Palo Alto Networks FireWall V10
LAST UPDATED: NOV 22, 2024
Overview
Palo Alto Networks Firewall REST API allows managing and configuring firewalls. You can use the REST API to Create, Read, Update, Delete (CRUD) Objects and Policies on the firewalls; you can access the REST API directly on the firewall or use Panorama to perform these operations on policies and objects from a central location and push them to the managed firewalls.
D3 SOAR is providing REST operations to function with Palo Alto Networks FireWall V10.
Palo Alto Networks FireWall V10 is available for use in:
D3 SOAR | V14.5.123.0+ |
Category | Network Security |
Deployment Options |
Known Limitations
Evident Monitoring API's call rate limit is 120 calls per minute.When you exceed the rate limit, the request will respond with error code 429 (Too Many Requests). The response header will include the following attributes:
X-RateLimit-Limit: the current API rate limit
X-RateLimit-Remaining: number of calls left, will always be 0
X-RateLimit-Reset: the time (in iso8601) at which the limit will be reset
These can be leveraged to implement efficient retry logic.
Please refer to What is Evident Monitoring API's call rate limit? for detailed information.
The WildFire API key included with a standard WildFire subscription allows up to 150 sample uploads per day and up to 1,050 report queries per day. The daily limit resets at 23:59:00 UTC. You are also limited to 100MB sample sizes when submitting samples to the WildFire public cloud. File uploads to the WildFire appliance are also limited to 100MB per file, though there are no daily limits on uploads and queries. If you require extended API access limits, please contact your Palo Alto Networks sales representative for more information.
Please refer to Impose API Limits for detailed information.
Connection
To connect to Palo Alto Networks FireWall V10 from D3 SOAR, please follow this part to collect the required information below:
Parameter | Description | Example |
Server URL | The server URL of the Palo Alto Networks Firewall. | https://1.1.1.1 |
User Name | The user name for generating the API Key. | admin |
Password | The password for generating the API Key. | ************ |
API Key | The API key for authenticating the connection. Click Generate API Key after entering the Username and Password. Remember to click Save button to preserve the current API key for future use. | LUFR****M01nb****Y2NE****eA== |
API Version | The version of the API to use for the integration. | v10.0 |
Permission Requirements
Each endpoint in the Palo Alto Networks FireWall V10 API requires a certain permission scope. The following are required scopes for the commands in this integration:
Command | Required Permission |
Block Addresses By Groups | Device administrator or Superuser |
Block Applications | Device administrator or Superuser |
Block IP By Adding To Address Group | Device administrator or Superuser |
Block URLs By Category | Device administrator or Superuser |
Commit | Device administrator or Superuser |
Create Address | Device administrator or Superuser |
Create Address Group | Device administrator or Superuser |
Create Custom URL Category | Device administrator or Superuser |
Create Security Rule | Device administrator or Superuser |
Create Tag | Device administrator or Superuser |
Delete Addresses | Device administrator or Superuser |
Delete Security Rules | Device administrator or Superuser |
Generate API Key | Available for all roles |
List Addresses | Available for all roles |
List Address Groups | Available for all roles |
List Applications | Available for all roles |
List Custom URL Categories | Available for all roles |
List Security Rules | Available for all roles |
List Services | Available for all roles |
List Tags | Available for all roles |
List Virtual Systems | Available for all roles |
List Zones | Available for all roles |
Run Operation Commands | Available for all roles |
Unblock Applications | Device administrator or Superuser |
Update Addresses | Device administrator or Superuser |
Update Address Groups | Device administrator or Superuser |
Update Custom URL Categories | Device administrator or Superuser |
Update Security Rule | Device administrator or Superuser |
Update Tags | Device administrator or Superuser |
Test Connection | Available for all roles |
As Palo Alto Networks FireWall V10 is using role-based access control (RBAC), the API Key is generated based on a specific user account and the application. Therefore, the command permissions are inherited from the user account’s role. Users need to configure their user profile from the Palo Alto Networks FireWall V10 console for each command in this integration.
READER NOTE
Palo Alto Networks FireWall V10’s default user profiles (sorted from the most permissions to the least) are as follows:
Superuser
Superuser (read-only)
Device administrator
Device administrator (read-only)
Please refer to Administrative Role Types for user profile and configuration detail.
Device administrator is suggested since this role is sufficient for executing all D3 commands.
Configuring Palo Alto Networks FireWall V10 to Work with D3 SOAR
Log into Palo Alto Networks FireWall with your credentials.
Click Device, then choose Administrators. Click + Add at the bottom to add a new user.
Input your Name, Password and then Confirm Password. Choose Dynamic Administrator Type, then use the dropdown to select your user role. The Device Administrator role is suggested, since this role has access to all commands. Click OK to create the account.
Configuring D3 SOAR to Work with Palo Alto Networks FireWall V10
Log in to D3 SOAR.
Find the Palo Alto Networks FireWall V10 integration.
Navigate to Configuration on the top header menu.
Click on the Integration icon on the left sidebar.
Type Palo Alto Networks FireWall V10 in the search box to find the integration, then click it to select it.
Click + New Connection, on the right side of the Connections section. A new connection window will appear.
Configure the following fields to create a connection to Palo Alto Networks FireWall V10.
Connection Name: The desired name for the connection.
Site: Specifies the site to use the integration connection. Use the drop-down menu to select the site. The Share to Internal Sites option enables all sites defined as internal sites to use the connection. Selecting a specific site will only enable that site to use the connection.
Recipient site for events from connections Shared to Internal Sites: This field appears if you selected Share to Internal Sites for Site to let you select the internal site to deploy the integration connection.
Agent Name (Optional): Specifies the proxy agent required to build the connection. Use the dropdown menu to select the proxy agent from a list of previously configured proxy agents.
Description (Optional): Add your desired description for the connection.
Tenant (Optional): When configuring the connection from a master tenant site, you have the option to choose the specific tenant sites you want to share the connection with. Once you enable this setting, you can filter and select the desired tenant sites from the dropdowns to share the connection.
Configure User Permissions: Defines which users have access to the connection.
Active: Check the tick box to ensure the connection is available for use.
System: This section contains the parameters defined specifically for the integration. These parameters must be configured to create the integration connection.
1. Input your domain level Server URL. Default value is https://<REPLACE.ME>.
2. Input your User Name.
3. Input your Password.
4. Click the Generate API Key button to generate an API Key. Note: Running the Generate API Key command can also generate API keys which can be pasted here for authenticating API calls (run the command, copy the API key result, paste in this command without clicking the Generate API Key button). Note that the API keys you generated by the command will not replace the existing ones.
