forked from splunk-soar-connectors/panorama
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathreadme.html
64 lines (60 loc) · 3.73 KB
/
readme.html
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
<!-- File: readme.html
Copyright (c) 2016-2022 Splunk Inc.
Licensed under Apache 2.0 (https://www.apache.org/licenses/LICENSE-2.0.txt)
-->
<h3>Overview</h3>
<p>The Panorama app has been tested with PanOS version 7.0.4 and should work with any version above.
<p>All the containment actions (like <b>block ip</b> etc.), take a policy name and the policy type as parameters. The action first creates an object (Application Group, Address Group, etc.) on the Panorama device to represent the object being blocked. This object is then added to the specified policy. It does not modify any other policy parameters including the <b>Action</b>. Therefore you must pre-configure the policy action as <b>Drop</b>.</p>
<p>Most of the actions execute a commit on the panorama device followed by a commit on the device group. This second commit results in Panorama sending the commit to each device that belongs to a device group, which could take some time. It is a good idea to add a time interval between two panorama actions when executing a playbook</p>
<p>Panorama restricts object names to 31 characters. This could result in object names that are created by Phantom being truncated in some cases.</p>
<p>It is usually a good idea to have one Policy created on the Panorama device to handle the <b>block</b> of each type of object. The panorama_app playbook that is available on the community github repo assumes this type of configuration. Note that to block URLs on Panorama, they are included in a URL Filtering profile that is usually added to an <b>Allow</b> policy. Please see the PanOS documentation for more details.</p>
<h3>Commit Configuration</h3>
<p>
You can use the commit API request to commit a candidate configuration to a firewall.
Commit actions are called at the end of all Contain actions (e.g. BlockIP).
</p>
<p>
Contain and Correct actions can be run in parallel by making use of (1) the flag <b>should_commit_changes</b> and
(2) the action <b>commit changes</b>.
To run Contain or Correct actions in parallel, the actions should have <b>should_commit_changes</b> as False.
Once all Contain and Correct actions with disabled <b>should_commit_changes</b> are completed,
the action <b>commit changes</b> should be run.
This ensures there won't be any duplicated commits to the same device groups.
</p>
<p>You can learn more about Commit Configuration below: (API)</p>
<ul>
<li>
<a href="https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-panorama-api/pan-os-xml-api-request-types/commit-configuration-api.html"
target="_blank">
Commit and Commit-All
</a>
</li>
<li>
<a href="https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-web-interface-help/panorama-web-interface/panorama-commit-operations.html"
target="_blank">
Panorama Commit Operations - Learn about Partial commits
</a>
</li>
</ul>
<h3>Audit Comment Archive</h3>
<p>
If the option "Require audit comment on policies" (Panorama -> Management) is enabled,
Audit comments must be specified to a given Policy rule before
committing any changes to that rule.
</p>
<p>WARNING: Additionally, the length of an Audit comment can be at most 256 characters.</p>
<p>You can learn more about Audit comment below:</p>
<ul>
<li>
<a href="https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-web-interface-help/policies/audit-comment-archive.html"
target="_blank">
Audit Comment Archive
</a>
</li>
<li>
<a href="https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-panorama-api/pan-os-xml-api-request-types/run-operational-mode-commands-api.html"
target="_blank">
Making changes to Audit comments via API
</a>
</li>
</ul>