Palo Alto Networks PAN-OS
This integration supports both Palo Alto Networks Panorama and Palo Alto Networks Firewall. You can create separate instances of each integration, and they are not necessarily related or dependent on one another.
This integration was integrated and tested with version 8.1.0 of Palo Alto Firewall, Palo Alto Panorama
Panorama Playbook
- PanoramaCommitConfiguration : Based on the playbook input, the Playbook will commit the configuration to Palo Alto Firewall, or push the configuration from Panorama to predefined device groups of firewalls. The integration is available from Demisto v3.0, but playbook uses the GenericPooling sub-playbook, which is only available from Demisto v4.0.
- (Deprecated) PanoramaQueryTrafficLogs : Use the Panorama Query Logs playbook instead.W raps the following commands with genericPolling to enable a complete flow to query traffic logs.
- Panorama Query Logs : W raps several commands (listed below) with genericPolling to enable a complete flow to query the following log types: traffic, threat, URL, data-filtering, and Wildfire.
- PAN-OS DAG Configuration
- PAN-OS EDL Setup
Use Cases
- Create custom security rules in Palo Alto Networks PAN-OS.
- Creating and updating address objects, address-groups, custom URL categories, URL filtering objects.
- Get URL Filtering category information from Palo Alto - Request Change is a known Palo Alto limitation.
- Add URL filtering objects including overrides to Palo Alto Panorama and Firewall
- Committing configuration to Palo Alto FW and to Panorama, and pushing configuration from Panorama to Pre-Defined Device-Groups of Firewalls.
-
Block IP addresses using registered IP tags from PAN-OS without committing the PAN-OS instance. First you have to create a registered IP tag, DAG, and security rule, and commit the instance. You can then register additional IP addresses to the tag without committing the instance.
-
Create a registered IP tag and add the necessary IP addresses by running the panorama-register-ip-tag command.
-
Create a dynamic address group (DAG), by running the panorama-create-address-group command. Specify values for the following arguments: type="dynamic", match={ tagname }.
-
Create a security rule using the DAG created in the previous step, by running the panorama-create-rule command.
-
Commit the PAN-OS instance by running the PanoramaCommitConfiguration playbook.
-
You can now register IP addresses to, or unregister IP addresses from, the IP tag by running the panorama-register-ip-tag command, or panorama-unregister-ip-tag command, respectively, without committing the PAN-OS instance.
-
Known Limitations
- Maximum commit queue length is 3. Running numerous Panorama commands simultaneously might cause errors.
-
After you run
panorama-create-commands and the object is not committed, then thepanorama-editcommands orpanorama-getcommands might not run correctly. -
URL Filtering
request changeof a URL is not available via the API. Instead, you need to use the https://urlfiltering.paloaltonetworks.com website. - If you do not specify a vsys (Firewall instances) or a device group (Panorama instances), you will only be able to execute certain commands.
Configure Panorama on Demisto
- Navigate to Settings > Integrations > Servers & Services .
- Search for Panorama.
-
Click
Add instance
to create and configure a new integration instance.
- Name : a textual name for the integration instance.
- Server URL (e.g. https://192.168.0.1 )
- Port
- API Key
- Trust any certificate (not secure)
- Use system proxy settings
- Device group - Required for Panorama instance . If you want to use a shared location, the value in this field should be "shared".
- Vsys - Required for Firewall instance (PAN-OS default is 'vsys1'): retrieve this from the Demisto URL, for example: <server_url>:port/<vsys_name>. If you have multiple vysys, select the one to configure on this instance.
- Click Test to validate the URLs, token, and connection.
Commands
You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
- Run any command supported in the Panorama API: panorama
- Commit a configuration: panorama-commit
- Push rules from Panorama to a device group: panorama-push-to-device-group
- Get a list of addresses: panorama-list-addresses
- Get address details: panorama-get-address
- Create an address object: panorama-create-address
- Delete an address: panorama-delete-address
- Get a list of address groups: panorama-list-address-groups
- Get details for an address group: panorama-get-address-group
- Create an address group: panorama-create-address-group
- Delete an address group: panorama-delete-address-group
- Edit an address group: panorama-edit-address-group
- Get details for a custom URL category: panorama-get-custom-url-category
- Create a custom URL category: panorama-create-custom-url-category
- Delete a custom URL category: panorama-delete-custom-url-category
- Add/Remove sites from a custom URL category: panorama-edit-custom-url-category
- Get details for a URL category: panorama-get-url-category
- Get details for a URL filtering rule: panorama-get-url-filter
- Create a URL filtering rule: panorama-create-url-filter
- Edit a URL filter: panorama-edit-url-filter
- Delete a URL filtering rule: panorama-delete-url-filter
- Create a rule: panorama-create-rule
- Create a custom block policy rule: panorama-custom-block-rule
- Change the location of a policy rule: panorama-move-rule
- Edit a policy rule: panorama-edit-rule
- Delete a policy rule: panorama-delete-rule
- Get a list of applications: panorama-list-applications
- Get the commit status for a configuration: panorama-commit-status
- Get the push status for a configuration: panorama-push-status
- Get a list of services: panorama-list-services
- Get information for a service: panorama-get-service
- Create a service: panorama-create-service
- Delete a service: panorama-delete-service
- Get a list of service groups: panorama-list-service-groups
- Get information for a service group: panorama-get-service-group
- Create a service group: panorama-create-service-group
- Delete a service group: panorama-delete-service-group
- Edit a service group: panorama-edit-service group
- Get information for PCAP files: panorama-get-pcap
- Get a list of all PCAP files: panorama-list-pcaps
- Get a list of EDLs: panorama-list-edls
- Get information for an EDL: panorama-get-edl
- Create an : panorama-create-edl
- Edit an EDL: panorama-edit-edl
- Delete an EDL: panorama-delete-edl
- Refresh an EDL: panorama-refresh-edl
- Register IP addresses to a tag: panorama-register-ip-tag
- Unregister IP addresses from a tag: panorama-unregister-ip-tag
- Query traffic logs: panorama-query-traffic-logs
- Check the query status of traffic logs: panorama-check-traffic-logs-status
- Get traffic logs: panorama-get-traffic-logs
- Get a list of predefined security rules: panorama-list-rules
- Query logs: panorama-query-logs
- Check the query status of logs: panorama-check-logs-status
- Get the data of a logs query: panorama-get-logs
1. Run any command supported in the PAN-OS API
Run any command supported in the API.
Base Command
panorama
Input
| Argument Name | Description | Required |
|---|---|---|
| action | Action to take. Can be: show, get, set, edit, delete, rename, clone, move, or override. | Optional |
| category | Category parameter. e.g. when exporting a configuration file use category=configuration. | Optional |
| cmd | Used for operations commands cmd specifies the xml struct that defines the command. | Optional |
| command | Run a command. e.g. "command = ". | Optional |
| dst | Specifies destination. | Optional |
| element | Used to define a new value for an object. | Optional |
| to | To parameter (used in specifying time and when cloning an object). | Optional |
| from | From parameter (used in specifying time and when cloning an object). | Optional |
| key | Sets a key value. | Optional |
| where | Specifies the type of a move operation (e.g. where=after, where=before, where=top, where=bottom). | Optional |
| period | Describe a time period. E.g. period=last-24-hrs. | Optional |
| xpath | Defines a location e.g. xpath=/config/predefined/application/entry[ @name ='hotmail'] | Optional |
| pcap-id | The threat PCAP ID in the threat log. | Optional |
| serialno | Specifies the device serial number. | Optional |
| reporttype | Choose dynamic, predefined or custom report. | Optional |
| reportname | The report name. | Optional |
| log-type | Used for retrieving logs. e.g. log-type=threat for threat logs. | Optional |
| type | The request type (e.g. export, import, log, config). | Optional |
| search-time | Used for threat PCAPs, the time that the PCAP was received on the firewall. | Optional |
| target | Target number of the firewall (Panorama instance). | Optional |
Context Output
There is no context output for this command.
