Palo Alto Networks PAN-OS

This integration supports both Palo Alto Networks Panorama and Palo Alto Networks Firewall. You can create separate instances of each integration, and they are not necessarily related or dependent on one another.

This integration was integrated and tested with version 8.1.0 of Palo Alto Firewall, Palo Alto Panorama

Panorama Playbook

• PanoramaCommitConfiguration : Based on the playbook input, the Playbook will commit the configuration to Palo Alto Firewall, or push the configuration from Panorama to predefined device groups of firewalls. The integration is available from Demisto v3.0, but playbook uses the GenericPooling sub-playbook, which is only available from Demisto v4.0.
• (Deprecated) PanoramaQueryTrafficLogs : Use the Panorama Query Logs playbook instead.W raps the following commands with genericPolling to enable a complete flow to query traffic logs.
  • panorama-query-traffic-logs
  • panorama-check-traffic-logs-status
  • panorama-get-traffic-logs
• Panorama Query Logs : W raps several commands (listed below) with genericPolling to enable a complete flow to query the following log types: traffic, threat, URL, data-filtering, and Wildfire.
  • panorama-query-logs
  • panorama-check-logs-status
  • panorama-get-logs
• PAN-OS DAG Configuration
• PAN-OS EDL Setup

Use Cases

• Create custom security rules in Palo Alto Networks PAN-OS.
• Creating and updating address objects, address-groups, custom URL categories, URL filtering objects.
• Get URL Filtering category information from Palo Alto - Request Change is a known Palo Alto limitation.
• Add URL filtering objects including overrides to Palo Alto Panorama and Firewall
• Committing configuration to Palo Alto FW and to Panorama, and pushing configuration from Panorama to Pre-Defined Device-Groups of Firewalls.
• Block IP addresses using registered IP tags from PAN-OS without committing the PAN-OS instance. First you have to create a registered IP tag, DAG, and security rule, and commit the instance. You can then register additional IP addresses to the tag without committing the instance.

  1. Create a registered IP tag and add the necessary IP addresses by running the panorama-register-ip-tag command.

  2. Create a dynamic address group (DAG), by running the panorama-create-address-group command. Specify values for the following arguments: type="dynamic", match={ tagname }.

  3. Create a security rule using the DAG created in the previous step, by running the panorama-create-rule command.

  4. Commit the PAN-OS instance by running the PanoramaCommitConfiguration playbook.

  5. You can now register IP addresses to, or unregister IP addresses from, the IP tag by running the panorama-register-ip-tag command, or panorama-unregister-ip-tag command, respectively, without committing the PAN-OS instance.

• Create a predefined security profiles with the best practices by Palo Alto Networks.
• Get security profiles best practices as defined by Palo Alto Networks.
  For more inforamtion about Palo Alto Networks best practices, visit Palo Alto Networks best practices .
• Apply security profiles to specific rule.
• Set default categories to block in the URL filtering profile.
• Enforce WildFire best practice.
  1. Set file upload to the maximum size.
  2. WildFire Update Schedule is set to download and install updates every minute.
  3. All file types are forwarded.

Known Limitations

• Maximum commit queue length is 3. Running numerous Panorama commands simultaneously might cause errors.
• After you run panorama-create- commands and the object is not committed, then the panorama-edit commands or panorama-get commands might not run correctly.
• URL Filtering request change of a URL is not available via the API. Instead, you need to use the https://urlfiltering.paloaltonetworks.com website.
• If you do not specify a vsys (Firewall instances) or a device group (Panorama instances), you will only be able to execute certain commands.
  • panorama-get-url-category
  • panorama-commit
  • panorama-push-to-device-group
  • panorama-register-ip-tag
  • panorama-unregister-ip-tag
  • panorama-query-logs
  • panorama-check-logs-status
  • panorama-get-logs

Configure Panorama on Demisto

1. Navigate to Settings > Integrations > Servers & Services .
2. Search for Panorama.
3. Click Add instance to create and configure a new integration instance.
   • Name : a textual name for the integration instance.
   • Server URL (e.g. https://192.168.0.1 )
   • Port
   • API Key
   • Trust any certificate (not secure)
   • Use system proxy settings
   • Device group - Required for Panorama instance . If you want to use a shared location, the value in this field should be "shared".
   • Vsys - Required for Firewall instance (PAN-OS default is 'vsys1'): retrieve this from the Demisto URL, for example: <server_url>:port/<vsys_name>. If you have multiple vysys, select the one to configure on this instance.
4. Click Test to validate the URLs, token, and connection.

Commands

You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

1. Run any command supported in the Panorama API: panorama
2. Commit a configuration: panorama-commit
3. Push rules from Panorama to a device group: panorama-push-to-device-group
4. Get a list of addresses: panorama-list-addresses
5. Get address details: panorama-get-address
6. Create an address object: panorama-create-address
7. Delete an address: panorama-delete-address
8. Get a list of address groups: panorama-list-address-groups
9. Get details for an address group: panorama-get-address-group
10. Create an address group: panorama-create-address-group
11. Delete an address group: panorama-delete-address-group
12. Edit an address group: panorama-edit-address-group
13. Get details for a custom URL category: panorama-get-custom-url-category
14. Create a custom URL category: panorama-create-custom-url-category
15. Delete a custom URL category: panorama-delete-custom-url-category
16. Add/Remove sites from a custom URL category: panorama-edit-custom-url-category
17. Get details for a URL category: panorama-get-url-category
18. Get details for a URL filtering rule: panorama-get-url-filter
19. Create a URL filtering rule: panorama-create-url-filter
20. Edit a URL filter: panorama-edit-url-filter
21. Delete a URL filtering rule: panorama-delete-url-filter
22. Create a rule: panorama-create-rule
23. Create a custom block policy rule: panorama-custom-block-rule
24. Change the location of a policy rule: panorama-move-rule
25. Edit a policy rule: panorama-edit-rule
26. Delete a policy rule: panorama-delete-rule
27. Get a list of applications: panorama-list-applications
28. Get the commit status for a configuration: panorama-commit-status
29. Get the push status for a configuration: panorama-push-status
30. Get a list of services: panorama-list-services
31. Get information for a service: panorama-get-service
32. Create a service: panorama-create-service
33. Delete a service: panorama-delete-service
34. Get a list of service groups: panorama-list-service-groups
35. Get information for a service group: panorama-get-service-group
36. Create a service group: panorama-create-service-group
37. Delete a service group: panorama-delete-service-group
38. Edit a service group: panorama-edit-service group
39. Get information for PCAP files: panorama-get-pcap
40. Get a list of all PCAP files: panorama-list-pcaps
41. Get a list of EDLs: panorama-list-edls
42. Get information for an EDL: panorama-get-edl
43. Create an : panorama-create-edl
44. Edit an EDL: panorama-edit-edl
45. Delete an EDL: panorama-delete-edl
46. Refresh an EDL: panorama-refresh-edl
47. Register IP addresses to a tag: panorama-register-ip-tag
48. Unregister IP addresses from a tag: panorama-unregister-ip-tag
49. Query traffic logs: panorama-query-traffic-logs
50. Check the query status of traffic logs: panorama-check-traffic-logs-status
51. Get traffic logs: panorama-get-traffic-logs
52. Get a list of predefined security rules: panorama-list-rules
53. Query logs: panorama-query-logs
54. Check the query status of logs: panorama-check-logs-status
55. Get the data of a logs query: panorama-get-logs
56. Checks whether a session matches the specified security policy. This command is only available on Firewall instances: panorama-security-policy-match
57. Lists the static routes of a virtual router: panorama-list-static-routes
58. Returns the specified static route of a virtual router: panorama-get-static-route
59. Adds a static route: panorama-add-static-route
60. Deletes a static route: panorama-delete-static-route
61. Show firewall device software version: panorama-show-device-version
62. Downloads the latest content update: panorama-download-latest-content-update
63. Checks the download status of a content update: panorama-content-update-download-status
64. Installs the latest content update: panorama-install-latest-content-update
65. Gets the installation status of the content update: panorama-content-update-install-status
66. Checks the PAN-OS software version from the repository: panorama-check-latest-panos-software
67. Downloads the target PAN-OS software version to install on the target device: panorama-download-panos-version
68. Gets the download status of the target PAN-OS software: panorama-download-panos-status
69. Installs the target PAN-OS version on the specified target device: panorama-install-panos-version
70. Gets the installation status of the PAN-OS software: panorama-install-panos-status
71. Reboots the Firewall device: panorama-device-reboot
72. Show the IP location information: panorama-show-location-ip
73. Get information about PAN-OS available licenses and their statuses: panorama-get-licences
74. Get information about profiles: panorama-get-security-profiles
75. Apply profile to specific rules / rules with specific tag: panorama-apply-security-profile
76. Show ssl decryption rules under policies -> decryption -> rules: panorama-get-ssl-decryption-rules
77. Retrieve Wildfire Configuration: panorama-get-wildfire-configuration
78. Set default categories to block in the URL filtering profile: panorama-url-filtering-block-default-categories
79. Show anti-spyware best practices: panorama-get-anti-spyware-best-practice
80. Show file-blocking best practices: panorama-get-file-blocking-best-practice
81. Show anti-virus best practices: panorama-get-antivirus-best-practice
82. Show vulnerability-protection best practices: panorama-get-vulnerability-protection-best-practice
83. Show WildFire best practices: panorama-get-wildfire-best-practice
84. Show URL Filtering best practices: panorama-get-url-filtering-best-practice
85. Enforce wildfire file upload to the maximum size + all file types are forwarded and update schedule: panorama-enforce-wildfire-best-practice
86. Create antivirus best practice profile: panorama-create-antivirus-best-practice-profile
87. Create Anti Spyware best practice profile: panorama-create-anti-spyware-best-practice-profile
88. Create vulnerability protection best practice profile: panorama-create-vulnerability-best-practice-profile
89. Create URL filtering best practice profile: panorama-create-url-filtering-best-practice-profile
90. Create file blocking best practice profile: panorama-create-file-blocking-best-practice-profile
91. Create WildFire analysis best practice profile: panorama-create-wildfire-best-practice-profile

1. Run any command supported in the PAN-OS API

---

Run any command supported in the API.

Base Command

panorama

Input

Argument Name	Description	Required
action	Action to take. Can be: show, get, set, edit, delete, rename, clone, move, or override.	Optional
category	Category parameter. e.g. when exporting a configuration file use category=configuration.	Optional
cmd	Used for operations commands cmd specifies the xml struct that defines the command.	Optional
command	Run a command. e.g. "command = ".	Optional
dst	Specifies destination.	Optional
element	Used to define a new value for an object.	Optional
to	To parameter (used in specifying time and when cloning an object).	Optional
from	From parameter (used in specifying time and when cloning an object).	Optional
key	Sets a key value.	Optional
where	Specifies the type of a move operation (e.g. where=after, where=before, where=top, where=bottom).	Optional
period	Describe a time period. E.g. period=last-24-hrs.	Optional
xpath	Defines a location e.g. xpath=/config/predefined/application/entry[ @name ='hotmail']	Optional
pcap-id	The threat PCAP ID in the threat log.	Optional
serialno	Specifies the device serial number.	Optional
reporttype	Choose dynamic, predefined or custom report.	Optional
reportname	The report name.	Optional
log-type	Used for retrieving logs. e.g. log-type=threat for threat logs.	Optional
type	The request type (e.g. export, import, log, config).	Optional
search-time	Used for threat PCAPs, the time that the PCAP was received on the firewall.	Optional
target	Target number of the firewall (Panorama instance).	Optional

Context Output

There is no context output for this command.

2. Commit a configuration

---

Commits a configuration to Palo Alto Networks PAN-OS, but does not validate if the commit was successful. Committing toPAN-OS will not push the configuration to the Firewalls. To push the configuration, run the panorama-push-to-device-group command.

Base Command

panorama-commit

Input

There are no input arguments for this command.

Context Output

Path	Type	Description
Panorama.Commit.JobID	number	Job ID of the configuration to commit.
Panorama.Commit.Status	string	Commit status.

Command Example

!panorama-commit

Human Readable Output

3. Push rules from PAN-OS to a device group

---

Pushes rules fromPAN-OS to the configured device group.

