
Palo Alto Networks PAN-OS

This Integration is part of the PAN-OS by Palo Alto Networks Pack.#

This integration supports both Palo Alto Networks Panorama and Palo Alto Networks Firewall. You can create separate instances of each integration, and they are not necessarily related or dependent on one another.

This integration enables you to manage the Palo Alto Networks Firewall and Panorama. For more information see the PAN-OS documentation. This integration was integrated and tested with versions 8.xx, 9.xx, and 10.xx of Palo Alto Firewall and Palo Alto Panorama.

Use Cases#

  • Create custom security rules in Palo Alto Networks PAN-OS.

  • Create and update address objects, address-groups, custom URL categories, and URL filtering objects.

  • Use the URL Filtering category information from Palo Alto Networks to enrich URLs by checking the use_url_filtering parameter. A valid license for the Firewall is required.

  • Get URL Filtering category information from Palo Alto. Request Change is a known Palo Alto limitation.

  • Add URL filtering objects including overrides to Palo Alto Panorama and Firewall.

  • Commit a configuration to Palo Alto Firewall and to Panorama, and push a configuration from Panorama to Pre-Defined Device-Groups of Firewalls.

  • Block IP addresses using registered IP tags from PAN-OS without committing the PAN-OS instance. First you have to create a registered IP tag, DAG, and security rule, and commit the instance. You can then register additional IP addresses to the tag without committing the instance.

    1. Create a registered IP tag and add the necessary IP addresses by running the pan-os-register-ip-tag command.
    2. Create a dynamic address group (DAG), by running the pan-os-create-address-group command. Specify values for the following arguments: type="dynamic", match={ tagname }.
    3. Create a security rule using the DAG created in the previous step, by running the pan-os-create-rule command.
    4. Commit the PAN-OS instance by running the PanoramaCommitConfiguration playbook.
    5. You can now register IP addresses to, or unregister IP addresses from the IP tag by running the pan-os-register-ip-tag command, or pan-os-unregister-ip-tag command, respectively, without committing the PAN-OS instance.
  • Create predefined security profiles based on Palo Alto Networks best practices.

  • Get security profiles best practices as defined by Palo Alto Networks. For more information about Palo Alto Networks best practices, visit Palo Alto Networks best practices.

  • Apply security profiles to a specific rule.

  • Set default categories to block in the URL filtering profile.

  • Enforce WildFire best practice.

    1. Set file upload to the maximum size.
    2. Set WildFire Update Schedule to download and install updates every minute.
    3. All file types are forwarded.

Known Limitations#

Fetch Incidents#

The Panorama integration now supports fetch incidents. The incidents are fetched according to a number of different optional log type queries. The log types are: Traffic, Threat, URL, Data, Correlation, System, Wildfire, Decryption.

Max incidents per fetch#
  • The max incidents per fetch parameter specifies the maximum number of incidents to fetch per Log Type Query.
  • Important note: Cortex XSOAR standard setup is not designed to handle many hundreds of new incidents every minute. Therefore, it is strongly recommended to narrow your query by log type, severity, or other criteria to ensure that each fetch cycle retrieves no more than 200 incidents at a time.
Log Type#

The queries that will be included during the fetch are decided according to the "Log Type" parameter (Multiple select dropdown).

  • Selecting "All" will use all the log type queries in the fetch.
  • To choose a specific set of queries, select their log types from the dropdown (make sure "All" option is unselected).
Log Type Query#
  • Each log type has its own query field in the instance configuration.
  • Note that the default query values contain example text; make sure to enter a valid query.
  • Note: In case of multiple devices, for the sake of speed it is recommended to narrow the query to a specific device. For example: "and (device_name eq dummy_device)".
Log Type Query Examples#

| Log Type | Query Example |
| --- | --- |
| Traffic | (addr.src in {source}) and (addr.dst in {destination}) and (action eq {action}) |
| Threat | (severity geq high) |
| URL | ((action eq block-override) or (action eq block-url)) and (severity geq high) |
| Data | ((action eq alert) or (action eq wildfire-upload-success) or (action eq forward)) and (severity geq high) |
| Correlation | (hostid eq {host_id}) and (match_time in {last_x_time}) and (objectname eq {object_name}) and (severity geq '{severity}') and (src in {source_address}) |
| System | (subtype eq {sub_type}) and (severity geq {severity}) |
| Wildfire Submission | ((action eq wildfire-upload-fail) or (action eq wildfire-upload-skip) or (action eq sinkhole)) |
| Decryption | (app eq {application}) and (policy_name geq {policy_name}) and ((src in {source}) or (dst in {destination})) |

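
An added example (not part of the integration or its documentation): a small linter for the Log Type Query fields that catches leftover {placeholder} example text and a missing device_name clause, the two pitfalls noted above, and fills a template with validated values. The function names, the bare-value allowlist, and the sample values are assumptions.

```python
import ipaddress
import re

# Example queries copied from the table above.
EXAMPLE_QUERIES = {
    "Traffic": "(addr.src in {source}) and (addr.dst in {destination}) and (action eq {action})",
    "Threat": "(severity geq high)",
    "System": "(subtype eq {sub_type}) and (severity geq {severity})",
}

PLACEHOLDER_RE = re.compile(r"\{([A-Za-z_]+)\}")
DEVICE_RE = re.compile(r"\(\s*device_name\s+eq\s+[^()\s]+\s*\)")
# Assumption: values substituted into a query must be a single bare token.
TOKEN_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]*")
ADDRESS_FIELDS = {"source", "destination", "source_address"}


def parens_balanced(query):
    """True when every '(' has a matching ')' in the right order."""
    depth = 0
    for ch in query:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


def lint_query(log_type, query, multiple_devices=False):
    """Return a list of human-readable findings; an empty list means clean."""
    if not query.strip():
        return [f"{log_type}: query is empty"]
    findings = [
        f"{log_type}: placeholder {{{name}}} was never filled in"
        for name in PLACEHOLDER_RE.findall(query)
    ]
    if not parens_balanced(query):
        findings.append(f"{log_type}: unbalanced parentheses")
    if multiple_devices and not DEVICE_RE.search(query):
        findings.append(f"{log_type}: no device_name clause to narrow the fetch")
    return findings


def fill_query(template, **values):
    """Substitute placeholders, validating each value before it enters the query."""
    def substitute(match):
        name = match.group(1)
        if name not in values:
            raise KeyError(f"no value supplied for {{{name}}}")
        value = str(values[name])
        if name in ADDRESS_FIELDS:
            ipaddress.ip_network(value, strict=False)  # ValueError if not IP/CIDR
        elif not TOKEN_RE.fullmatch(value):
            raise ValueError(f"unsafe value for {{{name}}}: {value!r}")
        return value
    return PLACEHOLDER_RE.sub(substitute, template)


def narrow_to_device(query, device_name):
    """Append the device_name clause recommended for multi-device setups."""
    if not TOKEN_RE.fullmatch(device_name):
        raise ValueError(f"unsafe device name: {device_name!r}")
    return f"{query} and (device_name eq {device_name})"


if __name__ == "__main__":
    # Constructed sample values, not taken from a real deployment.
    for log_type, template in EXAMPLE_QUERIES.items():
        print(log_type, lint_query(log_type, template, multiple_devices=True))
    traffic = fill_query(EXAMPLE_QUERIES["Traffic"],
                         source="10.0.0.0/8", destination="192.0.2.10", action="deny")
    print(narrow_to_device(traffic, "dummy_device"))
```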
Classifiers and Mappers#

This integration supports a default Classifier (Panorama Classifier) and Mapper (Panorama Mapper) that handles incidents returned from the API.

Configure Panorama on Cortex XSOAR#

  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for Panorama.
  3. Click Add instance to create and configure a new integration instance.

| Parameter | Description | Required |
| --- | --- | --- |
| server | Server URL (e.g., https://192.168.0.1) | True |
| port | Port (e.g., 443) | False |
| key | API Key | True |
| device_group | Device group - Panorama instances only (write shared for Shared location) | False |
| vsys | Vsys - Firewall instances only | False |
| template | Template - Panorama instances only | False |
| use_url_filtering | Use URL Filtering for auto enrichment | False |
| additional_suspicious | URL Filtering Additional suspicious categories. CSV list of categories that will be considered suspicious. | False |
| additional_malicious | URL Filtering Additional malicious categories. CSV list of categories that will be considered malicious. | False |
| insecure | Trust any certificate (not secure) | False |
| First fetch timestamp | First fetch time interval | False |
| Max incidents per fetch | Max incidents per fetch for each selected Log Type Query | False |
| Log Type | Log Types incidents to fetch | False |
| Log type max number of pull attempts | The maximum number of attempts to try and pull results for each log type. Each attempt takes around 1 second. Increasing this value is useful in case there are many logs to pull from a given log type. Note: When increasing this number, if more than 4 log types are fetched together, it is recommended to split the log types across different integration instances. | False |
| Traffic Log Type Query | Traffic Query for fetch incidents | False |
| Threat Log Type Query | Threat Query for fetch incidents | False |
| URL Log Type Query | URL Query for fetch incidents | False |
| Data Log Type Query | Data Query for fetch incidents | False |
| Correlation Log Type Query | Correlation Query for fetch incidents | False |
| System Log Type Query | System Query for fetch incidents | False |
| Wildfire Submission Log Type Query | Wildfire Submission Query for fetch incidents | False |
| Decryption Log Type Query | Decryption Query for fetch incidents | False |
| Incidents Fetch Interval | Time interval between incident fetches | False |

  4. Click Test to validate the URLs, token, and connection.

Debugging in Panorama#

In order to ease the process of understanding what parameters are required to be used in the !pan-os command, it is highly recommended to use the debugging mode in Panorama to get the correct structure of a request.

Debugging Methods:

Several examples of !pan-os for configuration type commands:

1) Create a new address object named test123 for the test device-group.

Given the following debug-log from PAN-OS Web UI Debug after creating an address through the Panorama UI:

`

1.1.1.1`

The equivalent !pan-os command is:

!pan-os action=set xpath=/config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='test']/address/entry[@name='test123'] type=config element=<ip-netmask>1.1.1.1</ip-netmask>

| Argument | Description |
| --- | --- |
| action | Create/add an object. In this case we want to create a new address object, so we will use set - the Panorama debug log shows us it's a 'set' action. |
| xpath | /config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='test']/address/entry[@name='test123'] - simply the location of the new object. |
| type | This is a configuration type command, therefore use config. |
| element | The object properties (similar to an API body request). |

2) Modify an existing address group object named test12345 under the test device group to use a different address object.

Given the following debug-log from PAN-OS Web UI Debug after editing an address group through the Panorama UI to use a different address object:

`

test123`

The equivalent !pan-os command is:

!pan-os action=edit xpath=/config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='test']/address-group/entry[@name='test12345'] type=config element=<static><member>test123</member></static>

| Argument | Description |
| --- | --- |
| action | Edit an object. In this case we want to edit an entry in an existing address group object, so we will use edit - the Panorama debug log shows us it's an 'edit' action. |
| xpath | /config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='test']/address-group/entry[@name='test12345'] - simply the location of the object. |
| type | This is a configuration type command, therefore use config. |
| element | The object properties (similar to an API body request). |

3) Get a specific security pre-rule called test1.

Using the API browser, we can easily find the xpath for the security pre-rule object, therefore the pan-os command will be:

!pan-os xpath=/config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='test']/pre-rulebase/security/rules/entry[@name='test1'] action=get type=config

| Argument | Description |
| --- | --- |
| action | Get an object, in this case we want to get an object, so we will use 'get' as an action. |
| xpath | By using the API browser, we can find every object's xpath easily. |
| type | This is a configuration type command, therefore use config. |

Several examples of !pan-os for an operational type command:

1) Show system information - Can be viewed by using the API browser to get the structure of the request.

Show System Info Operational command

The equivalent !pan-os command is:

!pan-os type=op cmd=<show><system><info></info></system></show>

2) Show information about all the jobs - Can be viewed by using the API browser to get the structure of the request.

Show all jobs information

The equivalent !pan-os command is:

!pan-os type=op cmd=<show><jobs><all></all></jobs></show>
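
The mapping from a debug log to !pan-os arguments shown in the examples above, as added example code (not the integration's own): it assembles the action, xpath, type and element arguments from validated object names, so a name taken from incident data cannot change which object the XPath selects. The helper names and the name allowlist are assumptions.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

# Assumption: a conservative allowlist for object names, not the integration's
# own rule. A name that fails is rejected, never escaped into the XPath.
NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9 ._-]{0,62}")
WORD_RE = re.compile(r"[a-z][a-z0-9-]*")
DEVICE_ROOT = "/config/devices/entry[@name='localhost.localdomain']"
CONTAINERS = {"address", "address-group"}   # object types used in the examples above
CONFIG_ACTIONS = {"get", "set", "edit", "delete"}


def entry(name):
    """Return an XPath entry predicate for a validated object name."""
    if not isinstance(name, str) or not NAME_RE.fullmatch(name):
        raise ValueError(f"unsafe object name: {name!r}")
    return f"entry[@name='{name}']"


def object_xpath(device_group, container, name):
    """XPath of an object inside a Panorama device group."""
    if container not in CONTAINERS:
        raise ValueError(f"unsupported container: {container!r}")
    return f"{DEVICE_ROOT}/device-group/{entry(device_group)}/{container}/{entry(name)}"


def ip_netmask_element(value):
    """<ip-netmask> element; the value must parse as an IP address or CIDR."""
    ipaddress.ip_network(value, strict=False)   # raises ValueError if invalid
    el = ET.Element("ip-netmask")
    el.text = value
    return ET.tostring(el, encoding="unicode")


def static_members_element(members):
    """<static> element listing validated address object names."""
    static = ET.Element("static")
    for member in members:
        entry(member)                            # validation only
        ET.SubElement(static, "member").text = member
    return ET.tostring(static, encoding="unicode")


def config_request(action, xpath, element=None):
    """Arguments of a configuration type command."""
    if action not in CONFIG_ACTIONS:
        raise ValueError(f"unsupported action: {action!r}")
    params = {"action": action, "xpath": xpath, "type": "config"}
    if element is not None:
        params["element"] = element
    return params


def op_request(*words):
    """Arguments of an operational command: each word becomes a nested XML tag."""
    if not words or not all(WORD_RE.fullmatch(w) for w in words):
        raise ValueError(f"unsupported command words: {words!r}")
    root = node = ET.Element(words[0])
    for word in words[1:]:
        node = ET.SubElement(node, word)
    # short_empty_elements=False keeps <info></info> instead of <info />.
    cmd = ET.tostring(root, encoding="unicode", short_empty_elements=False)
    return {"type": "op", "cmd": cmd}


def as_war_room_command(params):
    """Render the arguments in the !pan-os form used on this page."""
    return "!pan-os " + " ".join(f"{key}={value}" for key, value in params.items())


if __name__ == "__main__":
    # Constructed inputs that reproduce examples 1 and 2 above.
    print(as_war_room_command(config_request(
        "set", object_xpath("test", "address", "test123"), ip_netmask_element("1.1.1.1"))))
    print(as_war_room_command(config_request(
        "edit", object_xpath("test", "address-group", "test12345"),
        static_members_element(["test123"]))))
    print(as_war_room_command(op_request("show", "system", "info")))
    try:
        # Constructed hostile name, as might arrive in an incident field.
        object_xpath("test", "address", "x'] | //entry[@name='y")
    except ValueError as err:
        print("rejected:", err)
```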

Commands#

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

NOTE: The "create" commands function as UPSERT (UPDATE and INSERT), overriding existing data with new data if it already exists.

  1. Run any command supported in the Panorama API: pan-os
  2. Gets the pre-defined threats list from a Firewall or Panorama and stores it as a JSON file in the context: panorama-get-predefined-threats-list
  3. Commit a configuration: panorama-commit
  4. Pushes rules from PAN-OS to the configured device group: panorama-push-to-device-group
  5. Returns a list of addresses: panorama-list-addresses
  6. Returns address details for the supplied address name: panorama-get-address
  7. Creates an address object: panorama-create-address
  8. Delete an address object: panorama-delete-address
  9. Returns a list of address groups: panorama-list-address-groups
  10. Get details for the specified address group: panorama-get-address-group
  11. Creates a static or dynamic address group: panorama-create-address-group
  12. Sets a vulnerability signature to block mode: panorama-block-vulnerability
  13. Deletes an address group: panorama-delete-address-group
  14. Edits a static or dynamic address group: panorama-edit-address-group
  15. Returns a list of addresses: panorama-list-services
  16. Returns service details for the supplied service name: panorama-get-service
  17. Creates a service: panorama-create-service
  18. Deletes a service: panorama-delete-service
  19. Returns a list of service groups: panorama-list-service-groups
  20. Returns details for the specified service group: panorama-get-service-group
  21. Creates a service group: panorama-create-service-group
  22. Deletes a service group: panorama-delete-service-group
  23. Edit a service group: panorama-edit-service-group
  24. Returns information for a custom URL category: panorama-get-custom-url-category
  25. Creates a custom URL category: panorama-create-custom-url-category
  26. Deletes a custom URL category: panorama-delete-custom-url-category
  27. Adds or removes sites to and from a custom URL category: panorama-edit-custom-url-category
  28. Gets a URL category from URL Filtering: panorama-get-url-category
  29. Gets URL information: url
  30. Returns a URL category from URL Filtering in the cloud: panorama-get-url-category-from-cloud
  31. Returns a URL category from URL Filtering on the host: panorama-get-url-category-from-host
  32. Returns information for a URL filtering rule: panorama-get-url-filter
  33. Creates a URL filtering rule: panorama-create-url-filter
  34. Edit a URL filtering rule: panorama-edit-url-filter
  35. Deletes a URL filtering rule: panorama-delete-url-filter
  36. Returns a list of external dynamic lists: panorama-list-edls
  37. Returns information for an external dynamic list: panorama-get-edl
  38. Creates an external dynamic list: panorama-create-edl
  39. Modifies an element of an external dynamic list: panorama-edit-edl
  40. Deletes an external dynamic list: panorama-delete-edl
  41. Refreshes the specified external dynamic list: panorama-refresh-edl
  42. Creates a policy rule: panorama-create-rule
  43. Creates a custom block policy rule: panorama-custom-block-rule
  44. Changes the location of a policy rule: panorama-move-rule
  45. Edits a policy rule: panorama-edit-rule
  46. Deletes a policy rule: panorama-delete-rule
  47. Returns a list of applications: panorama-list-applications
  48. Returns commit status for a configuration: panorama-commit-status
  49. Returns the push status for a configuration: panorama-push-status
  50. Returns information for a Panorama PCAP file: panorama-get-pcap
  51. Returns a list of all PCAP files by PCAP type: panorama-list-pcaps
  52. Registers IP addresses to a tag: panorama-register-ip-tag
  53. Unregisters IP addresses from a tag: panorama-unregister-ip-tag
  54. Registers Users to a tag: panorama-register-user-tag
  55. Unregisters Users from a tag: panorama-unregister-user-tag
  56. Deprecated. Queries traffic logs: panorama-query-traffic-logs
  57. Deprecated. Checks the query status of traffic logs: panorama-check-traffic-logs-status
  58. Deprecated. Retrieves traffic log query data by job id: panorama-get-traffic-logs
  59. Returns a list of predefined Security Rules: panorama-list-rules
  60. Query logs in Panorama: panorama-query-logs
  61. Checks the status of a logs query: panorama-check-logs-status
  62. Retrieves the data of a logs query: panorama-get-logs
  63. Checks whether a session matches the specified security policy: panorama-security-policy-match
  64. Lists the static routes of a virtual router: panorama-list-static-routes
  65. Returns the specified static route of a virtual router: panorama-get-static-route
  66. Adds a static route: panorama-add-static-route
  67. Deletes a static route: panorama-delete-static-route
  68. Show firewall device software version: panorama-show-device-version
  69. Downloads the latest content update: panorama-download-latest-content-update
  70. Checks the download status of a content update: panorama-content-update-download-status
  71. Installs the latest content update: panorama-install-latest-content-update
  72. Gets the installation status of the content update: panorama-content-update-install-status
  73. Checks the PAN-OS software version from the repository: panorama-check-latest-panos-software
  74. Downloads the target PAN-OS software version to install on the target device: panorama-download-panos-version
  75. Gets the download status of the target PAN-OS software: panorama-download-panos-status
  76. Installs the target PAN-OS version on the specified target device: panorama-install-panos-version
  77. Gets the installation status of the PAN-OS software: panorama-install-panos-status
  78. Reboots the Firewall device: panorama-device-reboot
  79. Gets location information for an IP address: panorama-show-location-ip
  80. Gets information about available PAN-OS licenses and their statuses: panorama-get-licenses
  81. Gets information for the specified security profile: panorama-get-security-profiles
  82. Apply a security profile to specific rules or rules with a specific tag: panorama-apply-security-profile
  83. Removes a security profile from specific rules or rules with a specific tag
  84. Get SSL decryption rules: panorama-get-ssl-decryption-rules
  85. Retrieves the Wildfire configuration: panorama-get-wildfire-configuration
  86. Set default categories to block in the URL filtering profile: panorama-url-filtering-block-default-categories
  87. Get anti-spyware best practices: panorama-get-anti-spyware-best-practice
  88. Get file-blocking best practices: panorama-get-file-blocking-best-practice
  89. Get anti-virus best practices: panorama-get-antivirus-best-practice
  90. Get vulnerability-protection best practices: panorama-get-vulnerability-protection-best-practice
  91. View WildFire best practices: panorama-get-wildfire-best-practice
  92. View URL Filtering best practices: panorama-get-url-filtering-best-practice
  93. Enforces wildfire best practices to upload files to the maximum size, forwards all file types, and updates the schedule: panorama-enforce-wildfire-best-practice
  94. Creates an antivirus best practice profile: panorama-create-antivirus-best-practice-profile
  95. Creates an Anti-Spyware best practice profile: panorama-create-anti-spyware-best-practice-profile
  96. Creates a vulnerability protection best practice profile: panorama-create-vulnerability-best-practice-profile
  97. Creates a URL filtering best practice profile: panorama-create-url-filtering-best-practice-profile
  98. Creates a file blocking best practice profile: panorama-create-file-blocking-best-practice-profile
  99. Creates a WildFire analysis best practice profile: panorama-create-wildfire-best-practice-profile
  100. Shows the user ID interface configuration.
  101. Shows the zones configuration.
  102. Retrieves list of user-ID agents configured in the system.
  103. Gets global counter information from all the PAN-OS firewalls in the topology.
  104. Retrieves all BGP peer information from the PAN-OS firewalls in the topology.
  105. Check the devices for software that is available to be installed.
  106. Get the HA state and associated details from the given device and any other details.
  107. Get all the jobs from the devices in the environment, or a single job when ID is specified.
  108. Download the provided software version onto the device.
  109. Download the running configuration
  110. Download the merged configuration
  111. Create Nat-rule
  112. Create PBF-rule

pan-os#


Run any command supported in the API.

Base Command#

pan-os

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| action | Action to be taken, such as show, get, set, edit, delete, rename, clone, move, override, multi-move, multi-clone, or complete. Documentation - https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-panorama-api/pan-os-xml-api-request-types/configuration-api | Optional |
| category | Category parameter. For example, when exporting a configuration file, use "category=configuration". | Optional |
| cmd | Specifies the XML structure that defines the command. Used for operation commands (op type command). Can be retrieved from the PAN-OS web UI debugger or enabling debugging via the CLI using debug cli on. | Optional |
| command | Run a command. For example, command =<show><arp><entry name='all'/></arp></show> | Optional |
| dst | Specifies a destination. | Optional |
| element | Used to define a new value for an object. Should be an XML object, for example, test. | Optional |
| to | End time (used only when cloning an object). | Optional |
| from | Start time (used only when cloning an object). | Optional |
| key | Sets a key value. | Optional |
| log-type | Retrieves log types. For example, log-type=threat for threat logs. | Optional |
| where | Specifies the type of a move operation (for example, where=after, where=before, where=top, where=bottom). | Optional |
| period | Time period. For example, period=last-24-hrs | Optional |
| xpath | xpath location. xpath defines the location of the object. For example, xpath=/config/predefined/application/entry[@name='hotmail']. Documentation - https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-panorama-api/about-the-pan-os-xml-api/structure-of-a-pan-os-xml-api-request/xml-and-xpath. | Optional |
| pcap-id | PCAP ID included in the threat log. | Optional |
| serialno | Specifies the device serial number. | Optional |
| reporttype | Chooses the report type, such as dynamic, predefined or custom. | Optional |
| reportname | Report name. | Optional |
| type | Request type (e.g. export, import, log, config). Possible values are: keygen, config, commit, op, report, log, import, export, user-id, version. default is config. | Optional |
| search-time | The time that the PCAP was received on the firewall. Used for threat PCAPs. | Optional |
| target | Serial number of the firewall on which to run the command. Use only for a Panorama instance. | Optional |
| job-id | Job ID. | Optional |
| query | Query string. | Optional |
| vsys | The name of the virtual system to be configured. If no vsys is mentioned, this command will not use the vsys parameter. | Optional |

Context Output#

There is no context output for this command.

Command Example#

!pan-os xpath="/config/devices/entry[@name='localhost.localdomain']/template/entry[@name='test']/config/devices/entry[@name='localhost.localdomain']/network/profiles/zone-protection-profile/entry[@name='test']/scan-white-list/entry[@name='test']/ipv4" type=config action=edit element="<ipv4>1.1.1.1</ipv4>"

Human Readable Output#

Command was executed successfully.

pan-os-get-predefined-threats-list#


Gets the pre-defined threats list from a Firewall or Panorama and stores it as a JSON file in the context.

Base Command#

pan-os-get-predefined-threats-list

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| target | The firewall managed by Panorama from which to retrieve the predefined threats. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| File.Size | number | File size. |
| File.Name | string | File name. |
| File.Type | string | File type. |
| File.Info | string | File info. |
| File.Extension | string | File extension. |
| File.EntryID | string | File entryID. |
| File.MD5 | string | MD5 hash of the file. |
| File.SHA1 | string | SHA1 hash of the file. |
| File.SHA256 | string | SHA256 hash of the file. |
| File.SHA512 | string | SHA512 hash of the file. |
| File.SSDeep | string | SSDeep hash of the file. |

Command Example#

!pan-os-get-predefined-threats-list

pan-os-commit#


Commits a configuration to the Palo Alto firewall or Panorama. The command validates whether the commit was successful only when polling="true"; otherwise it does not validate the result. Committing to Panorama does not push the configuration to the firewalls. To push the configuration, run the panorama-push-to-device-group command.

Base Command#

pan-os-commit

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| description | The commit description. | Optional |
| admin_name | The administrator name. To commit admin-level changes on a firewall, include the administrator name in the request. | Optional |
| force_commit | Forces a commit. Possible values are: true, false. | Optional |
| exclude_device_network_configuration | Performs a partial commit while excluding device and network configuration. Possible values are: true, false. | Optional |
| exclude_shared_objects | Performs a partial commit while excluding shared objects. Possible values are: true, false. | Optional |
| polling | Whether to use polling. Possible values are: true, false. Default is false. | Optional |
| timeout | The timeout (in seconds) when polling. Default is 120. | Optional |
| interval_in_seconds | The interval (in seconds) when polling. Default is 10. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Panorama.Commit.JobID | Number | The job ID to commit. |
| Panorama.Commit.Status | String | The commit status. |
| Panorama.Commit.Description | String | The commit description from the command input. |

Command example with polling#

!pan-os-commit description=test polling=true interval_in_seconds=5 timeout=60

Human Readable Output#

Waiting for commit "test" with job ID 12345 to finish...

Commit Status:#

| JobID | Status | Description |
| --- | --- | --- |
| 12345 | Success | test |

Context Example#

{
"Panorama": {
"Commit": {
"JobID": "12345",
"Status": "Success",
"Description": "test"
}
}
}

Command example without polling#

!pan-os-commit description=test

Human Readable Output#

Commit Status:#

| JobID | Status | Description |
| --- | --- | --- |
| 12345 | Pending | test |

Context Example#

{
"Panorama": {
"Commit": {
"JobID": "12345",
"Status": "Pending",
"Description": "test"
}
}
}

pan-os-push-to-device-group#


Pushes rules from PAN-OS to the configured device group. In order to push the configuration to Prisma Access managed tenants (single or multi tenancy), use the device group argument with the device group which is associated with the tenant ID. Validates if a push has been successful if polling="true".

Base Command#

pan-os-push-to-device-group

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| device-group | The device group to which to push (Panorama instances). | Optional |
| validate-only | Pre policy validation. Possible values are: true, false. Default is false. | Optional |
| include-template | Whether to include template changes. Possible values are: true, false. Default is true. | Optional |
| description | The push description. | Optional |
| serial_number | The serial number for a virtual system commit. If provided, the commit will be a virtual system commit. | Optional |
| polling | Whether to use polling. Possible values are: true, false. Default is false. | Optional |
| timeout | The timeout (in seconds) when polling. Default is 120. | Optional |
| interval_in_seconds | The interval (in seconds) when polling. Default is 10. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Panorama.Push.DeviceGroup | String | The device group in which the policies were pushed. |
| Panorama.Push.JobID | Number | The job ID of the policies that were pushed. |
| Panorama.Push.Status | String | The push status. |
| Panorama.Push.Warnings | String | The push warnings. |
| Panorama.Push.Errors | String | The push errors. |
| Panorama.Push.Details | String | The job ID details. |

Command example with polling=true#

!pan-os-push-to-device-group description=test polling=true interval_in_seconds=5 timeout=60

Context Example#

{
"Panorama": {
"Push": {
"Details": [
"commit succeeded with warnings",
"commit succeeded with warnings"
],
"Errors": [],
"JobID": "31377",
"Status": "Completed",
"Warnings": [
"Interface loopback.645 has no zone configuration.",
"External Dynamic List test_pb_domain_edl_DONT_DEL is configured with no certificate profile. Please select a certificate profile for performing server certificate validation.",
"External Dynamic List Cortex XSOAR Remediation - IP EDL-ip-edl-object is configured with no certificate profile. Please select a certificate profile for performing server certificate validation.",
"External Dynamic List Cortex XSOAR Remediation - URL EDL-url-edl-object is configured with no certificate profile. Please select a certificate profile for performing server certificate validation.",
"External Dynamic List Cortex XSOAR Remediation - URL EDL tamarcat3-url-edl-object is configured with no certificate profile. Please select a certificate profile for performing server certificate validation.",
"External Dynamic List Cortex XSOAR Remediation - IP EDL tamarcat3-ip-edl-object is configured with no certificate profile. Please select a certificate profile for performing server certificate validation.",
"External Dynamic List minemeld is configured with no certificate profile. Please select a certificate profile for performing server certificate validation.",
"External Dynamic List edl-webinar-malicious-urls-OLD is configured with no certificate profile. Please select a certificate profile for performing server certificate validation.",
"External Dynamic List edl-webinar-malicious-ips is configured with no certificate profile. Please select a certificate profile for performing server certificate validation.",
"External Dynamic List edl-webinar-malicious-domains is configured with no certificate profile. Please select a certificate profile for performing server certificate validation.",
"Warning: No valid Antivirus content package exists",
"(Module: device)"
]
}
}
}

Human Readable Output#

Waiting for Job-ID 31374 to finish push changes to device-group Lab-Devices..

Push to Device Group status:#

| JobID | Status | Details | Errors | Warnings |
| --- | --- | --- | --- | --- |
| 31377 | Completed | commit succeeded with warnings, commit succeeded with warnings | | Interface loopback.645 has no zone configuration., External Dynamic List test_pb_domain_edl_DONT_DEL is configured with no certificate profile. Please select a certificate profile for performing server certificate validation., External Dynamic List Cortex XSOAR Remediation - IP EDL-ip-edl-object is configured with no certificate profile. Please select a certificate profile for performing server certificate validation., External Dynamic List Cortex XSOAR Remediation - URL EDL-url-edl-object is configured with no certificate profile. Please select a certificate profile for performing server certificate validation., External Dynamic List Cortex XSOAR Remediation - URL EDL tamarcat3-url-edl-object is configured with no certificate profile. Please select a certificate profile for performing server certificate validation., External Dynamic List Cortex XSOAR Remediation - IP EDL tamarcat3-ip-edl-object is configured with no certificate profile. Please select a certificate profile for performing server certificate validation., External Dynamic List minemeld is configured with no certificate profile. Please select a certificate profile for performing server certificate validation., External Dynamic List edl-webinar-malicious-urls-OLD is configured with no certificate profile. Please select a certificate profile for performing server certificate validation., External Dynamic List edl-webinar-malicious-ips is configured with no certificate profile. Please select a certificate profile for performing server certificate validation., External Dynamic List edl-webinar-malicious-domains is configured with no certificate profile. Please select a certificate profile for performing server certificate validation., Warning: No valid Antivirus content package exists, (Module: device) |

Command example with polling=false#

!pan-os-push-to-device-group description=test polling=false

Human Readable Output#

Push to Device Group status:#

| JobID | Status | Description |
| --- | --- | --- |
| 113198 | Pending | test |

Context Example#

{
"Panorama": {
"Push": {
"JobID": "113198",
"Status": "Pending",
"Description": "test",
"DeviceGroup": "device group name"
}
}
}

pan-os-list-addresses#


Returns a list of addresses.

Base Command#

pan-os-list-addresses

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| device-group | The device group for which to return addresses (Panorama instances). | Optional |
| tag | Tag for which to filter the list of addresses. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Panorama.Addresses.Name | string | Address name. |
| Panorama.Addresses.Description | string | Address description. |
| Panorama.Addresses.FQDN | string | Address FQDN. |
| Panorama.Addresses.IP_Netmask | string | Address IP Netmask. |
| Panorama.Addresses.IP_Range | string | Address IP range. |
| Panorama.Addresses.DeviceGroup | String | Address device group. |
| Panorama.Addresses.Tags | String | Address tags. |

Command Example#

!pan-os-list-addresses

Context Example#

{
"Panorama": {
"Addresses": [
{
"IP_Netmask": "10.10.10.1/24",
"Name": "Demisto address"
},
{
"Description": "a",
"IP_Netmask": "1.1.1.1",
"Name": "test1"
}
]
}
}

Human Readable Output#

Addresses:#

| Name | IP_Netmask | IP_Range | FQDN |
| --- | --- | --- | --- |
| Demisto address | 10.10.10.1/24 | | |
| test1 | 1.1.1.1 | | |

pan-os-get-address#


Returns address details for the supplied address name.

Base Command#

pan-os-get-address

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| name | Address name. | Required |
| device-group | The device group for which to return addresses (Panorama instances). | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Panorama.Addresses.Name | string | Address name. |
| Panorama.Addresses.Description | string | Address description. |
| Panorama.Addresses.FQDN | string | Address FQDN. |
| Panorama.Addresses.IP_Netmask | string | Address IP Netmask. |
| Panorama.Addresses.IP_Range | string | Address IP range. |
| Panorama.Addresses.DeviceGroup | String | Device group for the address (Panorama instances). |
| Panorama.Addresses.Tags | String | Address tags. |

Command Example#

!pan-os-get-address name="Demisto address"

Context Example#

{
"Panorama": {
"Addresses": {
"IP_Netmask": "10.10.10.1/24",
"Name": "Demisto address"
}
}
}

Human Readable Output#

Address:#

| Name | IP_Netmask |
| --- | --- |
| Demisto address | 10.10.10.1/24 |

pan-os-create-address#


Creates an address object.

Base Command#

pan-os-create-address

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| name | New address name. | Required |
| description | New address description. | Optional |
| fqdn | FQDN of the new address. | Optional |
| ip_netmask | IP Netmask of the new address. For example, 10.10.10.10/24 | Optional |
| ip_range | IP range of the new address IP. For example, 10.10.10.0-10.10.10.255 | Optional |
| ip_wildcard | The IP wildcard of the new address. For example, 10.20.1.0/0.0.248.255 | Optional |
| device-group | The device group for which to return addresses (Panorama instances). | Optional |
| tag | The tag for the new address. | Optional |
| create_tag | Whether to create the tag if it does not exist. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Panorama.Addresses.Name | string | Address name. |
| Panorama.Addresses.Description | string | Address description. |
| Panorama.Addresses.FQDN | string | Address FQDN. |
| Panorama.Addresses.IP_Netmask | string | Address IP Netmask. |
| Panorama.Addresses.IP_Range | string | Address IP range. |
| Panorama.Addresses.DeviceGroup | String | Device group for the address (Panorama instances). |
| Panorama.Addresses.Tags | String | Address tags. |

Command Example#

!pan-os-create-address name="address_test_pb" description="just a desc" ip_range="10.10.10.9-10.10.10.10"

Context Example#

{
"Panorama": {
"Addresses": {
"Description": "just a desc",
"IP_Range": "10.10.10.9-10.10.10.10",
"Name": "address_test_pb"
}
}
}

Human Readable Output#

Address was created successfully.

pan-os-delete-address#


Deletes an address object.

Base Command#

pan-os-delete-address

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| name | Name of the address to delete. | Required |
| device-group | The device group for which to return addresses (Panorama instances). | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Panorama.Addresses.Name | string | Address name that was deleted. |
| Panorama.Addresses.DeviceGroup | String | Device group for the address (Panorama instances). |

Command Example#

!pan-os-delete-address name="address_test_pb"

Context Example#

{
"Panorama": {
"Addresses": {
"Name": "address_test_pb"
}
}
}

Human Readable Output#

Address was deleted successfully.

pan-os-list-address-groups#


Returns a list of address groups.

Base Command#

pan-os-list-address-groups

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| device-group | The device group for which to return addresses (Panorama instances). | Optional |
| tag | Tag for which to filter the Address groups. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Panorama.AddressGroups.Name | string | Address group name. |
| Panorama.AddressGroups.Type | string | Address group type. |
| Panorama.AddressGroups.Match | string | Dynamic Address group match. |
| Panorama.AddressGroups.Description | string | Address group description. |
| Panorama.AddressGroups.Addresses | String | Static Address group addresses. |
| Panorama.AddressGroups.DeviceGroup | String | Device group for the address group (Panorama instances). |
| Panorama.AddressGroups.Tags | String | Address group tags. |

Command Example#

!pan-os-list-address-groups

Context Example#

{
"Panorama": {
"AddressGroups": [
{
"Match": "2.2.2.2",
"Name": "a_g_1",
"Type": "dynamic"
},
{
"Addresses": [
"Demisto address",
"test3",
"test_demo3"
],
"Name": "Demisto group",
"Type": "static"
},
{
"Description": "jajja",
"Match": "4.4.4.4",
"Name": "dynamic2",
"Type": "dynamic"
},
{
"Addresses": [
"test4",
"test2"
],
"Name": "static2",
"Type": "static"
}
]
}
}

Human Readable Output#

Address groups:#

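| Name | Type | Addresses | Match | Description | Tags |
| --- | --- | --- | --- | --- | --- |
| a_g_1 | dynamic | | 2.2.2.2 | | |
| Demisto group | static | Demisto address, test3, test_demo3 | | | |
| dynamic2 | dynamic | | 4.4.4.4 | jajja | |
| static2 | static | test4, test2 | | | |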

pan-os-get-address-group#


Returns details for the specified address group.

Base Command#

pan-os-get-address-group

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| name | Address group name. | Required |
| device-group | The device group for which to return addresses (Panorama instances). | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Panorama.AddressGroups.Name | string | Address group name. |
| Panorama.AddressGroups.Type | string | Address group type. |
| Panorama.AddressGroups.Match | string | Dynamic Address group match. |
| Panorama.AddressGroups.Description | string | Address group description. |
| Panorama.AddressGroups.Addresses | string | Static Address group addresses. |
| Panorama.AddressGroups.DeviceGroup | String | Device group for the address group (Panorama instances). |
| Panorama.AddressGroups.Tags | String | Address group tags. |

Command Example#

!pan-os-get-address-group name=suspicious_address_group

Human Readable Output#

Address groups:#

| Name | Type | Addresses | Match | Description |
| --- | --- | --- | --- | --- |
| suspicious_address_group | dynamic | | 1.1.1.1 | this ip is very bad |

pan-os-create-address-group#


Creates a static or dynamic address group.

Base Command#

pan-os-create-address-group

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| name | Address group name. | Required |
| type | Address group type. | Required |
| match | Dynamic Address group match. e.g: "1.1.1.1 or 2.2.2.2" | Optional |
| addresses | Static address group list of addresses. | Optional |
| description | Address group description. | Optional |
| device-group | The device group for which to return addresses (Panorama instances). | Optional |
| tags | The tags for the Address group. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Panorama.AddressGroups.Name | string | Address group name. |
| Panorama.AddressGroups.Type | string | Address group type. |
| Panorama.AddressGroups.Match | string | Dynamic Address group match. |
| Panorama.AddressGroups.Addresses | string | Static Address group list of addresses. |
| Panorama.AddressGroups.Description | string | Address group description. |
| Panorama.AddressGroups.DeviceGroup | String | Device group for the address group (Panorama instances). |
| Panorama.AddressGroups.Tags | String | Address group tags. |

Command Example#

!pan-os-create-address-group name=suspicious_address_group type=dynamic match=1.1.1.1 description="this ip is very bad"

Context Example#

{
"Panorama": {
"AddressGroups": {
"Description": "this ip is very bad",
"Match": "1.1.1.1",
"Name": "suspicious_address_group",
"Type": "dynamic"
}
}
}

Human Readable Output#

Address group was created successfully.

pan-os-block-vulnerability#


Sets a vulnerability signature to block mode.

Base Command#

pan-os-block-vulnerability

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| drop_mode | Type of session rejection. Possible values are: "drop", "alert", "block-ip", "reset-both", "reset-client", and "reset-server". Default is "drop". | Optional |
| vulnerability_profile | Name of vulnerability profile. | Required |
| threat_id | Numerical threat ID. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Panorama.Vulnerability.ID | string | ID of vulnerability that has been blocked/overridden. |
| Panorama.Vulnerability.NewAction | string | New action for the vulnerability. |

Command Example#

!pan-os-block-vulnerability threat_id=18250 vulnerability_profile=name

Human Readable Output#

Threat with ID 18250 overridden.

pan-os-delete-address-group#


Deletes an address group.

Base Command#

pan-os-delete-address-group

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| name | Name of address group to delete. | Required |
| device-group | The device group for which to return addresses (Panorama instances). | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Panorama.AddressGroups.Name | string | Name of address group that was deleted. |
| Panorama.AddressGroups.DeviceGroup | String | Device group for the address group (Panorama instances). |

Command Example#

!pan-os-delete-address-group name="dynamic_address_group_test_pb3"

Human Readable Output#

Address group was deleted successfully

pan-os-edit-address-group#


Edits a static or dynamic address group.

Base Command#

pan-os-edit-address-group

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| name | Name of the address group to edit. | Required |
| type | Address group type. | Required |
| match | Address group new match. For example, '1.1.1.1 and 2.2.2.2'. | Optional |
| element_to_add | Element to add to the list of the static address group. Only existing Address objects can be added. | Optional |
| element_to_remove | Element to remove from the list of the static address group. Only existing Address objects can be removed. | Optional |
| description | Address group new description. | Optional |
| tags | The tag of the Address group to edit. | Optional |
| device-group | The device group to which the address group belongs. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Panorama.AddressGroups.Name | string | Address group name. |
| Panorama.AddressGroups.Type | string | Address group type. |
| Panorama.AddressGroups.Filter | string | Dynamic Address group match. |
| Panorama.AddressGroups.Description | string | Address group description. |
| Panorama.AddressGroups.Addresses | string | Static Address group addresses. |
| Panorama.AddressGroups.DeviceGroup | String | Device group for the address group (Panorama instances). |
| Panorama.AddressGroups.Tags | String | Address group tags. |

pan-os-list-services#


Returns a list of services.

Base Command#

pan-os-list-services

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| device-group | The device group for which to return addresses (Panorama instances). | Optional |
| tag | Tag for which to filter the Services. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Panorama.Services.Name | string | Service name. |
| Panorama.Services.Protocol | string | Service protocol. |
| Panorama.Services.Description | string | Service description. |
| Panorama.Services.DestinationPort | string | Service destination port. |
| Panorama.Services.SourcePort | string | Service source port. |
| Panorama.Services.DeviceGroup | string | Device group in which the service was configured (Panorama instances). |
| Panorama.Services.Tags | String | Service tags. |

Command Example#

!pan-os-list-services

Context Example#

{
"Panorama": {
"Services": [
{
"Description": "rgfg",
"DestinationPort": "55",
"Name": "demisto_service1",
"Protocol": "tcp",
"SourcePort": "567-569"
},
{
"Description": "mojo",
"DestinationPort": "55",
"Name": "demi_service_test_pb",
"Protocol": "sctp",
"SourcePort": "60"
}
]
}
}

Human Readable Output#

Services:#

| Name | Protocol | SourcePort | DestinationPort | Description |
| --- | --- | --- | --- | --- |
| demisto_service1 | tcp | 567-569 | 55 | rgfg |
| demi_service_test_pb | sctp | 60 | 55 | mojo |

pan-os-get-service#


Returns service details for the supplied service name.

Base Command#

pan-os-get-service

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| name | Service name. | Required |
| device-group | The device group for which to return addresses (Panorama instances). | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Panorama.Services.Name | string | Service name. |
| Panorama.Services.Protocol | string | Service protocol. |
| Panorama.Services.Description | string | Service description. |
| Panorama.Services.DestinationPort | string | Service destination port. |
| Panorama.Services.SourcePort | string | Service source port. |
| Panorama.Services.DeviceGroup | string | Device group for the service (Panorama instances). |
| Panorama.Service.Tags | String | Service tags. |

Command Example#

!pan-os-get-service name=demisto_service1

Human Readable Output#

Address#

| Name | Protocol | SourcePort | DestinationPort | Description |
| --- | --- | --- | --- | --- |
| demisto_service1 | tcp | 567-569 | 55 | rgfg |

pan-os-create-service#


Creates a service.

Base Command#

pan-os-create-service

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| name | The name for the new service. | Required |
| protocol | The protocol for the new service. Possible values are: tcp, udp, sctp. | Required |
| destination_port | The destination port for the new service. | Required |
| source_port | The source port for the new service. | Optional |
| description | The description for the new service. | Optional |
| device-group | The device group for which to return addresses (Panorama instances). | Optional |
| tags | The tags for the new service. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Panorama.Services.Name | string | The service name. |
| Panorama.Services.Protocol | string | The service protocol. |
| Panorama.Services.Description | string | The service description. |
| Panorama.Services.DestinationPort | string | The service destination port. |
| Panorama.Services.SourcePort | string | The service source port. |
| Panorama.Services.DeviceGroup | string | The device group for the service (Panorama instances). |
| Panorama.Services.Tags | String | The service tags. |

Command Example#

!pan-os-create-service name=guy_ser3 protocol=udp destination_port=36 description=bfds

Context Example#

{
"Panorama": {
"Services": {
"Description": "bfds",
"DestinationPort": "36",
"Name": "guy_ser3",
"Protocol": "udp"
}
}
}

Human Readable Output#

Service was created successfully.

pan-os-delete-service#


Deletes a service.

Base Command#

pan-os-delete-service

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| name | Name of the service to delete. | Required |
| device-group | The device group for which to return addresses (Panorama instances). | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Panorama.Services.Name | string | Name of the deleted service. |
| Panorama.Services.DeviceGroup | string | Device group for the service (Panorama instances). |

Command Example#

!pan-os-delete-service name=guy_ser3

Context Example#

{
"Panorama": {
"Services": {
"Name": "guy_ser3"
}
}
}

Human Readable Output#

Service was deleted successfully.

pan-os-list-service-groups#


Returns a list of service groups.

Base Command#

pan-os-list-service-groups

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| device-group | The device group for which to return addresses (Panorama instances). | Optional |
| tag | Tags for which to filter the Service groups. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Panorama.ServiceGroups.Name | string | Service group name. |
| Panorama.ServiceGroups.Services | string | Service group related services. |
| Panorama.ServiceGroups.DeviceGroup | string | Device group for the service group (Panorama instances). |
| Panorama.ServiceGroups.Tags | String | Service group tags. |

Command Example#

!pan-os-list-service-groups

Context Example#

{
"Panorama": {
"ServiceGroups": [
{
"Name": "demisto_default_service_groups",
"Services": [
"service-http",
"service-https"
]
},
{
"Name": "demisto_test_pb_service_group",
"Services": "serice_tcp_test_pb"
}
]
}
}

Human Readable Output#

Service groups:#

| Name | Services |
| --- | --- |
| demisto_default_service_groups | service-http, service-https |
| demisto_test_pb_service_group | service_tcp_test_pb |

pan-os-get-service-group#


Returns details for the specified service group.

Base Command#

pan-os-get-service-group

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| name | Service group name. | Required |
| device-group | The device group for which to return addresses (Panorama instances). | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Panorama.ServiceGroups.Name | string | Service group name. |
| Panorama.ServiceGroups.Services | string | Service group related services. |
| Panorama.ServiceGroups.DeviceGroup | string | Device group for the service group (Panorama instances). |
| Panorama.ServiceGroups.Tags | String | Service group tags. |

Command Example#

!pan-os-get-service-group name=ser_group6

Context Example#

{
"Panorama": {
"ServiceGroups": {
"Name": "ser_group6",
"Services": [
"serice_tcp_test_pb",
"demi_service_test_pb"
]
}
}
}

Human Readable Output#

Service group:#

| Name | Services |
| --- | --- |
| ser_group6 | serice_tcp_test_pb, demi_service_test_pb |

pan-os-create-service-group#


Creates a service group.

Base Command#

pan-os-create-service-group

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| name | Service group name. | Required |
| services | Service group related services. | Required |
| device-group | The device group for which to return addresses (Panorama instances). | Optional |
| tags | Tags for which to filter Service groups. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Panorama.ServiceGroups.Name | string | Service group name. |
| Panorama.ServiceGroups.Services | string | Service group related services. |
| Panorama.ServiceGroups.DeviceGroup | string | Device group for the service group (Panorama instances). |
| Panorama.ServiceGroups.Tags | String | Service group tags. |

Command Example#

!pan-os-create-service-group name=lalush_sg4 services=`["demisto_service1","demi_service_test_pb"]`

pan-os-delete-service-group#


Deletes a service group.

Base Command#

pan-os-delete-service-group

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| name | Name of the service group to delete. | Required |
| device-group | The device group for which to return addresses (Panorama instances). | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Panorama.ServiceGroups.Name | string | Name of the deleted service group. |
| Panorama.ServiceGroups.DeviceGroup | string | Device group for the service group (Panorama instances). |

Command Example#

!pan-os-delete-service-group name=lalush_sg4

pan-os-edit-service-group#


Edits a service group.

Base Command#

pan-os-edit-service-group

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| name | Name of the service group to edit. | Required |
| services_to_add | Services to add to the service group. Only existing Services objects can be added. | Optional |
| services_to_remove | Services to remove from the service group. Only existing Services objects can be removed. | Optional |
| tags | Tag of the Service group to edit. | Optional |
| device-group | The device group to which the service group belongs. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Panorama.ServiceGroups.Name | string | Service group name. |
| Panorama.ServiceGroups.Services | string | Service group related services. |
| Panorama.ServiceGroups.DeviceGroup | string | Device group for the service group (Panorama instances). |
| Panorama.ServiceGroups.Tags | String | Service group tags. |

Command Example#

!pan-os-edit-service-group name=lalush_sg4 services_to_remove=`["serice_udp_test_pb","demisto_service1"]`

Human Readable Output#

Service group was edited successfully

pan-os-get-custom-url-category#


Returns information for a custom URL category.

Base Command#

pan-os-get-custom-url-category

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| name | Custom URL category name. | Required |
| device-group | The device group for which to return addresses for the custom URL category (Panorama instances). | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Panorama.CustomURLCategory.Name | String | The category name of the custom URL. |
| Panorama.CustomURLCategory.Description | String | The category description of the custom URL. |
| Panorama.CustomURLCategory.Sites | String | The list of sites of the custom URL category. |
| Panorama.CustomURLCategory.DeviceGroup | String | The device group for the custom URL Category (Panorama instances). |
| Panorama.CustomURLCategory.Categories | String | The list of categories of the custom URL category. |
| Panorama.CustomURLCategory.Type | String | The category type of the custom URL. |

Command Example#

!pan-os-get-custom-url-category name=my_personal_url_category

Human Readable Output#

Custom URL Category:#

| Name | Sites |
| --- | --- |
| my_personal_url_category | thepill.com, abortion.com |

pan-os-create-custom-url-category#


Creates a custom URL category.

Base Command#

pan-os-create-custom-url-category

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| name | The name of the custom URL category to create. | Required |
| description | Description of the custom URL category to create. | Optional |
| sites | List of sites for the custom URL category. | Optional |
| device-group | The device group for which to return addresses for the custom URL category (Panorama instances). | Optional |
| type | The category type of the URL. Relevant from PAN-OS v9.x. | Optional |
| categories | The list of categories. Relevant from PAN-OS v9.x. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Panorama.CustomURLCategory.Name | String | Custom URL category name. |
| Panorama.CustomURLCategory.Description | String | Custom URL category description. |
| Panorama.CustomURLCategory.Sites | String | Custom URL category list of sites. |
| Panorama.CustomURLCategory.DeviceGroup | String | Device group for the Custom URL Category (Panorama instances). |
| Panorama.CustomURLCategory.Sites | String | Custom URL category list of categories. |
| Panorama.CustomURLCategory.Type | String | Custom URL category type. |

Command Example#

!pan-os-create-custom-url-category name=suspicious_address_group sites=["thepill.com","abortion.com"] description=momo

Context Example#

{
"Panorama": {
"CustomURLCategory": {
"Description": "momo",
"Name": "suspicious_address_group",
"Sites": [
"thepill.com",
"abortion.com"
]
}
}
}

Human Readable Output#

Created Custom URL Category:#

| Name | Sites | Description |
| --- | --- | --- |
| suspicious_address_group | thepill.com, abortion.com | momo |

pan-os-delete-custom-url-category#


Deletes a custom URL category.

Base Command#

pan-os-delete-custom-url-category

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| name | Name of the custom URL category to delete. | Optional |
| device-group | The device group for which to return addresses (Panorama instances). | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Panorama.CustomURLCategory.Name | string | Name of the custom URL category to delete. |
| Panorama.CustomURLCategory.DeviceGroup | string | Device group for the Custom URL Category (Panorama instances). |

Command Example#

!pan-os-delete-custom-url-category name=suspicious_address_group

Context Example#

{
"Panorama": {
"CustomURLCategory": {
"Name": "suspicious_address_group"
}
}
}

Human Readable Output#

Custom URL category was deleted successfully.

pan-os-edit-custom-url-category#


Adds or removes sites to and from a custom URL category.

Base Command#

pan-os-edit-custom-url-category

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| name | Name of the custom URL category to add or remove sites. | Required |
| sites | A comma separated list of sites to add to the custom URL category. | Optional |
| action | Adds or removes sites or categories. Possible values are: add, remove. | Required |
| categories | A comma separated list of categories to add to the custom URL category. | Optional |
| device-group | The device group to which the URL category belongs. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Panorama.CustomURLCategory.Name | string | Custom URL category name. |
| Panorama.CustomURLCategory.Description | string | Custom URL category description. |
| Panorama.CustomURLCategory.Sites | string | Custom URL category list of sites. |
| Panorama.CustomURLCategory.DeviceGroup | string | Device group for the Custom URL Category (Panorama instances). |

pan-os-get-url-category#


Gets a URL category from URL Filtering. This command is only available on Firewall devices.

Base Command#

pan-os-get-url-category

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| url | URL to check. | Optional |
| target | Serial number of the firewall on which to run the command. Use only for a Panorama instance. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Panorama.URLFilter.URL | string | URL. |
| Panorama.URLFilter.Category | string | URL category. |
| DBotScore.Vendor | String | The vendor used to calculate the score. |
| DBotScore.Score | Number | The actual score. |
| DBotScore.Type | String | The indicator type. |
| DBotScore.Indicator | String | The indicator that was tested. |
| URL.Data | String | The URL address. |
| URL.Category | String | The URL Category. |

Command Example#

!pan-os-get-url-category url="poker.com"

Context Example#

{
"DBotScore": {
"Indicator": "poker.com",
"Score": 1,
"Type": "url",
"Vendor": "PAN-OS"
},
"Panorama": {
"URLFilter": {
"Category": "gambling",
"URL": [
"poker.com"
]
}
},
"URL": {
"Category": "gambling",
"Data": "poker.com"
}
}

Human Readable Output#

URL Filtering:#

| URL | Category |
| --- | --- |
| poker.com | gambling |

url#


Gets a URL category from URL Filtering. This command is only available on Firewall devices.

Base Command#

url

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| url | URL to check. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Panorama.URLFilter.URL | string | URL. |
| Panorama.URLFilter.Category | string | The URL category. |
| DBotScore.Vendor | String | The vendor used to calculate the score. |
| DBotScore.Score | Number | The actual score. |
| DBotScore.Type | String | The indicator type. |
| DBotScore.Indicator | String | The indicator that was tested. |
| URL.Data | String | The URL address. |
| URL.Category | String | The URL category. |

pan-os-get-url-category-from-cloud#


Returns a URL category from URL filtering. This command is only available on Firewall devices.

Base Command#

pan-os-get-url-category-from-cloud

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| url | URL to check. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Panorama.URLFilter.URL | string | The URL. |
| Panorama.URLFilter.Category | string | URL category. |

Command Example#

!pan-os-get-url-category-from-cloud url=google.com

Human Readable Output#

URL Filtering from cloud:#

| URL | Category |
| --- | --- |
| google.com | search-engines |

pan-os-get-url-category-from-host#


Returns a URL category from URL Filtering.

Base Command#

pan-os-get-url-category-from-host

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| url | URL to check. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Panorama.URLFilter.URL | string | The URL. |
| Panorama.URLFilter.Category | string | The URL category. |

Command Example#

!pan-os-get-url-category-from-host url=google.com

Human Readable Output#

URL Filtering from host:#

| URL | Category |
| --- | --- |
| google.com | search-engines |

pan-os-get-url-filter#


Returns information for a URL filtering rule.

Base Command#

pan-os-get-url-filter

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| name | URL Filter name. | Required |
| device-group | The device group for which to return addresses for the URL Filter (Panorama instances). | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Panorama.URLFilter.Name | string | URL Filter name. |
| Panorama.URLFilter.Category.Name | string | URL Filter category name. |
| Panorama.URLFilter.Category.Action | string | Action for the URL category. |
| Panorama.URLFilter.OverrideBlockList | string | URL Filter override block list. |
| Panorama.URLFilter.OverrideAllowList | string | URL Filter override allow list. |
| Panorama.URLFilter.Description | string | URL Filter description. |
| Panorama.URLFilter.DeviceGroup | string | Device group for the URL Filter (Panorama instances). |

Command Example#

!pan-os-get-url-filter name=demisto_default_url_filter

Human Readable Output#

URL Filter:#

| Name | Category | OverrideAllowList | Description |
| --- | --- | --- | --- |
| demisto_default_url_filter | {'Action': 'block', 'Name': u'abortion'}, {'Action': 'block', 'Name': u'abuse-drugs'} | 888.com, 777.com | gres |

pan-os-create-url-filter#


Creates a URL filtering rule.

Base Command#

pan-os-create-url-filter

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| name | Name of the URL filter to create. | Required |
| url_category | URL categories. | Required |
| action | Action for the URL categories. Can be "allow", "block", "alert", "continue", or "override". | Required |
| override_allow_list | CSV list of URLs to exclude from the allow list. | Optional |
| override_block_list | CSV list of URLs to exclude from the blocked list. | Optional |
| description | URL Filter description. | Optional |
| device-group | The device group for which to return addresses for the URL Filter (Panorama instances). | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Panorama.URLFilter.Name | string | URL Filter name. |
| Panorama.URLFilter.Category.Name | string | URL Filter category name. |
| Panorama.URLFilter.Category.Action | string | Action for the URL category. |
| Panorama.URLFilter.OverrideBlockList | string | URL Filter override allow list. |
| Panorama.URLFilter.OverrideBlockList | string | URL Filter override blocked list. |
| Panorama.URLFilter.Description | string | URL Filter description. |
| Panorama.URLFilter.DeviceGroup | string | Device group for the URL Filter (Panorama instances). |

Command Example#

!pan-os-create-url-filter action=block name=gambling_url url_category=gambling

Context Example#

{
"Panorama": {
"URLFilter": {
"Category": [
{
"Action": "block",
"Name": "gambling"
}
],
"Name": "gambling_url"
}
}
}

Human Readable Output#

URL Filter was created successfully.

pan-os-edit-url-filter#


Edits a URL filtering rule.

Base Command#

pan-os-edit-url-filter

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| name | Name of the URL filter to edit. | Required |
| element_to_change | Element to change. | Required |
| element_value | Element value. Limited to one value. | Required |
| add_remove_element | Add or remove an element from the Allow List or Block List fields. Default is to 'add' the element_value to the list. | Optional |
| device-group | The device group to which the URL filter belongs. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Panorama.URLFilter.Name | string | URL Filter name. |
| Panorama.URLFilter.Description | string | URL Filter description. |
| Panorama.URLFilter.Category.Name | string | URL Filter category. |
| Panorama.URLFilter.Action | string | Action for the URL category. |
| Panorama.URLFilter.OverrideAllowList | string | Allow Overrides for the URL category. |
| Panorama.URLFilter.OverrideBlockList | string | Block Overrides for the URL category. |
| Panorama.URLFilter.DeviceGroup | string | Device group for the URL Filter (Panorama instances). |

Command Example#

!pan-os-edit-url-filter name=demisto_default_url_filter element_to_change=override_allow_list element_value="poker.com" add_remove_element=add

Human Readable Output#

URL Filter was edited successfully

pan-os-delete-url-filter#


Deletes a URL filtering rule.

Base Command#

pan-os-delete-url-filter

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| name | Name of the URL filter rule to delete. | Required |
| device-group | The device group for which to return addresses for the URL filter (Panorama instances). | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Panorama.URLFilter.Name | string | URL filter rule name. |
| Panorama.URLFilter.DeviceGroup | string | Device group for the URL Filter (Panorama instances). |

Command Example#

!pan-os-delete-url-filter name=gambling_url

Context Example#

{
"Panorama": {
"URLFilter": {
"Name": "gambling_url"
}
}
}

Human Readable Output#

URL Filter was deleted successfully.

pan-os-list-edls#


Returns a list of external dynamic lists.

Base Command#

pan-os-list-edls

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| device-group | The device group for which to return addresses for the EDL (Panorama instances). | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Panorama.EDL.Name | string | Name of the EDL. |
| Panorama.EDL.Type | string | The type of EDL. |
| Panorama.EDL.URL | string | URL in which the EDL is stored. |
| Panorama.EDL.Description | string | Description of the EDL. |
| Panorama.EDL.CertificateProfile | string | EDL certificate profile. |
| Panorama.EDL.Recurring | string | Time interval that the EDL was pulled and updated. |
| Panorama.EDL.DeviceGroup | string | Device group for the EDL (Panorama instances). |

Command Example#

!pan-os-list-edls

Context Example#

{
"Panorama": {
"EDL": [
{
"Description": "6u4ju7",
"Name": "blabla3",
"Recurring": "hourly",
"Type": "url",
"URL": "lolo"
},
{
"Description": "ip",
"Name": "bad_ip_edl_demisot_web_server",
"Recurring": "five-minute",
"Type": "ip",
"URL": "http://192.168.1.15/files/very_bad_ip2.txt"
}
]
}
}

Human Readable Output#

External Dynamic Lists:#

| Name | Type | URL | Recurring | Description |
| --- | --- | --- | --- | --- |
| blabla3 | url | lolo | hourly | 6u4ju7 |
| bad_ip_edl_demisot_web_server | ip | http://192.168.1.15/files/very_bad_ip2.txt | five-minute | ip |
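
The commit warnings in the push output earlier on this page flag EDLs that have no certificate profile, and the EDL context examples on this page include lists fetched over plain HTTP or from a URL with no scheme. The following added example (not part of the integration's code) audits Panorama.EDL context data for those cases and builds the matching pan-os-edit-edl command line. The finding labels, the fourth sample entry and the profile name "constructed-profile" are assumptions made for illustration.

```python
import json
from urllib.parse import urlparse

# Constructed input: the three Panorama.EDL entries from the context examples
# on this page, plus one constructed entry that has a certificate profile.
SAMPLE_CONTEXT = json.loads("""
{
  "Panorama": {
    "EDL": [
      {"Name": "blabla3", "Type": "url", "Recurring": "hourly",
       "Description": "6u4ju7", "URL": "lolo"},
      {"Name": "bad_ip_edl_demisot_web_server", "Type": "ip",
       "Recurring": "five-minute", "Description": "ip",
       "URL": "http://192.168.1.15/files/very_bad_ip2.txt"},
      {"Name": "test_pb_domain_edl_DONT_DEL", "Type": "url",
       "Recurring": "hourly", "Description": "new description3",
       "URL": "https://test_pb_task.not.real"},
      {"Name": "constructed_edl_with_profile", "Type": "ip",
       "Recurring": "hourly", "URL": "https://edl.example.test/ips.txt",
       "CertificateProfile": "constructed-profile"}
    ]
  }
}
""")

# Finding labels (assumed names, not produced by PAN-OS or the integration).
CLEARTEXT = "cleartext-http"
NO_SCHEME = "url-scheme-missing-or-unsupported"
NO_PROFILE = "no-certificate-profile"


def edl_entries(context):
    """Return Panorama.EDL as a list.

    pan-os-list-edls stores a list under Panorama.EDL, while pan-os-get-edl
    stores a single object, so both shapes are normalised here.
    """
    edl = context.get("Panorama", {}).get("EDL") or []
    return [edl] if isinstance(edl, dict) else list(edl)


def audit_edl(edl):
    """Return the transport findings for one EDL entry."""
    findings = []
    scheme = urlparse(str(edl.get("URL", "")).strip()).scheme.lower()
    if scheme == "http":
        # Plain HTTP: no server certificate is presented, so the list
        # content can be altered in transit.
        findings.append(CLEARTEXT)
    elif scheme != "https":
        # Values such as "lolo" or "gmail.com" carry no usable scheme.
        findings.append(NO_SCHEME)
    elif not edl.get("CertificateProfile"):
        # HTTPS source, but nothing configured to validate the server
        # certificate; this is the case the commit warning describes.
        findings.append(NO_PROFILE)
    return findings


def audit_context(context):
    """Map each EDL name to its list of findings (empty list means clean)."""
    return {e.get("Name", "<unnamed>"): audit_edl(e) for e in edl_entries(context)}


def suggested_fix(name, finding, profile="<certificate-profile>", url="<https-url>"):
    """Build the pan-os-edit-edl command line that addresses one finding."""
    if finding == NO_PROFILE:
        element, value = "certificate_profile", profile
    else:
        element, value = "url", url
    return (f'!pan-os-edit-edl name="{name}" '
            f'element_to_change={element} element_value="{value}"')


if __name__ == "__main__":
    for name, findings in audit_context(SAMPLE_CONTEXT).items():
        print(f"{name}: {', '.join(findings) or 'ok'}")
        for finding in findings:
            print("  " + suggested_fix(name, finding))
```
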

pan-os-get-edl#


Returns information for an external dynamic list.

Base Command#

pan-os-get-edl

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| name | Name of the EDL. | Required |
| device-group | The device group for which to return addresses for the EDL (Panorama instances). | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Panorama.EDL.Name | string | Name of the EDL. |
| Panorama.EDL.Type | string | The type of EDL. |
| Panorama.EDL.URL | string | URL in which the EDL is stored. |
| Panorama.EDL.Description | string | Description of the EDL. |
| Panorama.EDL.CertificateProfile | string | EDL certificate profile. |
| Panorama.EDL.Recurring | string | Time interval that the EDL was pulled and updated. |
| Panorama.EDL.DeviceGroup | string | Device group for the EDL (Panorama instances). |

Command Example#

!pan-os-get-edl name=test_pb_domain_edl_DONT_DEL

Context Example#

{
"Panorama": {
"EDL": {
"Description": "new description3",
"Name": "test_pb_domain_edl_DONT_DEL",
"Recurring": "hourly",
"Type": "url",
"URL": "https://test_pb_task.not.real"
}
}
}

Human Readable Output#

External Dynamic List:#

| Name | Type | URL | Recurring | Description |
| --- | --- | --- | --- | --- |
| test_pb_domain_edl_DONT_DEL | url | https://test_pb_task.not.real | hourly | new description3 |

pan-os-create-edl#


Creates an external dynamic list.

Base Command#

pan-os-create-edl

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| name | Name of the EDL. | Required |
| url | URL from which to pull the EDL. | Required |
| type | The type of EDL. | Required |
| recurring | Time interval for pulling and updating the EDL. | Required |
| certificate_profile | Certificate profile name for the URL that was previously uploaded to PAN-OS. | Optional |
| description | Description of the EDL. | Optional |
| device-group | The device group for which to return addresses for the EDL (Panorama instances). | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Panorama.EDL.Name | string | Name of the EDL. |
| Panorama.EDL.Type | string | Type of the EDL. |
| Panorama.EDL.URL | string | URL in which the EDL is stored. |
| Panorama.EDL.Description | string | Description of the EDL. |
| Panorama.EDL.CertificateProfile | string | EDL certificate profile. |
| Panorama.EDL.Recurring | string | Time interval that the EDL was pulled and updated. |
| Panorama.EDL.DeviceGroup | string | Device group for the EDL (Panorama instances). |

Command Example#

!pan-os-create-edl name=new_EDL recurring="five-minute" type=url url="gmail.com"

Context Example#

{
"Panorama": {
"EDL": {
"Name": "new_EDL",
"Recurring": "five-minute",
"Type": "url",
"URL": "gmail.com"
}
}
}

Human Readable Output#

External Dynamic List was created successfully.

pan-os-edit-edl#


Modifies an element of an external dynamic list.

Base Command#

pan-os-edit-edl

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| name | Name of the external dynamic list to edit. | Required |
| element_to_change | The element to change ("url", "recurring", "certificate_profile", "description"). | Required |
| element_value | The element value. | Required |
| device-group | The device group to which the EDL belongs. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Panorama.EDL.Name | string | Name of the EDL. |
| Panorama.EDL.URL | string | URL where the EDL is stored. |
| Panorama.EDL.Description | string | Description of the EDL. |
| Panorama.EDL.CertificateProfile | string | EDL certificate profile. |
| Panorama.EDL.Recurring | string | Time interval that the EDL was pulled and updated. |
| Panorama.EDL.DeviceGroup | string | Device group for the EDL (Panorama instances). |

Command Example#

!pan-os-edit-edl name=test_pb_domain_edl_DONT_DEL element_to_change=description element_value="new description3"

Context Example#

{
"Panorama": {
"EDL": {
"Description": "new description3",
"Name": "test_pb_domain_edl_DONT_DEL"
}
}
}

Human Readable Output#

External Dynamic List was edited successfully

pan-os-delete-edl#


Deletes an external dynamic list.

Base Command#

pan-os-delete-edl

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| name | Name of the EDL to delete. | Required |
| device-group | The device group for which to return addresses for the EDL (Panorama instances). | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Panorama.EDL.Name | string | Name of the EDL that was deleted. |
| Panorama.EDL.DeviceGroup | string | Device group for the EDL (Panorama instances). |

Command Example#

!pan-os-delete-edl name=new_EDL

Context Example#

{
"Panorama": {
"EDL": {
"Name": "new_EDL"
}
}
}

Human Readable Output#

External Dynamic List was deleted successfully

pan-os-refresh-edl#


Refreshes the specified external dynamic list.

Base Command#

pan-os-refresh-edl

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| name | Name of the EDL. | Required |
| device-group | The device group for which to return addresses for the EDL (Panorama instances). | Optional |
| edl_type | The type of the EDL. Required when refreshing an EDL object which is configured on Panorama. | Optional |
| location | The location of the EDL. Required when refreshing an EDL object which is configured on Panorama. | Optional |
| vsys | The Vsys of the EDL. Required when refreshing an EDL object which is configured on Panorama. | Optional |

Context Output#

There is no context output for this command.

Command Example#

!pan-os-refresh-edl name=test_pb_domain_edl_DONT_DEL

Human Readable Output#

Refreshed External Dynamic List successfully

pan-os-create-rule#


Creates a policy rule.

Base Command#

pan-os-create-rule

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| rulename | Name of the rule to create. | Optional |
| description | Description of the rule to create. | Optional |
| action | Action for the rule. Can be "allow", "deny", or "drop". | Required |
| source | A comma-separated list of address object names, address group object names, or EDL object names. | Optional |
| destination | A comma-separated list of address object names, address group object names, or EDL object names. | Optional |
| source_zone | A comma-separated list of source zones. | Optional |
| destination_zone | A comma-separated list of destination zones. | Optional |
| negate_source | Whether to negate the source (address, address group). Can be "Yes" or "No". | Optional |
| negate_destination | Whether to negate the destination (address, address group). Can be "Yes" or "No". | Optional |
| service | A comma-separated list of service object names for the rule. | Optional |
| disable | Whether to disable the rule. Can be "Yes" or "No" (default is "No"). | Optional |
| application | A comma-separated list of application object names for the rule. | Optional |
| source_user | A comma-separated list of source users for the rule to create. | Optional |
| pre_post | Pre rule or Post rule (Panorama instances). | Optional |
| target | Specifies a target firewall for the rule (Panorama instances). | Optional |
| log_forwarding | Log forwarding profile. | Optional |
| device-group | The device group for which to return addresses for the rule (Panorama instances). | Optional |
| tags | Rule tags to create. | Optional |
| category | A comma-separated list of URL categories. | Optional |
| profile_setting | A profile setting group. | Optional |
| where | Where to move the rule. Can be "before", "after", "top", or "bottom". If you specify "before" or "after", you need to supply the "dst" argument. | Optional |
| dst | Destination rule relative to the rule that you are moving. This field is only relevant if you specify "before" or "after" in the "where" argument. | Optional |
| audit_comment | An audit comment for the rule. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Panorama.SecurityRule.Name | string | Rule name. |
| Panorama.SecurityRule.Description | string | Rule description. |
| Panorama.SecurityRule.Action | string | Action for the rule. |
| Panorama.SecurityRule.Source | string | Source address. |
| Panorama.SecurityRule.Destination | string | Destination address. |
| Panorama.SecurityRule.NegateSource | boolean | Whether the source is negated (address, address group). |
| Panorama.SecurityRule.NegateDestination | boolean | Whether the destination is negated (address, address group). |
| Panorama.SecurityRule.Service | string | Service for the rule. |
| Panorama.SecurityRule.Disabled | string | Whether the rule is disabled. |
| Panorama.SecurityRule.Application | string | Application for the rule. |
| Panorama.SecurityRule.Target | string | Target firewall (Panorama instances). |
| Panorama.SecurityRule.LogForwarding | string | Log forwarding profile (Panorama instances). |
| Panorama.SecurityRule.DeviceGroup | string | Device group for the rule (Panorama instances). |
| Panorama.SecurityRules.Tags | String | Rule tags. |
| Panorama.SecurityRules.ProfileSetting | String | Profile setting group. |

Command Example#

!pan-os-create-rule rulename="block_bad_application" description="do not play at work" action="deny" application="fortnite"

Context Example#

{
"Panorama": {
"SecurityRule": {
"Action": "deny",
"Application": "fortnite",
"Description": "do not play at work",
"Disabled": "No",
"Name": "block_bad_application",
"SourceUser": "any"
}
}
}

Human Readable Output#

Rule configured successfully.

pan-os-custom-block-rule#


Creates a custom block policy rule.

Base Command#

pan-os-custom-block-rule

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| rulename | The name of the custom block policy rule to create. | Optional |
| object_type | The object type to block in the policy rule. Possible values are: ip, address-group, application, url-category, edl. | Required |
| object_value | A comma-separated list of object values for the object_type argument. | Required |
| direction | The direction to block. This argument is not applicable for the "custom-url-category" object_type. Possible values are: to, from, both. Default is both. | Optional |
| pre_post | The pre-rule or post-rule (Panorama instances). Possible values are: pre-rulebase, post-rulebase. | Optional |
| target | Specifies a target firewall for the rule (Panorama instances). | Optional |
| log_forwarding | The log forwarding profile. | Optional |
| device-group | The device group for which to return addresses for the rule (Panorama instances). | Optional |
| tags | The tags to use for the custom block policy rule. | Optional |
| where | Where to move the rule. If you specify "before" or "after", you need to supply the "dst" argument. Possible values are: before, after, top, bottom. Default is bottom. | Optional |
| dst | The destination rule relative to the rule that you are moving. This field is only relevant if you specify "before" or "after" in the "where" argument. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Panorama.SecurityRule.Name | string | The rule name. |
| Panorama.SecurityRule.Object | string | The blocked object. |
| Panorama.SecurityRule.Direction | string | The direction blocked. |
| Panorama.SecurityRule.Target | string | The target firewall (Panorama instances). |
| Panorama.SecurityRule.LogForwarding | string | The log forwarding profile (Panorama instances). |
| Panorama.SecurityRule.DeviceGroup | string | The device group for the rule (Panorama instances). |
| Panorama.SecurityRule.Tags | String | The rule tags. |
| Panorama.SecurityRules.ProfileSetting | String | The profile setting group. |

Command Example#

!pan-os-custom-block-rule object_type=application object_value=fortnite

Context Example#

{
"Panorama": {
"SecurityRule": {
"Application": [
"fortnite"
],
"Direction": "both",
"Disabled": false,
"Name": "demisto-9c9ed15a"
}
}
}

Human Readable Output#

Object was blocked successfully.

pan-os-move-rule#


Changes the location of a policy rule.

Base Command#

pan-os-move-rule

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| rulename | Name of the rule to move. | Required |
| where | Where to move the rule. Can be "before", "after", "top", or "bottom". If you specify "before" or "after", you need to supply the "dst" argument. | Required |
| dst | Destination rule relative to the rule that you are moving. This field is only relevant if you specify "before" or "after" in the "where" argument. | Optional |
| pre_post | Rule location. Mandatory for Panorama instances. | Optional |
| device-group | The device group for which to return addresses for the rule (Panorama instances). | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Panorama.SecurityRule.Name | string | Rule name. |
| Panorama.SecurityRule.DeviceGroup | string | Device group for the rule (Panorama instances). |

Command Example#

!pan-os-move-rule rulename="test_rule3" where="bottom"

Human Readable Output#

Rule test_rule3 moved successfully

pan-os-edit-rule#


Edits a policy rule.

Base Command#

pan-os-edit-rule

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| rulename | Name of the rule to edit. | Required |
| element_to_change | Parameter in the security rule to change. Can be 'source', 'destination', 'application', 'action', 'category', 'description', 'disabled', 'target', 'log-forwarding', 'tag', 'source-user', 'service' or 'profile-setting'. | Required |
| element_value | The new value for the parameter. | Required |
| pre_post | Pre-rule or post-rule (Panorama instances). | Optional |
| behaviour | Whether to replace, add, or remove the element_value from the current rule object value. | Optional |
| device-group | The device group to which the rule belongs. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Panorama.SecurityRule.Name | string | Rule name. |
| Panorama.SecurityRule.Description | string | Rule description. |
| Panorama.SecurityRule.Action | string | Action for the rule. |
| Panorama.SecurityRule.Source | string | Source address. |
| Panorama.SecurityRule.Destination | string | Destination address. |
| Panorama.SecurityRule.NegateSource | boolean | Whether the source is negated (address, address group). |
| Panorama.SecurityRule.NegateDestination | boolean | Whether the destination is negated (address, address group). |
| Panorama.SecurityRule.Service | string | Service for the rule. |
| Panorama.SecurityRule.Disabled | string | Whether the rule is disabled. |
| Panorama.SecurityRule.Application | string | Application for the rule. |
| Panorama.SecurityRule.Target | string | Target firewall (Panorama instances). |
| Panorama.SecurityRule.DeviceGroup | string | Device group for the rule (Panorama instances). |
| Panorama.SecurityRule.Category | string | The category of the rule. |
| Panorama.SecurityRule.LogForwarding | string | The log forwarding of the rule. |
| Panorama.SecurityRule.ProfileSetting | string | The profile setting of the rule. |
| Panorama.SecurityRule.SourceUser | string | The source user of the rule. |
| Panorama.SecurityRule.AuditComment | string | The audit comment of the rule. |
| Panorama.SecurityRule.Tags | String | Tags for the rule. |
| Panorama.SecurityRules.ProfileSetting | String | Profile setting group. |

Command Example#

!pan-os-edit-rule rulename="block_bad_application" element_to_change=action element_value=drop

Context Example#

{
"Panorama": {
"SecurityRule": {
"Action": "drop",
"Name": "block_bad_application"
}
}
}

Human Readable Output#

Rule edited successfully.

pan-os-delete-rule#


Deletes a policy rule.

Base Command#

pan-os-delete-rule

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| rulename | Name of the rule to delete. | Required |
| pre_post | Pre rule or Post rule (Panorama instances). | Optional |
| device-group | The device group for which to return addresses for the rule (Panorama instances). | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Panorama.SecurityRule.Name | string | Rule name. |
| Panorama.SecurityRule.DeviceGroup | string | Device group for the rule (Panorama instances). |

Command Example#

!pan-os-delete-rule rulename=block_bad_application

Human Readable Output#

Rule deleted successfully.

pan-os-list-applications#


Returns a list of applications.

Base Command#

pan-os-list-applications

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| predefined | Whether to list predefined applications. Possible values are: true, false. Default is false. | Optional |
| device-group | The device group for which to return applications. | Optional |
| name_match | When specified, the results returned in the list are limited to applications whose names match the specified string. | Optional |
| name_contain | When specified, the results returned in the list are limited to applications whose names contain the specified string. | Optional |
| risk | The application risk (1 to 5). Possible values are: 1, 2, 3, 4, 5. | Optional |
| category | The application category. Possible values are: collaboration, business-systems, networking, media. | Optional |
| sub_category | The application sub-category. | Optional |
| technology | The application technology. Possible values are: browser-based, client-server, network-protocol, peer-to-peer. | Optional |
| characteristics | A comma-separated list of characteristics. Possible values are: 'virus-ident', 'evasive-behavior', 'file-type-ident', 'consume-big-bandwidth', 'used-by-malware', 'able-to-transfer-file', 'has-known-vulnerability', 'tunnel-other-application', 'prone-to-misuse', 'pervasive-use', 'file-forward', 'is-saas'. | Optional |
| limit | The maximum number of rules to retrieve. Will be used by default if page argument was not provided. Default is 50. | Optional |
| page_size | The page size of the applications to return. Default is 50. | Optional |
| page | The page at which to start listing applications. Must be a positive number. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Panorama.Applications.Name | string | The application name. |
| Panorama.Applications.Id | number | The application ID. |
| Panorama.Applications.Category | string | The application category. |
| Panorama.Applications.SubCategory | string | The application sub-category. |
| Panorama.Applications.Technology | string | The application technology. |
| Panorama.Applications.Risk | number | The application risk (1 to 5). |
| Panorama.Applications.Description | string | The application description. |
| Panorama.Applications.Characteristics | string | The application characteristics. |

Command Example#

!pan-os-list-applications

Context Example#

{
"Panorama": {
"Applications": {
"Description": "lala",
"Id": null,
"Name": "demisto_fw_app3",
"Risk": "1",
"SubCategory": "ip-protocol",
"Technology": "peer-to-peer"
}
}
}

Human Readable Output#

Applications#

| Id | Name | Risk | Category | SubCategory | Technology | Description |
| --- | --- | --- | --- | --- | --- | --- |
|  | demisto_fw_app3 | 1 |  | ip-protocol | peer-to-peer | lala |

pan-os-commit#


Commits a configuration to the Palo Alto firewall or Panorama. When polling="true" is used, the command validates whether the commit was successful; otherwise, it does not validate the commit result. Committing to Panorama does not push the configuration to the firewalls. To push the configuration, run the panorama-push-to-device-group command.

Base Command#

pan-os-commit

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| description | The commit description. | Optional |
| admin_name | The administrator name. To commit admin-level changes on a firewall, include the administrator name in the request. | Optional |
| force_commit | Forces a commit. Possible values are: true, false. | Optional |
| exclude_device_network_configuration | Performs a partial commit while excluding device and network configuration. Possible values are: true, false. | Optional |
| exclude_shared_objects | Performs a partial commit while excluding shared objects. Possible values are: true, false. | Optional |
| polling | Whether to use polling. Possible values are: true, false. Default is false. | Optional |
| commit_job_id | The commit job ID to use in polling commands (automatically filled by polling). | Optional |
| timeout | The timeout (in seconds) when polling. Default is 120. | Optional |
| interval_in_seconds | The interval (in seconds) when polling. Default is 10. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Panorama.Commit.JobID | Number | The job ID to commit. |
| Panorama.Commit.Status | String | The commit status. |
| Panorama.Commit.Description | String | The commit description from the command input. |

Command example#

!pan-os-commit description=test polling=true interval_in_seconds=5 timeout=60

Human Readable Output#

Waiting for commit "test" with job ID 7304 to finish...

pan-os-push-status#


Returns the push status for a configuration.

Base Command#

pan-os-push-status

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| job_id | The job ID to check. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Panorama.Push.DeviceGroup | string | The device group to which the policies were pushed. |
| Panorama.Push.JobID | number | The job ID of the configuration to be pushed. |
| Panorama.Push.Status | string | The push status. |
| Panorama.Push.Details | string | The job ID details. |
| Panorama.Push.Warnings | String | The job ID warnings. |

Command example#

!pan-os-push-status job_id=31377

Context Example#

{
"Panorama": {
"Push": {
"Details": [
"commit succeeded with warnings",
"commit succeeded with warnings"
],
"Errors": [],
"JobID": "31377",
"Status": "Completed",
"Warnings": [
"Interface loopback.645 has no zone configuration.",
"External Dynamic List test_pb_domain_edl_DONT_DEL is configured with no certificate profile. Please select a certificate profile for performing server certificate validation.",
"External Dynamic List Cortex XSOAR Remediation - IP EDL-ip-edl-object is configured with no certificate profile. Please select a certificate profile for performing server certificate validation.",
"External Dynamic List Cortex XSOAR Remediation - URL EDL-url-edl-object is configured with no certificate profile. Please select a certificate profile for performing server certificate validation.",
"External Dynamic List Cortex XSOAR Remediation - URL EDL tamarcat3-url-edl-object is configured with no certificate profile. Please select a certificate profile for performing server certificate validation.",
"External Dynamic List Cortex XSOAR Remediation - IP EDL tamarcat3-ip-edl-object is configured with no certificate profile. Please select a certificate profile for performing server certificate validation.",
"External Dynamic List minemeld is configured with no certificate profile. Please select a certificate profile for performing server certificate validation.",
"External Dynamic List edl-webinar-malicious-urls-OLD is configured with no certificate profile. Please select a certificate profile for performing server certificate validation.",
"External Dynamic List edl-webinar-malicious-ips is configured with no certificate profile. Please select a certificate profile for performing server certificate validation.",
"External Dynamic List edl-webinar-malicious-domains is configured with no certificate profile. Please select a certificate profile for performing server certificate validation.",
"Warning: No valid Antivirus content package exists",
"(Module: device)"
]
}
}
}

Human Readable Output#

Push to Device Group status:#

| JobID | Status | Details | Errors | Warnings |
| --- | --- | --- | --- | --- |
| 31377 | Completed | commit succeeded with warnings, commit succeeded with warnings |  | Interface loopback.645 has no zone configuration., External Dynamic List test_pb_domain_edl_DONT_DEL is configured with no certificate profile. Please select a certificate profile for performing server certificate validation., External Dynamic List Cortex XSOAR Remediation - IP EDL-ip-edl-object is configured with no certificate profile. Please select a certificate profile for performing server certificate validation., External Dynamic List Cortex XSOAR Remediation - URL EDL-url-edl-object is configured with no certificate profile. Please select a certificate profile for performing server certificate validation., External Dynamic List Cortex XSOAR Remediation - URL EDL tamarcat3-url-edl-object is configured with no certificate profile. Please select a certificate profile for performing server certificate validation., External Dynamic List Cortex XSOAR Remediation - IP EDL tamarcat3-ip-edl-object is configured with no certificate profile. Please select a certificate profile for performing server certificate validation., External Dynamic List minemeld is configured with no certificate profile. Please select a certificate profile for performing server certificate validation., External Dynamic List edl-webinar-malicious-urls-OLD is configured with no certificate profile. Please select a certificate profile for performing server certificate validation., External Dynamic List edl-webinar-malicious-ips is configured with no certificate profile. Please select a certificate profile for performing server certificate validation., External Dynamic List edl-webinar-malicious-domains is configured with no certificate profile. Please select a certificate profile for performing server certificate validation., Warning: No valid Antivirus content package exists, (Module: device) |
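
The push warnings above flag EDLs that have no certificate profile, and the Panorama.EDL context entries carry the URL and CertificateProfile fields needed to find the same gap before a push. The following Python script is an added example, not part of the integration: it audits context data shaped like the examples on this page; the function names, finding labels, and the `constructed_ok_edl` entry are assumptions made for the illustration.

```python
import re
from urllib.parse import urlparse

# Matches the push warning text shown in the pan-os-push-status context example.
NO_PROFILE_RE = re.compile(
    r"^External Dynamic List (?P<name>.+?) is configured with no certificate profile\."
)

# Constructed sample, shaped like the Panorama.EDL / Panorama.Push context on this page.
SAMPLE_CONTEXT = {
    "Panorama": {
        "EDL": [
            {"Name": "blabla3", "Type": "url", "URL": "lolo", "Recurring": "hourly"},
            {"Name": "bad_ip_edl_demisot_web_server", "Type": "ip",
             "URL": "http://192.168.1.15/files/very_bad_ip2.txt", "Recurring": "five-minute"},
            {"Name": "test_pb_domain_edl_DONT_DEL", "Type": "url",
             "URL": "https://test_pb_task.not.real", "Recurring": "hourly"},
            # Hypothetical well-configured entry, not taken from the page.
            {"Name": "constructed_ok_edl", "Type": "ip",
             "URL": "https://edl.example.test/ip.txt",
             "CertificateProfile": "constructed-profile", "Recurring": "hourly"},
        ],
        "Push": {
            "JobID": "31377",
            "Status": "Completed",
            "Warnings": [
                "Interface loopback.645 has no zone configuration.",
                "External Dynamic List test_pb_domain_edl_DONT_DEL is configured with no "
                "certificate profile. Please select a certificate profile for performing "
                "server certificate validation.",
                "External Dynamic List Cortex XSOAR Remediation - IP EDL-ip-edl-object is "
                "configured with no certificate profile. Please select a certificate "
                "profile for performing server certificate validation.",
                "Warning: No valid Antivirus content package exists",
            ],
        },
    }
}


def as_list(value):
    """Context holds a dict for one item (pan-os-get-edl) and a list for several."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_edl(edl):
    """Return the set of findings for one Panorama.EDL entry."""
    findings = set()
    scheme = urlparse(edl.get("URL") or "").scheme.lower()
    if scheme == "http":
        findings.add("cleartext-http")  # list content can be altered in transit
    elif scheme != "https":
        findings.add("missing-or-unsupported-scheme")  # transport not stated in config
    if not edl.get("CertificateProfile"):
        findings.add("no-certificate-profile")  # no server certificate validation
    return findings


def names_from_push_warnings(push):
    """Extract EDL names from 'no certificate profile' warnings of a push job."""
    names = []
    for warning in as_list(push.get("Warnings")):
        match = NO_PROFILE_RE.match(warning)
        if match:
            names.append(match.group("name"))
    return names


def audit(context):
    """Merge findings from EDL entries and push warnings, keyed by EDL name."""
    panorama = context.get("Panorama", {})
    report = {}
    for edl in as_list(panorama.get("EDL")):
        findings = audit_edl(edl)
        if findings:
            report.setdefault(edl.get("Name", "<unnamed>"), set()).update(findings)
    # EDLs named only in warnings (for example, from another device group) are kept too.
    for push in as_list(panorama.get("Push")):
        for name in names_from_push_warnings(push):
            report.setdefault(name, set()).add("no-certificate-profile")
    return {name: sorted(found) for name, found in sorted(report.items())}


if __name__ == "__main__":
    for name, found in audit(SAMPLE_CONTEXT).items():
        print(f"{name}: {', '.join(found)}")
```

An EDL that appears in the report can be corrected with pan-os-edit-edl by setting element_to_change to certificate_profile or url.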

pan-os-get-pcap#


Returns information for a Panorama PCAP file. The recommended maximum file size is 5 MB. If the limit is exceeded, you might need to SSH the firewall and run the scp export command to export the PCAP file. For more information, see the Palo Alto Networks documentation.

When trying to retrieve threat-PCAPs of a firewall through a panorama instance, be sure to forward the log containing the threat PCAP file from the firewall to the panorama instance.

For more information follow instructions from here.

Base Command#

pan-os-get-pcap

PCAPs api docs#

You can find information about required/optional arguments for each pcap type here:

filter pcap api

dlp pcap api

application pcap api

threat pcap api

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| pcapType | Type of Packet Capture. | Required |
| serialNumber | The serial number of the firewall to download the PCAP from. | Optional |
| from | The file name for the PCAP type ('dlp-pcap', 'filter-pcap', or 'application-pcap'). Required for 'filter-pcap'. | Optional |
| localName | The new name for the PCAP file after downloading. If this argument is not specified, the file name is the PCAP file name set in the firewall. | Optional |
| serialNo | Serial number for the request. For further information, see the Panorama XML API Documentation. | Optional |
| searchTime | The Search time for the request. For example: "2019/12/26 00:00:00", "2020/01/10". For more information, see the Panorama XML API documentation. Required for "threat-pcap". | Optional |
| pcapID | The ID of the PCAP for the request. For further information, see the Panorama XML API Documentation. Required for 'threat-pcap'. | Optional |
| password | Password for Panorama, needed for the 'dlp-pcap' PCAP type only. | Optional |
| deviceName | The Device Name on which the PCAP is stored. For further information, see the Panorama XML API Documentation. Required for 'threat-pcap' in pan-os firewalls < 9.0.7 versions. | Optional |
| sessionID | The Session ID of the PCAP. For further information, see the Panorama XML API Documentation. Required for 'threat-pcap' in pan-os firewalls < 9.0.7 versions. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| File.Size | number | File size. |
| File.Name | string | File name. |
| File.Type | string | File type. |
| File.Info | string | File info. |
| File.Extension | string | File extension. |
| File.EntryID | string | File entryID. |
| File.MD5 | string | MD5 hash of the file. |
| File.SHA1 | string | SHA1 hash of the file. |
| File.SHA256 | string | SHA256 hash of the file. |
| File.SHA512 | string | SHA512 hash of the file. |
| File.SSDeep | string | SSDeep hash of the file. |

Command Example#

!pan-os-get-pcap pcapType="filter-pcap" from=pcap_test

pan-os-list-pcaps#


Returns a list of all PCAP files by PCAP type. Not available for threat PCAPs.

Base Command#

pan-os-list-pcaps

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| pcapType | Type of Packet Capture. | Required |
| serialNumber | The serial number of the firewall to download the PCAP from. | Optional |
| password | Password for Panorama. Relevant for the 'dlp-pcap' PCAP type. | Optional |

Context Output#

There is no context output for this command.

Command Example#

!pan-os-list-pcaps pcapType="filter-pcap"

Human Readable Output#

List of Pcaps:#

| Pcap name |
| --- |
| pcam_name |

pan-os-register-ip-tag#


Registers IP addresses to a tag.

Base Command#

pan-os-register-ip-tag

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| tag | Tag for which to register IP addresses. | Required |
| IPs | IP addresses to register. | Required |
| persistent | Whether the IP addresses remain registered to the tag after the device reboots ('true':persistent, 'false':non-persistent). Default is 'true'. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Panorama.DynamicTags.Tag | string | Name of the tag. |
| Panorama.DynamicTags.IPs | string | Registered IP addresses. |

Command Example#

!pan-os-register-ip-tag tag=tag02 IPs=["10.0.0.13","10.0.0.14"]

Human Readable Output#

Registered ip-tag successfully

pan-os-unregister-ip-tag#


Unregisters IP addresses from a tag.

Base Command#

pan-os-unregister-ip-tag

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| tag | Tag for which to unregister IP addresses. | Required |
| IPs | IP addresses to unregister. | Required |

Context Output#

There is no context output for this command.

Command Example#

!pan-os-unregister-ip-tag tag=tag02 IPs=["10.0.0.13","10.0.0.14"]

Human Readable Output#

Unregistered ip-tag successfully

pan-os-register-user-tag#


Registers users to a tag. This command is only available for PAN-OS version 9.x and above.

Base Command#

pan-os-register-user-tag

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| tag | Tag for which to register users. | Required |
| Users | A comma-separated list of users to register. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Panorama.DynamicTags.Tag | string | Name of the tag. |
| Panorama.DynamicTags.Users | string | List of registered users. |

Command Example#

!pan-os-register-user-tag tag=tag02 Users=Username

Human Readable Output#

Registered user-tag successfully

pan-os-unregister-user-tag#


Unregisters users from a tag. This command is only available for PAN-OS version 9.x and above.

Base Command#

pan-os-unregister-user-tag

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| tag | Tag from which to unregister Users. | Required |
| Users | A comma-separated list of users to unregister. | Required |

Context Output#

There is no context output for this command.

Command Example#

!pan-os-unregister-user-tag tag=tag02 Users=Username

Human Readable Output#

Unregistered user-tag successfully

pan-os-query-traffic-logs#


Deprecated. Queries traffic logs.

Base Command#

pan-os-query-traffic-logs

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| query | Specifies the match criteria for the logs. This is similar to the query provided in the web interface under the Monitor tab when viewing the logs. | Optional |
| number_of_logs | The number of logs to retrieve. Default is 100. Maximum is 5,000. | Optional |
| direction | Whether logs are shown oldest first (forward) or newest first (backward). Default is backward. | Optional |
| source | Source address for the query. | Optional |
| destination | Destination address for the query. | Optional |
| receive_time | Date and time after which logs were received, in the format: YYYY/MM/DD HH:MM:SS. | Optional |
| application | Application for the query. | Optional |
| to_port | Destination port for the query. | Optional |
| action | Action for the query. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Panorama.TrafficLogs.JobID | number | Job ID of the traffic logs query. |
| Panorama.TrafficLogs.Status | string | Status of the traffic logs query. |

Command Example#

!pan-os-query-traffic-logs query="" number_of_logs="100" direction="backward" source="" destination="" receive_time="" application="" to_port="" action="allow"

Human Readable Output#

Query Traffic Logs:#

| JobID | Status |
| --- | --- |
| 1858 | Pending |

pan-os-check-traffic-logs-status#


Deprecated. Checks the query status of traffic logs.

Base Command#

pan-os-check-traffic-logs-status

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| job_id | Job ID of the query. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Panorama.TrafficLogs.JobID | number | Job ID of the traffic logs query. |
| Panorama.TrafficLogs.Status | string | Status of the traffic logs query. |

Command Example#

!pan-os-check-traffic-logs-status job_id="1865"

Human Readable Output#

Query Traffic Logs status:#

| JobID | Status |
| --- | --- |
| 1858 | Pending |

pan-os-get-traffic-logs#


Deprecated. Retrieves traffic log query data by job id.

Base Command#

pan-os-get-traffic-logs

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| job_id | Job ID of the query. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Panorama.TrafficLogs.JobID | number | Job ID of the traffic logs query. |
| Panorama.TrafficLogs.Status | string | Status of the traffic logs query. |
| Panorama.TrafficLogs.Logs.Action | string | Action of the traffic log. |
| Panorama.TrafficLogs.Logs.ActionSource | string | Action source of the traffic log. |
| Panorama.TrafficLogs.Logs.Application | string | Application of the traffic log. |
| Panorama.TrafficLogs.Logs.Bytes | string | The total log bytes. |
| Panorama.TrafficLogs.Logs.BytesReceived | string | The log bytes received. |
| Panorama.TrafficLogs.Logs.BytesSent | string | The log bytes sent. |
| Panorama.TrafficLogs.Logs.Category | string | Category of the traffic log. |
| Panorama.TrafficLogs.Logs.DeviceName | string | Device name of the traffic log. |
| Panorama.TrafficLogs.Logs.Destination | string | Destination of the traffic log. |
| Panorama.TrafficLogs.Logs.DestinationPort | string | Destination port of the traffic log. |
| Panorama.TrafficLogs.Logs.FromZone | string | From zone of the traffic log. |
| Panorama.TrafficLogs.Logs.Protocol | string | Protocol of the traffic log. |
| Panorama.TrafficLogs.Logs.ReceiveTime | string | Receive time of the traffic log. |
| Panorama.TrafficLogs.Logs.Rule | string | Rule of the traffic log. |
| Panorama.TrafficLogs.Logs.SessionEndReason | string | Session end reason of the traffic log. |
| Panorama.TrafficLogs.Logs.Source | string | Source of the traffic log. |
| Panorama.TrafficLogs.Logs.SourcePort | string | Source port of the traffic log. |
| Panorama.TrafficLogs.Logs.StartTime | string | Start time of the traffic log. |
| Panorama.TrafficLogs.Logs.ToZone | string | To zone of the traffic log. |

Command Example#

!pan-os-get-traffic-logs job_id="1865"

pan-os-list-rules#


Returns a list of predefined Security Rules. (When passing a query, all other arguments are overridden. Make sure the query includes all the filters you want).

Base Command#

pan-os-list-rules

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| pre_post | The rules location. Mandatory for Panorama instances. Possible values are: pre-rulebase, post-rulebase. | Optional |
| device-group | The device group for which to return addresses (Panorama instances). | Optional |
| tag | The tag to filter the rules. | Optional |
| tags | A comma-separated list of tags by which to filter the rules. | Optional |
| target | Serial number of the firewall on which to run the command. Use only for a Panorama instance. | Optional |
| rulename | The name of the rule to retrieve. If not mentioned, will retrieve all the rules. | Optional |
| disabled | Whether to retrieve the disabled rules or not. If not mentioned, will retrieve all the rules. Possible values are: yes, no. | Optional |
| action | The action of the rules to retrieve. If not mentioned, will retrieve all the rules. Possible values are: allow, deny, drop. | Optional |
| query | Free query to retrieve rules. If not mentioned, will retrieve all the rules. When passing a query, all other arguments are overridden. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Panorama.SecurityRule.Location | String | The location of the security rule. |
| Panorama.SecurityRule.NegateDestination | String | Indicates whether the destination is negated in the security rule. |
| Panorama.SecurityRule.Disabled | String | Indicates whether the security rule is disabled. |
| Panorama.SecurityRule.ICMPUnreachable | String | Specifies the behavior for ICMP unreachable messages. |
| Panorama.SecurityRule.Description | String | The description of the security rule. |
| Panorama.SecurityRule.GroupTag | String | The group tag of the security rule. |
| Panorama.SecurityRule.LogForwardingProfile | String | The log forwarding profile applied to the security rule. |
| Panorama.SecurityRule.NegateSource | String | Indicates whether the source is negated in the security rule. |
| Panorama.SecurityRule.SecurityProfileGroup | String | The security profile group assigned to the security rule. |
| Panorama.SecurityRule.SecurityProfile | Unknown | The security profile settings applied to the security rule. |
| Panorama.SecurityRule.SecurityProfile.url-filtering | String | The security profile setting for url-filtering in the security rule. |
| Panorama.SecurityRule.SecurityProfile.data-filtering | String | The security profile setting for data-filtering in the security rule. |
| Panorama.SecurityRule.SecurityProfile.file-blocking | String | The security profile setting for file-blocking in the security rule. |
| Panorama.SecurityRule.SecurityProfile.virus | String | The security profile setting for viruses in the security rule. |
| Panorama.SecurityRule.SecurityProfile.spyware | String | The security profile setting for spyware in the security rule. |
| Panorama.SecurityRule.SecurityProfile.vulnerability | String | The security profile setting for vulnerability in the security rule. |
| Panorama.SecurityRule.SecurityProfile.wildfire-analysis | String | The security profile setting for wildfire-analysis in the security rule. |
| Panorama.SecurityRule.Target.negate | String | Indicates whether the target is negated in the security rule. |
| Panorama.SecurityRule.Name | String | The name of the security rule. |
| Panorama.SecurityRule.From | String | The source zone of the security rule. |
| Panorama.SecurityRule.DestinationDevice | String | The destination device of the security rule. |
| Panorama.SecurityRule.Action | String | The action taken by the security rule. |
| Panorama.SecurityRule.SourceDevice | String | The source device of the security rule. |
| Panorama.SecurityRule.Tags | String | The tags associated with the security rule. |
| Panorama.SecurityRule.SourceUser | String | The source user of the security rule. |
| Panorama.SecurityRule.Application | String | The application used in the security rule. |
| Panorama.SecurityRule.Service | String | The service used in the security rule. |
| Panorama.SecurityRule.To | String | The destination zone of the security rule. |
| Panorama.SecurityRule.Source | String | The source address of the security rule. |
| Panorama.SecurityRule.CustomUrlCategory | String | The custom URL category targeted by the security rule. |
| Panorama.SecurityRule.Destination | String | The destination address of the security rule. |
| Panorama.SecurityRule.Options.LogAtSessionStart | String | Indicates whether the session start is logged. |
| Panorama.SecurityRule.Options.LogForwarding | String | Indicates whether log forwarding is enabled for the security rule. |
| Panorama.SecurityRule.Options.Schedule | String | The schedule applied to the security rule. |
| Panorama.SecurityRule.Options.QoSMarking | String | The QoS marking applied to the security rule. |
| Panorama.SecurityRule.Options.DisableServerResponseInspection | String | Specifies whether to disable server response inspection for the security rule. |
| Panorama.SecurityRule.DeviceGroup | String | The device group of the security rule (Panorama instances only). |
| Panorama.SecurityRule.Type | String | Represents the type of the security rule (e.g., pre-rule, post-rule, intra-zone, inter-zone). |

Command Example#

!pan-os-list-rules pre_post="pre-rulebase"

Context Example#

{
"Panorama": {
"SecurityRule": [
{
"DeviceGroup": "TestDevice",
"Location": "TestDevice",
"NegateDestination": "",
"Disabled": "no",
"ICMPUnreachable": "",
"Description": "",
"GroupTag": "",
"LogForwardingProfile": "",
"NegateSource": "",
"SecurityProfileGroup": "TestGroup",
"SecurityProfile": {
"url-filtering": "",
"data-filtering": "",
"file-blocking": "",
"vulnerability": "",
"wildfire-analysis": "",
"spyware": "",
"virus": ""
},
"Target": {
"devices": "007051000185487",
"negate": "no"
},
"Name": "block rule",
"Type": "",
"From": [
"TestName",
"TestName2"
],
"DestinationDevice": "any",
"Action": "drop",
"SourceDevice": "any",
"Tags": [
"TestTag1",
"TestTag2",
"TestTag3"
],
"SourceUser": "any",
"Application": [
"cortex-xdr",
"jira",
"zoom"
],
"Service": "application-default",
"To": [
"TestName",
"TestName2"
],
"Source": [
"1.1.1.1",
"8.8.4.4",
"8.8.8.8"
],
"CustomUrlCategory": [
"abortion",
"adult",
"alcohol-and-tobacco",
"hacking"
],
"Destination": [
"1.1.1.1",
"8.8.8.8"
],
"Options": {
"LogAtSessionStart": "",
"LogForwarding": "",
"Schedule": "",
"QoSMarking": "",
"DisableServerResponseInspection": ""
}
},
{
"DeviceGroup": "TestDevice",
"Location": "TestDevice",
"NegateDestination": "",
"Disabled": "",
"ICMPUnreachable": "yes",
"Description": "bbbbbbbbbb",
"GroupTag": "TestGroupTag",
"LogForwardingProfile": "Log forwarding for SA",
"NegateSource": "",
"SecurityProfileGroup": "",
"SecurityProfile": {
"url-filtering": "default",
"spyware": "testing",
"virus": "default",
"data-filtering": "",
"file-blocking": "",
"vulnerability": "",
"wildfire-analysis": ""
},
"Target": {
"devices": [
"007051000185487",
"007051000188986"
],
"negate": "no"
},
"Name": "jl-test-1",
"Type": "intrazone",
"From": "internal",
"DestinationDevice": "bad nam",
"Action": "reset-server",
"SourceDevice": "good name",
"Tags": [
"APIiiiiii",
"test2shared"
],
"SourceUser": "me",
"Application": "8x8",
"Service": [
"new group",
"service-http",
"service-https"
],
"To": "internal",
"Source": "1.1.1.1",
"CustomUrlCategory": [
"alcohol-and-tobacco",
"auctions"
],
"Destination": "my_shared_address_object_test",
"Options": {
"LogAtSessionStart": "yes",
"LogForwarding": "Log forwarding for SA",
"Schedule": "test-schedule",
"QoSMarking": "ip-precedence",
"DisableServerResponseInspection": "yes"
}
}
]
}
}

Human Readable Output#

Security Rules:#

| Name | Location | Tags | Type | Source Zone | Source Address | Source User | Source Device | Destination Zone | Destination Address | Destination Device | Application | Service | Url Category | Action | Profiles | Profile Group | Options | Target |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| block rule | TestDevice | TestTag1,<br>TestTag2,<br>TestTag3 |  | TestName,<br>TestName2 | 1.1.1.1,<br>8.8.4.4,<br>8.8.8.8 | any | any | TestName,<br>TestName2 | 1.1.1.1,<br>8.8.8.8 | any | cortex-xdr,<br>jira,<br>zoom | application-default | abortion,<br>adult,<br>alcohol-and-tobacco,<br>hacking | drop | url-filtering:<br>data-filtering:<br>file-blocking:<br>virus:<br>spyware:<br>vulnerability:<br>wildfire-analysis: | TestGroup | LogAtSessionStart:<br>LogForwarding:<br>Schedule:<br>QoSMarking:<br>DisableServerResponseInspection: | devices: 007051000185487<br>negate: no |
| jl-test-1 | TestDevice | APIiiiiii,<br>test2shared | intrazone | internal | 1.1.1.1 | me | good name | internal | my_shared_address_object_test | bad nam | 8x8 | new group,<br>service-http,<br>service-https | alcohol-and-tobacco,<br>auctions | reset-server | url-filtering: default<br>data-filtering:<br>file-blocking:<br>virus: default<br>spyware: testing<br>vulnerability:<br>wildfire-analysis: |  | LogAtSessionStart: yes<br>LogForwarding: Log forwarding for SA<br>Schedule: test-schedule<br>QoSMarking: ip-precedence<br>DisableServerResponseInspection: yes | devices: 007051000185487,<br>007051000188986<br>negate: no |
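
The context example above returns the same field as a string for one value and as a list for several (`From`, `Source`, `Application`, `Target.devices`), and shows both `"no"` and `""` in `Disabled` for rules that are not disabled. The following added example, which is not part of the integration, normalizes those shapes and flags enabled rules that lack log forwarding, and enabled `allow` rules that match `any` or carry no security profile. The finding labels and the last two sample rules are constructed for illustration.

```python
"""Audit Panorama.SecurityRule context entries as returned by pan-os-list-rules."""

# Rules 1-2 are trimmed from the Context Example above; rules 3-4 are constructed.
SAMPLE_CONTEXT = {"Panorama": {"SecurityRule": [
    {"Name": "block rule", "Action": "drop", "Disabled": "no",
     "Source": ["1.1.1.1", "8.8.4.4", "8.8.8.8"], "Destination": ["1.1.1.1", "8.8.8.8"],
     "Application": ["cortex-xdr", "jira", "zoom"], "Service": "application-default",
     "SecurityProfileGroup": "TestGroup", "LogForwardingProfile": "",
     "SecurityProfile": {"url-filtering": "", "spyware": "", "virus": ""},
     "Options": {"LogForwarding": ""}},
    {"Name": "jl-test-1", "Action": "reset-server", "Disabled": "",
     "Source": "1.1.1.1", "Destination": "my_shared_address_object_test",
     "Application": "8x8", "Service": ["new group", "service-http", "service-https"],
     "SecurityProfileGroup": "", "LogForwardingProfile": "Log forwarding for SA",
     "SecurityProfile": {"url-filtering": "default", "spyware": "testing",
                         "virus": "default", "file-blocking": ""},
     "Options": {"LogForwarding": "Log forwarding for SA"}},
    {"Name": "any - any accept", "Action": "allow", "Disabled": "no",
     "Source": "any", "Destination": "any", "Application": "any",
     "Service": "application-default", "SecurityProfileGroup": "",
     "LogForwardingProfile": "", "SecurityProfile": {}, "Options": {}},
    {"Name": "old allow (constructed)", "Action": "allow", "Disabled": "yes",
     "Source": "any", "Destination": "any", "Application": "any", "Service": "any"},
]}}

# Match fields checked for the literal value "any" on allow rules.
PERMISSIVE_FIELDS = ("Source", "Destination", "Application", "Service")


def as_list(value):
    """Return a list whether the context held "", a single string, or a list."""
    if value is None or value == "":
        return []
    if isinstance(value, list):
        return [v for v in value if v != ""]
    return [value]


def is_enabled(rule):
    """Only an explicit "yes" marks a rule disabled; "no" and "" both mean enabled."""
    return str(rule.get("Disabled", "")).lower() != "yes"


def inspection_profiles(rule):
    """List the profile group and the individual profiles attached to a rule."""
    attached = []
    if rule.get("SecurityProfileGroup"):
        attached.append("group:" + rule["SecurityProfileGroup"])
    profile = rule.get("SecurityProfile") or {}
    if isinstance(profile, dict):
        attached += [f"{kind}:{name}" for kind, name in sorted(profile.items()) if name]
    return attached


def audit_rule(rule):
    """Return the finding labels (hypothetical names) that apply to one rule."""
    findings = []
    if not is_enabled(rule):
        return findings
    options = rule.get("Options") or {}
    if not (rule.get("LogForwardingProfile") or options.get("LogForwarding")):
        findings.append("no-log-forwarding")
    if rule.get("Action") != "allow":
        return findings
    for field in PERMISSIVE_FIELDS:
        if "any" in as_list(rule.get(field)):
            findings.append("any-" + field.lower())
    if not inspection_profiles(rule):
        findings.append("no-security-profile")
    return findings


def audit_context(context):
    """Map each rule name to its findings."""
    rules = context.get("Panorama", {}).get("SecurityRule", [])
    if isinstance(rules, dict):
        # Defensive assumption: accept a single rule object as well as a list.
        rules = [rules]
    return {rule.get("Name", "<unnamed>"): audit_rule(rule) for rule in rules}


if __name__ == "__main__":
    for name, findings in audit_context(SAMPLE_CONTEXT).items():
        print(f"{name}: {', '.join(findings) or 'no findings'}")
```
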

pan-os-query-logs#


Queries logs in Panorama.

Base Command#

pan-os-query-logs

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| log-type | The log type. Can be "threat", "traffic", "wildfire", "url", or "data". Possible values are: threat, traffic, wildfire, url, data. | Required |
| query | The query string by which to match criteria for the logs. This is similar to the query provided in the web interface under the Monitor tab when viewing the logs. | Optional |
| time-generated | The time the log was generated from the timestamp and prior to it. For example "2019/08/11 01:10:44", 3 days ago. | Optional |
| time-generated-after | The time the log was generated from the timestamp and later than it. For example "2019/08/11 01:10:44", 3 days ago. | Optional |
| addr-src | The source address. | Optional |
| addr-dst | The destination address. | Optional |
| ip | The source or destination IP address. | Optional |
| zone-src | The source zone. | Optional |
| zone-dst | The destination zone. | Optional |
| action | The rule action. | Optional |
| port-dst | The destination port. | Optional |
| rule | The rule name, for example "Allow all outbound". | Optional |
| url | The URL, for example "safebrowsing.googleapis.com". | Optional |
| filedigest | The file hash (for WildFire logs only). | Optional |
| number_of_logs | The maximum number of logs to retrieve. If empty, the default is 100. The maximum is 5,000. Default is 100. | Optional |
| polling | Whether to use polling. Possible values are: true, false. Default is false. | Optional |
| timeout | The timeout (in seconds) when polling. Default is 120. | Optional |
| interval_in_seconds | The interval (in seconds) when polling. Default is 10. | Optional |
| show-detail | Whether to show only after-change-preview, and before-change-preview, or get full data for it. The full data are under the fields after-change-detail, and before-change-detail. Possible values are: yes, no. Default is no. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Panorama.Monitor.JobID | String | The job ID of the logs query. |
| Panorama.Monitor.Status | String | The status of the logs query. |
| Panorama.Monitor.Message | String | The message of the logs query. |
| Panorama.Monitor.Logs.Action | String | The action taken for the session. Can be "alert", "allow", "deny", "drop", "drop-all-packets", "reset-client", "reset-server", "reset-both", or "block-url". |
| Panorama.Monitor.Logs.Application | String | The application associated with the session. |
| Panorama.Monitor.Logs.Category | String | The URL category of the URL subtype. For WildFire subtype, it is the verdict on the file, and can be either "malicious", "phishing", "grayware", or "benign". For other subtypes, the value is "any". |
| Panorama.Monitor.Logs.DeviceName | String | The hostname of the firewall on which the session was logged. |
| Panorama.Monitor.Logs.DestinationAddress | String | The original session destination IP address. |
| Panorama.Monitor.Logs.DestinationUser | String | The username of the user to which the session was destined. |
| Panorama.Monitor.Logs.DestinationCountry | String | The destination country or internal region for private addresses. Maximum length is 32 bytes. |
| Panorama.Monitor.Logs.DestinationPort | String | The destination port utilized by the session. |
| Panorama.Monitor.Logs.FileDigest | String | Only for the WildFire subtype, all other types do not use this field. The filedigest string shows the binary hash of the file sent to be analyzed by the WildFire service. |
| Panorama.Monitor.Logs.FileName | String | File name or file type when the subtype is file. File name when the subtype is virus. File name when the subtype is wildfire-virus. File name when the subtype is wildfire. |
| Panorama.Monitor.Logs.FileType | String | Only for the WildFire subtype, all other types do not use this field. Specifies the type of file that the firewall forwarded for WildFire analysis. |
| Panorama.Monitor.Logs.FromZone | String | The zone from which the session was sourced. |
| Panorama.Monitor.Logs.URLOrFilename | String | The actual URL when the subtype is url. The file name or file type when the subtype is file. The file name when the subtype is virus. The file name when the subtype is wildfire-virus. The file name when the subtype is wildfire. The URL or file name when the subtype is vulnerability (if applicable). |
| Panorama.Monitor.Logs.NATDestinationIP | String | The post-NAT destination IP address if destination NAT was performed. |
| Panorama.Monitor.Logs.NATDestinationPort | String | The post-NAT destination port. |
| Panorama.Monitor.Logs.NATSourceIP | String | The post-NAT source IP address if source NAT was performed. |
| Panorama.Monitor.Logs.NATSourcePort | String | The post-NAT source port. |
| Panorama.Monitor.Logs.PCAPid | String | The packet capture (pcap) ID is a 64 bit unsigned integral denoting an ID to correlate threat pcap files with extended pcaps taken as a part of that flow. All threat logs will contain either a pcap_id of 0 (no associated pcap), or an ID referencing the extended pcap file. |
| Panorama.Monitor.Logs.IPProtocol | String | The IP protocol associated with the session. |
| Panorama.Monitor.Logs.Recipient | String | Only for the WildFire subtype, all other types do not use this field. Specifies the name of the receiver of an email that WildFire determined to be malicious when analyzing an email link forwarded by the firewall. |
| Panorama.Monitor.Logs.Rule | String | The name of the rule that the session matched. |
| Panorama.Monitor.Logs.RuleID | String | The ID of the rule that the session matched. |
| Panorama.Monitor.Logs.ReceiveTime | String | The time the log was received at the management plane. |
| Panorama.Monitor.Logs.Sender | String | Only for the WildFire subtype; all other types do not use this field. Specifies the name of the sender of an email that WildFire determined to be malicious when analyzing an email link forwarded by the firewall. |
| Panorama.Monitor.Logs.SessionID | String | An internal numerical identifier applied to each session. |
| Panorama.Monitor.Logs.DeviceSN | String | The serial number of the firewall on which the session was logged. |
| Panorama.Monitor.Logs.Severity | String | The severity associated with the threat. Can be "informational", "low", "medium", "high", or "critical". |
| Panorama.Monitor.Logs.SourceAddress | String | The original session source IP address. |
| Panorama.Monitor.Logs.SourceCountry | String | The source country or internal region for private addresses. Maximum length is 32 bytes. |
| Panorama.Monitor.Logs.SourceUser | String | The username of the user who initiated the session. |
| Panorama.Monitor.Logs.SourcePort | String | The source port utilized by the session. |
| Panorama.Monitor.Logs.ThreatCategory | String | The threat categories used to classify different types of threat signatures. |
| Panorama.Monitor.Logs.Name | String | The Palo Alto Networks identifier for the threat. A description string followed by a 64-bit numerical identifier. |
| Panorama.Monitor.Logs.ID | String | The Palo Alto Networks ID for the threat. |
| Panorama.Monitor.Logs.ToZone | String | The zone to which the session was destined. |
| Panorama.Monitor.Logs.TimeGenerated | String | The time the log was generated on the data plane. |
| Panorama.Monitor.Logs.URLCategoryList | String | A list of the URL filtering categories the firewall used to enforce the policy. |
| Panorama.Monitor.Logs.Bytes | String | The total log bytes. |
| Panorama.Monitor.Logs.BytesReceived | String | The log bytes received. |
| Panorama.Monitor.Logs.BytesSent | String | The log bytes sent. |
| Panorama.Monitor.Logs.Vsys | String | The VSYS on the firewall that generated the log. |

Command example with polling#

!pan-os-query-logs log-type=traffic number_of_logs=1 polling=true show-detail=yes

Context example#

{
"Panorama": {
"Monitor": {
"JobID": "1291",
"LogType": "traffic",
"Logs": {
"TimeGenerated": "2019/07/24 08:50:24",
"SourceAddress": "1.1.1.1",
"DestinationAddress": "2.3.4.5",
"Application": "web-browsing",
"Action": "deny",
"Rule": "any - any accept"
},
"Status": "Completed"
}
}
}

Human Readable Output#

Fetching traffic logs for job ID 1291...

Query traffic Logs:#

| TimeGenerated | SourceAddress | DestinationAddress | Application | Action | Rule |
| --- | --- | --- | --- | --- | --- |
| 2019/07/24 08:50:24 | 1.1.1.1 | 2.3.4.5 | web-browsing | deny | any - any accept |

Command example without polling#

!pan-os-query-logs log-type=traffic number_of_logs=1

Context Example#

{
"Panorama": {
"Monitor": {
"JobID": "1283",
"LogType": "traffic",
"Message": "query job enqueued with jobid 1283",
"Status": "Pending"
}
}
}

Human Readable Output#

Query Logs:#

| JobID | Status |
| --- | --- |
| 1283 | Pending |

pan-os-check-logs-status#


Checks the status of a logs query.

Base Command#

pan-os-check-logs-status

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| job_id | Job ID of the query. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Panorama.Monitor.JobID | String | Job ID of the logs query. |
| Panorama.Monitor.Status | String | Status of the logs query. |

Command Example#

!pan-os-check-logs-status job_id=657

Human Readable Output#

Query Logs Status:#

| JobID | Status |
| --- | --- |
| 657 | Completed |

pan-os-get-logs#


Retrieves the data of a logs query.

Base Command#

pan-os-get-logs

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| job_id | Job ID of the query. | Required |
| ignore_auto_extract | Whether to auto-enrich the War Room entry. If "true", entry is not auto-enriched. If "false", entry is auto-extracted. Default is "true". | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Panorama.Monitor.Logs.Action | String | Action taken for the session. Can be "alert", "allow", "deny", "drop", "drop-all-packets", "reset-client", "reset-server", "reset-both", or "block-url". |
| Panorama.Monitor.Logs.Application | String | Application associated with the session. |
| Panorama.Monitor.Logs.Category | String | The URL category of the URL subtype. For WildFire subtype, it is the verdict on the file, and can be either "malicious", "phishing", "grayware", or "benign". For other subtypes, the value is "any". |
| Panorama.Monitor.Logs.DeviceName | String | The hostname of the firewall on which the session was logged. |
| Panorama.Monitor.Logs.DestinationAddress | String | Original session destination IP address. |
| Panorama.Monitor.Logs.DestinationUser | String | Username of the user to which the session was destined. |
| Panorama.Monitor.Logs.DestinationCountry | String | Destination country or internal region for private addresses. Maximum length is 32 bytes. |
| Panorama.Monitor.Logs.DestinationPort | String | Destination port utilized by the session. |
| Panorama.Monitor.Logs.FileDigest | String | Only for the WildFire subtype, all other types do not use this field. The file digest string shows the binary hash of the file sent to be analyzed by the WildFire service. |
| Panorama.Monitor.Logs.FileName | String | File name or file type when the subtype is file. File name when the subtype is virus. File name when the subtype is wildfire-virus. File name when the subtype is wildfire. |
| Panorama.Monitor.Logs.FileType | String | Only for the WildFire subtype, all other types do not use this field. Specifies the type of file that the firewall forwarded for WildFire analysis. |
| Panorama.Monitor.Logs.FromZone | String | The zone from which the session was sourced. |
| Panorama.Monitor.Logs.URLOrFilename | String | The actual URL when the subtype is url. File name or file type when the subtype is file. File name when the subtype is virus. File name when the subtype is wildfire-virus. File name when the subtype is wildfire. URL or file name when the subtype is vulnerability (if applicable). |
| Panorama.Monitor.Logs.NATDestinationIP | String | If destination NAT performed, the post-NAT destination IP address. |
| Panorama.Monitor.Logs.NATDestinationPort | String | Post-NAT destination port. |
| Panorama.Monitor.Logs.NATSourceIP | String | If source NAT performed, the post-NAT source IP address. |
| Panorama.Monitor.Logs.NATSourcePort | String | Post-NAT source port. |
| Panorama.Monitor.Logs.PCAPid | String | The packet capture (pcap) ID is a 64 bit unsigned integral denoting an ID to correlate threat pcap files with extended pcaps taken as a part of that flow. All threat logs will contain either a pcap_id of 0 (no associated pcap), or an ID referencing the extended pcap file. |
| Panorama.Monitor.Logs.IPProtocol | String | IP protocol associated with the session. |
| Panorama.Monitor.Logs.Recipient | String | Only for the WildFire subtype, all other types do not use this field. Specifies the name of the receiver of an email that WildFire determined to be malicious when analyzing an email link forwarded by the firewall. |
| Panorama.Monitor.Logs.Rule | String | Name of the rule that the session matched. |
| Panorama.Monitor.Logs.RuleID | String | ID of the rule that the session matched. |
| Panorama.Monitor.Logs.ReceiveTime | String | Time the log was received at the management plane. |
| Panorama.Monitor.Logs.Sender | String | Only for the WildFire subtype; all other types do not use this field. Specifies the name of the sender of an email that WildFire determined to be malicious when analyzing an email link forwarded by the firewall. |
| Panorama.Monitor.Logs.SessionID | String | An internal numerical identifier applied to each session. |
| Panorama.Monitor.Logs.DeviceSN | String | The serial number of the firewall on which the session was logged. |
| Panorama.Monitor.Logs.Severity | String | Severity associated with the threat. Can be "informational", "low", "medium", "high", or "critical". |
| Panorama.Monitor.Logs.SourceAddress | String | Original session source IP address. |
| Panorama.Monitor.Logs.SourceCountry | String | Source country or internal region for private addresses. Maximum length is 32 bytes. |
| Panorama.Monitor.Logs.SourceUser | String | Username of the user who initiated the session. |
| Panorama.Monitor.Logs.SourcePort | String | Source port utilized by the session. |
| Panorama.Monitor.Logs.ThreatCategory | String | Describes threat categories used to classify different types of threat signatures. |
| Panorama.Monitor.Logs.Name | String | Palo Alto Networks identifier for the threat. It is a description string followed by a 64-bit numerical identifier. |
| Panorama.Monitor.Logs.ID | String | Palo Alto Networks ID for the threat. |
| Panorama.Monitor.Logs.ToZone | String | The zone to which the session was destined. |
| Panorama.Monitor.Logs.TimeGenerated | String | Time that the log was generated on the dataplane. |
| Panorama.Monitor.Logs.URLCategoryList | String | A list of the URL filtering categories that the firewall used to enforce the policy. |
| Panorama.Monitor.Logs.Bytes | String | Total log bytes. |
| Panorama.Monitor.Logs.BytesReceived | String | Log bytes received. |
| Panorama.Monitor.Logs.BytesSent | String | Log bytes sent. |
| Panorama.Monitor.Logs.Vsys | String | Vsys on the firewall that generated the log. |

Command Example#

!pan-os-get-logs job_id=678

Human Readable Output#

Query data Logs:#

| TimeGenerated | SourceAddress | DestinationAddress | Application | Action | Rule |
| --- | --- | --- | --- | --- | --- |
| 2019/07/24 08:50:24 | 1.1.1.1 | 2.3.4.5 | web-browsing | deny | any - any accept |

pan-os-security-policy-match#


Checks whether a session matches a specified security policy. This command is only available on Firewall instances.

Base Command#

pan-os-security-policy-match

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| application | The application name. | Optional |
| category | The category name. | Optional |
| destination | The destination IP address. | Required |
| destination-port | The destination port. | Optional |
| from | The from zone. | Optional |
| to | The to zone. | Optional |
| protocol | The IP protocol value. | Required |
| source | The source IP address. | Required |
| source-user | The source user. | Optional |
| target | Target number of the firewall. Use only on a Panorama instance. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Panorama.SecurityPolicyMatch.Query | String | Query for the session to test. |
| Panorama.SecurityPolicyMatch.Rules.Name | String | The matching rule name. |
| Panorama.SecurityPolicyMatch.Rules.Action | String | The matching rule action. |
| Panorama.SecurityPolicyMatch.Rules.Category | String | The matching rule category. |
| Panorama.SecurityPolicyMatch.Rules.Destination | String | The matching rule destination. |
| Panorama.SecurityPolicyMatch.Rules.From | String | The matching rule from zone. |
| Panorama.SecurityPolicyMatch.Rules.Source | String | The matching rule source. |
| Panorama.SecurityPolicyMatch.Rules.To | String | The matching rule to zone. |
| Panorama.SecurityPolicyMatch.QueryFields.Application | String | The application name. |
| Panorama.SecurityPolicyMatch.QueryFields.Category | String | The category name. |
| Panorama.SecurityPolicyMatch.QueryFields.Destination | String | The destination IP address. |
| Panorama.SecurityPolicyMatch.QueryFields.DestinationPort | Number | The destination port. |
| Panorama.SecurityPolicyMatch.QueryFields.From | String | The from zone. |
| Panorama.SecurityPolicyMatch.QueryFields.To | String | The to zone. |
| Panorama.SecurityPolicyMatch.QueryFields.Protocol | String | The IP protocol value. |
| Panorama.SecurityPolicyMatch.QueryFields.Source | String | The source IP address. |
| Panorama.SecurityPolicyMatch.QueryFields.SourceUser | String | The source user. |

Command Example#

!pan-os-security-policy-match destination=1.2.3.4 protocol=1 source=2.3.4.5

Context Example#

{
"Panorama": {
"SecurityPolicyMatch": {
"Query": "<test><security-policy-match><source>2.3.4.5</source><destination>1.2.3.4</destination><protocol>1</protocol></security-policy-match></test>",
"QueryFields": {
"Destination": "1.2.3.4",
"Protocol": "1",
"Source": "2.3.4.5"
},
"Rules": {
"Action": "allow",
"Category": "any",
"Destination": "any",
"From": "any",
"Name": "any - any accept",
"Source": "any",
"To": "any"
}
}
}
}

Human Readable Output#

Matching Security Policies:#

| Name | Action | From | To | Source | Destination |
| --- | --- | --- | --- | --- | --- |
| any - any accept | allow | any | any | any | any |

pan-os-list-static-routes#


Lists the static routes of a virtual router.

Base Command#

pan-os-list-static-routes

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| virtual_router | The name of the virtual router for which to list static routes. | Required |
| template | The template to use to run the command. Overrides the template parameter (Panorama instances). | Optional |
| show_uncommitted | Whether to show an uncommitted configuration. Default is "false". | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Panorama.StaticRoutes.Name | String | The name of the static route. |
| Panorama.StaticRoutes.BFDProfile | String | The BFD profile of the static route. |
| Panorama.StaticRoutes.Destination | String | The destination of the static route. |
| Panorama.StaticRoutes.Metric | Number | The metric (port) of the static route. |
| Panorama.StaticRoutes.NextHop | String | The next hop of the static route. Can be an IP address, FQDN, or a virtual router. |
| Panorama.StaticRoutes.RouteTable | String | The route table of a static route. |
| Panorama.StaticRoutes.VirtualRouter | String | The virtual router to which the static route belongs. |
| Panorama.StaticRoutes.Template | String | The template in which the static route is defined (Panorama instances only). |
| Panorama.StaticRoutes.Uncommitted | Boolean | Whether the static route is committed. |

Command Example#

!pan-os-list-static-routes virtual_router=virtual_router_test_DONT_DELETE

Context Example#

{
"Panorama": {
"StaticRoutes": [
{
"BFDprofile": "None",
"Destination": "2.3.4.5/32",
"Metric": 14,
"Name": "static_route_ip",
"NextHop": "3.3.3.3",
"RouteTable": "Unicast",
"VirtualRouter": "virtual_router_test_DONT_DELETE"
},
{
"Destination": "1.1.1.1/32",
"Metric": 1012,
"Name": "test_maya",
"NextHop": "3.3.3.3",
"VirtualRouter": "virtual_router_test_DONT_DELETE"
}
]
}
}

Human Readable Output#

Displaying all Static Routes for the Virtual Router: virtual_router_test_DONT_DELETE#

| Name | Destination | NextHop | RouteTable | Metric | BFDprofile |
| --- | --- | --- | --- | --- | --- |
| static_route_ip | 2.3.4.5/32 | 3.3.3.3 | Unicast | 14 | None |
| test_maya | 1.1.1.1/32 | 3.3.3.3 |  | 1012 |  |

pan-os-get-static-route#


Returns the specified static route of a virtual router.

Base Command#

pan-os-get-static-route

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| virtual_router | Name of the virtual router for which to display the static route. | Required |
| static_route | Name of the static route to display. | Required |
| template | The template for which to run the command. Overrides the template parameter (Panorama instances). | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Panorama.StaticRoutes.Name | String | The name of the static route. |
| Panorama.StaticRoutes.BFDProfile | String | The BFD profile of the static route. |
| Panorama.StaticRoutes.Destination | String | The destination of the static route. |
| Panorama.StaticRoutes.Metric | Number | The metric (port) of the static route. |
| Panorama.StaticRoutes.NextHop | String | The next hop of the static route. Can be an IP address, FQDN, or a virtual router. |
| Panorama.StaticRoutes.RouteTable | String | The route table of the static route. |
| Panorama.StaticRoutes.VirtualRouter | String | The virtual router to which the static route belongs. |
| Panorama.StaticRoutes.Template | String | The template in which the static route is defined (Panorama instances only). |

Command Example#

!pan-os-get-static-route static_route=static_route_ip virtual_router=virtual_router_test_DONT_DELETE

Context Example#

{
"Panorama": {
"StaticRoutes": {
"BFDprofile": "None",
"Destination": "2.3.4.5/32",
"Metric": 14,
"Name": "static_route_ip",
"NextHop": "3.3.3.3",
"RouteTable": "Unicast",
"VirtualRouter": "virtual_router_test_DONT_DELETE"
}
}
}

Human Readable Output#

Static route: static_route_ip#

| BFDprofile | Destination | Metric | Name | NextHop | RouteTable | VirtualRouter |
| --- | --- | --- | --- | --- | --- | --- |
| None | 2.3.4.5/32 | 14 | static_route_ip | 3.3.3.3 | Unicast | virtual_router_test_DONT_DELETE |

pan-os-add-static-route#


Adds a static route.

Base Command#

pan-os-add-static-route

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| virtual_router | Virtual Router to which the routes will be added. | Required |
| static_route | The name of the static route to add. The argument is limited to a maximum of 31 characters, is case-sensitive, and supports letters, numbers, spaces, hyphens, and underscores. | Required |
| destination | The IP address and network mask in Classless Inter-domain Routing (CIDR) notation: ip_address/mask. For example, 192.168.0.1/24 for IPv4 or 2001:db8::/32 for IPv6. | Required |
| nexthop_type | The type for the nexthop. Can be: "ip-address", "next-vr", "fqdn" or "discard". | Required |
| nexthop_value | The next hop value. | Required |
| metric | The metric port for the static route (1-65535). | Optional |
| interface | The interface name in which to add the static route. | Optional |
| template | The template to use to run the command. Overrides the template parameter (Panorama instances). | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Panorama.StaticRoutes.Name | String | The name of the static route. |
| Panorama.StaticRoutes.BFDProfile | String | The BFD profile of the static route. |
| Panorama.StaticRoutes.Destination | String | The destination of the static route. |
| Panorama.StaticRoutes.Metric | Number | The metric (port) of the static route. |
| Panorama.StaticRoutes.NextHop | String | The next hop of the static route. Can be an IP address, FQDN, or a virtual router. |
| Panorama.StaticRoutes.RouteTable | String | The route table of the static route. |
| Panorama.StaticRoutes.VirtualRouter | String | The virtual router to which the static route belongs. |
| Panorama.StaticRoutes.Template | String | The template in which the static route is defined (Panorama instances only). |

Command Example#

!pan-os-add-static-route destination=2.3.4.5/32 nexthop_type="ip-address" nexthop_value=3.3.3.3 static_route=my_temp_route virtual_router=virtual_router_test_DONT_DELETE

Context Example#

{
"Panorama": {
"StaticRoutes": {
"@code": "20",
"@status": "success",
"msg": "command succeeded"
}
}
}

Human Readable Output#

New uncommitted static route my_temp_route configuration added.

pan-os-delete-static-route#


Deletes a static route.

Base Command#

pan-os-delete-static-route

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| route_name | The name of the static route to delete. | Required |
| virtual_router | The virtual router from which the routes will be deleted. | Required |
| template | The template to use to run the command. Overrides the template parameter (Panorama instances). | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Panorama.StaticRoutes.Name | String | The name of the static route. |
| Panorama.StaticRoutes.BFDProfile | String | The BFD profile of the static route. |
| Panorama.StaticRoutes.Destination | String | The destination of the static route. |
| Panorama.StaticRoutes.Metric | Number | The metric (port) of the static route. |
| Panorama.StaticRoutes.NextHop | String | The next hop of the static route. Can be an IP address, FQDN, or a virtual router. |
| Panorama.StaticRoutes.RouteTable | String | The route table of the static route. |
| Panorama.StaticRoutes.VirtualRouter | String | The virtual router to which the static route belongs. |
| Panorama.StaticRoutes.Template | String | The template in which the static route is defined (Panorama instances only). |
| Panorama.StaticRoutes.Deleted | Boolean | Whether the static route was deleted. |

Command Example#

!pan-os-delete-static-route route_name=my_temp_route virtual_router=virtual_router_test_DONT_DELETE

Context Example#

{
"Panorama": {
"StaticRoutes": {
"Deleted": true,
"Name": "my_temp_route"
}
}
}

Human Readable Output#

The static route: my_temp_route was deleted. Changes are not committed.

pan-os-show-device-version#


Show firewall device software version.

Base Command#

pan-os-show-device-version

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| target | Serial number of the firewall on which to run the command. Use only for a Panorama instance. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Panorama.Device.Info.Devicename | String | Devicename of the PAN-OS. |
| Panorama.Device.Info.Model | String | Model of the PAN-OS. |
| Panorama.Device.Info.Serial | String | Serial number of the PAN-OS. |
| Panorama.Device.Info.Version | String | Version of the PAN-OS. |

Command Example#

!pan-os-show-device-version

Context Example#

{
"Panorama": {
"Device": {
"Info": {
"Devicename": "PA-VM",
"Model": "PA-VM",
"Serial": "000000000000000",
"Version": "8.1.7"
}
}
}
}

Human Readable Output#

Device Version:#

| Devicename | Model | Serial | Version |
| --- | --- | --- | --- |
| PA-VM | PA-VM | 000000000000000 | 8.1.7 |

pan-os-download-latest-content-update#


Downloads the latest content update.

Base Command#

pan-os-download-latest-content-update

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| target | Serial number of the firewall on which to run the command. Use only for a Panorama instance. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Panorama.Content.Download.JobID | String | Job ID of the content download. |
| Panorama.Content.Download.Status | String | Content download status. |

Command Example#

!pan-os-download-latest-content-update

Human Readable Output#

Content download:#

| JobID | Status |
| --- | --- |
| 657 | Pending |

pan-os-content-update-download-status#


Checks the download status of a content update.

Base Command#

pan-os-content-update-download-status

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| target | Serial number of the firewall on which to run the command. Use only for a Panorama instance. | Optional |
| job_id | Job ID to check. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Panorama.Content.Download.JobID | String | Job ID to monitor. |
| Panorama.Content.Download.Status | String | Download status. |
| Panorama.Content.Download.Details | String | Job ID details. |

Command Example#

!pan-os-content-update-download-status job_id=678

Human Readable Output#

Content download status:#

| JobID | Status | Details |
| --- | --- | --- |
| 678 | Completed | download succeeded with warnings |

pan-os-install-latest-content-update#


Installs the latest content update.

Base Command#

pan-os-install-latest-content-update

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| target | Serial number of the firewall on which to run the command. Use only for a Panorama instance. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Panorama.Content.Install.JobID | String | Job ID of the installation. |
| Content.Install.Status | String | Installation status. |

Command Example#

!pan-os-install-latest-content-update

Human Readable Output#

Result:#

| JobID | Status |
| --- | --- |
| 878 | Pending |

pan-os-content-update-install-status#


Gets the installation status of the content update.

Base Command#

pan-os-content-update-install-status

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| target | Serial number of the firewall on which to run the command. Use only for a Panorama instance. | Optional |
| job_id | Job ID of the content installation. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Panorama.Content.Install.JobID | String | Job ID of the content installation. |
| Panorama.Content.Install.Status | String | Content installation status. |
| Panorama.Content.Install.Details | String | Content installation status details. |

Command Example#

!pan-os-content-update-install-status job_id=878

Human Readable Output#

Content install status:#

| JobID | Status | Details |
| --- | --- | --- |
| 878 | Completed | installation succeeded with warnings |
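
The four content-update commands above form one sequence: download, wait for the download job, install, wait for the install job. The following added example (not part of the integration's code) runs them in that order and collects any Details text that mentions warnings. `execute(command, args)` is a hypothetical callable that runs one integration command and returns its context output as a dict; `FakeFirewall` is a constructed stand-in that replays the outputs shown above.

```python
"""Added example: run the content-update commands above in a safe order."""
import time

DOWNLOAD = ("Panorama", "Content", "Download")
INSTALL = ("Panorama", "Content", "Install")
STEPS = (
    ("pan-os-download-latest-content-update",
     "pan-os-content-update-download-status", DOWNLOAD),
    ("pan-os-install-latest-content-update",
     "pan-os-content-update-install-status", INSTALL),
)


class JobError(RuntimeError):
    """A job ended in a state other than Completed, or never finished."""


def dig(context, path):
    """Walk a nested context dict along path; missing keys give {}."""
    node = context
    for key in path:
        node = node.get(key, {}) if isinstance(node, dict) else {}
    return node if isinstance(node, dict) else {}


def wait_for_job(execute, status_command, job_id, path,
                 max_polls=30, interval=10, sleep=time.sleep):
    """Poll a status command until the job leaves Pending."""
    for _ in range(max_polls):
        job = dig(execute(status_command, {"job_id": job_id}), path)
        status = str(job.get("Status", "")).lower()
        if status == "completed":
            return job
        if status != "pending":
            # Assumption: only Pending and Completed appear on the page,
            # so any other value is treated as a failure.
            raise JobError(f"{status_command} job {job_id}: status {status!r}")
        sleep(interval)
    raise JobError(f"{status_command} job {job_id}: still pending "
                   f"after {max_polls} polls")


def update_content(execute, **poll):
    """Download, wait, install, wait; the install never starts early."""
    jobs = []
    for start, status, path in STEPS:
        job_id = dig(execute(start, {}), path).get("JobID")
        if not job_id:
            raise JobError(f"{start}: no JobID in context output")
        jobs.append(wait_for_job(execute, status, job_id, path, **poll))
    warnings = [job["Details"] for job in jobs
                if "warning" in str(job.get("Details", "")).lower()]
    return {"jobs": jobs, "warnings": warnings}


class FakeFirewall:
    """Constructed stand-in for the integration (sample data only)."""

    def __init__(self, pending_polls=2):
        self.calls = []          # command names, in the order they were run
        self.pending_polls = pending_polls
        self.polls = {}

    def __call__(self, command, args):
        self.calls.append(command)
        if command == "pan-os-download-latest-content-update":
            return {"Panorama": {"Content": {
                "Download": {"JobID": "657", "Status": "Pending"}}}}
        if command == "pan-os-install-latest-content-update":
            return {"Panorama": {"Content": {
                "Install": {"JobID": "878", "Status": "Pending"}}}}
        if "download" in command:
            kind, word = "Download", "download"
        else:
            kind, word = "Install", "installation"
        seen = self.polls[command] = self.polls.get(command, 0) + 1
        job = {"JobID": args["job_id"], "Status": "Pending"}
        if seen > self.pending_polls:
            job.update(Status="Completed",
                       Details=f"{word} succeeded with warnings")
        return {"Panorama": {"Content": {kind: job}}}
```

A Details value that mentions warnings is returned to the caller rather than discarded, so it can be reviewed before the update is treated as clean.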

pan-os-check-latest-panos-software#


Checks the PAN-OS software version from the repository.

Base Command#

pan-os-check-latest-panos-software

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| target | Serial number of the firewall on which to run the command. Use only for a Panorama instance. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Panorama.LatestVersions | unknown | Latest software versions. |

Command Example#

!pan-os-check-latest-panos-software

pan-os-download-panos-version#


Downloads the target PAN-OS software version to install on the target device.

Base Command#

pan-os-download-panos-version

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| target | Serial number of the firewall on which to run the command. Use only for a Panorama instance. | Optional |
| target_version | The target version number to install. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Panorama.PANOS.Download.JobID | Number | Job ID of the PAN-OS download. |
| Panorama.PANOS.Download.Status | String | Status of the PAN-OS download. |

Command Example#

!pan-os-download-panos-version target_version=1

Human Readable Output#

Result:#

| JobID | Status |
| --- | --- |
| 111 | Pending |

pan-os-download-panos-status#


Gets the download status of the target PAN-OS software.

Base Command#

pan-os-download-panos-status

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| target | Serial number of the firewall on which to run the command. Use only for a Panorama instance. | Optional |
| job_id | Job ID to check. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Panorama.PANOS.Download.JobID | String | Job ID of the PAN-OS download. |
| Panorama.PANOS.Download.Status | String | PAN-OS download status. |
| Panorama.PANOS.Download.Details | String | PAN-OS download details. |

Command Example#

!pan-os-download-panos-status job_id=999

Human Readable Output#

PAN-OS download status:#

| JobID | Status | Details |
| --- | --- | --- |
| 999 | Completed | download succeeded with warnings |

pan-os-install-panos-version#


Installs the target PAN-OS version on the specified target device.

Base Command#

pan-os-install-panos-version

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| target | Serial number of the firewall on which to run the command. Use only for a Panorama instance. | Optional |
| target_version | Target PAN-OS version to install. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Panorama.PANOS.Install.JobID | string | Job ID from the PAN-OS installation. |
| Panorama.PANOS.Install.Status | String | Status of the PAN-OS installation. |

Command Example#

!pan-os-install-panos-version target_version=1

Human Readable Output#

PAN-OS Installation:#

| JobID | Status |
| --- | --- |
| 111 | Pending |

pan-os-install-panos-status#


Gets the installation status of the PAN-OS software.

Base Command#

pan-os-install-panos-status

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| target | Serial number of the firewall on which to run the command. Use only for a Panorama instance. | Optional |
| job_id | Job ID to check. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Panorama.PANOS.Install.JobID | Number | Job ID of the PAN-OS installation. |
| Panorama.PANOS.Install.Status | String | Status of the PAN-OS installation. |
| Panorama.PANOS.Install.Details | String | PAN-OS installation details. |

Command Example#

!pan-os-install-panos-status job_id=878

Human Readable Output#

PAN-OS installation status:#

| JobID | Status | Details |
| --- | --- | --- |
| 878 | Completed | installation succeeded with warnings |

pan-os-device-reboot#


Reboots the Firewall device.

Base Command#

pan-os-device-reboot

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| target | Serial number of the firewall on which to run the command. Use only for a Panorama instance. | Optional |

Context Output#

There is no context output for this command.

Command Example#

!pan-os-device-reboot

pan-os-show-location-ip#


Gets location information for an IP address.

Base Command#

pan-os-show-location-ip

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| ip_address | The IP address from which to return information. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Panorama.Location.IP.country_code | String | The IP address location country code. |
| Panorama.Location.IP.country_name | String | The IP address location country name. |
| Panorama.Location.IP.ip_address | String | The IP address. |
| Panorama.Location.IP.Status | String | Whether the IP address was found. |

Command Example#

!pan-os-show-location-ip ip_address=8.8.8.8

Context Example#

{
"Panorama": {
"Location": {
"IP": {
"country_code": "US",
"country_name": "United States",
"ip_address": "8.8.8.8",
"status": "Found"
}
}
}
}

Human Readable Output#

IP 8.8.8.8 location:#

| ip_address | country_name | country_code |
| --- | --- | --- |
| 8.8.8.8 | United States | US |

pan-os-get-licenses#


Gets information about available PAN-OS licenses and their statuses.

Base Command#

pan-os-get-licenses

Input#

There are no input arguments for this command.

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Panorama.License.Authcode | String | The authentication code of the license. |
| Panorama.License.Base-license-name | String | The base license name. |
| Panorama.License.Description | String | The description of the license. |
| Panorama.License.Expired | String | Whether the license has expired. |
| Panorama.License.Expires | String | When the license will expire. |
| Panorama.License.Feature | String | The feature of the license. |
| Panorama.License.Issued | String | When the license was issued. |
| Panorama.License.Serial | String | The serial number of the license. |

Command Example#

!pan-os-get-licenses

Human Readable Output#

| Authcode | Description | Feature | Serial | Expired | Expires | Issued |
| --- | --- | --- | --- | --- | --- | --- |
| I9805928 | NFR Support | NFR Support | 007DEMISTO1t | no | Never | November 25, 2019 |

pan-os-get-security-profiles#


Gets information for the specified security profile.

Base Command#

pan-os-get-security-profiles

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| security_profile | The security profile for which to get information. Possible values are: data-filtering, file-blocking, spyware, url-filtering, virus, vulnerability, wildfire-analysis. | Optional |
| device-group | The device group for which to return security profiles. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Panorama.Spyware.Name | String | The profile name. |
| Panorama.Spyware.Rules.Action | String | The rule action. |
| Panorama.Spyware.Rules.Category | String | The category for which to apply the rule. |
| Panorama.Spyware.Rules.Name | String | The rule name. |
| Panorama.Spyware.Rules.Packet-capture | String | Whether packet capture is enabled. |
| Panorama.Spyware.Rules.Severity | String | The rule severity. |
| Panorama.Spyware.Rules.Threat-name | String | The threat name to apply for the rule. |
| Panorama.URLFilter.Name | String | The profile name. |
| Panorama.URLFilter.Rules.Category.Action | String | The rule action to apply to the category. |
| Panorama.URLFilter.Rules.Category.Name | String | The category name. |
| Panorama.WildFire.Name | String | The WildFire profile name. |
| Panorama.WildFire.Rules.Analysis | String | The rule analysis. |
| Panorama.WildFire.Rules.Application | String | The application to apply for the rule. |
| Panorama.WildFire.Rules.File-type | String | The file type to apply for the rule. |
| Panorama.WildFire.Rules.Name | String | The rule name. |
| Panorama.Vulnerability.Name | String | The vulnerability profile name. |
| Panorama.Vulnerability.Rules.Vendor-id | String | The vendor ID to apply for the rule. |
| Panorama.Vulnerability.Rules.Packet-capture | String | Whether packet capture is enabled. |
| Panorama.Vulnerability.Rules.Host | String | The rule host. |
| Panorama.Vulnerability.Rules.Name | String | The rule name. |
| Panorama.Vulnerability.Rules.Category | String | The category to apply for the rule. |
| Panorama.Vulnerability.Rules.CVE | String | The CVE to apply for the rule. |
| Panorama.Vulnerability.Rules.Action | String | The rule action. |
| Panorama.Vulnerability.Rules.Severity | String | The rule severity. |
| Panorama.Vulnerability.Rules.Threat-name | String | The threat to apply for the rule. |
| Panorama.Antivirus.Name | String | The antivirus profile name. |
| Panorama.Antivirus.Rules.Action | String | The rule action. |
| Panorama.Antivirus.Rules.Name | String | The rule name. |
| Panorama.Antivirus.Rules.WildFire-action | String | The WildFire action. |
| Panorama.FileBlocking.Name | String | The file blocking profile name. |
| Panorama.FileBlocking.Rules.Action | String | The rule action. |
| Panorama.FileBlocking.Rules.Application | String | The application to apply for the rule. |
| Panorama.FileBlocking.Rules.File-type | String | The file type to apply for the rule. |
| Panorama.FileBlocking.Rules.Name | String | The rule name. |
| Panorama.DataFiltering.Name | String | The data filtering profile name. |
| Panorama.DataFiltering.Rules.Alert-threshold | String | The alert threshold. |
| Panorama.DataFiltering.Rules.Application | String | The application to apply for the rule. |
| Panorama.DataFiltering.Rules.Block-threshold | String | The block threshold. |
| Panorama.DataFiltering.Rules.Data-object | String | The data object. |
| Panorama.DataFiltering.Rules.Direction | String | The rule direction. |
| Panorama.DataFiltering.Rules.File-type | String | The file type to apply for the rule. |
| Panorama.DataFiltering.Rules.Log-severity | String | The log severity. |
| Panorama.DataFiltering.Rules.Name | String | The rule name. |

Command Example#

!pan-os-get-security-profiles security_profile=spyware

Human Readable Output#

| Name | Rules |
| --- | --- |
| best-practice | {'Name': 'simple-critical', 'Action': {'reset-both': None}, 'Category': 'any', 'Severity': 'critical', 'Threat-name': 'any', 'Packet-capture': 'disable'}, {'Name': 'simple-high', 'Action': {'reset-both': None}, 'Category': 'any', 'Severity': 'high', 'Threat-name': 'any', 'Packet-capture': 'disable'}, {'Name': 'simple-medium', 'Action': {'reset-both': None}, 'Category': 'any', 'Severity': 'medium', 'Threat-name': 'any', 'Packet-capture': 'disable'}, {'Name': 'simple-informational', 'Action': {'default': None}, 'Category': 'any', 'Severity': 'informational', 'Threat-name': 'any', 'Packet-capture': 'disable'}, {'Name': 'simple-low', 'Action': {'default': None}, 'Category': 'any', 'Severity': 'low', 'Threat-name': 'any', 'Packet-capture': 'disable'} |
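
The following added example (not part of the integration's code) compares a spyware profile, in the Panorama.Spyware shape shown above, with the severity-to-action mapping of the best-practice profile in that output. The helper names and the `lab-spyware` profile are constructed for illustration; rules are assumed to carry a `Severity` of one value, a list, or `any`.

```python
"""Added example: audit a spyware profile against the best-practice rules above."""

SEVERITIES = ("critical", "high", "medium", "low", "informational")

# Severity -> action, copied from the 'best-practice' profile output above.
BASELINE = {
    "critical": "reset-both",
    "high": "reset-both",
    "medium": "reset-both",
    "low": "default",
    "informational": "default",
}


def as_list(value):
    """Context data can hold a single dict where a list is expected."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def action_name(action):
    """Normalise {'reset-both': None}, 'reset-both: null' or 'reset-both'."""
    if isinstance(action, dict):
        return next(iter(action), None)
    if isinstance(action, str):
        return action.split(":", 1)[0].strip() or None
    return None


def rule_severities(rule):
    """Severities a rule applies to; 'any' expands to all of them."""
    values = {str(s).lower() for s in as_list(rule.get("Severity"))}
    if "any" in values:
        return set(SEVERITIES)
    return values & set(SEVERITIES)


def audit_profile(profile, baseline=BASELINE):
    """Return findings for severities that are uncovered or deviate."""
    covering = {sev: [] for sev in SEVERITIES}
    for rule in as_list(profile.get("Rules")):
        for sev in rule_severities(rule):
            covering[sev].append(
                (rule.get("Name"), action_name(rule.get("Action"))))

    findings = []
    for sev in SEVERITIES:
        expected = baseline[sev]
        if not covering[sev]:
            findings.append({"severity": sev, "rule": None,
                             "action": None, "expected": expected})
        # Every covering rule is checked, so a deviation is reported even
        # when another rule for the same severity matches the baseline.
        for name, action in covering[sev]:
            if action != expected:
                findings.append({"severity": sev, "rule": name,
                                 "action": action, "expected": expected})
    return findings


def _rule(name, action, severity):
    return {"Name": name, "Action": action, "Category": "any",
            "Severity": severity, "Threat-name": "any",
            "Packet-capture": "disable"}


# The profile from the output above.
BEST_PRACTICE = {"Name": "best-practice", "Rules": [
    _rule("simple-critical", {"reset-both": None}, "critical"),
    _rule("simple-high", {"reset-both": None}, "high"),
    _rule("simple-medium", {"reset-both": None}, "medium"),
    _rule("simple-informational", {"default": None}, "informational"),
    _rule("simple-low", {"default": None}, "low"),
]}

# Constructed sample: critical threats only alert, medium and below have no rule.
LAB_SPYWARE = {"Name": "lab-spyware", "Rules": [
    _rule("crit-alert", {"alert": None}, "critical"),
    _rule("high-reset", "reset-both: null", "high"),
]}

if __name__ == "__main__":
    for finding in audit_profile(LAB_SPYWARE):
        print(finding)
```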

pan-os-apply-security-profile#


Apply a security profile to specific rules or rules with a specific tag.

Base Command#

pan-os-apply-security-profile

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| profile_type | Security profile type. Can be 'data-filtering', 'file-blocking', 'spyware', 'url-filtering', 'virus', 'vulnerability', or 'wildfire-analysis'. | Required |
| rule_name | The rule name to apply. | Required |
| profile_name | The profile name to apply to the rule. | Required |
| pre_post | The location of the rules. Can be 'pre-rulebase' or 'post-rulebase'. Mandatory for Panorama instances. | Optional |
| device-group | The device group for which to apply security profiles. | Optional |

Context Output#

There is no context output for this command.

Command Example#

!pan-os-apply-security-profile profile_name=test profile_type=spyware rule_name=rule1 pre_post="pre-rulebase"

Human Readable Output#

The profile spyware = test has been applied to the rule rule1

pan-os-remove-security-profile#


Removes a security profile from specific rules or rules with a specific tag.

Base Command#

pan-os-remove-security-profile

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| profile_type | The security profile type. Possible values are: data-filtering, file-blocking, spyware, url-filtering, virus, vulnerability, wildfire-analysis. | Required |
| rule_name | The rule name to apply. | Required |
| pre_post | The location of the rules. Mandatory for Panorama instances. Possible values are: pre-rulebase, post-rulebase. | Optional |
| device-group | The device group for which to apply security profiles. | Optional |

Human Readable Output#

The profile test has been removed from the rule rule1

pan-os-get-ssl-decryption-rules#


Get SSL decryption rules.

Base Command#

pan-os-get-ssl-decryption-rules

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| pre_post | The location of the rules. Can be 'pre-rulebase' or 'post-rulebase'. Mandatory for Panorama instances. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Panorama.SSLRule.From | String | The SSL rule from the source. |
| Panorama.SSLRule.Name | String | The name of the SSL rule. |
| Panorama.SSLRule.Destination | String | The destination of the SSL rule. |
| Panorama.SSLRule.Target | String | The target of the SSL rule. |
| Panorama.SSLRule.Service | String | The SSL rule service. |
| Panorama.SSLRule.Action | String | The SSL rule action. |
| Panorama.SSLRule.Type | String | The SSL rule type. |
| Panorama.SSLRule.Source | String | The source of the SSL rule. |
| Panorama.SSLRule.To | String | The SSL rule to destination. |
| Panorama.SSLRule.UUID | String | The SSL rule UUID. |
| Panorama.SSLRule.Description | String | The SSL rule description. |
| Panorama.SSLRule.Source-user | String | The SSL rule source user. |
| Panorama.SSLRule.Category | String | The SSL rule category. |

Command Example#

!pan-os-get-ssl-decryption-rules pre_post="pre-rulebase"

Human Readable Output#

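| Name | UUID | Target | Service | Category | Type | From | To | Source | Destenation | Action | Source-user |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| test | some_uuid | negate: no | any | member: any | ssl-forward-proxy: null | any | any | any | any | no-decrypt | any |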

pan-os-get-wildfire-configuration#


Retrieves the Wildfire configuration.

Base Command#

pan-os-get-wildfire-configuration

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| template | The template name. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Panorama.WildFire.Name | String | The file type. |
| Panorama.WildFire.Size-limit | String | The file size limit. |
| Panorama.WildFire.recurring | String | The schedule that is recurring. |

Command Example#

!pan-os-get-wildfire-configuration template=WildFire

WildFire Configuration#

Report Grayware File: yes

| Name | Size-limit |
| --- | --- |
| pe | 10 |
| apk | 30 |

The updated schedule for Wildfire#

| recurring |
| --- |
| every-min: {"action": "download-and-install"} |

pan-os-url-filtering-block-default-categories#


Set default categories to block in the URL filtering profile.

Base Command#

pan-os-url-filtering-block-default-categories

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| profile_name | The url-filtering profile name. Get the name by running the get-security-profiles command. | Required |

Context Output#

There is no context output for this command.

Command Example#

!pan-os-url-filtering-block-default-categories profile_name=test

Human Readable Output#

The default categories to block has been set successfully to test

pan-os-get-anti-spyware-best-practice#


Get anti-spyware best practices.

Base Command#

pan-os-get-anti-spyware-best-practice

Input#

There are no input arguments for this command.

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Panorama.Spyware.BotentDomain.Name | String | The botnet domain name. |
| Panorama.Spyware.BotentDomain.Action | String | The botnet domain action. |
| Panorama.Spyware.BotentDomain.Packet-capture | String | Whether packet capture is enabled. |
| Panorama.Spyware.BotentDomain.Sinkhole.ipv4-address | String | The botnet domain IPv4 address. |
| Panorama.Spyware.BotentDomain.Sinkhole.ipv6-address | String | The Botnet domain IPv6 address. |
| Panorama.Spyware.Rule.Category | String | The rule category. |
| Panorama.Spyware.Rule.Action | String | The rule action. |
| Panorama.Spyware.Rule.Name | String | The rule name. |
| Panorama.Spyware.Rule.Severity | String | The rule severity. |
| Panorama.Spyware.Rule.Threat-name | String | The rule threat name. |
| Panorama.Spyware.BotentDomain.Max_version | String | The botnet domain max version. |

Command Example#

!pan-os-get-anti-spyware-best-practice

Human Readable Output#

Anti Spyware Botnet-Domains Best Practice#

| Name | Action | Packet-capture | ipv4-address | ipv6-address |
| --- | --- | --- | --- | --- |
| default-paloalto-dns | sinkhole: null | disable | | |
| default-paloalto-cloud | allow: null | disable | | |
| | | | pan-sinkhole-default-ip | ::1 |

Anti Spyware Best Practice Rules#

| Name | Severity | Action | Category | Threat-name |
| --- | --- | --- | --- | --- |
| simple-critical | critical | reset-both: null | any | any |
| simple-high | high | reset-both: null | any | any |

pan-os-get-file-blocking-best-practice#


Get file-blocking best practices.

Base Command#

pan-os-get-file-blocking-best-practice

Input#

There are no input arguments for this command.

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Panorama.FileBlocking.Rule.Action | String | The rule action. |
| Panorama.FileBlocking.Rule.Application | String | The rule application. |
| Panorama.FileBlocking.Rule.File-type | String | The rule file type. |
| Panorama.FileBlocking.Rule.Name | String | The rule name. |

Command Example#

!pan-os-get-file-blocking-best-practice

Human Readable Output#

File Blocking Profile Best Practice#

| Name | Action | File-type | Aplication |
| --- | --- | --- | --- |
| Block all risky file types | block | 7z, bat, cab, chm, class, cpl | any |
| Block encrypted files | block | encrypted-rar, encrypted-zip | any |

pan-os-get-antivirus-best-practice#


Get anti-virus best practices.

Base Command#

pan-os-get-antivirus-best-practice

Input#

There are no input arguments for this command.

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Panorama.Antivirus.Decoder.Action | String | The rule action. |
| Panorama.Antivirus.Decoder.Name | String | The rule name. |
| Panorama.Antivirus.Decoder.WildFire-action | String | The WildFire action. |

Command Example#

!pan-os-get-antivirus-best-practice

Human Readable Output#

Antivirus Best Practice Profile#

| Name | Action | WildFire-action |
| --- | --- | --- |
| http | default | default |
| smtp | default | default |

pan-os-get-vulnerability-protection-best-practice#


Get vulnerability-protection best practices.

Base Command#

pan-os-get-vulnerability-protection-best-practice

Input#

There are no input arguments for this command.

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Panorama.Vulnerability.Rule.Action | String | The rule action. |
| Panorama.Vulnerability.Rule.CVE | String | The rule CVE. |
| Panorama.Vulnerability.Rule.Category | String | The rule category. |
| Panorama.Vulnerability.Rule.Host | String | The rule host. |
| Panorama.Vulnerability.Rule.Name | String | The rule name. |
| Panorama.Vulnerability.Rule.Severity | String | The rule severity. |
| Panorama.Vulnerability.Rule.Threat-name | String | The threat name. |
| Panorama.Vulnerability.Rule.Vendor-id | String | The vendor ID. |

Command Example#

!pan-os-get-vulnerability-protection-best-practice

Human Readable Output#

vulnerability Protection Best Practice Profile#

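| Name | Action | Host | Severity | Category | Threat-name | CVE | Vendor-id |
| --- | --- | --- | --- | --- | --- | --- | --- |
| simple-client-critical | reset-both: null | client | critical | any | any | any | any |
| simple-client-high | reset-both: null | client | high | any | any | any | any |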

pan-os-get-wildfire-best-practice#


View WildFire best practices.

Base Command#

pan-os-get-wildfire-best-practice

Input#

There are no input arguments for this command.

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Panorama.WildFire.Analysis | String | The WildFire analysis. |
| Panorama.WildFire.Application | String | The WildFire application. |
| Panorama.WildFire.File.File-size | String | The recommended file size. |
| Panorama.WildFire.File.Name | String | The file name. |
| Panorama.WildFire.File-type | String | The WildFire profile file type. |
| Panorama.WildFire.Name | String | The WildFire profile name. |
| Panorama.WildFire.SSLDecrypt | String | The SSL decrypt content. |
| Panorama.WildFire.Schedule.Action | String | The WildFire schedule action. |
| Panorama.WildFire.Schedule.Recurring | String | The WildFire schedule recurring. |

Command Example#

!pan-os-get-wildfire-best-practice

Human Readable Output#

WildFire Best Practice Profile#

| Name | Analysis | Aplication | File-type |
| --- | --- | --- | --- |
| default | public-cloud | any | any |

Wildfire Best Practice Schedule#

| Action | Recurring |
| --- | --- |
| download-and-install | every-minute |

Wildfire SSL Decrypt Settings#

| allow-forward-decrypted-content |
| --- |
| yes |

Wildfire System Settings#

report-grayware-file: yes

| Name | File-size |
| --- | --- |
| pe | 10 |
| apk | 30 |

pan-os-get-url-filtering-best-practice#


View URL Filtering best practices.

Base Command#

pan-os-get-url-filtering-best-practice

Input#

There are no input arguments for this command.

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Panorama.URLFilter.Category.Action | String | The action to perform on the category. |
| Panorama.URLFilter.Category.Name | String | The category name. |
| Panorama.URLFilter.DeviceGroup | String | The device group name. |
| Panorama.URLFilter.Name | String | The Profile name. |
| Panorama.URLFilter.Header.log-container-page-only | String | The log container page only. |
| Panorama.URLFilter.Header.log-http-hdr-referer | String | The log HTTP header referer. |
| Panorama.URLFilter.Header.log-http-hdr-user | String | The log HTTP header user. |
| Panorama.URLFilter.Header.log-http-hdr-xff | String | The log HTTP header xff. |

Command Example#

!pan-os-get-url-filtering-best-practice

Human Readable Output#

URL Filtering Best Practice Profile Categories#

| Category | DeviceGroup | Name |
| --- | --- | --- |
| {'Name': 'abortion', 'Action': 'alert'}, {'Name': 'abused-drugs', 'Action': 'alert'} | Demisto sales lab | best-practice |

Best Practice Headers#

| log-container-page-only | log-http-hdr-referer | log-http-hdr-user | log-http-hdr-xff |
| --- | --- | --- | --- |
| yes | yes | yes | yes |

pan-os-enforce-wildfire-best-practice#


Enforces wildfire best practices to upload files to the maximum size, forwards all file types, and updates the schedule.

Base Command#

pan-os-enforce-wildfire-best-practice

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| template | The template name. | Required |

Context Output#

There is no context output for this command.

Command Example#

!pan-os-enforce-wildfire-best-practice template=WildFire

Human Readable Output#

The schedule was updated according to the best practice. Recurring every minute with the action of "download and install" The file upload for all file types is set to the maximum size.

pan-os-create-antivirus-best-practice-profile#


Creates an antivirus best practice profile.

Base Command#

pan-os-create-antivirus-best-practice-profile

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| profile_name | The name of the profile to create. | Required |

Context Output#

There is no context output for this command.

Command Example#

!pan-os-create-antivirus-best-practice-profile profile_name=test

Human Readable Output#

The profile test was created successfully.

pan-os-create-anti-spyware-best-practice-profile#


Creates an Anti-Spyware best practice profile.

Base Command#

pan-os-create-anti-spyware-best-practice-profile

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| profile_name | The profile name to create. | Required |

Context Output#

There is no context output for this command.

Command Example#

!pan-os-create-anti-spyware-best-practice-profile profile_name=test

Human Readable Output#

The profile test was created successfully.

pan-os-create-vulnerability-best-practice-profile#


Creates a vulnerability protection best practice profile.

Base Command#

pan-os-create-vulnerability-best-practice-profile

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| profile_name | The profile name. | Required |

Context Output#

There is no context output for this command.

Command Example#

!pan-os-create-vulnerability-best-practice-profile profile_name=test

Human Readable Output#

The profile test was created successfully.

pan-os-create-url-filtering-best-practice-profile#


Creates a URL filtering best practice profile.

Base Command#

pan-os-create-url-filtering-best-practice-profile

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| profile_name | The profile name. | Required |

Context Output#

There is no context output for this command.

Command Example#

!pan-os-create-url-filtering-best-practice-profile profile_name=test

Human Readable Output#

The profile test was created successfully.

pan-os-create-file-blocking-best-practice-profile#


Creates a file blocking best practice profile.

Base Command#

pan-os-create-file-blocking-best-practice-profile

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| profile_name | The name of the profile. | Required |

Context Output#

There is no context output for this command.

Command Example#

!pan-os-create-file-blocking-best-practice-profile profile_name=test

Human Readable Output#

The profile test was created successfully.

pan-os-create-wildfire-best-practice-profile#


Creates a WildFire analysis best practice profile.

Base Command#

pan-os-create-wildfire-best-practice-profile

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| profile_name | The name of the profile. | Required |

Context Output#

There is no context output for this command.

Command Example#

!pan-os-create-wildfire-best-practice-profile profile_name=test

Human Readable Output#

The profile test was created successfully.

pan-os-show-user-id-interfaces-config#


Shows the user ID interface configuration.

Base Command#

pan-os-show-user-id-interfaces-config

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| template | The template to use when running the command. Overrides the template parameter (Panorama instances). If not given, will use the integration parameter. | Optional |
| template_stack | The template stack to use when running the command. | Optional |
| vsys | The name of the virtual system to be configured. Will use the configured VSYS parameter if exists. If given a value, will override the VSYS parameter. If neither the VSYS parameter nor this argument is entered, will default to 'vsys1'. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Panorama.UserInterfaces.Name | String | The name of the user interface. |
| Panorama.UserInterfaces.Zone | String | The zone to which the interface is connected. |
| Panorama.UserInterfaces.EnableUserIdentification | String | Whether user identification is enabled. |

Command Example#

!pan-os-show-user-id-interfaces-config

Context Example#

{
"Panorama": {
"UserInterfaces": {
"EnableUserIdentification": "no",
"Name": "ethernet1/1",
"Zone": "test_zone"
}
}
}

Human Readable Output#

User Interface Configuration:#

| Name | Zone | EnableUserIdentification |
| --- | --- | --- |
| ethernet1/1 | test_zone | no |

pan-os-show-zones-config#


Shows the zones configuration.

Base Command#

pan-os-show-zones-config

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| template | The template to use when running the command. Overrides the template parameter (Panorama instances). If not given, will use the integration parameter. | Optional |
| template_stack | The template stack to use when running the command. | Optional |
| vsys | The name of the virtual system to be configured. Will use the configured VSYS parameter if exists. If given a value, will override the VSYS parameter. If neither the VSYS parameter nor this argument is entered, will default to 'vsys1'. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Panorama.Zone.Name | String | The name of the zone. |
| Panorama.Zone.Network | String | The network to which the zone is connected. |
| Panorama.Zone.EnableUserIdentification | String | Whether user identification is enabled. |
| Panorama.Zone.ZoneProtectionProfile | String | The zone protection profile. |
| Panorama.Zone.LogSetting | String | The log setting for the zone. |

Command Example#

!pan-os-show-zones-config

Context Example#

{
"Panorama": {
"Zone": {
"EnableUserIdentification": "no",
"LogSetting": null,
"Name": "test_zone",
"Network": {
"tap": {
"member": "ethernet1/1"
}
},
"ZoneProtectionProfile": null
}
}
}

Human Readable Output#

Zone Configuration:#

| Name | Network | EnableUserIdentification |
| --- | --- | --- |
| test_zone | tap: {"member": "ethernet1/1"} | no |

pan-os-list-configured-user-id-agents#


Retrieves a list of user-ID agents configured in the system.

Base Command#

pan-os-list-configured-user-id-agents

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| template | The template to use when running the command. Overrides the template parameter (Panorama instances). If not given, will use the integration parameter. | Optional |
| template_stack | The template stack to use when running the command. | Optional |
| vsys | The name of the virtual system to be configured. Will use the configured VSYS parameter if exists. If given a value, will override the VSYS parameter. If neither the VSYS parameter nor this argument is entered, will default to 'vsys1'. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Panorama.UserIDAgents.Name | String | The user-ID Agent name. |
| Panorama.UserIDAgents.Host | String | The user-ID Agent host. |
| Panorama.UserIDAgents.Port | Number | The user-ID Agent port. |
| Panorama.UserIDAgents.LdapProxy | String | Whether LDAP proxy is used in the user-ID agent. |
| Panorama.UserIDAgents.NtlmAuth | String | Whether NTLM authentication is used in the user-ID agent. |
| Panorama.UserIDAgents.EnableHipCollection | String | Whether HIP collection is enabled in the user-ID agent. |
| Panorama.UserIDAgents.IpUserMapping | String | Whether IP user mapping is enabled in the user-ID agent. |
| Panorama.UserIDAgents.SerialNumber | Unknown | The serial number associated with the user-ID agent. |
| Panorama.UserIDAgents.CollectorName | String | The user-ID agent collector name. |
| Panorama.UserIDAgents.Secret | String | The user-ID agent secret. |
| Panorama.UserIDAgents.Disabled | String | Whether the user-ID agent is disabled. |

Command Example#

!pan-os-list-configured-user-id-agents

Context Example#

{
"Panorama": {
"UserIDAgents": [
{
"CollectorName": "demisto",
"Disabled": "yes",
"EnableHipCollection": null,
"Host": "mine",
"IpUserMapping": null,
"LdapProxy": "yes",
"Name": "testing",
"NtlmAuth": "yes",
"Port": "12",
"Secret": "secret",
"SerialNumber": null
},
{
"CollectorName": null,
"Disabled": null,
"EnableHipCollection": null,
"Host": null,
"IpUserMapping": null,
"LdapProxy": null,
"Name": "withSerial",
"NtlmAuth": null,
"Port": null,
"Secret": null,
"SerialNumber": "panorama"
}
]
}
}

Human Readable Output#

User ID Agents:#

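| Name | SerialNumber | Host | Port | CollectorName | LdapProxy | NtlmAuth |
| --- | --- | --- | --- | --- | --- | --- |
| testing | | mine | 12 | demisto | yes | yes |
| withSerial | panorama | | | | | |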

pan-os-upload-content-update-file#


Uploads a content file to Panorama.

Base Command#

pan-os-upload-content-update-file

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| entryID | Entry ID of the file to upload. | Required |
| category | The category of the content. Possible values are: wildfire, anti-virus, content. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Panorama.Content.Upload.Status | string | Content upload status. |
| Panorama.Content.Upload.Message | string | Content upload message. |

Command Example#

pan-os-upload-content-update-file entryID="32@14183" category="content"

Human Readable Output#

Results#

| Status | Message |
| --- | --- |
| Success | line: <file_name> saved |

pan-os-install-file-content-update#


Installs specific content update file.

Base Command#

pan-os-install-file-content-update

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| version_name | Update file name to be installed on PAN-OS. | Required |
| category | The category of the content. Possible values are: wildfire, anti-virus, content. | Required |
| skip_validity_check | Skips file validity check with PAN-OS update server. Use this option for air-gapped networks and only if you trust the content file. Possible values are: yes, no. Default is no. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Panorama.Content.Install.JobID | string | JobID of the installation. |
| Panorama.Content.Install.Status | string | Installation status. |

Command Example#

pan-os-install-file-content-update version_name="panupv2-all-contents-8322-6317" category="content" skip_validity_check="yes"

Human Readable Output#

Results#

| JobID | Status |
| --- | --- |
| 30 | Pending |

pan-os-platform-get-arp-tables#


Gets all ARP tables from all firewalls in the topology.

Base Command#

pan-os-platform-get-arp-tables

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| device_filter_string | String by which to filter the results to only show specific hostnames or serial numbers. | Optional |
| target | Single serial number to target with this command | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| PANOS.ShowArp.Summary.hostid | String | ID of the PAN-OS host |
| PANOS.ShowArp.Summary.max | String | Maximum number of supported ARP entries. |
| PANOS.ShowArp.Summary.total | String | Total number of current ARP entries. |
| PANOS.ShowArp.Summary.timeout | String | ARP entry timeout. |
| PANOS.ShowArp.Summary.dp | String | Firewall dataplane associated with the entry. |
| PANOS.ShowArp.Result.hostid | String | ID of the PAN-OS host. |
| PANOS.ShowArp.Result.interface | String | Network interface learned ARP entry. |
| PANOS.ShowArp.Result.ip | String | Layer 3 address. |
| PANOS.ShowArp.Result.mac | String | Layer 2 address. |
| PANOS.ShowArp.Result.port | String | Network interface matching entry. |
| PANOS.ShowArp.Result.status | String | ARP entry status. |
| PANOS.ShowArp.Result.ttl | String | Time to live. |

Command example#

!pan-os-platform-get-arp-tables

Context Example#

{
"PANOS": {
"ShowArp": {
"Result": [
{
"hostid": "0111112222333444",
"interface": "ethernet1/1",
"ip": "192.168.1.1",
"mac": "00:66:4b:da:ce:61",
"port": "ethernet1/1",
"status": " c ",
"ttl": "1799"
},
{
"hostid": "0111112222333444",
"interface": "ethernet1/1",
"ip": "1.1.1.1",
"mac": "00:0c:29:31:bf:8b",
"port": "ethernet1/1",
"status": " c ",
"ttl": "991"
},
{
"hostid": "0111112222333444",
"interface": "ethernet1/1",
"ip": "192.168.1.11",
"mac": "4c:32:75:c2:b2:49",
"port": "ethernet1/1",
"status": " c ",
"ttl": "533"
},
{
"hostid": "0111112222333444",
"interface": "ethernet1/1",
"ip": "192.168.1.12",
"mac": "28:f0:76:79:63:b0",
"port": "ethernet1/1",
"status": " c ",
"ttl": "1721"
},
{
"hostid": "0111112222333444",
"interface": "ethernet1/1",
"ip": "192.168.1.13",
"mac": "a8:60:b6:20:ba:5c",
"port": "ethernet1/1",
"status": " c ",
"ttl": "1723"
},
{
"hostid": "0111112222333444",
"interface": "ethernet1/1",
"ip": "192.168.1.14",
"mac": "20:79:18:93:5a:94",
"port": "ethernet1/1",
"status": " c ",
"ttl": "19"
},
{
"hostid": "0111112222333444",
"interface": "ethernet1/1",
"ip": "192.168.1.15",
"mac": "68:ff:7b:2e:ef:f2",
"port": "ethernet1/1",
"status": " c ",
"ttl": "1396"
},
{
"hostid": "0111112222333444",
"interface": "ethernet1/1",
"ip": "192.168.1.16",
"mac": "00:d8:61:52:b2:ee",
"port": "ethernet1/1",
"status": " c ",
"ttl": "794"
},
{
"hostid": "0111112222333444",
"interface": "ethernet1/2",
"ip": "10.10.0.12",
"mac": "00:0c:29:ba:d7:d2",
"port": "ethernet1/2",
"status": " c ",
"ttl": "1558"
}
],
"Summary": [
{
"dp": "dp0",
"hostid": "0111112222333444",
"max": "1500",
"timeout": "1800",
"total": "9"
}
]
}
}
}

Human Readable Output#

PAN-OS ARP Table#

| dp | hostid | max | timeout | total |
| --- | --- | --- | --- | --- |
| dp0 | 0111112222333444 | 1500 | 1800 | 9 |
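
The following Python code is an added example, not part of the integration or its documentation. It reviews the PANOS.ShowArp context returned by this command for three conditions a defender usually checks: one IP resolving to more than one MAC on the same firewall, one MAC answering for many IPs on an interface, and ARP table utilization approaching `max`. The function name, the thresholds and the sample entries are assumptions constructed for illustration.

```python
from collections import defaultdict

HOST = "0111112222333444"


def _row(ip, mac, interface="ethernet1/1", hostid=HOST):
    """Build one entry in the shape of PANOS.ShowArp.Result (constructed data)."""
    return {"hostid": hostid, "interface": interface, "ip": ip, "mac": mac,
            "port": interface, "status": "  c  ", "ttl": "1799"}


# Constructed sample. The duplicate-IP and multi-IP entries are invented.
SAMPLE_ARP_CONTEXT = {"PANOS": {"ShowArp": {
    "Result": [
        _row("192.168.1.1", "00:66:4b:da:ce:61"),
        _row("192.168.1.11", "4c:32:75:c2:b2:49"),
        _row("192.168.1.11", "02:00:00:AA:BB:01"),   # same IP, second MAC
        _row("10.10.0.12", "02:00:00:aa:bb:02", "ethernet1/2"),
        _row("10.10.0.13", "02:00:00:aa:bb:02", "ethernet1/2"),
        _row("10.10.0.14", "02:00:00:aa:bb:02", "ethernet1/2"),
    ],
    "Summary": [{"dp": "dp0", "hostid": HOST, "max": "1500",
                 "timeout": "1800", "total": "1300"}],
}}}


def find_arp_anomalies(context, max_ips_per_mac=2, utilization_threshold=0.8):
    """Return ARP findings grouped by type; every value is read defensively."""
    arp = (context.get("PANOS") or {}).get("ShowArp") or {}
    ip_to_macs = defaultdict(set)   # (hostid, ip) -> MACs seen for that IP
    mac_to_ips = defaultdict(set)   # (hostid, interface, mac) -> IPs it answers for

    for row in arp.get("Result") or []:
        ip = (row.get("ip") or "").strip()
        mac = (row.get("mac") or "").strip().lower()
        if not ip or not mac:
            continue
        hostid = str(row.get("hostid") or "")
        interface = str(row.get("interface") or "")
        # Key on the firewall as well: separate firewalls may reuse private ranges.
        ip_to_macs[(hostid, ip)].add(mac)
        mac_to_ips[(hostid, interface, mac)].add(ip)

    findings = {"ip_conflicts": [], "multi_ip_macs": [], "table_pressure": []}

    for (hostid, ip), macs in sorted(ip_to_macs.items()):
        if len(macs) > 1:
            findings["ip_conflicts"].append(
                {"hostid": hostid, "ip": ip, "macs": sorted(macs)})

    # Routers, load balancers and proxy ARP legitimately own several IPs, so
    # treat these as leads to review against an allow list, not as alerts.
    for (hostid, interface, mac), ips in sorted(mac_to_ips.items()):
        if len(ips) > max_ips_per_mac:
            findings["multi_ip_macs"].append(
                {"hostid": hostid, "interface": interface, "mac": mac,
                 "ips": sorted(ips)})

    # Summary values arrive as strings; skip rows that cannot be parsed.
    for summary in arp.get("Summary") or []:
        try:
            total, limit = int(summary["total"]), int(summary["max"])
        except (KeyError, TypeError, ValueError):
            continue
        if limit > 0 and total / limit >= utilization_threshold:
            findings["table_pressure"].append(
                {"hostid": str(summary.get("hostid") or ""),
                 "dp": summary.get("dp"),
                 "utilization": round(total / limit, 3)})
    return findings


if __name__ == "__main__":
    for kind, items in find_arp_anomalies(SAMPLE_ARP_CONTEXT).items():
        print(kind, items)
```
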

pan-os-platform-get-route-summary#


Pulls all route summary information from the topology.

Base Command#

pan-os-platform-get-route-summary

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| device_filter_string | String by which to filter the results to only show specific hostnames or serial numbers. | Optional |
| target | Single serial number to target with this command | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| PANOS.ShowRouteSummary.Summary.hostid | Number | ID of the PAN-OS host. |
| PANOS.ShowRouteSummary.Summary.total | Number | Total number of routes. |
| PANOS.ShowRouteSummary.Summary.limit | Number | Maximum number of routes for the platform. |
| PANOS.ShowRouteSummary.Summary.active | Number | Active routes in the routing table. |

Command example#

!pan-os-platform-get-route-summary

Context Example#

{
"PANOS": {
"ShowRouteSummary": {
"Summary": [
{
"active": 5,
"hostid": "0111112222333444",
"limit": 2500,
"total": 5
}
]
}
}
}

Human Readable Output#

PAN-OS Route Summary#

| active | hostid | limit | total |
| --- | --- | --- | --- |
| 5 | 0111112222333444 | 2500 | 5 |

pan-os-platform-get-routes#


Pulls all route information from the topology.

Base Command#

pan-os-platform-get-routes

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| device_filter_string | String by which to filter the results to only show specific hostnames or serial numbers. | Optional |
| target | Single serial number to target with this command | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| PANOS.ShowRoute.Summary.hostid | String | ID of the PAN-OS host. |
| PANOS.ShowRoute.Summary.interface | String | Next hop interface. |
| PANOS.ShowRoute.Summary.route_count | Number | Total number of routes seen on the virtual router interface. |
| PANOS.ShowRoute.Result.hostid | String | ID of the PAN-OS host. |
| PANOS.ShowRoute.Result.virtual_router | String | Virtual router this route belongs to. |
| PANOS.ShowRoute.Result.destination | String | Network destination of the route. |
| PANOS.ShowRoute.Result.nexthop | String | Next hop to destination. |
| PANOS.ShowRoute.Result.metric | String | Route metric. |
| PANOS.ShowRoute.Result.flags | String | Route flags. |
| PANOS.ShowRoute.Result.age | Number | Age of the route. |
| PANOS.ShowRoute.Result.interface | String | Next hop interface. |
| PANOS.ShowRoute.Result.route_table | String | The route table this route belongs to. |

Command example#

!pan-os-platform-get-routes

Context Example#

{
"PANOS": {
"ShowRoute": {
"Result": [
{
"age": null,
"destination": "0.0.0.0/0",
"flags": "A S ",
"hostid": "0111112222333444",
"interface": "ethernet1/1",
"metric": "10",
"nexthop": "192.168.1.1",
"route_table": "unicast",
"virtual_router": "default"
},
{
"age": null,
"destination": "10.10.0.0/24",
"flags": "A C ",
"hostid": "0111112222333444",
"interface": "ethernet1/2",
"metric": "0",
"nexthop": "10.10.0.1",
"route_table": "unicast",
"virtual_router": "default"
},
{
"age": null,
"destination": "10.10.0.1/32",
"flags": "A H ",
"hostid": "0111112222333444",
"interface": null,
"metric": "0",
"nexthop": "0.0.0.0",
"route_table": "unicast",
"virtual_router": "default"
},
{
"age": null,
"destination": "192.168.1.0/24",
"flags": "A C ",
"hostid": "0111112222333444",
"interface": "ethernet1/1",
"metric": "0",
"nexthop": "192.168.1.139",
"route_table": "unicast",
"virtual_router": "default"
},
{
"age": null,
"destination": "192.168.1.139/32",
"flags": "A H ",
"hostid": "0111112222333444",
"interface": null,
"metric": "0",
"nexthop": "0.0.0.0",
"route_table": "unicast",
"virtual_router": "default"
}
],
"Summary": [
{
"hostid": "0111112222333444",
"interface": "ethernet1/1",
"route_count": 2
},
{
"hostid": "0111112222333444",
"interface": "ethernet1/2",
"route_count": 1
},
{
"hostid": "0111112222333444",
"interface": null,
"route_count": 2
}
]
}
}
}

Human Readable Output#

PAN-OS Routes#

| hostid | interface | route_count |
| --- | --- | --- |
| 0111112222333444 | ethernet1/1 | 2 |
| 0111112222333444 | ethernet1/2 | 1 |
| 0111112222333444 | | 2 |

pan-os-platform-get-system-info#


Gets information from all PAN-OS systems in the topology.

Base Command#

pan-os-platform-get-system-info

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| device_filter_string | String by which to filter the results to only show specific hostnames or serial numbers. | Optional |
| target | Single serial number to target with this command | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| PANOS.ShowSystemInfo.Summary.hostid | String | ID of the PAN-OS host. |
| PANOS.ShowSystemInfo.Summary.ip_address | String | Management IP address. |
| PANOS.ShowSystemInfo.Summary.sw_version | String | System software version. |
| PANOS.ShowSystemInfo.Summary.family | String | Platform family. |
| PANOS.ShowSystemInfo.Summary.model | String | Platform model. |
| PANOS.ShowSystemInfo.Summary.uptime | String | Total system uptime. |
| PANOS.ShowSystemInfo.Summary.hostname | String | System hostname. |
| PANOS.ShowSystemInfo.Result.hostid | String | ID of the PAN-OS host. |
| PANOS.ShowSystemInfo.Result.ip_address | String | Management IP address. |
| PANOS.ShowSystemInfo.Result.netmask | String | Management netmask. |
| PANOS.ShowSystemInfo.Result.mac_address | String | Management MAC address. |
| PANOS.ShowSystemInfo.Result.uptime | String | Total system uptime. |
| PANOS.ShowSystemInfo.Result.family | String | Platform family. |
| PANOS.ShowSystemInfo.Result.model | String | Platform model. |
| PANOS.ShowSystemInfo.Result.sw_version | String | System software version. |
| PANOS.ShowSystemInfo.Result.operational_mode | String | Current operational mode. |
| PANOS.ShowSystemInfo.Result.ipv6_address | String | Management IPv6 address. |
| PANOS.ShowSystemInfo.Result.default_gateway | String | Management default gateway. |
| PANOS.ShowSystemInfo.Result.public_ip_address | String | Firewall public IP address. |
| PANOS.ShowSystemInfo.Result.hostname | String | Device hostname. |
| PANOS.ShowSystemInfo.Result.av_version | String | System anti-virus version. |
| PANOS.ShowSystemInfo.Result.av_release_date | String | Release date of the antivirus content. |
| PANOS.ShowSystemInfo.Result.app_version | String | App content version. |
| PANOS.ShowSystemInfo.Result.app_release_date | String | Release date of the application content. |
| PANOS.ShowSystemInfo.Result.threat_version | String | Threat content version. |
| PANOS.ShowSystemInfo.Result.threat_release_date | String | Release date of the threat content. |
| PANOS.ShowSystemInfo.Result.wildfire_version | String | Wildfire content version. |
| PANOS.ShowSystemInfo.Result.wildfire_release_date | String | Wildfire release date. |
| PANOS.ShowSystemInfo.Result.url_filtering_version | String | URL filtering content version. |

Command example#

!pan-os-platform-get-system-info

Context Example#

{
"PANOS": {
"ShowSystemInfo": {
"Result": [
{
"app_release_date": "",
"app_version": "8475-7000",
"av_release_date": "",
"av_version": "0",
"default_gateway": "192.168.1.1",
"family": "vm",
"hostid": "0111112222333444",
"hostname": "vm-lab-fw1",
"ip_address": "2.2.2.2",
"ipv6_address": "unknown",
"mac_address": "00:0c:29:eb:35:ad",
"model": "PA-VM",
"netmask": "255.255.255.0",
"operational_mode": "normal",
"public_ip_address": "unknown",
"sw_version": "10.0.5",
"threat_release_date": "",
"threat_version": "8475-7000",
"uptime": "22 days, 0:20:49",
"url_filtering_version": "20220218.20012",
"wildfire_release_date": "",
"wildfire_version": "0"
},
{
"app_release_date": "2021/12/06 18:49:44 PST",
"app_version": "8496-7089",
"av_release_date": "",
"av_version": "0",
"default_gateway": "192.168.1.1",
"family": "pc",
"hostid": "1.1.1.1",
"hostname": "Panorama",
"ip_address": "1.1.1.1",
"ipv6_address": "unknown",
"mac_address": "00:0c:29:31:bf:8b",
"model": "Panorama",
"netmask": "255.255.255.0",
"operational_mode": "normal",
"public_ip_address": "unknown",
"sw_version": "10.0.7",
"threat_release_date": "",
"threat_version": "",
"uptime": "3 days, 13:56:06",
"url_filtering_version": "",
"wildfire_release_date": "",
"wildfire_version": "0"
}
],
"Summary": [
{
"family": "vm",
"hostid": "0111112222333444",
"hostname": "vm-lab-fw1",
"ip_address": "2.2.2.2",
"model": "PA-VM",
"sw_version": "10.0.5",
"uptime": "22 days, 0:20:49"
},
{
"family": "pc",
"hostid": "1.1.1.1",
"hostname": "Panorama",
"ip_address": "1.1.1.1",
"model": "Panorama",
"sw_version": "10.0.7",
"uptime": "3 days, 13:56:06"
}
]
}
}
}

Human Readable Output#

PAN-OS System Info#

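| family | hostid | hostname | ip_address | model | sw_version | uptime |
| --- | --- | --- | --- | --- | --- | --- |
| vm | 0111112222333444 | vm-lab-fw1 | 2.2.2.2 | PA-VM | 10.0.5 | 22 days, 0:20:49 |
| pc | 1.1.1.1 | Panorama | 1.1.1.1 | Panorama | 10.0.7 | 3 days, 13:56:06 |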

pan-os-platform-get-device-groups#


Gets the operational information of the device groups in the topology. Only device groups with associated devices are listed by this command.

Base Command#

pan-os-platform-get-device-groups

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| device_filter_string | String by which to filter the results to only show specific hostnames or serial numbers. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| PANOS.DeviceGroupOp.hostid | String | ID of the PAN-OS host. |
| PANOS.DeviceGroupOp.serial | String | Serial number of the firewall. |
| PANOS.DeviceGroupOp.connected | String | Whether the firewall is currently connected. |
| PANOS.DeviceGroupOp.hostname | String | Firewall hostname. |
| PANOS.DeviceGroupOp.last_commit_all_state_sp | String | State of the last commit. |
| PANOS.DeviceGroupOp.name | String | Device group name. |

pan-os-platform-get-template-stacks#


Gets the operational information of the template stacks in the topology.

Base Command#

pan-os-platform-get-template-stacks

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| device_filter_string | String by which to filter the results to only show specific hostnames or serial numbers. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| PANOS.TemplateStackOp.hostid | String | ID of the PAN-OS host. |
| PANOS.TemplateStackOp.serial | String | Serial number of the firewall. |
| PANOS.TemplateStackOp.connected | String | Whether the firewall is currently connected. |
| PANOS.TemplateStackOp.hostname | String | Firewall hostname. |
| PANOS.TemplateStackOp.last_commit_all_state_tpl | String | State of last commit. |
| PANOS.TemplateStackOp.name | String | Template stack name. |

Command example#

!pan-os-platform-get-template-stacks

Context Example#

{
"PANOS": {
"TemplateStackOp": [
{
"connected": "yes",
"hostid": "1.1.1.1",
"hostname": "vm-lab-fw1",
"last_commit_all_state_tpl": "commit succeeded with warnings",
"name": "LAB-STACK",
"serial": "0111112222333444"
},
{
"connected": "no",
"hostid": "1.1.1.1",
"hostname": "vm-lab-fw02",
"last_commit_all_state_tpl": "commit succeeded with warnings",
"name": "LAB-STACK",
"serial": "0111112222333455"
}
]
}
}

Human Readable Output#

PAN-OS Operational Template Stack status#

| connected | hostid | hostname | last_commit_all_state_tpl | name | serial |
| --- | --- | --- | --- | --- | --- |
| yes | 1.1.1.1 | vm-lab-fw1 | commit succeeded with warnings | LAB-STACK | 0111112222333444 |
| no | 1.1.1.1 | vm-lab-fw02 | commit succeeded with warnings | LAB-STACK | 0111112222333455 |

pan-os-platform-get-global-counters#


Gets global counter information from all the PAN-OS firewalls in the topology.

Base Command#

pan-os-platform-get-global-counters

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| device_filter_string | String by which to filter the results to only show specific hostnames or serial numbers. | Optional |
| target | Single serial number to target with this command | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| PANOS.ShowCounters.Summary.hostid | String | Host ID. |
| PANOS.ShowCounters.Summary.name | String | Human readable counter name. |
| PANOS.ShowCounters.Summary.value | Number | Current counter value. |
| PANOS.ShowCounters.Summary.rate | Number | Packets per second rate. |
| PANOS.ShowCounters.Summary.desc | String | Human readable counter description. |
| PANOS.ShowCounters.Result.hostid | String | Host ID. |
| PANOS.ShowCounters.Result.category | String | The counter category. |
| PANOS.ShowCounters.Result.name | String | Human readable counter name. |
| PANOS.ShowCounters.Result.value | Number | Current counter value. |
| PANOS.ShowCounters.Result.rate | Number | Packets per second rate. |
| PANOS.ShowCounters.Result.aspect | String | PAN-OS aspect. |
| PANOS.ShowCounters.Result.desc | String | Human readable counter description. |
| PANOS.ShowCounters.Result.id | String | Counter ID. |
| PANOS.ShowCounters.Result.severity | String | Counter severity. |

Command example#

!pan-os-platform-get-global-counters

Context Example#

{
"PANOS": {
"ShowCounters": {
"Result": [
{
"aspect": "pktproc",
"category": "packet",
"desc": "Packets received",
"hostid": "11111111111111",
"id": "17",
"name": "pkt_recv",
"rate": 15,
"severity": "info",
"value": 17981379
},
{
"aspect": "pktproc",
"category": "ssl",
"desc": "Number of failures when receiving SSL session cache msg from MP",
"hostid": "11111111111111",
"id": "3185",
"name": "ssl_sess_cache_msg_from_mp_failure",
"rate": 0,
"severity": "info",
"value": 1834071
}
],
"Summary": [
{
"desc": "Packets received",
"hostid": "11111111111111",
"name": "pkt_recv",
"rate": 15,
"value": 17981379
}
]
}
}
}

Human Readable Output#

PAN-OS Global Counters#

deschostidnameratevalue
Packets received11111111111111pkt_recv1517981379
Full Burst Packets received on retry11111111111111pkt_recv_retry0422240
Packet receive error11111111111111pkt_recv_err0225
Packets drop due to passive VM in dpdk mode11111111111111pkt_recv_flush_passive02351
Packets transmitted11111111111111pkt_sent35334628
Packets successfully transmitted to host interface11111111111111pkt_sent_host0685046
STP BPDU packets received11111111111111pkt_stp_rcv11271742
Sessions allocated11111111111111session_allocated0537466
Sessions freed11111111111111session_freed0537440
Sessions installed11111111111111session_installed0449506
Session aging timer modified by unverified RST11111111111111session_unverified_rst015579
Session is closing or closed and still receive TCP pkt11111111111111session_pkt_in_closed_state03
Session notifications retransmitted to offload processor11111111111111session_renotify03
Packets dropped: 802.1q tag not configured11111111111111flow_rcv_dot1q_tag_err024
Packets dropped: invalid interface11111111111111flow_no_interface024
Packets dropped: IPv6 disabled on interface11111111111111flow_ipv6_disabled11505760
Non-SYN TCP packets without session match11111111111111flow_tcp_non_syn083
Packets dropped: non-SYN TCP without session match11111111111111flow_tcp_non_syn_drop083
Packets dropped: unhandled IP broadcast11111111111111flow_fwd_l3_bcast_drop0254789
Packets dropped: no route for IP multicast11111111111111flow_fwd_l3_mcast_drop22450999
Packets dropped: no ARP11111111111111flow_fwd_l3_noarp0204
Packet dropped at forwarding: noxmit11111111111111flow_fwd_drop_noxmit0294
Packets dropped: Packet too short to cover IP header11111111111111flow_parse_ip_hdr04
Packets dropped: IPv6 packet truncated11111111111111flow_parse_ip6_truncated04
Packets received: IPv6 multicast pkts with flow off11111111111111flow_ip6_mcast_off11505760
IP broadcast pkt received11111111111111flow_bcast_pkt_rcv0255147
DHCP broadcast pkt received11111111111111flow_dhcp_bcast_pkt_rcv04
ARP packets received11111111111111flow_arp_pkt_rcv34069186
ARP packets transmitted11111111111111flow_arp_pkt_xmt087285
ARP requests replied11111111111111flow_arp_pkt_replied082094
ARP entry learned11111111111111flow_arp_pkt_learned068
Gratuitous ARP packets received11111111111111flow_arp_rcv_gratuitous021524
ARP receive error11111111111111flow_arp_rcv_err021202
ARP resolution packets transmitted11111111111111flow_arp_resolve_xmt02477
ND entry GC11111111111111flow_nd_neigh_gc01060
Packets received from control plane11111111111111flow_host_pkt_rcv0137018
Packets transmitted to control plane11111111111111flow_host_pkt_xmt0685046
Packets dropped: receive error from control plane11111111111111flow_host_rcv_err011
Packets dropped: decapsulation error from control plane11111111111111flow_host_decap_err026
Device management session allowed11111111111111flow_host_service_allow0136965
Device management session denied11111111111111flow_host_service_deny038658
Host vardata not sent: rate limit ok11111111111111flow_host_vardata_rate_limit_ok03
Packet on VxLAN port without I bit11111111111111flow_tci_vxlan_without_vni02
netconfig temporarily unavailable11111111111111device_invalid_netconf0404
netconfig switched11111111111111device_netconf_switch04
tundconfig switched11111111111111device_tundconf_switch01
Packets for which IP checksum validation was done in software11111111111111flow_ip_cksm_sw_validation68478257
Packets not allowed to egress for pre-negotiation11111111111111flow_drop_preneg_egress02
Application identified by simple signature11111111111111appid_ident_by_simple_sig092740
Application identified by L4 dport first11111111111111appid_ident_by_dport_first0174358
The number of packets processed by Application identification11111111111111appid_proc0177586
The number of unknown applications caused by max. packets reached11111111111111appid_unknown_max_pkts09
The number of unknown UDP applications after app engine11111111111111appid_unknown_udp0271
The number of unknown applications because of no data11111111111111appid_unknown_fini_empty097562
The total number of dynamic_ip_port NAT translate called11111111111111nat_dynamic_port_xlat0242839
The total number of dynamic_ip_port NAT release called11111111111111nat_dynamic_port_release0242825
The total number of dfa match using software11111111111111dfa_sw11096816
tcp reassembly case 111111111111111tcp_case_101
tcp reassembly case 211111111111111tcp_case_20346
out-of-window packets dropped11111111111111tcp_drop_out_of_wnd0116
The number of sessions with sml exit in detector i11111111111111ctd_sml_exit_detector_i0200010
The number of decoder resume requests11111111111111ctd_sml_unset_suspend030
Handle reset and url exit11111111111111ctd_handle_reset_and_url_exit030
ctd switch decoder11111111111111ctd_switch_decoder010
ctd stops to process packet11111111111111ctd_stop_proc010
run detector_i11111111111111ctd_run_detector_i0200020
SML VM opcode exit11111111111111ctd_sml_vm_run_impl_opcodeexit0199980
Forward to varrcvr error: TCP in establishment when session went away11111111111111ctd_fwd_err_tcp_state094652
The total usage of software for pscan11111111111111ctd_pscan_sw11170516
appid was changed11111111111111ctd_appid_reassign060011
decoder was changed11111111111111ctd_decoder_reassign010
session processed by ctd11111111111111ctd_process0351954
Packets processed by slowpath11111111111111ctd_pkt_slowpath11186304
Number of Policy Hit Count periodical update11111111111111ctd_hitcount_period_update04237
Number of url logs11111111111111log_url_cnt06060
Number of uid request logs11111111111111log_uid_req_cnt0241849
Number of traffic logs11111111111111log_traffic_cnt0449480
Time (us) spent on writing packet-diag logs11111111111111log_pkt_diag_us016
Number of URL database request11111111111111url_db_request01965
Number of URL reply11111111111111url_db_reply94419218
The number of packets get dropped because of waiting for url category request11111111111111url_request_pkt_drop01771
The session is not waiting for url11111111111111url_session_not_in_wait010
The number of HSM up/down events received11111111111111ssl_hsm_up_down_event_rcv02
Number of failures when receiving SSL session cache msg from MP11111111111111ssl_sess_cache_msg_from_mp_failure01834071

pan-os-platform-get-bgp-peers#


Retrieves all BGP peer information from the PAN-OS firewalls in the topology.

Base Command#

pan-os-platform-get-bgp-peers

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| device_filter_string | String by which to filter the results to only show specific hostnames or serial numbers. | Optional |
| target | Single serial number to target with this command | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| PANOS.ShowBGPPeers.Summary.hostid | String | Host ID. |
| PANOS.ShowBGPPeers.Summary.peer | String | Name of the BGP peer. |
| PANOS.ShowBGPPeers.Summary.status | String | Peer connection status. |
| PANOS.ShowBGPPeers.Summary.incoming_accepted | String | Total accepted routes from the peer. |
| PANOS.ShowBGPPeers.Result.hostid | String | Host ID. |
| PANOS.ShowBGPPeers.Result.peer | String | Name of the BGP peer. |
| PANOS.ShowBGPPeers.Result.vr | String | Virtual router in which the peer resides. |
| PANOS.ShowBGPPeers.Result.remote_as | String | Remote AS (Autonomous System) of the peer. |
| PANOS.ShowBGPPeers.Result.status | String | Peer connection status. |
| PANOS.ShowBGPPeers.Result.peer_address | String | IP address and port of the peer. |
| PANOS.ShowBGPPeers.Result.local_address | String | Local router address and port of the peer. |
| PANOS.ShowBGPPeers.Result.incoming_total | String | Total incoming routes from the peer. |
| PANOS.ShowBGPPeers.Result.incoming_accepted | String | Total accepted routes from the peer. |
| PANOS.ShowBGPPeers.Result.incoming_rejected | String | Total rejected routes from the peer. |
| PANOS.ShowBGPPeers.Result.policy_rejected | String | Total routes rejected by the peer by policy. |
| PANOS.ShowBGPPeers.Result.outgoing_total | String | Total routes advertised to the peer. |
| PANOS.ShowBGPPeers.Result.outgoing_advertised | String | Number of advertised routes to the peer. |

Command example#

!pan-os-platform-get-bgp-peers

Context Example#

{
"PANOS": {
"ShowBGPPeers": {
"Result": [
{
"hostid": "11111111111111",
"incoming_accepted": 0,
"incoming_rejected": 0,
"incoming_total": 0,
"local_address": "10.10.0.1",
"outgoing_advertised": 0,
"outgoing_total": 0,
"peer": "testlab-server",
"peer_address": "10.10.0.12",
"policy_rejected": 0,
"remote_as": "64511",
"status": "Active",
"vr": "default"
}
],
"Summary": [
{
"hostid": "11111111111111",
"incoming_accepted": 0,
"peer": "testlab-server",
"status": "Active"
}
]
}
}
}

Human Readable Output#

PAN-OS BGP Peers#

| hostid | incoming_accepted | peer | status |
| --- | --- | --- | --- |
| 11111111111111 | 0 | testlab-server | Active |

pan-os-platform-get-available-software#


Check the devices for software that is available to be installed.

Base Command#

pan-os-platform-get-available-software

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| device_filter_string | String by which to filter the results to only show specific hostnames or serial numbers. | Optional |
| target | Single serial number to target with this command | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| PANOS.SoftwareVersions.Summary.hostid | String | Host ID. |
| PANOS.SoftwareVersions.Summary.version | String | The software version in Major.Minor.Maint format. |
| PANOS.SoftwareVersions.Summary.filename | String | Software version filename. |
| PANOS.SoftwareVersions.Summary.size | String | Size of the software in MB. |
| PANOS.SoftwareVersions.Summary.size_kb | String | Size of the software in KB. |
| PANOS.SoftwareVersions.Summary.release_notes | String | Link to version release notes on PAN knowledge base. |
| PANOS.SoftwareVersions.Summary.downloaded | Boolean | True if the software version is present on the system. |
| PANOS.SoftwareVersions.Summary.current | Boolean | True if this is the currently installed software on the system. |
| PANOS.SoftwareVersions.Summary.latest | Boolean | True if this is the most recently released software for this platform. |
| PANOS.SoftwareVersions.Summary.uploaded | Boolean | True if the software version has been uploaded to the system. |

Command example#

!pan-os-platform-get-available-software

Context Example#

{
"PANOS": {
"SoftwareVersions": {
"Summary": [
{
"current": false,
"downloaded": false,
"filename": "PanOS_vm-10.2.0",
"hostid": "11111111111111",
"latest": true,
"release_notes": "https://www.paloaltonetworks.com/documentation/10-2/pan-os/pan-os-release-notes",
"size": "1010",
"size_kb": "1034657",
"uploaded": false,
"version": "10.2.0"
}
]
}
}
}

Human Readable Output#

PAN-OS Available Software Versions#

| current | downloaded | filename | hostid | latest | release_notes | size | size_kb | uploaded | version |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| false | false | PanOS_vm-10.2.0 | 11111111111111 | true | https://www.paloaltonetworks.com/documentation/10-2/pan-os/pan-os-release-notes | 1010 | 1034657 | false | 10.2.0 |
| false | false | PanOS_vm-10.1.5 | 11111111111111 | false | https://www.paloaltonetworks.com/documentation/10-1/pan-os/pan-os-release-notes | 457 | 468174 | false | 10.1.5 |
| false | false | PanOS_vm-10.1.4-h4 | 11111111111111 | false | https://www.paloaltonetworks.com/documentation/10-1/pan-os/pan-os-release-notes | 407 | 416843 | false | 10.1.4-h4 |
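
The `sw_version` values returned by pan-os-platform-get-system-info use the same version strings listed by this command, including hotfix releases such as 10.1.4-h4. The following Python code is an added example, not part of the integration: it parses those strings and reports which devices run below a minimum release for their major.minor train. The function names, the baseline values and the sample devices other than the first two are assumptions constructed for illustration, not vendor guidance.

```python
import re

# major.minor.maintenance with an optional -h<N> hotfix suffix, e.g. 10.1.4-h4
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")

# Constructed sample in the shape of PANOS.ShowSystemInfo.Result. The first two
# devices reuse values from the context example; the rest are invented.
SAMPLE_SYSINFO_CONTEXT = {"PANOS": {"ShowSystemInfo": {"Result": [
    {"hostid": "0111112222333444", "hostname": "vm-lab-fw1", "sw_version": "10.0.5"},
    {"hostid": "1.1.1.1", "hostname": "Panorama", "sw_version": "10.0.7"},
    {"hostid": "0000000000000001", "hostname": "example-fw-a", "sw_version": "10.1.4-h2"},
    {"hostid": "0000000000000002", "hostname": "example-fw-b", "sw_version": "10.1.5"},
    {"hostid": "0000000000000003", "hostname": "example-fw-c", "sw_version": "9.1.0"},
    {"hostid": "0000000000000004", "hostname": "example-fw-d", "sw_version": ""},
]}}}

# Constructed minimum release per train (placeholder values for the demo).
SAMPLE_BASELINES = {"10.0": "10.0.7", "10.1": "10.1.4-h4"}


def parse_panos_version(text):
    """Return (major, minor, maintenance, hotfix); a missing hotfix counts as 0."""
    match = VERSION_RE.match((text or "").strip())
    if match is None:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    major, minor, maint, hotfix = match.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)


def audit_versions(context, baselines):
    """Classify each device as ok, below_baseline, no_baseline or unparsable."""
    minimums = {train: parse_panos_version(v) for train, v in baselines.items()}
    info = (context.get("PANOS") or {}).get("ShowSystemInfo") or {}
    report = []
    for device in info.get("Result") or []:
        entry = {"hostid": device.get("hostid"),
                 "hostname": device.get("hostname"),
                 "sw_version": device.get("sw_version")}
        try:
            version = parse_panos_version(device.get("sw_version"))
        except ValueError:
            # Empty or unexpected strings need a human look rather than a guess.
            entry["status"] = "unparsable"
        else:
            minimum = minimums.get(f"{version[0]}.{version[1]}")
            if minimum is None:
                entry["status"] = "no_baseline"   # train not covered by policy
            elif version < minimum:               # tuple compare includes hotfix
                entry["status"] = "below_baseline"
            else:
                entry["status"] = "ok"
        report.append(entry)
    return report


if __name__ == "__main__":
    for row in audit_versions(SAMPLE_SYSINFO_CONTEXT, SAMPLE_BASELINES):
        print(f'{row["hostname"]:<14}{row["sw_version"] or "-":<12}{row["status"]}')
```
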

pan-os-platform-get-ha-state#


Get the HA state and associated details from the given device and any other details.

Base Command#

pan-os-platform-get-ha-state

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| device_filter_string | String by which to filter the results to only show specific hostnames or serial numbers. | Optional |
| target | Single serial number to target with this command | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| PANOS.HAState.hostid | String | Host ID. |
| PANOS.HAState.active | Boolean | Whether this is the active firewall in a pair. True if standalone as well. |
| PANOS.HAState.status | String | String HA status. |
| PANOS.HAState.peer | String | HA peer. |

Command example#

!pan-os-platform-get-ha-state

Context Example#

{
"PANOS": {
"HAState": [
{
"active": true,
"hostid": "11111111111111",
"peer": "",
"status": "HA Not enabled."
},
{
"active": true,
"hostid": "192.168.1.145",
"peer": "",
"status": "HA Not enabled."
}
]
}
}

Human Readable Output#

PAN-OS HA State#

| active | hostid | status |
| --- | --- | --- |
| true | 11111111111111 | HA Not enabled. |
| true | 192.168.1.145 | HA Not enabled. |

pan-os-platform-get-jobs#


Get all the jobs from the devices in the environment, or a single job when ID is specified.

Base Command#

pan-os-platform-get-jobs

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| device_filter_string | String by which to filter the results to only show specific hostnames or serial numbers. | Optional |
| target | Single serial number to target with this command | Optional |
| status | Filter to return jobs by status. | Optional |
| job_type | Filter to return jobs by type. | Optional |
| id | Filter by ID. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| PANOS.JobStatus.hostid | String | Host ID. |
| PANOS.JobStatus.id | Number | ID of job. |
| PANOS.JobStatus.type | String | Job type. |
| PANOS.JobStatus.tfin | String | Time finished. |
| PANOS.JobStatus.status | String | Status of the job. |
| PANOS.JobStatus.result | String | The result of the job. |
| PANOS.JobStatus.user | String | The user who initiated the job. |
| PANOS.JobStatus.tenq | String | The time the job was enqueued into the system. |
| PANOS.JobStatus.stoppable | String | Whether the job can be stopped after it started. |
| PANOS.JobStatus.description | String | The job description. |
| PANOS.JobStatus.positionInQ | String | The position of the job in the current job queue. |
| PANOS.JobStatus.progress | String | The numerical progress of the job. |
| PANOS.JobStatus.warnings | String | The warnings of the job. |

Command example#

!pan-os-platform-get-jobs

Context Example#

{
"PANOS": {
"JobStatus": [
{
"description": null,
"hostid": "11111111111111",
"id": 1,
"positionInQ": "0",
"progress": "01:02:18",
"result": "OK",
"status": "FIN",
"stoppable": "no",
"tenq": "2022/03/30 01:02:04",
"tfin": "01:02:18",
"type": "Downld",
"user": null,
"warnings": null
},
{
"description": null,
"hostid": "22222222222222",
"id": 2,
"positionInQ": "0",
"progress": "100",
"result": "OK",
"status": "FIN",
"stoppable": "no",
"tenq": "2022/03/15 14:16:32",
"tfin": "14:16:33",
"type": "BuildXMLCache",
"user": null,
"warnings": null
}
]
}
}

Human Readable Output#

PAN-OS Job Status#

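| hostid | id | positionInQ | progress | result | status | stoppable | tenq | tfin | type | user | warnings |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 11111111111111 | 1 | 0 | 100 | OK | FIN | no | 2022/03/15 14:17:16 | 14:18:17 | Downld | | |
| 22222222222222 | 2 | 0 | 01:02:15 | OK | FIN | no | 2022/03/16 01:02:04 | 01:02:15 | BuildXMLCache | | |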

pan-os-platform-download-software#


Download the provided software version onto the device.

Base Command#

pan-os-platform-download-software

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| version | The software version to upgrade to, for example, 9.1.2. | Required |
| device_filter_string | String by which to filter the results to only install to specific devices or serial numbers. | Optional |
| target | Single serial number to target with this command | Optional |
| sync | If provided, runs the download synchronously. Make sure 'execution-timeout' is increased. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| PANOS.DownloadStatus.Summary.hostid | String | Host ID. |
| PANOS.DownloadStatus.Summary.started | String | Whether the download process started. |

Command example#

!pan-os-platform-download-software version=9.1.0

Context Example#

{
"PANOS": {
"DownloadStatus": {
"Summary": [
{
"hostid": "11111111111111",
"started": true
},
{
"hostid": "192.168.1.145",
"started": true
}
]
}
}
}

Human Readable Output#

PAN-OS Software Download request Status#

| hostid | started |
| --- | --- |
| 11111111111111 | true |
| 192.168.1.145 | true |

pan-os-apply-dns-signature-policy#


Allows assigning of EDL to the Anti-Spyware profile under "DNS Signature Policies".

Base Command#

pan-os-apply-dns-signature-policy

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| anti_spyware_profile_name | The name of the Anti-Spyware profile. If the profile exists, the command operates on it; if a new name is given, a new Anti-Spyware profile is created. | Required |
| dns_signature_source | The EDL name to link to the profile. | Required |
| action | Action on the DNS queries. Possible values are: alert, allow, block, sinkhole. | Required |
| packet_capture | Allows capturing packets on match. Select "single-packet" to capture the first packet of the session or "extended-capture" to set between 1-50 packets. Packet capture can be very CPU intensive and can degrade firewall performance. Only use this feature when necessary and make sure you turn it off after you have collected the required packets. Possible values are: disable, single-packet, extended-capture. Default is disable. | Optional |

Context Output#

There is no context output for this command.

Human Readable Output#

success

pan-os-platform-reboot#


Reboot the given device by hostid. Warning: This command has no confirmation and the device will immediately reboot.

Base Command#

pan-os-platform-reboot

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| target | ID of host (serial or hostname) to reboot. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| PANOS.RestartStatus.Summary.hostid | String | Host ID. |
| PANOS.RestartStatus.Summary.started | String | Whether the system reboot has started. |

Command example#

!pan-os-platform-reboot target=11111111111111

Context Example#

{
"PANOS": {
"RestartStatus": {
"Summary": [
{
"hostid": "11111111111111",
"started": true
}
]
}
}
}

pan-os-platform-get-system-status#


Checks the status of the given device, checking whether it's up or down and if the operational mode is normal.

Base Command#

pan-os-platform-get-system-status

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| target | ID of host (serial or hostname) to check. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| PANOS.SystemStatus.hostid | String | Host ID. |
| PANOS.SystemStatus.up | String | Whether the host device is up or still unavailable. |

Command example#

!pan-os-platform-get-system-status target=11111111111111

Context Example#

{
"PANOS": {
"SystemStatus": {
"hostid": "11111111111111",
"up": true
}
}
}

pan-os-platform-update-ha-state#


Checks the status of the given device, checking whether it's up or down and if the operational mode is normal.

Base Command#

pan-os-platform-update-ha-state

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| hostid | ID of host (serial or hostname) to update the state. | Required |
| state | New state. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| PANOS.HAStateUpdate.hostid | String | Host ID. |
| PANOS.HAStateUpdate.state | String | New HA state. |

Command example#

!pan-os-platform-update-ha-state hostid=11111111111111 state=functional

Context Example#

{
"PANOS": {
"HAStateUpdate": {
"hostid": "11111111111111",
"state": "functional"
}
}
}

pan-os-hygiene-check-log-forwarding#


Checks that at least one log forwarding profile is configured according to best practices.

Base Command#

pan-os-hygiene-check-log-forwarding

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| device_filter_string | String by which to filter so that only the given device is checked. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| PANOS.ConfigurationHygiene.Summary.description | String | The description of the hygiene check. |
| PANOS.ConfigurationHygiene.Summary.issue_code | String | The shorthand code for this hygiene check. |
| PANOS.ConfigurationHygiene.Summary.result | String | Whether the check passed or failed. |
| PANOS.ConfigurationHygiene.Summary.issue_count | String | Total number of matching issues. |
| PANOS.ConfigurationHygiene.Result.hostid | String | Host ID. |
| PANOS.ConfigurationHygiene.Result.container_name | String | The parent container (DG, Template, VSYS) this object belongs to. |
| PANOS.ConfigurationHygiene.Result.issue_code | String | The shorthand code for the issue. |
| PANOS.ConfigurationHygiene.Result.description | String | Human readable description of the issue. |
| PANOS.ConfigurationHygiene.Result.name | String | The affected object name. |

Command example#

!pan-os-hygiene-check-log-forwarding

Context Example#

{
"PANOS": {
"ConfigurationHygiene": {
"Result": [
{
"container_name": "LAB",
"description": "Log forwarding profile missing log type 'threat'.",
"hostid": "192.168.1.145",
"issue_code": "BP-V-2",
"name": "test_fwd_profile-1"
},
{
"container_name": "LAB",
"description": "Log forwarding profile missing log type 'threat'.",
"hostid": "192.168.1.145",
"issue_code": "BP-V-2",
"name": "test_fwd_profile-1-1"
},
{
"container_name": "shared",
"description": "Log forwarding profile missing log type 'threat'.",
"hostid": "192.168.1.145",
"issue_code": "BP-V-2",
"name": "test_fwd_profile"
}
],
"Summary": [
{
"description": "Fails if there are no valid log forwarding profiles configured.",
"issue_code": "BP-V-1",
"issue_count": 0,
"result": "\u2714\ufe0f"
},
{
"description": "Fails if the configured log forwarding profile has no match list.",
"issue_code": "BP-V-2",
"issue_count": 3,
"result": "\u274c"
},
{
"description": "Fails if enhanced application logging is not configured.",
"issue_code": "BP-V-3",
"issue_count": 0,
"result": "\u2714\ufe0f"
}
]
}
}
}

Human Readable Output#

PAN-OS Configuration Hygiene Check#

| description | issue_code | issue_count | result |
| --- | --- | --- | --- |
| Fails if there are no valid log forwarding profiles configured. | BP-V-1 | 0 | ✔️ |
| Fails if the configured log forwarding profile has no match list. | BP-V-2 | 3 | ❌ |
| Fails if enhanced application logging is not configured. | BP-V-3 | 0 | ✔️ |

pan-os-hygiene-check-vulnerability-profiles#


Checks the configured vulnerability profiles to ensure at least one meets best practices.

Base Command#

pan-os-hygiene-check-vulnerability-profiles

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| device_filter_string | String by which to filter so that only the given device is checked. | Optional |
| minimum_block_severities | Comma-separated list of severities that must be in drop/reset/block-ip mode. Default is critical,high. | Optional |
| minimum_alert_severities | Comma-separated list of severities that must be in alert/default or higher mode. Default is medium,low. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| PANOS.ConfigurationHygiene.Summary.description | String | The description of the hygiene check. |
| PANOS.ConfigurationHygiene.Summary.issue_code | String | The shorthand code for this hygiene check. |
| PANOS.ConfigurationHygiene.Summary.result | String | Whether the check passed or failed. |
| PANOS.ConfigurationHygiene.Summary.issue_count | Number | Total number of matching issues. |
| PANOS.ConfigurationHygiene.Result.hostid | String | Host ID. |
| PANOS.ConfigurationHygiene.Result.container_name | String | The parent container (DG, Template, VSYS) this object belongs to. |
| PANOS.ConfigurationHygiene.Result.issue_code | String | The shorthand code for the issue. |
| PANOS.ConfigurationHygiene.Result.description | String | Human readable description of the issue. |
| PANOS.ConfigurationHygiene.Result.name | String | The affected object name. |

Command example#

!pan-os-hygiene-check-vulnerability-profiles

Context Example#

{
"PANOS": {
"ConfigurationHygiene": {
"Summary": [
{
"description": "Fails if no vulnerability profile is configured for visibility.",
"issue_code": "BP-V-4",
"issue_count": 0,
"result": "\u2714\ufe0f"
}
]
}
}
}

Human Readable Output#

PAN-OS Configuration Hygiene Check#

| description | issue_code | issue_count | result |
| --- | --- | --- | --- |
| Fails if no vulnerability profile is configured for visibility. | BP-V-4 | 0 | ✔️ |

pan-os-platform-install-software#


Install the given software version onto the device. Download the software first with panorama-download-panos-version.

Base Command#

pan-os-platform-install-software

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| version | Software version to upgrade to, for example: 9.1.2. | Required |
| device_filter_string | String by which to filter to only install to specific devices or serial numbers. | Optional |
| sync | If provided, runs the download synchronously. Make sure 'execution-timeout' is increased. | Optional |
| target | Single serial number to target with this command. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| PANOS.InstallStatus.Summary.hostid | String | Host ID. |
| PANOS.InstallStatus.Summary.started | String | Whether the download process has started. |

Command example#

!pan-os-platform-install-software version=9.1.0

Context Example#

{
"PANOS": {
"InstallStatus": {
"Summary": [
{
"hostid": "1111111111111",
"started": true
},
{
"hostid": "192.168.1.145",
"started": true
}
]
}
}
}

Human Readable Output#

PAN-OS Software Install request Status#

| hostid | started |
| --- | --- |
| 1111111111111 | true |
| 192.168.1.145 | true |

pan-os-hygiene-check-spyware-profiles#


Checks the configured Anti-spyware profiles to ensure at least one meets best practices.

Base Command#

pan-os-hygiene-check-spyware-profiles

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| device_filter_string | String to filter to only check given devices. | Optional |
| minimum_block_severities | csv list of severities that must be in drop/reset/block-ip mode. Default is critical,high. | Optional |
| minimum_alert_severities | csv list of severities that must be in alert/default or higher mode. Default is medium,low. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| PANOS.ConfigurationHygiene.Summary.description | String | The description of the check. |
| PANOS.ConfigurationHygiene.Summary.issue_code | String | The shorthand code for this hygiene check. |
| PANOS.ConfigurationHygiene.Summary.result | String | Whether the check passed or failed. |
| PANOS.ConfigurationHygiene.Summary.issue_count | String | Total number of matching issues. |
| PANOS.ConfigurationHygiene.Result.hostid | String | Host ID. |
| PANOS.ConfigurationHygiene.Result.container_name | String | What parent container (DG, Template, VSYS) this object belongs to. |
| PANOS.ConfigurationHygiene.Result.issue_code | String | The shorthand code for the issue. |
| PANOS.ConfigurationHygiene.Result.description | String | Human readable description of issue. |
| PANOS.ConfigurationHygiene.Result.name | String | The affected object name. |

Command example#

!pan-os-hygiene-check-spyware-profiles

Context Example#

{
"PANOS": {
"ConfigurationHygiene": {
"Summary": [
{
"description": "Fails if no spyware profile is configured for visibility.",
"issue_code": "BP-V-5",
"issue_count": 0,
"result": "\u2714\ufe0f"
}
]
}
}
}

Human Readable Output#

PAN-OS Configuration Hygiene Check#

| description | issue_code | issue_count | result |
| --- | --- | --- | --- |
| Fails if no spyware profile is configured for visibility. | BP-V-5 | 0 | ✔️ |

pan-os-hygiene-check-url-filtering-profiles#


Checks the configured URL Filtering profiles to ensure at least one meets best practices.

Base Command#

pan-os-hygiene-check-url-filtering-profiles

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| device_filter_string | String to filter to only check given device. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| PANOS.ConfigurationHygiene.Summary.description | String | The description of the check. |
| PANOS.ConfigurationHygiene.Summary.issue_code | String | The shorthand code for this hygiene check. |
| PANOS.ConfigurationHygiene.Summary.result | String | Whether the check passed or failed. |
| PANOS.ConfigurationHygiene.Summary.issue_count | String | Total number of matching issues. |
| PANOS.ConfigurationHygiene.Result.hostid | String | Host ID. |
| PANOS.ConfigurationHygiene.Result.container_name | String | What parent container (DG, Template, VSYS) this object belongs to. |
| PANOS.ConfigurationHygiene.Result.issue_code | String | The shorthand code for the issue. |
| PANOS.ConfigurationHygiene.Result.description | String | Human readable description of issue. |
| PANOS.ConfigurationHygiene.Result.name | String | The affected object name. |

Command example#

!pan-os-hygiene-check-url-filtering-profiles

Context Example#

{
"PANOS": {
"ConfigurationHygiene": {
"Summary": [
{
"description": "Fails if no spyware profile is configured for url-filtering",
"issue_code": "BP-V-6",
"issue_count": 0,
"result": "\u2714\ufe0f"
}
]
}
}
}

Human Readable Output#

PAN-OS Configuration Hygiene Check#

| description | issue_code | issue_count | result |
| --- | --- | --- | --- |
| Fails if no spyware profile is configured for url-filtering | BP-V-6 | 0 | ✔️ |

pan-os-hygiene-conforming-url-filtering-profiles#


Returns a list of existing PANOS URL filtering objects that conform to best practices.

Base Command#

pan-os-hygiene-conforming-url-filtering-profiles

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| device_filter_string | String to filter to only check given device. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| PANOS.PanosObject.hostid | String | Host ID. |
| PANOS.PanosObject.container_name | String | What parent container (DG, Template, VSYS) this object belongs to. |
| PANOS.PanosObject.name | String | The PAN-OS object name. |
| PANOS.PanosObject.object_type | String | The PAN-OS-Python object type. |

Command example#

!pan-os-hygiene-conforming-url-filtering-profiles

Context Example#

{
"PANOS": {
"PanosObject": [
{
"container_name": "shared",
"hostid": "192.168.1.145",
"name": "Outbound-URL",
"object_type": "URLFilteringProfile"
},
{
"container_name": "shared",
"hostid": "192.168.1.145",
"name": "Exception-URL",
"object_type": "URLFilteringProfile"
}
]
}
}

Human Readable Output#

PAN-OS Objects#

| container_name | hostid | name | object_type |
| --- | --- | --- | --- |
| shared | 192.168.1.145 | Outbound-URL | URLFilteringProfile |
| shared | 192.168.1.145 | Exception-URL | URLFilteringProfile |

pan-os-hygiene-conforming-spyware-profiles#


Returns all Anti-spyware profiles that conform to best practices.

Base Command#

pan-os-hygiene-conforming-spyware-profiles

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| device_filter_string | String to filter to only check given device. | Optional |
| minimum_block_severities | csv list of severities that must be in drop/reset/block-ip mode. Default is critical,high. | Optional |
| minimum_alert_severities | csv list of severities that must be in alert/default or higher mode. Default is medium,low. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| PANOS.PanosObject.hostid | String | Host ID. |
| PANOS.PanosObject.container_name | String | What parent container (DG, Template, VSYS) this object belongs to. |
| PANOS.PanosObject.name | String | The PAN-OS object name. |
| PANOS.PanosObject.object_type | String | The PAN-OS-Python object type. |

Command example#

!pan-os-hygiene-conforming-spyware-profiles

Context Example#

{
"PANOS": {
"PanosObject": [
{
"container_name": "shared",
"hostid": "192.168.1.145",
"name": "Outbound-AS",
"object_type": "AntiSpywareProfile"
},
{
"container_name": "shared",
"hostid": "192.168.1.145",
"name": "Inbound-AS",
"object_type": "AntiSpywareProfile"
},
{
"container_name": "shared",
"hostid": "192.168.1.145",
"name": "Internal-AS",
"object_type": "AntiSpywareProfile"
}
]
}
}

Human Readable Output#

PAN-OS Objects#

| container_name | hostid | name | object_type |
| --- | --- | --- | --- |
| shared | 192.168.1.145 | Outbound-AS | AntiSpywareProfile |
| shared | 192.168.1.145 | Inbound-AS | AntiSpywareProfile |
| shared | 192.168.1.145 | Internal-AS | AntiSpywareProfile |

pan-os-hygiene-conforming-vulnerability-profiles#


Returns all Vulnerability profiles that conform to best practices.

Base Command#

pan-os-hygiene-conforming-vulnerability-profiles

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| device_filter_string | String to filter to only check given device. | Optional |
| minimum_block_severities | csv list of severities that must be in drop/reset/block-ip mode. Default is critical,high. | Optional |
| minimum_alert_severities | csv list of severities that must be in alert/default or higher mode. Default is medium,low. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| PANOS.PanosObject.hostid | String | Host ID. |
| PANOS.PanosObject.container_name | String | What parent container (DG, Template, VSYS) this object belongs to. |
| PANOS.PanosObject.name | String | The PAN-OS object name. |
| PANOS.PanosObject.object_type | String | The PAN-OS-Python object type. |

Command example#

!pan-os-hygiene-conforming-vulnerability-profiles

Context Example#

{
"PANOS": {
"PanosObject": [
{
"container_name": "shared",
"hostid": "192.168.1.145",
"name": "Outbound-VP",
"object_type": "VulnerabilityProfile"
},
{
"container_name": "shared",
"hostid": "192.168.1.145",
"name": "Inbound-VP",
"object_type": "VulnerabilityProfile"
},
{
"container_name": "shared",
"hostid": "192.168.1.145",
"name": "Internal-VP",
"object_type": "VulnerabilityProfile"
}
]
}
}

Human Readable Output#

PAN-OS Objects#

| container_name | hostid | name | object_type |
| --- | --- | --- | --- |
| shared | 192.168.1.145 | Outbound-VP | VulnerabilityProfile |
| shared | 192.168.1.145 | Inbound-VP | VulnerabilityProfile |
| shared | 192.168.1.145 | Internal-VP | VulnerabilityProfile |

pan-os-hygiene-check-security-zones#


Check configured security zones have correct settings.

Base Command#

pan-os-hygiene-check-security-zones

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| device_filter_string | String to filter to only check given device. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| PANOS.ConfigurationHygiene.Summary.description | String | The description of the check. |
| PANOS.ConfigurationHygiene.Summary.issue_code | String | The shorthand code for this hygiene check. |
| PANOS.ConfigurationHygiene.Summary.result | String | Whether the check passed or failed. |
| PANOS.ConfigurationHygiene.Summary.issue_count | String | Total number of matching issues. |
| PANOS.ConfigurationHygiene.Result.hostid | String | Host ID. |
| PANOS.ConfigurationHygiene.Result.container_name | String | What parent container (DG, Template, VSYS) this object belongs to. |
| PANOS.ConfigurationHygiene.Result.issue_code | String | The shorthand code for the issue. |
| PANOS.ConfigurationHygiene.Result.description | String | Human readable description of issue. |
| PANOS.ConfigurationHygiene.Result.name | String | The affected object name. |

Command example#

!pan-os-hygiene-check-security-zones

Context Example#

{
"PANOS": {
"ConfigurationHygiene": {
"Result": [
{
"container_name": "LAB",
"description": "Security zone has no log forwarding setting.",
"hostid": "192.168.1.145",
"issue_code": "BP-V-7",
"name": "TEST_ZONE"
}
],
"Summary": [
{
"description": "Fails when a security zone has no log forwarding setting.",
"issue_code": "BP-V-7",
"issue_count": 1,
"result": "\u274c"
}
]
}
}
}

Human Readable Output#

PAN-OS Configuration Hygiene Check#

| description | issue_code | issue_count | result |
| --- | --- | --- | --- |
| Fails when a security zone has no log forwarding setting. | BP-V-7 | 1 | ❌ |

pan-os-hygiene-check-security-rules#


Check security rules are configured correctly.

Base Command#

pan-os-hygiene-check-security-rules

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| device_filter_string | String to filter to only check given device. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| PANOS.ConfigurationHygiene.Summary.description | String | The description of the check. |
| PANOS.ConfigurationHygiene.Summary.issue_code | String | The shorthand code for this hygiene check. |
| PANOS.ConfigurationHygiene.Summary.result | String | Whether the check passed or failed. |
| PANOS.ConfigurationHygiene.Summary.issue_count | String | Total number of matching issues. |
| PANOS.ConfigurationHygiene.Result.hostid | String | Host ID. |
| PANOS.ConfigurationHygiene.Result.container_name | String | What parent container (DG, Template, VSYS) this object belongs to. |
| PANOS.ConfigurationHygiene.Result.issue_code | String | The shorthand code for the issue. |
| PANOS.ConfigurationHygiene.Result.description | String | Human readable description of issue. |
| PANOS.ConfigurationHygiene.Result.name | String | The affected object name. |

Command example#

!pan-os-hygiene-check-security-rules

Context Example#

{
"PANOS": {
"ConfigurationHygiene": {
"Result": [
{
"container_name": "shared",
"description": "Security rule is not configured to log at session end.",
"hostid": "192.168.1.145",
"issue_code": "BP-V-8",
"name": "Test-webapp-rule"
},
{
"container_name": "shared",
"description": "Security rule has no log forwarding profile.",
"hostid": "192.168.1.145",
"issue_code": "BP-V-9",
"name": "Test-webapp-rule"
},
{
"container_name": "shared",
"description": "Security rule has no profile group or configured threat profiles.",
"hostid": "192.168.1.145",
"issue_code": "BP-V-10",
"name": "Test-webapp-rule"
}
],
"Summary": [
{
"description": "Fails when a security rule is not configured to log at session end.",
"issue_code": "BP-V-8",
"issue_count": 1,
"result": "\u274c"
},
{
"description": "Fails when a security rule has no log forwarding profile configured.",
"issue_code": "BP-V-9",
"issue_count": 1,
"result": "\u274c"
},
{
"description": "Fails when a security rule has no configured profiles or profile groups.",
"issue_code": "BP-V-10",
"issue_count": 1,
"result": "\u274c"
}
]
}
}
}

Human Readable Output#

PAN-OS Configuration Hygiene Check#

| description | issue_code | issue_count | result |
| --- | --- | --- | --- |
| Fails when a security rule is not configured to log at session end. | BP-V-8 | 1 | ❌ |
| Fails when a security rule has no log forwarding profile configured. | BP-V-9 | 1 | ❌ |
| Fails when a security rule has no configured profiles or profile groups. | BP-V-10 | 1 | ❌ |

pan-os-hygiene-fix-log-forwarding#


Fix log forwarding issues identified by pan-os-hygiene-check-log-forwarding.

Base Command#

pan-os-hygiene-fix-log-forwarding

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| issue | Dictionary of Hygiene issue, from a hygiene check command. Can be a list. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| PANOS.ConfigurationHygieneFix.hostid | String | Host ID. |
| PANOS.ConfigurationHygieneFix.container_name | String | What parent container (DG, Template, VSYS) this object belongs to. |
| PANOS.ConfigurationHygieneFix.issue_code | String | The shorthand code for the issue. |
| PANOS.ConfigurationHygieneFix.description | String | Human readable description of issue. |
| PANOS.ConfigurationHygieneFix.name | String | The affected object name. |

Command example#

!pan-os-hygiene-fix-log-forwarding issue=${PANOS.ConfigurationHygiene.Result}

Context Example#

{
"PANOS": {
"ConfigurationHygieneFix": [
{
"container_name": "LAB",
"description": "Enabled Enhanced Application Logging.",
"hostid": "192.168.1.145",
"issue_code": "BP-V-2",
"name": "test_fwd_profile-1"
}
]
}
}
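
The command example above passes the whole `PANOS.ConfigurationHygiene.Result` list as `issue`, and that list can hold findings from several checks. The following Python sketch is an added example, not part of the integration: it sorts findings by the fix command that handles them and cross-checks `Summary.issue_count` against the `Result` entries. The code-to-command mapping is an assumption inferred from this page's examples, and the merged sample context is constructed from them.

```python
from collections import defaultdict

CHECK, CROSS = "\u2714\ufe0f", "\u274c"  # pass/fail markers used in Summary.result

# Assumption: the issue codes each fix command handles are inferred from the
# examples on this page, not taken from the integration's source.
FIX_COMMAND_BY_CODE = {
    "BP-V-1": "pan-os-hygiene-fix-log-forwarding",
    "BP-V-2": "pan-os-hygiene-fix-log-forwarding",
    "BP-V-3": "pan-os-hygiene-fix-log-forwarding",
    "BP-V-7": "pan-os-hygiene-fix-security-zone-log-settings",
}


def _issue(container, code, name, description):
    return {"container_name": container, "description": description,
            "hostid": "192.168.1.145", "issue_code": code, "name": name}


# Constructed sample: entries copied from the context examples on this page,
# merged as if several hygiene checks had written to the same context key.
# One issue_count is a string because the tables document it as String.
SAMPLE = {"PANOS": {"ConfigurationHygiene": {
    "Result": [
        _issue("LAB", "BP-V-2", "test_fwd_profile-1", "Log forwarding profile missing log type 'threat'."),
        _issue("LAB", "BP-V-2", "test_fwd_profile-1-1", "Log forwarding profile missing log type 'threat'."),
        _issue("shared", "BP-V-2", "test_fwd_profile", "Log forwarding profile missing log type 'threat'."),
        _issue("LAB", "BP-V-7", "TEST_ZONE", "Security zone has no log forwarding setting."),
        _issue("shared", "BP-V-9", "Test-webapp-rule", "Security rule has no log forwarding profile."),
    ],
    "Summary": [
        {"issue_code": "BP-V-1", "issue_count": 0, "result": CHECK},
        {"issue_code": "BP-V-2", "issue_count": 3, "result": CROSS},
        {"issue_code": "BP-V-7", "issue_count": "1", "result": CROSS},
        {"issue_code": "BP-V-9", "issue_count": 1, "result": CROSS},
    ],
}}}


def hygiene(context):
    """Return the ConfigurationHygiene dict, tolerating missing keys."""
    return context.get("PANOS", {}).get("ConfigurationHygiene", {}) or {}


def as_list(value):
    """Context values may be absent, a single dict, or a list of dicts."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def failed_codes(context):
    """Issue codes whose Summary entry reports a failure, in Summary order."""
    return [s["issue_code"] for s in as_list(hygiene(context).get("Summary"))
            if int(s.get("issue_count", 0)) > 0 or s.get("result") == CROSS]


def count_mismatches(context):
    """Codes where Summary.issue_count disagrees with the Result entries."""
    h = hygiene(context)
    seen = defaultdict(int)
    for issue in as_list(h.get("Result")):
        seen[issue["issue_code"]] += 1
    return {s["issue_code"]: (int(s["issue_count"]), seen[s["issue_code"]])
            for s in as_list(h.get("Summary"))
            if int(s["issue_count"]) != seen[s["issue_code"]]}


def plan_fixes(context):
    """Group Result entries by fix command; unmapped codes are returned apart."""
    plan, unrouted = defaultdict(list), []
    for issue in as_list(hygiene(context).get("Result")):
        command = FIX_COMMAND_BY_CODE.get(issue.get("issue_code"))
        (plan[command] if command else unrouted).append(issue)
    return dict(plan), unrouted


if __name__ == "__main__":
    plan, unrouted = plan_fixes(SAMPLE)
    for command, issues in plan.items():
        print(command, [i["name"] for i in issues])
    print("no fix command mapped:", [(i["issue_code"], i["name"]) for i in unrouted])
    print("failed checks:", failed_codes(SAMPLE))
    print("count mismatches:", count_mismatches(SAMPLE))
```

Pass only the list planned for a given command as that command's `issue` argument; entries returned as unrouted need a fix command that this section does not show.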

pan-os-hygiene-fix-security-zone-log-settings#


Fixes security zones that are configured without a valid log forwarding profile.

Base Command#

pan-os-hygiene-fix-security-zone-log-settings

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| issue | Dictionary of Hygiene issue, from a hygiene check command. Can be a list. | Required |
| log_forwarding_profile_name | Name of log forwarding profile to set. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| PANOS.ConfigurationHygieneFix.hostid | String | Host ID. |
| PANOS.ConfigurationHygieneFix.container_name | String | What parent container (DG, Template, VSYS) this object belongs to. |
| PANOS.ConfigurationHygieneFix.issue_code | String | The shorthand code for the issue. |
| PANOS.ConfigurationHygieneFix.description | String | Human readable description of issue. |
| PANOS.ConfigurationHygieneFix.name | String | The affected object name. |

Command example#

!pan-os-hygiene-fix-security-zone-log-settings issue=${PANOS.ConfigurationHygiene.Result} log_forwarding_profile_name="test-fwd-profile"

Context Example#

{
"PANOS": {
"ConfigurationHygieneFix": [
{
"container_name": "LAB",
"description": "Set log forwarding profile test-fwd-profile",
"hostid": "192.168.1.145",
"issue_code": "BP-V-7",
"name": "TEST_ZONE"