AlienVault® USM Anywhere™

Configuring the AlienApp for Palo Alto Networks

Role Availability: Read-Only, Analyst, Manager

When the AlienApp for Palo Alto Networks is enabled and connected to your Palo Alto Networks environment, you can launch app actions and create orchestration rules to send data from USM Anywhere to your Palo Alto device. See AlienApp for Palo Alto Networks Orchestration for more information about the orchestration actions supported by the AlienApp for Palo Alto Networks.

Note: To fully integrate USM Anywhere with your Palo Alto Networks device, you should also have the Palo Alto Networks PAN-OS log collection enabled so that USM Anywhere can retrieve and normalize the raw log data. (Normalization is the translation of log file entries received from disparate types of monitored assets into the standardized framework of event types and subtypes.) See Collecting Logs from Palo Alto Networks for more information about enabling this raw log data retrieval.

Note: The AlienApp for Palo Alto Networks is designed for use with single firewalls, and does not integrate with the Palo Alto Panorama software for managing multiple firewalls.

AlienApp for Palo Alto Networks Requirements

Before you can begin configuration, you must have the following information from PAN-OS and, if desired, from a certificate authority (CA).

To acquire an API key for PAN-OS

  1. Go to https://www.paloaltonetworks.com/documentation/71/pan-os/xml-api/get-started-with-the-pan-os-xml-api/get-your-api-key and follow the vendor instructions to generate the key. A PAN-OS API key is bound to the administrator account whose credentials generate it, so generate it as the service account described in the next procedure rather than as a personal admin user.
  2. Copy the key to be entered in USM Anywhere.

To create a service account profile

  1. Log in to the PAN-OS web interface with an administrator account.
  2. Click the Device tab.
  3. Select Admin Roles in the left panel and click Add to create a new administrator role profile.
  4. In the Admin Role Profile window, enter a name and, optionally, a description for the profile.
  5. Click the XML/REST API tab and click each item under that tab to enable them all. This grants the service account the full XML/REST API surface (including configuration changes, operational commands, and commits), so treat its password and API key as privileged credentials.
  6. Click OK to create the profile.
  7. Select Administrators from the left panel and click Add.
  8. In the Administrator window, enter a name and password for the account, select Role Based as the Administrator Type, and for Profile select the profile you created in Admin Roles.
  9. Click OK to create the admin service account.
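The key acquisition above, done against the PAN-OS XML API rather than through the vendor page, as an added example (not code from the USM Anywhere documentation or from Palo Alto Networks). FIREWALL_HOST and the account name are placeholders, and the two sample responses are constructed to match the documented shape of a keygen reply, not captured from a real firewall.

```python
"""Generate a PAN-OS API key for the AlienApp service account (added example)."""
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

FIREWALL_HOST = "fw.example.internal"   # assumption: replace with your firewall's management address


def keygen_request(host: str, user: str, password: str) -> urllib.request.Request:
    """Build the keygen call. The credentials travel in a POST body rather than
    in the query string so that the password does not land in proxy or
    web-server access logs; PAN-OS also accepts them as GET parameters."""
    body = urllib.parse.urlencode({"type": "keygen", "user": user, "password": password})
    return urllib.request.Request(
        f"https://{host}/api/",
        data=body.encode(),
        headers={"Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )


def parse_keygen_response(xml_text: str) -> str:
    """Return the key from a keygen reply, or raise with the firewall's message.
    Success: <response status="success"><result><key>...</key></result></response>
    Failure: <response status="error" code="403"><result><msg>Invalid Credential</msg></result></response>
    """
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        msg = root.findtext("./result/msg") or "unknown error"
        raise PermissionError(f"keygen failed (code {root.get('code')}): {msg}")
    key = root.findtext("./result/key")
    if not key:
        raise ValueError("keygen response carries no <key> element")
    return key


def fetch_api_key(host: str, user: str, password: str, ctx: ssl.SSLContext = None) -> str:
    """Run keygen. `ctx` lets you pin a private CA for the firewall; by default
    the platform trust store is used and the hostname is checked."""
    ctx = ctx or ssl.create_default_context()
    with urllib.request.urlopen(keygen_request(host, user, password), context=ctx, timeout=15) as resp:
        return parse_keygen_response(resp.read().decode())


# Constructed sample replies (not captured from a device) for offline checks.
SAMPLE_OK = ('<response status="success"><result>'
             '<key>LUFRPT1EXAMPLEKEY00000000000000000=</key></result></response>')
SAMPLE_DENIED = ('<response status="error" code="403"><result>'
                 '<msg>Invalid Credential</msg></result></response>')


if __name__ == "__main__":
    import getpass
    # Generate the key as the service account, never as a personal admin login.
    print(fetch_api_key(FIREWALL_HOST, "usm-orchestration", getpass.getpass("service account password: ")))
```

The key that comes back is what goes into the API key field on the Settings tab; it carries every permission granted to the role profile above, so store it the way you would store the account password.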

Configuring the AlienApp for Palo Alto Networks Connection

To support the orchestration actions in USM Anywhere, you must configure a connection with the PAN-OS firewall. This connection enables the AlienApp to send a request to the Palo Alto Networks PAN-OS API.

Important: USM Anywhere can only communicate with one PAN-OS instance per sensor. If you have multiple PAN-OS instances in your network, AT&T Cybersecurity recommends that you contact AT&T Cybersecurity Technical Support for setup help.

To configure the connection between the firewall and the AlienApp

  1. In USM Anywhere, go to Data Sources > Integrations.
  2. Click the AlienApps tab.

    Available Apps tab

  3. On the AlienApps page, click the Palo Alto Networks tile.

    Click the Palo Alto Networks tile

    The Status tab is displayed, but it does not provide status information until the AlienApp for Palo Alto Networks is enabled and configured.

  4. If you have more than one deployed USM Anywhere Sensor, select the sensor that you want to use for the enabled AlienApp.

    AlienApps operate through a deployed sensor and use APIs to integrate with the connected third-party technology. Select the sensor that can access the integration endpoint. The HTTPS connections to the API will originate from this sensor, so it is important to make sure the sensor has network access to the AlienApp API endpoints.

  5. Click Enable.
  6. Click the Settings tab.
  7. Specify the connection information for Palo Alto Networks:

    • IP address or hostname: Enter the IP address or hostname of your PAN-OS instance. If you intend to validate the HTTPS hostname, enter the name that appears in the firewall's certificate.
    • (Optional) CA certificate: If you want to pin the certificate authority that vouches for the firewall, select the checkbox and enter the CA certificate to establish a trusted TLS (SSL) connection between PAN-OS and USM Anywhere.
    • (Optional) Validate HTTPS host name: Select the checkbox if you want the sensor to verify that the hostname you entered matches the name in the certificate the firewall presents.
    • Admin Name: The name of the admin service account you created.
    • API key: Enter the API key that you generated in PAN-OS.
  8. Click Save.

Uploading a CA Certificate (Optional)

If you leave the Require CA Certificate checkbox deselected, the AlienApp validates the firewall's certificate against the sensor's default trust store. When you select the Require CA Certificate checkbox, the certificate entered in the CA Certificate field takes precedence and is the only certificate trusted by the client; a firewall certificate that does not chain to it is rejected.

There are two common cases that require you to upload your own certificate in the CA Certificate field:

  • The firewall was deployed with a self-signed TLS (SSL) certificate. A certificate like this is typically generated on the firewall at the time of deployment. In this case, export that self-signed certificate from the firewall and paste it into the app's CA Certificate field. Because you are pinning the certificate itself rather than an issuer, you must update the field whenever the firewall's certificate is regenerated.
  • You deployed the firewall with a TLS certificate signed by your own CA. In this case, import the root or intermediate certificate from your CA so that the client has a trust chain that covers the certificate and the chained intermediates deployed on the firewall.

See the Palo Alto PAN-OS Export a Certificate and Private Key documentation for further information on exporting a certificate to use with the AlienApp for Palo Alto Networks.
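The two trust modes and the hostname check described in this section, reproduced with the Python standard library so you can exercise a firewall's certificate chain from the sensor's network position before saving the settings. This is an added example, not code from USM Anywhere; FIREWALL_HOST is a placeholder, and the sample op responses are constructed to match the documented shape of a PAN-OS reply, not captured from a device.

```python
"""What the CA Certificate and Validate HTTPS host name settings enforce (added example)."""
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET
from typing import Dict, Optional

FIREWALL_HOST = "fw.example.internal"   # assumption: your PAN-OS management address


def build_tls_context(ca_pem: Optional[str], validate_hostname: bool) -> ssl.SSLContext:
    """ca_pem=None  -> Require CA Certificate deselected: the platform trust store.
    ca_pem=<PEM>   -> selected: only that CA (the self-signed firewall certificate,
                      or your private root/intermediate) can vouch for the firewall."""
    if ca_pem is None:
        ctx = ssl.create_default_context()
    else:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)   # starts with an empty trust store
        ctx.load_verify_locations(cadata=ca_pem)
    ctx.verify_mode = ssl.CERT_REQUIRED        # the chain must validate in either mode
    ctx.check_hostname = validate_hostname     # the name in the cert must match the host dialled
    return ctx


def describe_context(ctx: ssl.SSLContext) -> Dict[str, object]:
    """Effective settings, handy for logging what a connection will enforce."""
    return {"verify_mode": ctx.verify_mode.name,
            "check_hostname": ctx.check_hostname,
            "trusted_cas": len(ctx.get_ca_certs())}


def export_presented_cert(host: str, port: int = 443) -> str:
    """Fetch the PEM the firewall presents (the self-signed case). This performs no
    verification, so compare its fingerprint with the one shown on the firewall
    before pasting it into the CA Certificate field."""
    return ssl.get_server_certificate((host, port))


def system_info_request(host: str, api_key: str) -> urllib.request.Request:
    """Smallest useful end-to-end check: `show system info` over the XML API.
    The key goes in the query string, which every PAN-OS release accepts."""
    query = urllib.parse.urlencode({"type": "op",
                                    "cmd": "<show><system><info></info></system></show>",
                                    "key": api_key})
    return urllib.request.Request(f"https://{host}/api/?{query}")


def parse_system_info(xml_text: str) -> Dict[str, Optional[str]]:
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        raise RuntimeError(root.findtext("./result/msg") or f"op failed (code {root.get('code')})")
    info = root.find("./result/system")
    if info is None:
        raise ValueError("no <system> block in response")
    return {k: info.findtext(k) for k in ("hostname", "model", "sw-version", "serial")}


def check_connection(host: str, api_key: str, ctx: ssl.SSLContext) -> Dict[str, Optional[str]]:
    """Raises ssl.SSLCertVerificationError when the chain or hostname check fails."""
    with urllib.request.urlopen(system_info_request(host, api_key), context=ctx, timeout=15) as resp:
        return parse_system_info(resp.read().decode())


# Constructed sample replies (not captured from a device) for offline checks.
SAMPLE_SYSTEM_INFO = ('<response status="success"><result><system>'
                      '<hostname>pa-fw-01</hostname><model>PA-220</model>'
                      '<serial>000000000000</serial><sw-version>9.1.0</sw-version>'
                      '</system></result></response>')
SAMPLE_BAD_KEY = ('<response status="error" code="403"><result>'
                  '<msg>Invalid Credential</msg></result></response>')


if __name__ == "__main__":
    pem = export_presented_cert(FIREWALL_HOST)            # self-signed case: pin what it presents
    ctx = build_tls_context(pem, validate_hostname=True)
    print(describe_context(ctx))
    print(check_connection(FIREWALL_HOST, "LUFRPT1EXAMPLEKEY00000000000000000=", ctx))
```

Run it with ca_pem=None first to see whether the firewall already chains to a public or corporate root on the sensor; if that fails with a verification error, pin the exported certificate or your CA, and keep hostname validation on unless the firewall's certificate genuinely carries no matching name.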

Palo Alto Dynamic Address Groups

To configure PAN-OS to use tags from USM Anywhere to add addresses to Dynamic Address Groups

Dynamic Address Groups in PAN-OS let you group addresses by tag: the tag acts as the identifier, and an address that an alarm or orchestration rule tags in USM Anywhere is added to the Dynamic Address Group whose match criteria include that tag, so any policy that references the group applies to it.

To allow PAN-OS to automatically associate the tags you create in USM Anywhere with the PAN-OS Dynamic Address Groups, you first need to configure Dynamic Address Groups in your policy.
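The mechanics behind tag-driven group membership, as an added example that is not code from USM Anywhere or Palo Alto Networks: it builds the XML API request that creates a Dynamic Address Group whose match filter is a tag, and the User-ID "register" message that attaches that tag to an IP so the address joins the group. The group name, tag, vsys path, host, key and IPs are placeholders.

```python
"""Tag-driven membership in a PAN-OS Dynamic Address Group (added example)."""
import ipaddress
import urllib.parse
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

# Assumption: a single-vsys firewall at the default configuration xpath.
VSYS_XPATH = "/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']"


def dag_set_params(group_name: str, tag: str, api_key: str) -> Dict[str, str]:
    """Parameters for type=config&action=set that create (or update) a Dynamic
    Address Group containing every registered address that carries `tag`.
    Creating the object needs a commit; later membership changes do not."""
    return {
        "type": "config",
        "action": "set",
        "xpath": f"{VSYS_XPATH}/address-group/entry[@name='{group_name}']",
        # DAG filter syntax quotes the tag; 'a' and 'b' / 'a' or 'b' combine tags.
        "element": f"<dynamic><filter>'{tag}'</filter></dynamic>",
        "key": api_key,
    }


def uid_message(action: str, ip_tags: Dict[str, List[str]], timeout: Optional[int] = None) -> str:
    """Build a <uid-message> that registers or unregisters tags on IP addresses.
    `action` is "register" or "unregister". `timeout` (seconds) lets a
    registration expire on its own; assumption: your release honours it
    (PAN-OS 9.0 and later do). Registration takes effect without a commit."""
    if action not in ("register", "unregister"):
        raise ValueError("action must be 'register' or 'unregister'")
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    block = ET.SubElement(ET.SubElement(root, "payload"), action)
    for ip, tags in ip_tags.items():
        ipaddress.ip_address(ip)  # reject anything that is not a literal address (e.g. an injected string)
        tag_el = ET.SubElement(ET.SubElement(block, "entry", ip=ip), "tag")
        for tag in tags:
            member = ET.SubElement(tag_el, "member")
            member.text = tag
            if timeout is not None and action == "register":
                member.set("timeout", str(timeout))
    return ET.tostring(root, encoding="unicode")


def uid_params(message: str, api_key: str) -> Dict[str, str]:
    """Form body for POST https://<firewall>/api/ carrying the User-ID message."""
    return {"type": "user-id", "cmd": message, "key": api_key}


def encode(params: Dict[str, str]) -> str:
    return urllib.parse.urlencode(params)


if __name__ == "__main__":
    key = "LUFRPT1EXAMPLEKEY00000000000000000="   # constructed placeholder
    print(encode(dag_set_params("USM-Blocked", "usm-blocked", key)))
    msg = uid_message("register", {"10.0.0.5": ["usm-blocked"]}, timeout=3600)
    print(msg)
    print(encode(uid_params(msg, key)))
```

The tag string in the filter is the one USM Anywhere will send, so it must match exactly; giving the registration a timeout is the simplest way to keep a blocking group from accumulating addresses that nobody ever unregisters.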