Palo Alto Next Gen Firewall
Integration version: 22.0
Configure Palo Alto Next Gen Firewall integration in Google Security Operations SOAR
For detailed instructions on how to configure an integration in Google Security Operations SOAR, see Configure integrations.
Integration parameters
Use the following parameters to configure the integration:
Parameter Display Name | Type | Default Value | Is Mandatory | Description |
---|---|---|---|---|
Api Root | String | https://x.x.x.x/api | Yes | API root of the Palo Alto Networks Next-Generation Firewall instance. |
Username | String | N/A | Yes | Username of the Palo Alto Networks Next-Generation Firewall account. |
Password | Password | N/A | Yes | Password of the Palo Alto Networks Next-Generation Firewall account. |
Verify SSL | Checkbox | Unchecked | No | If enabled, verifies that the SSL certificate for the connection to the Palo Alto Networks Next-Generation Firewall server is valid. |
Actions
Add IPs to Group
Description
Add IP addresses to an address group.
Parameters
Parameter | Type | Default Value | Description |
---|---|---|---|
Device Name | String | N/A | The device name in which the group is located. The default device name of NGFW is localhost.localdomain. If it is configured differently, refer to https://php/rest/browse.php/config::devices for the list of all the device names and select the relevant device. |
Vsys Name | String | N/A | Specify a comma-separated list of vsys on which you want to execute the action. The default vsys name of NGFW is vsys1. If it is configured differently, refer to https://{ip}/php/rest/browse.php/config::devices::entry[@name='{device name}']::vsys for the list of all available vsys on the device. |
Address Group Name | String | N/A | Group name value. |
Use Shared Objects | Checkbox | N/A | If enabled, action will use shared objects instead of vsys. Note: action will not create a shared address group, if it doesn't exist. |
Use cases
N/A
Run On
This action runs on the IP Address entity.
Action Results
Entity Enrichment
N/A
Insights
N/A
Script Result
Script Result Name | Value Options | Example |
---|---|---|
success | True/False | success:False |
JSON Result
["1.1.1.1", "2.2.2.2"]
Case Wall
Result Type | Value / Description | Type |
---|---|---|
Output message* | Success for one vsys and one IP (is_success=true): Successfully added the following IPs to the group "{group_name}" for vsys "{vsys name}" in Palo Alto NGFW: {entity.identifiers}<br>Not success for one vsys and one IP (is_success=true): Action wasn't able to add the following IPs to the group "{group_name}" for vsys "{vsys name}" in Palo Alto NGFW: {entity.identifiers}<br>Not success for all IPs in vsys (is_success=false, if the same behavior for all vsys and is_success=true if partial): No IPs were added to the group "{group_name}" for vsys "{vsys name}" in Palo Alto NGFW.<br>If at least one of the vsys were not found (fail): Error executing action "Add Ips to group". Reason: The following vsys were not found in Palo Alto NGFW: {vsys that were not found}<br>If "Use Shared Objects" is disabled and none of the "Device name" and "Vsys name" are provided (fail): Error executing action "{action_name}": Either "Use Shared Objects" parameter should be enabled or "Device name" and "Vsys name" to be provided.<br>If device name is invalid (fail): Error executing action "Add Ips to group". Reason: Device {device name} was not found. Please check the spelling.<br>If "Use Shared Objects" is enabled and at least one IP address was added (is_success=true): Successfully added the following IP addresses to the shared address group '{Group Name}' in Palo Alto NGFW:\n {entity.identifier}<br>If "Use Shared Objects" is enabled and one IP address was already a part of address group (is_success=true): The following IP addresses were already a part of the the shared address group '{Group Name}' in Palo Alto NGFW:\n {entity.identifier}<br>If "Use Shared Objects" is enabled and at least one IP address was not added (is_success=true): Action wasn't able to add the following IP addresses to the shared address group '{Group Name}' in Palo Alto NGFW:\n {entity.identifier}<br>If "Use Shared Objects" is enabled and no IP address was added (is_success=false): No IP addresses were added to the shared address group '{Group Name}' in Palo Alto NGFW.<br>If Address Group wasn't found (fail): Error executing action "Add Ips to group". Shared address group "{Group Name}" was not found in Palo Alto NGFW.<br>Critical Error: Error executing action "Add Ips to group". Reason: {error traceback} | General |
Block IPs in Policy
Description
Block IP addresses in a policy (each IP is added individually to the policy).
Parameters
Parameter | Type | Default Value | Description |
---|---|---|---|
Device Name | String | N/A | The device name in which the group is located. The default device name of NGFW is localhost.localdomain. If it is configured differently, refer to https://php/rest/browse.php/config::devices for the list of all the device names and select the relevant device. |
Vsys Name | String | N/A | Specify a comma-separated list of vsys on which you want to execute the action. The default vsys name of NGFW is vsys1. If it is configured differently, refer to https://{ip}/php/rest/browse.php/config::devices::entry[@name='{device name}']::vsys for the list of all available vsys on the device. |
Policy Name | String | N/A | Policy name value. |
Target | String | N/A | Has to be source or destination. |
Use cases
N/A
Run On
This action runs on the IP Address entity.
Action Results
Entity Enrichment
N/A
Insights
N/A
Script Result
Script Result Name | Value Options | Example |
---|---|---|
success | True/False | success:False |
JSON Result
[
"1.1.1.1",
"2.2.2.2"
]
Case Wall
Result Type | Value / Description | Type |
---|---|---|
Output message* | Success for one vsys and one IP (is_success=true): Successfully blocked the following IPs in policy "{policy name}" for vsys "{vsys name}" in Palo Alto NGFW: {entity.identifiers}<br>Not success for one vsys and one IP (is_success=true): Action wasn't able to block the following IPs in policy "{policy_name}" for vsys "{vsys name}" in Palo Alto NGFW: {entity.identifiers}<br>Not success for all IPs in vsys (is_success=false, if the same behavior for all vsys and is_success=true if partial): No IPs were blocked in policy "{policy_name}" for vsys "{vsys name}" in Palo Alto NGFW.<br>If Policy name wasn't found in some vsys (is_success=true): Policy "{policy name}" wasn't found in the following vsys in the Palo Alto NGFW: {vsys that don't have the policy}<br>If at least one of the vsys were not found (fail): Error executing action "Block Ips in policy". Reason: The following vsys were not found in Palo Alto NGFW: {vsys that were not found}<br>If Policy name wasn't found in all vsys (fail): Error executing action "Block Ips in policy". Reason: Policy "{policy name}" wasn't found in the provided vsys. Please check the spelling.<br>If device name is invalid (fail): Error executing action "Block Ips in policy". Reason: Device "{device name}" was not found. Please check the spelling.<br>If Target != source or destination: Error executing action "Block Ips in policy". Reason: Target should be either "source" or "destination"<br>Critical Error: Error executing action "Block Ips in policy". Reason: {error traceback} | General |
Block URLs
Description
Add URLs to a given URL category.
Parameters
Parameter | Type | Default Value | Description |
---|---|---|---|
Device Name | String | N/A | The device name in which the group is located. The default device name of NGFW is localhost.localdomain. If it is configured differently, refer to https://php/rest/browse.php/config::devices for the list of all the device names and select the relevant device. |
Vsys Name | String | N/A | Specify a comma-separated list of vsys on which you want to execute the action. The default vsys name of NGFW is vsys1. If it is configured differently, refer to https://{ip}/php/rest/browse.php/config::devices::entry[@name='{device name}']::vsys for the list of all available vsys on the device. |
URL Category Name | String | N/A | Policy name value. |
Use Shared Objects | Checkbox | N/A | If enabled, action will use shared objects instead of vsys. |
Use cases
N/A
Run On
This action runs on the URL entity.
Action Results
Entity Enrichment
N/A
Insights
N/A
Script Result
Script Result Name | Value Options | Example |
---|---|---|
success | True/False | success:False |
JSON Result
[
"www.example.com"
]
Case Wall
Result Type | Value / Description | Type |
---|---|---|
Output message* | Success for one vsys and one URL (is_success=true): Successfully added the following URLs to the category "{category_name}" for vsys "{vsys name}" in Palo Alto NGFW: {entity.identifiers}<br>Not success for one vsys and one URL (is_success=true): Action wasn't able to add the following URLs to the category "{category_name}" for vsys "{vsys name}" in Palo Alto NGFW: {entity.identifiers}<br>Not success for all URLs in vsys: No URLs were added to the category "{category_name}" for vsys "{vsys name}" in Palo Alto NGFW.<br>If Group name wasn't found in some vsys (is_success=true): Category "{category name}" wasn't found in the following vsys in the Palo Alto NGFW: {vsys that don't have the category}<br>If "Use Shared Objects" is disabled and none of the "Device name" and "Vsys name" are provided (fail): Error executing action "{action_name}": Either "Use Shared Objects" parameter should be enabled or "Device name" and "Vsys name" to be provided.<br>If at least one of the vsys were not found (fail): Error executing action "Block Urls". Reason: The following vsys were not found in Palo Alto NGFW: {vsys that were not found}<br>If Category name wasn't found in all vsys (fail): Error executing action "Block Urls". Reason: Category "{category name}" wasn't found in the provided vsys. Please check the spelling.<br>If device name is invalid (fail): Error executing action "Block Urls". Reason: Device "{device name}" was not found. Please check the spelling.<br>If "Use Shared Objects" is enabled and at least one URL was added (is_success=true): Successfully added the following URLs to the shared category '{Category Name}' in Palo Alto NGFW:\n {entity.identifier}<br>If "Use Shared Objects" is enabled and one URL was already a part of URL Category (is_success=true): The following URLs were already a part of the the shared category '{Category Name}' in Palo Alto NGFW:\n {entity.identifier}<br>If "Use Shared Objects" is enabled and at least one URL was not added (is_success=true): Action wasn't able to add the following URLs to the shared category '{Category Name}' in Palo Alto NGFW:\n {entity.identifier}<br>If "Use Shared Objects" is enabled and no URL was added (is_success=false): No URLs were added to the shared category '{Category Name}' in Palo Alto NGFW.<br>If Category wasn't found (fail): Error executing action "Block Urls". Shared category "{Category Name}" was not found in Palo Alto NGFW.<br>Critical Error: Error executing action "Block Urls". Reason: {error traceback} | General |
Commit Changes
Description
Commit changes in Palo Alto NGFW.
Parameters
Parameter | Type | Default Value | Description |
---|---|---|---|
Only My Changes | String | N/A | Commit only the configured user's changes. |
Use cases
N/A
Run On
This action runs on all entities.
Action Results
Entity Enrichment
N/A
Insights
N/A
Script Result
Script Result Name | Value Options | Example |
---|---|---|
success | True/False | success:False |
JSON Result
N/A
Edit Blocked Applications
Description
Block and unblock applications. Each application is added to or removed from a given policy.
Parameters
Parameter | Type | Default Value | Description |
---|---|---|---|
Applications To Block | String | N/A | List of applications to block, comma separated. Example: apple-siri,app2 |
Applications To UnBlock | String | N/A | List of applications to unblock, comma separated. Example: apple-siri,app2 |
Device Name | String | N/A | The device name in which the group is located. The default device name of NGFW is localhost.localdomain. If it is configured differently, refer to https://php/rest/browse.php/config::devices for the list of all the device names and select the relevant device. |
Vsys Name | String | N/A | Specify a comma-separated list of vsys on which you want to execute the action. The default vsys name of NGFW is vsys1. If it is configured differently, refer to https://{ip}/php/rest/browse.php/config::devices::entry[@name='{device name}']::vsys for the list of all available vsys on the device. |
Policy Name | String | N/A | Policy name value. |
Use cases
N/A
Run On
This action runs on all entities.
Action Results
Entity Enrichment
N/A
Insights
N/A
Script Result
Script Result Name | Value Options | Example |
---|---|---|
success | True/False | success:False |
JSON Result
[
"1und1-mail",
"Filter",
"Group1",
"SiemplifyAppBlacklist",
"apple-siri",
"google-analytics"
]
Case Wall
Result Type | Value / Description | Type |
---|---|---|
Output message* | Success for one vsys for blocking of applications (is_success=true): Successfully added the following applications to the policy "{policy name}" in vsys "{vsys name}" in Palo Alto NGFW: {applications to block}<br>Not success for one vsys for blocking of one application (is_success=true): Action wasn't able to add the following applications to the policy "{policy name}" in vsys "{vsys name}" in Palo Alto NGFW: {applications to block}<br>Not success for one vsys for blocking of all applications (is_success=true): No applications were added to the policy "{policy name}" in vsys "{vsys name}" in Palo Alto NGFW: {applications to block}<br>Success for one vsys for unblocking of applications (is_success=true): Successfully removed the following applications from the policy "{policy name}" in vsys "{vsys name}" in Palo Alto NGFW: {applications to block}<br>Not success for one vsys for blocking of one application (is_success=true): Action wasn't able to remove the following applications from the policy "{policy name}" in vsys "{vsys name}" in Palo Alto NGFW: {applications to block}<br>Not success for one vsys for blocking of all applications (is_success=true): No applications were removed from the policy "{policy name}" in vsys "{vsys name}" in Palo Alto NGFW: {applications to block}<br>If Policy name wasn't found in some vsys (is_success=true): Policy "{policy name}" wasn't found in the following vsys in the Palo Alto NGFW: {vsys that don't have the policy}<br>If at least one of the vsys were not found (fail): Error executing action "Edit Blocked Applications". Reason: The following vsys were not found in Palo Alto NGFW: {vsys that were not found}<br>If Policy name wasn't found in all vsys (fail): Error executing action "Edit Blocked Applications". Reason: Policy "{policy name}" wasn't found in the provided vsys. Please check the spelling.<br>If device name is invalid (fail): Error executing action "Edit Blocked Applications". Reason: Device "{device name}" was not found. Please check the spelling.<br>Critical Error: Error executing action "Edit Blocked Applications". Reason: {error traceback} | General |
Get Blocked Applications
Description
List all blocked applications in a given policy.
Parameters
Parameter | Type | Default Value | Description |
---|---|---|---|
Device Name | String | N/A | The device name in which the group is located. The default device name of NGFW is localhost.localdomain. If it is configured differently, refer to https://php/rest/browse.php/config::devices for the list of all the device names and select the relevant device. |
Vsys Name | String | N/A | Specify a comma-separated list of vsys on which you want to execute the action. The default vsys name of NGFW is vsys1. If it is configured differently, refer to https://{ip}/php/rest/browse.php/config::devices::entry[@name='{device name}']::vsys for the list of all available vsys on the device. |
Policy Name | String | N/A | Policy name value. |
Use cases
N/A
Run On
This action runs on all entities.
Action Results
Entity Enrichment
N/A
Insights
N/A
Script Result
Script Result Name | Value Options | Example |
---|---|---|
blocked_applications | N/A | N/A |
JSON Result
[
"1und1-mail",
"Filter",
"Group1",
"SiemplifyAppBlacklist",
"apple-siri",
"google-analytics"
]
Case Wall
Result Type | Value / Description | Type |
---|---|---|
Output message* | Success for one vsys (is_success=true): Successfully listed available blocked applications in the following vsys in Palo Alto NGFW: {vsys with success}<br>Not success for one vsys (is_success=true): Action wasn't able to list available blocked application in the following vsys in Palo Alto NGFW: {vsys with success}<br>Not success for all IPs in all vsys: No blocked applications were found in the provided vsys in Palo Alto NGFW.<br>If Policy name wasn't found in some vsys (is_success=true): Policy "{policy name}" wasn't found in the following vsys in the Palo Alto NGFW: {vsys that don't have the policy}<br>If at least one of the vsys were not found (fail): Error executing action "Get Blocked Applications". Reason: The following vsys were not found in Palo Alto NGFW: {vsys that were not found}<br>If Policy name wasn't found in all vsys (fail): Error executing action "Get Blocked Applications". Reason: Policy "{policy name}" wasn't found in the provided vsys. Please check the spelling.<br>If device name is invalid (fail): Error executing action "Get Blocked Applications". Reason: Device "{device name}" was not found. Please check the spelling.<br>Critical Error: Error executing action "Get Blocked Applications". Reason: {error traceback} | General |
Ping
Description
Test connectivity to Panorama.
Parameters
N/A
Use cases
N/A
Run On
This action runs on all entities.
Action Results
Entity Enrichment
N/A
Insights
N/A
Script Result
Script Result Name | Value Options | Example |
---|---|---|
success | True/False | success:False |
JSON Result
N/A
Remove IPs From Group
Description
Remove IP addresses from an address group.
Parameters
Parameter | Type | Default Value | Description |
---|---|---|---|
Device Name | String | N/A | The device name in which the group is located. The default device name of NGFW is localhost.localdomain. If it is configured differently, refer to https://php/rest/browse.php/config::devices for the list of all the device names and select the relevant device. |
Vsys Name | String | N/A | Specify a comma-separated list of vsys on which you want to execute the action. The default vsys name of NGFW is vsys1. If it is configured differently, refer to https://{ip}/php/rest/browse.php/config::devices::entry[@name='{device name}']::vsys for the list of all available vsys on the device. |
Address Group Name | String | N/A | The name of the required address group. |
Use Shared Objects | Checkbox | N/A | If enabled, action will use shared objects instead of vsys. Note: action will not create a shared address group, if it doesn't exist. |
Use cases
N/A
Run On
This action runs on the IP Address entity.
Action Results
Entity Enrichment
N/A
Insights
N/A
Script Result
Script Result Name | Value Options | Example |
---|---|---|
success | True/False | success:False |
JSON Result
[
"1.1.1.1",
"2.2.2.2"
]
Case Wall
Result Type | Value / Description | Type |
---|---|---|
Output message* | Success for one vsys and one IP (is_success=true): Successfully removed the following IPs from the group "{group_name}" for vsys "{vsys name}" in Palo Alto NGFW: {entity.identifiers}<br>Not success for one vsys and one IP (is_success=true): Action wasn't able to remove the following IPs from the group "{group_name}" for vsys "{vsys name}" in Palo Alto NGFW: {entity.identifiers}<br>Not success for all IPs in vsys (is_success=false, if the same behavior for all vsys and is_success=true if partial): No IPs were removed from the group "{group_name}" for vsys "{vsys name}" in Palo Alto NGFW.<br>If Group name wasn't found in some vsys (is_success=true): Group "{group name}" wasn't found in the following vsys in the Palo Alto NGFW: {vsys that don't have the group}<br>If at least one of the vsys were not found (fail): Error executing action "Remove Ips from group". Reason: The following vsys were not found in Palo Alto NGFW: {vsys that were not found}<br>If "Use Shared Objects" is disabled and none of the "Device name" and "Vsys name" are provided (fail): Error executing action "{action_name}": Either "Use Shared Objects" parameter should be enabled or "Device name" and "Vsys name" to be provided.<br>If Group name wasn't found in all vsys (fail): Error executing action "Remove Ips from group". Reason: Group "{group name}" wasn't found in the provided vsys. Please check the spelling.<br>If device name is invalid (fail): Error executing action "Remove Ips from group". Reason: Device "{device name}" was not found. Please check the spelling.<br>If "Use Shared Objects" is enabled and at least one IP address was removed (is_success=true): Successfully removed the following IP addresses from the shared address group '{Group Name}' in Palo Alto NGFW:\n {entity.identifier}<br>If "Use Shared Objects" is enabled and one IP address was already not a part of address group (is_success=true): The following IP addresses were not a part of the the shared address group '{Group Name}' in Palo Alto NGFW:\n {entity.identifier}<br>If Address Group wasn't found (fail): Error executing action "Remove Ips to group". Shared address group "{Group Name}" was not found in Palo Alto NGFW.<br>Critical Error: Error executing action "Remove Ips from group". Reason: {error traceback} | General |
Unblock IPs in Policy
Description
Unblock IP addresses in a policy (each IP address is removed individually from the policy).
Parameters
Parameter | Type | Default Value | Description |
---|---|---|---|
Device Name | String | N/A | The device name in which the group is located. The default device name of NGFW is localhost.localdomain. If it is configured differently, refer to https://php/rest/browse.php/config::devices for the list of all the device names and select the relevant device. |
Vsys Name | String | N/A | Specify a comma-separated list of vsys on which you want to execute the action. The default vsys name of NGFW is vsys1. If it is configured differently, refer to https://{ip}/php/rest/browse.php/config::devices::entry[@name='{device name}']::vsys for the list of all available vsys on the device. |
Policy Name | String | N/A | Policy name value. |
Target | String | N/A | Has to be source or destination. |
Use cases
N/A
Run On
This action runs on the IP Address entity.
Action Results
Entity Enrichment
N/A
Insights
N/A
Script Result
Script Result Name | Value Options | Example |
---|---|---|
success | True/False | success:False |
JSON Result
[
"1.1.1.1",
"2.2.2.2"
]
Case Wall
Result Type | Value / Description | Type |
---|---|---|
Output message* | Success for one vsys and one IP (is_success=true): Successfully unblocked the following IPs in policy "{policy name}" for vsys "{vsys name}" in Palo Alto NGFW: {entity.identifiers}<br>Not success for one vsys and one IP (is_success=true): Action wasn't able to unblock the following IPs in policy "{policy_name}" for vsys "{vsys name}" in Palo Alto NGFW: {entity.identifiers}<br>Not success for all IPs in vsys: No IPs were unblocked in policy "{policy_name}" for vsys "{vsys name}" in Palo Alto NGFW.<br>If Policy name wasn't found in some vsys (is_success=true): Policy "{policy name}" wasn't found in the following vsys in the Palo Alto NGFW: {vsys that don't have the policy}<br>If at least one of the vsys were not found (fail): Error executing action "Unblock Ips in policy". Reason: The following vsys were not found in Palo Alto NGFW: {vsys that were not found}<br>If Policy name wasn't found in all vsys (fail): Error executing action "Unblock Ips in policy". Reason: Policy "{policy name}" wasn't found in the provided vsys. Please check the spelling.<br>If device name is invalid (fail): Error executing action "Unblock Ips in policy". Reason: Device "{device name}" was not found. Please check the spelling.<br>If Target != source or destination: Error executing action "Unblock Ips in policy". Reason: Target should be either "source" or "destination".<br>Critical Error: Error executing action "Unblock Ips in policy". Reason: {error traceback} | General |
Unblock URLs
Description
Remove URLs from a given URL category.
Parameters
Parameter | Type | Default Value | Description |
---|---|---|---|
Device Name | String | N/A | The device name in which the group is located. The default device name of NGFW is localhost.localdomain. If it is configured differently, refer to https://php/rest/browse.php/config::devices for the list of all the device names and select the relevant device. |
Vsys Name | String | N/A | Specify a comma-separated list of vsys on which you want to execute the action. The default vsys name of NGFW is vsys1. If it is configured differently, refer to https://{ip}/php/rest/browse.php/config::devices::entry[@name='{device name}']::vsys for the list of all available vsys on the device. |
URL Category Name | String | N/A | N/A |
Use Shared Objects | Checkbox | N/A | If enabled, action will use shared objects instead of vsys. |
Use cases
N/A
Run On
This action runs on the URL entity.
Action Results
Entity Enrichment
N/A
Insights
N/A
Script Result
Script Result Name | Value Options | Example |
---|---|---|
success | True/False | success:False |
JSON Result
[
"www.example.com"
]
Case Wall
Result Type | Value / Description | Type |
---|---|---|
Output message* | Success for one vsys and one URL (is_success=true): Successfully removed the following URLs from the category "{category_name}" for vsys "{vsys name}" in Palo Alto NGFW: {entity.identifiers}<br>Not success for one vsys and one URL (is_success=true): Action wasn't able to remove the following URLs to the category "{category_name}" for vsys "{vsys name}" in Palo Alto NGFW: {entity.identifiers}<br>Not success for all URLs in vsys: No URLs were removed from the category "{category_name}" for vsys "{vsys name}" in Palo Alto NGFW.<br>If Group name wasn't found in some vsys (is_success=true): Category "{category name}" wasn't found in the following vsys in the Palo Alto NGFW: {vsys that don't have the category}<br>If at least one of the vsys were not found (fail): Error executing action "Unblock Urls". Reason: The following vsys were not found in Palo Alto NGFW: {vsys that were not found}<br>If "Use Shared Objects" is disabled and none of the "Device name" and "Vsys name" are provided (fail): Error executing action "{action_name}": Either "Use Shared Objects" parameter should be enabled or "Device name" and "Vsys name" to be provided.<br>If Category name wasn't found in all vsys (fail): Error executing action "Unblock Urls". Reason: Category "{category name}" wasn't found in the provided vsys. Please check the spelling.<br>If device name is invalid (fail): Error executing action "Unblock Urls". Reason: Device "{device name}" was not found. Please check the spelling.<br>If "Use Shared Objects" is enabled and at least one URL was added (is_success=true): Successfully removed the following URLs from the shared category '{Category Name}' in Palo Alto NGFW:\n {entity.identifier}<br>If "Use Shared Objects" is enabled and one URL was already a part of URL Category (is_success=true): The following URLs were not a part of the the shared category '{Category Name}' in Palo Alto NGFW:\n {entity.identifier}<br>If Category wasn't found (fail): Error executing action "Block Urls". Shared category "{Category Name}" was not found in Palo Alto NGFW.<br>Critical Error: Error executing action "Unblock Urls". Reason: {error traceback} | General |
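The parameter rules documented for the group, policy and URL actions (either "Use Shared Objects" or both "Device Name" and "Vsys Name", a comma-separated vsys list, and a Target of source or destination) can be enforced in a playbook step before an action runs. The following Python is an added example, not code from the integration: the function names, the allowed character set for names, and the `/config/...` XPath layout of the PAN-OS configuration tree are assumptions.

```python
import ipaddress
import re

# Assumption: object names are limited to this conservative character set.
# Device and vsys names end up inside entry[@name='...'] predicates, so a
# quote or bracket in a name must be rejected rather than passed through.
_NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._ -]{0,62}")
VALID_TARGETS = ("source", "destination")


class ParameterError(ValueError):
    """Action parameters violate the rules documented on this page."""


def _check_name(label, value):
    if not _NAME_RE.fullmatch(value):
        raise ParameterError(f'{label} "{value}" contains unsupported characters')
    return value


def parse_vsys(vsys_name):
    """Split the comma-separated "Vsys Name" value; drop blanks and duplicates."""
    result = []
    for item in (vsys_name or "").split(","):
        item = item.strip()
        if item and item not in result:
            result.append(_check_name("Vsys name", item))
    return result


def resolve_scopes(device_name, vsys_name, use_shared_objects=False):
    """Return the configuration XPath prefixes the action would operate on."""
    if use_shared_objects:
        return ["/config/shared"]  # shared objects replace the vsys scope
    vsys = parse_vsys(vsys_name)
    if not device_name or not vsys:
        raise ParameterError(
            'Either "Use Shared Objects" parameter should be enabled or '
            '"Device name" and "Vsys name" to be provided.'
        )
    device = _check_name("Device name", device_name.strip())
    return [
        f"/config/devices/entry[@name='{device}']/vsys/entry[@name='{v}']"
        for v in vsys
    ]


def validate_target(target):
    """Accept only the two Target values the policy actions document."""
    if target not in VALID_TARGETS:
        raise ParameterError('Target should be either "source" or "destination"')
    return target


def split_ip_entities(identifiers):
    """Separate well-formed IP entities from values that must not be submitted."""
    valid, rejected = [], []
    for ident in identifiers:
        try:
            valid.append(str(ipaddress.ip_address(ident.strip())))
        except ValueError:
            rejected.append(ident)
    return valid, rejected


if __name__ == "__main__":
    # Constructed sample values, not taken from a real device.
    print(resolve_scopes("localhost.localdomain", "vsys1, vsys2"))
    print(validate_target("destination"))
    print(split_ip_entities(["1.1.1.1", "2.2.2.2", "www.example.com"]))
```
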