required
url_category One or more URL categories. Required
action Action for the URL categories; "allow", "block", "alert", "continue", "override". Required
override_allow_list CSV list of URLs to exclude from the allow list. Optional
override_block_list CSV list of URLs to exclude from the block list. Optional
description URL filter description. Optional
device-group The device group for which to return addresses (Panorama instances). If no value is supplied, the default group configured integration parameter is applied. Optional

Context Output
Path Type Description
Panorama.URLFilter.Name string URL filter name
Panorama.URLFilter.Category.Name string URL filter category name
Panorama.URLFilter.Category.Action string Action for the URL category
Panorama.URLFilter.OverrideAllowList string URL filter override allow list
Panorama.URLFilter.OverrideBlockList string URL filter override block list
Panorama.URLFilter.Description string URL filter description.

20. Edit a URL filter


Edits a URL filter.

Base Command

panorama-edit-url-filter

Input
Argument Name Description Required
name URL filter to edit Required
element_to_change Element to change; "override_allow_list", "override_block_list" Required
element_value Element value, limited to one value. Required
add_remove_element Whether to add the element_value to, or remove it from, the Allow List field or Block List field. Default is "add". Optional

Context Output
Path Type Description
Panorama.URLFilter.Name string URL filter name.
Panorama.URLFilter.Description string URL filter description.
Panorama.URLFilter.Category.Name string URL filter category.
Panorama.URLFilter.Action string Action for the URL category.
Panorama.URLFilter.OverrideAllowList string Allow Overrides for the URL category.
Panorama.URLFilter.OverrideBlockList string Block Overrides for the URL category.

Command Example
!panorama-edit-url-filter name=demisto_default_url_filter element_to_change=override_allow_list element_value="poker.com" add_remove_element=add
Human Readable Output


21. Delete a URL filtering rule


Deletes a URL filtering rule.

Base Command

panorama-delete-url-filter

Input
Argument Name Description Required
name Name of the URL filter rule to delete. Required
device-group The device group for which to return addresses (Panorama instances). If no value is supplied, the default group configured integration parameter is applied. Optional

Context Output
Path Type Description
Panorama.URLFilter.Name string URL filter rule name that was deleted.

22. Create a policy rule


Creates a policy rule.

Base Command

panorama-create-rule

Input
Argument Name Description Required
rulename Name of the rule to create. Optional
description Description of the rule to create. Optional
action Action for the rule; "allow", "deny", "drop". Required
source Source address; "address", "address group". Optional
destination Destination address; "address", "address group". Optional
source_zone A comma-separated list of source zones. Optional
destination_zone A comma-separated list of destination zones. Optional
negate_source Whether to negate the source (address, address group); "Yes" or "No". Optional
negate_destination Whether to negate the destination (address, address group); "Yes" or "No". Optional
service Service for the rule (service object) to create. Optional
disable Whether to disable the rule; "Yes" or "No" (default is "No"). Optional
application Application for the rule to create. Optional
source_user Source user for the rule to create. Optional
pre_post Pre rule or Post rule. Optional
target Specify a target firewall for the rule. Optional
log_forwarding Log forwarding profile (Panorama instances). Optional
device-group The device group for which to return addresses for the rule (Panorama instances). If no value is supplied, the default group configured integration parameter is applied. Optional
tags Rule tags to create. Optional

Context Output
Path Type Description
Panorama.SecurityRule.Name string Rule name.
Panorama.SecurityRule.Description string Rule description.
Panorama.SecurityRule.Action string Action for the rule.
Panorama.SecurityRule.Source string Source address.
Panorama.SecurityRule.Destination string Destination address.
Panorama.SecurityRule.NegateSource boolean Whether the source is negated (address, address group).
Panorama.SecurityRule.NegateDestination boolean Whether the destination is negated (address, address group).
Panorama.SecurityRule.Service string Service for the rule.
Panorama.SecurityRule.Disabled string Whether the rule is disabled.
Panorama.SecurityRule.Application string Application for the rule.
Panorama.SecurityRule.Target string Target firewall.
Panorama.SecurityRule.LogForwarding string Log forwarding profile (Panorama instances).
Panorama.SecurityRule.DeviceGroup string Device group for the rule (Panorama instances).
Panorama.SecurityRules.Tags string Rule tags.

Command Example
!panorama-create-rule rulename="block_bad_application" description="do not play at work" action="deny" application="fortnite"

23. Create a custom block policy rule


Creates a custom block policy rule.

Base Command

panorama-custom-block-rule

Input
Argument Name Description Required
rulename Name of the custom block policy rule to create. Optional
object_type Object type to block in the policy rule. Can be "ip", "address-group", "edl", or "custom-url-category". Required
object_value Object value. Required
direction Direction to block. Can be "to", "from", or "both". Default is "both". This argument is not applicable to the "custom-url-category" object_type. Optional
pre_post Pre rule or Post rule. Optional
target Specify a target firewall for the rule. Optional
log_forwarding Log forwarding profile (Panorama instances). Optional
device-group The device group for which to return addresses for the rule (Panorama instances). If no value is supplied, the default group configured integration parameter is applied. Optional
tags The tags for the custom block policy rule. Optional

Context Output
Path Type Description
Panorama.SecurityRule.Name string Rule name.
Panorama.SecurityRule.Object string Blocked object.
Panorama.SecurityRule.Direction string Direction blocked.
Panorama.SecurityRule.Target string Target firewall.
Panorama.SecurityRule.LogForwarding string Log forwarding profile (Panorama instances).
Panorama.SecurityRule.DeviceGroup string Device group for the rule (Panorama instances).
Panorama.SecurityRule.Tags string Rule tags.

24. Change the location of a policy rule


Changes the location of a policy rule.

Base Command

panorama-move-rule

Input
Argument Name Description Required
rulename Name of the rule to move. Required
where Where to move the rule to; "before", "after", "top", or "bottom". If you specify "before" or "after", you need to supply the "dst" argument. Required
dst Destination rule relative to the rule you are moving. Only supply this argument if you specified "before" or "after" for the "where" argument. Optional
pre_post Rule location. Optional
device-group The device group for which to return addresses (Panorama instances). If no value is supplied, the default group configured integration parameter is applied. Optional

Context Output
Path Type Description
Panorama.SecurityRule.Name string Rule name.

Command Example
!panorama-move-rule rulename="test_rule3" where="bottom"

25. Edit a policy rule


Edits a policy rule.

Base Command

panorama-edit-rule

Input
Argument Name Description Required
rulename Name of the rule to edit. Required
element_to_change Parameter in the security rule to change. Can be "source", "destination", "application", "action", "category", "description", "disabled", "target", "log-forwarding", or "tag". Required
element_value New value for the parameter. Required
pre_post Pre rule or Post rule (Panorama instances). Optional

Context Output
Path Type Description
Panorama.SecurityRule.Name string Rule name.
Panorama.SecurityRule.Description string Rule description.
Panorama.SecurityRule.Action string Action for the rule.
Panorama.SecurityRule.Source string Source address.
Panorama.SecurityRule.Destination string Destination address.
Panorama.SecurityRule.NegateSource boolean Is the source negated (address, address group).
Panorama.SecurityRule.NegateDestination boolean Is the destination negated (address, address group).
Panorama.SecurityRule.Service string Service for the rule.
Panorama.SecurityRule.Disabled string Is the rule disabled.
Panorama.SecurityRule.Application string Application for the rule.
Panorama.SecurityRule.Target string Target firewall (Panorama instances).
Panorama.SecurityRule.DeviceGroup string Device group for the rule (Panorama instances).
Panorama.SecurityRule.Tags string Tags for the rule.

Command Example
!panorama-edit-rule rulename="block_bad_application" element_to_change=action element_value=drop

26. Delete a policy rule


Deletes a policy rule.

Base Command

panorama-delete-rule

Input
Argument Name Description Required
rulename Name of the rule to delete. Required
pre_post Pre rule or Post rule (Panorama instances). Optional
device-group The device group for which to return addresses (Panorama instances). If no value is supplied, the default group configured integration parameter is applied. Optional

Context Output
Path Type Description
Panorama.SecurityRule.Name string Rule name.

Command Example
!panorama-delete-rule rulename=block_bad_application

27. Get a list of applications


Returns a list of predefined applications.

Base Command

panorama-list-applications

Input

There are no input arguments for this command.

Context Output
Path Type Description
Panorama.Applications.Name string Application name.
Panorama.Applications.Id number Application ID.
Panorama.Applications.Category string Application category.
Panorama.Applications.SubCategory string Application sub-category.
Panorama.Applications.Technology string Application technology.
Panorama.Applications.Risk number Application risk (1-5).
Panorama.Applications.Description string Application description.

Command Example
!panorama-list-applications

28. Get the commit status for a configuration


Get the commit status for a configuration.

Base Command

panorama-commit-status

Input
Argument Name Description Required
job_id Job ID to check. Required

Context Output
Path Type Description
Panorama.Commit.JobID number Job ID of the configuration to be committed.
Panorama.Commit.Status string Commit status.
Panorama.Commit.Details string Job ID details.
Panorama.Commit.Warnings string Job ID warnings.

Command Example
!panorama-commit-status job_id=948

29. Get the push status for a configuration


Get the push status for a configuration.

Base Command

panorama-push-status

Input
Argument Name Description Required
job_id Job ID to check. Required

Context Output
Path Type Description
Panorama.Push.DeviceGroup string Device group to which the policies were pushed.
Panorama.Push.JobID number Job ID of the configuration to be pushed.
Panorama.Push.Status string Push status.
Panorama.Push.Details string Job ID details.

Command Example
!panorama-push-status job_id=951

30. Get a list of services


Returns a list of all services.

Base Command

panorama-list-services

Input
Argument Name Description Required
device-group The device group for which to return addresses (Panorama instances). If no value is supplied, the default group configured integration parameter is applied. Optional
tag The tag for which to filter the service. Optional


Context Output
Path Type Description
Panorama.Services.Name string Service name.
Panorama.Services.Protocol string Service protocol.
Panorama.Services.Description string Service description.
Panorama.Services.DestinationPort string Service destination port.
Panorama.Services.SourcePort string Service source port.
Panorama.Services.DeviceGroup string Service device group.
Panorama.Services.Tags string Service tags.

Command Example
!panorama-list-services

31. Get information for a service


Returns service details for the supplied service name.

Base Command

panorama-get-service

Input
Argument Name Description Required
name Service name. Optional
device-group The device group for which to return addresses (Panorama instances). If no value is supplied, the default group configured integration parameter is applied. Optional

Context Output
Path Type Description
Panorama.Services.Name string Service name.
Panorama.Services.Protocol string Service protocol.
Panorama.Services.Description string Service descriptions.
Panorama.Services.DestinationPort string Service destination port.
Panorama.Services.SourcePort string Service source port.
Panorama.Services.DeviceGroup string Service device group.
Panorama.Service.Tags string Service tags.

Command Example
!panorama-get-service name=guy_ser3

32. Create a service


Creates a service.

Base Command

panorama-create-service

Input
Argument Name Description Required
name Name for the new service. Required
protocol Protocol for the new service. Required
destination_port Destination port for the new service. Required
source_port Source port for the new service. Optional
description Description of the new service. Optional
device-group The device group for which to return addresses (Panorama instances). If no value is supplied, the default group configured integration parameter is applied. Optional
tags The tags for the new service. Optional

Context Output
Path Type Description
Panorama.Services.Name string Service name.
Panorama.Services.Protocol string Service protocol.
Panorama.Services.Description string Service descriptions.
Panorama.Services.DestinationPort string Service destination port.
Panorama.Services.SourcePort string Service source port.
Panorama.Services.DeviceGroup string Service device group.
Panorama.Services.Tags string Service tags.

Command Example
!panorama-create-service name=guy_ser3 protocol=udp destination_port=36 description=bfds

33. Delete a service


Deletes a service.

Base Command

panorama-delete-service

Input
Argument Name Description Required
name Name of the service to delete. Required
device-group The device group for which to return addresses (Panorama instances). If no value is supplied, the default group configured integration parameter is applied. Optional

Context Output
Path Type Description
Panorama.Services.Name string Service name.

Command Example
!panorama-delete-service name=guy_ser3

34. Get a list of service groups


Returns a list of service groups.

Base Command

panorama-list-service-groups

Input
Argument Name Description Required
device-group The device group for which to return addresses (Panorama instances). If no value is supplied, the default group configured integration parameter is applied. Optional

Context Output
Path Type Description
Panorama.ServiceGroups.Name string Service group name.
Panorama.ServiceGroups.Services string Service group related services.
Panorama.ServiceGroups.DeviceGroup string Service device group.
Panorama.ServiceGroups.Tags string Service tags.

Command Example
!panorama-list-service-groups

35. Get information for a service group


Returns details for the specified service group.

Base Command

panorama-get-service-group

Input
Argument Name Description Required
name Service group name. Required
device-group The device group for which to return addresses (Panorama instances). If no value is supplied, the default group configured integration parameter is applied. Optional

Context Output
Path Type Description
Panorama.ServiceGroups.Name string Service group name.
Panorama.ServiceGroups.Services string Service group related services.
Panorama.ServiceGroups.DeviceGroup string Service device group.
Panorama.ServiceGroups.Tags string Service group tags.

Command Example
!panorama-get-service-group name=ser_group6

36. Create a service group


Creates a service group.

Base Command

panorama-create-service-group

Input
Argument Name Description Required
name Service group Name. Required
services Service group related services. Required
device-group The device group for which to return addresses (Panorama instances). If no value is supplied, the default group configured integration parameter is applied. Optional
tags The tags for which to filter the service groups. Optional

Context Output
Path Type Description
Panorama.ServiceGroups.Name string Service group name.
Panorama.ServiceGroups.Services string Service group related services.
Panorama.ServiceGroups.DeviceGroup string Service device group.
Panorama.ServiceGroups.Tags string Service group tags.

Command Example
!panorama-create-service-group name=lalush_sg4 services=`["demisto_service1","demi_service_test_pb"]`


37. Delete a service group


Deletes a service group.

Base Command

panorama-delete-service-group

Input
Argument Name Description Required
name Name of the service group to delete. Required
device-group The device group for which to return addresses (Panorama instances). If no value is supplied, the default group configured integration parameter is applied. Optional

Context Output
Path Type Description
Panorama.ServiceGroups.Name string Name of the service group that was deleted.
Panorama.ServiceGroups.DeviceGroup string Device group for the service group that was deleted (Panorama instances).

Command Example
!panorama-delete-service-group name=lalush_sg4

38. Edit a service group


Modifies details of a service group.

Base Command

panorama-edit-service-group

Input
Argument Name Description Required
name Service group name Required
services_to_remove Services to remove from the service group. Only existing Services objects can be removed. Optional
services_to_add Services to add to the service group. Only existing Services objects can be added. Optional
tags Services group tag to edit. Optional

Context Output
Path Type Description
Panorama.ServiceGroups.Name string Service group name.
Panorama.ServiceGroups.Services string Service group related services.
Panorama.ServiceGroups.DeviceGroup string Service device group.
Panorama.ServiceGroups.Tags string Service group tags.

Command Example
!panorama-edit-service-group name=lalush_sg4 services_to_remove=`["serice_udp_test_pb","demisto_service1"]`

39. Get information for a PCAP file


Returns information for a Panorama PCAP file. The recommended maximum file size is 5 MB. If the limit is exceeded, you might need to SSH to the firewall and run the scp export command to export the PCAP file. For more information, see the Palo Alto Networks documentation.

Base Command

panorama-get-pcap

Input
Argument Name Description Required
pcapType The type of packet capture. Required
from The file name for the PCAP type ("dlp-pcap", "filters-pcap", "application-pcap"). Optional
localName The new name for the PCAP file after downloading. If this argument is not specified, the file name will be the PCAP file name that was set in the firewall. Optional
serialNo The serial number for the request. For more information, see the Panorama XML API Documentation. Optional
searchTime The search time for the request. For more information, see the Panorama XML API Documentation. Optional
pcapID The ID of the PCAP for the request. For more information, see the Panorama XML API Documentation. Optional
password The password for Panorama. This is only required for the "dlp-pcap" PCAP type. Optional

Context Output
Path Type Description
File.Size number The file size.
File.Name string The file name.
File.Type string The file type.
File.Info string The file info.
File.Extenstion string The file extension.
File.EntryID string The file entryID.
File.MD5 string The MD5 hash of the file.
File.SHA1 string The SHA-1 hash of the file.
File.SHA256 string The SHA-256 hash of the file.

Command Example
!panorama-get-pcap pcapType="filter-pcap" from=pcap_test

40. Get a list of all PCAP files


Returns a list of all Panorama PCAP files, by PCAP type.

Base Command

panorama-list-pcaps

Input
Argument Name Description Required
pcapType The type of packet capture. Required
from The file name for the PCAP type (“dlp-pcap”, “filters-pcap”, “application-pcap”). For “application-pcap”, also use . Optional
password The password for Panorama. This is only required for the “dlp-pcap” PCAP type. Optional

Context Output
Path Type Description
Panorama.Pcaps.Name string The PCAP name.

Command Example
!panorama-list-pcaps pcapType="filter-pcap"

41. Get a list of EDLs


Returns a list of external dynamic lists.

Base Command

panorama-list-edls

Input
Argument Name Description Required
device-group The device group for which to return addresses (Panorama instances). If no value is supplied, the default group configured integration parameter is applied. Optional

Context Output
Path Type Description
Panorama.EDL.Name string Name of the EDL.
Panorama.EDL.Type string The type of EDL.
Panorama.EDL.URL string URL in which the EDL is stored.
Panorama.EDL.Description string Description of the EDL.
Panorama.EDL.CertificateProfile string EDL certificate profile.
Panorama.EDL.Recurring string Time interval that the EDL was pulled and updated.

Command Example
!panorama-list-edls

42. Get information for an EDL


Returns information for an external dynamic list.

Base Command

panorama-get-edl

Input
Argument Name Description Required
name Name of the EDL. Required
device-group The device group for which to return addresses (Panorama instances). If no value is supplied, the default group configured integration parameter is applied. Optional

Context Output
Path Type Description
Panorama.EDL.Name string Name of the EDL.
Panorama.EDL.Type string The type of EDL.
Panorama.EDL.URL string URL in which the EDL is stored.
Panorama.EDL.Description string Description of the EDL.
Panorama.EDL.CertificateProfile string EDL certificate profile.
Panorama.EDL.Recurring string Time interval that the EDL was pulled and updated.

Command Example
!panorama-get-edl name=test_pb_domain_edl_DONT_DEL

43. Create an EDL


Creates an external dynamic list.

Base Command

panorama-create-edl

Input
Argument Name Description Required
name Name of the EDL. Required
url URL from which to pull the EDL. Required
type The type of EDL. Required
recurring Time interval for pulling and updating the EDL. Required
certificate_profile Certificate Profile name for the URL that was previously uploaded to PAN-OS. Optional
description Description of the EDL. Optional
device-group The device group for which to return addresses (Panorama instances). If no value is supplied, the default group configured integration parameter is applied. Optional

Context Output
Path Type Description
Panorama.EDL.Name string Name of the EDL.
Panorama.EDL.Type string The type of EDL.
Panorama.EDL.URL string URL in which the EDL is stored.
Panorama.EDL.Description string Description of the EDL.
Panorama.EDL.CertificateProfile string EDL certificate profile.
Panorama.EDL.Recurring string Time interval that the EDL was pulled and updated.

44. Edit an EDL


Modifies an element of an external dynamic list.

Base Command

panorama-edit-edl

Input
Argument Name Description Required
name Name of the external dynamic list to edit. Required
element_to_change The element to change (“url”, “recurring”, “certificate_profile”, “description”). Required
element_value The element value. Required

Context Output
Path Type Description
Panorama.EDL.Name string Name of the EDL.
Panorama.EDL.URL string URL in which the EDL is stored.
Panorama.EDL.Description string Description of the EDL.
Panorama.EDL.CertificateProfile string EDL certificate profile.
Panorama.EDL.Recurring string Time interval that the EDL was pulled and updated.

Command Example
!panorama-edit-edl name=test_pb_domain_edl_DONT_DEL element_to_change=description element_value="new description3"

45. Delete an EDL


Deletes an external dynamic list.

Base Command

panorama-delete-edl

Input
Argument Name Description Required
name Name of the EDL to delete. Required
device-group The device group for which to return addresses (Panorama instances). If no value is supplied, the default group configured integration parameter is applied. Optional

Context Output
Path Type Description
Panorama.EDL.Name string Name of the EDL that was deleted.

Command Example
!panorama-delete-edl name=shani_uel33

46. Refresh an EDL


Refreshes the specified external dynamic list.

Base Command

panorama-refresh-edl

Input
Argument Name Description Required
name Name of the EDL. Required
device-group The device group for which to return addresses (Panorama instances). If no value is supplied, the default group configured integration parameter is applied. Optional

Context Output

There is no context output for this command.

Command Example
!panorama-refresh-edl name=domain_edl66

47. Register IP addresses to a tag


Registers IP addresses to a tag.

Base Command

panorama-register-ip-tag

Input
Argument Name Description Required
tag Tag to which to register IP addresses. Required
IPs IP addresses to register. Required
persistent Whether the IP addresses remain registered to the tag after device reboots ("True": persistent, "False": non-persistent). Default is "True". Optional

Context Output
Path Type Description
Panorama.DynamicTags.Tag string Name for the tag.
Panorama.DynamicTags.IPs string Registered IP addresses.

Command Example
!panorama-register-ip-tag tag=tag02 IPs=["10.0.0.13","10.0.0.14"]

48. Unregister IP addresses from a tag


Unregisters IP addresses from a tag.

Base Command

panorama-unregister-ip-tag

Input
Argument Name Description Required
tag Tag from which to unregister IP addresses. Required
IPs IP addresses to unregister. Required

Command Example
!panorama-unregister-ip-tag tag=tag02 IPs=`["10.0.0.13","10.0.0.14"]`

49. Query traffic logs


Queries traffic logs.

Base Command

panorama-query-traffic-logs

Input
Argument Name Description Required
query Specifies the match criteria for the logs. This is similar to the query provided in the web interface under the Monitor tab when viewing the logs. Optional
number_of_logs The number of logs to retrieve. Default is 100. Maximum is 5,000. Optional
direction Whether logs are shown oldest first (forward) or newest first (backward). Default is backward. Optional
source Source address for the query. Optional
destination Destination address for the query. Optional
receive_time Date and time after which logs were received, in the format: YYYY/MM/DD HH:MM:SS. Optional
application Application for the query. Optional
to_port Destination port for the query. Optional
action Action for the query. Optional

Context Output
Path Type Description
Panorama.TrafficLogs.JobID Number Job ID of the traffic logs query.
Panorama.TrafficLogs.Status String Status of the traffic logs query.

Command Example
!panorama-query-traffic-logs query="" number_of_logs="100" direction="backward" source="" destination="" receive_time="" application="" to_port="" action="allow"

50. Check the query status of traffic logs


Checks the query status of traffic logs.

Base Command

panorama-check-traffic-logs-status

Input
Argument Name Description Required
job_id Job ID of the query. Required

Context Output
Path Type Description
Panorama.TrafficLogs.JobID Number Job ID of the traffic logs query.
Panorama.TrafficLogs.Status String Status of the traffic logs query.

Command Example
!panorama-check-traffic-logs-status job_id="1865"

51. Get traffic logs


Retrieves traffic log query data by job ID.

Base Command

panorama-get-traffic-logs

Input
Argument Name Description Required
job_id Job ID of the query. Required

Context Output
Path Type Description
Panorama.TrafficLogs.JobID Number Job ID of the traffic logs query.
Panorama.TrafficLogs.Status String Status of the traffic logs query.
Panorama.TrafficLogs.Logs.Action String Action of the traffic log.
Panorama.TrafficLogs.Logs.ActionSource String Action source of the traffic log.
Panorama.TrafficLogs.Logs.Application String Application of the traffic log.
Panorama.TrafficLogs.Logs.Category String Category of the traffic log.
Panorama.TrafficLogs.Logs.DeviceName String Device name of the traffic log.
Panorama.TrafficLogs.Logs.Destination String Destination of the traffic log.
Panorama.TrafficLogs.Logs.DestinationPort String Destination port of the traffic log.
Panorama.TrafficLogs.Logs.FromZone String From zone of the traffic log.
Panorama.TrafficLogs.Logs.Protocol String Protocol of the traffic log.
Panorama.TrafficLogs.Logs.ReceiveTime String Receive time of the traffic log.
Panorama.TrafficLogs.Logs.Rule String Rule of the traffic log.
Panorama.TrafficLogs.Logs.SessionEndReason String Session end reason of the traffic log.
Panorama.TrafficLogs.Logs.Source String Source of the traffic log.
Panorama.TrafficLogs.Logs.SourcePort String Source port of the traffic log.
Panorama.TrafficLogs.Logs.StartTime String Start time of the traffic log.
Panorama.TrafficLogs.Logs.ToZone String To zone of the traffic log.

Command Example
!panorama-get-traffic-logs job_id="1865"

52. Get a list of predefined security rules


Returns a list of predefined security rules.

Base Command

panorama-list-rules

Input
Argument Name Description Required
pre_post Rules location. Can be "pre-rulebase" or "post-rulebase". Mandatory for Panorama instances. Optional
device-group The device group for which to return addresses (Panorama instances). If no value is supplied, the default group configured integration parameter is applied. Optional
tag The tag for which to filter the rules. Optional

Context Output
Path Type Description
Panorama.SecurityRule.Name String Rule name.
Panorama.SecurityRule.Action String Action for the rule.
Panorama.SecurityRule.Location String Rule location.
Panorama.SecurityRule.Category String Rule category.
Panorama.SecurityRule.Application String Application for the rule.
Panorama.SecurityRule.Destination String Destination address.
Panorama.SecurityRule.From String Rule from.
Panorama.SecurityRule.Service String Service for the rule.
Panorama.SecurityRule.To String Rule to.
Panorama.SecurityRule.Source String Source address.
Panorama.SecurityRule.DeviceGroup String Device group for the rule (Panorama instances).
Panorama.SecurityRules.Tags String Rule tags.

Command Example
!panorama-list-rules

53. Query logs


Query logs in Panorama.

Base Command

panorama-query-logs

Input
Argument Name Description Required
log-type The log type. Can be "threat", "traffic", "wildfire", "url", or "data". Required
query The query string by which to match criteria for the logs. This is similar to the query provided in the web interface under the Monitor tab when viewing the logs. Optional
time-generated The time the log was generated; logs generated at this timestamp or prior to it are matched. For example: "2019/08/11 01:10:44". Optional
addr-src Source address. Optional
ip The source or destination IP address.
addr-dst Destination address. Optional
zone-src Source zone. Optional
zone-dst Destination zone. Optional
action Rule action. Optional
port-dst Destination port. Optional
rule Rule name, for example: "Allow all outbound". Optional
url URL, for example: "safebrowsing.googleapis.com". Optional
filedigest File hash (for WildFire logs only). Optional
number_of_logs Maximum number of logs to retrieve. If empty, the default is 100. The maximum is 5,000. Optional
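
One way to assemble the query argument from validated field values before calling panorama-query-logs, as an added example (not the integration's own code). The filter field names and operators (addr.src in, port.dst eq, time_generated leq, and so on) are assumed from the PAN-OS Monitor tab filter syntax that the query description refers to; build_log_query_args and its allow-list patterns are hypothetical.

```python
import ipaddress
import re
from datetime import datetime

LOG_TYPES = {"threat", "traffic", "wildfire", "url", "data"}  # log-type values on this page
DEFAULT_LOGS, MAX_LOGS = 100, 5000                             # number_of_logs default and cap

SHA256_RE = re.compile(r"[0-9a-fA-F]{64}")
ACTION_RE = re.compile(r"[a-z][a-z-]{0,31}")
# Assumption: conservative allow-lists; neither admits quotes or parentheses.
NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9 ._-]{0,62}")
HOST_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9./_-]{0,252}")


def _address(value):
    """Return a normalised IP address or CIDR block; ValueError if malformed."""
    value = str(value).strip()
    if "/" in value:
        return str(ipaddress.ip_network(value, strict=False))
    return str(ipaddress.ip_address(value))


def _checked(pattern, value, label):
    """Allow-list check so filter syntax cannot be smuggled in through a value."""
    value = str(value).strip()
    if not pattern.fullmatch(value):
        raise ValueError(f"invalid {label}: {value!r}")
    return value


def build_log_query_args(log_type, *, addr_src=None, addr_dst=None, ip=None,
                         zone_src=None, zone_dst=None, action=None,
                         port_dst=None, rule=None, url=None, filedigest=None,
                         time_generated=None, number_of_logs=None):
    """Validate the inputs and return the argument map for panorama-query-logs."""
    if log_type not in LOG_TYPES:
        raise ValueError(f"unsupported log-type: {log_type!r}")
    if filedigest and log_type != "wildfire":
        raise ValueError("filedigest applies to WildFire logs only")

    count = DEFAULT_LOGS if number_of_logs in (None, "") else int(number_of_logs)
    if not 1 <= count <= MAX_LOGS:
        raise ValueError(f"number_of_logs must be between 1 and {MAX_LOGS}")

    clauses = []
    if addr_src:
        clauses.append(f"(addr.src in {_address(addr_src)})")
    if addr_dst:
        clauses.append(f"(addr.dst in {_address(addr_dst)})")
    if ip:  # matches the address as either source or destination
        addr = _address(ip)
        clauses.append(f"((addr.src in {addr}) or (addr.dst in {addr}))")
    if zone_src:
        zone = _checked(NAME_RE, zone_src, "zone-src")
        clauses.append(f"(zone.src eq '{zone}')")
    if zone_dst:
        zone = _checked(NAME_RE, zone_dst, "zone-dst")
        clauses.append(f"(zone.dst eq '{zone}')")
    if action:
        clauses.append(f"(action eq {_checked(ACTION_RE, action, 'action')})")
    if port_dst not in (None, ""):
        port = int(port_dst)
        if not 0 <= port <= 65535:
            raise ValueError(f"invalid port-dst: {port_dst!r}")
        clauses.append(f"(port.dst eq {port})")
    if rule:
        name = _checked(NAME_RE, rule, "rule")
        clauses.append(f"(rule eq '{name}')")
    if url:
        host = _checked(HOST_RE, url, "url")
        clauses.append(f"(url contains '{host}')")
    if filedigest:
        digest = _checked(SHA256_RE, filedigest, "filedigest").lower()
        clauses.append(f"(filedigest eq {digest})")
    if time_generated:
        # Format stated on this page: YYYY/MM/DD HH:MM:SS
        stamp = datetime.strptime(str(time_generated).strip(), "%Y/%m/%d %H:%M:%S")
        clauses.append(f"(time_generated leq '{stamp:%Y/%m/%d %H:%M:%S}')")

    return {
        "log-type": log_type,
        "query": " and ".join(clauses),
        "number_of_logs": str(count),
    }


if __name__ == "__main__":
    # Constructed sample input, reusing values from the command examples on this page.
    print(build_log_query_args("data", addr_src="192.168.1.12"))
```

A value that contains a quote or parenthesis, such as a rule name taken from an incident field, is rejected with ValueError instead of being spliced into the filter.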

Context Output
Path Type Description
Panorama.Monitor.JobID String Job ID of the logs query.
Panorama.Monitor.Status String Status of the logs query.
Panorama.Monitor.Message String Message of the logs query.

Command Example
!panorama-query-logs log-type=data query=( addr.src in 192.168.1.12 )

Command Example
!panorama-query-logs log-type=wildfire filedigest=4f79697b40d0932e91105bd496908f8e02c130a0e36f6d3434d6243e79ef82e0

54. Check log query status


Checks the status of a logs query.

Base Command

panorama-check-logs-status

Input
Argument Name Description Required
job_id Job ID of the query. Required

Context Output
Path Type Description
Panorama.Monitor.JobID String Job ID of the logs query.
Panorama.Monitor.Status String Status of the logs query.

Command Example
!panorama-check-logs-status job_id=657

55. Get log query data


Retrieves the data of a logs query.

Base Command

panorama-get-logs

Input
Argument Name Description Required
job_id Job ID of the query. Required
ignore_auto_extract Whether to auto-enrich the War Room entry. If "true", entry is not auto-enriched. If "false", entry is auto-extracted. Default is "true". Optional

Context Output
Path Type Description
Panorama.Monitor.Action String Action taken for the session. Can be "alert", "allow", "deny", "drop", "drop-all-packets", "reset-client", "reset-server", "reset-both", or "block-url".
Panorama.Monitor.Application String Application associated with the session.
Panorama.Monitor.Bytes String Total log bytes.
Panorama.Monitor.BytesReceived String Log bytes received.
Panorama.Monitor.BytesSent String Log bytes sent.
Panorama.Monitor.Category String The URL category of the URL subtype. For WildFire subtype, it is the verdict on the file, and can be either "malicious", "phishing", "grayware", or "benign". For other subtypes, the value is "any".
Panorama.Monitor.DeviceName String The hostname of the firewall on which the session was logged.
Panorama.Monitor.DestinationAddress String Original session destination IP address.
Panorama.Monitor.DestinationUser String Username of the user to which the session was destined.
Panorama.Monitor.DestinationCountry String Destination country or internal region for private addresses. Maximum length is 32 bytes.
Panorama.Monitor.DestinationPort String Destination port utilized by the session.
Panorama.Monitor.FileDigest String Only for the WildFire subtype, all other types do not use this field. The filedigest string shows the binary hash of the file sent to be analyzed by the WildFire service.
Panorama.Monitor.FileName String File name or file type when the subtype is file. File name when the subtype is virus. File name when the subtype is wildfire-virus. File name when the subtype is wildfire.
Panorama.Monitor.FileType String Only for the WildFire subtype, all other types do not use this field. Specifies the type of file that the firewall forwarded for WildFire analysis.
Panorama.Monitor.FromZone String The zone from which the session was sourced.
Panorama.Monitor.URLOrFilename String The actual URI when the subtype is url. File name or file type when the subtype is file. File name when the subtype is virus. File name when the subtype is wildfire-virus. File name when the subtype is wildfire. URL or file name when the subtype is vulnerability (if applicable)
Panorama.Monitor.NATDestinationIP String If destination NAT performed, the post-NAT destination IP address.
Panorama.Monitor.NATDestinationPort String Post-NAT destination port.
Panorama.Monitor.NATSourceIP String If source NAT performed, the post-NAT source IP address.
Panorama.Monitor.NATSourcePort String Post-NAT source port.
Panorama.Monitor.PCAPid String The packet capture (pcap) ID is a 64-bit unsigned integer denoting an ID to correlate threat pcap files with extended pcaps taken as a part of that flow. All threat logs will contain either a pcap_id of 0 (no associated pcap), or an ID referencing the extended pcap file.
Panorama.Monitor.IPProtocol String IP protocol associated with the session.
Panorama.Monitor.Recipient String Only for the WildFire subtype; all other types do not use this field. Specifies the name of the receiver of an email that WildFire determined to be malicious when analyzing an email link forwarded by the firewall.
Panorama.Monitor.Rule String Name of the rule that the session matched.
Panorama.Monitor.RuleID String ID of the rule that the session matched.
Panorama.Monitor.ReceiveTime String Time the log was received at the management plane.
Panorama.Monitor.Sender String Only for the WildFire subtype; all other types do not use this field. Specifies the name of the sender of an email that WildFire determined to be malicious when analyzing an email link forwarded by the firewall.
Panorama.Monitor.SessionID String An internal numerical identifier applied to each session.
Panorama.Monitor.DeviceSN String The serial number of the firewall on which the session was logged.
Panorama.Monitor.Severity String Severity associated with the threat. Can be "informational", "low", "medium", "high", or "critical".
Panorama.Monitor.SourceAddress String Original session source IP address.
Panorama.Monitor.SourceCountry String Source country or internal region for private addresses. Maximum length is 32 bytes.
Panorama.Monitor.SourceUser String Username of the user who initiated the session.
Panorama.Monitor.SourcePort String Source port utilized by the session.
Panorama.Monitor.ThreatCategory String Describes threat categories used to classify different types of threat signatures.
Panorama.Monitor.Name String Palo Alto Networks identifier for the threat. It is a description string followed by a 64-bit numerical identifier.
Panorama.Monitor.ID String Palo Alto Networks ID for the threat.
Panorama.Monitor.ToZone String The zone to which the session was destined.
Panorama.Monitor.TimeGenerated String Time that the log was generated on the dataplane.
Panorama.Monitor.URLCategoryList String A list of the URL filtering categories that the firewall used to enforce the policy.

Command Example
!panorama-get-logs job_id=678
Human Readable Output


Command Example
!panorama-get-logs job_id=676
Human Readable Output


Playbook Videos

These videos show how to set up and use the PAN-OS DAG Configuration playbook and the PAN-OS EDL Setup playbook.

PAN-OS DAG Configuration

PAN-OS EDL Setup

77. panorama-get-licences


Get information about PAN-OS available licenses and their statuses.

Base Command

panorama-get-licences

Input
There are no inputs for this command.

Context Output
Path Type Description
Panorama.License.Authcode String License authentication code.
Panorama.License.Base-license-name String Base License name.
Panorama.License.Description String The License description.
Panorama.License.Expired String Whether the license is expired.
Panorama.License.Expires String When the license expires.
Panorama.License.Feature String The license feature.
Panorama.License.Issued String When the license was issued.
Panorama.License.Serial String The license serial.

Command Example

!panorama-get-licences

Human Readable Output
Authcode Description Feature Serial Expired Expires Issued
I9805928 NFR Support NFR Support 007DEMISTO1t no Never November 25, 2019

78. panorama-get-security-profiles


Get information about profiles.

Base Command

panorama-get-security-profiles

Input
Argument Name Description Required
security_profile The security profile to get. Optional

Context Output
Path Type Description
Panorama.Spyware.Name String Profile Name.
Panorama.Spyware.Rules.Action String The rule action.
Panorama.Spyware.Rules.Cateogry String The category to apply the rule on.
Panorama.Spyware.Rules.Name String Rule name.
Panorama.Spyware.Rules.Packet-capture String Is packet capture enabled.
Panorama.Spyware.Rules.Severity String Rule severity.
Panorama.Spyware.Rules.Threat-name String Threat name to apply the rule.
Panorama.URLFilter.Name String Profile name.
Panorama.URLFilter.Rules.Category.Action String Rule action to apply on the category.
Panorama.URLFilter.Rules.Category.Name String Category name.
Panorama.WildFire.Name String WildFire profile name.
Panorama.WildFire.Rules.Analysis String Rule analysis.
Panorama.WildFire.Rules.Application String Application to apply the rule on.
Panorama.WildFire.Rules.File-type String File type to apply the rule on.
Panorama.WildFire.Rules.Name String Rule name.
Panorama.Vulnerability.Name String Vulnerability profile name.
Panorama.Vulnerability.Rules.Vendor-id String Vendor ID to apply the rule on.
Panorama.Vulnerability.Rules.Packet-capture String Is packet capture enabled.
Panorama.Vulnerability.Rules.Host String Rule host.
Panorama.Vulnerability.Rules.Name String Rule name.
Panorama.Vulnerability.Rules.Cateogry String Category to apply the rule on.
Panorama.Vulnerability.Rules.CVE String CVE to apply the rule on.
Panorama.Vulnerability.Rules.Action String Rule action.
Panorama.Vulnerability.Rules.Severity String Rule severity.
Panorama.Vulnerability.Rules.Threat-name String Threat to apply the rule on.
Panorama.Antivirus.Name String Antivirus profile name.
Panorama.Antivirus.Rules.Action String Rule action.
Panorama.Antivirus.Rules.Name String Rule name.
Panorama.Antivirus.Rules.WildFire-action String WildFire action.
Panorama.FileBlocking.Name String File blocking profile name.
Panorama.FileBlocking.Rules.Action String Rule action.
Panorama.FileBlocking.Rules.Application String Application to apply the rule.
Panorama.FileBlocking.Rules.File-type String File type to apply the rule.
Panorama.FileBlocking.Rules.Name String Rule name.
Panorama.DataFiltering.Name String Data filtering profile name.
Panorama.DataFiltering.Rules.Alert-threshold String Alert threshold.
Panorama.DataFiltering.Rules.Application String Application to apply the rule.
Panorama.DataFiltering.Rules.Block-threshold String Block threshold.
Panorama.DataFiltering.Rules.Data-object String Data object.
Panorama.DataFiltering.Rules.Direction String Rule direction.
Panorama.DataFiltering.Rules.File-type String File type to apply the rule on.
Panorama.DataFiltering.Rules.Log-severity String Log severity.
Panorama.DataFiltering.Rules.Name String Rule name.

Command Example

!panorama-get-security-profiles security_profile=spyware

Human Readable Output

Name Rules
best-practice {'Name': 'simple-critical', 'Action': {'reset-both': None}, 'Category': 'any', 'Severity': 'critical', 'Threat-name': 'any', 'Packet-capture': 'disable'},

{'Name': 'simple-high', 'Action': {'reset-both': None}, 'Category': 'any', 'Severity': 'high', 'Threat-name': 'any', 'Packet-capture': 'disable'},

{'Name': 'simple-medium', 'Action': {'reset-both': None}, 'Category': 'any', 'Severity': 'medium', 'Threat-name': 'any', 'Packet-capture': 'disable'},

{'Name': 'simple-informational', 'Action': {'default': None}, 'Category': 'any', 'Severity': 'informational', 'Threat-name': 'any', 'Packet-capture': 'disable'},

{'Name': 'simple-low', 'Action': {'default': None}, 'Category': 'any', 'Severity': 'low', 'Threat-name': 'any', 'Packet-capture': 'disable'}

79. panorama-apply-security-profile


Apply profile to specific rules / rules with specific tag.

Base Command

panorama-apply-security-profile

Input
Argument Name Description Required
profile_type Security profile type. Required
rule_name The rule name to apply. Required
profile_name The profile name to apply to the rule. Required
pre_post Rules location. Can be 'pre-rulebase' or 'post-rulebase'. Mandatory for Panorama instances. Optional

Context Output
There is no context output for this command.

Command Example

!panorama-apply-security-profile profile_name=test profile_type=spyware rule_name=rule1 pre_post="pre-rulebase"

Human Readable Output

The profile test has been applied to the rule rule1

80. panorama-get-ssl-decryption-rules


Show SSL decryption rules under Policies -> Decryption -> Rules.

Base Command

panorama-get-ssl-decryption-rules

Input
Argument Name Description Required
pre_post Rules location. Can be 'pre-rulebase' or 'post-rulebase'. Mandatory for Panorama instances. Optional

Context Output
Path Type Description
Panorama.SSLRule.From String SSL rule from source.
Panorama.SSLRule.Name String Name of the SSL rule.
Panorama.SSLRule.Destination String Destination of the SSL rule.
Panorama.SSLRule.Target String The target of the SSL rule.
Panorama.SSLRule.Service String SSL rule service.
Panorama.SSLRule.Action String SSL rule action.
Panorama.SSLRule.Type String SSL rule type.
Panorama.SSLRule.Source String The source of the SSL rule.
Panorama.SSLRule.To String SSL rule to destination.
Panorama.SSLRule.UUID String SSL rule UUID.
Panorama.SSLRule.Description String SSL rule description.
Panorama.SSLRule.Source-user String SSL rule source user.
Panorama.SSLRule.Category String SSL rule category.

Command Example

!panorama-get-ssl-decryption-rules pre_post="pre-rulebase"

Human Readable Output

SSL Decryption Rules

Name UUID Target Service Category Type From To Source Destination Action Source-user
test cd3f0487-3872-4691-8387-1a15e7de142b negate: no any member: any ssl-forward-proxy: null any any any any no-decrypt any

81. panorama-get-wildfire-configuration


Retrieve Wildfire Configuration

Base Command

panorama-get-wildfire-configuration

Input
Argument Name Description Required
template The template name. Required

Context Output
Path Type Description
Panorama.WildFire.Name String File type.
Panorama.WildFire.Size-limit String File size limit.
Panorama.WildFire.recurring String Schedule recurring.

Command Example

!panorama-get-wildfire-configuration template=WildFire

Context Example
{
    "Panorama.WildFire": [
        {
            "Name": "pe",
            "Size-limit": "10"
        },
        {
            "Name": "apk",
            "Size-limit": "30"
        },
        {
            "Name": "pdf",
            "Size-limit": "1000"
        },
        {
            "Name": "ms-office",
            "Size-limit": "2000"
        },
        {
            "Name": "jar",
            "Size-limit": "5"
        },
        {
            "Name": "flash",
            "Size-limit": "5"
        },
        {
            "Name": "MacOSX",
            "Size-limit": "1"
        },
        {
            "Name": "archive",
            "Size-limit": "10"
        },
        {
            "Name": "linux",
            "Size-limit": "2"
        },
        {
            "Name": "script",
            "Size-limit": "20"
        }
    ],
    "Panorama.WildFire.Schedule": {
        "recurring": {
            "every-min": {
                "action": "download-and-install"
            }
        }
    }
}
Human Readable Output

WildFire Configuration

Report Grayware File: yes

Name Size-limit
pe 10
apk 30
pdf 1000
ms-office 2000
jar 5
flash 5
MacOSX 1
archive 10
linux 2
script 20

The updated schedule for Wildfire

recurring
every-min: {"action": "download-and-install"}

82. panorama-url-filtering-block-default-categories


Set default categories to block in the URL filtering profile.

Base Command

panorama-url-filtering-block-default-categories

Input
Argument Name Description Required
profile_name The URL filtering profile name. Get the name by running the panorama-get-security-profiles command. Required

Context Output
There is no context output for this command.

Command Example

!panorama-url-filtering-block-default-categories profile_name=test

Human Readable Output

The default categories to block has been set successfully to test

83. panorama-get-anti-spyware-best-practice


Show anti-spyware best practices.

Base Command

panorama-get-anti-spyware-best-practice

Input
There are no input arguments for this command.

Context Output
Path Type Description
Panorama.Spyware.BotentDomain.Name String Botnet domain name.
Panorama.Spyware.BotentDomain.Action String Botnet domain action.
Panorama.Spyware.BotentDomain.Packet-capture String Is packet capture enabled.
Panorama.Spyware.BotentDomain.Sinkhole.ipv4-address String Botnet domain IPv4 address.
Panorama.Spyware.BotentDomain.Sinkhole.ipv6-address String Botnet domain IPv6 address.
Panorama.Spyware.Rule.Cateogry String Rule category.
Panorama.Spyware.Rule.Action String Rule action.
Panorama.Spyware.Rule.Name String Rule name.
Panorama.Spyware.Rule.Severity String Rule severity.
Panorama.Spyware.Rule.Threat-name String Rule threat name.
Panorama.Spyware.BotentDomain.Max_version String Botnet domain max version.

Command Example

!panorama-get-anti-spyware-best-practice

Context Example
{
    "Panorama.Spyware.BotentDomain": [
        {
            "Action": {
                "sinkhole": null
            },
            "Name": "default-paloalto-dns",
            "Packet-capture": "disable"
        },
        {
            "Action": {
                "allow": null
            },
            "Max_version": "9.1.9",
            "Name": "default-paloalto-cloud",
            "Packet-capture": "disable"
        }
    ],
    "Panorama.Spyware.BotentDomain.Sinkhole": [
        {
            "ipv4-address": "pan-sinkhole-default-ip",
            "ipv6-address": "::1"
        }
    ],
    "Panorama.Spyware.Rule": [
        {
            "Action": {
                "reset-both": null
            },
            "Category": "any",
            "Name": "simple-critical",
            "Severity": "critical",
            "Threat-name": "any"
        },
        {
            "Action": {
                "reset-both": null
            },
            "Category": "any",
            "Name": "simple-high",
            "Severity": "high",
            "Threat-name": "any"
        },
        {
            "Action": {
                "reset-both": null
            },
            "Category": "any",
            "Name": "simple-medium",
            "Severity": "medium",
            "Threat-name": "any"
        },
        {
            "Action": {
                "default": null
            },
            "Category": "any",
            "Name": "simple-informational",
            "Severity": "informational",
            "Threat-name": "any"
        },
        {
            "Action": {
                "default": null
            },
            "Category": "any",
            "Name": "simple-low",
            "Severity": "low",
            "Threat-name": "any"
        }
    ]
}
Human Readable Output

Anti Spyware Botnet-Domains Best Practice

Name Action Packet-capture ipv4-address ipv6-address
default-paloalto-dns sinkhole: null disable
default-paloalto-cloud allow: null disable
pan-sinkhole-default-ip ::1

Anti Spyware Best Practice Rules

Name Severity Action Category Threat-name
simple-critical critical reset-both: null any any
simple-high high reset-both: null any any
simple-medium medium reset-both: null any any
simple-informational informational default: null any any
simple-low low default: null any any
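The following is an added example, not part of the integration's own code: it compares the rules of a spyware profile (the Panorama.Spyware shape returned by panorama-get-security-profiles) with the Panorama.Spyware.Rule output above and reports every severity whose action deviates or that no rule covers. The profile data is constructed, and treating a field as "one string or a list of strings" and a Severity of "any" as covering every severity are assumptions of this example.

```python
import json

# Rules from the Context Example of panorama-get-anti-spyware-best-practice above.
BEST_PRACTICE = json.loads("""
{"Panorama.Spyware.Rule": [
  {"Action": {"reset-both": null}, "Category": "any", "Name": "simple-critical",
   "Severity": "critical", "Threat-name": "any"},
  {"Action": {"reset-both": null}, "Category": "any", "Name": "simple-high",
   "Severity": "high", "Threat-name": "any"},
  {"Action": {"reset-both": null}, "Category": "any", "Name": "simple-medium",
   "Severity": "medium", "Threat-name": "any"},
  {"Action": {"default": null}, "Category": "any", "Name": "simple-informational",
   "Severity": "informational", "Threat-name": "any"},
  {"Action": {"default": null}, "Category": "any", "Name": "simple-low",
   "Severity": "low", "Threat-name": "any"}
]}
""")

# Constructed sample in the shape of one Panorama.Spyware entry (Name + Rules).
# The profile name, rule names and the "alert" action are made up for the example.
PROFILE = {
    "Name": "branch-office",
    "Rules": [
        {"Name": "crit", "Action": {"reset-both": None}, "Category": "any",
         "Severity": "critical", "Threat-name": "any", "Packet-capture": "disable"},
        {"Name": "high-med", "Action": {"alert": None}, "Category": "any",
         "Severity": ["high", "medium"], "Threat-name": "any", "Packet-capture": "disable"},
        {"Name": "low", "Action": {"default": None}, "Category": "any",
         "Severity": "low", "Threat-name": "any", "Packet-capture": "disable"},
    ],
}


def action_name(action):
    """Return 'reset-both' for {'reset-both': None}; pass plain strings through."""
    if isinstance(action, dict):
        return next(iter(action), None)
    return action


def as_list(value):
    """Assumption: a field may hold a single value or a list of values."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_spyware_profile(profile, best_practice):
    """List (severity, rule_name, expected_action, actual_action) deviations.

    rule_name and actual_action are None when no rule covers the severity.
    """
    findings = []
    for bp_rule in best_practice["Panorama.Spyware.Rule"]:
        severity = bp_rule["Severity"]
        expected = action_name(bp_rule["Action"])
        # Rules that name this severity explicitly or use the wildcard "any".
        covering = [
            rule for rule in as_list(profile.get("Rules"))
            if {severity, "any"} & set(as_list(rule.get("Severity")))
        ]
        if not covering:
            findings.append((severity, None, expected, None))
            continue
        for rule in covering:
            actual = action_name(rule.get("Action"))
            if actual != expected:
                findings.append((severity, rule.get("Name"), expected, actual))
    return findings


if __name__ == "__main__":
    for severity, rule, expected, actual in audit_spyware_profile(PROFILE, BEST_PRACTICE):
        print(f"{severity}: rule={rule} expected={expected} actual={actual}")
```

A deviation is not automatically a weakness (a stricter action than the best practice also shows up), so the findings are a review list rather than a verdict.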

84. panorama-get-file-blocking-best-practice


Show file-blocking best practices.

Base Command

panorama-get-file-blocking-best-practice

Input
There are no input arguments for this command.

Context Output
Path Type Description
Panorama.FileBlocking.Rule.Action String Rule action.
Panorama.FileBlocking.Rule.Application String Rule application.
Panorama.FileBlocking.Rule.File-type String Rule file type.
Panorama.FileBlocking.Rule.Name String Rule name.

Command Example

!panorama-get-file-blocking-best-practice

Context Example
{
    "Panorama.FileBlocking.Rule": [
        {
            "Action": "block",
            "Application": "any",
            "File-type": [
                "7z",
                "bat",
                "cab",
                "chm",
                "class",
                "cpl",
                "dll",
                "exe",
                "flash",
                "hlp",
                "hta",
                "jar",
                "msi",
                "Multi-Level-Encoding",
                "ocx",
                "PE",
                "pif",
                "rar",
                "scr",
                "tar",
                "torrent",
                "vbe",
                "wsf"
            ],
            "Name": "Block all risky file types"
        },
        {
            "Action": "block",
            "Application": "any",
            "File-type": [
                "encrypted-rar",
                "encrypted-zip"
            ],
            "Name": "Block encrypted files"
        },
        {
            "Action": "alert",
            "Application": "any",
            "File-type": "any",
            "Name": "Log all other file types"
        }
    ]
}
Human Readable Output

File Blocking Profile Best Practice

Name Action File-type Application
Block all risky file types block 7z, bat, cab, chm, class, cpl, dll, exe, flash, hlp, hta, jar, msi, Multi-Level-Encoding, ocx, PE, pif, rar, scr, tar, torrent, vbe, wsf any
Block encrypted files block encrypted-rar, encrypted-zip any
Log all other file types alert any any
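As an added example (not code from the integration), the check below takes the Panorama.FileBlocking.Rule output above and lists the file types a given file-blocking profile fails to block for all applications. It handles File-type and Application arriving either as the string "any" or as a list, as both forms appear in the Context Example. The profile is constructed sample data, and the case-insensitive comparison and the application name in it are assumptions of this example.

```python
# Context output of panorama-get-file-blocking-best-practice, as shown above.
BEST_PRACTICE = {
    "Panorama.FileBlocking.Rule": [
        {"Action": "block", "Application": "any",
         "File-type": ["7z", "bat", "cab", "chm", "class", "cpl", "dll", "exe",
                       "flash", "hlp", "hta", "jar", "msi", "Multi-Level-Encoding",
                       "ocx", "PE", "pif", "rar", "scr", "tar", "torrent", "vbe", "wsf"],
         "Name": "Block all risky file types"},
        {"Action": "block", "Application": "any",
         "File-type": ["encrypted-rar", "encrypted-zip"],
         "Name": "Block encrypted files"},
        {"Action": "alert", "Application": "any", "File-type": "any",
         "Name": "Log all other file types"},
    ]
}

# Constructed sample in the shape of one Panorama.FileBlocking entry (Name + Rules).
PROFILE = {
    "Name": "legacy-file-blocking",
    "Rules": [
        {"Name": "block-exec", "Action": "block", "Application": "any",
         "File-type": ["exe", "dll", "bat", "msi", "scr", "PE"]},
        # Application-specific block: does not protect other applications.
        {"Name": "block-archives-web", "Action": "block",
         "Application": ["web-browsing"], "File-type": ["7z", "rar"]},
        {"Name": "log-rest", "Action": "alert", "Application": "any",
         "File-type": "any"},
    ],
}


def members(value):
    """Normalise a field that is one string ("any") or a list; lower-cased set."""
    if value is None:
        return set()
    items = value if isinstance(value, list) else [value]
    return {str(item).casefold() for item in items}


def blocked_everywhere(profile):
    """File types the profile blocks regardless of application (may hold 'any')."""
    blocked = set()
    for rule in profile.get("Rules", []):
        if rule.get("Action") == "block" and "any" in members(rule.get("Application")):
            blocked |= members(rule.get("File-type"))
    return blocked


def missing_blocks(profile, best_practice):
    """Best-practice 'block' file types that the profile does not block everywhere."""
    required = set()
    for rule in best_practice["Panorama.FileBlocking.Rule"]:
        if rule["Action"] == "block":
            required |= members(rule["File-type"])
    blocked = blocked_everywhere(profile)
    if "any" in blocked:          # a block-everything rule covers every type
        return []
    return sorted(required - blocked)


if __name__ == "__main__":
    gaps = missing_blocks(PROFILE, BEST_PRACTICE)
    print(f"{PROFILE['Name']}: {len(gaps)} best-practice file types not blocked")
    print(", ".join(gaps))
```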

85. panorama-get-antivirus-best-practice


Show anti-virus best practices.

Base Command

panorama-get-antivirus-best-practice

Input
There are no input arguments for this command.

Context Output
Path Type Description
Panorama.Antivirus.Decoder.Action String Rule action.
Panorama.Antivirus.Decoder.Name String Rule name.
Panorama.Antivirus.Decoder.WildFire-action String WildFire action.

Command Example

!panorama-get-antivirus-best-practice

Context Example
{
    "Panorama.Antivirus.Decoder": [
        {
            "Action": "default",
            "Name": "http",
            "WildFire-action": "default"
        },
        {
            "Action": "default",
            "Name": "http2",
            "WildFire-action": "default"
        },
        {
            "Action": "default",
            "Name": "smtp",
            "WildFire-action": "default"
        },
        {
            "Action": "default",
            "Name": "imap",
            "WildFire-action": "default"
        },
        {
            "Action": "default",
            "Name": "pop3",
            "WildFire-action": "default"
        },
        {
            "Action": "default",
            "Name": "ftp",
            "WildFire-action": "default"
        },
        {
            "Action": "default",
            "Name": "smb",
            "WildFire-action": "default"
        }
    ]
}
Human Readable Output

Antivirus Best Practice Profile

Name Action WildFire-action
http default default
http2 default default
smtp default default
imap default default
pop3 default default
ftp default default
smb default default

86. panorama-get-vulnerability-protection-best-practice


Show vulnerability-protection best practices.

Base Command

panorama-get-vulnerability-protection-best-practice

Input
There are no input arguments for this command.

Context Output
Path Type Description
Panorama.Vulnerability.Rule.Action String Rule action.
Panorama.Vulnerability.Rule.CVE String Rule CVE.
Panorama.Vulnerability.Rule.Cateogry String Rule category.
Panorama.Vulnerability.Rule.Host String The rule host.
Panorama.Vulnerability.Rule.Name String Rule name.
Panorama.Vulnerability.Rule.Severity String The rule severity.
Panorama.Vulnerability.Rule.Threat-name String The threat name.
Panorama.Vulnerability.Rule.Vendor-id String The vendor ID.

Command Example

!panorama-get-vulnerability-protection-best-practice

Context Example
{
    "Panorama.Vulnerability.Rule": [
        {
            "Action": {
                "reset-both": null
            },
            "CVE": "any",
            "Category": "any",
            "Host": "client",
            "Name": "simple-client-critical",
            "Severity": "critical",
            "Threat-name": "any",
            "Vendor-id": "any"
        },
        {
            "Action": {
                "reset-both": null
            },
            "CVE": "any",
            "Category": "any",
            "Host": "client",
            "Name": "simple-client-high",
            "Severity": "high",
            "Threat-name": "any",
            "Vendor-id": "any"
        },
        {
            "Action": {
                "reset-both": null
            },
            "CVE": "any",
            "Category": "any",
            "Host": "client",
            "Name": "simple-client-medium",
            "Severity": "medium",
            "Threat-name": "any",
            "Vendor-id": "any"
        },
        {
            "Action": {
                "default": null
            },
            "CVE": "any",
            "Category": "any",
            "Host": "client",
            "Name": "simple-client-informational",
            "Severity": "informational",
            "Threat-name": "any",
            "Vendor-id": "any"
        },
        {
            "Action": {
                "default": null
            },
            "CVE": "any",
            "Category": "any",
            "Host": "client",
            "Name": "simple-client-low",
            "Severity": "low",
            "Threat-name": "any",
            "Vendor-id": "any"
        },
        {
            "Action": {
                "reset-both": null
            },
            "CVE": "any",
            "Category": "any",
            "Host": "server",
            "Name": "simple-server-critical",
            "Severity": "critical",
            "Threat-name": "any",
            "Vendor-id": "any"
        },
        {
            "Action": {
                "reset-both": null
            },
            "CVE": "any",
            "Category": "any",
            "Host": "server",
            "Name": "simple-server-high",
            "Severity": "high",
            "Threat-name": "any",
            "Vendor-id": "any"
        },
        {
            "Action": {
                "reset-both": null
            },
            "CVE": "any",
            "Category": "any",
            "Host": "server",
            "Name": "simple-server-medium",
            "Severity": "medium",
            "Threat-name": "any",
            "Vendor-id": "any"
        },
        {
            "Action": {
                "default": null
            },
            "CVE": "any",
            "Category": "any",
            "Host": "server",
            "Name": "simple-server-informational",
            "Severity": "informational",
            "Threat-name": "any",
            "Vendor-id": "any"
        },
        {
            "Action": {
                "default": null
            },
            "CVE": "any",
            "Category": "any",
            "Host": "server",
            "Name": "simple-server-low",
            "Severity": "low",
            "Threat-name": "any",
            "Vendor-id": "any"
        }
    ]
}
Human Readable Output

vulnerability Protection Best Practice Profile

Name Action Host Severity Category Threat-name CVE Vendor-id
simple-client-critical reset-both: null client critical any any any any
simple-client-high reset-both: null client high any any any any
simple-client-medium reset-both: null client medium any any any any
simple-client-informational default: null client informational any any any any
simple-client-low default: null client low any any any any
simple-server-critical reset-both: null server critical any any any any
simple-server-high reset-both: null server high any any any any
simple-server-medium reset-both: null server medium any any any any
simple-server-informational default: null server informational any any any any
simple-server-low default: null server low any any any any

87. panorama-get-wildfire-best-practice


Show WildFire best practices.

Base Command

panorama-get-wildfire-best-practice

Input
There are no input arguments for this command.

Context Output
Path Type Description
Panorama.WildFire.Analysis String WildFire analysis.
Panorama.WildFire.Application String WildFire application.
Panorama.WildFire.File.File-size String Recommended file size.
Panorama.WildFire.File.Name String File name.
Panorama.WildFire.File-type String WildFire profile file type.
Panorama.WildFire.Name String WildFire profile name.
Panorama.WildFire.SSLDecrypt String SSL decrypt content.
Panorama.WildFire.Schedule.Action String WildFire schedule action.
Panorama.WildFire.Schedule.Recurring String WildFire schedule recurring.

Command Example

!panorama-get-wildfire-best-practice

Context Example
{
    "Panorama.WildFire": {
        "Analysis": "public-cloud",
        "Application": "any",
        "File-type": "any",
        "Name": "default"
    },
    "Panorama.WildFire.File": [
        {
            "File-size": "10",
            "Name": "pe"
        },
        {
            "File-size": "30",
            "Name": "apk"
        },
        {
            "File-size": "1000",
            "Name": "pdf"
        },
        {
            "File-size": "2000",
            "Name": "ms-office"
        },
        {
            "File-size": "5",
            "Name": "jar"
        },
        {
            "File-size": "5",
            "Name": "flash"
        },
        {
            "File-size": "1",
            "Name": "MacOS"
        },
        {
            "File-size": "10",
            "Name": "archive"
        },
        {
            "File-size": "2",
            "Name": "linux"
        },
        {
            "File-size": "20",
            "Name": "script"
        }
    ],
    "Panorama.WildFire.SSLDecrypt": {
        "allow-forward-decrypted-content": "yes"
    },
    "Panorama.WildFire.Schedule": {
        "Action": "download-and-install",
        "Recurring": "every-minute"
    }
}
Human Readable Output

WildFire Best Practice Profile

Name Analysis Application File-type
default public-cloud any any

Wildfire Best Practice Schedule

Action Recurring
download-and-install every-minute

Wildfire SSL Decrypt Settings

allow-forward-decrypted-content
yes

Wildfire System Settings

report-grayware-file: yes

Name File-size
pe 10
apk 30
pdf 1000
ms-office 2000
jar 5
flash 5
MacOS 1
archive 10
linux 2
script 20

88. panorama-get-url-filtering-best-practice


Show URL Filtering best practices.

Base Command

panorama-get-url-filtering-best-practice

Input
There are no input arguments for this command.

Context Output
Path Type Description
Panorama.URLFilter.Category.Action String The action to perform on the category.
Panorama.URLFilter.Category.Name String Category name.
Panorama.URLFilter.DeviceGroup String Device group name.
Panorama.URLFilter.Name String Profile name.
Panorama.URLFilter.Header.log-container-page-only String Log container page only.
Panorama.URLFilter.Header.log-http-hdr-referer String Log HTTP header referer.
Panorama.URLFilter.Header.log-http-hdr-user String Log HTTP header user.
Panorama.URLFilter.Header.log-http-hdr-xff String Log HTTP header xff.

Command Example

!panorama-get-url-filtering-best-practice

Context Example
{
    "Panorama.URLFilter": {
        "Category": [
            {
                "Action": "alert",
                "Name": "abortion"
            },
            {
                "Action": "alert",
                "Name": "abused-drugs"
            },
            {
                "Action": "alert",
                "Name": "adult"
            },
            {
                "Action": "alert",
                "Name": "alcohol-and-tobacco"
            },
            {
                "Action": "alert",
                "Name": "auctions"
            },
            {
                "Action": "alert",
                "Name": "business-and-economy"
            },
            {
                "Action": "alert",
                "Name": "computer-and-internet-info"
            },
            {
                "Action": "alert",
                "Name": "content-delivery-networks"
            },
            {
                "Action": "alert",
                "Name": "cryptocurrency"
            },
            {
                "Action": "alert",
                "Name": "dating"
            },
            {
                "Action": "alert",
                "Name": "educational-institutions"
            },
            {
                "Action": "alert",
                "Name": "entertainment-and-arts"
            },
            {
                "Action": "alert",
                "Name": "financial-services"
            },
            {
                "Action": "alert",
                "Name": "gambling"
            },
            {
                "Action": "alert",
                "Name": "games"
            },
            {
                "Action": "alert",
                "Name": "government"
            },
            {
                "Action": "alert",
                "Name": "grayware"
            },
            {
                "Action": "alert",
                "Name": "health-and-medicine"
            },
            {
                "Action": "alert",
                "Name": "high-risk"
            },
            {
                "Action": "alert",
                "Name": "home-and-garden"
            },
            {
                "Action": "alert",
                "Name": "hunting-and-fishing"
            },
            {
                "Action": "alert",
                "Name": "insufficient-content"
            },
            {
                "Action": "alert",
                "Name": "internet-communications-and-telephony"
            },
            {
                "Action": "alert",
                "Name": "internet-portals"
            },
            {
                "Action": "alert",
                "Name": "job-search"
            },
            {
                "Action": "alert",
                "Name": "legal"
            },
            {
                "Action": "alert",
                "Name": "low-risk"
            },
            {
                "Action": "alert",
                "Name": "medium-risk"
            },
            {
                "Action": "alert",
                "Name": "military"
            },
            {
                "Action": "alert",
                "Name": "motor-vehicles"
            },
            {
                "Action": "alert",
                "Name": "music"
            },
            {
                "Action": "alert",
                "Name": "newly-registered-domain"
            },
            {
                "Action": "alert",
                "Name": "news"
            },
            {
                "Action": "alert",
                "Name": "not-resolved"
            },
            {
                "Action": "alert",
                "Name": "nudity"
            },
            {
                "Action": "alert",
                "Name": "online-storage-and-backup"
            },
            {
                "Action": "alert",
                "Name": "peer-to-peer"
            },
            {
                "Action": "alert",
                "Name": "personal-sites-and-blogs"
            },
            {
                "Action": "alert",
                "Name": "philosophy-and-political-advocacy"
            },
            {
                "Action": "alert",
                "Name": "private-ip-addresses"
            },
            {
                "Action": "alert",
                "Name": "questionable"
            },
            {
                "Action": "alert",
                "Name": "real-estate"
            },
            {
                "Action": "alert",
                "Name": "recreation-and-hobbies"
            },
            {
                "Action": "alert",
                "Name": "reference-and-research"
            },
            {
                "Action": "alert",
                "Name": "religion"
            },
            {
                "Action": "alert",
                "Name": "search-engines"
            },
            {
                "Action": "alert",
                "Name": "sex-education"
            },
            {
                "Action": "alert",
                "Name": "shareware-and-freeware"
            },
            {
                "Action": "alert",
                "Name": "shopping"
            },
            {
                "Action": "alert",
                "Name": "social-networking"
            },
            {
                "Action": "alert",
                "Name": "society"
            },
            {
                "Action": "alert",
                "Name": "sports"
            },
            {
                "Action": "alert",
                "Name": "stock-advice-and-tools"
            },
            {
                "Action": "alert",
                "Name": "streaming-media"
            },
            {
                "Action": "alert",
                "Name": "swimsuits-and-intimate-apparel"
            },
            {
                "Action": "alert",
                "Name": "training-and-tools"
            },
            {
                "Action": "alert",
                "Name": "translation"
            },
            {
                "Action": "alert",
                "Name": "travel"
            },
            {
                "Action": "alert",
                "Name": "weapons"
            },
            {
                "Action": "alert",
                "Name": "web-advertisements"
            },
            {
                "Action": "alert",
                "Name": "web-based-email"
            },
            {
                "Action": "alert",
                "Name": "web-hosting"
            },
            {
                "Action": "block",
                "Name": "command-and-control"
            },
            {
                "Action": "block",
                "Name": "copyright-infringement"
            },
            {
                "Action": "block",
                "Name": "dynamic-dns"
            },
            {
                "Action": "block",
                "Name": "extremism"
            },
            {
                "Action": "block",
                "Name": "hacking"
            },
            {
                "Action": "block",
                "Name": "malware"
            },
            {
                "Action": "block",
                "Name": "parked"
            },
            {
                "Action": "block",
                "Name": "phishing"
            },
            {
                "Action": "block",
                "Name": "proxy-avoidance-and-anonymizers"
            },
            {
                "Action": "block",
                "Name": "unknown"
            }
        ],
        "DeviceGroup": "Demisto sales lab",
        "Name": "best-practice"
    },
    "Panorama.URLFilter.Header": {
        "log-container-page-only": "no",
        "log-http-hdr-referer": "yes",
        "log-http-hdr-user": "yes",
        "log-http-hdr-xff": "yes"
    }
}
Human Readable Output

URL Filtering Best Practice Profile Categories

Category DeviceGroup Name
{'Name': 'abortion', 'Action': 'alert'},
{'Name': 'abused-drugs', 'Action': 'alert'},
{'Name': 'adult', 'Action': 'alert'},
{'Name': 'alcohol-and-tobacco', 'Action': 'alert'},
{'Name': 'auctions', 'Action': 'alert'},
{'Name': 'business-and-economy', 'Action': 'alert'},
{'Name': 'computer-and-internet-info', 'Action': 'alert'},
{'Name': 'content-delivery-networks', 'Action': 'alert'},
{'Name': 'cryptocurrency', 'Action': 'alert'},
{'Name': 'dating', 'Action': 'alert'},
{'Name': 'educational-institutions', 'Action': 'alert'},
{'Name': 'entertainment-and-arts', 'Action': 'alert'},
{'Name': 'financial-services', 'Action': 'alert'},
{'Name': 'gambling', 'Action': 'alert'},
{'Name': 'games', 'Action': 'alert'},
{'Name': 'government', 'Action': 'alert'},
{'Name': 'grayware', 'Action': 'alert'},
{'Name': 'health-and-medicine', 'Action': 'alert'},
{'Name': 'high-risk', 'Action': 'alert'},
{'Name': 'home-and-garden', 'Action': 'alert'},
{'Name': 'hunting-and-fishing', 'Action': 'alert'},
{'Name': 'insufficient-content', 'Action': 'alert'},
{'Name': 'internet-communications-and-telephony', 'Action': 'alert'},
{'Name': 'internet-portals', 'Action': 'alert'},
{'Name': 'job-search', 'Action': 'alert'},
{'Name': 'legal', 'Action': 'alert'},
{'Name': 'low-risk', 'Action': 'alert'},
{'Name': 'medium-risk', 'Action': 'alert'},
{'Name': 'military', 'Action': 'alert'},
{'Name': 'motor-vehicles', 'Action': 'alert'},
{'Name': 'music', 'Action': 'alert'},
{'Name': 'newly-registered-domain', 'Action': 'alert'},
{'Name': 'news', 'Action': 'alert'},
{'Name': 'not-resolved', 'Action': 'alert'},
{'Name': 'nudity', 'Action': 'alert'},
{'Name': 'online-storage-and-backup', 'Action': 'alert'},
{'Name': 'peer-to-peer', 'Action': 'alert'},
{'Name': 'personal-sites-and-blogs', 'Action': 'alert'},
{'Name': 'philosophy-and-political-advocacy', 'Action': 'alert'},
{'Name': 'private-ip-addresses', 'Action': 'alert'},
{'Name': 'questionable', 'Action': 'alert'},
{'Name': 'real-estate', 'Action': 'alert'},
{'Name': 'recreation-and-hobbies', 'Action': 'alert'},
{'Name': 'reference-and-research', 'Action': 'alert'},
{'Name': 'religion', 'Action': 'alert'},
{'Name': 'search-engines', 'Action': 'alert'},
{'Name': 'sex-education', 'Action': 'alert'},
{'Name': 'shareware-and-freeware', 'Action': 'alert'},
{'Name': 'shopping', 'Action': 'alert'},
{'Name': 'social-networking', 'Action': 'alert'},
{'Name': 'society', 'Action': 'alert'},
{'Name': 'sports', 'Action': 'alert'},
{'Name': 'stock-advice-and-tools', 'Action': 'alert'},
{'Name': 'streaming-media', 'Action': 'alert'},
{'Name': 'swimsuits-and-intimate-apparel', 'Action': 'alert'},
{'Name': 'training-and-tools', 'Action': 'alert'},
{'Name': 'translation', 'Action': 'alert'},
{'Name': 'travel', 'Action': 'alert'},
{'Name': 'weapons', 'Action': 'alert'},
{'Name': 'web-advertisements', 'Action': 'alert'},
{'Name': 'web-based-email', 'Action': 'alert'},
{'Name': 'web-hosting', 'Action': 'alert'},
{'Name': 'command-and-control', 'Action': 'block'},
{'Name': 'copyright-infringement', 'Action': 'block'},
{'Name': 'dynamic-dns', 'Action': 'block'},
{'Name': 'extremism', 'Action': 'block'},
{'Name': 'hacking', 'Action': 'block'},
{'Name': 'malware', 'Action': 'block'},
{'Name': 'parked', 'Action': 'block'},
{'Name': 'phishing', 'Action': 'block'},
{'Name': 'proxy-avoidance-and-anonymizers', 'Action': 'block'},
{'Name': 'unknown', 'Action': 'block'}
Demisto sales lab best-practice

Best Practice Headers

log-container-page-only log-http-hdr-referer log-http-hdr-user log-http-hdr-xff
no yes yes yes
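
The context output above can be used as a baseline to audit other URL filtering profiles. The following is an added example, not code from the integration: it assumes the context keys are Panorama.URLFilter (holding a Category list) and Panorama.URLFilter.Header, and the profile under review is constructed sample data.

```python
# Added example (not part of the integration). The "Panorama.URLFilter" and
# "Category" key names are assumed; CANDIDATE is constructed sample data.

# Trimmed copy of the best-practice context output shown above.
BEST_PRACTICE = {
    "Panorama.URLFilter": {"Name": "best-practice", "DeviceGroup": "Demisto sales lab", "Category": [
        {"Action": "alert", "Name": "web-hosting"},
        {"Action": "block", "Name": "command-and-control"},
        {"Action": "block", "Name": "malware"},
        {"Action": "block", "Name": "phishing"},
        {"Action": "block", "Name": "unknown"},
    ]},
    "Panorama.URLFilter.Header": {"log-container-page-only": "no", "log-http-hdr-referer": "yes",
                                  "log-http-hdr-user": "yes", "log-http-hdr-xff": "yes"},
}

# Constructed profile under review: malware only alerts, "unknown" is absent,
# and X-Forwarded-For header logging is off.
CANDIDATE = {
    "Panorama.URLFilter": {"Name": "example-profile", "DeviceGroup": "example-group", "Category": [
        {"Action": "alert", "Name": "web-hosting"},
        {"Action": "block", "Name": "command-and-control"},
        {"Action": "alert", "Name": "malware"},
        {"Action": "block", "Name": "phishing"},
    ]},
    "Panorama.URLFilter.Header": {"log-container-page-only": "no", "log-http-hdr-referer": "yes",
                                  "log-http-hdr-user": "yes", "log-http-hdr-xff": "no"},
}

def audit_profile(baseline, candidate):
    """List (finding, key, expected, actual) where candidate falls short of baseline."""
    want = {c["Name"]: c["Action"] for c in baseline["Panorama.URLFilter"]["Category"]}
    have = {c["Name"]: c["Action"] for c in candidate["Panorama.URLFilter"]["Category"]}
    findings = []
    for name, action in sorted(want.items()):
        if name not in have:
            findings.append(("missing-category", name, action, None))
        elif action == "block" and have[name] != "block":
            findings.append(("not-blocked", name, action, have[name]))
    cand_hdr = candidate.get("Panorama.URLFilter.Header", {})
    for key, value in sorted(baseline.get("Panorama.URLFilter.Header", {}).items()):
        if cand_hdr.get(key) != value:
            findings.append(("header-logging", key, value, cand_hdr.get(key)))
    return findings

if __name__ == "__main__":
    for finding in audit_profile(BEST_PRACTICE, CANDIDATE):
        print(finding)
```

A category that the baseline only alerts on is not flagged when the candidate blocks it, since that is stricter than the baseline.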

89. panorama-enforce-wildfire-best-practice


Enforces WildFire best practices: sets file upload to the maximum size, forwards all file types, and updates the schedule.

Base Command

panorama-enforce-wildfire-best-practice

Input
Argument Name Description Required
template The template name. Required

Context Output
There is no context output for this command.

Command Example

!panorama-enforce-wildfire-best-practice template=WildFire

Human Readable Output

The schedule was updated according to the best practice. Recurring every minute with the action of "download and install" The file upload for all file types is set to the maximum size.

90. panorama-create-antivirus-best-practice-profile


Creates an antivirus best practice profile.

Base Command

panorama-create-antivirus-best-practice-profile

Input
Argument Name Description Required
profile_name The name of the profile. Required

Context Output
There is no context output for this command.

Command Example

!panorama-create-antivirus-best-practice-profile profile_name=test

Human Readable Output

The profile test was created successfully.

91. panorama-create-anti-spyware-best-practice-profile


Creates an Anti-Spyware best practice profile.

Base Command

panorama-create-anti-spyware-best-practice-profile

Input
Argument Name Description Required
profile_name The profile name. Required

Context Output
There is no context output for this command.

Command Example

!panorama-create-anti-spyware-best-practice-profile profile_name=test

Human Readable Output

The profile test was created successfully.

92. panorama-create-vulnerability-best-practice-profile


Creates a vulnerability protection best practice profile.

Base Command

panorama-create-vulnerability-best-practice-profile

Input
Argument Name Description Required
profile_name The profile name. Required

Context Output
There is no context output for this command.

Command Example

!panorama-create-vulnerability-best-practice-profile profile_name=test

Human Readable Output

The profile test was created successfully.

93. panorama-create-url-filtering-best-practice-profile


Creates a URL filtering best practice profile.

Base Command

panorama-create-url-filtering-best-practice-profile

Input
Argument Name Description Required
profile_name The profile name. Required

Context Output
There is no context output for this command.

Command Example

!panorama-create-url-filtering-best-practice-profile profile_name=test

Human Readable Output

The profile test was created successfully.

94. panorama-create-file-blocking-best-practice-profile


Creates a file blocking best practice profile.

Base Command

panorama-create-file-blocking-best-practice-profile

Input
Argument Name Description Required
profile_name The name of the profile. Required

Context Output
There is no context output for this command.

Command Example

!panorama-create-file-blocking-best-practice-profile profile_name=test

Human Readable Output

The profile test was created successfully.

95. panorama-create-wildfire-best-practice-profile


Creates a WildFire analysis best practice profile.

Base Command

panorama-create-wildfire-best-practice-profile

Input
Argument Name Description Required
profile_name The name of the profile. Required

Context Output
There is no context output for this command.

Command Example

!panorama-create-wildfire-best-practice-profile profile_name=test

Human Readable Output

The profile test was created successfully.