5. Input your API Version. Default value is v10.0.Connection Health Check: Updates the connection status you have created. A connection health check is done by scheduling the Test Connection command of this integration. This can only be done when the connection is active.
To set up a connection health check, check the Connection Health Check tickbox. You can customize the interval (minutes) for scheduling the health check. An email notification can be set up after a specified number of failed connection attempts.Enable Password Vault: An optional feature that allows users to take the stored credentials from their own password vault. Please refer to the password vault connection guide if needed.
Test the connection.
Click Test Connection to verify the account credentials and network connection. If the Test Connection Passed alert window appears, the test connection is successful. You will see Passed with a green checkmark appear beside the Test Connection button. If the test connection fails, please check your connection parameters and try again.
Click OK to close the alert window.
Click + Add to create and add the configured connection.
Commands
Palo Alto Networks FireWall V10 includes the following executable commands for users to set up schedules or create playbook workflows. With the Test Command, you can execute these commands independently for playbook troubleshooting.
Integration API Note
For more information about the Palo Alto Networks FireWall V10 API, please refer to the Palo Alto Networks FireWall V10 API reference. PAN-OS REST API (10.0) or Access the PAN-OS REST API.
READER NOTE
Certain permissions are required for each command. Please refer to the Permission Requirements and Configuring Palo Alto Networks FireWall V10 to Work with D3 SOAR for details.
Block Addresses By Groups
Specifies the address groups that will be set in an existing or new security rule with the deny action. The command needs a valid address group.
READER NOTE
Rule Name, Group Names and Virtual System Name are required parameters to run this command.
To use an existing rule, run the List Security Rules command to obtain Rule Name. Rule Names can be found in the returned raw data at the path $.result.entry[*].@name. If the input rule name does not exist, a new rule will be created.
Run the List Address Groups command to obtain Group Names. Group Names can be found in the returned raw data at the path $.result.entry[*].@name.
If there are multiple group name inputs, invalid groups will be removed from the inputs and no error will be returned.
Run the List Virtual Systems command to obtain Virtual System Name. Virtual System Names can be found in the returned raw data at the path $.result.entry[*].@name.
Input
Input Parameter | Required/Optional | Description | Example |
Rule Name | Required | The security rule name that takes action for the address groups. If the given rule name does not exist, a new rule will be created. Existing Rule Name can be obtained using the List Security Rule command. | testPolicy4 |
Group Names | Required | The list of valid address group names for the security rule. The group names can be obtained using the List Address Groups command. Invalid group names will be ignored. | ["testDynamicGroup2"] |
Virtual System Name | Required | The virtual system where the security rules will be retrieved from. The Virtual System Name can be obtained using the List Virtual Systems command. | vsys1 |
Output
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Block Addresses By Groups failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Palo Alto Networks FireWall V10 portal. Refer to the HTTP Status Code Registry for details. | Status Code: 400. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Command Block Addresses By Group failed at step get the group details by group name xxx. |
Error Sample Data Block Addresses By Groups failed. Status Code: 400. Message: Command Block Addresses By Group failed at step get the group details by group name xxx. |
Block Applications
Adds applications to an existing or new security rule with the deny action.
READER NOTE
Rule Name, Virtual System Name and Applications are required parameters to run this command.
To use an existing rule, run the List Security Rules command to obtain Rule Name. Rule Names can be found in the returned raw data at the path $.result.entry[*].@name. If the input rule name does not exist, a new rule will be created.
Run the List Virtual Systems command to obtain Virtual System Name. Virtual System Names can be found in the returned raw data at the path $.result.entry[*].@name.
Run the List Applications command to obtain Applications. Applications can be found in the returned raw data at the path $.result.entry[*].@name.
Input
Input Parameter | Required/Optional | Description | Example |
Rule Name | Required | The security rule name that takes action for the applications. If the given rule name does not exist, a new rule will be created. Existing Rule Name can be obtained using the List Security Rules command. | testPolicy5 |
Virtual System Name | Required | The virtual system where the security rules will be retrieved from. The Virtual System Name can be obtained using the List Virtual Systems command. | vsys1 |
Applications | Required | The list of application names for the security rule. Applications can be obtained using the List Applications command. | ["testApp1"] |
Output
Error Handling
If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Block Applications failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Palo Alto Networks FireWall V10 portal. Refer to the HTTP Status Code Registry for details. | Status Code: 404. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: referenced before assignment. |
Error Sample Data Block Applications failed. Status Code: 404. Message: referenced before assignment. |
Block IPs By Adding To Address Group
Blocks specified IPs by adding them to the specified address group which was configured to be blocked in security rule.
READER NOTE
Virtual System Name is a required parameter to run this command.
Run the List Virtual Systems command to obtain the Virtual System Name. Virtual System Names can be found in the returned raw data at the path $.result.entry[*].@name.
Input
Input Parameter | Required/Optional | Description | Example |
Address Group Name | Required | The name of the address group which was configured to be blocked. | Suspicious_group |
Addresses | Required | The addresses to be blocked. You can enter an IP address or a network using the slash notation (Ex. 192.168.80.150 or 192.168.80.0/24). You can also enter an IPv6 address or an IPv6 address with its prefix (Ex. 2001:db8:123:1::1 or 2001:db8:123:1::/64). | [ "1.1.1.1", "2000:db0:123:1::1" ] |
Virtual System Name | Optional | The name of the virtual system where the configuration change will be made. The Virtual System Names can be obtained using the List Virtual Systems command. If not specified, the default Virtual System is vsys1. | Vsys1 |
Action | Optional | The action to take for the policy change. You can choose to only validate the policy change or commit the change. If this parameter is not defined, the default value is Validate Only. Please note, only changes made by the logged-in user will be validated or committed. Device-and-network and shared-object changes are not in the validate/commit scope. Also, committing changes to Panorama does not automatically push these settings to the firewalls. To do so, use the Push To Device Group command. | Commit |
Device Group | Optional | The device group in which to block IPs. Panorama instances only. | dev-group1 |
Output
Error Handling
If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Block IPs By Adding To Address Group failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Palo Alto Networks FireWall V10 portal. Refer to the HTTP Status Code Registry for details. | Status Code: 404. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Object Not Present. |
Error Sample Data Block IPs By Adding To Address Group failed. Status Code: 404. Message: Object Not Present. |
Block URLs By Category
Adds URLs to an existing or new custom URL category which will be set in an existing or new security rule with the deny action.
