Configuring the BlueApp for Palo Alto Networks PAN-OS

Role Availability Read-Only Investigator Analyst Manager

When the BlueApp for Palo Alto Networks PAN-OS is enabled and connected to your Palo Alto Networks environment, you can launch app actions and create orchestration rules to send data from USM Anywhere to your Palo Alto device. For more information about the orchestration actions supported by the BlueApp for Palo Alto Networks PAN-OS, see BlueApp for Palo Alto Networks PAN-OS Actions.

Note: To fully integrate USM Anywhere with your Palo Alto Networks device, you should also have the Palo Alto Networks PAN-OS log collection enabled so that USM Anywhere can retrieve and normalize Normalization describes the translation of log file entries received from disparate types of monitored assets into the standardized framework of Event types and sub-types. the raw log data. See Collecting Logs from Palo Alto Networks for details.

Note: The BlueApp for Palo Alto Networks PAN-OS is designed for use with single firewalls, and does not integrate with the Palo Alto Panorama software for managing multiple firewalls.

BlueApp for Palo Alto Networks PAN-OS Requirements

Before you can begin configuration, you must have the following information from the PAN-OS and, if desired, from a Certificate Authority (CA):

To acquire an API key for PAN-OS

  1. Go to https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-panorama-api/get-started-with-the-pan-os-xml-api/get-your-api-key.html and follow the vendor instructions to generate the key.
  2. Copy the token to be entered in USM Anywhere.

To create an admin account in Palo Alto Networks

  1. Log in to your Palo Alto Networks account with an admin user profile.
  2. Click the Device tab.
  3. Select Admin Roles in the left pane and click Add to create a new administrator profile.
  4. In the Admin Role Profile window, enter a name and description (optional) for the profile.
  5. Click the XML/REST API tab and click each of the items under that tab to enable them all.
  6. Click OK to create the profile.
  7. Now select Administrators from the left panel and click Add.
  8. In the Administrator window:

    1. Enter a name for the account, a password, and select Role Based for the Administrator Type.
    2. For Profile, enter the name of the profile you previously created in the Admin Roles section.
  9. Click OK to create the admin account.

Configure the BlueApp for Palo Alto Networks PAN-OS Connection

To support the orchestration actions in USM Anywhere, you must configure a connection with the PAN-OS firewall. This connection enables the BlueApp to send a request to the PAN-OS API.

Important: USM Anywhere can only communicate with one PAN-OS instance per sensor. If you have multiple PAN-OS instances in your network, contact LevelBlue Technical Support for assistance.

To configure the connection for PAN-OS

  1. In USM Anywhere, go to Data Sources > BlueApps.
  2. Click the Available Apps tab.
  3. Search for the BlueApp, and then click the tile.
  4. Click Configure API.
  5. If you have more than one deployed USM Anywhere Sensor, select the sensor that you want to use for the enabled BlueApp.

    BlueApps operate through a deployed sensor and use APIs to integrate with the connected third-party technology. Select the sensor that can access the integration endpoint. The HTTPS connections to the API will originate from this sensor, so it is important to make sure the sensor has network access to the BlueApp API endpoints.

  6. Specify the connection information for Palo Alto Networks:

    • IP address or hostname: Enter the IP address or hostname of your PAN-OS instance.
    • (Optional) Validate HTTPS host name: Select this option if you want USM Anywhere to validate the hostname against its SSL certificate.
    • (Optional) Require CA certificate: Select this option if you prefer to use a security certificate to establish a trusted SSL connection between PAN-OS and USM Anywhere.
    • (Optional) CA certificate: Enter your certificate for the connection.

    • Admin Name: Enter the name of the admin account you created.
    • API key: Enter the API key that you generated in PAN-OS.

    Enter the Palo Alto connection information for the AlienApp

  7. Click Save.

Uploading a CA Certificate

If you leave the Require CA Certificate checkbox deselected, the BlueApp uses the browser's default trust store. When you select the Require CA Certificate checkbox, the certificate entered in the CA Certificate field takes precedence and is the only certificate trusted by the client.

There are two major use cases that might require you to upload your own certificate in the CA Certificate field:

  • The firewall was deployed with a self-signed Secure Sockets Layer (SSL) certificate. A certificate like this is typically generated on the firewall at the time of deployment. In this case, you need to export that self-signed certificate from the firewall and paste it into the CA Certificate field.
  • You have deployed the firewall with a SSL certificate signed by your own CA. In this case, you need to import the root and intermediate certificates, if any, from your CA. This way, the BlueApp has the same trusted certificate chain that are deployed on your firewall.

See the Palo Alto Networks PAN-OS documentation for further information on exporting a certificate to use with the BlueApp.