Palo Alto

IBM® QRadar® Risk Manager supports the Palo Alto adapter. The Palo Alto adapter uses the PAN-OS XML-based Rest API to communicate with Palo Alto firewall devices.

The following features are available with the Palo Alto adapter:

Neighbor data support
Dynamic NAT
Static NAT
Static routing
SNMP discovery
IPSEC Tunneling/VPN
Applications
User/Groups
HTTPS connection protocol

The following table describes the integration requirements for the Palo Alto adapter.

Table 1. Integration requirements for the Palo Alto adapter
Integration requirement	Description
Versions	PAN-OS Versions 10.2.2 or earlier
Minimum user access level	Superuser (full access) is required for PA devices with External Dynamic Lists or Full Qualified Domain Name (FQDN) objects to perform system-level commands. Superuser (read-only) for all other PA devices.
SNMP discovery	SysDescr matches 'Palo Alto Networks(.*)series firewall' or sysOid matches 'panPA'
Required credential parameters To add credentials in QRadar, log in as an administrator and use Configuration Monitor on the Risks tab.	Username Password
Supported connection protocols To add protocols in QRadar, log in as an administrator and use Configuration Monitor on the Risks tab.	HTTPS
Required commands to use for the backup operation.	`/api/?type=op&cmd=<show><system><info></info></system>/show>` `/api/?type=op&cmd=<show><config><running></running></config></show>` `/api/?type=op&cmd=<show><interface>all</interface></show>`
Optional commands to use for the backup operation.	`/api/?type=op&cmd=<show><system><resources></resources></system></show>` `/api/?type=op&cmd=/config/predefined/service` For PAN-OS versions 7.0 and earlier: `/api/?type=op&cmd=<request><system><external-list> <show><name>$listName</name>< /show></external-list></system></request>`, where `$listName` is a variable in this command, which is run multiple times. For PAN-OS versions 7.1 and higher: `/api/?type=op&cmd=<request><system><external-list> <show><type><ip><name>$listName</name></ip></type></show></external-list></system></request>`, where `$listName` is a variable in this command, which is run multiple times. `/api/?type=op&cmd=<show><object><dynamic-address-group><all></all></dynamic-address-group></object></show>` `/api/?type=config&action=get&xpath=/config/predefined/application` `/api/?type=op&cmd=<request><system><external-list> <show><type><predefined-ip><name>$listName</name></predefined-ip></type></show></external-list></system></request>`, where `$listName` is a variable in this command, which is run multiple times. `/api/?type=config&action=get&xpath=/config/predefined/service` `/api/?type=config&action=get&xpath=/config/panorama` `/api/?type=op&cmd=<request><system><fqdn><show-object><vsys>$vsysId</vsys><name>$FQDN</name></show-object></fqdn></system></request>`, where `$vsysId` is the virtual system the FQDN object resides on, and `$FQDN` is the required fully qualified domain name, which is run multiple times.
Required commands to use for telemetry and neighbor data.	`/api/?type=op&cmd=<show><system><info></info></system></show>` `/api/?type=op&cmd=<show><interface>all</interface></show>` `/api/?type=op&cmd=<show><routing><interface></interface></routing></show>`
Optional commands to use for telemetry and neighbor data.	`/api/?type=op&cmd=<show><counter><interface>all</interface></counter></show>` `/api/?type=op&cmd=<show><arp>all</arp></show></p><p><show><mac>all</mac></show>` `/api/?type=op&cmd=<show><arp><entry name='all'/></arp></show>` `/api/?type=op&cmd=<show><routing><route></route></routing></show>`
Required commands to use for the GetApplication.	`/api/?type=config&action=get&xpath=/config/predefined/application`