2. Commit a configuration
Commits a configuration to Palo Alto Networks PAN-OS, but does not validate if the commit was successful. Committing toPAN-OS will not push the configuration to the Firewalls. To push the configuration, run the panorama-push-to-device-group command.
Base Command
panorama-commit
Input
There are no input arguments for this command.
Context Output
| Path | Type | Description |
|---|---|---|
| Panorama.Commit.JobID | number | Job ID of the configuration to commit. |
| Panorama.Commit.Status | string | Commit status. |
Command Example
!panorama-commit
Human Readable Output
3. Push rules from PAN-OS to a device group
Pushes rules fromPAN-OS to the configured device group.
Base Command
panorama-push-to-device-group
Input
| Argument Name | Description | Required |
|---|---|---|
| device-group | The device group for which to return addresses (Panorama instances). If no value is supplied, the default group configured integration parameter is applied. | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| Panorama.Push.DeviceGroup | string | Device group to which the policies were pushed. |
| Panorama.Push.JobID | number | Job ID of the configuration to be pushed. |
| Panorama.Push.Status | string | Push status. |
Command Example
!panorama-push-to-device-group
Human Readable Output
4. Get a list of addresses
Returns a list of addresses.
Base Command
panorama-list-addresses
Input
| Argument Name | Description | Required |
|---|---|---|
| device-group | The device group for which to return addresses (Panorama instances). If no value is supplied, the default group configured integration parameter is applied. | Optional |
| Tag | The tag for which to filter the list of addresses. | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| Panorama.Addresses.Name | string | Address name. |
| Panorama.Addresses.Description | string | Address description. |
| Panorama.Addresses.FQDN | string | Address FQDN. |
| Panorama.Addresses.IP_Netmask | string | Address IP netmask. |
| Panorama.Addresses.IP_Range | string | Address IP range. |
| Panorama.Addresses.DeviceGroup | string | Address device group. |
| Panorama.Addresses.Tages | string | Address tags. |
Command Example
!panorama-list-addresses
Human Readable Output
5. Get address details
Returns address details for the supplied address name.
Base Command
panorama-get-address
Input
| Argument Name | Description | Required |
|---|---|---|
| name | Address name. | Required |
| device-group | The device group for which to return addresses (Panorama instances). If no value is supplied, the default group configured integration parameter is applied. | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| Panorama.Addresses.Name | string | Address name. |
| Panorama.Addresses.Description | string | Address description. |
| Panorama.Addresses.FQDN | string | Address FQDN. |
| Panorama.Addresses.IP_Netmask | string | Address IP netmask. |
| Panorama.Addresses.IP_Range | string | Address IP range. |
| Panorama.Addresses.DeviceGroup | string | Address device group. |
| Panorama.Addresses.Tags | string | Address tags. |
Command Example
!panorama-get-address name="Demisto address"
Human Readable Output
6. Create an address object
Creates an address object.
Base Command
panorama-create-address
Input
| Argument Name | Description | Required |
|---|---|---|
| name | Name for the new address. | Required |
| description | A description of the new address. | Optional |
| fqdn | FQDN of the new address. | Optional |
| ip_netmask | IP netmask of the new address, e.g., 10.10.10.10/24. | Optional |
| ip_range | IP range of the new address, e.g., 10.10.10.0-10.10.10.255. | Optional |
| device-group | The device group for which to return addresses (Panorama instances). If no value is supplied, the default group configured integration parameter is applied. | Optional |
| tag | The tag for the new address | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| Panorama.Addresses.Name | string | Address name. |
| Panorama.Addresses.Description | string | Address description. |
| Panorama.Addresses.FQDN | string | Address FQDN. |
| Panorama.Addresses.IP_Netmask | string | Address IP netmask. |
| Panorama.Addresses.IP_Range | string | Address IP range. |
| Panorama.Adddresses.DeviceGroup | string | Address Device Group. |
| Panorama.Addresses.Tag | string | Address tag. |
Command Example
!panorama-create-address name="address_test_pb" description="just a desc" ip_range="10.10.10.9-10.10.10.10"
Human Readable Output
7. Delete an address object
Deletes an address object.
Base Command
panorama-delete-address
Input
| Argument Name | Description | Required |
|---|---|---|
| name | Name of the address to delete. | Required |
| device-group | The device group for which to return addresses (Panorama instances). If no value is supplied, the default group configured integration parameter is applied. | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| Panorama.Addresses.Name | string | Name of the address that was deleted. |
Command Example
!panorama-delete-address name="address_test_pb"
Human Readable Output
8. Get a list of address groups
Returns a list of address groups.
Base Command
panorama-list-address-groups
Input
| Argument Name | Description | Required |
|---|---|---|
| device-group | The device group for which to return addresses (Panorama instances). If no value is supplied, the default group configured integration parameter is applied. | Optional |
| tag | The tag for which to filter the address group. | Optional |
There are no input arguments for this command.
Context Output
| Path | Type | Description |
|---|---|---|
| Panorama.AddressGroups.Name | string | Address group name. |
| Panorama.AddressGroups.Type | string | Address group type. |
| Panorama.AddressGroups.Match | string | Dynamic address group match. |
| Panorama.AddressGroups.Description | string | Address group description. |
| Panorama.AddressGroups.Addresses | string | Static address group addresses. |
| Panorama.AddressGroups.DeviceGroup | string | Address device group. |
| Panorama.AddressGroups.Tag | string | Address group tag. |
Command Example
!panorama-list-address-groups
Human Readable Output
9. Get information for an address group
Returns details for the specified address group.
Base Command
panorama-get-address-group
Input
| Argument Name | Description | Required |
|---|---|---|
| name | Address group name. | Required |
| device-group | The device group for which to return addresses (Panorama instances). If no value is supplied, the default group configured integration parameter is applied. | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| Panorama.AddressGroups.Name | string | Address group name. |
| Panorama.AddressGroups.Type | string | Address group type. |
| Panorama.AddressGroups.Match | string | Dynamic address group match. |
| Panorama.AddressGroups.Description | string | Address group description. |
| Panorama.AddressGroups.Addresses | string | Static address group addresses. |
| Panorama.AddressGroups.DeviceGroup | string | Address device group. |
| Panorama.AddressGroups.Tags | string | Address group tags. |
Command Example
!panorama-get-address-group name=suspicious_address_group
Human Readable Output
10. Create an address group
Creates an address group; "static" or "dynamic".
