×
Panorama

Overview

The Panorama plugin provides for the blocking/unblocking of Domains, URLs, and IP addresses, decommissioning servers, and performing bulk actions.

Functionality

The Panorama plugin provides several nodes for blocking/unblocking Domains, URLs, and IP addresses, committing/reverting changes, decommissioning servers, and performing bulk actions.

Instance Configuration Parameters

Property
Description
Instance Name

Name for the Panorama instance.

Unique Id

Unique name for the Panorama instance.

Server

IP or hostname where Panorama is running.

User Name

Valid user name for the Panorama server.

Password

Valid password for the user name on the Palo Alto Firewall server.

Listen for Domain Block broadcast events

Whether or not to listen to broadcast domain block events.

Listen for Domain Unblock broadcast events

Whether or not to listen to broadcast domain unblock events.

Domain Broadcast Block List

The name used for the URL Filter to add the blocked domain to.

Listen for URL Block broadcast events

Whether or not to listen to broadcast URL block events.

Listen for URL Unblock broadcast events

Whether or not to listen to broadcast URL unblock events.

URL Broadcast Block List

The name used for the URL Filter to add the blocked URL to.

Listen for IP Block broadcast events

Whether or not to listen to broadcast IP block events.

Listen for IP Unblock broadcast events

Whether or not to listen to broadcast IP unblock events.

IP Broadcast Block List

The name used for the Firewall rule to add the blocked IP to.

Device Groups

A list of device groups to push changes to. If this is blank, it will default to the Shared group.

Flow Nodes

Communication node which blocks/unblocks IPs. URLs, and Domains, in Panorama according to the specified node configuration.
Property
Description
Name

The display name of the node within the flows

Unique Id

ID name for the specific Palo Alto Firewall Instance.

Action

Block or Unblock IP, URL, or Domain.

Domain List

The Name of the URL Filter to add blocked Domains to.

URL List

The Name of the URL Filter to add blocked URLs to.

IP List

The Name of the Firewall rule to add blocked IPs to.

Device Groups

A list of device groups to push changes to. If this is blank, it will default to the Shared group.

Block/Unblock Within

Determines the block/unblock requests to run based on a search of the contents within the Block Within or Unblock Within field. For example, if the supplied value is payload.ioc and the contents at that location are as follows,
{
“domain”: “baddomain.com”,
“url”: “https://baddomain.com/path/to/file”
}
a domain block/unblock and url block/unblock will be run.

Block/Unblock Domain

Sends a request to block/unblock the domain configured by Domain. This adds a URL Filtering rule.

Block/Unblock IP Address

Sends a request to block/unblock the IP Address configured by IP Address. This adds a filrewall rule.

Block/Unblock URL

Sends a request to block/unblock the URL configured by URL. This adds a URL Filtering rule.

The node will search all policies/objects from Panorama and attached Pano Alto Firewall devices for the string defined under Asset Source. A list of all rules/objects found will be returned. This is used getting all rules to delete for a decommissioned server.
Property
Description
Name

The display name of the node within the flows.

Unique Id

ID name for the specific Panorama Instance.

Asset Source

Panorama asset string to search for. Generally the ip/hostname of a decommissioned server.

This node must come after the NL-Panorama-Get-Rules node in a flow. This node deletes the rules/objects found by the NL-Panorama-Get-Rules node. This can be used to delete all rules associated with a decommissioned server. When a rule/object is deleted, if it is the last element in an asset, the asset will be deleted and removed from any other assets containing it. If the deleted asset was the last element in another asset, that asset will also be removed. For example, if you have a firewall rule with one address group and the address group has one address, if you delete the address, the address group and firewall rule will also be deleted.
Property
Description
Name

The display name of the node within the flows.

Unique Id

ID name for the specific Panorama Instance.

Commit Changes

Whether or not to commit actions performed by this node.

This node should come after the csv node in a flow. This node will perform bulk actions on a parsed csv file. Each row defines an individual action to take. Actions are performed sequentially from the first row to the last. If an action depends on another, they must be ordered sequentially in the csv file. i.e. if you want to create an address-group containing an address, the address must be created on a line above the address-group. If a column contains multiple values, those values should be separated by semicolons. i.e. 1.2.3.4;5.6.7.8;10.20.30.40. If there is an error processing an action, the node will continue processing the rest of the actions. Error and success status for each action can be seen from the output. If Commit Changes is checked, changes will be committed and pushed to devices. If there is an error, changes will NOT be committed. The CSV file should have the following columns
type
Type of object. Options include
address
CIDR block, IP Address, or IP Address Range.
address-group
Group of address objects
block
Firewall rule or URL Filtering object. Can be a list of address objects, address-group objects, address strings, URLs, or domains.
action
Action to take. Options include
set
Create or add to an object/policy. If the object can only contain one element, then the object will be overwritten.
delete
Delete from an existing object/policy. If the values and tags columns are both empty, the entire object/policy will be deleted.
name
Name of the object/policy.
values (Optional)
Values to be updated. Can contain multiple values.
device-groups (Optional)
Device groups to apply changes to. Can contain multiple values. If this is not included, it will default to Shared.
tags (Optional)
Tags to update on the object. Can contain multiple values.
Property
Description
Name

The display name of the node within the flows.