READER NOTE
Rule Name, Category Name and Virtual System Name are required parameters to run this command.
To use an existing rule, run the List Security Rules command to obtain Rule Name. Rule Names can be found in the returned raw data at the path $.result.entry[*].@name. If the input rule name does not exist, a new rule will be created.
To use an existing Category Name, run the List Custom URL Categories command to obtain Category Name. Category Names can be found in the returned raw data at the path $.result.entry[*].@name. If the input Category Name does not exist, a new category will be created.
Run the List Virtual Systems command to obtain Virtual System Name. Virtual System Names can be found in the returned raw data at the path $.result.entry[*].@name.
Input
Input Parameter | Required/Optional | Description | Example |
Rule Name | Required | The security rule name that takes action for the URL. If the given rule name does not exist, a new rule will be created. Existing Rule Name can be obtained using the List Security Rules command. | testPolicy4 |
Category Name | Required | The custom URL category name for the security rule. If the given category name does not exist, a new category will be created. Existing Category Name can be obtained using the List Custom URL Categories command. | BlockURLCategory03 |
Virtual System Name | Required | The virtual system where the security rules will be retrieved from. The Virtual System Names can be obtained using the List Virtual Systems command. | vsys1 |
URLs | Required | The list of URLs that will be added to the custom URL category. | ["www.1.com"] |
Output
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Block URLs By Category failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Palo Alto Networks FireWall V10 portal. Refer to the HTTP Status Code Registry for details. | Status Code: 400. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Invalid Object Command Block URLs By Category failed at step Create Custom URL Category. |
Error Sample Data Block URLs By Category failed. Status Code: 400. Message: Invalid Object Command Block URLs By Category failed at step Create Custom URL Category. |
Commit
Commits the configuration changes to the Firewall.
Input
N/A
Output
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Commit failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Palo Alto Networks FireWall V10 portal. Refer to the HTTP Status Code Registry for details. | Status Code: 400. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Server Url is not valid in format. |
Error Sample Data Commit failed. Status Code: 400. Message: Server Url is not valid in format. |
Create Address
Creates an address with tags. Addresses with the same tags can be dynamically collected by an address group with the Dynamic tags configuration.
READER NOTE
Virtual System Name is a required parameter to run this command.
Run the List Virtual Systems command to obtain Virtual System Name. Virtual System Names can be found in the returned raw data at the path $.result.entry[*].@name.
Input parameter Tags is an optional parameter to run this command.
Run the List Tags command with the Location parameter set to Virtual System to obtain Tags. Tags can be found in the returned raw data at the path $.result.entry[*].@name.
Input
Input Parameter | Required/Optional | Description | Example |
Address Name | Required | The Address Name name to be created. The max length of the name is 63 characters. The exceeded characters will be cut off. | testAddress10 |
Virtual System Name | Required | The virtual system where the address will be added into. Virtual System Names can be obtained using List Virtual Systems command. | vsys1 |
Address | Required | The value that will be added to Palo Alto Networks Firewall as an address. Values can be an IP Address (192.168.20.40 or 192.168.80.0/24 or 2001:db8:123:1::/64), an IP Range (192.168.20.40-192.168.20.50, or 2001:db8:123:1::1-2001:db8:123:1::22), an IP Wildcard Mask (10.182.1.1/0.127.248.0) or a FQDN (www.example.com). The FQDN only contains the domain part. | 1.2.3.4 |
Tags | Optional | The tags for the address object. Tags can be obtained using List Tags command, with Location parameter set to Virtual System. | ["malware"] |
Description | Optional | The description of the address. The max length of the description is 1023 characters. The exceeded characters will be cut off. | Simple ip address |
Output
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Create Address failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Palo Alto Networks FireWall V10 portal. Refer to the HTTP Status Code Registry for details. | Status Code: 400. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: xxx is not supported address value. |
Error Sample Data Create Address failed. Status Code: 400. Message: xxx is not supported address value. |
Create Address Group
Creates an address group. Address groups with specified tags and the Group Type set to Dynamic can be used to block or unblock addresses in a security rule without needing to update the security rule.
READER NOTE
Virtual System Name and Group Object are required parameters to run this command.
When configuring the Group Type parameter as Dynamic, tags should be specified in the Group Objects parameter for address filtering.
Run the List Tags command to obtain Tags. Tags can be found in the returned raw data at the path $.result.entry[*].@name.
Run the List Virtual Systems command to obtain Virtual System Name. Virtual System Names can be found in the returned raw data at the path $.result.entry[*].@name.
Input
Input Parameter | Required/Optional | Description | Example |
Address Group Name | Required | The Address Group Name name to be created. The max length of the name is 63 characters. The exceeded characters will be cut off. | Block-1.1.1.1 |
Virtual System Name | Required | The virtual system where the address group will be created. Virtual System Names can be obtained using the List Virtual Systems command. | vsys1 |
Group Type | Required | The group type of the address group. Available values are Static or Dynamic. | Static |
Group Objects | Required | The objects to be added to the group. When the Group Type is Static, then the group objects are a string of address names separated with commas. Ex. address1, address2. When the Group Type is Dynamic, the group object is a filter string to filter the addresses based on the tags. The syntax for the dynamic group is 'Tag1' and/or 'Tag2'. Each tag name must be quoted by a pair of single quotations. Tags can be obtained using the List Tags command. | 'malware' or 'testTagPre03' |
Tags | Optional | The tag names will be set to the specified address group. Tags can be obtained using the List Tags command. | ["malware", "testTag01"] |
Description | Optional | The description to update the specified addresses. The max length of the description is 1023 characters. The exceeded characters will be cut off. | New description for the addresses |
Output
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Create Address Group failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Palo Alto Networks FireWall V10 portal. Refer to the HTTP Status Code Registry for details. | Status Code: 400. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: xxx is not supported address value. |
Error Sample Data Create Address Group failed. Status Code: 400. Message: xxx is not supported address value. |
Create Custom URL Category
Creates a custom URL category.
READER NOTE
Virtual System Name is a required parameter to run this command.
Run the List Virtual Systems command to obtain Virtual System Name. Virtual System Names can be found in the returned raw data at the path $.result.entry[*].@name.
