Skip to main content
Skip table of contents

Palo Alto Networks FireWall V10

LAST UPDATED: NOV 22, 2024

Overview

Palo Alto Networks Firewall REST API allows managing and configuring firewalls. You can use the REST API to Create, Read, Update, Delete (CRUD) Objects and Policies on the firewalls; you can access the REST API directly on the firewall or use Panorama to perform these operations on policies and objects from a central location and push them to the managed firewalls.

D3 SOAR is providing REST operations to function with Palo Alto Networks FireWall V10.

Palo Alto Networks FireWall V10 is available for use in:

D3 SOAR

V14.5.123.0+

Category

Network Security

Deployment Options

Option I, Option III

Known Limitations

  • Evident Monitoring API's call rate limit is 120 calls per minute.When you exceed the rate limit, the request will respond with error code 429 (Too Many Requests). The response header will include the following attributes:

    • X-RateLimit-Limit: the current API rate limit

    • X-RateLimit-Remaining: number of calls left, will always be 0

    • X-RateLimit-Reset: the time (in iso8601) at which the limit will be reset
      These can be leveraged to implement efficient retry logic.
      Please refer to What is Evident Monitoring API's call rate limit? for detailed information.

  • The WildFire API key included with a standard WildFire subscription allows up to 150 sample uploads per day and up to 1,050 report queries per day. The daily limit resets at 23:59:00 UTC. You are also limited to 100MB sample sizes when submitting samples to the WildFire public cloud. File uploads to the WildFire appliance are also limited to 100MB per file, though there are no daily limits on uploads and queries. If you require extended API access limits, please contact your Palo Alto Networks sales representative for more information.
    Please refer to Impose API Limits for detailed information.

Connection

To connect to Palo Alto Networks FireWall V10 from D3 SOAR, please follow this part to collect the required information below:

Parameter

Description

Example

Server URL

The server URL of the Palo Alto Networks Firewall.

https://1.1.1.1

User Name

The user name for generating the API Key.

admin

Password

The password for generating the API Key.

************

API Key

The API key for authenticating the connection. Click Generate API Key after entering the Username and Password. Remember to click Save button to preserve the current API key for future use.

LUFR****M01nb****Y2NE****eA==

API Version

The version of the API to use for the integration.

v10.0

Permission Requirements

Each endpoint in the Palo Alto Networks FireWall V10 API requires a certain permission scope. The following are required scopes for the commands in this integration:

Command

Required Permission

Block Addresses By Groups

Device administrator or Superuser

Block Applications

Device administrator or Superuser

Block IP By Adding To Address Group

Device administrator or Superuser

Block URLs By Category

Device administrator or Superuser

Commit

Device administrator or Superuser

Create Address

Device administrator or Superuser

Create Address Group

Device administrator or Superuser

Create Custom URL Category

Device administrator or Superuser

Create Security Rule

Device administrator or Superuser

Create Tag

Device administrator or Superuser

Delete Addresses

Device administrator or Superuser

Delete Security Rules

Device administrator or Superuser

Generate API Key

Available for all roles

List Addresses

Available for all roles

List Address Groups

Available for all roles

List Applications

Available for all roles

List Custom URL Categories

Available for all roles

List Security Rules

Available for all roles

List Services

Available for all roles

List Tags

Available for all roles

List Virtual Systems

Available for all roles

List Zones

Available for all roles

Run Operation Commands

Available for all roles

Unblock Applications

Device administrator or Superuser

Update Addresses

Device administrator or Superuser

Update Address Groups

Device administrator or Superuser

Update Custom URL Categories

Device administrator or Superuser

Update Security Rule

Device administrator or Superuser

Update Tags

Device administrator or Superuser

Test Connection

Available for all roles

As Palo Alto Networks FireWall V10 is using role-based access control (RBAC), the API Key is generated based on a specific user account and the application. Therefore, the command permissions are inherited from the user account’s role. Users need to configure their user profile from the Palo Alto Networks FireWall V10 console for each command in this integration.

READER NOTE

Palo Alto Networks FireWall V10’s default user profiles (sorted from the most permissions to the least) are as follows:

  • Superuser

  • Superuser (read-only)

  • Device administrator

  • Device administrator (read-only)

Please refer to Administrative Role Types for user profile and configuration detail.

Device administrator is suggested since this role is sufficient for executing all D3 commands.

Configuring Palo Alto Networks FireWall V10 to Work with D3 SOAR

  1. Log into Palo Alto Networks FireWall with your credentials.

  2. Click Device, then choose Administrators. Click + Add at the bottom to add a new user.

  3. Input your Name, Password and then Confirm Password. Choose Dynamic Administrator Type, then use the dropdown to select your user role. The Device Administrator role is suggested, since this role has access to all commands. Click OK to create the account.

Configuring D3 SOAR to Work with Palo Alto Networks FireWall V10

  1. Log in to D3 SOAR.

  2. Find the Palo Alto Networks FireWall V10 integration.

    Frame 62 (7)-20241101-183242.png
    1. Navigate to Configuration on the top header menu.

    2. Click on the Integration icon on the left sidebar.

    3. Type Palo Alto Networks FireWall V10 in the search box to find the integration, then click it to select it.

    4. Click + New Connection, on the right side of the Connections section. A new connection window will appear.

  3. Configure the following fields to create a connection to Palo Alto Networks FireWall V10.

    Frame 63 (7)-20241101-183259.png
    1. Connection Name: The desired name for the connection.

    2. Site: Specifies the site to use the integration connection. Use the drop-down menu to select the site. The Share to Internal Sites option enables all sites defined as internal sites to use the connection. Selecting a specific site will only enable that site to use the connection.

    3. Recipient site for events from connections Shared to Internal Sites: This field appears if you selected Share to Internal Sites for Site to let you select the internal site to deploy the integration connection.

    4. Agent Name (Optional): Specifies the proxy agent required to build the connection. Use the dropdown menu to select the proxy agent from a list of previously configured proxy agents.

    5. Description (Optional): Add your desired description for the connection.

    6. Tenant (Optional): When configuring the connection from a master tenant site, you have the option to choose the specific tenant sites you want to share the connection with. Once you enable this setting, you can filter and select the desired tenant sites from the dropdowns to share the connection.

    7. Configure User Permissions: Defines which users have access to the connection.

    8. Active: Check the tick box to ensure the connection is available for use.

      Frame 66 (5)-20241101-183602.png
    9. System: This section contains the parameters defined specifically for the integration. These parameters must be configured to create the integration connection.

      Frame 65 (7)-20241101-183336.png

      1. Input your domain level Server URL. Default value is https://<REPLACE.ME>.
      2. Input your User Name.
      3. Input your Password.
      4. Click the Generate API Key button to generate an API Key. Note: Running the Generate API Key command can also generate API keys which can be pasted here for authenticating API calls (run the command, copy the API key result, paste in this command without clicking the Generate API Key button). Note that the API keys you generated by the command will not replace the existing ones.
      5. Input your API Version. Default value is v10.0.

    10. Connection Health Check: Updates the connection status you have created. A connection health check is done by scheduling the Test Connection command of this integration. This can only be done when the connection is active.
      To set up a connection health check, check the Connection Health Check tickbox. You can customize the interval (minutes) for scheduling the health check. An email notification can be set up after a specified number of failed connection attempts.

    11. Enable Password Vault: An optional feature that allows users to take the stored credentials from their own password vault. Please refer to the password vault connection guide if needed.

  4. Test the connection.

    1. Click Test Connection to verify the account credentials and network connection. If the Test Connection Passed alert window appears, the test connection is successful. You will see Passed with a green checkmark appear beside the Test Connection button. If the test connection fails, please check your connection parameters and try again.

    2. Click OK to close the alert window.

    3. Click + Add to create and add the configured connection.

Commands

Palo Alto Networks FireWall V10 includes the following executable commands for users to set up schedules or create playbook workflows. With the Test Command, you can execute these commands independently for playbook troubleshooting.

Integration API Note

For more information about the Palo Alto Networks FireWall V10 API, please refer to the Palo Alto Networks FireWall V10 API reference. PAN-OS REST API (10.0) or Access the PAN-OS REST API.

READER NOTE

Certain permissions are required for each command. Please refer to the Permission Requirements and Configuring Palo Alto Networks FireWall V10 to Work with D3 SOAR for details.

Block Addresses By Groups

Specifies the address groups that will be set in an existing or new security rule with the deny action. The command needs a valid address group.

READER NOTE

Rule Name, Group Names and Virtual System Name are required parameters to run this command.

  • To use an existing rule, run the List Security Rules command to obtain Rule Name. Rule Names can be found in the returned raw data at the path $.result.entry[*].@name. If the input rule name does not exist, a new rule will be created.

  • Run the List Address Groups command to obtain Group Names. Group Names can be found in the returned raw data at the path $.result.entry[*].@name.

    • If there are multiple group name inputs, invalid groups will be removed from the inputs and no error will be returned.

  • Run the List Virtual Systems command to obtain Virtual System Name. Virtual System Names can be found in the returned raw data at the path $.result.entry[*].@name.