Base Command

panorama-push-to-device-group

Input

Argument Name	Description	Required
device-group	The device group for which to return addresses (Panorama instances). If no value is supplied, the default group configured integration parameter is applied.	Optional

Context Output

Path	Type	Description
Panorama.Push.DeviceGroup	string	Device group to which the policies were pushed.
Panorama.Push.JobID	number	Job ID of the configuration to be pushed.
Panorama.Push.Status	string	Push status.

Command Example

!panorama-push-to-device-group

Human Readable Output

4. Get a list of addresses

---

Returns a list of addresses.

Base Command

panorama-list-addresses

Input

Argument Name	Description	Required
device-group	The device group for which to return addresses (Panorama instances). If no value is supplied, the default group configured integration parameter is applied.	Optional
Tag	The tag for which to filter the list of addresses.	Optional

Context Output

Path	Type	Description
Panorama.Addresses.Name	string	Address name.
Panorama.Addresses.Description	string	Address description.
Panorama.Addresses.FQDN	string	Address FQDN.
Panorama.Addresses.IP_Netmask	string	Address IP netmask.
Panorama.Addresses.IP_Range	string	Address IP range.
Panorama.Addresses.DeviceGroup	string	Address device group.
Panorama.Addresses.Tages	string	Address tags.

Command Example

!panorama-list-addresses

Human Readable Output

5. Get address details

---

Returns address details for the supplied address name.

Base Command

panorama-get-address

Input

Argument Name	Description	Required
name	Address name.	Required
device-group	The device group for which to return addresses (Panorama instances). If no value is supplied, the default group configured integration parameter is applied.	Optional

Context Output

Path	Type	Description
Panorama.Addresses.Name	string	Address name.
Panorama.Addresses.Description	string	Address description.
Panorama.Addresses.FQDN	string	Address FQDN.
Panorama.Addresses.IP_Netmask	string	Address IP netmask.
Panorama.Addresses.IP_Range	string	Address IP range.
Panorama.Addresses.DeviceGroup	string	Address device group.
Panorama.Addresses.Tags	string	Address tags.

Command Example

!panorama-get-address name="Demisto address"

Human Readable Output

6. Create an address object

---

Creates an address object.

Base Command

panorama-create-address

Input

Argument Name	Description	Required
name	Name for the new address.	Required
description	A description of the new address.	Optional
fqdn	FQDN of the new address.	Optional
ip_netmask	IP netmask of the new address, e.g., 10.10.10.10/24.	Optional
ip_range	IP range of the new address, e.g., 10.10.10.0-10.10.10.255.	Optional
device-group	The device group for which to return addresses (Panorama instances). If no value is supplied, the default group configured integration parameter is applied.	Optional
tag	The tag for the new address	Optional

Context Output

Path	Type	Description
Panorama.Addresses.Name	string	Address name.
Panorama.Addresses.Description	string	Address description.
Panorama.Addresses.FQDN	string	Address FQDN.
Panorama.Addresses.IP_Netmask	string	Address IP netmask.
Panorama.Addresses.IP_Range	string	Address IP range.
Panorama.Adddresses.DeviceGroup	string	Address Device Group.
Panorama.Addresses.Tag	string	Address tag.

Command Example

!panorama-create-address name="address_test_pb" description="just a desc" ip_range="10.10.10.9-10.10.10.10"

Human Readable Output

7. Delete an address object

---

Deletes an address object.

Base Command

panorama-delete-address

Input

Argument Name	Description	Required
name	Name of the address to delete.	Required
device-group	The device group for which to return addresses (Panorama instances). If no value is supplied, the default group configured integration parameter is applied.	Optional

Context Output

Path	Type	Description
Panorama.Addresses.Name	string	Name of the address that was deleted.

Command Example

!panorama-delete-address name="address_test_pb"

Human Readable Output

8. Get a list of address groups

---

Returns a list of address groups.

Base Command

panorama-list-address-groups

Input

Argument Name	Description	Required
device-group	The device group for which to return addresses (Panorama instances). If no value is supplied, the default group configured integration parameter is applied.	Optional
tag	The tag for which to filter the address group.	Optional

There are no input arguments for this command.

Context Output

Path	Type	Description
Panorama.AddressGroups.Name	string	Address group name.
Panorama.AddressGroups.Type	string	Address group type.
Panorama.AddressGroups.Match	string	Dynamic address group match.
Panorama.AddressGroups.Description	string	Address group description.
Panorama.AddressGroups.Addresses	string	Static address group addresses.
Panorama.AddressGroups.DeviceGroup	string	Address device group.
Panorama.AddressGroups.Tag	string	Address group tag.

Command Example

!panorama-list-address-groups

Human Readable Output

9. Get information for an address group. A dynamic address group with a tag will return only the tag name, not the IPs associated with this tag.

---

Returns details for the specified address group.

Base Command

panorama-get-address-group

Input

Argument Name	Description	Required
name	Address group name.	Required
device-group	The device group for which to return addresses (Panorama instances). If no value is supplied, the default group configured integration parameter is applied.	Optional

Context Output

Path	Type	Description
Panorama.AddressGroups.Name	string	Address group name.
Panorama.AddressGroups.Type	string	Address group type.
Panorama.AddressGroups.Match	string	Dynamic address group match.
Panorama.AddressGroups.Description	string	Address group description.
Panorama.AddressGroups.Addresses	string	Static address group addresses.
Panorama.AddressGroups.DeviceGroup	string	Address device group.
Panorama.AddressGroups.Tags	string	Address group tags.

Command Example

!panorama-get-address-group name=suspicious_address_group

Human Readable Output

10. Create an address group

---

Creates an address group; "static" or "dynamic".

Base Command

panorama-create-address-group

Input

Argument Name	Description	Required
name	Address group name.	Required
type	Address group type.	Required
match	Dynamic address group match. e.g., "1.1.1.1 or 2.2.2.2".	Optional
addresses	Static address group list of addresses.	Optional
description	Address group description.	Optional
device-group	The device group for which to return addresses (Panorama instances). If no value is supplied, the default group configured integration parameter is applied.	Optional
tags	The tags for the address group.	Optional

Context Output

Path	Type	Description
Panorama.AddressGroups.Name	string	Address group name.
Panorama.AddressGroups.Type	string	Address group type.
Panorama.AddressGroups.Match	string	Dynamic address group match.
Panorama.AddressGroups.Addresses	string	Static address group list.
Panorama.AddressGroups.Description	string	Address group description.
Panorama.AddressGroups.DeviceGroup	string	Address device group.
Panorama.AddressGroups.Tag	string	Address group tags.

Command Example

!panorama-create-address-group name=suspicious_address_group type=dynamic match=1.1.1.1
          description="this ip is very bad"

Human Readable Output

11. Delete an address group

---

Deletes an address group.

Base Command

panorama-delete-address-group

Input

Argument Name	Description	Required
name	Name of address group to delete.	Optional
device-group	The device group for which to return addresses (Panorama instances). If no value is supplied, the default group configured integration parameter is applied.	Optional

Context Output

Path	Type	Description
Panorama.AddressGroups.Name	string	Name of address group that was deleted.

Command Example

!panorama-delete-address-group name="dynamic_address_group_test_pb3"

Human Readable Output

12. Edit an address group

---

Edit an address group; "static" or "dynamic".

Base Command

panorama-edit-address-group

Input

Argument Name	Description	Required
name	Name of the address group to edit.	Required
type	Address group type.	Required
match	Address group new match, e.g., "1.1.1.1 and 2.2.2.2".	Optional
element_to_add	Element to add to the list of the static address group. Only existing Address objects can be added.	Optional
element_to_remove	Element to remove to the list of the static address group. Only existing Address objects can be added.	Optional
description	Address group new description.	Optional
tag	Address group tag to edit.	Optional

Context Output

Path	Type	Description
Panorama.AddressGroups.Name	string	Address group name.
Panorama.AddressGroups.Type	string	Address group type.
Panorama.AddressGroups.Filter	string	Dynamic address group match.
Panorama.AddressGroups.Description	string	Address group description.
Panorama.AddressGroups.Addresses	string	Static address group addresses.
Panorama.AddressGroups.DeviceGroup	string	Address device group.
Panorama.AddressGroups.Tags	string	Address group tags.

13. Get details for a custom URL category

---

Returns information for a custom URL category.

Base Command

panorama-get-custom-url-category

Input

Argument Name	Description	Required
name	Custom URL category name.	Required
device-group	The device group for which to return addresses (Panorama instances). If no value is supplied, the default group configured integration parameter is applied.	Optional

Context Output

Path	Type	Description
Panorama.CustomURLCategory.Name	string	Custom URL category name.
Panorama.CustomURLCategory.Description	string	Custom URL category description.
Panorama.CustomURLCategory.Sites	string	Custom URL category list of sites.

Command Example

!panorama-get-custom-url-category name=my_personal_url_category

Human Readable Output

14. Create a custom URL category

---

Creates a custom URL category.

Base Command

panorama-create-custom-url-category

Input

Argument Name	Description	Required
name	Name for the custom URL category to create.	Required
description	Description of the custom URL category to create.	Optional
sites	List of sites for the custom URL category.	Optional
device-group	The device group for which to return addresses (Panorama instances). If no value is supplied, the default group configured integration parameter is applied.	Optional

Context Output

Path	Type	Description
Panorama.CustomURLCategory.Name	string	Custom URL category name
Panorama.CustomURLCategory.Description	string	Custom URL category description.
Panorama.CustomURLCategory.Sites	string	Custom URL category list of sites.

Command Example

!panorama-create-custom-url-category name=suspicious_address_group sites=["thepill.com","abortion.com"] description=momo

Human Readable Output

15. Delete a custom URL category

---

Deletes a custom URL category.

Base Command

panorama-delete-custom-url-category

Input

Argument Name	Description	Required
name	Name of the custom URL category to delete.	Optional
device-group	The device group for which to return addresses (Panorama instances). If no value is supplied, the default group configured integration parameter is applied.	Optional

Context Output

Path	Type	Description
Panorama.CustomURLCategory.Name	string	Name of the custom URL category to delete.

Command Example

!panorama-delete-custom-url-category name=suspicious_address_group

Human Readable Output

16. Add/Remove sites from a custom URL category

---

Add sites to, or remove sites from a custom URL category.

Base Command

panorama-edit-custom-url-category

Input

Argument Name	Description	Required
name	Name of the custom URL category to which to add or remove sites.	Required
sites	CSV list of sites to add to the custom URL category.	Required
action	Add or remove sites; "add" or "remove".	Required

Context Output

Path	Type	Description
Panorama.CustomURLCategory.Name	string	Custom URL category name.
Panorama.CustomURLCategory.Description	string	Custom URL category description.
Panorama.CustomURLCategory.Sites	string	Custom URL category list of sites.

Human Readable Output

17. Get details for a URL category

---

Gets a URL category from URL Filtering.

Base Command

panorama-get-url-category

Input

Argument Name	Description	Required
url	URL to check.	Required

Context Output

Path	Type	Description
Panorama.URLFiltering.URL	string	URL.
Panorama.URLFiltering.Category	string	URL category.

Command Example

!panorama-get-url-category url="poker.com"

Human Readable Output

18. Get details for a URL filtering rule

---

Get information for a URL filtering rule.

Base Command

panorama-get-url-filter

Input

Argument Name	Description	Required
name	URL filter name.	Required
device-group	The device group for which to return addresses (Panorama instances). If no value is supplied, the default group configured integration parameter is applied.	Optional

Context Output

Path	Type	Description
Panorama.URLFilter.Name	string	URL filter name.
Panorama.URLFilter.Category.Name	string	URL filter category name.
Panorama.URLFilter.Category.Action	string	Action for the URL category.
Panorama.URLFilter.OverrideBlockList	string	URL filter override block list.
Panorama.URLFilter.OverrideAllowList	string	URL filter override allow list.
Panorama.URLFilter.Description	string	URL filter description.

Command Example

!panorama-get-url-filter name=demisto_default_url_filter

Human Readable Output

19. Create a URL filtering rule

---

Creates a URL filtering rule.