Base Command
panorama-create-address-group
Input
| Argument Name | Description | Required |
|---|---|---|
| name | Address group name. | Required |
| type | Address group type. | Required |
| match | Dynamic address group match. e.g., "1.1.1.1 or 2.2.2.2". | Optional |
| addresses | Static address group list of addresses. | Optional |
| description | Address group description. | Optional |
| device-group | The device group for which to return addresses (Panorama instances). If no value is supplied, the default group configured integration parameter is applied. | Optional |
| tags | The tags for the address group. | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| Panorama.AddressGroups.Name | string | Address group name. |
| Panorama.AddressGroups.Type | string | Address group type. |
| Panorama.AddressGroups.Match | string | Dynamic address group match. |
| Panorama.AddressGroups.Addresses | string | Static address group list. |
| Panorama.AddressGroups.Description | string | Address group description. |
| Panorama.AddressGroups.DeviceGroup | string | Address device group. |
| Panorama.AddressGroups.Tag | string | Address group tags. |
Command Example
!panorama-create-address-group name=suspicious_address_group type=dynamic match=1.1.1.1
description="this ip is very bad"
Human Readable Output
11. Delete an address group
Deletes an address group.
Base Command
panorama-delete-address-group
Input
| Argument Name | Description | Required |
|---|---|---|
| name | Name of address group to delete. | Optional |
| device-group | The device group for which to return addresses (Panorama instances). If no value is supplied, the default group configured integration parameter is applied. | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| Panorama.AddressGroups.Name | string | Name of address group that was deleted. |
Command Example
!panorama-delete-address-group name="dynamic_address_group_test_pb3"
Human Readable Output
12. Edit an address group
Edit an address group; "static" or "dynamic".
Base Command
panorama-edit-address-group
Input
| Argument Name | Description | Required |
|---|---|---|
| name | Name of the address group to edit. | Required |
| type | Address group type. | Required |
| match | Address group new match, e.g., "1.1.1.1 and 2.2.2.2". | Optional |
| element_to_add | Element to add to the list of the static address group. Only existing Address objects can be added. | Optional |
| element_to_remove | Element to remove to the list of the static address group. Only existing Address objects can be added. | Optional |
| description | Address group new description. | Optional |
| tag | Address group tag to edit. | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| Panorama.AddressGroups.Name | string | Address group name. |
| Panorama.AddressGroups.Type | string | Address group type. |
| Panorama.AddressGroups.Filter | string | Dynamic address group match. |
| Panorama.AddressGroups.Description | string | Address group description. |
| Panorama.AddressGroups.Addresses | string | Static address group addresses. |
| Panorama.AddressGroups.DeviceGroup | string | Address device group. |
| Panorama.AddressGroups.Tags | string | Address group tags. |
13. Get details for a custom URL category
Returns information for a custom URL category.
Base Command
panorama-get-custom-url-category
Input
| Argument Name | Description | Required |
|---|---|---|
| name | Custom URL category name. | Required |
| device-group | The device group for which to return addresses (Panorama instances). If no value is supplied, the default group configured integration parameter is applied. | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| Panorama.CustomURLCategory.Name | string | Custom URL category name. |
| Panorama.CustomURLCategory.Description | string | Custom URL category description. |
| Panorama.CustomURLCategory.Sites | string | Custom URL category list of sites. |
Command Example
!panorama-get-custom-url-category name=my_personal_url_category
Human Readable Output
14. Create a custom URL category
Creates a custom URL category.
Base Command
panorama-create-custom-url-category
Input
| Argument Name | Description | Required |
|---|---|---|
| name | Name for the custom URL category to create. | Required |
| description | Description of the custom URL category to create. | Optional |
| sites | List of sites for the custom URL category. | Optional |
| device-group | The device group for which to return addresses (Panorama instances). If no value is supplied, the default group configured integration parameter is applied. | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| Panorama.CustomURLCategory.Name | string | Custom URL category name |
| Panorama.CustomURLCategory.Description | string | Custom URL category description. |
| Panorama.CustomURLCategory.Sites | string | Custom URL category list of sites. |
Command Example
!panorama-create-custom-url-category name=suspicious_address_group sites=["thepill.com","abortion.com"] description=momo
Human Readable Output
15. Delete a custom URL category
Deletes a custom URL category.
Base Command
panorama-delete-custom-url-category
Input
| Argument Name | Description | Required |
|---|---|---|
| name | Name of the custom URL category to delete. | Optional |
| device-group | The device group for which to return addresses (Panorama instances). If no value is supplied, the default group configured integration parameter is applied. | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| Panorama.CustomURLCategory.Name | string | Name of the custom URL category to delete. |
Command Example
!panorama-delete-custom-url-category name=suspicious_address_group
Human Readable Output
16. Add/Remove sites from a custom URL category
Add sites to, or remove sites from a custom URL category.
Base Command
panorama-edit-custom-url-category
Input
| Argument Name | Description | Required |
|---|---|---|
| name | Name of the custom URL category to which to add or remove sites. | Required |
| sites | CSV list of sites to add to the custom URL category. | Required |
| action | Add or remove sites; "add" or "remove". | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| Panorama.CustomURLCategory.Name | string | Custom URL category name. |
| Panorama.CustomURLCategory.Description | string | Custom URL category description. |
| Panorama.CustomURLCategory.Sites | string | Custom URL category list of sites. |
Human Readable Output
17. Get details for a URL category
Gets a URL category from URL Filtering.
Base Command
panorama-get-url-category
Input
| Argument Name | Description | Required |
|---|---|---|
| url | URL to check. | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| Panorama.URLFiltering.URL | string | URL. |
| Panorama.URLFiltering.Category | string | URL category. |
Command Example
!panorama-get-url-category url="poker.com"
Human Readable Output
18. Get details for a URL filtering rule
Get information for a URL filtering rule.
Base Command
panorama-get-url-filter
Input
| Argument Name | Description | Required |
|---|---|---|
| name | URL filter name. | Required |
| device-group | The device group for which to return addresses (Panorama instances). If no value is supplied, the default group configured integration parameter is applied. | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| Panorama.URLFilter.Name | string | URL filter name. |
| Panorama.URLFilter.Category.Name | string | URL filter category name. |
| Panorama.URLFilter.Category.Action | string | Action for the URL category. |
| Panorama.URLFilter.OverrideBlockList | string | URL filter override block list. |
| Panorama.URLFilter.OverrideAllowList | string | URL filter override allow list. |
| Panorama.URLFilter.Description | string | URL filter description. |
Command Example
!panorama-get-url-filter name=demisto_default_url_filter
Human Readable Output
19. Create a URL filtering rule
Creates a URL filtering rule.
Base Command
panorama-create-url-filter
Input
| Argument Name | Description | Required |
|---|---|---|
| name | Name of the URL filter to create. | Required |
| url_category | One or more URL categories. | Required |
| action | Action for the URL categories; "allow", "block", "alert", "continue", "override". | Required |
| override_allow_list | CSV list of URLs to exclude from the allow list. | Optional |
| override_block_list | CSV list of URLs to exclude from the block list. | Optional |
| description | URL filter description. | Optional |
| device-group | The device group for which to return addresses (Panorama instances). If no value is supplied, the default group configured integration parameter is applied. | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| Panorama.URLFilter.Name | string | URL filter name |
| Panorama.URLFilter.Category.Name | string | URL filter category name |
| Panorama.URLFilter.Category.Action | string | Action for the URL category |
| Panorama.URLFilter.OverrideBlockList | string | URL filter override allow list |
| Panorama.URLFilter.OverrideBlockList | string | URL filter override block list |
| Panorama.URLFilter.Description | string | URL filter description. |
20. Edit a URL filter
Name of the URL filter to edit.