Input
Input Parameter | Required/Optional | Description | Example |
Category Name | Required | The Category Name name to be created. The max length of category names is 31 characters. The exceeded characters will be cut off. | testURLcategory1 |
Virtual System Name | Required | The Virtual System where the URL category will be created. Virtual System Names can be obtained using the List Virtual Systems command. | vsys1 |
URLs | Required | The URLs for the category. | ["www.1.com"] |
Description | Optional | The description for the specified URL category. The max length of the description is 255 characters. The exceeded characters will be cut off. | New description for the addresses |
Output
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Create Custom URL Category failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Palo Alto Networks FireWall V10 portal. Refer to the HTTP Status Code Registry for details. | Status Code: 404. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Object Not Present. |
Error Sample Data Create Custom URL Category failed. Status Code: 404. Message: Object Not Present. |
Create Security Rule
Creates a security rule with the provided configurations. Security rules with categories and/or address groups can handle dynamic block/unblock addresses.
READER NOTE
Virtual System Name is a required parameter to run this command.
Run the List Virtual Systems command to obtain Virtual System Name. Virtual System Names can be found in the returned raw data at the path $.result.entry[*].@name.
Source Zones, Destination Zones, Source Addresses, Destination Addresses, Services, Applications and Categories are optional parameters to run this command.
Run the List Zones command to obtain Source Zones and Destination Zones. Choose a Zone Name to define Source Zones and Destination Zones. Zone Names can be found in the returned raw data at the path $.result.entry[*].@name.
Run the List Addresses command if you want to input Addresses to the Source Addresses and Destination Addresses parameters. Addresses can be found in the returned raw data at the path $[*].@name.
Run the List Address Groups command if you want to input the Address Group name to Source Addresses and Destination Addresses parameters. Address Groups can be found in the returned raw data at the path $.result.entry[*].@name.
Run the List Services command to obtain Services. Services can be found in the returned raw data at the path $.result.entry[*].@name.
Run the List Applications command to obtain the Applications. Applications can be found in the returned raw data at the path $.result.entry[*].@name.
Run the List Custom URL Categories command to obtain the Categories. Categories can be found in the returned raw data at the path $.result.entry[*].@name.
Input
Input Parameter | Required/Optional | Description | Example |
Rule Name | Required | The security rule name to be created. The max length of the name is 63 characters. The exceeded characters will be cut off. | testPolicy3 |
Virtual System Name | Required | The virtual system where the security rule will be created. Virtual System Name can be obtained using the List Virtual Systems command. | vsys1 |
Description | Optional | The description for the new security rule. The max length of the description is 1024 characters. The exceeded characters will be cut off. | A new security rule was added. |
Action | Required | The action for the security rule. Available values are Allow, Deny and Drop. | Deny |
Source Zones | Optional | The Zone Name list to be added to the security rule as the source. Zone Names can be obtained using the List Zones command. | ["D3cyberLabDmzZone"] |
Destination Zones | Optional | The Zone Name list to be added to the security rule as the destination. Zone Names can be obtained using the List Zones command. | ["l3-untrust"] |
Source Addresses | Optional | The address name/address group name list is to be added to the security rule as the source address. The address/group names can be obtained using List Addresses or List Address Groups command. | ["testDynamicGroup2", "suspiciousip1"] |
Destination Addresses | Optional | The address name/address group name list is to be added to the security rule as the destination address. The address/group names can be obtained using List Addresses or List Address Groups command. | ["suspicious_group", "suspiciousurl3"] |
Source Users | Optional | The user name list to be added to the security rule. The user names can be found in the GUI DEVICE > Local User Database > Users. | ["demo"] |
Services | Optional | The service name list is to be added to the security rule. Service name can be obtained using the List Services command. | ["service-http"] |
Applications | Optional | The application name list is to be added to the security rule. Application names can be obtained using the List Applications command. | ["100bao"] |
Categories | Optional | The URL category name list is to be added to the security rule. Category names can be obtained using the List Custom URL Categories command. | ["testURLcategory1"] |
Profile Setting | Optional | The profile settings for the security rule. It can be either profiles or group objects. For the detailed syntax please refer to the API document: <{Server URL}/restapi-doc/#tag/policies-security-rules/paths/~1restapi~1v10.0~1Policies~1SecurityRules/post>. | The Group Object Sample: { "group": { "member": [ "Threats_Prevention" ] } } The Profiles Object Sample: { "profiles": { "url-filtering": { "member": [ "AllUrlAccessAudit" ] }, "data-filtering": { "member": [ "default" ] }, "file-blocking": { "member": [ "basic file blocking" ] }, "virus": { "member": [ "AV-Alert" ] }, "spyware": { "member": [ "Spyware-Alert" ] }, "vulnerability": { "member": [ "IPS-Alert" ] }, "wildfire-analysis": { "member": [ "default" ], "gtp": { "member": [ "default" ], "sctp": { "member": [ "default" ] } } } |
Rule Type | Optional | The type of the security rule. Available values are Universal, Intrazone and Interzone. | Universal |
Output
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Create Security Rule failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Palo Alto Networks FireWall V10 portal. Refer to the HTTP Status Code Registry for details. | Status Code: 404. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Object Not Present. |
Error Sample Data Create Security Rule failed. Status Code: 404. Message: Object Not Present. |
Create Tag
Creates a tag in the specified virtual system.
READER NOTE
Virtual System Name is a required parameter to run this command.
Run the List Virtual Systems command to obtain Virtual System Name. Virtual System Names can be found in the returned raw data at the path $.result.entry[*].@name.
Input
Input Parameter | Required/Optional | Description | Example |
Tag Name | Required | The tag name to be created. The max length of the tag name is 127 characters. The exceeded characters will be cut off. | tag01 |
Virtual System Name | Required | The virtual system the tag will be added into. Virtual System Name can be obtained using the List Virtual Systems command. | vsys1 |
Color | Optional | The color for the tag. | Color6 |
Comments | Optional | The comments for the tag. The max length of the comment is 1023 characters. The exceeded characters will be cut off. | A new sample tag in virtual system. |
Output
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Create Tag failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Palo Alto Networks FireWall V10 portal. Refer to the HTTP Status Code Registry for details. | Status Code: 404. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Object Not Present. |
Error Sample Data Create Tag failed. Status Code: 404. Message: Object Not Present. |
Delete Addresses
Deletes the given addresses.
READER NOTE
Address Names and Virtual System Name are required parameters to run this command.
Run the List Addresses command to obtain the Address Names. Address Names can be found in the returned raw data at the path $[*].@name.
Run the List Virtual Systems command to obtain Virtual System Name. Virtual System Names can be found in the returned raw data at the path $.result.entry[*].@name.