Base Command

panorama-create-url-filter

Input

Argument Name	Description	Required
name	Name of the URL filter to create.	Required
url_category	One or more URL categories.	Required
action	Action for the URL categories; "allow", "block", "alert", "continue", "override".	Required
override_allow_list	CSV list of URLs to exclude from the allow list.	Optional
override_block_list	CSV list of URLs to exclude from the block list.	Optional
description	URL filter description.	Optional
device-group	The device group for which to return addresses (Panorama instances). If no value is supplied, the default group configured integration parameter is applied.	Optional

Context Output

Path	Type	Description
Panorama.URLFilter.Name	string	URL filter name
Panorama.URLFilter.Category.Name	string	URL filter category name
Panorama.URLFilter.Category.Action	string	Action for the URL category
Panorama.URLFilter.OverrideBlockList	string	URL filter override allow list
Panorama.URLFilter.OverrideBlockList	string	URL filter override block list
Panorama.URLFilter.Description	string	URL filter description.

20. Edit a URL filter

---

Name of the URL filter to edit.

Base Command

panorama-edit-url-filter

Input

Argument Name	Description	Required
name	URL filter to edit	Required
element_to_change	Element to change; "override_allow_list", "ovveride_block_list"	Required
element_value	Element value, limited to one value.	Required
add_remove_element	Add or remove an element from the Allow List field or Block List field, default is "add" the element_value to the list.	Optional

Context Output

Path	Type	Description
Panorama.URLFilter.Name	string	URL filter name.
Panorama.URLFilter.Description	string	URL filter description.
Panorama.URLFilter.Category.Name	string	URL filter category.
Panorama.URLFilter.Action	string	Action for the URL category.
Panorama.URLFilter.OverrideAllowList	string	Allow Overrides for the URL category.
Panorama.URLFilter.OverrideBlockList	string	Block Overrides for the URL category.

Command Example

!panorama-edit-url-filter name=demisto_default_url_filter element_to_change=override_allow_list element_value="poker.com" add_remove_element=add

Human Readable Output

21. Delete a URL filtering rule

---

Deletes a URL filtering rule.

Base Command

panorama-delete-url-filter

Input

Argument Name	Description	Required
name	Name of the URL filter rule to delete.	Required
device-group	The device group for which to return addresses (Panorama instances). If no value is supplied, the default group configured integration parameter is applied.	Optional

Context Output

Path	Type	Description
Panorama.URLFilter.Name	string	URL filter rule name that was deleted.

22. Create a policy rule

---

Creates a policy rule.

Base Command

panorama-create-rule

Input

Argument Name	Description	Required
rulename	Name of the rule to create.	Optional
description	Description of the rule to create.	Optional
action	Action for the rule; "allow", "deny", "drop".	Required
source	Source address; "address", "address group".	Optional
destination	Destination address; "address", "address group".	Optional
source_zone	A comma-separated list of source zones..	Optional
destination_zone	A comma-separated list of source zones..	Optional
negate_source	Whether to negate the source (address, address group); "Yes" or "No".	Optional
negate_destination	Whether to negate the destination (address, address group); "Yes" or "No".	Optional
service	Service for the rule (service object) to create.	Optional
disable	Whether to disable the rule; "Yes" or "No" (default is "No").	Optional
application	Application for the rule to create.	Optional
source_user	Source user for the rule to create.	Optional
pre_post	Pre rule or Post rule.	Optional
target	Specify a target firewall for the rule.	Optional
log_forwarding	Log forwarding profile (Panorama instances).	Optional
device-group	The device group for which to return addresses for the rule (Panorama instances). If no value is supplied, the default group configured integration parameter is applied.	Optional
tags	Rule tags to create.	Optional

Context Output

Path	Type	Description
Panorama.SecurityRule.Name	string	Rule name.
Panorama.SecurityRule.Description	string	Rule description.
Panorama.SecurityRule.Action	string	Action for the rule.
Panorama.SecurityRule.Source	string	Source address.
Panorama.SecurityRule.Destination	string	Destination address.
Panorama.SecurityRule.NegateSource	boolean	Whether the source is negated (address, address group).
Panorama.SecurityRule.NegateDestination	boolean	Whether the destination is negated (address, address group).
Panorama.SecurityRule.Service	string	Service for the rule.
Panorama.SecurityRule.Disabled	string	Whether the rule is disabled.
Panorama.SecurityRule.Application	string	Application for the rule.
Panorama.SecurityRule.Target	string	Target firewall.
Panorama.SecurityRule.LogForwarding	string	Log forwarding profile (Panorama instances).
Panorama.SecurityRule.DeviceGroup	string	Device group for the rule (Panorama instances).
Panorama.SecurityRules.Tags	string	Rule tags.

Command Example

!panorama-create-rule rulename="block_bad_application" description="do not play at work" action="deny" application="fortnite"

Human Readable Output

23. Create a custom block policy rule

---

Creates a custom block policy rule.

Base Command

panorama-custom-block-rule

Input

Argument Name	Description	Required
rulename	Name of the custom block policy rule to create.	Optional
object_type	Object type to block in the policy rule. Can be "ip", "address-group", "edl", or "custom-url-category".	Required
object_value	Object value.	Required
direction	Direction to block. Can be "to", "from", or "both". Default is "both". This argument is not applicable to the "custom-url-category" object_type.	Optional
pre_post	Pre rule or Post rule.	Optional
target	Specify a target firewall for the rule.	Optional
log_forwarding	Log forwarding profile (Panorama instances).	Optional
device-group	The device group for which to return addresses for the rule (Panorama instances). If no value is supplied, the default group configured integration parameter is applied.	Optional
tags	The tags for the custom block policy rule.	Optional

Context Output

Path	Type	Description
Panorama.SecurityRule.Name	string	Rule name.
Panorama.SecurityRule.Object	string	Blocked object.
Panorama.SecurityRule.Direction	string	Direction blocked.
Panorama.SecurityRule.Target	string	Target firewall.
Panorama.SecurityRule.LogForwarding	string	Log forwarding profile (Panorama instances).
Panorama.SecurityRule.DeviceGroup	string	Device group for the rule (Panorama instances).
Panorama.SecurityRule.Tags	string	Rule tags.

24. Change the location of a policy rule

---

Changes the location of a policy rule.

Base Command

panorama-move-rule

Input

Argument Name	Description	Required
rulename	Name of the rule to move.	Required
where	Where to move the rule to; "before", "after", "top", or "bottom". If you specify "up" or "down", you need to supply the "dst" argument.	Required
dst	Destination rule relative to the rule you are moving. Only supply this argument if you specified "up" or "down" for the "where" argument.	Optional
pre_post	Rule location.	Optional
device-group	The device group for which to return addresses (Panorama instances). If no value is supplied, the default group configured integration parameter is applied.	Optional

Context Output

Path	Type	Description
Panorama.SecurityRule.Name	string	Rule name.

Command Example

!panorama-move-rule rulename="test_rule3" where="bottom"

Human Readable Output

25. Edit a policy rule

---

Edit a policy rule.

Base Command

panorama-edit-rule

Input

Argument Name	Description	Required
rulename	Name of the rule to edit.	Required
element_to_change	Parameter in the security rule to change. Can be "source", "destination", "application", "action", "category", "description", "disabled", "target", "log-forwarding", or "tag".	Required
element_value	New value for the parameter.	Required
pre_post	Pre rule or Post rule (Panorama instances).	Optional

Context Output

Path	Type	Description
Panorama.SecurityRule.Name	string	Rule name.
Panorama.SecurityRule.Description	string	Rule description.
Panorama.SecurityRule.Action	string	Action for the rule.
Panorama.SecurityRule.Source	string	Source address.
Panorama.SecurityRule.Destination	string	Destination address.
Panorama.SecurityRule.NegateSource	boolean	Is the source negated (address, address group).
Panorama.SecurityRule.NegateDestination	boolean	Is the destination negated (address, address group).
Panorama.SecurityRule.Service	string	Service for the rule.
Panorama.SecurityRule.Disabled	string	Is the rule disabled.
Panorama.SecurityRule.Application	string	Application for the rule.
Panorama.SecurityRule.Target	string	Target firewall (Panorama instances).
Panorama.SecurityRule.DeviceGroup	string	Device group for the rule (Panorama instances).
Panorama.SecurityRule.Tags	string	Tags for the rule.

Command Example

!panorama-edit-rule rulename="block_bad_application" element_to_change=action element_value=drop

Human Readable Output

26. Delete a policy rule

---

Deletes a policy rule.

Base Command

panorama-delete-rule

Input

Argument Name	Description	Required
rulename	Name of the rule to delete.	Required
pre_post	Pre rule or Post rule (Panorama instances).	Optional
device-group	The device group for which to return addresses (Panorama instances). If no value is supplied, the default group configured integration parameter is applied.	Optional

Context Output

Path	Type	Description
Panorama.SecurityRule.Name	string	Rule name.

Command Example

!panorama-delete-rule rulename=block_bad_application

Human Readable Output

27. Get a list of applications

---

Returns a list of predefined applications.

Base Command

panorama-list-applications

Input

There are no input arguments for this command.

Context Output

Path	Type	Description
Panorama.Applications.Name	string	Application name.
Panorama.Applications.Id	number	Application ID.
Panorama.Applications.Category	string	Application category.
Panorama.Applications.SubCategory	string	Application sub-category.
Panorama.Applications.Technology	string	Application technology.
Panorama.Applications.Risk	number	Application risk (1-5).
Panorama.Applications.Description	string	Application description.

Command Example

!panorama-list-applications

Human Readable Output

28. Get the commit status for a configuration

---

Get the commit status for a configuration.

Base Command

panorama-commit-status

Input

Argument Name	Description	Required
job_id	Job ID to check.	Required

Context Output

Path	Type	Description
Panorama.Commit.JobID	number	Job ID of the configuration to be committed.
Panorama.Commit.Status	string	Commit status.
Panorama.Commit.Details	string	Job ID details.
Panorama.Commit.Warnings	string	Job ID warnings.

Command Example

!panorama-commit-status job_id=948

Human Readable Output

29. Get the push status for a configuration

---

Get the push status for a configuration.

Base Command

panorama-push-status

Input

Argument Name	Description	Required
job_id	Job ID to check.	Required

Context Output

Path	Type	Description
Panorama.Push.DeviceGroup	string	Device group to which the policies were pushed.
Panorama.Push.JobID	number	Job ID of the configuration to be pushed.
Panorama.Push.Status	string	Push status.
Panorama.Push.Details	string	Job ID details.

Command Example

!panorama-push-status job_id=951

Human Readable Output

30. Get a list of services

---

Returns a list of all services.

Base Command

panorama-list-services

Input

Argument Name	Description	Required
device-group	The device group for which to return addresses (Panorama instances). If no value is supplied, the default group configured integration parameter is applied.	Optional
tag	The tag for which to filter the service.	Optional

There is no input for this command.

Context Output

Path	Type	Description
Panorama.Services.Name	string	Service name.
Panorama.Services.Protocol	string	Service protocol.
Panorama.Services.Description	string	Service description.
Panorama.Services.DestinationPort	string	Service destination port.
Panorama.Services.SourcePort	string	Service source port.
Panorama.Services.DeviceGroup	string	Service device group.
Panorama.Services.Tags	string	Service tags.

Command Example

!panorama-list-services

Human Readable Output

31. Get information for a service

---

Returns service details for the supplied service name.

Base Command

panorama-get-service

Input

Argument Name	Description	Required
name	Service name.	Optional
device-group	The device group for which to return addresses (Panorama instances). If no value is supplied, the default group configured integration parameter is applied.	Optional

Context Output

Path	Type	Description
Panorama.Services.Name	string	Service name.
Panorama.Services.Protocol	string	Service protocol.
Panorama.Services.Description	string	Service descriptions.
Panorama.Services.DestinationPort	string	Service destination port.
Panorama.Services.SourcePort	string	Service source port.
Panorama.Services.DeviceGroup	string	Service device group.
Panorama.Service.Tags	string	Service tags.

Command Example

!panorama-get-service name=guy_ser3

Human Readable Output

32. Create a service

---

Creates a service.