Base Command
panorama-edit-url-filter
Input
| Argument Name | Description | Required |
|---|---|---|
| name | URL filter to edit | Required |
| element_to_change | Element to change; "override_allow_list", "ovveride_block_list" | Required |
| element_value | Element value, limited to one value. | Required |
| add_remove_element | Add or remove an element from the Allow List field or Block List field, default is "add" the element_value to the list. | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| Panorama.URLFilter.Name | string | URL filter name. |
| Panorama.URLFilter.Description | string | URL filter description. |
| Panorama.URLFilter.Category.Name | string | URL filter category. |
| Panorama.URLFilter.Action | string | Action for the URL category. |
| Panorama.URLFilter.OverrideAllowList | string | Allow Overrides for the URL category. |
| Panorama.URLFilter.OverrideBlockList | string | Block Overrides for the URL category. |
Command Example
!panorama-edit-url-filter name=demisto_default_url_filter element_to_change=override_allow_list element_value="poker.com" add_remove_element=add
Human Readable Output
21. Delete a URL filtering rule
Deletes a URL filtering rule.
Base Command
panorama-delete-url-filter
Input
| Argument Name | Description | Required |
|---|---|---|
| name | Name of the URL filter rule to delete. | Required |
| device-group | The device group for which to return addresses (Panorama instances). If no value is supplied, the default group configured integration parameter is applied. | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| Panorama.URLFilter.Name | string | URL filter rule name that was deleted. |
22. Create a policy rule
Creates a policy rule.
Base Command
panorama-create-rule
Input
| Argument Name | Description | Required |
|---|---|---|
| rulename | Name of the rule to create. | Optional |
| description | Description of the rule to create. | Optional |
| action | Action for the rule; "allow", "deny", "drop". | Required |
| source | Source address; "address", "address group". | Optional |
| destination | Destination address; "address", "address group". | Optional |
| source_zone | A comma-separated list of source zones.. | Optional |
| destination_zone | A comma-separated list of source zones.. | Optional |
| negate_source | Whether to negate the source (address, address group); "Yes" or "No". | Optional |
| negate_destination | Whether to negate the destination (address, address group); "Yes" or "No". | Optional |
| service | Service for the rule (service object) to create. | Optional |
| disable | Whether to disable the rule; "Yes" or "No" (default is "No"). | Optional |
| application | Application for the rule to create. | Optional |
| source_user | Source user for the rule to create. | Optional |
| pre_post | Pre rule or Post rule. | Optional |
| target | Specify a target firewall for the rule. | Optional |
| log_forwarding | Log forwarding profile (Panorama instances). | Optional |
| device-group | The device group for which to return addresses for the rule (Panorama instances). If no value is supplied, the default group configured integration parameter is applied. | Optional |
| tags | Rule tags to create. | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| Panorama.SecurityRule.Name | string | Rule name. |
| Panorama.SecurityRule.Description | string | Rule description. |
| Panorama.SecurityRule.Action | string | Action for the rule. |
| Panorama.SecurityRule.Source | string | Source address. |
| Panorama.SecurityRule.Destination | string | Destination address. |
| Panorama.SecurityRule.NegateSource | boolean | Whether the source is negated (address, address group). |
| Panorama.SecurityRule.NegateDestination | boolean | Whether the destination is negated (address, address group). |
| Panorama.SecurityRule.Service | string | Service for the rule. |
| Panorama.SecurityRule.Disabled | string | Whether the rule is disabled. |
| Panorama.SecurityRule.Application | string | Application for the rule. |
| Panorama.SecurityRule.Target | string | Target firewall. |
| Panorama.SecurityRule.LogForwarding | string | Log forwarding profile (Panorama instances). |
| Panorama.SecurityRule.DeviceGroup | string | Device group for the rule (Panorama instances). |
| Panorama.SecurityRules.Tags | string | Rule tags. |
Command Example
!panorama-create-rule rulename="block_bad_application" description="do not play at work" action="deny" application="fortnite"
Human Readable Output
23. Create a custom block policy rule
Creates a custom block policy rule.
Base Command
panorama-custom-block-rule
Input
| Argument Name | Description | Required |
|---|---|---|
| rulename | Name of the custom block policy rule to create. | Optional |
| object_type | Object type to block in the policy rule. Can be "ip", "address-group", "edl", or "custom-url-category". | Required |
| object_value | Object value. | Required |
| direction | Direction to block. Can be "to", "from", or "both". Default is "both". This argument is not applicable to the "custom-url-category" object_type. | Optional |
| pre_post | Pre rule or Post rule. | Optional |
| target | Specify a target firewall for the rule. | Optional |
| log_forwarding | Log forwarding profile (Panorama instances). | Optional |
| device-group | The device group for which to return addresses for the rule (Panorama instances). If no value is supplied, the default group configured integration parameter is applied. | Optional |
| tags | The tags for the custom block policy rule. | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| Panorama.SecurityRule.Name | string | Rule name. |
| Panorama.SecurityRule.Object | string | Blocked object. |
| Panorama.SecurityRule.Direction | string | Direction blocked. |
| Panorama.SecurityRule.Target | string | Target firewall. |
| Panorama.SecurityRule.LogForwarding | string | Log forwarding profile (Panorama instances). |
| Panorama.SecurityRule.DeviceGroup | string | Device group for the rule (Panorama instances). |
| Panorama.SecurityRule.Tags | string | Rule tags. |
24. Change the location of a policy rule
Changes the location of a policy rule.
Base Command
panorama-move-rule
Input
| Argument Name | Description | Required |
|---|---|---|
| rulename | Name of the rule to move. | Required |
| where | Where to move the rule to; "before", "after", "top", or "bottom". If you specify "up" or "down", you need to supply the "dst" argument. | Required |
| dst | Destination rule relative to the rule you are moving. Only supply this argument if you specified "up" or "down" for the "where" argument. | Optional |
| pre_post | Rule location. | Optional |
| device-group | The device group for which to return addresses (Panorama instances). If no value is supplied, the default group configured integration parameter is applied. | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| Panorama.SecurityRule.Name | string | Rule name. |
Command Example
!panorama-move-rule rulename="test_rule3" where="bottom"
Human Readable Output
25. Edit a policy rule
Edit a policy rule.
Base Command
panorama-edit-rule
Input
| Argument Name | Description | Required |
|---|---|---|
| rulename | Name of the rule to edit. | Required |
| element_to_change | Parameter in the security rule to change. Can be "source", "destination", "application", "action", "category", "description", "disabled", "target", "log-forwarding", or "tag". | Required |
| element_value | New value for the parameter. | Required |
| pre_post | Pre rule or Post rule (Panorama instances). | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| Panorama.SecurityRule.Name | string | Rule name. |
| Panorama.SecurityRule.Description | string | Rule description. |
| Panorama.SecurityRule.Action | string | Action for the rule. |
| Panorama.SecurityRule.Source | string | Source address. |
| Panorama.SecurityRule.Destination | string | Destination address. |
| Panorama.SecurityRule.NegateSource | boolean | Is the source negated (address, address group). |
| Panorama.SecurityRule.NegateDestination | boolean | Is the destination negated (address, address group). |
| Panorama.SecurityRule.Service | string | Service for the rule. |
| Panorama.SecurityRule.Disabled | string | Is the rule disabled. |
| Panorama.SecurityRule.Application | string | Application for the rule. |
| Panorama.SecurityRule.Target | string | Target firewall (Panorama instances). |
| Panorama.SecurityRule.DeviceGroup | string | Device group for the rule (Panorama instances). |
| Panorama.SecurityRule.Tags | string | Tags for the rule. |
Command Example
!panorama-edit-rule rulename="block_bad_application" element_to_change=action element_value=drop
Human Readable Output
26. Delete a policy rule
Deletes a policy rule.