Input

Input Parameter

Required/Optional

Description

Example

Rule Name

Required

The security rule name that takes action for the address groups. If the given rule name does not exist, a new rule will be created. Existing Rule Name can be obtained using the List Security Rule command.

testPolicy4

Group Names

Required

The list of valid address group names for the security rule. The group names can be obtained using the List Address Groups command. Invalid group names will be ignored.

["testDynamicGroup2"]

Virtual System Name

Required

The virtual system where the security rules will be retrieved from. The Virtual System Name can be obtained using the List Virtual Systems command.

vsys1

Output

Raw Data

The primary response data from the API request.

D3 enriches the raw data from the original Palo Alto Networks Firewall API response by adding the "ruleName" and "invalidGroups" fields. If no invalid group exists, then the "invalidGroup" will not appear in the returned raw data.

SAMPLE DATA

JSON
{
    "ruleName": "testPolicy4",
    "invalidGroups": [
        "BlockAddressGroup03"
    ],
    "@status": "success",
    "@code": "20",
    "msg": "command succeeded"
}
Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

@status

success

@code

20

msg

command succeeded

ruleName

testPolicy4

invalidGroups

  • testDynamicGroup46

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Block Addresses By Groups failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Palo Alto Networks FireWall V10 portal. Refer to the HTTP Status Code Registry for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Command Block Addresses By Group failed at step get the group details by group name xxx.

Error Sample Data

Block Addresses By Groups failed.

Status Code: 400.

Message: Command Block Addresses By Group failed at step get the group details by group name xxx.

Block Applications

Adds applications to an existing or new security rule with the deny action.

READER NOTE

Rule Name, Virtual System Name and Applications are required parameters to run this command.

  • To use an existing rule, run the List Security Rules command to obtain Rule Name. Rule Names can be found in the returned raw data at the path $.result.entry[*].@name. If the input rule name does not exist, a new rule will be created.

  • Run the List Virtual Systems command to obtain Virtual System Name. Virtual System Names can be found in the returned raw data at the path $.result.entry[*].@name.

  • Run the List Applications command to obtain Applications. Applications can be found in the returned raw data at the path $.result.entry[*].@name.

Input

Input Parameter

Required/Optional

Description

Example

Rule Name

Required

The security rule name that takes action for the applications. If the given rule name does not exist, a new rule will be created. Existing Rule Name can be obtained using the List Security Rules command.

testPolicy5

Virtual System Name

Required

The virtual system where the security rules will be retrieved from. The Virtual System Name can be obtained using the List Virtual Systems command.

vsys1

Applications

Required

The list of application names for the security rule. Applications can be obtained using the List Applications command.

["testApp1"]

Output

Raw Data

The primary response data from the API request.

D3 enriches the raw data from the original Palo Alto Networks Firewall API response by adding the "ruleName" field to indicate the name of the rule used in this command.

SAMPLE DATA

JSON
{
    "ruleName": "testPolicy5",
    "@status": "success",
    "@code": "20",
    "msg": "command succeeded"
}
Return Data

Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.

The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

@status

success

@code

20

msg

command succeeded

ruleName

testPolicy5

Error Handling

If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Block Applications failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Palo Alto Networks FireWall V10 portal. Refer to the HTTP Status Code Registry for details.

Status Code: 404.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: referenced before assignment.

Error Sample Data

Block Applications failed.

Status Code: 404.

Message: referenced before assignment.

Block IPs By Adding To Address Group

Blocks specified IPs by adding them to the specified address group which was configured to be blocked in security rule.

READER NOTE

Virtual System Name is a required parameter to run this command.

  • Run the List Virtual Systems command to obtain the Virtual System Name. Virtual System Names can be found in the returned raw data at the path $.result.entry[*].@name.

Input

Input Parameter

Required/Optional

Description

Example

Address Group Name

Required

The name of the address group which was configured to be blocked.

Suspicious_group

Addresses

Required

The addresses to be blocked. You can enter an IP address or a network using the slash notation (Ex. 192.168.80.150 or 192.168.80.0/24). You can also enter an IPv6 address or an IPv6 address with its prefix (Ex. 2001:db8:123:1::1 or 2001:db8:123:1::/64).

[ "1.1.1.1", "2000:db0:123:1::1" ]

Virtual System Name

Optional

The name of the virtual system where the configuration change will be made. The Virtual System Names can be obtained using the List Virtual Systems command. If not specified, the default Virtual System is vsys1.

Vsys1

Action

Optional

The action to take for the policy change. You can choose to only validate the policy change or commit the change. If this parameter is not defined, the default value is Validate Only. Please note, only changes made by the logged-in user will be validated or committed.

Device-and-network and shared-object changes are not in the validate/commit scope. Also, committing changes to Panorama does not automatically push these settings to the firewalls. To do so, use the Push To Device Group command.

Commit

Device Group

Optional

The device group in which to block IPs. Panorama instances only.

dev-group1

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "response": {
        "result": {
            "job": {
                "tenq": "2023/09/22 18:02:14",
                "tdeq": "18:02:14",
                "id": 58,
                "user": "admin",
                "type": "Commit",
                "status": "FIN",
                "queued": "NO",
                "stoppable": "no",
                "result": "OK",
                "tfin": "18:04:16",
                "description": "",
                "positionInQ": 0,
                "progress": 100,
                "details": {
                    "line": [
                        "Partial changes to commit: changes to configuration by administrators: admin_jon",
                        "Changes to policy and objects configuration",
                        "Configuration committed successfully"
                    ]
                },
                "warnings": {
                    "line": [
                        "Certificate crt.o365saml.shared in shared expired on Aug  7 22:14:50 2023 GMT",
                        "Certificate sslcert in shared expired on Mar 14 19:20:23 2023 GMT",
                        "Warning: No valid threat content package exists",
                        "vsys1",
                        "Warning: in vsys1, 6 warnings for profiles and profile groups: No valid URL filtering license,",
                        "(Module: device)"
                    ]
                }
            }
        }
    }
}
Return Data

Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.

The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

jobId

28

jobProgress

100

jobCurState

FIN

jobResult

OK

Error Handling

If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Block IPs By Adding To Address Group failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Palo Alto Networks FireWall V10 portal. Refer to the HTTP Status Code Registry for details.

Status Code: 404.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Object Not Present.

Error Sample Data

Block IPs By Adding To Address Group failed.

Status Code: 404.

Message: Object Not Present.

Block URLs By Category

Adds URLs to an existing or new custom URL category which will be set in an existing or new security rule with the deny action.

READER NOTE

Rule Name, Category Name and Virtual System Name are required parameters to run this command.

  • To use an existing rule, run the List Security Rules command to obtain Rule Name. Rule Names can be found in the returned raw data at the path $.result.entry[*].@name. If the input rule name does not exist, a new rule will be created.

  • To use an existing Category Name, run the List Custom URL Categories command to obtain Category Name. Category Names can be found in the returned raw data at the path $.result.entry[*].@name. If the input Category Name does not exist, a new category will be created.

  • Run the List Virtual Systems command to obtain Virtual System Name. Virtual System Names can be found in the returned raw data at the path $.result.entry[*].@name.

Input

Input Parameter

Required/Optional

Description

Example

Rule Name

Required

The security rule name that takes action for the URL. If the given rule name does not exist, a new rule will be created. Existing Rule Name can be obtained using the List Security Rules command.

testPolicy4

Category Name

Required

The custom URL category name for the security rule. If the given category name does not exist, a new category will be created. Existing Category Name can be obtained using the List Custom URL Categories command.

BlockURLCategory03

Virtual System Name

Required

The virtual system where the security rules will be retrieved from. The Virtual System Names can be obtained using the List Virtual Systems command.

vsys1

URLs

Required

The list of URLs that will be added to the custom URL category.

["www.1.com"]

Output

Raw Data

The primary response data from the API request.

D3 enriches the raw data from the original Palo Alto Networks Firewall API response by adding the "ruleName" and "categoryName" fields.

SAMPLE DATA

JSON
{
    "ruleName": "testPolicy4",
    "categoryName": "BlockURLRule03",
    "@status": "success",
    "@code": "20",
    "msg": "command succeeded"
}
Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

@status

success

@code

20

msg

command succeeded

ruleName

testPolicy123

categoryName

BlockURLCategory123

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Block URLs By Category failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Palo Alto Networks FireWall V10 portal. Refer to the HTTP Status Code Registry for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Invalid Object Command Block URLs By Category failed at step Create Custom URL Category.

Error Sample Data

Block URLs By Category failed.

Status Code: 400.

Message: Invalid Object Command Block URLs By Category failed at step Create Custom URL Category.

Commit

Commits the configuration changes to the Firewall.

Input

N/A

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "response": {
        "@status": "success",
        "@code": "19",
        "result": {
            "msg": {
                "line": "Commit job enqueued with jobid 23378"
            },
            "job": "*****"
        }
    }
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "JobID": "\"*****\""
}
Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

msg

{'line': 'Commit job enqueued with jobid ***'}

job

***

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Commit failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Palo Alto Networks FireWall V10 portal. Refer to the HTTP Status Code Registry for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Server Url is not valid in format.