Base Command

panorama-create-service

Input

Argument Name	Description	Required
name	Name for the new service.	Required
protocol	Protocol for the new service.	Required
destination_port	Destination port for the new service.	Required
source_port	Source port for the new service.	Optional
description	Description of the new service.	Optional
device-group	The device group for which to return addresses (Panorama instances). If no value is supplied, the default group configured integration parameter is applied.	Optional
tags	The tags for the new service.	Optional

Context Output

Path	Type	Description
Panorama.Services.Name	string	Service name.
Panorama.Services.Protocol	string	Service protocol.
Panorama.Services.Description	string	Service descriptions.
Panorama.Services.DestinationPort	string	Service destination port.
Panorama.Services.SourcePort	string	Service source port.
Panorama.Services.DeviceGroup	string	Service device group.
Panorama.Services.Tags	string	Service tags.

Command Example

!panorama-create-service name=guy_ser3 protocol=udp destination_port=36 description=bfds

Human Readable Output

placeholder

33. Delete a service

---

Deletes a service.

Base Command

panorama-delete-service

Input

Argument Name	Description	Required
name	Name of the service to delete.	Required
device-group	The device group for which to return addresses (Panorama instances). If no value is supplied, the default group configured integration parameter is applied.	Optional

Context Output

Path	Type	Description
Panorama.Services.Name	string	Service name.

Command Example

!panorama-delete-service name=guy_ser3

Human Readable Output

placeholder

34. Get a list of service groups

---

Returns a list of service groups.

Base Command

panorama-list-service-groups

Input

Argument Name	Description	Required
device-group	The device group for which to return addresses (Panorama instances). If no value is supplied, the default group configured integration parameter is applied.	Optional

Context Output

Path	Type	Description
Panarama.ServiceGroups.Name	string	Service group name
Panorama.ServiceGroups.Services	string	Service group related services
Panorama.ServiceGroups.DeviceGroup	string	Service device group.
Panorama.ServiceGroups.Tags	string	Service tags.

Command Example

!panorama-list-service-groups

Human Readable Output

placeholder

35. Get information for a service group

---

Returns details for the specified service group.

Base Command

panorama-get-service-group

Input

Argument Name	Description	Required
name	Service group name.	Required
device-group	The device group for which to return addresses (Panorama instances). If no value is supplied, the default group configured integration parameter is applied.	Optional

Context Output

Path	Type	Description
Panarama.ServiceGroups.Name	string	Service group name.
Panorama.ServiceGroups.Services	string	Service group related services.
Panorama.ServiceGroups.DeviceGroup	string	Service device group.
Panorama.ServiceGroups.Tags	string	Service group tags.

Command Example

!panorama-get-service-group name=ser_group6

Human Readable Output

placeholder

36. Create a service group

---

Creates a service group.

Base Command

panorama-create-service-group

Input

Argument Name	Description	Required
name	Service group Name.	Required
services	Service group related services.	Required
device-group	The device group for which to return addresses (Panorama instances). If no value is supplied, the default group configured integration parameter is applied.	Optional
tags	The tags for which to filter the service groups.	Optional

Context Output

Path	Type	Description
Panarama.ServiceGroups.Name	string	Service group name.
Panorama.ServiceGroups.Services	string	Service group related services.
Panorama.ServiceGroups.DeviceGroup	string	Service device group.
Panorama.ServiceGroups.Tags	string	Service group tags.

Command Example

    !panorama-create-service-group name=lalush_sg4 services=`["demisto_service1","demi_service_test_pb"]
  

Human Readable Output

placeholder

37. Delete a service group

---

Deletes a service group.

Base Command

panorama-delete-service-group

Input

Argument Name	Description	Required
name	Name of the service group to delete.	Required
device-group	The device group for which to return addresses (Panorama instances). If no value is supplied, the default group configured integration parameter is applied.	Optional

Context Output

Path	Type	Description
Panarama.ServiceGroups.Name	string	Name of the service group that was deleted.
Panorama.ServiceGroups.DeviceGroup	string	Device group for the service group that was deleted (Panorama instances).

Command Example

!panorama-delete-service-group name=lalush_sg4

Human Readable Output

placeholder

38. Edit a service group

---

Modifies details of a service group.

Base Command

panorama-edit-service-group

Input

Argument Name	Description	Required
name	Service group name	Required
services_to_remove	Services to remove from the service group. Only existing Services objects can be removed.	Optional
services_to_add	Services to add to the service group. Only existing Services objects can be added.	Optional
tags	Services group tag to edit.	Optional

Context Output

Path	Type	Description
Panarama.ServiceGroups.Name	string	Service group name.
Panorama.ServiceGroups.Services	string	Service group related services.
Panorama.ServiceGroups.DeviceGroup	string	Service device group.
Panorama.ServiceGroups.Tags	string	Service group tags.

Command Example

    panorama-edit-service-group name=lalush_sg4 services_to_remove=`["serice_udp_test_pb","demisto_service1"]
  

Human Readable Output

39. Get information for a PCAP file

---

Returns information for a Panorama PCAP file. The recommended maximum file size is 5 MB. If the limit is exceeded, you might need to SSH the firewall and run the scp export command to export the PCAP file. For more information, see the Palo Alto Networks documentation .

Base Command

panorama-get-pcap

Input

Argument Name	Description	Required
pcapType	The type of packet capture.	Required
from	The file name for the PCAP type ("dlp-pcap", "filters-pcap", "application-pcap".	Optional
localName	The new name for the PCAP file after downloading. If this argument is not specified, the file name will be the PCAP file name that was set in the firewall.	Optional
serialNo	The serial number for the request. For more information, see the Panorama XML API Documentation.	Optional
searchTime	The search time for the request. For more information, see the Panorama XML API Documentation.	Optional
pcapID	The ID of the PCAP for the request. For more information, see the Panorama XML API Documentation.	Optional
password	The password for Panorama. This is only required for the "dlp-pcap" PCAP type.	Optional

Context Output

Path	Type	Description
File.Size	number	The file size.
File.Name	string	The file name.
File.Type	string	The file type.
File.Info	string	The file info.
File.Extenstion	string	The file extension.
File.EntryID	string	The file entryID.
File.MD5	string	The MD5 hash of the file.
File.SHA1	string	The SHA-1 hash of the file.
File.SHA256	string	The SHA-256 hash of the file.

Command Example

!panorama-get-pcaps pcapType="filter-pcap" from=pcap_test

Human Readable Output

40. Get a list of all PCAP files

---

Returns a list of all Panorama PCAP files, by PCAP type.

Base Command

panorama-list-pcaps

Input

Argument Name	Description	Required
pcapType	The type of packet capture.	Required
from	The file name for the PCAP type (“dlp-pcap”, “filters-pcap”, “application-pcap”). For “application-pcap”, also use .	Optional
password	The password for Panorama. This is only required for the “dlp-pcap” PCAP type.	Optional

Context Output

Path	Type	Description
Panorama.Pcaps.Name	string	The PCAP name.

Command Example

!panorama-list-pcaps pcapType=“filter-pcap”

Human Readable Output

41. Get a list of EDLs

---

Returns a list of external dynamic lists.

Base Command

panorama-list-edls

Input

Argument Name	Description	Required
device-group	The device group for which to return addresses (Panorama instances). If no value is supplied, the default group configured integration parameter is applied.	Optional

Context Output

Path	Type	Description
Panorama.EDL.Name	string	Name of the EDL.
Panorama.EDL.Type	string	The type of EDL.
Panorama.EDL.URL	string	URL in which the EDL is stored.
Panorama.EDL.Description	string	Description of the EDL.
Panorama.EDL.CertificateProfile	string	EDL certificate profile.
Panorama.EDL.Recurring	string	Time interval that the EDL was pulled and updated.

Command Example

!panorama-list-edls

Human Readable Output

42. Get information for an EDL

---

Returns information for an external dynamic list.

Base Command

panorama-get-edl

Input

Argument Name	Description	Required
name	Name of the EDL.	Required
device-group	The device group for which to return addresses (Panorama instances). If no value is supplied, the default group configured integration parameter is applied.	Optional

Context Output

Path	Type	Description
Panorama.EDL.Name	string	Name of the EDL.
Panorama.EDL.Type	string	The type of EDL.
Panorama.EDL.URL	string	URL in which the EDL is stored.
Panorama.EDL.Description	string	Description of the EDL.
Panorama.EDL.CertificateProfile	string	EDL certificate profile.
Panorama.EDL.Recurring	string	Time interval that the EDL was pulled and updated.

Command Example

!panorama-get-edl name=test_pb_domain_edl_DONT_DEL

Human Readable Output

43. Create an EDL

---

Creates an external dynamic list.

Base Command

panorama-create-edl

Input

Argument Name	Description	Required
name	Name of the EDL.	Required
url	URL from which to pull the EDL.	Required
type	The type of EDL.	Required
recurring	Time interval for pulling and updating the EDL.	Required
certificate_profile	Certificate Profile name for the URL that was previously uploaded to PAN OS.	Optional
description	Description of the EDL.	Optional
device-group	The device group for which to return addresses (Panorama instances). If no value is supplied, the default group configured integration parameter is applied.	Optional

Context Output

Path	Type	Description
Panorama.EDL.Name	string	Name of the EDL.
Panorama.EDL.Type	string	The type of EDL.
Panorama.EDL.URL	string	URL in which the EDL is stored.
Panorama.EDL.Description	string	Description of the EDL.
Panorama.EDL.CertificateProfile	string	EDL certificate profile.
Panorama.EDL.Recurring	string	Time interval that the EDL was pulled and updated.

44. Edit an EDL

---

Modifies an element of an external dynamic list.

Base Command

panorama-edit-edl

Input

Argument Name	Description	Required
name	Name of the external dynamic list to edit	Required
element_to_change	The element to change (“url”, “recurring”, “certificate_profile”, “description”).	Required
element_value	The element value.	Required

Context Output

Path	Type	Description
Panorama.EDL.Name	string	Name of the EDL.
Panorama.EDL.URL	string	URL in which the EDL is stored
Panorama.EDL.Description	string	Description of the EDL.
Panorama.EDL.CertificateProfile	string	EDL certificate profile.
Panorama.EDL.Recurring	string	Time interval that the EDL was pulled and updated.

Command Example

!panorama-edit-edl name=test_pb_domain_edl_DONT_DEL element_to_change=description element_value="new description3"

Human Readable Output

45. Delete an EDL

---

Deletes an external dynamic list.

Base Command

panorama-delete-edl

Input

Argument Name	Description	Required
name	Name of the EDL to delete.	Required
device-group	The device group for which to return addresses (Panorama instances). If no value is supplied, the default group configured integration parameter is applied.	Optional

Context Output

Path	Type	Description
Panorama.EDL.Name	string	Name of the EDL that was deleted.

Command Example

!panorama-delete-edl name=shani_uel33

Human Readable Output

46. Refresh an EDL

---

Refreshes the specified external dynamic list.

Base Command

panorama-refresh-edl

Input

Argument Name	Description	Required
name	Name of the EDL.	Required
device-group	The device group for which to return addresses (Panorama instances). If no value is supplied, the default group configured integration parameter is applied.	Optional

Context Output

There is no context output for this command.

Command Example

!panorama-refresh-edl name=domain_edl66

Human Readable Output

47. Register IP addresses to a tag

---

Registers IP addresses to a tag.

Base Command

panorama-register-ip-tag

Input

Argument Name	Description	Required
tag	Tag to which to register IP addresses.	Required
IPs	IP addresses to register.	Required
persistent	Whether the IP addresses remain registered to the tag after device reboots (“True”:persistent, “False":non-persistent). Default is “True”.	Optional

Context Output

Path	Type	Description
Panorama.DynamicTags.Tag	string	Name for the tag.
Panorama.DynamicTags.IPs	string	Registered IP addresses.

Command Example

!panorama-register-ip-tag tag=tag02 IPs=[“10.0.0.13”,“10.0.0.14”]

Context Example

Human Readable Output

48. Unregister IP addresses from a tag

---

Unregisters IP addresses from a tag.

Base Command

panorama-unregister-ip-tag

Input

Argument Name	Description	Required
tag	Tag from which to unregister IP addresses.	Required
IPs	IP addresses to unregister.	Required

Command Example

!panorama-unregister-ip-tag tag=tag02 IPs=`["10.0.0.13","10.0.0.14"]

Human Readable Output

49. Query traffic logs

---

Queries traffic logs.