Base Command
panorama-delete-rule
Input
| Argument Name | Description | Required |
|---|---|---|
| rulename | Name of the rule to delete. | Required |
| pre_post | Pre rule or Post rule (Panorama instances). | Optional |
| device-group | The device group for which to return addresses (Panorama instances). If no value is supplied, the default group configured integration parameter is applied. | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| Panorama.SecurityRule.Name | string | Rule name. |
Command Example
!panorama-delete-rule rulename=block_bad_application
Human Readable Output
27. Get a list of applications
Returns a list of predefined applications.
Base Command
panorama-list-applications
Input
There are no input arguments for this command.
Context Output
| Path | Type | Description |
|---|---|---|
| Panorama.Applications.Name | string | Application name. |
| Panorama.Applications.Id | number | Application ID. |
| Panorama.Applications.Category | string | Application category. |
| Panorama.Applications.SubCategory | string | Application sub-category. |
| Panorama.Applications.Technology | string | Application technology. |
| Panorama.Applications.Risk | number | Application risk (1-5). |
| Panorama.Applications.Description | string | Application description. |
Command Example
!panorama-list-applications
Human Readable Output
28. Get the commit status for a configuration
Get the commit status for a configuration.
Base Command
panorama-commit-status
Input
| Argument Name | Description | Required |
|---|---|---|
| job_id | Job ID to check. | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| Panorama.Commit.JobID | number | Job ID of the configuration to be committed. |
| Panorama.Commit.Status | string | Commit status. |
| Panorama.Commit.Details | string | Job ID details. |
| Panorama.Commit.Warnings | string | Job ID warnings. |
Command Example
!panorama-commit-status job_id=948
Human Readable Output
29. Get the push status for a configuration
Get the push status for a configuration.
Base Command
panorama-push-status
Input
| Argument Name | Description | Required |
|---|---|---|
| job_id | Job ID to check. | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| Panorama.Push.DeviceGroup | string | Device group to which the policies were pushed. |
| Panorama.Push.JobID | number | Job ID of the configuration to be pushed. |
| Panorama.Push.Status | string | Push status. |
| Panorama.Push.Details | string | Job ID details. |
Command Example
!panorama-push-status job_id=951
Human Readable Output
30. Get a list of services
Returns a list of all services.
Base Command
panorama-list-services
Input
| Argument Name | Description | Required |
|---|---|---|
| device-group | The device group for which to return addresses (Panorama instances). If no value is supplied, the default group configured integration parameter is applied. | Optional |
| tag | The tag for which to filter the service. | Optional |
There is no input for this command.
Context Output
| Path | Type | Description |
| Panorama.Services.Name | string | Service name. |
| Panorama.Services.Protocol | string | Service protocol. |
| Panorama.Services.Description | string | Service description. |
| Panorama.Services.DestinationPort | string | Service destination port. |
| Panorama.Services.SourcePort | string | Service source port. |
| Panorama.Services.DeviceGroup | string | Service device group. |
| Panorama.Services.Tags | string | Service tags. |
Command Example
!panorama-list-services
Human Readable Output
31. Get information for a service
Returns service details for the supplied service name.
Base Command
panorama-get-service
Input
| Argument Name | Description | Required |
| name | Service name. | Optional |
| device-group | The device group for which to return addresses (Panorama instances). If no value is supplied, the default group configured integration parameter is applied. | Optional |
Context Output
| Path | Type | Description |
| Panorama.Services.Name | string | Service name. |
| Panorama.Services.Protocol | string | Service protocol. |
| Panorama.Services.Description | string | Service descriptions. |
| Panorama.Services.DestinationPort | string | Service destination port. |
| Panorama.Services.SourcePort | string | Service source port. |
| Panorama.Services.DeviceGroup | string | Service device group. |
| Panorama.Service.Tags | string | Service tags. |
Command Example
!panorama-get-service name=guy_ser3
Human Readable Output
32. Create a service
Creates a service.
Base Command
panorama-create-service
Input
| Argument Name | Description | Required |
| name | Name for the new service. | Required |
| protocol | Protocol for the new service. | Required |
| destination_port | Destination port for the new service. | Required |
| source_port | Source port for the new service. | Optional |
| description | Description of the new service. | Optional |
| device-group | The device group for which to return addresses (Panorama instances). If no value is supplied, the default group configured integration parameter is applied. | Optional |
| tags | The tags for the new service. | Optional |
Context Output
| Path | Type | Description |
| Panorama.Services.Name | string | Service name. |
| Panorama.Services.Protocol | string | Service protocol. |
| Panorama.Services.Description | string | Service descriptions. |
| Panorama.Services.DestinationPort | string | Service destination port. |
| Panorama.Services.SourcePort | string | Service source port. |
| Panorama.Services.DeviceGroup | string | Service device group. |
| Panorama.Services.Tags | string | Service tags. |
Command Example
!panorama-create-service name=guy_ser3 protocol=udp destination_port=36 description=bfds
Human Readable Output
placeholder
33. Delete a service
Deletes a service.
Base Command
panorama-delete-service
Input
| Argument Name | Description | Required |
| name | Name of the service to delete. | Required |
| device-group | The device group for which to return addresses (Panorama instances). If no value is supplied, the default group configured integration parameter is applied. | Optional |
Context Output
| Path | Type | Description |
| Panorama.Services.Name | string | Service name. |
Command Example
!panorama-delete-service name=guy_ser3
Human Readable Output
placeholder
34. Get a list of service groups
Returns a list of service groups.
Base Command
panorama-list-service-groups
Input
| Argument Name | Description | Required |
|---|---|---|
| device-group | The device group for which to return addresses (Panorama instances). If no value is supplied, the default group configured integration parameter is applied. | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| Panarama.ServiceGroups.Name | string | Service group name |
| Panorama.ServiceGroups.Services | string | Service group related services |
| Panorama.ServiceGroups.DeviceGroup | string | Service device group. |
| Panorama.ServiceGroups.Tags | string | Service tags. |
Command Example
!panorama-list-service-groups
Human Readable Output
placeholder
35. Get information for a service group
Returns details for the specified service group.
Base Command
panorama-get-service-group
Input
| Argument Name | Description | Required |
|---|---|---|
| name | Service group name. | Required |
| device-group | The device group for which to return addresses (Panorama instances). If no value is supplied, the default group configured integration parameter is applied. | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| Panarama.ServiceGroups.Name | string | Service group name. |
| Panorama.ServiceGroups.Services | string | Service group related services. |
| Panorama.ServiceGroups.DeviceGroup | string | Service device group. |
| Panorama.ServiceGroups.Tags | string | Service group tags. |
Command Example
!panorama-get-service-group name=ser_group6
Human Readable Output
placeholder
36. Create a service group
Creates a service group.