Error Sample Data

Commit failed.

Status Code: 400.

Message: Server Url is not valid in format.

Create Address

Creates an address with tags. Addresses with the same tags can be dynamically collected by an address group with the Dynamic tags configuration.

READER NOTE

Virtual System Name is a required parameter to run this command.

  • Run the List Virtual Systems command to obtain Virtual System Name. Virtual System Names can be found in the returned raw data at the path $.result.entry[*].@name.

Input parameter Tags is an optional parameter to run this command.

  • Run the List Tags command with the Location parameter set to Virtual System to obtain Tags. Tags can be found in the returned raw data at the path $.result.entry[*].@name.

Input

Input Parameter

Required/Optional

Description

Example

Address Name

Required

The Address Name name to be created. The max length of the name is 63 characters. The exceeded characters will be cut off.

testAddress10

Virtual System Name

Required

The virtual system where the address will be added into. Virtual System Names can be obtained using List Virtual Systems command.

vsys1

Address

Required

The value that will be added to Palo Alto Networks Firewall as an address. Values can be an IP Address (192.168.20.40 or 192.168.80.0/24 or 2001:db8:123:1::/64), an IP Range (192.168.20.40-192.168.20.50, or 2001:db8:123:1::1-2001:db8:123:1::22), an IP Wildcard Mask (10.182.1.1/0.127.248.0) or a FQDN (www.example.com). The FQDN only contains the domain part.

1.2.3.4

Tags

Optional

The tags for the address object. Tags can be obtained using List Tags command, with Location parameter set to Virtual System.

["malware"]

Description

Optional

The description of the address. The max length of the description is 1023 characters. The exceeded characters will be cut off.

Simple ip address

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "@status": "success",
    "@code": "20",
    "msg": "command succeeded"
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "AddressName": "\"testAddress10\""
}
Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

@status

success

@code

20

msg

command succeeded

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Create Address failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Palo Alto Networks FireWall V10 portal. Refer to the HTTP Status Code Registry for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: xxx is not supported address value.

Error Sample Data

Create Address failed.

Status Code: 400.

Message: xxx is not supported address value.

Create Address Group

Creates an address group. Address groups with specified tags and the Group Type set to Dynamic can be used to block or unblock addresses in a security rule without needing to update the security rule.

READER NOTE

Virtual System Name and Group Object are required parameters to run this command.

  • When configuring the Group Type parameter as Dynamic, tags should be specified in the Group Objects parameter for address filtering.

    • Run the List Tags command to obtain Tags. Tags can be found in the returned raw data at the path $.result.entry[*].@name.

  • Run the List Virtual Systems command to obtain Virtual System Name. Virtual System Names can be found in the returned raw data at the path $.result.entry[*].@name.

Input

Input Parameter

Required/Optional

Description

Example

Address Group Name

Required

The Address Group Name name to be created. The max length of the name is 63 characters. The exceeded characters will be cut off.

Block-1.1.1.1

Virtual System Name

Required

The virtual system where the address group will be created. Virtual System Names can be obtained using the List Virtual Systems command.

vsys1

Group Type

Required

The group type of the address group. Available values are Static or Dynamic.

Static

Group Objects

Required

The objects to be added to the group. When the Group Type is Static, then the group objects are a string of address names separated with commas. Ex. address1, address2. When the Group Type is Dynamic, the group object is a filter string to filter the addresses based on the tags. The syntax for the dynamic group is 'Tag1' and/or 'Tag2'. Each tag name must be quoted by a pair of single quotations. Tags can be obtained using the List Tags command.

'malware' or 'testTagPre03'

Tags

Optional

The tag names will be set to the specified address group. Tags can be obtained using the List Tags command.

["malware", "testTag01"]

Description

Optional

The description to update the specified addresses. The max length of the description is 1023 characters. The exceeded characters will be cut off.

New description for the addresses

Output

Raw Data

The primary response data from the API request.

D3 enriches the raw data from the original Palo Alto Networks Firewall API response by adding the "addressGroupName" field to indicate the name of the address group.

SAMPLE DATA

JSON
{
    "addressGroupName": "testDynamicGroup",
    "@status": "success",
    "@code": "20",
    "msg": "command succeeded"
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "AddressNames": "\"[\\\"block-21.1.1.1\\\", \\\"Block_www.testmalicious.com\\\"]\""
}
Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

@status

success

@code

20

msg

command succeeded

addressGroupName

testDynamicGroup63

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Create Address Group failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Palo Alto Networks FireWall V10 portal. Refer to the HTTP Status Code Registry for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: xxx is not supported address value.

Error Sample Data

Create Address Group failed.

Status Code: 400.

Message: xxx is not supported address value.

Create Custom URL Category

Creates a custom URL category.

READER NOTE

Virtual System Name is a required parameter to run this command.

  • Run the List Virtual Systems command to obtain Virtual System Name. Virtual System Names can be found in the returned raw data at the path $.result.entry[*].@name.

Input

Input Parameter

Required/Optional

Description

Example

Category Name

Required

The Category Name name to be created. The max length of category names is 31 characters. The exceeded characters will be cut off.

testURLcategory1

Virtual System Name

Required

The Virtual System where the URL category will be created. Virtual System Names can be obtained using the List Virtual Systems command.

vsys1

URLs

Required

The URLs for the category.

["www.1.com"]

Description

Optional

The description for the specified URL category. The max length of the description is 255 characters. The exceeded characters will be cut off.

New description for the addresses

Output

Raw Data

The primary response data from the API request.

D3 enriches the raw data from the original Palo Alto Networks Firewall API response by adding the "categoryName" field to indicate the name of the category.

SAMPLE DATA

JSON
{
    "categoryName": "testURLcategory1",
    "@status": "success",
    "@code": "20",
    "msg": "command succeeded"
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "CategoryName": "\"testURLcategory1\""
}
Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

@status

success

@code

20

msg

command succeeded

categoryName

testURLcategory2

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Create Custom URL Category failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Palo Alto Networks FireWall V10 portal. Refer to the HTTP Status Code Registry for details.

Status Code: 404.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Object Not Present.

Error Sample Data

Create Custom URL Category failed.

Status Code: 404.

Message: Object Not Present.

Create Security Rule

Creates a security rule with the provided configurations. Security rules with categories and/or address groups can handle dynamic block/unblock addresses.

READER NOTE

Virtual System Name is a required parameter to run this command.

  • Run the List Virtual Systems command to obtain Virtual System Name. Virtual System Names can be found in the returned raw data at the path $.result.entry[*].@name.

Source Zones, Destination Zones, Source Addresses, Destination Addresses, Services, Applications and Categories are optional parameters to run this command.

  • Run the List Zones command to obtain Source Zones and Destination Zones. Choose a Zone Name to define Source Zones and Destination Zones. Zone Names can be found in the returned raw data at the path $.result.entry[*].@name.

  • Run the List Addresses command if you want to input Addresses to the Source Addresses and Destination Addresses parameters. Addresses can be found in the returned raw data at the path $[*].@name.

  • Run the List Address Groups command if you want to input the Address Group name to Source Addresses and Destination Addresses parameters. Address Groups can be found in the returned raw data at the path $.result.entry[*].@name.

  • Run the List Services command to obtain Services. Services can be found in the returned raw data at the path $.result.entry[*].@name.

  • Run the List Applications command to obtain the Applications. Applications can be found in the returned raw data at the path $.result.entry[*].@name.

  • Run the List Custom URL Categories command to obtain the Categories. Categories can be found in the returned raw data at the path $.result.entry[*].@name.

Input

Input Parameter

Required/Optional

Description

Example

Rule Name

Required

The security rule name to be created. The max length of the name is 63 characters. The exceeded characters will be cut off.

testPolicy3

Virtual System Name

Required

The virtual system where the security rule will be created. Virtual System Name can be obtained using the List Virtual Systems command.

vsys1

Description

Optional

The description for the new security rule. The max length of the description is 1024 characters. The exceeded characters will be cut off.

A new security rule was added.

Action

Required

The action for the security rule. Available values are Allow, Deny and Drop.

Deny

Source Zones

Optional

The Zone Name list to be added to the security rule as the source. Zone Names can be obtained using the List Zones command.

["D3cyberLabDmzZone"]

Destination Zones

Optional

The Zone Name list to be added to the security rule as the destination. Zone Names can be obtained using the List Zones command.

["l3-untrust"]

Source Addresses

Optional

The address name/address group name list is to be added to the security rule as the source address. The address/group names can be obtained using List Addresses or List Address Groups command.

["testDynamicGroup2", "suspiciousip1"]

Destination Addresses

Optional

The address name/address group name list is to be added to the security rule as the destination address. The address/group names can be obtained using List Addresses or List Address Groups command.

["suspicious_group", "suspiciousurl3"]

Source Users

Optional

The user name list to be added to the security rule. The user names can be found in the GUI DEVICE > Local User Database > Users.