Base Command

panorama-query-traffic-logs

Input

Argument Name	Description	Required
query	Specifies the match criteria for the logs. This is similar to the query provided in the web interface under the Monitor tab when viewing the logs.	Optional
number_of_logs	The number of logs to retrieve. Default is 100. Maximum is 5,000.	Optional
direction	Whether logs are shown oldest first (forward) or newest first (backward). Default is backward.	Optional
source	Source address for the query.	Optional
destination	Destination address for the query.	Optional
receive_time	Date and time after which logs were received, in the format: YYYY/MM/DD HH:MM:SS.	Optional
application	Application for the query.	Optional
to_port	Destination port for the query.	Optional
action	Action for the query.	Optional

Context Output

Path	Type	Description
Panorama.TrafficLogs.JobID	Number	Job ID of the traffic logs query.
Panorama.TrafficLogs.Status	String	Status of the traffic logs query.

Command Example

!panorama-query-traffic-logs query="" number_of_logs="100" direction="backward" source="" destination="" receive_time="" application="" to_port="" action="allow"

Human Readable Output

50. Check the query status of traffic logs

---

Checks the query status of traffic logs.

Base Command

panorama-check-traffic-logs-status

Input

Argument Name	Description	Required
job_id	Job ID of the query.	Required

Context Output

Path	Type	Description
Panorama.TrafficLogs.JobID	Number	Job ID of the traffic logs query.
Panorama.TrafficLogs.Status	String	Status of the traffic logs query.

Command Example

!panorama-check-traffic-logs-status job_id="1865"

Human Readable Output

51. Get traffic logs

---

Retrieves traffic log query data by job id

Base Command

panorama-get-traffic-logs

Input

Argument Name	Description	Required
job_id	Job ID of the query.	Required

Context Output

Path	Type	Description
Panorama.TrafficLogs.JobID	Number	Job ID of the traffic logs query.
Panorama.TrafficLogs.Status	String	Status of the traffic logs query.
Panorama.TrafficLogs.Logs.Action	String	Action of the traffic log.
Panorama.TrafficLogs.Logs.ActionSource	String	Action source of the traffic log.
Panorama.TrafficLogs.Logs.Application	String	Application of the traffic log.
Panorama.TrafficLogs.Logs.Category	String	Category of the traffic log.
Panorama.TrafficLogs.Logs.DeviceName	String	Device name of the traffic log.
Panorama.TrafficLogs.Logs.Destination	String	Destination of the traffic log.
Panorama.TrafficLogs.Logs.DestinationPort	String	Destination port of the traffic log.
Panorama.TrafficLogs.Logs.FromZone	String	From zone of the traffic log.
Panorama.TrafficLogs.Logs.Protocol	String	Protocol of the traffic log.
Panorama.TrafficLogs.Logs.ReceiveTime	String	Receive time of the traffic log.
Panorama.TrafficLogs.Logs.Rule	String	Rule of the traffic log.
Panorama.TrafficLogs.Logs.SessionEndReason	String	Session end reason of the traffic log.
Panorama.TrafficLogs.Logs.Source	String	Source of the traffic log.
Panorama.TrafficLogs.Logs.SourcePort	String	Source port of the traffic log.
Panorama.TrafficLogs.Logs.StartTime	String	Start time of the traffic log.
Panorama.TrafficLogs.Logs.ToZone	String	To zone of the traffic log.

Command Example

!panorama-get-traffic-logs job_id="1865"

Human Readable Output

52. Get a list of predefined security rules

---

Returns a list of predefined security rules.

Base Command

panorama-list-rules

Input

Argument Name	Description	Required
pre_post	Rules location. Can be "pre-rulebase" or "post-rulebase". Mandatory for Panorama instances.	Optional
device-group	The device group for which to return addresses (Panorama instances). If no value is supplied, the default group configured integration parameter is applied.	Optional
tag	The tag for which to filter the rules.	Optional

Context Output

Path	Type	Description
Panorama.SecurityRule.Name	String	Rule name.
Panorama.SecurityRule.Action	String	Action for the rule.
Panorama.SecurityRule.Location	String	Rule location.
Panorama.SecurityRule.Category	String	Rule category.
Panorama.SecurityRule.Application	String	Application for the rule.
Panorama.SecurityRule.Destination	String	Destination address.
Panorama.SecurityRule.From	String	Rule from.
Panorama.SecurityRule.Service	String	Service for the rule.
Panorama.SecurityRule.To	String	Rule to.
Panorama.SecurityRule.Source	String	Source address.
Panorama.SecurityRule.DeviceGroup	String	Device group for the rule (Panorama instances).
Panorama.SecurityRules.Tags	String	Rule tags.

Command Example

!panorama-list-rules

Human Readable Output

53. Query logs

---

Query logs in Panorama.

Base Command

panorama-query-logs

Input

Argument Name	Description	Required
log-type	The log type. Can be "threat", "traffic", "wildfire", "url", or "data".	Required
query	The query string by which to match criteria for the logs. This is similar to the query provided in the web interface under the Monitor tab when viewing the logs.	Optional
time-generated	The time that the log was generated from the timestamp and prior to it. For example: "2019/08/11 01:10:44".	Optional
addr-src	Source address.	Optional
ip	The source or destination IP address.
addr-dst	Destination address.	Optional
zone-src	Source zone.	Optional
zone-dst	Destination Source.	Optional
action	Rule action.	Optional
port-dst	Destination port.	Optional
rule	Rule name, for example: "Allow all outbound".	Optional
url	URL, for example: "safebrowsing.googleapis.com".	Optional
filedigest	File hash (for WildFIre logs only).	Optional
number_of_logs	Maximum number of logs to retrieve. If empty, the default is 100. The maximum is 5,000.	Optional

Context Output

Path	Type	Description
Panorama.Monitor.JobID	String	Job ID of the logs query.
Panorama.Monitor.Status	String	Status of the logs query.
Panorama.Monitor.Message	String	Message of the logs query.

Command Example

!panorama-query-logs log-type=data query=( addr.src in 192.168.1.12 )

Human Readable Output

Command Example

!panorama-query-logs log-type=wildfire filedigest=4f79697b40d0932e91105bd496908f8e02c130a0e36f6d3434d6243e79ef82e0

Human Readable Output

54. Check log query status

---

Checks the status of a logs query.

Base Command

panorama-check-logs-status

Input

Argument Name	Description	Required
job_id	Job ID of the query.	Required

Context Output

Path	Type	Description
Panorama.Monitor.JobID	String	Job ID of the logs query.
Panorama.Monitor.Status	String	Status of the logs query.

Command Example

!panorama-check-logs-status job_id=657

Human Readable Output

55. Get log query data

---

Retrieves the data of a logs query.

Base Command

panorama-get-logs

Input

Argument Name	Description	Required
job_id	Job ID of the query.	Required
ignore_auto_extract	Whether to auto-enrich the War Room entry. If "true", entry is not auto-enriched. If "false", entry is auto-extracted. Default is "true".	Optional

Context Output

Path	Type	Description
Panorama.Monitor.Action	String	Action taken for the session. Can be "alert", "allow", "deny", "drop", "drop-all-packets", "reset-client", "reset-server", "reset-both", of "block-url".
Panorama.Monitor.Application	String	Application associated with the session.
Panorama.Monitor.Bytes	String	Total log bytes.
Panorama.Monitor.BytesReceived	String	Log bytes received.
Panorama.Monitor.BytesSent	String	Log bytes sent.
Panorama.Monitor.Category	String	The URL category of the URL subtype. For WildFire subtype, it is the verdict on the file, and can be either "malicious", "phishing", "grayware"’, or "benign". For other subtypes, the value is "any".
Panorama.Monitor.DeviceName	String	The hostname of the firewall on which the session was logged.
Panorama.Monitor.DestinationAddress	String	Original session destination IP address.
Panorama.Monitor.DestinationUser	String	Username of the user to which the session was destined.
Panorama.Monitor.DestinationCountry	String	Destination country or internal region for private addresses. Maximum length is 32 bytes.
Panorama.Monitor.DestinationPort	String	Destination port utilized by the session.
Panorama.Monitor.FileDigest	String	Only for the WildFire subtype, all other types do not use this field. The filedigest string shows the binary hash of the file sent to be analyzed by the WildFire service.
Panorama.Monitor.FileName	String	File name or file type when the subtype is file.File name when the subtype is virus. File name when the subtype is wildfire-virus. File name when the subtype is wildfire.
Panorama.Monitor.FileType	String	Only for the WildFire subtype, all other types do not use this field. Specifies the type of file that the firewall forwarded for WildFire analysis.
Panorama.Monitor.FromZone	String	The zone from which the session was sourced.
Panorama.Monitor.URLOrFilename	String	The actual URI when the subtype is url. File name or file type when the subtype is file. File name when the subtype is virus. File name when the subtype is wildfire-virus. File name when the subtype is wildfire. URL or file name when the subtype is vulnerability (if applicable)
Panorama.Monitor.NATDestinationIP	String	If destination NAT performed, the post-NAT destination IP address.
Panorama.Monitor.NATDestinationPort	String	Post-NAT destination port.
Panorama.Monitor.NATSourceIP	String	If source NAT performed, the post-NAT source IP address.
Panorama.Monitor.NATSourcePort	String	Post-NAT source port.
Panorama.Monitor.PCAPid	String	The packet capture (pcap) ID is a 64 bit unsigned integral denoting an ID to correlate threat pcap files with extended pcaps taken as a part of that flow. All threat logs will contain either a pcap_id of 0 (no associated pcap), or an ID referencing the extended pcap file.
Panorama.Monitor.IPProtocol	String	IP protocol associated with the session.
Panorama.Monitor.Recipient	String	Only for the WildFire subtype, all other types do not use this field. Specifies the name of the receiver of an email that WildFire determined to be malicious when analyzing an email link forwarded by the firewall.
Panorama.Monitor.Rule	String	Name of the rule that the session matched.
Panorama.Monitor.RuleID	String	ID of the rule that the session matched.
Panorama.Monitor.ReceiveTime	String	Time the log was received at the management plane.
Panorama.Monitor.Sender	String	Only for the WildFire subtype; all other types do not use this field. Specifies the name of the sender of an email that WildFire determined to be malicious when analyzing an email link forwarded by the firewall.
Panorama.Monitor.SessionID	String	An internal numerical identifier applied to each session.
Panorama.Monitor.DeviceSN	String	The serial number of the firewall on which the session was logged.
Panorama.Monitor.Severity	String	Severity associated with the threat. Can be "informational", "low", "medium", "high", or "critical".
Panorama.Monitor.SourceAddress	String	Original session source IP address.
Panorama.Monitor.SourceCountry	String	Source country or internal region for private addresses. Maximum length is 32 bytes.
Panorama.Monitor.SourceUser	String	Username of the user who initiated the session.
Panorama.Monitor.SourcePort	String	Source port utilized by the session.
Panorama.Monitor.ThreatCategory	String	Describes threat categories used to classify different types of threat signatures.
Panorama.Monitor.Name	String	Palo Alto Networks identifier for the threat. It is a description string followed by a 64-bit numerical identifier
Panorama.Monitor.ID	String	Palo Alto Networks ID for the threat.
Panorama.Monitor.ToZone	String	The zone to which the session was destined.
Panorama.Monitor.TimeGenerated	String	Time that the log was generated on the dataplane.
Panorama.Monitor.URLCategoryList	String	A list of the URL filtering categories that the firewall used to enforce the policy.

Command Example

!panorama-get-logs job_id=678

Human Readable Output

Command Example

!panorama-get-logs job_id=676

Human Readable Output

Playbook Videos

These video show how to set up and use the PAN-OS DAG Configuration playbook and PAN-OS EDL Setup playbook.

PAN-OS DAG Configuration

PAN-OS EDL Setup

77. panorama-get-licences

---

Get information about PAN-OS available licenses and their statuses.

Base Command

panorama-get-licences

Input

There are no inputs for this command.

