USM Anywhere™

AlienApp for Palo Alto Networks PAN-OS Orchestration

The AlienApp for Palo Alto Networks PAN-OS provides a set of orchestration actions that you can use to quickly send IP addresses to the firewallVirtual or physical device designed to defend against unauthorized access to data, resources, or a private network. A firewall’s primary purpose is to create segregation between two or more network resources, blocking undesirable traffic between them. as a response to threats identified by USM Anywhere. You can also send IP addresses to Palo Alto Dynamic Address Groups. The AlienApp sends standard HTTP requests to the Palo Alto Networks PAN-OS APIs to register tags. Each such tag contains the source or destination address (or the fully qualified domain name [FQDN]) of the event or alarm that triggered the action or orchestration rule.

Important: Using the AlienApp for Palo Alto Networks PAN-OS orchestration actions requires that the AlienApp is enabled on a deployed USM Anywhere Sensor with configured integration to your Palo Alto Networks product. See Configuring the AlienApp for Palo Alto Networks PAN-OS for more information.

As USM Anywhere surfaces eventsAny traffic or data exchange detected by AT&T Cybersecurity products through a sensor, or through external devices such as a firewall. and alarmsAlarms provide notification of an event or sequence of events that require attention or investigation., your team determines which items require a response action. Rather than manually tagging source and destination hosts in the Palo Alto Networks firewall for enforcement purposes, you can use the AlienApp for Palo Alto Networks PAN-OS orchestration actions to enforce protection based on the information associated with the event or alarm. The following table lists the available actions from the AlienApp.

Actions for AlienApp for Palo Alto Networks PAN-OS
Action Function

Tag Destination IP Address from Rule

Run this action to tag destination IP Address in the connected Palo Alto Networks device.

Tag Destination IP Address to Dynamic Address Group from Rule

Run this action to tag destination IP Address and add it to a Dynamic Address Group in the connected Palo Alto Networks device.

Tag Source IP Address from Rule

Run this action to tag source IP Address in the connected Palo Alto Networks device.

Tag Source IP Address to Dynamic Address Group from Rule

Run this action to tag source IP Address and add it to a Dynamic Address Group in the connected Palo Alto Networks device.

Upon launch of the action, USM Anywhere sends a request to the Palo Alto Networks PAN-OS API to add one of the following identifiers to its Object database and to tag it according to the value specified in the action or rule.

  • IPv4 address
  • IPv6 address
  • FQDN

Important: By default, changes affecting PAN-OS firewall configurations require activation through a commit. The object (host) tag requests sent by AlienApp for Palo Alto Networks PAN-OS are not activated until you or another Palo Alto administrator commits them. In the PAN-OS web UI, you can filter pending changes by user account or location and then preview, validate, or commit only those changes. For more information about committing these changes, refer to the PAN-OS documentation.

If a specified tag does not already exist in the Palo Alto Networks device, the action also creates the new tag. The tag creation does not require a commit in the Palo Alto Networks environment.

To view information about these actions in USM Anywhere

  1. In USM Anywhere, go to Data Sources > AlienApps.
  2. Click the Available Apps tab.
  3. Search for the AlienApp, and then click the tile.
  4. Click the Actions tab to display information for the supported actions.

    Note: To use the Dynamic Address Group actions, you first need to configure Dynamic Address Groups in your policy within PAN-OS.

  5. Click the History tab to display information about the executed orchestration actions.

    View the history of executed Palo Alto orchestration actions