Input
Input Parameter | Required/Optional | Description | Example |
Address Names | Required | The list of address names to be deleted. Address Names can be obtained using the List Addresses command. | ["block-200.1.1.3", "block-200.1.1.2"] |
Virtual System Name | Required | The virtual system where the address will be deleted. Virtual System Names can be obtained using the List Virtual Systems command. | vsys1 |
Output
Error Handling
If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Delete Addresses failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Palo Alto Networks FireWall V10 portal. Refer to the HTTP Status Code Registry for details. | Status Code: 404. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Object Not Present. |
Error Sample Data Delete Addresses failed. Status Code: 404. Message: Object Not Present. |
Delete Security Rules
Deletes the security rules by given names.
READER NOTE
Rule Names and Virtual System Name are required parameters to run this command.
Run the List Security Rules command to obtain the Rule Names. Rule Names can be found in the returned raw data at the path $.result.entry[*].@name.
Run the List Virtual Systems command to obtain Virtual System Name. Virtual System Names can be found in the returned raw data at the path $.result.entry[*].@name.
Input
Input Parameter | Required/Optional | Description | Example |
Rule Names | Required | The names of the security rules to be deleted. | ["testURLcategory1"] |
Location | Required | The location to retrieve the security rules from. Available values are Virtual System and Panorama Pushed. | Virtual System |
Virtual System Name | Required | The virtual system where the security rules will be retrieved from. Virtual System Names can be obtained using the List Virtual Systems command. | vsys1 |
Output
Error Handling
If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Delete Security Rules failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Palo Alto Networks FireWall V10 portal. Refer to the HTTP Status Code Registry for details. | Status Code: 404. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Object Not Present. |
Error Sample Data Delete Security Rules failed. Status Code: 404. Message: Object Not Present. |
Generate API Key
Generates the API key required for authenticating API calls. The API key generated by this command will not replace the existing one.
Input
N/A
Output
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Generate API Key failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Palo Alto Networks FireWall V10 portal. Refer to the HTTP Status Code Registry for details. | Status Code: 400. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Server Url is not valid in format. |
Error Sample Data Generate API Key failed. Status Code: 400. Message: Server Url is not valid in format. |
List Addresses
Lists the addresses in the specified Location.
READER NOTE
Virtual System Name is a required parameter to run this command.
Run the List Virtual Systems command to obtain Virtual System Name. Virtual System Names can be found in the returned raw data at the path $.result.entry[*].@name.
Input
Input Parameter | Required/Optional | Description | Example |
Address Name | Optional | The name of the address to return. The max length of the name is 63 characters. The exceeded characters will be cut off. | Block-1.2.3.4 |
Location | Required | The location to retrieve the tags from. Available values are: Virtual System and Panorama Pushed. | Virtual System |
Virtual System Name | Required | The virtual system where the addresses will be retrieved from. Virtual System Name can be obtained using the List Virtual Systems command. | vsys1 |
Output
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | List Addresses failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Palo Alto Networks FireWall V10 portal. Refer to the HTTP Status Code Registry for details. | Status Code: 404. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Object Not Present. |
Error Sample Data List Addresses failed. Status Code: 404. Message: Object Not Present. |
List Address Groups
Returns the address group list.
READER NOTE
Virtual System Name is a required parameter to run this command
Run the List Virtual Systems command to obtain Virtual System Name. Virtual System Names can be found in the returned raw data at the path $.result.entry[*].@name.
Input
Input Parameter | Required/Optional | Description | Example |
Address Group Name | Optional | The name of the address group to return. The max length of the name is 63 characters. The exceeded characters will be cut off. | ["block-200.1.1.3", "block-200.1.1.2"] |
Location | Required | The location to retrieve the address groups from. The available values are Virtual System and Panorama Pushed. | Virtual System |
Virtual System Name | Required | The virtual system where the address groups will be retrieved from. Virtual System Name can be obtained using the List Virtual Systems command. | vsys1 |
Output
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | List Address Groups failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Palo Alto Networks FireWall V10 portal. Refer to the HTTP Status Code Registry for details. | Status Code: 404. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Object Not Present. |
Error Sample Data List Address Groups failed. Status Code: 404. Message: Object Not Present. |
List Applications
Lists application objects registered in the firewall with given filters.
READER NOTE
Virtual System Name is a required parameter to run this command when the Location parameter is set to Virtual System or Panorama Pushed; it cannot be filled when the Location is set to Predefined.
Run the List Virtual Systems command to obtain Virtual System Name. Virtual System Names can be found in the returned raw data at the path $.result.entry[*].@name.
Input
Input Parameter | Required/Optional | Description | Example |
Application Name | Optional | The name of the application to return. The max length of the name is 31 characters. The exceeded characters will be cut off. | testApp1 |
Location | Required | The location to retrieve the security rules. Available values are Virtual System, Predefined and Panorama Pushed. | Virtual System |
Virtual System Name | Optional | The virtual system where the applications will be retrieved from. The Virtual System Names can be obtained using the List Virtual Systems command. This parameter is required if Location is set to Virtual System or Panorama Pushed. | vsys1 |
Output
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | List Applications failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Palo Alto Networks FireWall V10 portal. Refer to the HTTP Status Code Registry for details. | Status Code: 404. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Object Not Present. |
Error Sample Data List Applications failed. Status Code: 404. Message: Object Not Present. |
List Custom URL Categories
Lists custom URL categories with details.
READER NOTE
Virtual System Name is a required parameter to run this command.
Run the List Virtual Systems command to obtain Virtual System Name. Virtual System Names can be found in the returned raw data at the path $.result.entry[*].@name.
Input
Input Parameter | Required/Optional | Description | Example |
Category Name | Optional | The name of the URL Category to return. The max length of the name is 31 characters. The exceeded characters will be cut off. | suspicious_group |
Location | Required | The location to retrieve the tags from. Available values are Virtual System and Panorama Pushed. | Virtual System |
Virtual System Name | Required | The virtual system where the custom URL categories will be retrieved from. Virtual System Name can be obtained using the List Virtual Systems command. | vsys1 |
Output
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | List Custom URL Categories failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Palo Alto Networks FireWall V10 portal. Refer to the HTTP Status Code Registry for details. | Status Code: 404. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Object Not Present. |
Error Sample Data List Custom URL Categories failed. Status Code: 404. Message: Object Not Present. |
List Security Rules
Lists security rules with the provided filters.
READER NOTE
Virtual System Name is a required parameter to run this command.
Run the List Virtual Systems command to obtain Virtual System Name. Virtual System Name can be found in the returned raw data at the path $.result.entry[*].@name.