["demo"]

Services

Optional

The service name list is to be added to the security rule. Service name can be obtained using the List Services command.

["service-http"]

Applications

Optional

The application name list is to be added to the security rule. Application names can be obtained using the List Applications command.

["100bao"]

Categories

Optional

The URL category name list is to be added to the security rule. Category names can be obtained using the List Custom URL Categories command.

["testURLcategory1"]

Profile Setting

Optional

The profile settings for the security rule. It can be either profiles or group objects. For the detailed syntax please refer to the API document: <{Server URL}/restapi-doc/#tag/policies-security-rules/paths/~1restapi~1v10.0~1Policies~1SecurityRules/post>.

The Group Object Sample:

{

"group": {

"member": [

"Threats_Prevention"

]

}

}

The Profiles Object Sample:

{

"profiles": {

"url-filtering": {

"member": [

"AllUrlAccessAudit"

]

},

"data-filtering": {

"member": [

"default"

]

},

"file-blocking": {

"member": [

"basic file blocking"

]

},

"virus": {

"member": [

"AV-Alert"

]

},

"spyware": {

"member": [

"Spyware-Alert"

]

},

"vulnerability": {

"member": [

"IPS-Alert"

]

},

"wildfire-analysis": {

"member": [

"default"

],

"gtp": {

"member": [

"default"

],

"sctp": {

"member": [

"default"

]

}

}

}

Rule Type

Optional

The type of the security rule. Available values are Universal, Intrazone and Interzone.

Universal

Output

Raw Data

The primary response data from the API request.

D3 enriches the raw data from the original Palo Alto Networks Firewall API response by adding the "ruleName" field to indicate the name of the security rule.

SAMPLE DATA

JSON
{
    "ruleName": "testPolicy3",
    "@status": "success",
    "@code": "20",
    "msg": "command succeeded"
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "RuleName": "\"testPolicy3\""
}
Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

@status

success

@code

20

msg

command succeeded

ruleName

testPolicy18

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Create Security Rule failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Palo Alto Networks FireWall V10 portal. Refer to the HTTP Status Code Registry for details.

Status Code: 404.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Object Not Present.

Error Sample Data

Create Security Rule failed.

Status Code: 404.

Message: Object Not Present.

Create Tag

Creates a tag in the specified virtual system.

READER NOTE

Virtual System Name is a required parameter to run this command.

  • Run the List Virtual Systems command to obtain Virtual System Name. Virtual System Names can be found in the returned raw data at the path $.result.entry[*].@name.

Input

Input Parameter

Required/Optional

Description

Example

Tag Name

Required

The tag name to be created. The max length of the tag name is 127 characters. The exceeded characters will be cut off.

tag01

Virtual System Name

Required

The virtual system the tag will be added into. Virtual System Name can be obtained using the List Virtual Systems command.

vsys1

Color

Optional

The color for the tag.

Color6

Comments

Optional

The comments for the tag. The max length of the comment is 1023 characters. The exceeded characters will be cut off.

A new sample tag in virtual system.

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "@status": "success",
    "@code": "20",
    "msg": "command succeeded"
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "TagName": "\"testTag01\""
}
Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

CODE
The tag: tag01 has been created successfully.

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Create Tag failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Palo Alto Networks FireWall V10 portal. Refer to the HTTP Status Code Registry for details.

Status Code: 404.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Object Not Present.

Error Sample Data

Create Tag failed.

Status Code: 404.

Message: Object Not Present.

Delete Addresses

Deletes the given addresses.

READER NOTE

Address Names and Virtual System Name are required parameters to run this command.

  • Run the List Addresses command to obtain the Address Names. Address Names can be found in the returned raw data at the path $[*].@name.

  • Run the List Virtual Systems command to obtain Virtual System Name. Virtual System Names can be found in the returned raw data at the path $.result.entry[*].@name.

Input

Input Parameter

Required/Optional

Description

Example

Address Names

Required

The list of address names to be deleted. Address Names can be obtained using the List Addresses command.

["block-200.1.1.3", "block-200.1.1.2"]

Virtual System Name

Required

The virtual system where the address will be deleted. Virtual System Names can be obtained using the List Virtual Systems command.

vsys1

Output

Raw Data

The primary response data from the API request.

D3 enriches the raw data from the original Palo Alto Networks Firewall API response by adding the "addressName" field to indicate the name of the addresses being deleted.

SAMPLE DATA

JSON
[
    {
        "addressName": "block-200.1.1.3",
        "code": 5,
        "message": "Object Not Present",
        "details": [
            {
                "@type": "CauseInfo",
                "causes": [
                    {
                        "code": 7,
                        "module": "panui_mgmt",
                        "description": "Object Not Present: No object to edit."
                    }
                ]
            }
        ]
    },
    {
        "addressName": "block-200.1.1.2",
        "@status": "success",
        "@code": "20",
        "msg": "command succeeded"
    }
]
Return Data

Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.

The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

@STATUS

@CODE

MSG

ADDRESSNAME

success

20

command succeeded

block-200.1.1.3

success

20

command succeeded

block-200.1.1.2

Error Handling

If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Delete Addresses failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Palo Alto Networks FireWall V10 portal. Refer to the HTTP Status Code Registry for details.

Status Code: 404.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Object Not Present.

Error Sample Data

Delete Addresses failed.

Status Code: 404.

Message: Object Not Present.

Delete Security Rules

Deletes the security rules by given names.

READER NOTE

Rule Names and Virtual System Name are required parameters to run this command.

  • Run the List Security Rules command to obtain the Rule Names. Rule Names can be found in the returned raw data at the path $.result.entry[*].@name.

  • Run the List Virtual Systems command to obtain Virtual System Name. Virtual System Names can be found in the returned raw data at the path $.result.entry[*].@name.

Input

Input Parameter

Required/Optional

Description

Example

Rule Names

Required

The names of the security rules to be deleted.

["testURLcategory1"]

Location

Required

The location to retrieve the security rules from. Available values are Virtual System and Panorama Pushed.

Virtual System

Virtual System Name

Required

The virtual system where the security rules will be retrieved from. Virtual System Names can be obtained using the List Virtual Systems command.

vsys1

Output

Raw Data

The primary response data from the API request.

D3 enriches the raw data from the original Palo Alto Networks Firewall API response by adding the "ruleName" field to indicate the name of the rules being deleted.

SAMPLE DATA

JSON
[
    {
        "ruleName": "testPolicy3",
        "@status": "success",
        "@code": "20",
        "msg": "command succeeded"
    }
]
Return Data

Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.

The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

@STATUS

@CODE

MSG

RULENAME

success

20

command succeeded

testPolicy18

Error Handling

If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Delete Security Rules failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Palo Alto Networks FireWall V10 portal. Refer to the HTTP Status Code Registry for details.

Status Code: 404.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Object Not Present.

Error Sample Data

Delete Security Rules failed.

Status Code: 404.

Message: Object Not Present.

Generate API Key

Generates the API key required for authenticating API calls. The API key generated by this command will not replace the existing one.

Input

N/A

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "response": {
        "@status": "success",
        "result": {
            "key": "****************************************************"
        }
    }
}
Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

response

{'@status': 'success', 'result': {'key': '******=='}}

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Generate API Key failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Palo Alto Networks FireWall V10 portal. Refer to the HTTP Status Code Registry for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Server Url is not valid in format.

Error Sample Data

Generate API Key failed.

Status Code: 400.

Message: Server Url is not valid in format.

List Addresses

Lists the addresses in the specified Location.

READER NOTE

Virtual System Name is a required parameter to run this command.

  • Run the List Virtual Systems command to obtain Virtual System Name. Virtual System Names can be found in the returned raw data at the path $.result.entry[*].@name.

Input

Input Parameter

Required/Optional

Description

Example

Address Name

Optional

The name of the address to return. The max length of the name is 63 characters. The exceeded characters will be cut off.

Block-1.2.3.4

Location

Required

The location to retrieve the tags from. Available values are: Virtual System and Panorama Pushed.

Virtual System

Virtual System Name

Required

The virtual system where the addresses will be retrieved from. Virtual System Name can be obtained using the List Virtual Systems command.

vsys1

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "@status": "success",
    "@code": "19",
    "result": {
        "@total-count": "2",
        "@count": "2",
        "entry": [
            {
                "@name": "block-1.1.1.1",
                "@location": "vsys",
                "@vsys": "vsys1",
                "tag": {
                    "member": [
                        "malware"
                    ]
                }
            },
            {
                "@name": "Block_www.testmalicious.com",
                "@location": "vsys",
                "@vsys": "vsys1",
                "fqdn": "www.testmalicious.com"
            }
        ]
    }
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "AddressNames": "\"[\\\"block-1.1.1.1\\\", \\\"Block_www.testmalicious.com\\\"]\""
}
Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

@NAME

@LOCATION

@VSYS

DESCRIPTION

TAG

testAddress14

vsys

vsys1

New description for the addresses

{'member': ['tag02']}

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

List Addresses failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Palo Alto Networks FireWall V10 portal. Refer to the HTTP Status Code Registry for details.

