Enforce Policy using External Dynamic Lists and AutoFocus Artifacts (API)
This use case allows you to use data from AutoFocus threat intelligence to create an external dynamic list for your firewall.
Use the AutoFocus API to export AutoFocus artifacts (IP addresses, domains, or URLs) as an export list that you can host on a web server. Learn more about AutoFocus in the AutoFocus documentation. Then use the PAN-OS XML API to add this URL as an external dynamic list to enforce policy dynamically on the firewall. Learn more about how to use an external dynamic list in policy.
To use AutoFocus, you must first register and activate AutoFocus.
- Build an AutoFocus export list. For example, if you want to block potential attacks from the Sofacy group, search for Sofacy as the Tag, and then add the appropriate artifacts shown within the File Analysis tab, such as DNS Activity, HTTP Requests, and Connection Activity. Use the AutoFocus API to export the AutoFocus artifacts. Include your AutoFocus API key and the label of the export list, and specify that the list should be formatted for a PAN-OS block list ("panosFormatted": true):
  curl -X POST -H "Content-Type: application/json" -d '{ "apiKey": "<apikey>", "label": "<export-list-name>", "panosFormatted": true }' "https://autofocus.paloaltonetworks.com/api/v1.0/export"
  The response contains a list of IP addresses, domains, or URLs, depending on the artifacts you save:
  {
    "bucket_info": { "daily_points": 10.2, "minute_points": 200 },
    "export_list": [ "176.31.112.10", "31.220.43.99", "40.76.58.209", "62.113.232.196", "95.215.47.207" ]
  }
- Host the export list as a text file on an external web server. To ensure that you have the latest list of artifacts, frequently refresh the hosted list.
- Add the URL for the export list to an external dynamic list. In this example the external dynamic list uses IP addresses. The -g option turns off curl's URL globbing so that the square brackets in the XPath are sent literally:
  curl -g -X POST "https://firewall/api?type=config&action=set&xpath=/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/external-list/entry[@name='export-list-name']/type/ip&element=<url><edl-list-url></url><recurring><five-minute/></recurring>&key=<apikey>"
- Add the external dynamic list as match criteria in a security policy rule. In this example, the rule denies access to IP addresses on the external dynamic list for all users on your network:
  curl -g -X POST "https://firewall/api?type=config&action=set&xpath=/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/rulebase/security/rules/entry[@name='<security-policy-rulename>']&element=<to><member>any</member></to><from><member>any</member></from><source><member>any</member></source><destination><member><edl-list-name></member></destination><source-user><member>any</member></source-user><service><member>application-default</member></service><action>deny</action>&key=<apikey>"
- Commit the changes to the firewall:
  curl -X POST "https://firewall/api?type=commit&cmd=<commit></commit>&key=<apikey>"
  You need to commit only once, when you add the reference to the EDL in a policy rule. Later changes to the contents of the external dynamic list do not require a commit.
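The procedure above as a small Python helper module, added here as an example that is not part of this documentation page or of any Palo Alto Networks tool: it filters the AutoFocus export list down to well-formed IP entries before the file is hosted, builds the two XML API "set" requests with the elements shown in the steps, and checks the status of the firewall's reply. The vsys path, the sample export response, and the hostnames and keys in the test are assumed placeholders; sending the requests (for example with requests.post(url, data=params)) is left to the caller.

```python
import ipaddress
import json
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Constructed sample of an AutoFocus export response (same shape as the one shown above).
SAMPLE_EXPORT = json.dumps({
    "bucket_info": {"daily_points": 10.2, "minute_points": 200},
    "export_list": ["176.31.112.10", "31.220.43.99", "not-an-ip", "10.0.0.0/8"],
})
# Placeholder vsys path shared by both config calls (assumed, as on the page).
VSYS_XPATH = "/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']"

def export_to_edl_lines(export_json):
    """Keep only entries that parse as an IP address or CIDR block, so the hosted
    file holds nothing an IP-type EDL cannot use; entries are written as given."""
    lines = []
    for item in json.loads(export_json)["export_list"]:
        try:
            ipaddress.ip_network(item, strict=False)
            lines.append(item)
        except ValueError:
            continue  # drop malformed entries instead of publishing them
    return lines

def edl_request(api_key, edl_name, edl_url):
    """Parameters of the XML API 'set' call that creates an IP-type EDL refreshed
    every five minutes. Send them as the POST body rather than in the query string."""
    return {
        "type": "config", "action": "set", "key": api_key,
        "xpath": f"{VSYS_XPATH}/external-list/entry[@name='{edl_name}']/type/ip",
        # escape() keeps an '&' in the hosted URL from breaking the XML element
        "element": f"<url>{escape(edl_url)}</url><recurring><five-minute/></recurring>",
    }

def deny_rule_request(api_key, rule_name, edl_name):
    """Parameters of the 'set' call adding a rule that denies all users traffic to the EDL."""
    element = ("<to><member>any</member></to><from><member>any</member></from>"
               "<source><member>any</member></source>"
               f"<destination><member>{escape(edl_name)}</member></destination>"
               "<source-user><member>any</member></source-user>"
               "<service><member>application-default</member></service><action>deny</action>")
    return {"type": "config", "action": "set", "key": api_key, "element": element,
            "xpath": f"{VSYS_XPATH}/rulebase/security/rules/entry[@name='{rule_name}']"}

def api_succeeded(response_xml):
    """True when the XML API reply (config set or commit) reports status="success"."""
    return ET.fromstring(response_xml).get("status") == "success"
```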