Input
Input Parameter | Required/Optional | Description | Example |
Rule Name | Optional | The name of the security rule to return. The max length of the name is 63 characters. The exceeded characters will be cut off. | testBlockURLsPolicy234 |
Location | Required | The location to retrieve the security rules. Available values are Virtual System and Panorama Pushed. | Virtual System |
Virtual System Name | Required | The virtual system where the security rules will be retrieved from. Virtual System Name can be obtained using the List Virtual Systems command. | vsys1 |
Output
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | List Security Rules failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Palo Alto Networks FireWall V10 portal. Refer to the HTTP Status Code Registry for details. | Status Code: 404. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Object Not Present. |
Error Sample Data List Security Rules failed. Status Code: 404. Message: Object Not Present. |
List Services
Lists service objects registered in the firewall with the provided filters.
READER NOTE
Virtual System Name is a required parameter to run this command when the Location parameter is set to Virtual System or Panorama Pushed; it cannot be filled when the Location is set to Predefined.
Run the List Virtual Systems command to obtain Virtual System Name. Virtual System Names can be found in the returned raw data at the path $.result.entry[*].@name.
Input
Input Parameter | Required/Optional | Description | Example |
Service Name | Optional | The name of the service to return. The max length of the name is 63 characters. The exceeded characters will be cut off. | service-http |
Location | Required | The location to retrieve the security rules from. Available values are Virtual System, Predefined and Panorama Pushed. | Predefined |
Virtual System Name | Optional | The virtual system where the tag will be retrieved from. The Virtual System Names can be obtained using the List Virtual Systems command. The parameter is required only when Location is set to Virtual System or Panorama Pushed. | vsys1 |
Output
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | List Services failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Palo Alto Networks FireWall V10 portal. Refer to the HTTP Status Code Registry for details. | Status Code: 404. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Object Not Present. |
Error Sample Data List Services failed. Status Code: 404. Message: Object Not Present. |
List Tags
Lists tags in the specified Location.
READER NOTE
Virtual System Name is a required parameter to run this command when you choose the Location parameter to Virtual System; it cannot be filled when the Location parameter chooses to Panorama Pushed.
Run the List Virtual Systems command to obtain Virtual System Name. Virtual System Name can be found in the returned raw data at the path $.result.entry[*].@name.
Input
Input Parameter | Required/Optional | Description | Example |
Tag Name | Optional | The name of the tag to return. The max length of the name is 127 characters. The exceeded characters will be cut off. | testTagPre03 |
Location | Required | The location to retrieve the tags from. Available values are: Virtual System, Predefined and Panorama Pushed. | Virtual System |
Virtual System Name | Optional | The virtual system where the tag will be retrieved from. This parameter is required only when Location is set to Virtual System or Panorama Pushed. Virtual System Names can be obtained using the List Virtual Systems command. | vsys1 |
Output
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | List Tags failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Palo Alto Networks FireWall V10 portal. Refer to the HTTP Status Code Registry for details. | Status Code: 404. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Object Not Present. |
Error Sample Data List Tags failed. Status Code: 404. Message: Object Not Present. |
List Virtual Systems
Lists all virtual systems. If a valid virtual system name is given, the command will return the details of the specified virtual system.
Input
Input Parameter | Required/Optional | Description | Example |
Name | Optional | The name of the virtual system to return. | vsys1 |
Output
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | List Virtual Systems failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Palo Alto Networks FireWall V10 portal. Refer to the HTTP Status Code Registry for details. | Status Code: 404. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Object Not Present. |
Error Sample Data List Virtual Systems failed. Status Code: 404. Message: Object Not Present. |
List Zones
Lists zones with the provided filters.
READER NOTE
Virtual System Name is a required parameter to run this command.
Run the List Virtual Systems command to obtain the Virtual System Name. Virtual System Names can be found in the returned raw data at the path $.result.entry[*].@name.
Input
Input Parameter | Required/Optional | Description | Example |
Zone Name | Optional | The name of the zone to return. The max length of the name is 31 characters. The exceeded characters will be cut off. | l3-untrust |
Location | Required | The location to retrieve the tags from. Available values are Virtual System and Panorama Pushed. | Virtual System |
Virtual System Name | Required | The virtual system where the zones will be retrieved from. Virtual System Names can be obtained using the List Virtual Systems command. | vsys1 |
Output
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | List Zones failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Palo Alto Networks FireWall V10 portal. Refer to the HTTP Status Code Registry for details. | Status Code: 404. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Object Not Present. |
Error Sample Data List Zones failed. Status Code: 404. Message: Object Not Present. |
Run Operation Commands
Runs the operation commands.
Input
Input Parameter | Required/Optional | Description | Example |
Commands | Required | The name of the operation commands to run. The commands will be executed by order of input. Please check the link (<{Server URL}/php/rest/browse.php/op>) for the commands details. | ["<show><app-warning><count><vsys>vsys1</vsys></count></app-warning></show>"] |
Output
Error Handling
If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Run Operation Commands failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Palo Alto Networks FireWall V10 portal. Refer to the HTTP Status Code Registry for details. | Status Code: 400. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Server Url is not valid in format. |
Error Sample Data Run Operation Commands failed. Status Code: 403. Message: Server Url is not valid in format. |
Unblock Applications
Removes the specified applications from an existing security rule.
READER NOTE
Rule Name, Virtual System Name and Applications are required parameters to run this command.
Run the List Security Rules command to obtain Rule Name. Rule Names can be found in the returned raw data at the path $.result.entry[*].@name.
Run the List Virtual Systems command to obtain the Virtual System Name. Virtual System Names can be found in the returned raw data at the path $.result.entry[*].@name.
Run the List Applications command to obtain Applications. Applications can be found in the returned raw data at the path $.result.entry[*].@name.
Input
Input Parameter | Required/Optional | Description | Example |
Rule Name | Required | The security rule name that applies to the application. Rule Name can be obtained using the List Security Rules command. | testPolicy5 |
Virtual System Name | Required | The virtual system where the security rules will be retrieved from. Virtual System Names can be obtained using the List Virtual Systems command. | vsys1 |
Applications | Required | The list of application names to be removed from the security rule. Applications can be obtained using the List Applications command. | ["testApp1"] |
Output
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Unblock Applications failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Palo Alto Networks FireWall V10 portal. Refer to the HTTP Status Code Registry for details. | Status Code: 401. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Please use command List Security Rules to get the valid security rules. |
Error Sample Data Unblock Applications failed. Status Code: 401. Message: Please use command List Security Rules to get the valid security rules. |
Update Addresses
Updates the tag and description of the specified addresses.
READER NOTE
Address Names and Virtual System Name are required parameters to run this command.