Unique Id

ID name for the specific Panorama Instance.

CSV Array Source

CSV array from csv node containing actions to perform.

Commit Changes

Whether or not to commit actions performed by this node.

This node must come after the NL-Panorama node, NL-Panorama-Delete-Rules, or NL-Panorama-Bulk-Action node in a flow if those nodes were not configured to commit changes. This node will perform a commit of the pending changes within the Panorma Instance. If Panorama has changes, the commit will be for all device groups. A failed commit will not stop other commits from running. The status of each commit is listed in the output message. If a commit fails, its changes will not be reverted.
Property
Description
Name

The display name of the node within the flows.

Unique Id

ID name for the specific Panorama Instance.

This node must come after the NL-Panorama node, NL-Panorama-Delete-Rules, or NL-Panorama-Bulk-Action node in a flow. This node will perform a revert all uncommitted changes performed on Panorama and any attached Palo Alto Firewall devices.
Property
Description
Name

The display name of the node within the flows.

Unique Id

ID name for the specific Panorama Instance.

Learn More

JSON Message Format

The following samples show the JSON content added to the message payload, which conform to Node Messaging Format. The content exists within the pano1 object.

Block Site Success

The italicized, green text is inserted into the message payload upon a successful request. The following example uses “pano1” for the uniqueId of the Panorama Instance:

"payload": {
    "panorama": {
      "pano1": {
        "response": {
          "commit": {
            "Panorama": {
              "Group 1": {
                "status": "success"
              },
              "Group 2": {
                "status": "success"
              },
              "Group 3": {
                "status": "success"
              },
              "Panorama": {
                "status": "success"
              },
              "Group 1-2": {
                "status": "success"
              },
              "Group 1-3": {
                "status": "success"
              },
              "Group 1-4": {
                "status": "success"
              },
              "Group 2-2": {
                "status": "success"
              },
              "Group 2-3": {
                "status": "success"
              },
              "Group 2-4": {
                "status": "success"
              },
              "Group 3-2": {
                "status": "success"
              }
            }
          },
          "actions": [
            {
              "name": "IP 1",
              "tags": "SQL",
              "type": "address",
              "action": "set",
              "values": "192.168.1.2",
              "response": [
                {
                  "shared": "success"
                }
              ]
            },
            {
              "name": "IP 2",
              "tags": "SQL",
              "type": "address",
              "action": "set",
              "values": "192.168.1.0/24",
              "response": [
                {
                  "Group 1-2": "success"
                }
              ],
              "device-groups": "Group 1-2"
            },
            {
              "name": "IP 3",
              "tags": "TEST2",
              "type": "address",
              "action": "set",
              "values": "192.168.1.1-192.168.3.10",
              "response": [
                {
                  "shared": "success"
                }
              ]
            },
            {
              "name": "IP 4",
              "tags": "TEST2",
              "type": "address",
              "action": "set",
              "values": "192.168.1.4",
              "response": [
                {
                  "shared": "success"
                }
              ]
            },
            {
              "name": "Group 1",
              "tags": "TEST2",
              "type": "address-group",
              "action": "set",
              "values": "IP 1;IP 2;IP 3;IP 4",
              "response": [
                {
                  "Group 1-2": "success"
                }
              ],
              "device-groups": "Group 1-2"
            },
            {
              "name": "Secflow Filter",
              "tags": "NEW TAG2",
              "type": "block",
              "action": "set",
              "values": "https://www.gogle.com/badURL;20.30.40.50;027.ru",
              "response": [
                {
                  "Group 1-2": {
                    "tags": "success",
                    "027.ru": "command succeeded",
                    "20.30.40.50": "command succeeded",
                    "https://www.gogle.com/badURL": "command succeeded"
                  }
                },
                {
                  "Group 1": {
                    "tags": "success",
                    "027.ru": "command succeeded",
                    "20.30.40.50": "command succeeded",
                    "https://www.gogle.com/badURL": "command succeeded"
                  }
                },
                {
                  "Group 1-3": {
                    "tags": "success",
                    "027.ru": "command succeeded",
                    "20.30.40.50": "command succeeded",
                    "https://www.gogle.com/badURL": "command succeeded"
                  }
                }
              ],
              "device-groups": "Group 1-2;Group 1;Group 1-3"
            }
          ]
        }
      }
    }
  }
}
Nevelex Labs, Main Office

Metro Office Park
2950 Metro Drive, Suite 104
Bloomington, MN 55425
Phone: +1 952-500-8921

©Nevelex Labs, LLC. 2018-2024, All Rights Reserved.

EULA