Status Code: 404.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Object Not Present.

Error Sample Data

List Addresses failed.

Status Code: 404.

Message: Object Not Present.

List Address Groups

Returns the address group list.

READER NOTE

Virtual System Name is a required parameter to run this command

  • Run the List Virtual Systems command to obtain Virtual System Name. Virtual System Names can be found in the returned raw data at the path $.result.entry[*].@name.

Input

Input Parameter

Required/Optional

Description

Example

Address Group Name

Optional

The name of the address group to return. The max length of the name is 63 characters. The exceeded characters will be cut off.

["block-200.1.1.3", "block-200.1.1.2"]

Location

Required

The location to retrieve the address groups from. The available values are Virtual System and Panorama Pushed.

Virtual System

Virtual System Name

Required

The virtual system where the address groups will be retrieved from. Virtual System Name can be obtained using the List Virtual Systems command.

vsys1

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "@status": "success",
    "@code": "19",
    "result": {
        "@total-count": "1",
        "@count": "1",
        "entry": [
            {
                "@name": "testDynamicGroup2",
                "@location": "vsys",
                "@vsys": "vsys1",
                "description": "The Group is created for testing a feature of dynamic grou2p",
                "dynamic": {
                    "filter": "'malware' and 'testTagPre03'"
                }
            }
        ]
    }
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "AddressGroupNames": "\"[\\\"testDynamicGroup2\\\"]\""
}
Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

@NAME

@LOCATION

@VSYS

STATIC

suspicious_group

vsys

vsys1

{'member': ['Block_1.5.1.1', 'Block_2.2.2.2', 'Block_136.143.184.91', 'Block_195.206.105.217', 'Block_217.160.174.204', 'Block_coin-coin-data-6.com', 'Block_216.151.180.240', 'Block_136.143.184.92', 'Block_195.254.135.76', 'Block_199.195.248.29', 'Block_193.31.24.154', 'Block_213.164.206.127', 'Block_213.202.216.189', 'Block_198.54.128.94', 'Block_204.85.191.8', 'Block_217.79.179.7', 'Block_216.151.180.238', 'Block_198.144.121.43', 'Block_198.144.121.93', 'Block_216.151.180.51', 'block-1.1.1.1', 'block-1.1.1.2', 'Block-1.1.1.3', 'suspiciousip1', 'suspiciousurl1']}

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

List Address Groups failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Palo Alto Networks FireWall V10 portal. Refer to the HTTP Status Code Registry for details.

Status Code: 404.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Object Not Present.

Error Sample Data

List Address Groups failed.

Status Code: 404.

Message: Object Not Present.

List Applications

Lists application objects registered in the firewall with given filters.

READER NOTE

Virtual System Name is a required parameter to run this command when the Location parameter is set to Virtual System or Panorama Pushed; it cannot be filled when the Location is set to Predefined.

  • Run the List Virtual Systems command to obtain Virtual System Name. Virtual System Names can be found in the returned raw data at the path $.result.entry[*].@name.

Input

Input Parameter

Required/Optional

Description

Example

Application Name

Optional

The name of the application to return. The max length of the name is 31 characters. The exceeded characters will be cut off.

testApp1

Location

Required

The location to retrieve the security rules. Available values are Virtual System, Predefined and Panorama Pushed.

Virtual System

Virtual System Name

Optional

The virtual system where the applications will be retrieved from. The Virtual System Names can be obtained using the List Virtual Systems command. This parameter is required if Location is set to Virtual System or Panorama Pushed.

vsys1

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "@status": "success",
    "@code": "19",
    "result": {
        "@total-count": "1",
        "@count": "1",
        "entry": [
            {
                "@name": "testApp1",
                "@location": "vsys",
                "@vsys": "vsys1",
                "subcategory": "internet-utility",
                "category": "general-internet",
                "technology": "browser-based",
                "description": "test app",
                "risk": "1"
            }
        ]
    }
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "ApplicationNames": "\"[\\\"testApp1\\\"]\""
}
Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

@NAME

@LOCATION

@VSYS

SUBCATEGORY

CATEGORY

TECHNOLOGY

DESCRIPTION

RISK

testApp1

vsys

vsys1

internet-utility

general-internet

browser-based

test app

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

List Applications failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Palo Alto Networks FireWall V10 portal. Refer to the HTTP Status Code Registry for details.

Status Code: 404.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Object Not Present.

Error Sample Data

List Applications failed.

Status Code: 404.

Message: Object Not Present.

List Custom URL Categories

Lists custom URL categories with details.

READER NOTE

Virtual System Name is a required parameter to run this command.

  • Run the List Virtual Systems command to obtain Virtual System Name. Virtual System Names can be found in the returned raw data at the path $.result.entry[*].@name.

Input

Input Parameter

Required/Optional

Description

Example

Category Name

Optional

The name of the URL Category to return. The max length of the name is 31 characters. The exceeded characters will be cut off.

suspicious_group

Location

Required

The location to retrieve the tags from. Available values are Virtual System and Panorama Pushed.

Virtual System

Virtual System Name

Required

The virtual system where the custom URL categories will be retrieved from. Virtual System Name can be obtained using the List Virtual Systems command.

vsys1

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "@status": "success",
    "@code": "19",
    "result": {
        "@total-count": "1",
        "@count": "1",
        "entry": [
            {
                "@name": "suspicious_group",
                "@location": "vsys",
                "@vsys": "vsys1",
                "list": {
                    "member": [
                        "1.5.1.1",
                        "2.2.2.2",
                        "192.168.1.2",
                        "20.12.2.3",
                        "zohomail.com"
                    ]
                },
                "type": "URL List"
            }
        ]
    }
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "CategoryNames": "\"[\\\"suspicious_group\\\"]\""
}
Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

@NAME

@LOCATION

@VSYS

TYPE

LIST

BlockURLCategory123

vsys

vsys1

URL List

{'member': ['www.2.com']}

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

List Custom URL Categories failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Palo Alto Networks FireWall V10 portal. Refer to the HTTP Status Code Registry for details.

Status Code: 404.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Object Not Present.

Error Sample Data

List Custom URL Categories failed.

Status Code: 404.

Message: Object Not Present.

List Security Rules

Lists security rules with the provided filters.

READER NOTE

Virtual System Name is a required parameter to run this command.

  • Run the List Virtual Systems command to obtain Virtual System Name. Virtual System Name can be found in the returned raw data at the path $.result.entry[*].@name.

Input

Input Parameter

Required/Optional

Description

Example

Rule Name

Optional

The name of the security rule to return. The max length of the name is 63 characters. The exceeded characters will be cut off.

testBlockURLsPolicy234

Location

Required

The location to retrieve the security rules. Available values are Virtual System and Panorama Pushed.

Virtual System

Virtual System Name

Required

The virtual system where the security rules will be retrieved from. Virtual System Name can be obtained using the List Virtual Systems command.

vsys1

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "@status": "success",
    "@code": "19",
    "result": {
        "@total-count": "1",
        "@count": "1",
        "entry": [
            {
                "@name": "testBlockURLsPolicy234",
                "@uuid": "*****-*****-******-*****-******",
                "@location": "vsys",
                "@vsys": "vsys1",
                "from": {
                    "member": [
                        "D3cyberLabDmzZone"
                    ]
                },
                "to": {
                    "member": [
                        "any"
                    ]
                },
                "source": {
                    "member": [
                        "testDynamicGroup"
                    ]
                },
                "source-user": {
                    "member": [
                        "any"
                    ]
                },
                "destination": {
                    "member": [
                        "any"
                    ]
                },
                "service": {
                    "member": [
                        "service-http"
                    ]
                },
                "category": {
                    "member": [
                        "testURLcategory1"
                    ]
                },
                "application": {
                    "member": [
                        "any"
                    ]
                },
                "source-imsi": {
                    "member": [
                        "any"
                    ]
                },
                "source-imei": {
                    "member": [
                        "any"
                    ]
                },
                "source-nw-slice": {
                    "member": [
                        "any"
                    ]
                },
                "source-hip": {
                    "member": [
                        "any"
                    ]
                },
                "destination-hip": {
                    "member": [
                        "any"
                    ]
                },
                "negate-source": "no",
                "negate-destination": "no",
                "disabled": "no",
                "description": "string",
                "hip-profiles": {
                    "member": [
                        "any"
                    ]
                },
                "action": "deny",
                "icmp-unreachable": "no",
                "rule-type": "universal",
                "option": {
                    "disable-server-response-inspection": "no"
                },
                "log-start": "no",
                "log-end": "yes",
                "profile-setting": {
                    "profiles": {
                        "url-filtering": {
                            "member": [
                                "AllUrlAccessAudit"
                            ]
                        },
                        "file-blocking": {
                            "member": [
                                "basic file blocking"
                            ]
                        },
                        "virus": {
                            "member": [
                                "AV-Alert"
                            ]
                        },
                        "spyware": {
                            "member": [
                                "Spyware-Alert"
                            ]
                        },
                        "vulnerability": {
                            "member": [
                                "IPS-Alert"
                            ]
                        },
                        "wildfire-analysis": {
                            "member": [
                                "default"
                            ]
                        }
                    }
                }
            }
        ]
    }
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "RuleNames": "\"[\\\"testBlockURLsPolicy234\\\"]\""
}
Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

@NAME

@UUID

@LOCATION

@VSYS

ACTION

FROM

TO

SOURCE

DESTINATION

SERVICE

APPLICATION

DESCRIPTION

testPolicy5

*****-*****-******-*****-******

vsys

vsys1

deny

{'member': ['any']}

{'member': ['any']}

{'member': ['any']}

{'member': ['any']}

{'member': ['any']}

{'member': ['any', 'testApp1']}

The security rule testPolicy5 is for Block Applications.