Run the List Addresses command to obtain the Address Names. Address Names can be found in the returned raw data at the path $[*].@name.
Run the List Virtual Systems command to obtain the Virtual System Name. Virtual System Names can be found in the returned raw data at the path $.result.entry[*].@name.
Input parameter Tags is an optional parameter to run this command.
Run the List Tags command to obtain Tags. Tags can be found in the returned raw data at the path $.result.entry[*].@name.
Input
Input Parameter | Required/Optional | Description | Example |
Address Names | Required | The list of address names to be updated. Address Names can be obtained using the List Addresses command. | ["testAddress10"] |
Virtual System Name | Required | The virtual system where the address will be updated. Virtual System Names can be obtained using the List Virtual Systems command. | vsys1 |
Description | Optional | The description to update the specified addresses with. The max length of the description is 1023 characters. The exceeded characters will be cut off. | New description for the addresses |
Tags | Optional | The tag names to set to the specified addresses. Tags can be obtained using the List Tags command with the Location set to Virtual System. | ["malware", "testTag01"] |
Is Replace Tags | Required | If the value selected is True, then the new tags will replace existing tags of the addresses. If False is selected, the input tags will be appended to the addresses. | False |
Output
Error Handling
If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Update Addresses failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Palo Alto Networks FireWall V10 portal. Refer to the HTTP Status Code Registry for details. | Status Code: 404. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Object Not Present. |
Error Sample Data Update Addresses failed. Status Code: 404. Message: Object Not Present. |
Update Address Groups
Updates address groups with the given parameters. When executing, the group type and group objects will be overwritten by the given values.
READER NOTE
Address Group Names, Virtual System Name and Group Object are required parameters to run this command.
Run the List Address Group command to obtain the Address Group Names. Address Group Names can be found from the returned raw data at the path $.result.entry[*].@name.
When configuring the Group Type parameter as Dynamic, tags should be specified in the Group Objects parameter for address filtering.
Run the List Tags command to obtain Tags. Tags can be found in the returned raw data at the path $.result.entry[*].@name.
Run the List Virtual Systems command to obtain the Virtual System Name. Virtual System Name can be found in the returned raw data at the path $.result.entry[*].@name.
Input parameter Tags is an optional parameter to run this command.
Run the List Tags command to obtain Tags. Tags can be found in the returned raw data at the path $.result.entry[*].@name.
Input
Input Parameter | Required/Optional | Description | Example |
Address Group Names | Required | The names of the address groups to be updated. Address Group Names can be obtained using the List Address Group command. | ["testDynamicGroup"] |
Virtual System Name | Required | The virtual system where the address group will be updated. Virtual System Names can be obtained using the List Virtual Systems command. | vsys1 |
Group Type | Required | The group type of the address group to be updated. Available values are Static or Dynamic. | Dynamic |
Group Objects | Required | The objects to be set to the group. When the Group Type is Static, then the group objects are a string of address names separated with commas. Ex. address1, address2 … When the Group Type is Dynamic, the group object is a filter string to filter the addresses based on the tags. The syntax for the dynamic group is 'Tag1' and/or 'Tag2'…". Each tag name must be quoted by a pair of single quotations. Tags can be obtained using the List Tags command. | malware' or 'testTagPre03' |
Action | Required | The action operation for the group objects. The available values are: Add, Replace, Remove. Operation Add will append the new objects to the group. Operation Replace will replace the existing objects in the group. Operation Remove will remove the objects from the group. | Add |
Tags | Optional | The tags that will be set to the specified address group. Tags can be obtained using the List Tags command. | ["malware", "testTag01"] |
Is Replace Tags | Required | If this is set to True, then the new tags will replace existing tags of the address groups. If False is selected, the input tags will be appended to the address groups. | False |
Description | Optional | The description to update the specified address groups with. The max length of the description is 1023 characters. The exceeded characters will be cut off. | Incident1 |
Output
Error Handling
If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Update Address Groups failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Palo Alto Networks FireWall V10 portal. Refer to the HTTP Status Code Registry for details. | Status Code: 404. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Object Not Present. |
Error Sample Data Update Address Groups failed. Status Code: 404. Message: Object Not Present. |
Update Custom URL Categories
Updates the description and URLs of the specified URL categories.
READER NOTE
Category Names and Virtual System Name are required parameters to run this command.
Run the List Custom URL Categories command to obtain the Category Names. Category Names can be found from the returned raw data at the path $.result.entry[*].@name.
Run the List Virtual Systems command to obtain the Virtual System Name. Virtual System Names can be found in the returned raw data at the path $.result.entry[*].@name.
Input
Input Parameter | Required/Optional | Description | Example |
Category Names | Required | The list of URL category names to be updated. Category Names can be obtained using the List Custom URL Categories command. | ["suspicious_group"] |
Virtual System Name | Required | The virtual system where the address will be updated. Virtual System Names can be obtained using the List Virtual Systems command. | vsys1 |
Description | Optional | The description to update the specified categories with. The max length of the description is 255 characters. The exceeded characters will be cut off. | New URL appended. |
URLs | Optional | The URLs to set to the specified category. | ["www.1.com"] |
Action | Required | The action operation for the category. The available values are: Add, Replace, Remove. Operation Add will append the new URLs to the categories. Operation Replace will replace the existing URLs of the categories. Operation Remove will remove the URLs from the categories. | Add |
Output
Error Handling
If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Update Custom URL Categories failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Palo Alto Networks FireWall V10 portal. Refer to the HTTP Status Code Registry for details. | Status Code: 404. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Object Not Present. |
Error Sample Data Update Custom URL Categories failed. Status Code: 404. Message: Object Not Present. |
Update Security Rule
Updates a security rule with the provided configurations.
READER NOTE
Rule Name and Virtual System Name are required parameters to run this command.
Run the List Security Rules command to obtain Rule Name. Rule Names can be found in the returned raw data at the path $.result.entry[*].@name.
Run the List Virtual Systems command to obtain the Virtual System Name. Virtual System Names can be found in the returned raw data at the path $.result.entry[*].@name.
Source Zones, Destination Zones, Source Addresses, Destination Addresses, Services, Applications and Categories are optional parameters to run this command.
Run the List Zones command to obtain Source Zones and Destination Zones. Choose a Zone Name to define Source Zones and Destination Zones. Zone Name can be found in the returned raw data at the path $.result.entry[*].@name.