Base Command
panorama-create-service-group
Input
| Argument Name | Description | Required |
|---|---|---|
| name | Service group Name. | Required |
| services | Service group related services. | Required |
| device-group | The device group for which to return addresses (Panorama instances). If no value is supplied, the default group configured integration parameter is applied. | Optional |
| tags | The tags for which to filter the service groups. | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| Panarama.ServiceGroups.Name | string | Service group name. |
| Panorama.ServiceGroups.Services | string | Service group related services. |
| Panorama.ServiceGroups.DeviceGroup | string | Service device group. |
| Panorama.ServiceGroups.Tags | string | Service group tags. |
Command Example
!panorama-create-service-group name=lalush_sg4 services=`["demisto_service1","demi_service_test_pb"]
Human Readable Output
placeholder
37. Delete a service group
Deletes a service group.
Base Command
panorama-delete-service-group
Input
| Argument Name | Description | Required |
|---|---|---|
| name | Name of the service group to delete. | Required |
| device-group | The device group for which to return addresses (Panorama instances). If no value is supplied, the default group configured integration parameter is applied. | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| Panarama.ServiceGroups.Name | string | Name of the service group that was deleted. |
| Panorama.ServiceGroups.DeviceGroup | string | Device group for the service group that was deleted (Panorama instances). |
Command Example
!panorama-delete-service-group name=lalush_sg4
Human Readable Output
placeholder
38. Edit a service group
Modifies details of a service group.
Base Command
panorama-edit-service-group
Input
| Argument Name | Description | Required |
|---|---|---|
| name | Service group name | Required |
| services_to_remove |
Services to remove from the service group. Only existing Services
objects can be removed. |
Optional |
| services_to_add |
Services to add to the service group. Only existing Services objects
can be added. |
Optional |
| tags | Services group tag to edit. | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| Panarama.ServiceGroups.Name | string | Service group name. |
| Panorama.ServiceGroups.Services | string | Service group related services. |
| Panorama.ServiceGroups.DeviceGroup | string | Service device group. |
| Panorama.ServiceGroups.Tags | string | Service group tags. |
Command Example
panorama-edit-service-group name=lalush_sg4 services_to_remove=`["serice_udp_test_pb","demisto_service1"]
Human Readable Output
39. Get information for a PCAP file
Returns information for a Panorama PCAP file. The recommended maximum file size is 5 MB. If the limit is exceeded, you might need to SSH the firewall and run the
scp export
command to export the PCAP file. For more information, see the
Palo Alto Networks documentation
.
Base Command
panorama-get-pcap
Input
| Argument Name | Description | Required |
|---|---|---|
| pcapType | The type of packet capture. | Required |
| from | The file name for the PCAP type ("dlp-pcap", "filters-pcap", "application-pcap". | Optional |
| localName | The new name for the PCAP file after downloading. If this argument is not specified, the file name will be the PCAP file name that was set in the firewall. | Optional |
| serialNo | The serial number for the request. For more information, see the Panorama XML API Documentation. | Optional |
| searchTime | The search time for the request. For more information, see the Panorama XML API Documentation. | Optional |
| pcapID | The ID of the PCAP for the request. For more information, see the Panorama XML API Documentation. | Optional |
| password | The password for Panorama. This is only required for the "dlp-pcap" PCAP type. | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| File.Size | number | The file size. |
| File.Name | string | The file name. |
| File.Type | string | The file type. |
| File.Info | string | The file info. |
| File.Extenstion | string | The file extension. |
| File.EntryID | string | The file entryID. |
| File.MD5 | string | The MD5 hash of the file. |
| File.SHA1 | string | The SHA-1 hash of the file. |
| File.SHA256 | string | The SHA-256 hash of the file. |
Command Example
!panorama-get-pcaps pcapType="filter-pcap" from=pcap_test
Human Readable Output
40. Get a list of all PCAP files
Returns a list of all Panorama PCAP files, by PCAP type.
Base Command
panorama-list-pcaps
Input
| Argument Name | Description | Required |
|---|---|---|
| pcapType | The type of packet capture. | Required |
| from | The file name for the PCAP type (“dlp-pcap”, “filters-pcap”, “application-pcap”). For “application-pcap”, also use . | Optional |
| password | The password for Panorama. This is only required for the “dlp-pcap” PCAP type. | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| Panorama.Pcaps.Name | string | The PCAP name. |
Command Example
!panorama-list-pcaps pcapType=“filter-pcap”
Human Readable Output
41. Get a list of EDLs
Returns a list of external dynamic lists.
Base Command
panorama-list-edls
Input
| Argument Name | Description | Required |
|---|---|---|
| device-group | The device group for which to return addresses (Panorama instances). If no value is supplied, the default group configured integration parameter is applied. | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| Panorama.EDL.Name | string | Name of the EDL. |
| Panorama.EDL.Type | string | The type of EDL. |
| Panorama.EDL.URL | string | URL in which the EDL is stored. |
| Panorama.EDL.Description | string | Description of the EDL. |
| Panorama.EDL.CertificateProfile | string | EDL certificate profile. |
| Panorama.EDL.Recurring | string | Time interval that the EDL was pulled and updated. |
Command Example
!panorama-list-edls
Human Readable Output
42. Get information for an EDL
Returns information for an external dynamic list.
Base Command
panorama-get-edl
Input
| Argument Name | Description | Required |
|---|---|---|
| name | Name of the EDL. | Required |
| device-group | The device group for which to return addresses (Panorama instances). If no value is supplied, the default group configured integration parameter is applied. | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| Panorama.EDL.Name | string | Name of the EDL. |
| Panorama.EDL.Type | string | The type of EDL. |
| Panorama.EDL.URL | string | URL in which the EDL is stored. |
| Panorama.EDL.Description | string | Description of the EDL. |
| Panorama.EDL.CertificateProfile | string | EDL certificate profile. |
| Panorama.EDL.Recurring | string | Time interval that the EDL was pulled and updated. |
Command Example
!panorama-get-edl name=test_pb_domain_edl_DONT_DEL
Human Readable Output
43. Create an EDL
Creates an external dynamic list.
Base Command
panorama-create-edl
Input
| Argument Name | Description | Required |
|---|---|---|
| name | Name of the EDL. | Required |
| url | URL from which to pull the EDL. | Required |
| type | The type of EDL. | Required |
| recurring | Time interval for pulling and updating the EDL. | Required |
| certificate_profile | Certificate Profile name for the URL that was previously uploaded to PAN OS. | Optional |
| description | Description of the EDL. | Optional |
| device-group | The device group for which to return addresses (Panorama instances). If no value is supplied, the default group configured integration parameter is applied. | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| Panorama.EDL.Name | string | Name of the EDL. |
| Panorama.EDL.Type | string | The type of EDL. |
| Panorama.EDL.URL | string | URL in which the EDL is stored. |
| Panorama.EDL.Description | string | Description of the EDL. |
| Panorama.EDL.CertificateProfile | string | EDL certificate profile. |
| Panorama.EDL.Recurring | string | Time interval that the EDL was pulled and updated. |
44. Edit an EDL
Modifies an element of an external dynamic list.
Base Command
panorama-edit-edl
Input
| Argument Name | Description | Required |
|---|---|---|
| name | Name of the external dynamic list to edit | Required |
| element_to_change | The element to change (“url”, “recurring”, “certificate_profile”, “description”). | Required |
| element_value | The element value. | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| Panorama.EDL.Name | string | Name of the EDL. |
| Panorama.EDL.URL | string | URL in which the EDL is stored |
| Panorama.EDL.Description | string | Description of the EDL. |
| Panorama.EDL.CertificateProfile | string | EDL certificate profile. |
| Panorama.EDL.Recurring | string | Time interval that the EDL was pulled and updated. |
Command Example
!panorama-edit-edl name=test_pb_domain_edl_DONT_DEL element_to_change=description element_value="new description3"
Human Readable Output
45. Delete an EDL
Deletes an external dynamic list.