Context Output

Path	Type	Description
Panorama.License.Authcode	String	License authentication code.
Panorama.License.Base-license-name	String	Base License name.
Panorama.License.Description	String	The License description.
Panorama.License.Expired	String	Is the license expired.
Panorama.License.Expires	String	When the license will be expired.
Panorama.License.Feature	String	The license feature.
Panorama.License.Issued	String	When the license was issued.
Panorama.License.Serial	String	The license serial.

Command Example

!panorama-get-licences

Human Readable Output

Authcode	Description	Feature	Serial	Expired	Expires	Issued
I9805928	NFR Support	NFR Support	007DEMISTO1t	no	Never	November 25, 2019

78. panorama-get-security-profiles

---

Get information about profiles.

Base Command

panorama-get-security-profiles

Input

Argument Name	Description	Required
security_profile	The security profile to get.	Optional

Context Output

Path	Type	Description
Panorama.Spyware.Name	String	Profile Name.
Panorama.Spyware.Rules.Action	String	The rule action
Panorama.Spyware.Rules.Cateogry	String	The category to apply the rule on.
Panorama.Spyware.Rules.Name	String	Rule name.
Panorama.Spyware.Rules.Packet-capture	String	Is packet capture enabled.
Panorama.Spyware.Rules.Severity	String	Rule severity.
Panorama.Spyware.Rules.Threat-name	String	Threat name to apply the rule.
Panorama.URLFilter.Name	String	Profile name.
Panorama.URLFilter.Rules.Category.Action	String	Rule action to apply on the category.
Panorama.URLFilter.Rules.Category.Name	String	Category name.
Panorama.WildFire.Name	String	WildFire profile name.
Panorama.WildFire.Rules.Analysis	String	Rule analysis.
Panorama.WildFire.Rules.Application	String	Application to apply the rule on.
Panorama.WildFire.Rules.File-type	String	File type to apply the rule on.
Panorama.WildFire.Rules.Name	String	Rule name.
Panorama.Vulnerability.Name	String	Vulnerability profile name.
Panorama.Vulnerability.Rules.Vendor-id	String	Vendor ID to apply the rule on.
Panorama.Vulnerability.Rules.Packet-capture	String	Is packet capture enabled.
Panorama.Vulnerability.Rules.Host	String	Rule host.
Panorama.Vulnerability.Rules.Name	String	Rule name.
Panorama.Vulnerability.Rules.Cateogry	String	Category to apply the rule on.
Panorama.Vulnerability.Rules.CVE	String	CVE to apply the rule on.
Panorama.Vulnerability.Rules.Action	String	Rule action.
Panorama.Vulnerability.Rules.Severity	String	Rule severity.
Panorama.Vulnerability.Rules.Threat-name	String	Threat to apply the rule on.
Panorama.Antivirus.Name	String	Antivirus profile name.
Panorama.Antivirus.Rules.Action	String	Rule action.
Panorama.Antivirus.Rules.Name	String	Rule name.
Panorama.Antivirus.Rules.WildFire-action	String	WildFire action.
Panorama.FileBlocking.Name	String	File blocking profile name.
Panorama.FileBlocking.Rules.Action	String	Rule action.
Panorama.FileBlocking.Rules.Application	String	Application to apply the rule.
Panorama.FileBlocking.Rules.File-type	String	File type to apply the rule.
Panorama.FileBlocking.Rules.Name	String	Rule name.
Panorama.DataFiltering.Name	String	Data filtering profile name.
Panorama.DataFiltering.Rules.Alert-threshold	String	Alert threshold.
Panorama.DataFiltering.Rules.Application	String	Application to apply the rule.
Panorama.DataFiltering.Rules.Block-threshold	String	Block threshold.
Panorama.DataFiltering.Rules.Data-object	String	Data object.
Panorama.DataFiltering.Rules.Direction	String	Rule direction.
Panorama.DataFiltering.Rules.File-type	String	File type to apply the rule on.
Panorama.DataFiltering.Rules.Log-severity	String	Log severity.
Panorama.DataFiltering.Rules.Name	String	Rule name.

Command Example

!panorama-get-security-profiles security_profile=spyware

Human Readable Output

Name

Rules

best-practice

{'Name': 'simple-critical', 'Action': {'reset-both': None}, 'Category': 'any', 'Severity': 'critical', 'Threat-name': 'any', 'Packet-capture': 'disable'}, {'Name': 'simple-high', 'Action': {'reset-both': None}, 'Category': 'any', 'Severity': 'high', 'Threat-name': 'any', 'Packet-capture': 'disable'}, {'Name': 'simple-medium', 'Action': {'reset-both': None}, 'Category': 'any', 'Severity': 'medium', 'Threat-name': 'any', 'Packet-capture': 'disable'}, {'Name': 'simple-informational', 'Action': {'default': None}, 'Category': 'any', 'Severity': 'informational', 'Threat-name': 'any', 'Packet-capture': 'disable'}, {'Name': 'simple-low', 'Action': {'default': None}, 'Category': 'any', 'Severity': 'low', 'Threat-name': 'any', 'Packet-capture': 'disable'}

79. panorama-apply-security-profile

---

Apply profile to specific rules / rules with specific tag.

Base Command

panorama-apply-security-profile

Input

Argument Name	Description	Required
profile_type	Security profile type.	Required
rule_name	The rule name to apply.	Required
profile_name	The profile name to apply to the rule.	Required
pre_post	Rules location. Can be 'pre-rulebase' or 'post-rulebase'. Mandatory for Panorama instances.	Optional

Context Output

There are no context output for this command.

Command Example

!panorama-apply-security-profile profile_name=test profile_type=spyware rule_name=rule1 pre_post="pre-rulebase"

Human Readable Output

The profile test has been applied to the rule rule1

80. panorama-get-ssl-decryption-rules

---

Show ssl decryption rules under policies -> decryption -> rules

Base Command

panorama-get-ssl-decryption-rules

Input

Argument Name	Description	Required
pre_post	Rules location. Can be 'pre-rulebase' or 'post-rulebase'. Mandatory for Panorama instances.	Optional

Context Output

Path	Type	Description
Panorama.SSLRule.From	String	SSL rule from source.
Panorama.SSLRule.Name	String	Name of the SSL rule.
Panorama.SSLRule.Destination	String	Destination of the SSL rule.
Panorama.SSLRule.Target	String	The target od the SSL rule.
Panorama.SSLRule.Service	String	SSL rule service.
Panorama.SSLRule.Action	String	SSL rule action.
Panorama.SSLRule.Type	String	SSL rule type.
Panorama.SSLRule.Source	String	The source of the SSL rule.
Panorama.SSLRule.To	String	SSL rule to destination.
Panorama.SSLRule.UUID	String	SSl rule UUID.
Panorama.SSLRule.Description	String	SSL rule description.
Panorama.SSLRule.Source-user	String	SSL rule source user.
Panorama.SSLRule.Category	String	SSL rule category.

Command Example

!panorama-get-ssl-decryption-rules pre_post="pre-rulebase"

Human Readable Output

SSL Decryption Rules

Name	UUID	Target	Service	Category	Type	From	To	Source	Destination	Action	Source-user
test	cd3f0487-3872-4691-8387-1a15e7de142b	negate: no	any	member: any	ssl-forward-proxy: null	any	any	any	any	no-decrypt	any

81. panorama-get-wildfire-configuration

---

Retrieve Wildfire Configuration

Base Command

panorama-get-wildfire-configuration

Input

Argument Name	Description	Required
template	The template name.	Required

Context Output

Path	Type	Description
Panorama.WildFire.Name	String	File type.
Panorama.WildFire.Size-limit	String	File size limit.
Panorama.WildFire.recurring	String	Schedule recurring

Command Example

!panorama-get-wildfire-configuration template=WildFire

Context Example

{
    "Panorama.WildFire": [
        {
            "Name": "pe",
            "Size-limit": "10"
        },
        {
            "Name": "apk",
            "Size-limit": "30"
        },
        {
            "Name": "pdf",
            "Size-limit": "1000"
        },
        {
            "Name": "ms-office",
            "Size-limit": "2000"
        },
        {
            "Name": "jar",
            "Size-limit": "5"
        },
        {
            "Name": "flash",
            "Size-limit": "5"
        },
        {
            "Name": "MacOSX",
            "Size-limit": "1"
        },
        {
            "Name": "archive",
            "Size-limit": "10"
        },
        {
            "Name": "linux",
            "Size-limit": "2"
        },
        {
            "Name": "script",
            "Size-limit": "20"
        }
    ],
    "Panorama.WildFire.Schedule": {
        "recurring": {
            "every-min": {
                "action": "download-and-install"
            }
        }
    }
}

Human Readable Output

WildFire Configuration

Report Grayware File: yes

Name	Size-limit
pe	10
apk	30
pdf	1000
ms-office	2000
jar	5
flash	5
MacOSX	1
archive	10
linux	2
script	20

The updated schedule for Wildfire

recurring
every-min: {"action": "download-and-install"}

82. panorama-url-filtering-block-default-categories

---

Set default categories to block in the URL filtering profile.

Base Command

panorama-url-filtering-block-default-categories

Input

Argument Name	Description	Required
profile_name	The url-filtering profile name. Get the name by running get-security-profiles command.	Required

Context Output

There are no context output for this command.

Command Example

!panorama-url-filtering-block-default-categories profile_name=test

Human Readable Output

The default categories to block has been set successfully to test

83. panorama-get-anti-spyware-best-practice

---

Show anti-spyware best practices.

Base Command

panorama-get-anti-spyware-best-practice

Input

There are no input arguments for this command.

Context Output

Path	Type	Description
Panorama.Spyware.BotentDomain.Name	String	Botnet domain name.
Panorama.Spyware.BotentDomain.Action	String	Botnet domain action.
Panorama.Spyware.BotentDomain.Packet-capture	String	Is packet capture enabled.
Panorama.Spyware.BotentDomain.Sinkhole.ipv4-address	String	Botnet domain ipv4 address.
Panorama.Spyware.BotentDomain.Sinkhole.ipv6-address	String	Botnet domain ipv6 address.
Panorama.Spyware.Rule.Cateogry	String	Rule category.
Panorama.Spyware.Rule.Action	String	Rule action.
Panorama.Spyware.Rule.Name	String	Rule name.
Panorama.Spyware.Rule.Severity	String	Rule severity.
Panorama.Spyware.Rule.Threat-name	String	Rule threat name.
Panorama.Spyware.BotentDomain.Max_version	String	Botnet domain max version.

Command Example

!panorama-get-anti-spyware-best-practice

Context Example

{
    "Panorama.Spyware.BotentDomain": [
        {
            "Action": {
                "sinkhole": null
            },
            "Name": "default-paloalto-dns",
            "Packet-capture": "disable"
        },
        {
            "Action": {
                "allow": null
            },
            "Max_version": "9.1.9",
            "Name": "default-paloalto-cloud",
            "Packet-capture": "disable"
        }
    ],
    "Panorama.Spyware.BotentDomain.Sinkhole": [
        {
            "ipv4-address": "pan-sinkhole-default-ip",
            "ipv6-address": "::1"
        }
    ],
    "Panorama.Spyware.Rule": [
        {
            "Action": {
                "reset-both": null
            },
            "Category": "any",
            "Name": "simple-critical",
            "Severity": "critical",
            "Threat-name": "any"
        },
        {
            "Action": {
                "reset-both": null
            },
            "Category": "any",
            "Name": "simple-high",
            "Severity": "high",
            "Threat-name": "any"
        },
        {
            "Action": {
                "reset-both": null
            },
            "Category": "any",
            "Name": "simple-medium",
            "Severity": "medium",
            "Threat-name": "any"
        },
        {
            "Action": {
                "default": null
            },
            "Category": "any",
            "Name": "simple-informational",
            "Severity": "informational",
            "Threat-name": "any"
        },
        {
            "Action": {
                "default": null
            },
            "Category": "any",
            "Name": "simple-low",
            "Severity": "low",
            "Threat-name": "any"
        }
    ]
}

Human Readable Output

Anti Spyware Botnet-Domains Best Practice

Name	Action	Packet-capture	ipv4-address	ipv6-address
default-paloalto-dns	sinkhole: null	disable
default-paloalto-cloud	allow: null	disable
			pan-sinkhole-default-ip	::1

Anti Spyware Best Practice Rules

Name	Severity	Action	Category	Threat-name
simple-critical	critical	reset-both: null	any	any
simple-high	high	reset-both: null	any	any
simple-medium	medium	reset-both: null	any	any
simple-informational	informational	default: null	any	any
simple-low	low	default: null	any	any

84. panorama-get-file-blocking-best-practice

---

Show file-blocking best practices.

