Palo Alto

JSA Risk Manager supports the Palo Alto adapter. The Palo Alto adapter uses the PAN-OS XML-based Rest API to communicate with Palo Alto firewall devices.

The following features are available with the Palo Alto adapter:

Neighbor data support
Dynamic NAT
Static NAT
Static routing
SNMP discovery
IPSEC Tunneling/VPN
Applications
User/Groups
HTTPS connection protocol

Note:

The Palo Alto adapter does not support shared policies that are pushed to devices by a Palo Alto Panorama network security management system.

The following table describes the integration requirements for the Palo Alto adapter.

Table 1: Integration Requirements for the Palo Alto Adapter
Integration requirement	Description
Versions	PAN-OS Versions 5.0 to 8.1
Minimum user access level	Superuser (full access) is required for PA devices with External Dynamic Lists or Full Qualifies Domain name (FQDN) objects to perform system-level commands. Superuser (read-only) for all other PA devices.
SNMP discovery	SysDescr matches 'Palo Alto Networks(.*)series firewall' or sysOid matches 'panPA'
Required credential parameters To add credentials in JSA log in as an administrator and use Configuration Source Management on the Admin tab.	Username Password
Supported connection protocols To add protocols in JSA, log in as an administrator and use Configuration Source Management on the Admin tab.	HTTPS
Required commands to use for the backup operation.	`/api/?type=op&cmd=<show><system><info></info></system>/show>` `/api/?type=op&cmd=<show><config><running></running></config></show>` `/api/?type=op&cmd=<show><interface>all</interface></show>`
Optional commands to use for the backup operation.	`/api/?type=op&cmd=<show> <system><resources> </resources></system></show>` `/api/?type=op&cmd=/config/predefined/service` For PAN-OS versions 7.0 and lower: `/api/?type=op&cmd=<request><system><external-list> <show><name>$listName</name>< /show></external-list></system></request>` where `$listName` is a variable in this command, which is run multiple times. For PAN-OS versions 7.1 and higher: `/api/? type=op&cmd=<request><system><external-list> <show><type><ip><name>$listName</name></ip></ type></show></external-list></system></request>` where `$listName` is a variable in this command, which is run multiple times. `/api/?type=op&cmd=<show><object><dynamic-address-group><all></all>< /dynamic-address-group></object></show>` `/api/?type=config&action=get&xpath=/config/predefined/application` `/api/?type=op&cmd=<request><system><external -list> <show><type><predefined-ip><name> $listName</name></predefined-ip></type></show></ external-list></system></request>` where `$listName` is a variable in this command, which is run multiple times. `/api/?type=config&action=get&xpath=/config/ predefined/service` `/api/?type=config&action=get&xpath=/config/ panorama` `/api/?type=op&cmd=<request><system><fqdn> <show -object><vsys><$vsysId</vsys><name>$FQDN< /name></ show-object></fqdn></system></request>` where `$vsysId` is the virtual system the FQDN object resides on, and $FQDN is the required fully qualified domain name, which is run multiple times.
Required commands to use for telemetry and neighbor data.	`/api/?type=op&cmd=<show><system><info></info></system></show>` `/api/?type=op&cmd=<show><interface>all</interface></show>` `/api/?type=op&cmd=<show><routing> <interface></interface> </routing></show>`
Optional commands to use for telemetry and neighbor data.	`/api/?type=op&cmd= <show><counter> <interface>all</interface></counter></show>` `/api/?type=op&cmd =<show> <arp>all</arp></show></p><p><show><mac>all </mac></show>` `/api/?type=op&cmd=<show><arp><entry name='all'/></arp></show>` `/api/?type=op&cmd=<show><routing><route></route></routing></show>`
Required commands to use for the GetApplication.	`/api/?type=config&action=get&xpath=/config/predefined/application`

Palo Alto

Related Documentation