Base Command
panorama-delete-edl
Input
| Argument Name | Description | Required |
|---|---|---|
| name | Name of the EDL to delete. | Required |
| device-group | The device group for which to return addresses (Panorama instances). If no value is supplied, the default group configured integration parameter is applied. | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| Panorama.EDL.Name | string | Name of the EDL that was deleted. |
Command Example
!panorama-delete-edl name=shani_uel33
Human Readable Output
46. Refresh an EDL
Refreshes the specified external dynamic list.
Base Command
panorama-refresh-edl
Input
| Argument Name | Description | Required |
|---|---|---|
| name | Name of the EDL. | Required |
| device-group | The device group for which to return addresses (Panorama instances). If no value is supplied, the default group configured integration parameter is applied. | Optional |
Context Output
There is no context output for this command.
Command Example
!panorama-refresh-edl name=domain_edl66
Human Readable Output
47. Register IP addresses to a tag
Registers IP addresses to a tag.
Base Command
panorama-register-ip-tag
Input
| Argument Name | Description | Required |
|---|---|---|
| tag | Tag to which to register IP addresses. | Required |
| IPs | IP addresses to register. | Required |
| persistent | Whether the IP addresses remain registered to the tag after device reboots (“True”:persistent, “False":non-persistent). Default is “True”. | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| Panorama.DynamicTags.Tag | string | Name for the tag. |
| Panorama.DynamicTags.IPs | string | Registered IP addresses. |
Command Example
!panorama-register-ip-tag tag=tag02 IPs=[“10.0.0.13”,“10.0.0.14”]
Context Example
Human Readable Output
48. Unregister IP addresses from a tag
Unregisters IP addresses from a tag.
Base Command
panorama-unregister-ip-tag
Input
| Argument Name | Description | Required |
|---|---|---|
| tag | Tag from which to unregister IP addresses. | Required |
| IPs | IP addresses to unregister. | Required |
Command Example
!panorama-unregister-ip-tag tag=tag02 IPs=`["10.0.0.13","10.0.0.14"]
Human Readable Output
49. Query traffic logs
Queries traffic logs.
Base Command
panorama-query-traffic-logs
Input
| Argument Name | Description | Required |
|---|---|---|
| query | Specifies the match criteria for the logs. This is similar to the query provided in the web interface under the Monitor tab when viewing the logs. | Optional |
| number_of_logs | The number of logs to retrieve. Default is 100. Maximum is 5,000. | Optional |
| direction | Whether logs are shown oldest first (forward) or newest first (backward). Default is backward. | Optional |
| source | Source address for the query. | Optional |
| destination | Destination address for the query. | Optional |
| receive_time | Date and time after which logs were received, in the format: YYYY/MM/DD HH:MM:SS. | Optional |
| application | Application for the query. | Optional |
| to_port | Destination port for the query. | Optional |
| action | Action for the query. | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| Panorama.TrafficLogs.JobID | Number | Job ID of the traffic logs query. |
| Panorama.TrafficLogs.Status | String | Status of the traffic logs query. |
Command Example
!panorama-query-traffic-logs query="" number_of_logs="100" direction="backward" source="" destination="" receive_time="" application="" to_port="" action="allow"
Human Readable Output
50. Check the query status of traffic logs
Checks the query status of traffic logs.
Base Command
panorama-check-traffic-logs-status
Input
| Argument Name | Description | Required |
|---|---|---|
| job_id | Job ID of the query. | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| Panorama.TrafficLogs.JobID | Number | Job ID of the traffic logs query. |
| Panorama.TrafficLogs.Status | String | Status of the traffic logs query. |
Command Example
!panorama-check-traffic-logs-status job_id="1865"
Human Readable Output
51. Get traffic logs
Retrieves traffic log query data by job id
Base Command
panorama-get-traffic-logs
Input
| Argument Name | Description | Required |
|---|---|---|
| job_id | Job ID of the query. | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| Panorama.TrafficLogs.JobID | Number | Job ID of the traffic logs query. |
| Panorama.TrafficLogs.Status | String | Status of the traffic logs query. |
| Panorama.TrafficLogs.Logs.Action | String | Action of the traffic log. |
| Panorama.TrafficLogs.Logs.ActionSource | String | Action source of the traffic log. |
| Panorama.TrafficLogs.Logs.Application | String | Application of the traffic log. |
| Panorama.TrafficLogs.Logs.Category | String | Category of the traffic log. |
| Panorama.TrafficLogs.Logs.DeviceName | String | Device name of the traffic log. |
| Panorama.TrafficLogs.Logs.Destination | String | Destination of the traffic log. |
| Panorama.TrafficLogs.Logs.DestinationPort | String | Destination port of the traffic log. |
| Panorama.TrafficLogs.Logs.FromZone | String | From zone of the traffic log. |
| Panorama.TrafficLogs.Logs.Protocol | String | Protocol of the traffic log. |
| Panorama.TrafficLogs.Logs.ReceiveTime | String | Receive time of the traffic log. |
| Panorama.TrafficLogs.Logs.Rule | String | Rule of the traffic log. |
| Panorama.TrafficLogs.Logs.SessionEndReason | String | Session end reason of the traffic log. |
| Panorama.TrafficLogs.Logs.Source | String | Source of the traffic log. |
| Panorama.TrafficLogs.Logs.SourcePort | String | Source port of the traffic log. |
| Panorama.TrafficLogs.Logs.StartTime | String | Start time of the traffic log. |
| Panorama.TrafficLogs.Logs.ToZone | String | To zone of the traffic log. |
Command Example
!panorama-get-traffic-logs job_id="1865"
Human Readable Output
52. Get a list of predefined security rules
Returns a list of predefined security rules.
Base Command
panorama-list-rules
Input
| Argument Name | Description | Required |
|---|---|---|
| pre_post | Rules location. Can be "pre-rulebase" or "post-rulebase". Mandatory for Panorama instances. | Optional |
| device-group | The device group for which to return addresses (Panorama instances). If no value is supplied, the default group configured integration parameter is applied. | Optional |
| tag | The tag for which to filter the rules. | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| Panorama.SecurityRule.Name | String | Rule name. |
| Panorama.SecurityRule.Action | String | Action for the rule. |
| Panorama.SecurityRule.Location | String | Rule location. |
| Panorama.SecurityRule.Category | String | Rule category. |
| Panorama.SecurityRule.Application | String | Application for the rule. |
| Panorama.SecurityRule.Destination | String | Destination address. |
| Panorama.SecurityRule.From | String | Rule from. |
| Panorama.SecurityRule.Service | String | Service for the rule. |
| Panorama.SecurityRule.To | String | Rule to. |
| Panorama.SecurityRule.Source | String | Source address. |
| Panorama.SecurityRule.DeviceGroup | String | Device group for the rule (Panorama instances). |
| Panorama.SecurityRules.Tags | String | Rule tags. |
Command Example
!panorama-list-rules
Human Readable Output
53. Query logs
Query logs in Panorama.
