Convert Rules Using the Panorama Web Interface

Use the Panorama™ web interface to convert IPS rules to custom PAN-OS® threat signatures.
After you install the intrusion prevention system (IPS) signature converter plugin, you can use it to translate Snort and Suricata rules into custom Palo Alto Networks threat signatures. You can then register the custom signatures on Palo Alto Networks firewalls that belong to device groups that you specify and use these custom signatures in your Vulnerability Protection and Anti-Spyware Security Profiles.
Additionally, you can export rules that list IP address indicators of compromise (IOC) and use the resultant text file as an external dynamic list to enforce policy on the entries contained in the list.
The following example uses this Snort rule:
alert tcp any any -> any any (msg:"Malformed_UA"; content:"User-Agent: Mozillar/"; depth:500; sid:99999999;)
  1. Select Panorama > IPS Signature Converter > Manage.
  2. Upload Signatures.
  3. Select one of two methods for uploading your rules:
    • Browse to and select a text file.
      You cannot convert binary file types, such as .pdf or .docx.
    • Paste the rules directly into the text box.
    You can upload only 300 rules at a time for conversion.
  4. Click OK.
    Your signatures will populate at least one of the following tabs: Succeeded, Succeeded with Warnings, Failed, Duplicates, or Existing Coverage.
  5. (Optional) Export rules to an indicator of compromise (IOC) list.
    Panorama converts a rule that does not contain the keywords content or PCRE into an IOC List. Export IOC List to group these rules into a text file that you can use as an external dynamic list for your Security policy rules.
    1. Select Export IOC List.
      A dialog displays any rules that converted as IOC List.
    2. Select the rules that you want to export.
    3. Enter the name of the file to which you want to export your rules.
    4. Click OK.
      The exported text file will appear in your downloads folder.
  6. Commit converted signatures to Panorama.
    1. Select the signatures you want to upload.
    2. Import Custom Signatures.
    3. Select a Device Group from the drop-down.
      Select Shared to make the signatures available to all device groups.
    4. Under the Destination column, select whether to commit the signatures as Vulnerability or Spyware.
    5. Click OK.
    6. In the top right of the screen, select Commit and Commit to Panorama.
    7. Verify that you successfully committed your signatures.
      1. Select Objects > Custom Objects.
      2. Select either Spyware or Vulnerability, depending on how you categorized your signatures in the previous step.
  7. Push the signatures to managed firewalls.
    The firewalls must be running PAN-OS 10.0 or a later release with an active Threat Prevention license.
  8. Test your signatures on a firewall in the device group to which you pushed the signatures.
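
A pre-upload check for steps 3 and 5, added here as an example and not part of the Palo Alto Networks plugin or its documentation: it sorts a rules file by the step 5 criterion (no content or pcre keyword means IOC list) and chunks each group to the 300-rule upload limit. The function names, the action list in the regex and the two extra sample rules are assumptions, and the plugin's own parser may classify edge cases differently.

```python
import re
MAX_RULES_PER_UPLOAD = 300  # per-upload limit stated in step 3

# Constructed sample input: the page's example rule plus two made-up rules.
SAMPLE_RULES = r'''
alert tcp any any -> any any (msg:"Malformed_UA"; content:"User-Agent: Mozillar/"; depth:500; sid:99999999;)
alert ip 192.0.2.10 any -> any any (msg:"Constructed, mentions content: in msg only"; sid:99999998;)
alert tcp any any -> any 80 (msg:"Constructed regex rule"; pcre:"/(cmd|exec)=[a-z]{8}/i"; sid:99999997;)
'''

# Rule header (contains no parentheses), then the parenthesised option list.
RULE_RE = re.compile(r'^(?:alert|log|pass|drop|reject|sdrop)\s+[^(]*\((?P<opts>.*)\)\s*$')

def option_keywords(opts):
    """Return option keywords, ignoring ';' and ':' inside quoted values."""
    keys, buf, quoted, escaped = set(), [], False, False
    for ch in opts:
        if escaped:
            escaped = False
        elif ch == '\\':
            escaped = True
        elif ch == '"':
            quoted = not quoted
        elif ch == ';' and not quoted:
            keys.add(''.join(buf).split(':', 1)[0].strip().lower())
            buf = []
            continue
        buf.append(ch)
    return keys

def triage(text):
    """Sort rules by the step 5 criterion: no content/pcre keyword means IOC list."""
    out = {"signature": [], "ioc_list": [], "unparsed": []}
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith('#'):
            continue
        m = RULE_RE.match(line)
        if not m:
            out["unparsed"].append(line)
        elif option_keywords(m.group("opts")) & {"content", "pcre"}:
            out["signature"].append(line)
        else:
            out["ioc_list"].append(line)
    return out

def batches(rules, size=MAX_RULES_PER_UPLOAD):
    return [rules[i:i + size] for i in range(0, len(rules), size)]

if __name__ == "__main__":  # prints (rule count, upload batch count) per group
    print({k: (len(v), len(batches(v))) for k, v in triage(SAMPLE_RULES).items()})
```

Keywords are read from the tokenized option list rather than by substring search, so a rule whose msg text merely mentions "content:" is still counted as an IOC-list candidate.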