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

List Security Rules failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Palo Alto Networks FireWall V10 portal. Refer to the HTTP Status Code Registry for details.

Status Code: 404.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Object Not Present.

Error Sample Data

List Security Rules failed.

Status Code: 404.

Message: Object Not Present.

List Services

Lists service objects registered in the firewall with the provided filters.

READER NOTE

Virtual System Name is a required parameter to run this command when the Location parameter is set to Virtual System or Panorama Pushed; it cannot be filled when the Location is set to Predefined.

  • Run the List Virtual Systems command to obtain Virtual System Name. Virtual System Names can be found in the returned raw data at the path $.result.entry[*].@name.

Input

Input Parameter

Required/Optional

Description

Example

Service Name

Optional

The name of the service to return. The max length of the name is 63 characters. The exceeded characters will be cut off.

service-http

Location

Required

The location to retrieve the security rules from. Available values are Virtual System, Predefined and Panorama Pushed.

Predefined

Virtual System Name

Optional

The virtual system where the tag will be retrieved from. The Virtual System Names can be obtained using the List Virtual Systems command. The parameter is required only when Location is set to Virtual System or Panorama Pushed.

vsys1

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "@status": "success",
    "@code": "19",
    "result": {
        "@total-count": "1",
        "@count": "1",
        "entry": [
            {
                "@name": "service-http",
                "@location": "predefined",
                "protocol": {
                    "tcp": {
                        "port": "80,8080"
                    }
                }
            }
        ]
    }
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "ServiceNames": "\"[\\\"service-http\\\"]\""
}
Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

@status

success

@code

19

result

{'@total-count': '1', '@count': '1', 'entry': [{'@name': 'service-http', '@location': 'predefined', 'protocol': {'tcp': {'port': '80,8080'}}}]}

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

List Services failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Palo Alto Networks FireWall V10 portal. Refer to the HTTP Status Code Registry for details.

Status Code: 404.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Object Not Present.

Error Sample Data

List Services failed.

Status Code: 404.

Message: Object Not Present.

List Tags

Lists tags in the specified Location.

READER NOTE

Virtual System Name is a required parameter to run this command when you choose the Location parameter to Virtual System; it cannot be filled when the Location parameter chooses to Panorama Pushed.

  • Run the List Virtual Systems command to obtain Virtual System Name. Virtual System Name can be found in the returned raw data at the path $.result.entry[*].@name.

Input

Input Parameter

Required/Optional

Description

Example

Tag Name

Optional

The name of the tag to return. The max length of the name is 127 characters. The exceeded characters will be cut off.

testTagPre03

Location

Required

The location to retrieve the tags from. Available values are: Virtual System, Predefined and Panorama Pushed.

Virtual System

Virtual System Name

Optional

The virtual system where the tag will be retrieved from. This parameter is required only when Location is set to Virtual System or Panorama Pushed. Virtual System Names can be obtained using the List Virtual Systems command.

vsys1

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "@status": "success",
    "@code": "19",
    "result": {
        "@total-count": "3",
        "@count": "3",
        "entry": [
            {
                "@name": "malware",
                "@location": "vsys",
                "@vsys": "vsys1",
                "color": "color1",
                "comments": "malware"
            },
            {
                "@name": "testTag01",
                "@location": "vsys",
                "@vsys": "vsys1",
                "color": "color2",
                "comments": "create test Tag in vsys1"
            },
            {
                "@name": "testTagPre02",
                "@location": "vsys",
                "@vsys": "vsys1",
                "color": "color3",
                "comments": "create test Tag02 in vsys"
            }
        ]
    }
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "TagNames": "\"[\\\"malware\\\", \\\"testTag01\\\", \\\"testTagPre02\\\"]\""
}
Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

@NAME

@LOCATION

@VSYS

COLOR

COMMENTS

testTagPre03

vsys

vsys1

color7

update tag02 and tag03 to color 7

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

List Tags failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Palo Alto Networks FireWall V10 portal. Refer to the HTTP Status Code Registry for details.

Status Code: 404.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Object Not Present.

Error Sample Data

List Tags failed.

Status Code: 404.

Message: Object Not Present.

List Virtual Systems

Lists all virtual systems. If a valid virtual system name is given, the command will return the details of the specified virtual system.

Input

Input Parameter

Required/Optional

Description

Example

Name

Optional

The name of the virtual system to return.

vsys1

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "@status": "success",
    "@code": "19",
    "result": {
        "@total-count": "1",
        "@count": "1",
        "entry": [
            {
                "@name": "vsys1",
                "import": {
                    "network": {
                        "interface": {
                            "member": [
                                "ethernet1/1",
                                "ethernet1/2",
                                "tunnel.1",
                                "tunnel.3"
                            ]
                        }
                    }
                }
            }
        ]
    }
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "VirtualSystemNames": "\"[\\\"vsys1\\\"]\""
}
Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

@NAME

IMPORT

vsys1

{'network': {'interface': {'member': ['ethernet1/1', 'ethernet1/2', 'tunnel.1', 'tunnel.3']}}}

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

List Virtual Systems failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Palo Alto Networks FireWall V10 portal. Refer to the HTTP Status Code Registry for details.

Status Code: 404.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Object Not Present.

Error Sample Data

List Virtual Systems failed.

Status Code: 404.

Message: Object Not Present.

List Zones

Lists zones with the provided filters.

READER NOTE

Virtual System Name is a required parameter to run this command.

  • Run the List Virtual Systems command to obtain the Virtual System Name. Virtual System Names can be found in the returned raw data at the path $.result.entry[*].@name.

Input

Input Parameter

Required/Optional

Description

Example

Zone Name

Optional

The name of the zone to return. The max length of the name is 31 characters. The exceeded characters will be cut off.

l3-untrust

Location

Required

The location to retrieve the tags from. Available values are Virtual System and Panorama Pushed.

Virtual System

Virtual System Name

Required

The virtual system where the zones will be retrieved from. Virtual System Names can be obtained using the List Virtual Systems command.

vsys1

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "@status": "success",
    "@code": "19",
    "result": {
        "@total-count": "1",
        "@count": "1",
        "entry": [
            {
                "@name": "l3-untrust",
                "@location": "vsys",
                "@vsys": "vsys1",
                "network": {
                    "layer3": {
                        "member": [
                            "ethernet1/1",
                            "ethernet1/2"
                        ]
                    }
                }
            }
        ]
    }
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "ZoneNames": "\"[\\\"l3-untrust\\\"]\""
}
Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

@NAME

@LOCATION

@VSYS

NETWORK

l3-untrust

vsys

vsys1

{'layer3': {'member': ['ethernet1/1', 'ethernet1/2']}}

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

List Zones failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Palo Alto Networks FireWall V10 portal. Refer to the HTTP Status Code Registry for details.

Status Code: 404.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Object Not Present.

Error Sample Data

List Zones failed.

Status Code: 404.

Message: Object Not Present.

Run Operation Commands

Runs the operation commands.

Input

Input Parameter

Required/Optional

Description

Example

Commands

Required

The name of the operation commands to run. The commands will be executed by order of input. Please check the link (<{Server URL}/php/rest/browse.php/op>) for the commands details.

["<show><app-warning><count><vsys>vsys1</vsys></count></app-warning></show>"]

Output

Raw Data

The primary response data from the API request.

D3 enriches the raw data from the original Palo Alto Networks Firewall API response by adding the "cmd" field to indicate the executed operation command.

SAMPLE DATA

JSON
[
    {
        "cmd": "vsys1",
        "response": {
            "@status": "success",
            "result": {
                "app-warnings-count": {
                    "@jobid": "*****",
                    "entry": {
                        "@vsys": "vsys1"
                    }
                }
            }
        }
    }
]
Return Data

Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.

The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

RESPONSE

CMD

{'@status': 'success', 'result': {'app-warnings-count': {'@jobid': '*****', 'entry': {'@vsys': 'vsys1'}}}}

vsys1

Error Handling

If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Run Operation Commands failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Palo Alto Networks FireWall V10 portal. Refer to the HTTP Status Code Registry for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Server Url is not valid in format.

Error Sample Data

Run Operation Commands failed.

Status Code: 403.

Message: Server Url is not valid in format.