Base Command
panorama-query-logs
Input
| Argument Name | Description | Required |
|---|---|---|
| log-type | The log type. Can be "threat", "traffic", "wildfire", "url", or "data". | Required |
| query | The query string by which to match criteria for the logs. This is similar to the query provided in the web interface under the Monitor tab when viewing the logs. | Optional |
| time-generated | The time that the log was generated from the timestamp and prior to it. For example: "2019/08/11 01:10:44". | Optional |
| addr-src | Source address. | Optional |
| ip | The source or destination IP address. | |
| addr-dst | Destination address. | Optional |
| zone-src | Source zone. | Optional |
| zone-dst | Destination Source. | Optional |
| action | Rule action. | Optional |
| port-dst | Destination port. | Optional |
| rule | Rule name, for example: "Allow all outbound". | Optional |
| url | URL, for example: "safebrowsing.googleapis.com". | Optional |
| filedigest | File hash (for WildFIre logs only). | Optional |
| number_of_logs | Maximum number of logs to retrieve. If empty, the default is 100. The maximum is 5,000. | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| Panorama.Monitor.JobID | String | Job ID of the logs query. |
| Panorama.Monitor.Status | String | Status of the logs query. |
| Panorama.Monitor.Message | String | Message of the logs query. |
Command Example
!panorama-query-logs log-type=data query=( addr.src in 192.168.1.12 )
Human Readable Output
Command Example
!panorama-query-logs log-type=wildfire filedigest=4f79697b40d0932e91105bd496908f8e02c130a0e36f6d3434d6243e79ef82e0
Human Readable Output
54. Check log query status
Checks the status of a logs query.
Base Command
panorama-check-logs-status
Input
| Argument Name | Description | Required |
|---|---|---|
| job_id | Job ID of the query. | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| Panorama.Monitor.JobID | String | Job ID of the logs query. |
| Panorama.Monitor.Status | String | Status of the logs query. |
Command Example
!panorama-check-logs-status job_id=657
Human Readable Output
55. Get log query data
Retrieves the data of a logs query.
Base Command
panorama-get-logs
Input
| Argument Name | Description | Required |
|---|---|---|
| job_id | Job ID of the query. | Required |
| ignore_auto_extract | Whether to auto-enrich the War Room entry. If "true", entry is not auto-enriched. If "false", entry is auto-extracted. Default is "true". | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| Panorama.Monitor.Action | String | Action taken for the session. Can be "alert", "allow", "deny", "drop", "drop-all-packets", "reset-client", "reset-server", "reset-both", of "block-url". |
| Panorama.Monitor.Application | String | Application associated with the session. |
| Panorama.Monitor.Bytes | String | Total log bytes. |
| Panorama.Monitor.BytesReceived | String | Log bytes received. |
| Panorama.Monitor.BytesSent | String | Log bytes sent. |
| Panorama.Monitor.Category | String | The URL category of the URL subtype. For WildFire subtype, it is the verdict on the file, and can be either "malicious", "phishing", "grayware"’, or "benign". For other subtypes, the value is "any". |
| Panorama.Monitor.DeviceName | String | The hostname of the firewall on which the session was logged. |
| Panorama.Monitor.DestinationAddress | String | Original session destination IP address. |
| Panorama.Monitor.DestinationUser | String | Username of the user to which the session was destined. |
| Panorama.Monitor.DestinationCountry | String | Destination country or internal region for private addresses. Maximum length is 32 bytes. |
| Panorama.Monitor.DestinationPort | String | Destination port utilized by the session. |
| Panorama.Monitor.FileDigest | String | Only for the WildFire subtype, all other types do not use this field. The filedigest string shows the binary hash of the file sent to be analyzed by the WildFire service. |
| Panorama.Monitor.FileName | String | File name or file type when the subtype is file.File name when the subtype is virus. File name when the subtype is wildfire-virus. File name when the subtype is wildfire. |
| Panorama.Monitor.FileType | String | Only for the WildFire subtype, all other types do not use this field. Specifies the type of file that the firewall forwarded for WildFire analysis. |
| Panorama.Monitor.FromZone | String | The zone from which the session was sourced. |
| Panorama.Monitor.URLOrFilename | String | The actual URI when the subtype is url. File name or file type when the subtype is file. File name when the subtype is virus. File name when the subtype is wildfire-virus. File name when the subtype is wildfire. URL or file name when the subtype is vulnerability (if applicable) |
| Panorama.Monitor.NATDestinationIP | String | If destination NAT performed, the post-NAT destination IP address. |
| Panorama.Monitor.NATDestinationPort | String | Post-NAT destination port. |
| Panorama.Monitor.NATSourceIP | String | If source NAT performed, the post-NAT source IP address. |
| Panorama.Monitor.NATSourcePort | String | Post-NAT source port. |
| Panorama.Monitor.PCAPid | String | The packet capture (pcap) ID is a 64 bit unsigned integral denoting an ID to correlate threat pcap files with extended pcaps taken as a part of that flow. All threat logs will contain either a pcap_id of 0 (no associated pcap), or an ID referencing the extended pcap file. |
| Panorama.Monitor.IPProtocol | String | IP protocol associated with the session. |
| Panorama.Monitor.Recipient | String | Only for the WildFire subtype, all other types do not use this field. Specifies the name of the receiver of an email that WildFire determined to be malicious when analyzing an email link forwarded by the firewall. |
| Panorama.Monitor.Rule | String | Name of the rule that the session matched. |
| Panorama.Monitor.RuleID | String | ID of the rule that the session matched. |
| Panorama.Monitor.ReceiveTime | String | Time the log was received at the management plane. |
| Panorama.Monitor.Sender | String | Only for the WildFire subtype; all other types do not use this field. Specifies the name of the sender of an email that WildFire determined to be malicious when analyzing an email link forwarded by the firewall. |
| Panorama.Monitor.SessionID | String | An internal numerical identifier applied to each session. |
| Panorama.Monitor.DeviceSN | String | The serial number of the firewall on which the session was logged. |
| Panorama.Monitor.Severity | String | Severity associated with the threat. Can be "informational", "low", "medium", "high", or "critical". |
| Panorama.Monitor.SourceAddress | String | Original session source IP address. |
| Panorama.Monitor.SourceCountry | String | Source country or internal region for private addresses. Maximum length is 32 bytes. |
| Panorama.Monitor.SourceUser | String | Username of the user who initiated the session. |
| Panorama.Monitor.SourcePort | String | Source port utilized by the session. |
| Panorama.Monitor.ThreatCategory | String | Describes threat categories used to classify different types of threat signatures. |
| Panorama.Monitor.Name | String | Palo Alto Networks identifier for the threat. It is a description string followed by a 64-bit numerical identifier |
| Panorama.Monitor.ID | String | Palo Alto Networks ID for the threat. |
| Panorama.Monitor.ToZone | String | The zone to which the session was destined. |
| Panorama.Monitor.TimeGenerated | String | Time that the log was generated on the dataplane. |
| Panorama.Monitor.URLCategoryList | String | A list of the URL filtering categories that the firewall used to enforce the policy. |
Command Example
!panorama-get-logs job_id=678
Human Readable Output
Command Example
!panorama-get-logs job_id=676
Human Readable Output
Playbook Videos
These video show how to set up and use the PAN-OS DAG Configuration playbook and PAN-OS EDL Setup playbook.
PAN-OS DAG Configuration