Base Command

panorama-get-file-blocking-best-practice

Input

There are no input arguments for this command.

Context Output

Path	Type	Description
Panorama.FileBlocking.Rule.Action	String	Rule action.
Panorama.FileBlocking.Rule.Application	String	Rule application.
Panorama.FileBlocking.Rule.File-type	String	Rule file type.
Panorama.FileBlocking.Rule.Name	String	Rule name.

Command Example

!panorama-get-file-blocking-best-practice

Context Example

{
    "Panorama.FileBlocking.Rule": [
        {
            "Action": "block",
            "Application": "any",
            "File-type": [
                "7z",
                "bat",
                "cab",
                "chm",
                "class",
                "cpl",
                "dll",
                "exe",
                "flash",
                "hlp",
                "hta",
                "jar",
                "msi",
                "Multi-Level-Encoding",
                "ocx",
                "PE",
                "pif",
                "rar",
                "scr",
                "tar",
                "torrent",
                "vbe",
                "wsf"
            ],
            "Name": "Block all risky file types"
        },
        {
            "Action": "block",
            "Application": "any",
            "File-type": [
                "encrypted-rar",
                "encrypted-zip"
            ],
            "Name": "Block encrypted files"
        },
        {
            "Action": "alert",
            "Application": "any",
            "File-type": "any",
            "Name": "Log all other file types"
        }
    ]
}

Human Readable Output

File Blocking Profile Best Practice

Name	Action	File-type	Application
Block all risky file types	block	7z, bat, cab, chm, class, cpl, dll, exe, flash, hlp, hta, jar, msi, Multi-Level-Encoding, ocx, PE, pif, rar, scr, tar, torrent, vbe, wsf	any
Block encrypted files	block	encrypted-rar, encrypted-zip	any
Log all other file types	alert	any	any

85. panorama-get-antivirus-best-practice

---

Show anti-virus best practices.

Base Command

panorama-get-antivirus-best-practice

Input

There are no input arguments for this command.

Context Output

Path	Type	Description
Panorama.Antivirus.Decoder.Action	String	Rule action.
Panorama.Antivirus.Decoder.Name	String	Rule name.
Panorama.Antivirus.Decoder.WildFire-action	String	WildFire action.

Command Example

!panorama-get-antivirus-best-practice

Context Example

{
    "Panorama.Antivirus.Decoder": [
        {
            "Action": "default",
            "Name": "http",
            "WildFire-action": "default"
        },
        {
            "Action": "default",
            "Name": "http2",
            "WildFire-action": "default"
        },
        {
            "Action": "default",
            "Name": "smtp",
            "WildFire-action": "default"
        },
        {
            "Action": "default",
            "Name": "imap",
            "WildFire-action": "default"
        },
        {
            "Action": "default",
            "Name": "pop3",
            "WildFire-action": "default"
        },
        {
            "Action": "default",
            "Name": "ftp",
            "WildFire-action": "default"
        },
        {
            "Action": "default",
            "Name": "smb",
            "WildFire-action": "default"
        }
    ]
}

Human Readable Output

Antivirus Best Practice Profile

Name	Action	WildFire-action
http	default	default
http2	default	default
smtp	default	default
imap	default	default
pop3	default	default
ftp	default	default
smb	default	default

86. panorama-get-vulnerability-protection-best-practice

---

Show vulnerability-protection best practices.

Base Command

panorama-get-vulnerability-protection-best-practice

Input

There are no input arguments for this command.

Context Output

Path	Type	Description
Panorama.Vulnerability.Rule.Action	String	Rule action.
Panorama.Vulnerability.Rule.CVE	String	Rule CVE.
Panorama.Vulnerability.Rule.Cateogry	String	Rule category.
Panorama.Vulnerability.Rule.Host	String	The rule host.
Panorama.Vulnerability.Rule.Name	String	Rule name.
Panorama.Vulnerability.Rule.Severity	String	The rule severity.
Panorama.Vulnerability.Rule.Threat-name	String	The threat name.
Panorama.Vulnerability.Rule.Vendor-id	String	The vendor ID.

Command Example

!panorama-get-vulnerability-protection-best-practice

Context Example

{
    "Panorama.Vulnerability.Rule": [
        {
            "Action": {
                "reset-both": null
            },
            "CVE": "any",
            "Category": "any",
            "Host": "client",
            "Name": "simple-client-critical",
            "Severity": "critical",
            "Threat-name": "any",
            "Vendor-id": "any"
        },
        {
            "Action": {
                "reset-both": null
            },
            "CVE": "any",
            "Category": "any",
            "Host": "client",
            "Name": "simple-client-high",
            "Severity": "high",
            "Threat-name": "any",
            "Vendor-id": "any"
        },
        {
            "Action": {
                "reset-both": null
            },
            "CVE": "any",
            "Category": "any",
            "Host": "client",
            "Name": "simple-client-medium",
            "Severity": "medium",
            "Threat-name": "any",
            "Vendor-id": "any"
        },
        {
            "Action": {
                "default": null
            },
            "CVE": "any",
            "Category": "any",
            "Host": "client",
            "Name": "simple-client-informational",
            "Severity": "informational",
            "Threat-name": "any",
            "Vendor-id": "any"
        },
        {
            "Action": {
                "default": null
            },
            "CVE": "any",
            "Category": "any",
            "Host": "client",
            "Name": "simple-client-low",
            "Severity": "low",
            "Threat-name": "any",
            "Vendor-id": "any"
        },
        {
            "Action": {
                "reset-both": null
            },
            "CVE": "any",
            "Category": "any",
            "Host": "server",
            "Name": "simple-server-critical",
            "Severity": "critical",
            "Threat-name": "any",
            "Vendor-id": "any"
        },
        {
            "Action": {
                "reset-both": null
            },
            "CVE": "any",
            "Category": "any",
            "Host": "server",
            "Name": "simple-server-high",
            "Severity": "high",
            "Threat-name": "any",
            "Vendor-id": "any"
        },
        {
            "Action": {
                "reset-both": null
            },
            "CVE": "any",
            "Category": "any",
            "Host": "server",
            "Name": "simple-server-medium",
            "Severity": "medium",
            "Threat-name": "any",
            "Vendor-id": "any"
        },
        {
            "Action": {
                "default": null
            },
            "CVE": "any",
            "Category": "any",
            "Host": "server",
            "Name": "simple-server-informational",
            "Severity": "informational",
            "Threat-name": "any",
            "Vendor-id": "any"
        },
        {
            "Action": {
                "default": null
            },
            "CVE": "any",
            "Category": "any",
            "Host": "server",
            "Name": "simple-server-low",
            "Severity": "low",
            "Threat-name": "any",
            "Vendor-id": "any"
        }
    ]
}

Human Readable Output

vulnerability Protection Best Practice Profile

Name	Action	Host	Severity	Category	Threat-name	CVE	Vendor-id
simple-client-critical	reset-both: null	client	critical	any	any	any	any
simple-client-high	reset-both: null	client	high	any	any	any	any
simple-client-medium	reset-both: null	client	medium	any	any	any	any
simple-client-informational	default: null	client	informational	any	any	any	any
simple-client-low	default: null	client	low	any	any	any	any
simple-server-critical	reset-both: null	server	critical	any	any	any	any
simple-server-high	reset-both: null	server	high	any	any	any	any
simple-server-medium	reset-both: null	server	medium	any	any	any	any
simple-server-informational	default: null	server	informational	any	any	any	any
simple-server-low	default: null	server	low	any	any	any	any

87. panorama-get-wildfire-best-practice

---

Show WildFire best practices.

Base Command

panorama-get-wildfire-best-practice

Input

There are no input arguments for this command.

Context Output

Path	Type	Description
Panorama.WildFire.Analysis	String	WildFire analysis.
Panorama.WildFire.Application	String	WildFire application.
Panorama.WildFire.File.File-size	String	Recommended file size.
Panorama.WildFire.File.Name	String	File name.
Panorama.WildFire.File-type	String	WildFire profile file type.
Panorama.WildFire.Name	String	WildFire profile name.
Panorama.WildFire.SSLDecrypt	String	SSL decrypt content.
Panorama.WildFire.Schedule.Action	String	WildFire schedule action.
Panorama.WildFire.Schedule.Recurring	String	WildFire schedule recurring.

Command Example

!panorama-get-wildfire-best-practice

Context Example

{
    "Panorama.WildFire": {
        "Analysis": "public-cloud",
        "Application": "any",
        "File-type": "any",
        "Name": "default"
    },
    "Panorama.WildFire.File": [
        {
            "File-size": "10",
            "Name": "pe"
        },
        {
            "File-size": "30",
            "Name": "apk"
        },
        {
            "File-size": "1000",
            "Name": "pdf"
        },
        {
            "File-size": "2000",
            "Name": "ms-office"
        },
        {
            "File-size": "5",
            "Name": "jar"
        },
        {
            "File-size": "5",
            "Name": "flash"
        },
        {
            "File-size": "1",
            "Name": "MacOS"
        },
        {
            "File-size": "10",
            "Name": "archive"
        },
        {
            "File-size": "2",
            "Name": "linux"
        },
        {
            "File-size": "20",
            "Name": "script"
        }
    ],
    "Panorama.WildFire.SSLDecrypt": {
        "allow-forward-decrypted-content": "yes"
    },
    "Panorama.WildFire.Schedule": {
        "Action": "download-and-install",
        "Recurring": "every-minute"
    }
}

Human Readable Output

WildFire Best Practice Profile

Name	Analysis	Application	File-type
default	public-cloud	any	any

Wildfire Best Practice Schedule

Action	Recurring
download-and-install	every-minute

Wildfire SSL Decrypt Settings

allow-forward-decrypted-content
yes

Wildfire System Settings

report-grayware-file: yes

Name	File-size
pe	10
apk	30
pdf	1000
ms-office	2000
jar	5
flash	5
MacOS	1
archive	10
linux	2
script	20

88. panorama-get-url-filtering-best-practice

---

Show URL Filtering best practices.

Base Command

panorama-get-url-filtering-best-practice

Input

There are no input arguments for this command.

Context Output

Path	Type	Description
Panorama.URLFilter.Category.Action	String	The action to perform on the category.
Panorama.URLFilter.Category.Name	String	Category name.
Panorama.URLFilter.DeviceGroup	String	Device group name.
Panorama.URLFilter.Name	String	Profile name.
Panorama.URLFilter.Header.log-container-page-only	String	Log container page only.
Panorama.URLFilter.Header.log-http-hdr-referer	String	Log HTTP header referer.
Panorama.URLFilter.Header.log-http-hdr-user	String	Log HTTP header user.
Panorama.URLFilter.Header.log-http-hdr-xff	String	Log HTTP header xff.