Unblock Applications

Removes the specified applications from an existing security rule.

READER NOTE

Rule Name, Virtual System Name and Applications are required parameters to run this command.

  • Run the List Security Rules command to obtain Rule Name. Rule Names can be found in the returned raw data at the path $.result.entry[*].@name.

  • Run the List Virtual Systems command to obtain the Virtual System Name. Virtual System Names can be found in the returned raw data at the path $.result.entry[*].@name.

  • Run the List Applications command to obtain Applications. Applications can be found in the returned raw data at the path $.result.entry[*].@name.

Input

Input Parameter

Required/Optional

Description

Example

Rule Name

Required

The security rule name that applies to the application. Rule Name can be obtained using the List Security Rules command.

testPolicy5

Virtual System Name

Required

The virtual system where the security rules will be retrieved from. Virtual System Names can be obtained using the List Virtual Systems command.

vsys1

Applications

Required

The list of application names to be removed from the security rule. Applications can be obtained using the List Applications command.

["testApp1"]

Output

Raw Data

The primary response data from the API request.

D3 enriches the raw data from the original Palo Alto Networks Firewall API response by adding the "ruleName" field to indicate the name of the rule in this command.

SAMPLE DATA

JSON
{
    "ruleName": "testPolicy5",
    "@status": "success",
    "@code": "20",
    "msg": "command succeeded"
}
Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

@status

success

@code

20

msg

command succeeded

ruleName

testPolicy5

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Unblock Applications failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Palo Alto Networks FireWall V10 portal. Refer to the HTTP Status Code Registry for details.

Status Code: 401.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Please use command List Security Rules to get the valid security rules.

Error Sample Data

Unblock Applications failed.

Status Code: 401.

Message: Please use command List Security Rules to get the valid security rules.

Update Addresses

Updates the tag and description of the specified addresses.

READER NOTE

Address Names and Virtual System Name are required parameters to run this command.

  • Run the List Addresses command to obtain the Address Names. Address Names can be found in the returned raw data at the path $[*].@name.

  • Run the List Virtual Systems command to obtain the Virtual System Name. Virtual System Names can be found in the returned raw data at the path $.result.entry[*].@name.

Input parameter Tags is an optional parameter to run this command.

  • Run the List Tags command to obtain Tags. Tags can be found in the returned raw data at the path $.result.entry[*].@name.

Input

Input Parameter

Required/Optional

Description

Example

Address Names

Required

The list of address names to be updated. Address Names can be obtained using the List Addresses command.

["testAddress10"]

Virtual System Name

Required

The virtual system where the address will be updated. Virtual System Names can be obtained using the List Virtual Systems command.

vsys1

Description

Optional

The description to update the specified addresses with. The max length of the description is 1023 characters. The exceeded characters will be cut off.

New description for the addresses

Tags

Optional

The tag names to set to the specified addresses. Tags can be obtained using the List Tags command with the Location set to Virtual System.

["malware", "testTag01"]

Is Replace Tags

Required

If the value selected is True, then the new tags will replace existing tags of the addresses. If False is selected, the input tags will be appended to the addresses.

False

Output

Raw Data

The primary response data from the API request.

D3 enriches the raw data from the original Palo Alto Networks Firewall API response by adding the "addressName" field to indicate the name of the addresses being updated.

SAMPLE DATA

JSON
[
    {
        "addressName": "block-21.1.1.1",
        "code": 5,
        "message": "Object Not Present",
        "details": [
            {
                "@type": "CauseInfo",
                "causes": [
                    {
                        "code": 7,
                        "module": "panui_mgmt",
                        "description": "Object Not Present: No object to edit."
                    }
                ]
            }
        ]
    },
    {
        "addressName": "testAddress10",
        "@status": "success",
        "@code": "20",
        "msg": "command succeeded"
    }
]
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "AddressNames": "\"[\\\"testAddress10\\\"]\""
}
Return Data

Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.

The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

@STATUS

@CODE

MSG

ADDRESSNAME

success

20

command succeeded

testAddress14

Error Handling

If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Update Addresses failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Palo Alto Networks FireWall V10 portal. Refer to the HTTP Status Code Registry for details.

Status Code: 404.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Object Not Present.

Error Sample Data

Update Addresses failed.

Status Code: 404.

Message: Object Not Present.

Update Address Groups

Updates address groups with the given parameters. When executing, the group type and group objects will be overwritten by the given values.

READER NOTE

Address Group Names, Virtual System Name and Group Object are required parameters to run this command.

  • Run the List Address Group command to obtain the Address Group Names. Address Group Names can be found from the returned raw data at the path $.result.entry[*].@name.

  • When configuring the Group Type parameter as Dynamic, tags should be specified in the Group Objects parameter for address filtering.

    • Run the List Tags command to obtain Tags. Tags can be found in the returned raw data at the path $.result.entry[*].@name.

  • Run the List Virtual Systems command to obtain the Virtual System Name. Virtual System Name can be found in the returned raw data at the path $.result.entry[*].@name.

Input parameter Tags is an optional parameter to run this command.

  • Run the List Tags command to obtain Tags. Tags can be found in the returned raw data at the path $.result.entry[*].@name.

Input

Input Parameter

Required/Optional

Description

Example

Address Group Names

Required

The names of the address groups to be updated. Address Group Names can be obtained using the List Address Group command.

["testDynamicGroup"]

Virtual System Name

Required

The virtual system where the address group will be updated. Virtual System Names can be obtained using the List Virtual Systems command.

vsys1

Group Type

Required

The group type of the address group to be updated. Available values are Static or Dynamic.

Dynamic

Group Objects

Required

The objects to be set to the group. When the Group Type is Static, then the group objects are a string of address names separated with commas. Ex. address1, address2 … When the Group Type is Dynamic, the group object is a filter string to filter the addresses based on the tags. The syntax for the dynamic group is 'Tag1' and/or 'Tag2'…". Each tag name must be quoted by a pair of single quotations. Tags can be obtained using the List Tags command.

malware' or 'testTagPre03'

Action

Required

The action operation for the group objects. The available values are: Add, Replace, Remove. Operation Add will append the new objects to the group. Operation Replace will replace the existing objects in the group. Operation Remove will remove the objects from the group.

Add

Tags

Optional

The tags that will be set to the specified address group. Tags can be obtained using the List Tags command.

["malware", "testTag01"]

Is Replace Tags

Required

If this is set to True, then the new tags will replace existing tags of the address groups. If False is selected, the input tags will be appended to the address groups.

False

Description

Optional

The description to update the specified address groups with. The max length of the description is 1023 characters. The exceeded characters will be cut off.

Incident1

Output

Raw Data

The primary response data from the API request.

D3 enriches the raw data from the original Palo Alto Networks Firewall API response by adding the "addressGroupName" field to indicate the name of the address groups being updated.

SAMPLE DATA

JSON
[
    {
        "addressGroupName": "testDynamicGroup",
        "@status": "success",
        "@code": "20",
        "msg": "command succeeded"
    }
]
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "AddressGroupNames": "\"[\\\"testDynamicGroup\\\"]\""
}
Return Data

Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.

The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

@STATUS

@CODE

MSG

ADDRESSGROUPNAME

success

20

command succeeded

testDynamicGroup62

Error Handling

If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Update Address Groups failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Palo Alto Networks FireWall V10 portal. Refer to the HTTP Status Code Registry for details.

Status Code: 404.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Object Not Present.

Error Sample Data

Update Address Groups failed.

Status Code: 404.

Message: Object Not Present.

Update Custom URL Categories

Updates the description and URLs of the specified URL categories.

READER NOTE

Category Names and Virtual System Name are required parameters to run this command.

  • Run the List Custom URL Categories command to obtain the Category Names. Category Names can be found from the returned raw data at the path $.result.entry[*].@name.

  • Run the List Virtual Systems command to obtain the Virtual System Name. Virtual System Names can be found in the returned raw data at the path $.result.entry[*].@name.

Input

Input Parameter

Required/Optional

Description

Example

Category Names

Required

The list of URL category names to be updated. Category Names can be obtained using the List Custom URL Categories command.

["suspicious_group"]

Virtual System Name

Required

The virtual system where the address will be updated. Virtual System Names can be obtained using the List Virtual Systems command.

vsys1

Description

Optional

The description to update the specified categories with. The max length of the description is 255 characters. The exceeded characters will be cut off.

New URL appended.

URLs

Optional

The URLs to set to the specified category.

["www.1.com"]

Action

Required

The action operation for the category. The available values are: Add, Replace, Remove. Operation Add will append the new URLs to the categories. Operation Replace will replace the existing URLs of the categories. Operation Remove will remove the URLs from the categories.

Add

Output

Raw Data

The primary response data from the API request.

D3 enriches the raw data from the original Palo Alto Networks Firewall API response by adding the "categoryName" field to indicate the name of the categories being updated.

SAMPLE DATA

JSON
[
    {
        "categoryName": "suspicious_group",
        "@status": "success",
        "@code": "20",
        "msg": "command succeeded"
    }
]
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "CategoryNames": "\"[\\\"suspicious_group\\\"]\""
}
Return Data

Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.