Run the List Addresses command if you want to input Addresses to Source Addresses and Destination Addresses parameters. Addresses can be found in the returned raw data at the path $[*].@name. Run the List Address Groups command if you want to input the Address Group name to Source Addresses and Destination Addresses parameters. Address Groups can be found in the returned raw data at the path $.result.entry[*].@name.
Run the List Services command to obtain the Services. Services can be found in the returned raw data at the path $.result.entry[*].@name.
Run the List Applications command to obtain the Applications. Applications can be found in the returned raw data at the path $.result.entry[*].@name.
Run the List Custom URL Categories command to obtain the Categories. Categories can be found in the returned raw data at the path $.result.entry[*].@name.
The Update Action parameter is set to Add by default. Please note that this parameter will affect how your security rule is updated.
Add: New objects will be appended to the original rule fields. For instance, if the original source zone is "Zone1" and you input a new value of "Zone2", the security rule's source zone will be changed to ["Zone1", "Zone2"]. However, for the Action input parameter, the new value will replace the original value. For the Description and Rule Type input parameters, the original value will be replaced with the new value. The original value will remain unchanged if you don't input any value. Please note that it is only possible to perform the add operation on text array type parameters.
Replace: The original rule settings will be replaced with the new values specified for all parameters.
Remove: The original values will be removed from a field. However, the input value must match the original value to be removed. For example, if the original source zone is ["Zone1", "Zone2"], and you input a value of "Zone2", the security rule's source zone will be changed to "Zone1". Please note that it is only possible to perform the remove operation on text array type parameters.
Input
Input Parameter | Required/Optional | Description | Example |
Rule Name | Required | The name of the security rule to update. Rule names can be obtained using the List Security Rules command. | testPolicy3 |
Virtual System Name | Required | The virtual system where the security rule will be updated. Virtual System Names can be obtained using the List Virtual Systems command. | vsys1 |
Description | Optional | The description to update the security rule with. The max length of the description is 1024 characters. The exceeded characters will be cut off. | A new security rule was added. |
Action | Required | The action for the security rule. Available values are Allow, Deny and Drop. | Deny |
Source Zones | Optional | The zone name list to be added to the security rule as the source. Zone names can be obtained using the List Zones command. | ["D3cyberLabDmzZone"] |
Destination Zones | Optional | The zone name list to be added to the security rule as the destination. Zone names can be obtained using the List Zones command. | ["l3-untrust"] |
Source Addresses | Optional | The address name/address group name list to be added to the security rule as the source address. The address/group names can be obtained using the List Addresses or List Address Groups command. | ["testDynamicGroup2", "suspiciousip1"] |
Destination Addresses | Optional | The address name/address group name list to be added to the security rule as the destination address. The address/group names can be obtained using the List Addresses or List Address Groups command. | ["suspicious_group", "suspiciousurl3"] |
Source Users | Optional | The user name list to be added to the security rule. The user names can be found in the GUI DEVICE > Local User Database > Users. | ["demo"] |
Services | Optional | The service name list to be added to the security rule. Service names can be obtained using the List Services command. | ["service-http"] |
Applications | Optional | The application name list to be added to the security rule. The address/group names can be obtained using the List Applications command. | ["100bao"] |
Categories | Optional | The URL category name list to be added to the security rule. Category names can be obtained using the List Custom URL Categories command. | ["testURLcategory1"] |
Profile Setting | Optional | The profile settings for the security rule. It could be one of the profiles or group objects. For the detailed syntax please refer to the API document: <{Server URL}/restapi-doc/#tag/policies-security-rules/paths/~1restapi~1v10.0~1Policies~1SecurityRules/post>. | The Group Object Sample: { "group": { "member": [ "Threats_Prevention" ] } } The Profiles Object Sample: { "profiles": { "url-filtering": { "member": [ "AllUrlAccessAudit" ] }, "data-filtering": { "member": [ "default" ] }, "file-blocking": { "member": [ "basic file blocking" ] }, "virus": { "member": [ "AV-Alert" ] }, "spyware": { "member": [ "Spyware-Alert" ] }, "vulnerability": { "member": [ "IPS-Alert" ] }, "wildfire-analysis": { "member": [ "default" ], "gtp": { "member": [ "default" ], "sctp": { "member": [ "default" ] } } } |
Rule Type | Optional | The type of the security rule. The available rule types are Universal, Intrazone and Interzone. | Universal |
Update Action | Optional | The operation to update the security rule. The available update actions are Add, Replace, and Remove. "Add" will append the new objects to the security rule. "Replace" will replace the existing objects in the security rule. "Remove" will remove the objects from the security rule. The default update action is Add. Please refer to the corresponding section in the D3 SOAR user guide for more in-depth information about each action. | Add |
Output
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Update Security Rule failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Palo Alto Networks FireWall V10 portal. Refer to the HTTP Status Code Registry for details. | Status Code: 404. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Object Not Present. |
Error Sample Data Update Security Rule failed. Status Code: 404. Message: Object Not Present. |
Update Tags
Updates the specified tags with the provided values.
READER NOTE
Tag Names and Virtual System Name are required parameters to run this command.
Run the List Tags command to obtain Tag Names. Tag Names can be found in the returned raw data at the path $.result.entry[*].@name.
Run the List Virtual Systems command to obtain Virtual System Name. Virtual System Name can be found in the returned raw data at the path $.result.entry[*].@name.
Input
Input Parameter | Required/Optional | Description | Example |
Tag Names | Required | The list of tag names to be updated. Tag Names can be obtained using the List Tags command. | ["testTagPre03"] |
Virtual System Name | Required | The virtual system where the tags will be updated. Virtual System Names can be obtained using the List Virtual Systems command. | vsys1 |
Color | Optional | The color to apply to the tags. | Color6 |
Comments | Optional | The comments to add to the tags. The max length of the comment is 1023 characters. The exceeded characters will be cut off. | A new sample tag in virtual system. |
Output
Error Handling
If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Update Tags failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Palo Alto Networks FireWall V10 portal. Refer to the HTTP Status Code Registry for details. | Status Code: 404. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Object Not Present. |
Error Sample Data Update Tags failed. Status Code: 404. Message: Object Not Present. |
Test Connection
Allows you to perform a health check on an integration connection. You can schedule a periodic health check by selecting Connection Health Check when editing an integration connection.
Input
N/A
Output
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Test Connection failed. Failed to check the connector. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Palo Alto Networks FireWall V10 portal. Refer to the HTTP Status Code Registry for details. | Status Code: 400. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Server Url is not valid in format. |
Error Sample Data Test Connection failed. Failed to check the connector. Status Code: 400. Message: Server Url is not valid in format. |