Command Example

!panorama-get-url-filtering-best-practice

Context Example

{
    "Panorama.URLFilter": {
        "Category": [
            {
                "Action": "alert",
                "Name": "abortion"
            },
            {
                "Action": "alert",
                "Name": "abused-drugs"
            },
            {
                "Action": "alert",
                "Name": "adult"
            },
            {
                "Action": "alert",
                "Name": "alcohol-and-tobacco"
            },
            {
                "Action": "alert",
                "Name": "auctions"
            },
            {
                "Action": "alert",
                "Name": "business-and-economy"
            },
            {
                "Action": "alert",
                "Name": "computer-and-internet-info"
            },
            {
                "Action": "alert",
                "Name": "content-delivery-networks"
            },
            {
                "Action": "alert",
                "Name": "cryptocurrency"
            },
            {
                "Action": "alert",
                "Name": "dating"
            },
            {
                "Action": "alert",
                "Name": "educational-institutions"
            },
            {
                "Action": "alert",
                "Name": "entertainment-and-arts"
            },
            {
                "Action": "alert",
                "Name": "financial-services"
            },
            {
                "Action": "alert",
                "Name": "gambling"
            },
            {
                "Action": "alert",
                "Name": "games"
            },
            {
                "Action": "alert",
                "Name": "government"
            },
            {
                "Action": "alert",
                "Name": "grayware"
            },
            {
                "Action": "alert",
                "Name": "health-and-medicine"
            },
            {
                "Action": "alert",
                "Name": "high-risk"
            },
            {
                "Action": "alert",
                "Name": "home-and-garden"
            },
            {
                "Action": "alert",
                "Name": "hunting-and-fishing"
            },
            {
                "Action": "alert",
                "Name": "insufficient-content"
            },
            {
                "Action": "alert",
                "Name": "internet-communications-and-telephony"
            },
            {
                "Action": "alert",
                "Name": "internet-portals"
            },
            {
                "Action": "alert",
                "Name": "job-search"
            },
            {
                "Action": "alert",
                "Name": "legal"
            },
            {
                "Action": "alert",
                "Name": "low-risk"
            },
            {
                "Action": "alert",
                "Name": "medium-risk"
            },
            {
                "Action": "alert",
                "Name": "military"
            },
            {
                "Action": "alert",
                "Name": "motor-vehicles"
            },
            {
                "Action": "alert",
                "Name": "music"
            },
            {
                "Action": "alert",
                "Name": "newly-registered-domain"
            },
            {
                "Action": "alert",
                "Name": "news"
            },
            {
                "Action": "alert",
                "Name": "not-resolved"
            },
            {
                "Action": "alert",
                "Name": "nudity"
            },
            {
                "Action": "alert",
                "Name": "online-storage-and-backup"
            },
            {
                "Action": "alert",
                "Name": "peer-to-peer"
            },
            {
                "Action": "alert",
                "Name": "personal-sites-and-blogs"
            },
            {
                "Action": "alert",
                "Name": "philosophy-and-political-advocacy"
            },
            {
                "Action": "alert",
                "Name": "private-ip-addresses"
            },
            {
                "Action": "alert",
                "Name": "questionable"
            },
            {
                "Action": "alert",
                "Name": "real-estate"
            },
            {
                "Action": "alert",
                "Name": "recreation-and-hobbies"
            },
            {
                "Action": "alert",
                "Name": "reference-and-research"
            },
            {
                "Action": "alert",
                "Name": "religion"
            },
            {
                "Action": "alert",
                "Name": "search-engines"
            },
            {
                "Action": "alert",
                "Name": "sex-education"
            },
            {
                "Action": "alert",
                "Name": "shareware-and-freeware"
            },
            {
                "Action": "alert",
                "Name": "shopping"
            },
            {
                "Action": "alert",
                "Name": "social-networking"
            },
            {
                "Action": "alert",
                "Name": "society"
            },
            {
                "Action": "alert",
                "Name": "sports"
            },
            {
                "Action": "alert",
                "Name": "stock-advice-and-tools"
            },
            {
                "Action": "alert",
                "Name": "streaming-media"
            },
            {
                "Action": "alert",
                "Name": "swimsuits-and-intimate-apparel"
            },
            {
                "Action": "alert",
                "Name": "training-and-tools"
            },
            {
                "Action": "alert",
                "Name": "translation"
            },
            {
                "Action": "alert",
                "Name": "travel"
            },
            {
                "Action": "alert",
                "Name": "weapons"
            },
            {
                "Action": "alert",
                "Name": "web-advertisements"
            },
            {
                "Action": "alert",
                "Name": "web-based-email"
            },
            {
                "Action": "alert",
                "Name": "web-hosting"
            },
            {
                "Action": "block",
                "Name": "command-and-control"
            },
            {
                "Action": "block",
                "Name": "copyright-infringement"
            },
            {
                "Action": "block",
                "Name": "dynamic-dns"
            },
            {
                "Action": "block",
                "Name": "extremism"
            },
            {
                "Action": "block",
                "Name": "hacking"
            },
            {
                "Action": "block",
                "Name": "malware"
            },
            {
                "Action": "block",
                "Name": "parked"
            },
            {
                "Action": "block",
                "Name": "phishing"
            },
            {
                "Action": "block",
                "Name": "proxy-avoidance-and-anonymizers"
            },
            {
                "Action": "block",
                "Name": "unknown"
            }
        ],
        "DeviceGroup": "Demisto sales lab",
        "Name": "best-practice"
    },
    "Panorama.URLFilter.Header": {
        "log-container-page-only": "no",
        "log-http-hdr-referer": "yes",
        "log-http-hdr-user": "yes",
        "log-http-hdr-xff": "yes"
    }
}

Human Readable Output

URL Filtering Best Practice Profile Categories

Category	DeviceGroup	Name
{'Name': 'abortion', 'Action': 'alert'}, {'Name': 'abused-drugs', 'Action': 'alert'}, {'Name': 'adult', 'Action': 'alert'}, {'Name': 'alcohol-and-tobacco', 'Action': 'alert'}, {'Name': 'auctions', 'Action': 'alert'}, {'Name': 'business-and-economy', 'Action': 'alert'}, {'Name': 'computer-and-internet-info', 'Action': 'alert'}, {'Name': 'content-delivery-networks', 'Action': 'alert'}, {'Name': 'cryptocurrency', 'Action': 'alert'}, {'Name': 'dating', 'Action': 'alert'}, {'Name': 'educational-institutions', 'Action': 'alert'}, {'Name': 'entertainment-and-arts', 'Action': 'alert'}, {'Name': 'financial-services', 'Action': 'alert'}, {'Name': 'gambling', 'Action': 'alert'}, {'Name': 'games', 'Action': 'alert'}, {'Name': 'government', 'Action': 'alert'}, {'Name': 'grayware', 'Action': 'alert'}, {'Name': 'health-and-medicine', 'Action': 'alert'}, {'Name': 'high-risk', 'Action': 'alert'}, {'Name': 'home-and-garden', 'Action': 'alert'}, {'Name': 'hunting-and-fishing', 'Action': 'alert'}, {'Name': 'insufficient-content', 'Action': 'alert'}, {'Name': 'internet-communications-and-telephony', 'Action': 'alert'}, {'Name': 'internet-portals', 'Action': 'alert'}, {'Name': 'job-search', 'Action': 'alert'}, {'Name': 'legal', 'Action': 'alert'}, {'Name': 'low-risk', 'Action': 'alert'}, {'Name': 'medium-risk', 'Action': 'alert'}, {'Name': 'military', 'Action': 'alert'}, {'Name': 'motor-vehicles', 'Action': 'alert'}, {'Name': 'music', 'Action': 'alert'}, {'Name': 'newly-registered-domain', 'Action': 'alert'}, {'Name': 'news', 'Action': 'alert'}, {'Name': 'not-resolved', 'Action': 'alert'}, {'Name': 'nudity', 'Action': 'alert'}, {'Name': 'online-storage-and-backup', 'Action': 'alert'}, {'Name': 'peer-to-peer', 'Action': 'alert'}, {'Name': 'personal-sites-and-blogs', 'Action': 'alert'}, {'Name': 'philosophy-and-political-advocacy', 'Action': 'alert'}, {'Name': 'private-ip-addresses', 'Action': 'alert'}, {'Name': 'questionable', 'Action': 'alert'}, {'Name': 'real-estate', 'Action': 'alert'}, {'Name': 'recreation-and-hobbies', 'Action': 'alert'}, {'Name': 'reference-and-research', 'Action': 'alert'}, {'Name': 'religion', 'Action': 'alert'}, {'Name': 'search-engines', 'Action': 'alert'}, {'Name': 'sex-education', 'Action': 'alert'}, {'Name': 'shareware-and-freeware', 'Action': 'alert'}, {'Name': 'shopping', 'Action': 'alert'}, {'Name': 'social-networking', 'Action': 'alert'}, {'Name': 'society', 'Action': 'alert'}, {'Name': 'sports', 'Action': 'alert'}, {'Name': 'stock-advice-and-tools', 'Action': 'alert'}, {'Name': 'streaming-media', 'Action': 'alert'}, {'Name': 'swimsuits-and-intimate-apparel', 'Action': 'alert'}, {'Name': 'training-and-tools', 'Action': 'alert'}, {'Name': 'translation', 'Action': 'alert'}, {'Name': 'travel', 'Action': 'alert'}, {'Name': 'weapons', 'Action': 'alert'}, {'Name': 'web-advertisements', 'Action': 'alert'}, {'Name': 'web-based-email', 'Action': 'alert'}, {'Name': 'web-hosting', 'Action': 'alert'}, {'Name': 'command-and-control', 'Action': 'block'}, {'Name': 'copyright-infringement', 'Action': 'block'}, {'Name': 'dynamic-dns', 'Action': 'block'}, {'Name': 'extremism', 'Action': 'block'}, {'Name': 'hacking', 'Action': 'block'}, {'Name': 'malware', 'Action': 'block'}, {'Name': 'parked', 'Action': 'block'}, {'Name': 'phishing', 'Action': 'block'}, {'Name': 'proxy-avoidance-and-anonymizers', 'Action': 'block'}, {'Name': 'unknown', 'Action': 'block'}	Demisto sales lab	best-practice

Best Practice Headers

log-container-page-only	log-http-hdr-referer	log-http-hdr-user	log-http-hdr-xff
no	yes	yes	yes

89. panorama-enforce-wildfire-best-practice

---

Enforce wildfire file upload to the maximum size + all file types are forwarded and update schedule.

Base Command

panorama-enforce-wildfire-best-practice

Input

Argument Name	Description	Required
template	The template name.	Required

Context Output

There are no context output for this command.

Command Example

!panorama-enforce-wildfire-best-practice template=WildFire

Human Readable Output

The schedule was updated according to the best practice. Recurring every minute with the action of "download and install" The file upload for all file types is set to the maximum size.

90. panorama-create-antivirus-best-practice-profile

---

Create antivirus best practice profile.

Base Command

panorama-create-antivirus-best-practice-profile

Input

Argument Name	Description	Required
profile_name	The name of the profile	Required

Context Output

There are no context output for this command.

Command Example

!panorama-create-antivirus-best-practice-profile profile_name=test

Human Readable Output

The profile test was created successfully.

91. panorama-create-anti-spyware-best-practice-profile

---

Create Anti Spyware best practice profile.

Base Command

panorama-create-anti-spyware-best-practice-profile

Input

Argument Name	Description	Required
profile_name	The profile name.	Required

Context Output

There are no context output for this command.

Command Example

!panorama-create-anti-spyware-best-practice-profile profile_name=test

Human Readable Output

The profile test was created successfully.

92. panorama-create-vulnerability-best-practice-profile

---

Create vulnerability protection best practice profile.

Base Command

panorama-create-vulnerability-best-practice-profile

Input

Argument Name	Description	Required
profile_name	The profile name.	Required

Context Output

There are no context output for this command.

Command Example

!panorama-create-vulnerability-best-practice-profile profile_name=test

Human Readable Output

The profile test was created successfully.

93. panorama-create-url-filtering-best-practice-profile

---

Create URL filtering best practice profile.

Base Command

panorama-create-url-filtering-best-practice-profile

Input

Argument Name	Description	Required
profile_name	The profile name.	Required

Context Output

There are no context output for this command.

Command Example

!panorama-create-url-filtering-best-practice-profile profile_name=test

Human Readable Output

The profile test was created successfully.

94. panorama-create-file-blocking-best-practice-profile

---

Create file blocking best practice profile.

Base Command

panorama-create-file-blocking-best-practice-profile

Argument Name	Description	Required
profile_name	The name of the profile.	Required

Context Output

There are no context output for this command.

Command Example

!panorama-create-file-blocking-best-practice-profile profile_name=test

Human Readable Output

The profile test was created successfully.

95. panorama-create-wildfire-best-practice-profile

---

Create WildFire analysis best practice profile.

Base Command

panorama-create-wildfire-best-practice-profile

Input

Argument Name	Description	Required
profile_name	The name of the profile.	Required

Context Output

There are no context output for this command.

Command Example

 !panorama-create-wildfire-best-practice-profile profile_name=test 

Human Readable Output

The profile test was created successfully.