The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

@STATUS

@CODE

MSG

CATEGORYNAME

success

20

command succeeded

testURLcategory2

Error Handling

If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Update Custom URL Categories failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Palo Alto Networks FireWall V10 portal. Refer to the HTTP Status Code Registry for details.

Status Code: 404.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Object Not Present.

Error Sample Data

Update Custom URL Categories failed.

Status Code: 404.

Message: Object Not Present.

Update Security Rule

Updates a security rule with the provided configurations.

READER NOTE

  • Rule Name and Virtual System Name are required parameters to run this command.

    • Run the List Security Rules command to obtain Rule Name. Rule Names can be found in the returned raw data at the path $.result.entry[*].@name.

    • Run the List Virtual Systems command to obtain the Virtual System Name. Virtual System Names can be found in the returned raw data at the path $.result.entry[*].@name.

  • Source Zones, Destination Zones, Source Addresses, Destination Addresses, Services, Applications and Categories are optional parameters to run this command.

    • Run the List Zones command to obtain Source Zones and Destination Zones. Choose a Zone Name to define Source Zones and Destination Zones. Zone Name can be found in the returned raw data at the path $.result.entry[*].@name.

    • Run the List Addresses command if you want to input Addresses to Source Addresses and Destination Addresses parameters. Addresses can be found in the returned raw data at the path $[*].@name. Run the List Address Groups command if you want to input the Address Group name to Source Addresses and Destination Addresses parameters. Address Groups can be found in the returned raw data at the path $.result.entry[*].@name.

    • Run the List Services command to obtain the Services. Services can be found in the returned raw data at the path $.result.entry[*].@name.

    • Run the List Applications command to obtain the Applications. Applications can be found in the returned raw data at the path $.result.entry[*].@name.

    • Run the List Custom URL Categories command to obtain the Categories. Categories can be found in the returned raw data at the path $.result.entry[*].@name.

  • The Update Action parameter is set to Add by default. Please note that this parameter will affect how your security rule is updated.

    • Add: New objects will be appended to the original rule fields. For instance, if the original source zone is "Zone1" and you input a new value of "Zone2", the security rule's source zone will be changed to ["Zone1", "Zone2"]. However, for the Action input parameter, the new value will replace the original value. For the Description and Rule Type input parameters, the original value will be replaced with the new value. The original value will remain unchanged if you don't input any value. Please note that it is only possible to perform the add operation on text array type parameters.

    • Replace: The original rule settings will be replaced with the new values specified for all parameters.

    • Remove: The original values will be removed from a field. However, the input value must match the original value to be removed. For example, if the original source zone is ["Zone1", "Zone2"], and you input a value of "Zone2", the security rule's source zone will be changed to "Zone1". Please note that it is only possible to perform the remove operation on text array type parameters.

Input

Input Parameter

Required/Optional

Description

Example

Rule Name

Required

The name of the security rule to update. Rule names can be obtained using the List Security Rules command.

testPolicy3

Virtual System Name

Required

The virtual system where the security rule will be updated. Virtual System Names can be obtained using the List Virtual Systems command.

vsys1

Description

Optional

The description to update the security rule with. The max length of the description is 1024 characters. The exceeded characters will be cut off.

A new security rule was added.

Action

Required

The action for the security rule. Available values are Allow, Deny and Drop.

Deny

Source Zones

Optional

The zone name list to be added to the security rule as the source. Zone names can be obtained using the List Zones command.

["D3cyberLabDmzZone"]

Destination Zones

Optional

The zone name list to be added to the security rule as the destination. Zone names can be obtained using the List Zones command.

["l3-untrust"]

Source Addresses

Optional

The address name/address group name list to be added to the security rule as the source address. The address/group names can be obtained using the List Addresses or List Address Groups command.

["testDynamicGroup2", "suspiciousip1"]

Destination Addresses

Optional

The address name/address group name list to be added to the security rule as the destination address. The address/group names can be obtained using the List Addresses or List Address Groups command.

["suspicious_group", "suspiciousurl3"]

Source Users

Optional

The user name list to be added to the security rule. The user names can be found in the GUI DEVICE > Local User Database > Users.

["demo"]

Services

Optional

The service name list to be added to the security rule. Service names can be obtained using the List Services command.

["service-http"]

Applications

Optional

The application name list to be added to the security rule. The address/group names can be obtained using the List Applications command.

["100bao"]

Categories

Optional

The URL category name list to be added to the security rule. Category names can be obtained using the List Custom URL Categories command.

["testURLcategory1"]

Profile Setting

Optional

The profile settings for the security rule. It could be one of the profiles or group objects. For the detailed syntax please refer to the API document: <{Server URL}/restapi-doc/#tag/policies-security-rules/paths/~1restapi~1v10.0~1Policies~1SecurityRules/post>.

The Group Object Sample:

{

"group": {

"member": [

"Threats_Prevention"

]

}

}

The Profiles Object Sample:

{

"profiles": {

"url-filtering": {

"member": [

"AllUrlAccessAudit"

]

},

"data-filtering": {

"member": [

"default"

]

},

"file-blocking": {

"member": [

"basic file blocking"

]

},

"virus": {

"member": [

"AV-Alert"

]

},

"spyware": {

"member": [

"Spyware-Alert"

]

},

"vulnerability": {

"member": [

"IPS-Alert"

]

},

"wildfire-analysis": {

"member": [

"default"

],

"gtp": {

"member": [

"default"

],

"sctp": {

"member": [

"default"

]

}

}

}

Rule Type

Optional

The type of the security rule. The available rule types are Universal, Intrazone and Interzone.

Universal

Update Action

Optional

The operation to update the security rule. The available update actions are Add, Replace, and Remove. "Add" will append the new objects to the security rule. "Replace" will replace the existing objects in the security rule. "Remove" will remove the objects from the security rule. The default update action is Add. Please refer to the corresponding section in the D3 SOAR user guide for more in-depth information about each action.

Add

Output

Raw Data

The primary response data from the API request.

D3 enriches the raw data from the original Palo Alto Networks Firewall API response by adding the "ruleName" field to indicate the name of the rule being updated.

SAMPLE DATA

JSON
{
    "ruleName": "testPolicy3",
    "@status": "success",
    "@code": "20",
    "msg": "command succeeded"
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "RuleName": "\"testPolicy3\""
}
Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

@status

success

@code

20

msg

command succeeded

ruleName

testPolicy15

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Update Security Rule failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Palo Alto Networks FireWall V10 portal. Refer to the HTTP Status Code Registry for details.

Status Code: 404.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Object Not Present.

Error Sample Data

Update Security Rule failed.

Status Code: 404.

Message: Object Not Present.

Update Tags

Updates the specified tags with the provided values.

READER NOTE

Tag Names and Virtual System Name are required parameters to run this command.

  • Run the List Tags command to obtain Tag Names. Tag Names can be found in the returned raw data at the path $.result.entry[*].@name.

  • Run the List Virtual Systems command to obtain Virtual System Name. Virtual System Name can be found in the returned raw data at the path $.result.entry[*].@name.

Input

Input Parameter

Required/Optional

Description

Example

Tag Names

Required

The list of tag names to be updated. Tag Names can be obtained using the List Tags command.

["testTagPre03"]

Virtual System Name

Required

The virtual system where the tags will be updated. Virtual System Names can be obtained using the List Virtual Systems command.

vsys1

Color

Optional

The color to apply to the tags.

Color6

Comments

Optional

The comments to add to the tags. The max length of the comment is 1023 characters. The exceeded characters will be cut off.

A new sample tag in virtual system.

Output

Raw Data

The primary response data from the API request.

D3 enriches the raw data from the original Palo Alto Networks Firewall API response by adding the "tagName" field to indicate the name of the tag names being updated.

SAMPLE DATA

JSON
[
    {
        "tagName": "testTag01",
        "@status": "success",
        "@code": "20",
        "msg": "command succeeded"
    }
]
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "TagNames": "\"[\\\"testTag01\\\"]\"",
    "VirtualSystemName": "\"vsys1\""
}
Return Data

Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.

The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

@STATUS

@CODE

MSG

TAGNAME

success

20

command succeeded

testTagPre03

Error Handling

If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Update Tags failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Palo Alto Networks FireWall V10 portal. Refer to the HTTP Status Code Registry for details.

Status Code: 404.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Object Not Present.

Error Sample Data

Update Tags failed.

Status Code: 404.

Message: Object Not Present.

Test Connection

Allows you to perform a health check on an integration connection. You can schedule a periodic health check by selecting Connection Health Check when editing an integration connection.

Input

N/A

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

SAMPLE DATA

CODE
Successful

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Test Connection failed. Failed to check the connector.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Palo Alto Networks FireWall V10 portal. Refer to the HTTP Status Code Registry for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Server Url is not valid in format.

Error Sample Data

Test Connection failed. Failed to check the connector.

Status Code: 400.

Message: Server Url is not valid in format.

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.