Palo Alto Networks PAN-OS

LAST UPDATED: AUGUST 18, 2025

Overview

This integration facilitates the management of both Palo Alto Networks Firewall and Palo Alto Networks Panorama.

D3 SOAR provides REST operations for working with Palo Alto Networks PAN-OS.

Palo Alto Networks PAN-OS is available for use in:

  • D3 SOAR: V16.8.0+

  • Category: Network Security

  • Deployment Options: Option I, Option III

Connection

To connect to Palo Alto Networks PAN-OS from D3 SOAR, collect the information below (parameter: description; example):

  • Instance Type: The type of system or instance with which the connection will interface. Example: Firewall

  • Server URL: The server URL of the Palo Alto Networks Firewall or Panorama. Example: https://***.***.***.***

  • Username: The user name for generating the API Key. Example: admin

  • Password: The password for generating the API Key. Example: *****

  • API Key: The API key for authenticating the connection. Example: *****

  • API Version: The API version for the integration. Example: v11.0

Permission Requirements

Each endpoint in the Palo Alto Networks PAN-OS API requires a certain permission scope. The following are the required scopes for the commands in this integration:

Command: Required Permissions (Built-in Roles)

  • Create EDL
      Firewall: Device administrator
      Panorama: Panorama administrator

  • Delete EDLs
      Firewall: Device administrator
      Panorama: Panorama administrator

  • Get EDL Entries
      Firewall: Device administrator (read-only)
      Panorama: Panorama administrator

  • Global Find EDL Source
      Firewall: Device administrator (read-only)

  • List Device Groups - Panorama
      Panorama: Panorama administrator

  • List EDLs
      Firewall: Device administrator (read-only)
      Panorama: Panorama administrator

  • List Virtual Systems - Firewall
      Firewall: Device administrator (read-only)

  • Update EDL
      Firewall: Device administrator
      Panorama: Panorama administrator

  • Test Connection
      Firewall: Device administrator (read-only)
      Panorama: Panorama administrator

Because Palo Alto Networks PAN-OS uses role-based access control (RBAC), the API Key is generated for a specific user account, so the command permissions are inherited from that account's role. Assign the user a role in the Palo Alto Networks PAN-OS console that covers each command in this integration.

READER NOTE

For more information on Palo Alto Networks PAN-OS's RBAC, refer to Administrative Role Types for Firewall and Panorama Administrator's Guide for Panorama.

Configuring Palo Alto Networks PAN-OS to Work with D3 SOAR

  1. Log in to the Palo Alto Networks PAN-OS interface for both the Firewall and Panorama instance types. It is recommended to open two separate windows, one for each instance type, for easier navigation and comparison.

  2. Add an administrator. This example applies to the Firewall instance type. However, the same steps also apply to the Panorama instance type unless otherwise specified.

    1. Click on the DEVICE tab for the Firewall instance or the PANORAMA tab for the Panorama instance.

    2. Click on the Administrators menu item.

    3. Click on the + Add button at the bottom.

  3. Input the following information.

    1. Enter a username. Refer to step 3.9.3 (System > Username) of the Configuring D3 SOAR to Work with Palo Alto Networks PAN-OS section.

    2. Enter a password. Refer to step 3.9.4 (System > Password) of the Configuring D3 SOAR to Work with Palo Alto Networks PAN-OS section.

    3. Select the Superuser role, under Administrator Type for the Firewall instance or under Admin Role for the Panorama instance.

      Only the Superuser can configure other roles using the same dropdown menu.

    4. Click on the OK button.

READER NOTE

  • Only a Superuser can perform unrestricted configurations, including the ability to add or remove users.

  • If some roles listed in the Permissions Requirements section are not visible, ensure the correct window is open for the corresponding instance type. For example, the Panorama Administrator role is available only in the Panorama instance.

Configuring D3 SOAR to Work with Palo Alto Networks PAN-OS

  1. Log in to D3 SOAR.

  2. Find the Palo Alto Networks PAN-OS integration.

    1. Navigate to Configuration on the top header menu.

    2. Click on the Integration icon on the left sidebar.

    3. Type Palo Alto Networks PAN-OS in the search box to find the integration, then click it to select it.

    4. Click on the + Connection button on the right side of the Connections section. A new connection window will appear.

  3. Configure the following fields to create a connection to Palo Alto Networks PAN-OS.

    1. Connection Name: The desired name for the connection.

    2. Site: Specifies the site to use the integration connection. Use the drop-down menu to select the site. The Share to Internal Sites option enables all sites defined as internal sites to use the connection. Selecting a specific site will only enable that site to use the connection.

    3. Recipient site for events from connections Shared to Internal Sites: This field appears if you selected Share to Internal Sites for Site; use it to select the internal site on which to deploy the integration connection.

    4. Agent Name (Optional): Specifies the proxy agent required to build the connection. Use the dropdown menu to select the proxy agent from a list of previously configured proxy agents.

    5. Description (Optional): Add your desired description for the connection.

    6. Tenant (Optional): When configuring the connection from a master tenant site, you have the option to choose the specific tenant sites you want to share the connection with. Once you enable this setting, you can filter and select the desired tenant sites from the dropdowns to share the connection.

    7. Configure User Permissions: Defines which users have access to the connection.

    8. Active: Check the checkbox to ensure the connection is available for use.

    9. System: This section contains the parameters defined specifically for the integration. These parameters must be configured to create the integration connection.

      1. Input the Instance Type (Firewall or Panorama). The default value is Firewall.

      2. Input the Server URL.

      3. Input the Username set in step 3.1 of the Configuring Palo Alto Networks PAN-OS to Work with D3 SOAR section.

      4. Input the Password set in step 3.2 of the Configuring Palo Alto Networks PAN-OS to Work with D3 SOAR section.

      5. The API Key is generated automatically when the connection is tested (the Username and Password must be supplied). When editing an existing connection with a different username and password, clear the API Key field so that it is regenerated automatically.

      6. Input the API Version. The default value is 11.0.

    10. Enable Password Vault: An optional feature that allows users to take the stored credentials from their own password vault. Refer to the password vault connection guide if needed.

    11. Connection Health Check: Periodically updates the status of the connection you have created. A connection health check is done by scheduling the Test Connection command of this integration. This can only be done when the connection is active.

      To set up a connection health check, check the Connection Health Check tick box. You can customize the interval (minutes) for scheduling the health check. An email notification can be set up after a specified number of failed connection attempts.

  4. Test the connection.

    1. Click Test Connection to verify the account credentials and network connection. If the Test Connection Passed alert window appears, the test connection is successful. You will see Passed with a green check mark appear beside the Test Connection button. If the test connection fails, check your connection parameters and try again.

    2. Click OK to close the alert window.

    3. Click + Add to create and add the configured connection.

Commands

Palo Alto Networks PAN-OS includes the following executable commands for users to set up schedules or create playbook workflows. With the Test Command, you can execute these commands independently for playbook troubleshooting.

Integration API Note

For more information about the Palo Alto Networks PAN-OS API, refer to the Palo Alto Networks PAN-OS API reference.

READER NOTE

Certain permissions are required for each command. Refer to the Permission Requirements and Configuring Palo Alto Networks PAN-OS to Work with D3 SOAR sections for details.

Block Domains By Adding To Address Group

Blocks specified domains (FQDNs) by adding them to the specified address group configured to be blocked in a security rule. The command commits the changes. For Panorama, the command does not push the configuration to the firewalls. To do so, the "Push To Devices" command must be run. The FQDN address objects will be created in the same location as the address group. For example, in a Panorama instance with a Shared location, the FQDN address objects will be generated in Shared.

READER NOTE

Device Group Name and Virtual System Name are optional parameters to run this command.

  • Run the List Device Groups command to obtain the Device Group Name. Device Group Names can be found in the raw data at $.result.entry[*]['@name'].

  • Run the List Virtual Systems command to obtain the Virtual System Name. Virtual System Names can be found in the raw data at $.result.entry[*]['@name'].

Address Group Name is a required parameter to run this command.

  • Run the List Address Groups command to obtain the Address Group Name. Address Group Names can be found in the raw data at $.result.entry[*]['@name'].

Input

Input Parameter (Required/Optional): Description. Example

  • Location (Optional): The location of the address group. The parameter applies only to Panorama; for a Firewall instance, the location is set to "Virtual System". Valid options are Device Group and Shared. By default, the value is Device Group. The FQDN address objects will be created in the same location as the address group. Example: Device Group

  • Device Group Name (Optional): The device group name in which to update the address group. The parameter applies only to Panorama and is mandatory when the location is set to Device Group. Device Group Names can be obtained using the List Device Groups command. Example: D3DeviceGroup

  • Virtual System Name (Optional): The virtual system name in which to update the address group. The parameter applies only to a Firewall instance and is mandatory for a Firewall instance. Virtual System Names can be obtained using the List Virtual Systems command. Example: vsys1

  • Domains (Optional): The domains (FQDNs) to block. Example (JSON): [ "malicious_domain.com" ]

  • Address Group Name (Optional): The name of the address group configured to be blocked. Address Group Names can be obtained using the List Address Groups command. Example: Suspicious_group

Output

To view the sample output data for all commands, refer to this article.

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The error tab contains the details returned by D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error: Description. Example

  • Failure Indicator: Indicates the command failure that happened at a specific input and/or API call. Example: Block Domains By Adding To Address Group failed.

  • Status Code: The response code issued by the third-party API server or the D3 SOAR system, used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command; the user or system support would need to check the permission setting in the Palo Alto Networks PAN-OS portal. Refer to the HTTP Status Code Registry for details. Example: Status Code: 400.

  • Message: The raw data or captured key error message from the integration API server about the API request failure. Example: Message: Bad request.

Error Sample Data

Block Domains By Adding To Address Group failed.

Status Code: 400.

Message: Bad request.

Commit Configuration

Commits a candidate configuration to the Firewall or Panorama. The command commits the changes but does not push the configuration to the firewalls through Panorama. To push the configuration, run the "Push To Devices" command.

Input

Input Parameter (Required/Optional): Description. Example

  • Validate Mode (Optional): If set to True, the command validates the configuration changes without applying them. This functions as a pre-commit check to confirm the configuration is correct without making changes. By default, the value is False. Example: False

  • Force Commit (Optional): The option to perform a force commit. This does not apply in validate mode. Example: True

  • Admin Name (Optional): The administrator name used to perform or validate a partial commit of that administrator's changes on a firewall. Example: D3Admin

  • Exclude Device and Network (Optional): The option to perform or validate a partial commit while excluding device and network configurations. Example: True

  • Exclude Shared Objects (Optional): The option to perform or validate a partial commit while excluding the shared objects configuration. Example: False

  • Await Completion (Optional): If set to True, the command polls the status of the commit job until it completes and returns the detailed job information when finished. If set to False, the command immediately returns the initial job details. The timeout is 120 seconds. Example: True

Output

To view the sample output data for all commands, refer to this article.

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The error tab contains the details returned by D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error: Description. Example

  • Failure Indicator: Indicates the command failure that happened at a specific input and/or API call. Example: Commit Configuration failed.

  • Status Code: The response code issued by the third-party API server or the D3 SOAR system, used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command; the user or system support would need to check the permission setting in the Palo Alto Networks PAN-OS portal. Refer to the HTTP Status Code Registry for details. Example: Status Code: 400.

  • Message: The raw data or captured key error message from the integration API server about the API request failure. Example: Message: Bad Request

Error Sample Data

Commit Configuration failed.

Status Code: 400.

Message: Bad Request

Create Custom URL Category

Creates a custom URL category.

READER NOTE

Device Group Name and Virtual System Name are optional parameters to run this command.

  • Run the List Device Groups command to obtain the Device Group Name. Device Group Names can be found in the raw data at $.result.entry[*]['@name'].

  • Run the List Virtual Systems command to obtain the Virtual System Name. Virtual System Names can be found in the raw data at $.result.entry[*]['@name'].

Input

Input Parameter (Required/Optional): Description. Example

  • Location (Optional): The location of the custom URL category. The parameter applies only to Panorama. Valid options are Device Group and Shared. By default, the value for Panorama is "Device Group". Example: Device Group

  • Device Group Name (Optional): The device group name in which to create custom URL categories. The parameter applies only to Panorama and is mandatory when the location is set to Device Group. Device Group Name can be obtained using the List Device Groups command. Example: D3DeviceGroup

  • Virtual System Name (Optional): The virtual system name in which to create a custom URL category. The parameter applies only to a Firewall instance and is mandatory for a Firewall instance. Virtual System Names can be obtained using the List Virtual Systems command. Example: vsys1

  • Category Name (Required): The name of the custom URL category to create. The maximum length is 63 characters. Example: suspicious_URL-IP

  • Description (Optional): The description of the custom URL category. The maximum length is 1023 characters. Example: A new custom URL category was added.

  • URLs (Optional): The URLs for the category. Example (JSON): ["www.test33.net"]

  • Category Type (Optional): The type of the custom URL category. By default, the value is "URL List". Example: URL List

Output

To view the sample output data for all commands, refer to this article.

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The error tab contains the details returned by D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error: Description. Example

  • Failure Indicator: Indicates the command failure that happened at a specific input and/or API call. Example: Create Custom URL Category failed.

  • Status Code: The response code issued by the third-party API server or the D3 SOAR system, used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command; the user or system support would need to check the permission setting in the Palo Alto Networks PAN-OS portal. Refer to the HTTP Status Code Registry for details. Example: Status Code: 400.

  • Message: The raw data or captured key error message from the integration API server about the API request failure. Example: Message: Bad Request

Error Sample Data

Create Custom URL Category failed.

Status Code: 400.

Message: Bad Request

Create EDL

Creates an External Dynamic List (EDL).

READER NOTE

Device Group Name and Virtual System Name are parameters used to run this command.

  • Run the List Device Groups - Panorama command to obtain the Device Group Name. Device Group Names can be found in the raw data at the path $.result.entry[*].@name.

  • Run the List Virtual Systems - Firewall command to obtain the Virtual System Name. Virtual System Names can be found in the raw data at the path $.result.entry[*].@name.

Input

Input Parameter (Required/Optional): Description. Example

  • Location (Optional): The location in which to create the EDL. This parameter is used only for the Panorama instance. Available options are Device Group and Shared. By default, the value is Device Group. For the Firewall instance, the value is fixed to Virtual System; this value is not visible in the dropdown. Example: Device Group

  • Device Group Name (Optional): The name of the device group in which to create the EDL. This parameter is used only for the Panorama instance and is mandatory only when the location is set to Device Group. Device Group Name can be obtained using the List Device Groups - Panorama command. Example: D3DeviceGroup

  • Virtual System Name (Optional): The name of the virtual system in which to create the EDL. This parameter is used only for the Firewall instance, where it is mandatory. Virtual System Name can be obtained using the List Virtual Systems - Firewall command. Example: vsys1

  • EDL Name (Required): The name of the EDL to create. The maximum length is 63 characters. Example: api url EDL 916b

  • EDL Type (Required): The type of EDL to create. Available options are Domain, IP, URL, Subscriber Identity List, Equipment Identity List, Predefined IP, and Predefined URL. Example: URL

  • Source URL (Required): The source URL from which to pull the EDL. For the Predefined IP and Predefined URL EDL types, enter the EDL source name instead; for example, "panw-highrisk-ip-list" is a valid value. Example: https://*****.*****

  • Recurring (Optional): The interval at which the firewall checks the source for EDL updates. This parameter does not apply to the Predefined IP and Predefined URL EDL types. Available options are Five Minute, Hourly, Daily, Weekly, and Monthly. By default, the value is Hourly for the URL and Domain EDL types and Five Minute for the IP, Subscriber Identity List, and Equipment Identity List EDL types. Example: Daily

  • Detailed Time (Optional): The time at which the firewall checks for EDL updates, in JSON format. This parameter applies only if the Recurring parameter is set to Daily, Weekly, or Monthly. For example:
      • Daily: To check for EDL updates at 8 AM every day, input { "at": "08" } and select Daily for the Recurring parameter.
      • Weekly: To check for EDL updates at 11 PM every Sunday, input { "day-of-week": "sunday", "at": "23" } and select Weekly for the Recurring parameter.
      • Monthly: To check for EDL updates at 10 AM on the 15th day of every month, input { "day-of-month": "15", "at": "10" } and select Monthly for the Recurring parameter.
    Example (JSON): { "at":"08" }

  • Description (Optional): The description of the EDL. The maximum length is 255 characters. Example: test desc api url EDL 916d

  • Certificate Profile (Optional): The name of a previously uploaded certificate profile for the EDL URL. This parameter does not apply to the Predefined IP and Predefined URL EDL types. Example: None

  • Exception List (Optional): The exception entries for the EDL. Example (JSON): [ "www.test.com/home.html" ]

  • Expand Domain (Optional): This parameter applies only if the EDL Type is set to Domain. If set to Yes, the firewall automatically expands each domain entry to include its subdomains. By default, the value is No. Example: Yes
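The scheduling rules above (the Recurring default per EDL type, and the Detailed Time keys for Daily, Weekly and Monthly) are easy to get wrong in a playbook before the API call is ever made. The following is an added example, not code from the D3 SOAR integration: it checks a Create EDL schedule offline, and the value-range checks for the hour, weekday and day of month are assumptions about what the firewall accepts.

```python
"""Pre-validate the Create EDL scheduling parameters (Recurring and Detailed Time).

Added example, not code from the D3 SOAR integration. It encodes the rules
stated in the parameter table: Recurring does not apply to the Predefined IP
and Predefined URL types; the default interval is Hourly for URL and Domain
lists and Five Minute for IP, Subscriber Identity List and Equipment Identity
List; Detailed Time applies only to Daily, Weekly and Monthly schedules and
uses the keys "at", "day-of-week" and "day-of-month" shown in the examples.
The value-range checks (hour 00..23, weekday names, day 1..31) are
assumptions about what the firewall accepts, not statements from the page.
"""
import json
from typing import Optional

PREDEFINED_TYPES = {"Predefined IP", "Predefined URL"}
DEFAULT_RECURRING = {
    "URL": "Hourly",
    "Domain": "Hourly",
    "IP": "Five Minute",
    "Subscriber Identity List": "Five Minute",
    "Equipment Identity List": "Five Minute",
}
RECURRING_OPTIONS = {"Five Minute", "Hourly", "Daily", "Weekly", "Monthly"}
# Keys each detailed schedule must carry, per the page's examples.
DETAILED_KEYS = {
    "Daily": {"at"},
    "Weekly": {"day-of-week", "at"},
    "Monthly": {"day-of-month", "at"},
}
DAYS_OF_WEEK = {"sunday", "monday", "tuesday", "wednesday",
                "thursday", "friday", "saturday"}


def _digits_in_range(value: object, low: int, high: int) -> bool:
    """Assumption: hours and days are short digit strings such as "08" or "15"."""
    return (isinstance(value, str) and 1 <= len(value) <= 2
            and value.isdigit() and low <= int(value) <= high)


def build_edl_schedule(edl_type: str, recurring: Optional[str] = None,
                       detailed_time: Optional[str] = None) -> dict:
    """Return the effective schedule {"recurring": ..., "detailed": ...} or raise ValueError."""
    if edl_type in PREDEFINED_TYPES:
        if recurring or detailed_time:
            raise ValueError(f"Recurring and Detailed Time do not apply to {edl_type}")
        return {"recurring": None, "detailed": None}
    if edl_type not in DEFAULT_RECURRING:
        raise ValueError(f"unknown EDL Type {edl_type!r}")

    interval = recurring or DEFAULT_RECURRING[edl_type]
    if interval not in RECURRING_OPTIONS:
        raise ValueError(f"unknown Recurring value {interval!r}")

    if interval not in DETAILED_KEYS:
        # Five Minute and Hourly take no Detailed Time; a value here would be silently
        # ignored by the command, so treat it as a misconfiguration (stricter than the page).
        if detailed_time:
            raise ValueError(f"Detailed Time does not apply when Recurring is {interval}")
        return {"recurring": interval, "detailed": None}

    if detailed_time is None:
        # The page gives no default time for Daily/Weekly/Monthly; leave that to the firewall.
        return {"recurring": interval, "detailed": None}
    try:
        detailed = json.loads(detailed_time)
    except json.JSONDecodeError as exc:
        raise ValueError(f"Detailed Time is not valid JSON: {exc}") from None
    if not isinstance(detailed, dict):
        raise ValueError("Detailed Time must be a JSON object")
    if set(detailed) != DETAILED_KEYS[interval]:
        raise ValueError(f"{interval} schedule needs keys {sorted(DETAILED_KEYS[interval])}, "
                         f"got {sorted(detailed)}")
    if not _digits_in_range(detailed["at"], 0, 23):
        raise ValueError('"at" must be an hour from "00" to "23"')
    if interval == "Weekly" and str(detailed["day-of-week"]).lower() not in DAYS_OF_WEEK:
        raise ValueError('"day-of-week" must be a weekday name such as "sunday"')
    if interval == "Monthly" and not _digits_in_range(detailed["day-of-month"], 1, 31):
        raise ValueError('"day-of-month" must be a day from "1" to "31"')
    return {"recurring": interval, "detailed": detailed}


def schedule_problem(edl_type: str, recurring: Optional[str] = None,
                     detailed_time: Optional[str] = None) -> Optional[str]:
    """Playbook-friendly wrapper: the error message, or None when the inputs are valid."""
    try:
        build_edl_schedule(edl_type, recurring, detailed_time)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # Constructed inputs mirroring the examples in the parameter table.
    print(build_edl_schedule("URL"))
    print(build_edl_schedule("Domain", "Daily", '{ "at":"08" }'))
    print(schedule_problem("IP", "Monthly", '{ "at": "10" }'))
```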

Output

To view the sample output data for all commands, refer to this article.

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The error tab contains the details returned by D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error: Description. Example

  • Failure Indicator: Indicates the command failure that happened at a specific input and/or API call. Example: Create EDL failed.

  • Status Code: The response code issued by the third-party API server or the D3 SOAR system, used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command; the user or system support would need to check the permission setting in the Palo Alto Networks PAN-OS portal. Refer to the HTTP Status Code Registry for details. Example: Status Code: 400.

  • Message: The raw data or captured key error message from the integration API server about the API request failure. Example: Message: The input parameter 'Device Group Name' is required when the location is 'Device Group'.

Error Sample Data

Create EDL failed.

Status Code: 400.

Message: The input parameter 'Device Group Name' is required when the location is 'Device Group'.

Create Security Rule

Creates a security policy rule with the provided configurations. A security rule that references URL categories or address groups lets you block or unblock addresses dynamically by changing the category or group membership, without editing the rule itself.

READER NOTE

Device Group Name, Virtual System Name, Source Zones, Destination Zones, Source Addresses, Destination Addresses, Services, Applications, URL Categories, Tags, and Targets are optional parameters to run this command.

  • Run the List Device Groups command to obtain the Device Group Name. Device Group Names can be found in the raw data at $.result.entry[*]['@name'].

  • Run the List Virtual Systems command to obtain the Virtual System Name. Virtual System Names can be found in the raw data at $.result.entry[*]['@name'].

  • Run the List Zones command to obtain the Source Zones. Source Zones can be found in the raw data at $.result.entry[*]['@name'].

  • Run the List Zones command to obtain the Destination Zones. Destination Zones can be found in the raw data at $.result.entry[*]['@name'].

  • Run the List Addresses or List Address Groups commands to obtain the Source Addresses. Source Addresses can be found in the raw data at $.result.entry[*]['@name'] for both reference commands.

  • Run the List Addresses or List Address Groups commands to obtain the Destination Addresses. Destination Addresses can be found in the raw data at $.result.entry[*]['@name'] for both reference commands.

  • Run the List Services command to obtain the Services. Services can be found in the raw data at $.result.entry[*]['@name'].

  • Run the List Applications command to obtain the Applications. Applications can be found in the raw data at $.result.entry[*]['@name'].

  • Run the List Custom URL Categories command to obtain the URL Categories. URL Categories can be found in the raw data at $.result.entry[*]['@name'].

  • Run the List Tags command to obtain the Tags. Tags can be found in the raw data at $.result.entry[*]['@name'].

Input

Input Parameter (Required/Optional): Description. Example

  • Location (Optional): The location of the security rule. The parameter applies only to Panorama. Valid options are Device Group and Shared. By default, the value for Panorama is "Device Group". Example: Device Group

  • Pre or Post Rule (Optional): Whether the Panorama rule is evaluated before (Pre-Rule) or after (Post-Rule) the firewall's locally configured rules. The parameter applies only to Panorama and is mandatory for Panorama. Valid options are Pre-Rule and Post-Rule. Example: Post-Rule

  • Device Group Name (Optional): The device group name in which to create security policy rules. The parameter applies only to Panorama and is mandatory when the location is set to "Device Group". Device Group Name can be obtained using the List Device Groups command. Example: D3DeviceGroup

  • Virtual System Name (Optional): The virtual system name in which to create a security policy rule. The parameter applies only to a Firewall instance and is mandatory for a Firewall instance. Virtual System Name can be obtained using the List Virtual Systems command. Example: vsys1

  • Rule Name (Optional): The name of the security rule to create. The maximum length is 63 characters. Example: rulename_001

  • Description (Optional): The description of the new security rule. The maximum length is 1023 characters.

  • Action (Optional): The action for the security rule. Available options are Allow, Deny, Drop, Reset Client, Reset Server, and Reset Both. By default, the value is "Allow". Example: Allow

  • Source Zones (Optional): The list of zone names to add to the security rule as the source. By default, the value is "any". Source Zone names can be obtained using the List Zones command. Example (JSON): ["D3cyberLabDmzZone"]

  • Destination Zones (Optional): The list of zone names to add to the security rule as the destination. By default, the value is "any". Destination Zones can be obtained using the List Zones command. Example (JSON): ["l3-untrust"]

  • Source Addresses (Optional): The list of address names or address group names to add to the security rule as the source address. By default, the value is "any". The address or group names can be obtained using the List Addresses or List Address Groups command. Example (JSON): ["testDynamicGroup2", "suspiciousip1"]

  • Destination Addresses (Optional): The list of address names or address group names to add to the security rule as the destination address. By default, the value is "any". Destination Addresses can be obtained using the List Addresses or List Address Groups commands. Example (JSON): ["suspicious_group", "suspicious_url"]

  • Source Users (Optional): The list of user names to add to the security rule. User names can be obtained through the GUI at DEVICE > Local User Database > Users. Example (JSON): ["demo"]

  • Services (Optional): The list of service names to add to the security rule. By default, the value is "application-default". Services can be obtained using the List Services command. Example (JSON): ["service-http"]

  • Applications (Optional): The list of application names to add to the security rule. By default, the value is "any". Applications can be obtained using the List Applications command. Example (JSON): ["any"]

  • URL Categories (Optional): The list of URL category names to add to the security rule. URL Categories can be obtained using the List Custom URL Categories command. Example (JSON): ["DemoURLCategory"]

  • Tags (Optional): The list of tags to assign to the security rule. The maximum length of a tag is 63 characters. Tags can be obtained using the List Tags command. Example (JSON): ["tag1"]

  • Targets (Optional): The list of target firewall devices to specify in the security rule. The parameter applies only to Panorama. Targets can be obtained using the List Connected Firewall Devices command. Example (JSON):
{
    "negate": "no"
}

  • Negate Source (Optional): The option to negate the source address or address group. Available options are True and False. By default, the value is False. Example: False

  • Negate Destination (Optional): The option to negate the destination address or address group. Available options are True and False. By default, the value is False. Example: False

  • Rule Type (Optional): The type of security rule. Available options are Universal, Intrazone, and Interzone. By default, the value is Universal. Example: Universal

  • Profile Setting (Optional): The profile settings for the security rule. The value can be either individual profiles or a profile group. For detailed syntax, refer to the API document at <{Server URL}/restapi-doc/#tag/policies-security-rules/paths/~1restapi~1v10.0~1Policies~1SecurityRules/post>. Example (JSON), with each profile type as a sibling entry under "profiles":

{
    "profiles": {
        "url-filtering": {
            "member": ["AllUrlAccessAudit"]
        },
        "data-filtering": {
            "member": ["default"]
        },
        "file-blocking": {
            "member": ["basic file blocking"]
        },
        "virus": {
            "member": ["AV-Alert"]
        },
        "spyware": {
            "member": ["Spyware-Alert"]
        },
        "vulnerability": {
            "member": ["IPS-Alert"]
        },
        "wildfire-analysis": {
            "member": ["default"]
        },
        "gtp": {
            "member": ["default"]
        },
        "sctp": {
            "member": ["default"]
        }
    }
}

  • Payload (Optional): The full payload for creating a rule. If not specified, the command generates the payload from the other parameters. If specified, the command ignores the other parameters and uses only the provided payload. Example (JSON):
{
    "@name": "string",
    "from": {
        "member": ["any"]
    },
    "to": {
        "member": ["any"]
    },
    "source": {
        "member": ["any"]
    },
    "source-user": {
        "member": ["any"]
    },
    "destination": {
        "member": ["any"]
    },
    "service": {
        "member": ["application-default"]
    },
    "category": {
        "member": ["any"]
    },
    "application": {
        "member": ["any"]
    },
    "source-imsi": {
        "member": ["any"]
    },
    "source-imei": {
        "member": ["any"]
    },
    "source-nw-slice": {
        "member": ["any"]
    },
    "source-hip": {
        "member": ["any"]
    },
    "destination-hip": {
        "member": ["any"]
    },
    "schedule": "string",
    "tag": {
        "member": ["string"]
    },
    "negate-source": "no",
    "negate-destination": "no",
    "disabled": "no",
    "description": "string",
    "group-tag": "string",
    "hip-profiles": {
        "member": ["any"]
    },
    "action": "allow",
    "icmp-unreachable": "no",
    "rule-type": "universal",
    "option": {
        "disable-server-response-inspection": "no"
    },
    "log-setting": "string",
    "log-start": "no",
    "log-end": "yes",
    "profile-setting": {
        "profiles": {
            "url-filtering": {
                "member": ["string"]
            },
            "data-filtering": {
                "member": ["string"]
            },
            "file-blocking": {
                "member": ["string"]
            },
            "wildfire-analysis": {
                "member": ["string"]
            },
            "virus": {
                "member": ["default"]
            },
            "spyware": {
                "member": ["default"]
            },
            "vulnerability": {
                "member": ["default"]
            },
            "gtp": {
                "member": ["string"]
            },
            "sctp": {
                "member": ["string"]
            }
        }
    },
    "qos": {
        "marking": {
            "ip-dscp": "string"
        }
    }
}
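Because a supplied Payload replaces every other parameter, it is worth checking it before the command submits it. The following pre-submission check, an added example that is not part of the integration's own code, validates the shape shown above and flags allow rules that a reviewer should see (any/any/any/any matches, session-end logging turned off, no security profiles). The action and rule-type value sets and the 63-character rule-name limit are PAN-OS limits assumed here, not taken from this page.

```python
"""Pre-submission checks for a Create Security Rule free payload in the
shape shown above. Constructed example, not the integration's own code."""

# Keys PAN-OS expects as {"member": [...]} lists in a security rule.
MEMBER_LIST_KEYS = (
    "from", "to", "source", "source-user", "destination",
    "service", "category", "application",
)
# Keys that take the literal strings "yes" or "no".
YES_NO_KEYS = (
    "negate-source", "negate-destination", "disabled",
    "icmp-unreachable", "log-start", "log-end",
)
VALID_ACTIONS = {"allow", "deny", "drop", "reset-client",
                 "reset-server", "reset-both"}
VALID_RULE_TYPES = {"universal", "intrazone", "interzone"}
MAX_RULE_NAME_LEN = 63  # assumed PAN-OS limit for policy rule names


def _members(payload, key):
    """Return the member list under key, or None if the shape is wrong."""
    value = payload.get(key)
    if not isinstance(value, dict) or not isinstance(value.get("member"), list):
        return None
    return value["member"]


def validate_security_rule(payload):
    """Return (errors, warnings) for a rule payload dict.

    errors   - wrong shape or a value the firewall would reject
    warnings - valid, but worth review from a policy-hygiene standpoint
    """
    errors, warnings = [], []

    name = payload.get("@name")
    if not isinstance(name, str) or not name.strip():
        errors.append("@name is required")
    elif len(name) > MAX_RULE_NAME_LEN:
        errors.append(f"@name exceeds {MAX_RULE_NAME_LEN} characters")

    for key in MEMBER_LIST_KEYS:
        members = _members(payload, key)
        if members is None:
            errors.append(f"{key} must be {{'member': [...]}}")
        elif not members:
            errors.append(f"{key}.member must not be empty")

    for key in YES_NO_KEYS:
        if key in payload and payload[key] not in ("yes", "no"):
            errors.append(f"{key} must be 'yes' or 'no', got {payload[key]!r}")

    action = payload.get("action")
    if action not in VALID_ACTIONS:
        errors.append(f"action must be one of {sorted(VALID_ACTIONS)}")
    if "rule-type" in payload and payload["rule-type"] not in VALID_RULE_TYPES:
        errors.append("rule-type must be universal, intrazone or interzone")
    if errors:
        return errors, warnings

    # Hygiene checks only make sense for allow rules: an allow that matches
    # everything, logs nothing at session end, or carries no security
    # profiles is the kind of change a reviewer should see before commit.
    if action == "allow":
        wide_open = all(_members(payload, k) == ["any"]
                        for k in ("source", "destination", "application", "service"))
        if wide_open:
            warnings.append("allow rule matches any source/destination/application/service")
        if payload.get("log-end", "yes") == "no":
            warnings.append("allow rule has session-end logging disabled")
        if "profile-setting" not in payload:
            warnings.append("allow rule has no security profiles attached")
    return errors, warnings


# Constructed sample: a deny rule toward an address group, as a SOAR
# playbook might generate it.
SAMPLE_RULE = {
    "@name": "block-suspicious-group",
    "from": {"member": ["trust"]},
    "to": {"member": ["untrust"]},
    "source": {"member": ["any"]},
    "source-user": {"member": ["any"]},
    "destination": {"member": ["suspicious_group"]},
    "service": {"member": ["application-default"]},
    "category": {"member": ["any"]},
    "application": {"member": ["any"]},
    "action": "deny",
    "rule-type": "universal",
    "log-end": "yes",
    "description": "constructed sample rule",
}

if __name__ == "__main__":
    print(validate_security_rule(SAMPLE_RULE))  # ([], [])
```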

Output

To view the sample output data for all commands, refer to this article.

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The error tab contains the details returned by D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Create Security Rule failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Palo Alto Networks PAN-OS portal. Refer to the HTTP Status Code Registry for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Bad Request

Error Sample Data

Create Security Rule failed.

Status Code: 400.

Message: Bad Request

Create Tag

Creates a tag.

READER NOTE

Device Group Name and Virtual System Name are parameters used to run this command.

  • Run the List Device Groups - Panorama command to obtain the Device Group Name. Device Group Names can be found in the raw data at the path $.result.entry[*].@name.

  • Run the List Virtual Systems - Firewall command to obtain the Virtual System Name. Virtual System Names can be found in the raw data at the path $.result.entry[*].@name.

Input

Input Parameter

Required/Optional

Description

Example

Location

Optional

The location of the tag. The parameter is exclusive to Panorama. Valid options are:

  • Device Group

  • Shared

By default, the value for Panorama is Device Group.

Device Group

Device Group Name

Optional

The device group name for which to create a tag. The parameter applies only to Panorama and is mandatory when the location is set to Device Group.

Device Group Name can be obtained using the List Device Groups command.

D3DeviceGroup

Virtual System Name

Optional

The virtual system name for which to create a tag. The parameter applies only to a Firewall instance, where it is mandatory.

Virtual System Name can be obtained using the List Virtual Systems command.

vsys1

Tag Name

Required

The name of the tag to create. The maximum length is 127 characters.

DemoTag

Color

Optional

The tag color. A color identifier in the format "colorX", where X is an integer between 1 and 42.

1

Comments

Optional

The tag comment. The maximum length is 1023 characters.

malware

Output

To view the sample output data for all commands, refer to this article.

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The error tab contains the details returned by D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Create Tag failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Palo Alto Networks PAN-OS portal. Refer to the HTTP Status Code Registry for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Bad Request

Error Sample Data

Create Tag failed.

Status Code: 400.

Message: Bad Request

Delete Custom URL Categories

Deletes custom URL categories by category names.

READER NOTE

Device Group Name and Virtual System Name are parameters used to run this command.

  • Run the List Device Groups - Panorama command to obtain the Device Group Name. Device Group Names can be found in the raw data at the path $.result.entry[*].@name.

  • Run the List Virtual Systems - Firewall command to obtain the Virtual System Name. Virtual System Names can be found in the raw data at the path $.result.entry[*].@name.

Input

Input Parameter

Required/Optional

Description

Example

Location

Optional

The location of the custom URL categories. The parameter applies only to Panorama. Valid options are:

  • Device Group

  • Shared

By default, the value is Device Group.

Device Group

Device Group Name

Optional

The device group name from which to delete a custom URL category. The parameter applies only to Panorama and is mandatory when the location is set to Device Group.

Device Group Name can be obtained using the List Device Groups command.

D3DeviceGroup

Virtual System Name

Optional

The virtual system name from which to delete a custom URL category. The parameter is exclusive and mandatory for a Firewall instance.

Virtual System Name can be obtained using the List Virtual Systems command.

vsys1

Category Names

Optional

The names of the custom URL categories to delete.

JSON
["suspicious_URL-IP"]

Output

To view the sample output data for all commands, refer to this article.

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The error tab contains the details returned by D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Delete Custom URL Categories failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Palo Alto Networks PAN-OS portal. Refer to the HTTP Status Code Registry for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Bad Request

Error Sample Data

Delete Custom URL Categories failed.

Status Code: 400.

Message: Bad Request

Delete EDLs

Deletes the specified External Dynamic Lists (EDLs).

READER NOTE

Device Group Name and Virtual System Name are parameters used to run this command.

  • Run the List Device Groups - Panorama command to obtain the Device Group Name. Device Group Names can be found in the raw data at the path $.result.entry[*].@name.

  • Run the List Virtual Systems - Firewall command to obtain the Virtual System Name. Virtual System Names can be found in the raw data at the path $.result.entry[*].@name.

EDL Names is an optional parameter used to run this command.

  • Run the List EDLs command to obtain the EDL Names. EDL Names can be found in the raw data at the path $.result.entry[*].@name.

Input

Input Parameter

Required/Optional

Description

Example

Location

Optional

The location of the EDLs to be deleted. This parameter is exclusively used for the Panorama instance. Available options are:

  • Device Group

  • Shared

By default, the value is Device Group.

For the Firewall instance, the value is fixed to Virtual System. This value is not visible in the dropdown.

Device Group

Device Group Name

Optional

The name of the device group from which to delete the EDLs. This parameter is exclusively used for the Panorama instance and is mandatory only when the location is set to Device Group. Device Group Name can be obtained using the List Device Groups - Panorama command.

D3DeviceGroup

Virtual System Name

Optional

The name of the virtual system from which to delete the EDLs. This parameter is exclusively used for the Firewall instance and is mandatory. Virtual System Name can be obtained using the List Virtual Systems - Firewall command.

vsys1

EDL Names

Required

The EDLs to delete. EDL Names can be obtained using the List EDLs command.

JSON
["api url EDL 916d"]

Output

To view the sample output data for all commands, refer to this article.

Error Handling

If the Return Data displays Partially Successful or Failed, an Error tab will appear in the Test Result window.

The error tab contains the details returned by D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Delete EDLs failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Palo Alto Networks PAN-OS portal. Refer to the HTTP Status Code Registry for details.

Status Code: 404.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Object Not Present.

Error Sample Data

Delete EDLs failed.

Status Code: 404.

Message: Object Not Present.

Delete Security Rules

Deletes security policy rules by rule names.

READER NOTE

Device Group Name and Virtual System Name are parameters used to run this command.

  • Run the List Device Groups - Panorama command to obtain the Device Group Name. Device Group Names can be found in the raw data at the path $.result.entry[*].@name.

  • Run the List Virtual Systems - Firewall command to obtain the Virtual System Name. Virtual System Names can be found in the raw data at the path $.result.entry[*].@name.

Input

Input Parameter

Required/Optional

Description

Example

Location

Optional

The location of the security rules. The parameter applies only to Panorama. Available options are:

  • Device Group

  • Shared

By default, the value for Panorama is Device Group.

Device Group

Pre or Post Rule

Optional

Whether the Panorama rule is evaluated before (Pre-Rule) or after (Post-Rule) the rules configured locally on the firewall. The parameter is exclusive and mandatory for Panorama. Valid options are:

  • Pre-Rule

  • Post-Rule

Pre-Rule

Device Group Name

Optional

The device group name from which to delete security policy rules. The parameter applies only to Panorama and is mandatory when the location is set to Device Group.

Device Group Name can be obtained using the List Device Groups command.

D3DeviceGroup

Virtual System Name

Optional

The virtual system name from which to delete security policy rules. The parameter is exclusive and mandatory for a Firewall instance.

Virtual System Name can be obtained using the List Virtual Systems command.

vsys1

Rule Names

Required

The names of the security rules to delete.

JSON
["rulename_001"]

Output

To view the sample output data for all commands, refer to this article.

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The error tab contains the details returned by D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Delete Security Rules failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Palo Alto Networks PAN-OS portal. Refer to the HTTP Status Code Registry for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Bad Request

Error Sample Data

Delete Security Rules failed.

Status Code: 400.

Message: Bad Request

Delete Tags

Deletes tags by tag names.

READER NOTE

Device Group Name and Virtual System Name are parameters used to run this command.

  • Run the List Device Groups - Panorama command to obtain the Device Group Name. Device Group Names can be found in the raw data at the path $.result.entry[*].@name.

  • Run the List Virtual Systems - Firewall command to obtain the Virtual System Name. Virtual System Names can be found in the raw data at the path $.result.entry[*].@name.

Input

Input Parameter

Required/Optional

Description

Example

Location

Optional

The location of the tags. The parameter applies only to Panorama. Available options are:

  • Device Group

  • Shared

By default, the value for Panorama is Device Group.

Device Group

Device Group Name

Optional

The device group name from which to delete tags. The parameter is exclusive to Panorama and mandatory when the location is "Device Group".

Device Group Name can be obtained using the List Device Groups command.

D3DeviceGroup

Virtual System Name

Optional

The virtual system name from which to delete tags. The parameter is exclusive and mandatory for a Firewall instance.

Virtual System Names can be obtained using the List Virtual Systems command.

vsys1

Tag Names

Optional

The names of the tags to delete.

JSON
["tag1"]

Output

To view the sample output data for all commands, refer to this article.

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The error tab contains the details returned by D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Delete Tags failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Palo Alto Networks PAN-OS portal. Refer to the HTTP Status Code Registry for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Bad Request

Error Sample Data

Delete Tags failed.

Status Code: 400.

Message: Bad Request

Export Application PCAP

Exports the specified application PCAP.

READER NOTE

Application PCAP File is a required parameter to run this command.

  • Run the List Application PCAP Directory Files command to obtain the Application PCAP File. Application PCAP Files can be found in the raw data at $.result.dir-listing.file.

Input

Input Parameter

Required/Optional

Description

Example

Application PCAP File

Required

The application PCAP file to export.

The application PCAP file can be obtained using the List Application PCAP Directory Files command or the Retrieve Logs command with the Traffic log type. For the latter, replace the hyphen between the date directory and file name with a forward slash. Example: "yyyymmdd-filename.pcap" becomes "yyyymmdd/filename.pcap".

/*****/*****.pcap

Output

To view the sample output data for all commands, refer to this article.

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The error tab contains the details returned by D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Export Application PCAP failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Palo Alto Networks PAN-OS portal. Refer to the HTTP Status Code Registry for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Bad Request

Error Sample Data

Export Application PCAP failed.

Status Code: 400.

Message: Bad Request

Export DLP PCAP

Exports the specified DLP PCAP.

READER NOTE

DLP PCAP File is a required parameter to run this command.

  • Run the List DLP PCAPs command to obtain the DLP PCAP File. DLP PCAP Files can be found in the raw data at $.result.dir-listing.file.

Input

Input Parameter

Required/Optional

Description

Example

DLP PCAP File

Required

The DLP PCAP file to export. DLP PCAP File can be obtained using the List DLP PCAPs command.

*****.pcap

DLP Password

Required

The password for DLP.

Output

To view the sample output data for all commands, refer to this article.

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The error tab contains the details returned by D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Export DLP PCAP failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Palo Alto Networks PAN-OS portal. Refer to the HTTP Status Code Registry for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Bad Request

Error Sample Data

Export DLP PCAP failed.

Status Code: 400.

Message: Bad Request

Export Filter PCAP

Exports the specified filter PCAP.

READER NOTE

Filter PCAP File is a required parameter to run this command.

  • Run the List Filter PCAPs command to obtain the Filter PCAP File. Filter PCAP Files can be found in the raw data at $.result.dir-listing.file.

Input

Input Parameter

Required/Optional

Description

Example

Filter PCAP File

Required

The filter PCAP file to export.

Filter PCAP File can be obtained using the List Filter PCAPs command.

*****.pcap

Output

To view the sample output data for all commands, refer to this article.

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The error tab contains the details returned by D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Export Filter PCAP failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Palo Alto Networks PAN-OS portal. Refer to the HTTP Status Code Registry for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Bad Request

Error Sample Data

Export Filter PCAP failed.

Status Code: 400.

Message: Bad Request

Export Threat PCAP

Exports the specified threat PCAP.

READER NOTE

Device Name and Session ID are optional parameters to run this command.

  • Run the Retrieve Logs command to obtain the Device Name. Device Names can be found in the raw data at $.result.log.logs.entry[*].device_name.

  • Run the Retrieve Logs command to obtain the Session ID. Session IDs can be found in the raw data at $.result.log.logs.entry[*].sessionid.

PCAP ID is a required parameter to run this command.

  • Run the Retrieve Logs command to obtain the PCAP ID. PCAP IDs can be found in the raw data at $.result.log.logs.entry[*].pcap_id.

Input

Input Parameter

Required/Optional

Description

Example

Device Name

Optional

The valid device name on which to export the PCAP.

Device Name can be obtained using the Retrieve Logs command with the log type set to Threat logs.

This parameter is required for PAN-OS firewall versions earlier than 9.0.7 and is always required for Panorama.

PA-VM

Session ID

Optional

The session ID to export the threat PCAP.

Session ID can be obtained using the Retrieve Logs command with the log type set to Threat logs. This parameter is required for PAN-OS firewall versions earlier than 9.0.7 and is always required for Panorama.

*****

PCAP ID

Required

The PCAP ID to export.

PCAP ID can be obtained using the Retrieve Logs command with the log type set to Threat logs.

*****

Search Time

Required

The search time, in the format of yyyy/mm/dd+hr:min:sec, when the PCAP was received on the firewall or Panorama.

Search Time can be obtained using the Retrieve Logs command with the log type set to Threat logs.

2024/03/21 11:55:33
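The two derivation rules above, the Traffic-log "yyyymmdd-filename.pcap" to "yyyymmdd/filename.pcap" rewrite for Export Application PCAP and the version-dependent Device Name / Session ID requirement for Export Threat PCAP, as an added example that is not part of the integration's own code. It assumes the threat log entry fields device_name, sessionid and pcap_id named in the reader note, and assumes a receive_time field in the yyyy/mm/dd hh:mm:ss layout of the Search Time example as the Search Time source.

```python
"""Derive PCAP export inputs from Retrieve Logs raw data.

Constructed example, not the integration's own code.
Assumed field: receive_time is taken as the Search Time source."""
import re

# Traffic-log references look like "yyyymmdd-filename.pcap"; only the hyphen
# after the 8-digit date directory separates directory from file name.
_APP_PCAP_REF = re.compile(r"^(\d{8})-(.+\.pcap)$")
# Search Time layout matching the example value "2024/03/21 11:55:33".
_SEARCH_TIME = re.compile(r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}$")


def app_pcap_export_path(file_ref):
    """Turn a Traffic-log pcap reference into the Export Application PCAP
    file parameter. Hyphens inside the file name itself are preserved."""
    m = _APP_PCAP_REF.match(file_ref.strip())
    if not m:
        raise ValueError(f"not a yyyymmdd-filename.pcap reference: {file_ref!r}")
    return f"{m.group(1)}/{m.group(2)}"


def _version_tuple(version):
    """'9.0.7-h3' -> (9, 0, 7); hotfix suffixes do not affect the comparison."""
    return tuple(int(part) for part in version.split("-")[0].split("."))


def needs_device_and_session(instance_type, panos_version):
    """Device Name and Session ID are always required for Panorama and for
    firewalls running a PAN-OS release earlier than 9.0.7."""
    if instance_type == "Panorama":
        return True
    return _version_tuple(panos_version) < (9, 0, 7)


def threat_pcap_export_params(entry, instance_type, panos_version):
    """Build the Export Threat PCAP inputs from one threat log entry
    ($.result.log.logs.entry[*]). Raises ValueError when a field the target
    instance requires is missing, so a playbook fails before the API call."""
    pcap_id = entry.get("pcap_id")
    if not pcap_id:
        raise ValueError("entry has no pcap_id; nothing to export")
    search_time = entry.get("receive_time", "")  # assumed Search Time source
    if not _SEARCH_TIME.match(search_time):
        raise ValueError(f"receive_time not in yyyy/mm/dd hh:mm:ss form: {search_time!r}")
    params = {"PCAP ID": pcap_id, "Search Time": search_time}

    device, session = entry.get("device_name"), entry.get("sessionid")
    if needs_device_and_session(instance_type, panos_version):
        if not device or not session:
            raise ValueError("Device Name and Session ID are required for this instance")
        params["Device Name"], params["Session ID"] = device, session
    elif device and session:
        # Optional on newer firewalls, but harmless to pass when available.
        params["Device Name"], params["Session ID"] = device, session
    return params


# Constructed threat log entry, in the shape the reader note describes.
SAMPLE_THREAT_ENTRY = {
    "device_name": "PA-VM",
    "sessionid": "123456",
    "pcap_id": "1234567890123456789",
    "receive_time": "2024/03/21 11:55:33",
}

if __name__ == "__main__":
    print(app_pcap_export_path("20241101-my-capture-file.pcap"))
    print(threat_pcap_export_params(SAMPLE_THREAT_ENTRY, "Panorama", "11.0.0"))
```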

Output

To view the sample output data for all commands, refer to this article.

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The error tab contains the details returned by D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Export Threat PCAP failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Palo Alto Networks PAN-OS portal. Refer to the HTTP Status Code Registry for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Bad Request

Error Sample Data

Export Threat PCAP failed.

Status Code: 400.

Message: Bad Request

Get EDL Entries

Retrieves entries from the specified External Dynamic List (EDL). The EDL must be attached to a policy for its entries to be populated.

READER NOTE

Device Group Name and Virtual System Name are parameters used to run this command.

  • Run the List Device Groups - Panorama command to obtain the Device Group Name. Device Group Names can be found in the raw data at the path $.result.entry[*].@name.

  • Run the List Virtual Systems - Firewall command to obtain the Virtual System Name. Virtual System Names can be found in the raw data at the path $.result.entry[*].@name.

EDL Name is an optional parameter used to run this command.

  • Run the List EDLs command to obtain the EDL Name. EDL Names can be found in the raw data at the path $.result.entry[*].@name.

Input

Input Parameter

Required/Optional

Description

Example

Location

Optional

The location of the EDL from which to retrieve entries.

  • For the Firewall instance, applicable options are Virtual System (default) and Panorama Pushed

  • For the Panorama instance, applicable options are Device Group (default) and Shared

Virtual System

Device Group Name

Optional

The name of the device group containing the EDL from which to retrieve entries. This parameter is exclusively used for the Panorama instance and is mandatory only when the location is set to Device Group. Device Group Name can be obtained using the List Device Groups - Panorama command.

D3DeviceGroup

Virtual System Name

Optional

The name of the virtual system containing the EDL from which to retrieve entries. This parameter is exclusively used for the Firewall instance and is mandatory. Virtual System Name can be obtained using the List Virtual Systems - Firewall command.

vsys1

EDL Name

Required

The name of the EDL from which to retrieve entries. EDL Name can be obtained using the List EDLs command. For the Panorama instance, only the Predefined IP and Predefined URL EDL types can be retrieved.

edl predefined ip 123

Entry Name

Optional

Searches for an EDL entry by name. This can be an IP address, URL or domain name.

***.***.***.***

Output

To view the sample output data for all commands, refer to this article.

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The error tab contains the details returned by D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Get EDL Entries failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Palo Alto Networks PAN-OS portal. Refer to the HTTP Status Code Registry for details.

Status Code: 404.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Object Not Present.

Error Sample Data

Get EDL Entries failed.

Status Code: 404.

Message: Object Not Present.

Global Find EDL Source

Retrieves the source name of the External Dynamic List (EDL) containing the specified entry. This command is applicable only to the Firewall instance. Check the value of the Instance Type parameter in the connection section.

Input

Input Parameter

Required/Optional

Description

Example

Entry Name

Required

Searches for EDL sources containing the specified entry name, supporting full or partial string matches.

***.***.***.***

Output

To view the sample output data for all commands, refer to this article.

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The error tab contains the details returned by D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Global Find EDL Source failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Palo Alto Networks PAN-OS portal. Refer to the HTTP Status Code Registry for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Predefined hash is empty.

Error Sample Data

Global Find EDL Source failed.

Status Code: 400.

Message: Predefined hash is empty.

List Address Groups

Returns the address group list.

READER NOTE

Device Group Name and Virtual System Name are parameters used to run this command.

  • Run the List Device Groups - Panorama command to obtain the Device Group Name. Device Group Names can be found in the raw data at the path $.result.entry[*].@name.

  • Run the List Virtual Systems - Firewall command to obtain the Virtual System Name. Virtual System Names can be found in the raw data at the path $.result.entry[*].@name.

Input

Input Parameter

Required/Optional

Description

Example

Location

Optional

The location of the address groups. For a Firewall instance, valid options are:

  • Virtual System

  • Panorama Pushed

For a Panorama instance, valid options are:

  • Device Group

  • Shared

By default, the value is Virtual System for a Firewall instance and Device Group for a Panorama instance.

Virtual System

Device Group Name

Optional

The device group name from which to retrieve address groups. The parameter is exclusive to Panorama and mandatory when the location is Device Group.

Device Group Name can be obtained using the List Device Groups - Panorama command.

D3DeviceGroup

Virtual System Name

Optional

The virtual system name from which to retrieve address groups. The parameter is exclusive and mandatory for a Firewall instance.

Virtual System Name can be obtained using the List Virtual Systems - Firewall command.

vsys1

Address Group Name

Optional

The name of the address group to return. The maximum length is 63 characters; characters beyond that limit are truncated.

suspicious_group

Output

To view the sample output data for all commands, refer to this article.

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The error tab contains the details returned by D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

List Address Groups failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Palo Alto Networks PAN-OS portal. Refer to the HTTP Status Code Registry for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Bad Request

Error Sample Data

List Address Groups failed.

Status Code: 400.

Message: Bad Request

List Application PCAP Directories

Returns a list of all application PCAP directories. Each directory name is a date in yyyymmdd format.

Input

N/A

Output

To view the sample output data for all commands, refer to this article.

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The error tab contains the details returned by D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. These details can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

List Application PCAP Directories failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Palo Alto Networks PAN-OS portal. Refer to the HTTP Status Code Registry for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Bad Request

Error Sample Data

List Application PCAP Directories failed.

Status Code: 400.

Message: Bad Request

List Application PCAP Directory Files

Returns a list of all application PCAP files under the specified date directory.

READER NOTE

Date Directory is a required parameter to run this command.

  • Run the List Application PCAP Directories command to obtain the Date Directory. Date Directories can be found in the raw data at $.result.dir-listing.dir.

Input

Input Parameter

Required/Optional

Description

Example

Date Directory

Required

The date directory in which to retrieve application PCAP files.

Date Directory can be obtained using the List Application PCAP Directories command.

/20241101

Output

To view the sample output data for all commands, refer to this article.

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The error tab contains the details returned by D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. These details can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

List Application PCAP Directory Files failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Palo Alto Networks PAN-OS portal. Refer to the HTTP Status Code Registry for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Bad Request

Error Sample Data

List Application PCAP Directory Files failed.

Status Code: 400.

Message: Bad Request

List Custom URL Categories

Lists custom URL categories or retrieves custom URL categories by category names.

READER NOTE

Device Group Name and Virtual System Name are parameters used to run this command.

  • Run the List Device Groups - Panorama command to obtain the Device Group Name. Device Group Names can be found in the raw data at the path $.result.entry[*].@name.

  • Run the List Virtual Systems - Firewall command to obtain the Virtual System Name. Virtual System Names can be found in the raw data at the path $.result.entry[*].@name.

Input

Input Parameter

Required/Optional

Description

Example

Location

Optional

The location of the custom URL categories. For a Firewall instance, valid options are:

  • Virtual System

  • Panorama Pushed

For a Panorama instance, the options are:

  • Device Group

  • Shared

By default, the value is Virtual System for a Firewall instance and Device Group for a Panorama instance.

Virtual System

Device Group Name

Optional

The device group name for which to return custom URL categories. The parameter is exclusive to Panorama and mandatory when the location is Device Group.

Device Group Name can be obtained using the List Device Groups command.

D3DeviceGroup

Virtual System Name

Optional

The virtual system name for which to return custom URL categories. The parameter is exclusive to the Firewall instance and mandatory for it.

Virtual System Name can be obtained using the List Virtual Systems command.

vsys1

Category Names

Optional

The names of the custom URL categories to retrieve. If left empty, the command retrieves all categories.

JSON

Output

To view the sample output data for all commands, refer to this article.

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The error tab contains the details returned by D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. These details can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

List Custom URL Categories failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Palo Alto Networks PAN-OS portal. Refer to the HTTP Status Code Registry for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Bad Request

Error Sample Data

List Custom URL Categories failed.

Status Code: 400.

Message: Bad Request

List Device Groups - Panorama

Lists all Panorama device groups. This command is applicable only to the Panorama instance. Check the value of the Instance Type parameter in the connection section.

Input

N/A

Output

To view the sample output data for all commands, refer to this article.

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The error tab contains the details returned by D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. These details can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

List Device Groups - Panorama failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Palo Alto Networks PAN-OS portal. Refer to the HTTP Status Code Registry for details.

Status Code: 403.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: The command 'List Device Groups' is exclusively for the Panorama instance.

Error Sample Data

List Device Groups - Panorama failed.

Status Code: 403.

Message: The command 'List Device Groups' is exclusively for the Panorama instance.

List DLP PCAPs

Returns a list of all data filtering PCAPs.

Input

Input Parameter

Required/Optional

Description

Example

DLP Password

Required

The password for DLP.

Output

To view the sample output data for all commands, refer to this article.

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The error tab contains the details returned by D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. These details can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

List DLP PCAPs failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Palo Alto Networks PAN-OS portal. Refer to the HTTP Status Code Registry for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Bad Request

Error Sample Data

List DLP PCAPs failed.

Status Code: 400.

Message: Bad Request

List EDLs

Lists all External Dynamic Lists (EDLs) or retrieves specific EDLs by name.

READER NOTE

Device Group Name and Virtual System Name are parameters used to run this command.

  • Run the List Device Groups - Panorama command to obtain the Device Group Name. Device Group Names can be found in the raw data at the path $.result.entry[*].@name.

  • Run the List Virtual Systems - Firewall command to obtain the Virtual System Name. Virtual System Names can be found in the raw data at the path $.result.entry[*].@name.

EDL Names is an optional parameter used to run this command.

  • Run this command without filling in the EDL Names parameter to obtain the EDL Names. EDL Names can be found in the raw data at the path $.result.entry[*].@name.

Input

Input Parameter

Required/Optional

Description

Example

Location

Optional

The location of the EDLs to be listed.

  • For the Firewall instance, applicable options are Virtual System (default) and Panorama Pushed

  • For the Panorama instance, applicable options are Device Group (default) and Shared

Virtual System

Device Group Name

Optional

The name of the device group from which to return EDLs. This parameter is exclusively used for the Panorama instance and is mandatory only when the location is set to Device Group. Device Group Name can be obtained using the List Device Groups - Panorama command.

D3DeviceGroup

Virtual System Name

Optional

The name of the virtual system from which to return EDLs. This parameter is exclusively used for the Firewall instance and is mandatory. Virtual System Name can be obtained using the List Virtual Systems - Firewall command.

vsys1

EDL Names

Optional

The EDLs to retrieve. EDL Names can be obtained by running the command without filling in this input parameter. By default, all EDLs will be retrieved.

JSON
["api url EDL 916b"]

Output

To view the sample output data for all commands, refer to this article.

Error Handling

If the Return Data displays Partially Successful or Failed, an Error tab will appear in the Test Result window.

The error tab contains the details returned by D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. These details can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

List EDLs failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Palo Alto Networks PAN-OS portal. Refer to the HTTP Status Code Registry for details.

Status Code: 404.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Object Not Present.

Error Sample Data

List EDLs failed.

Status Code: 404.

Message: Object Not Present.

List Filter PCAPs

Returns a list of all filter PCAPs.

Input

N/A

Output

To view the sample output data for all commands, refer to this article.

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The error tab contains the details returned by D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. These details can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

List Filter PCAPs failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Palo Alto Networks PAN-OS portal. Refer to the HTTP Status Code Registry for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Bad Request

Error Sample Data

List Filter PCAPs failed.

Status Code: 400.

Message: Bad Request

List Managed Firewall Devices - Panorama

Lists all managed firewall devices in Panorama. The command is exclusive to Panorama.

Input

Input Parameter

Required/Optional

Description

Example

Connected Only

Optional

Whether to get a list of connected firewalls only. If True, the command will query only the connected firewalls. If False, the command will return all managed Firewall devices of Panorama.

By default, the value is False.

True

Output

To view the sample output data for all commands, refer to this article.

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The error tab contains the details returned by D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. These details can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

List Managed Firewall Devices - Panorama failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Palo Alto Networks PAN-OS portal. Refer to the HTTP Status Code Registry for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Bad Request

Error Sample Data

List Managed Firewall Devices - Panorama failed.

Status Code: 400.

Message: Bad Request

List Security Rules

Lists all security policy rules, or retrieves specific security policy rules by name.

READER NOTE

Device Group Name and Virtual System Name are parameters used to run this command.

  • Run the List Device Groups - Panorama command to obtain the Device Group Name. Device Group Names can be found in the raw data at the path $.result.entry[*].@name.

  • Run the List Virtual Systems - Firewall command to obtain the Virtual System Name. Virtual System Names can be found in the raw data at the path $.result.entry[*].@name.

Input

Input Parameter

Required/Optional

Description

Example

Location

Optional

The location of the security rules. For a Firewall instance, valid options are:

  • Virtual System

  • Panorama Pushed

For a Panorama instance, the options are:

  • Device Group

  • Shared

By default, the value is Virtual System for a Firewall instance and Device Group for a Panorama instance.

Virtual System

Pre or Post Rule

Optional

Whether the Panorama rule takes effect before (Pre-Rule) or after (Post-Rule) the locally configured firewall rules. The parameter is exclusive to the Panorama instance and mandatory for it.

Pre-Rule

Device Group Name

Optional

The device group name for which to return security policy rules. The parameter is exclusively for the Panorama instance and is mandatory when the location is set to Device Group.

Device Group Name can be obtained using the List Device Groups command.

D3DeviceGroup

Virtual System Name

Optional

The virtual system name for which to return security policy rules. The parameter is exclusive to the Firewall instance and mandatory for it.

Virtual System Name can be obtained using the List Virtual Systems command.

vsys1

Rule Names

Optional

The names of the security rules to retrieve. If the parameter is empty, the command will retrieve all rules.

JSON
["rulename_001"]

Output

To view the sample output data for all commands, refer to this article.

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The error tab contains the details returned by D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. These details can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

List Security Rules failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Palo Alto Networks PAN-OS portal. Refer to the HTTP Status Code Registry for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Bad Request

Error Sample Data

List Security Rules failed.

Status Code: 400.

Message: Bad Request

List Services

Retrieves all services, or specific services by name.

READER NOTE

Device Group Name and Virtual System Name are parameters used to run this command.

  • Run the List Device Groups - Panorama command to obtain the Device Group Name. Device Group Names can be found in the raw data at the path $.result.entry[*].@name.

  • Run the List Virtual Systems - Firewall command to obtain the Virtual System Name. Virtual System Names can be found in the raw data at the path $.result.entry[*].@name.

Input

Input Parameter

Required/Optional

Description

Example

Location

Optional

The location of the services. The location options for the Firewall instance are:

  • Predefined

  • Virtual System

  • Panorama Pushed

The location options for the Panorama instance are:

  • Predefined

  • Device Group

  • Shared

By default, the Firewall instance value is Virtual System and the Panorama instance value is Device Group.

Virtual System

Device Group Name

Optional

The device group name for which to return services. The parameter is exclusively for the Panorama instance and is mandatory when the location is set to Device Group.

Device Group Name can be obtained using the List Device Groups command.

D3DeviceGroup

Virtual System Name

Optional

The virtual system name for which to return services. The parameter is exclusively for the Firewall instance and is mandatory when the location is set to Virtual System or Panorama Pushed.

Virtual System Name can be obtained using the List Virtual Systems command.

vsys1

Service Names

Optional

The names of the services to retrieve. If the parameter is empty, the command will retrieve all services.

JSON
["service-http"]

Output

To view the sample output data for all commands, refer to this article.

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The error tab contains the details returned by D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. These details can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

List Services failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Palo Alto Networks PAN-OS portal. Refer to the HTTP Status Code Registry for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Bad Request

Error Sample Data

List Services failed.

Status Code: 400.

Message: Bad Request

List Tags

Retrieves all tags, or specific tags by name.

READER NOTE

Device Group Name and Virtual System Name are parameters used to run this command.

  • Run the List Device Groups - Panorama command to obtain the Device Group Name. Device Group Names can be found in the raw data at the path $.result.entry[*].@name.

  • Run the List Virtual Systems - Firewall command to obtain the Virtual System Name. Virtual System Names can be found in the raw data at the path $.result.entry[*].@name.

Input

Input Parameter

Required/Optional

Description

Example

Location

Optional

The location of the tags. The location options for the Firewall instance are:

  • Predefined

  • Virtual System

  • Panorama Pushed

The location options for the Panorama instance are:

  • Predefined

  • Device Group

  • Shared

By default, the Firewall instance value is Virtual System and the Panorama instance value is Device Group.

Virtual System

Device Group Name

Optional

The device group name for which to return tags. The parameter is exclusively for the Panorama instance and is mandatory when the location is set to Device Group.

Device Group Name can be obtained using the List Device Groups command.

D3DeviceGroup

Virtual System Name

Optional

The virtual system name for which to return tags. The parameter is exclusively for the Firewall instance and is mandatory when the location is set to Virtual System or Panorama Pushed.

Virtual System Name can be obtained using the List Virtual Systems command.

vsys1

Tag Names

Optional

The names of the tags to retrieve. If the parameter is empty, the command will retrieve all tags.

JSON
["tag1"]

Output

To view the sample output data for all commands, refer to this article.

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The error tab contains the details returned by D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. These details can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

List Tags failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Palo Alto Networks PAN-OS portal. Refer to the HTTP Status Code Registry for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Bad Request

Error Sample Data

List Tags failed.

Status Code: 400.

Message: Bad Request

List Virtual Systems - Firewall

Lists all Firewall virtual systems. This command is applicable only to the Firewall instance. Check the value of the Instance Type parameter in the connection section.

Input

N/A

Output

To view the sample output data for all commands, refer to this article.

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The error tab contains the details returned by D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. These details can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

List Virtual Systems - Firewall failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Palo Alto Networks PAN-OS portal. Refer to the HTTP Status Code Registry for details.

Status Code: 403.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: The command 'List Virtual Systems' is exclusively for the Firewall instance.

Error Sample Data

List Virtual Systems - Firewall failed.

Status Code: 403.

Message: The command 'List Virtual Systems' is exclusively for the Firewall instance.

Push to Devices

Pushes and validates shared policy to the firewalls using device groups, and configuration to Log Collectors and firewalls using templates or template stacks.

Input

Input Parameter

Required/Optional

Description

Example

Device Group

Required

The device group name to which to push or validate the shared policy or configuration.

D3DeviceGroup

Exclude Template

Optional

Whether to commit shared policy or configuration while excluding the template. By default, the value is False.

True

Serial Number

Optional

The serial number for a firewall commit. If specified, the shared policy or configuration will be pushed to the specified firewall.

0007*****0205

Await Completion

Optional

If True, the command continuously checks the status of the committed job until completion and returns detailed job information when finished. If False, the command immediately returns the initial job details. Timeout occurs after 120 seconds.

False

Output

To view the sample output data for all commands, refer to this article.

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The error tab contains the details returned by D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. These details can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Push to Devices failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Palo Alto Networks PAN-OS portal. Refer to the HTTP Status Code Registry for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Bad Request

Error Sample Data

Push to Devices failed.

Status Code: 400.

Message: Bad Request

Retrieve Logs

Retrieves logs from a firewall or Panorama. At most 1000 logs will be returned. For more than 1000 logs, use Start Time, End Time, and Query parameters to narrow the results.

Input

Input Parameter

Required/Optional

Description

Example

Start Time

Optional

The log items received after this time will be returned. The time is based on the local time of the Firewall or Panorama instance.

By default, the start time is 30 minutes before End Time.

2024/03/21 11:41:00

End Time

Optional

The log items received before this time will be returned. The time is based on the local time of the Firewall or Panorama instance.

By default, the end time is the current time.

2024/03/21 11:42:00

Log Type

Required

The type of logs to retrieve.

Threat

Query

Optional

The match criteria for the logs. This is similar to the query provided in the web interface under the Monitor tab when viewing logs.

(dst eq '***.***.***.***') and (dport eq 80) and (flags has pcap)

Match OID

Optional

The Match Object ID to retrieve correlated event details. This parameter is required for the Correlated Event Details log type.

.1.3.6.1.4.1.25461.2.1.3

External Type

Optional

The External Type to retrieve external logs. This parameter is required for the External Logs log type.

syslog

Skip

Optional

The number of logs to skip during log retrieval. By default, the value is 0. This is useful for retrieving logs in batches to skip previously retrieved logs.

0
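The batching behaviour described for Start Time, End Time and Skip, as an added example that is not part of the original documentation or D3 SOAR's code. The fetch callable standing in for the firewall, and the in-memory log store it serves, are constructed for this example.

```python
"""Added example (not D3 SOAR's or Palo Alto Networks' code): drive a log query in
batches with the Skip parameter, honouring the 1000-log cap and the default 30-minute
window described for Retrieve Logs. The fetch callable and log store are constructed."""
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Optional, Tuple

MAX_LOGS = 1000                        # cap stated for Retrieve Logs
PAN_TIME_FORMAT = "%Y/%m/%d %H:%M:%S"  # format of the Start Time / End Time examples

# fetch(log_type, start, end, query, skip) -> at most MAX_LOGS log entries
FetchFn = Callable[[str, datetime, datetime, str, int], List[Dict]]


def default_window(start: Optional[datetime], end: Optional[datetime],
                   now: Optional[datetime] = None) -> Tuple[datetime, datetime]:
    """Apply the documented defaults: End Time = now, Start Time = End Time - 30 minutes."""
    end = end or now or datetime.now()
    start = start or end - timedelta(minutes=30)
    if start >= end:
        raise ValueError("Start Time must be earlier than End Time")
    return start, end


def retrieve_all(fetch: FetchFn, log_type: str, start: Optional[datetime] = None,
                 end: Optional[datetime] = None, query: str = "",
                 now: Optional[datetime] = None, max_batches: int = 50) -> List[Dict]:
    """Collect every log in the window by re-running the query with a growing Skip.

    Each call returns at most MAX_LOGS entries, so a short batch means the window is
    exhausted. The batch limit guards against runaway loops on a very noisy window;
    when it trips, narrow Start Time, End Time or Query as the page advises.
    """
    start, end = default_window(start, end, now)
    logs: List[Dict] = []
    skip = 0
    for _ in range(max_batches):
        batch = fetch(log_type, start, end, query, skip)
        logs.extend(batch)
        if len(batch) < MAX_LOGS:
            return logs
        skip += len(batch)          # skip everything already retrieved
    raise RuntimeError("window not exhausted after %d batches; "
                       "narrow Start Time, End Time or Query" % max_batches)


def make_fake_fetch(count: int, base: datetime) -> FetchFn:
    """Constructed stand-in for the device: `count` threat logs, one per second from `base`."""
    store = [{"seqno": i, "receive_time": base + timedelta(seconds=i), "type": "THREAT"}
             for i in range(count)]

    def fetch(log_type, start, end, query, skip):
        hits = [entry for entry in store
                if entry["type"] == log_type.upper() and start <= entry["receive_time"] < end]
        return hits[skip:skip + MAX_LOGS]   # the device never hands back more than the cap
    return fetch


# Constructed timestamps built from the page's example Start Time.
BASE = datetime.strptime("2024/03/21 11:41:00", PAN_TIME_FORMAT)
SAMPLE_END = BASE + timedelta(seconds=2500)   # explicit window covering all 2500 sample logs
SAMPLE_NOW = BASE + timedelta(minutes=30)     # "current time" for the default-window case

if __name__ == "__main__":
    fetch = make_fake_fetch(2500, BASE)
    print(len(retrieve_all(fetch, "Threat", BASE, SAMPLE_END)))   # 2500, in three batches
    print(len(retrieve_all(fetch, "Threat", now=SAMPLE_NOW)))     # 1800: default 30-minute window
```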

Output

To view the sample output data for all commands, refer to this article.

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The error tab contains the details returned by D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. These details can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Retrieve Logs failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Palo Alto Networks PAN-OS portal. Refer to the HTTP Status Code Registry for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Bad Request

Error Sample Data

Retrieve Logs failed.

Status Code: 400.

Message: Bad Request

Sync Address Group With Global List

Synchronizes the IP addresses in the specified global list to the address group, which can then be referenced in a security policy to block those IP addresses. This command commits the changes. For Panorama, the command does not push the configuration to the firewalls; to do so, run the Push to Devices command. The IP address objects are created in the same location as the address group. For example, on a Panorama instance with the location set to Shared, the IP address objects are generated in the Shared location.

READER NOTE

Device Group Name and Virtual System Name are optional parameters to run this command.

  • Run the List Device Groups command to obtain the Device Group Name. Device Group Names can be found in the raw data at $.result.entry[*]['@name'].

  • Run the List Virtual Systems command to obtain the Virtual System Name. Virtual System Names can be found in the raw data at $.result.entry[*]['@name'].

Address Group Name is a required parameter to run this command.

  • Run the List Address Groups command to obtain the Address Group Name. Address Group Names can be found in the raw data at $.result.entry[*]['@name'].

Input

Input Parameter

Required/Optional

Description

Example

Location

Optional

The location of the address group. The parameter is exclusively for the Panorama instance. Valid options are:

  • Device Group

  • Shared

By default, the Panorama instance value is "Device Group". The IP address objects will be created in the same location as the address group.

Device Group

Device Group Name

Optional

The device group name for which to update the address group. The parameter is exclusively for the Panorama instance and is mandatory when the location is set to "Device Group".

Device Group Name can be obtained using the List Device Groups command.

D3DeviceGroup

Virtual System Name

Optional

The virtual system name for which to update the address group. The parameter is exclusively for the Firewall instance and is mandatory for the Firewall instance.

Virtual System Name can be obtained using the List Virtual Systems command.

vsys1

Global List Name

Required

The name of the Palo Alto Firewall blocked IP global list. The IP addresses in this global list will be added to the specified address group.

PaloAlto_Firewall_Blocked_IPs

IP Address JSON Path

Optional

The JSON path of the global list from which to extract the IP addresses.

By default, the value is the path of the entire list.

Configure the path correctly to avoid emptying the address group.

CODE
$.[*].ip

Address Group Name

Required

The name of the address group to which the IP addresses in the global list are synced. Address Group Name can be obtained using the List Address Groups command.

Blocked_IP_Address

Empty Address Group Enabled?

Required

Whether the address group can be emptied when the command retrieves no items from the global list.

Global List Name and IP Address JSON Path must be configured correctly for this check to be meaningful: the command cannot tell a wrong path apart from a list that is genuinely empty.

Set the value to True to empty the address group in this case. Set the value to False to keep the current members when the global list returns no items, which prevents the group from being emptied by a wrong IP Address JSON Path.

False
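The following is an added example, not D3 SOAR's or Palo Alto Networks' own code. It models offline the three steps the command performs: extract addresses from the global list with the IP Address JSON Path, diff them against the address group's current members, and apply the Empty Address Group Enabled? guard before anything is removed. The global list and the current members are constructed sample data, and only a small JSONPath subset ($, dot keys and [*]) is implemented, which is enough for the page's "$.[*].ip" and the default "$"; the command's real parser is not shown on the page. It also drops values PAN-OS would reject as ip-netmask objects, so a typo in the global list cannot fail the whole sync.

```python
import ipaddress
import re

# Constructed sample of a D3 global list export (not real data): a JSON array
# of objects whose "ip" field holds the address, as "$.[*].ip" expects.
GLOBAL_LIST = [
    {"ip": "203.0.113.10", "reason": "c2"},
    {"ip": "198.51.100.0/24", "reason": "scanner"},
    {"ip": "not-an-ip", "reason": "typo"},
]

# Constructed sample of the address group's current static members.
CURRENT_MEMBERS = {"203.0.113.10", "192.0.2.77"}

_TOKEN = re.compile(r"\[\*\]|[A-Za-z0-9_-]+")


def jsonpath_extract(path, data):
    """Evaluate a minimal JSONPath subset: '$', '.key' and '[*]'.

    Handles the page's forms '$.[*].ip', '$[*].ip' and the default '$'
    (the entire list). Anything the path does not match yields [].
    """
    if not path.startswith("$"):
        raise ValueError("JSON path must start with '$'")
    nodes = [data]
    for tok in _TOKEN.findall(path[1:]):
        nxt = []
        for node in nodes:
            if tok == "[*]":
                if isinstance(node, list):
                    nxt.extend(node)
            elif isinstance(node, dict) and tok in node:
                nxt.append(node[tok])
        nodes = nxt
    # A path that resolves to the list itself returns its elements.
    if len(nodes) == 1 and isinstance(nodes[0], list):
        nodes = nodes[0]
    return nodes


def valid_addresses(values):
    """Keep only strings PAN-OS would accept as ip-netmask objects."""
    keep = set()
    for value in values:
        if not isinstance(value, str):
            continue  # e.g. whole objects returned by the default path '$'
        try:
            ipaddress.ip_network(value, strict=False)
        except ValueError:
            continue
        keep.add(value)
    return keep


def plan_sync(global_list, json_path, current_members, empty_group_enabled):
    """Return (to_add, to_remove); refuse to empty the group unless allowed."""
    desired = valid_addresses(jsonpath_extract(json_path, global_list))
    if not desired and not empty_group_enabled:
        # A wrong path and an empty list look the same here, so a sync that
        # would strip every blocked address is refused by default.
        raise RuntimeError(
            "global list yielded no addresses; refusing to empty the address "
            "group (set Empty Address Group Enabled? to True if intended)")
    current = set(current_members)
    return sorted(desired - current), sorted(current - desired)


if __name__ == "__main__":
    add, remove = plan_sync(GLOBAL_LIST, "$.[*].ip", CURRENT_MEMBERS, False)
    print("add:", add, "remove:", remove)
    try:
        plan_sync(GLOBAL_LIST, "$.[*].address", CURRENT_MEMBERS, False)
    except RuntimeError as err:
        print("refused:", err)
```

Run it as-is to see the first sync plan add the /24 and drop the stale member, and the second call (a mistyped path) refused because Empty Address Group Enabled? is False. Flip that flag to True and the same mistyped path removes every member, which is exactly the outcome the parameter exists to prevent.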

Output

To view the sample output data for all commands, refer to this article.

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Sync Address Group With Global List failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Palo Alto Networks PAN-OS portal. Refer to the HTTP Status Code Registry for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Bad Request

Error Sample Data

Sync Address Group With Global List failed.

Status Code: 400.

Message: Bad Request

Update Custom URL Category

Updates a custom URL category.

READER NOTE

Device Group Name and Virtual System Name are optional parameters to run this command.

  • Run the List Device Groups command to obtain the Device Group Name. Device Group Names can be found in the raw data at $.result.entry[*]['@name'].

  • Run the List Virtual Systems command to obtain the Virtual System Name. Virtual System Names can be found in the raw data at $.result.entry[*]['@name'].

Input

Input Parameter

Required/Optional

Description

Example

Location

Optional

The location of the custom URL category. The parameter is exclusively for the Panorama instance. Valid options are:

  • Device Group

  • Shared

By default, the Panorama instance value is Device Group.

Device Group

Device Group Name

Optional

The device group name for which to update custom URL categories. The parameter is exclusively for the Panorama instance and is mandatory when the location is set to Device Group.

Device Group Name can be obtained using the List Device Groups command.

D3DeviceGroup

Virtual System Name

Optional

The virtual system name for which to update the custom URL category. The parameter is exclusively for the Firewall instance and is mandatory for the Firewall instance.

Virtual System Name can be obtained using the List Virtual Systems command.

vsys1

Category Name

Required

The name of the custom URL category to update. The maximum length of the name is 63 characters.

suspicious_URL-IP

Description

Optional

The updated description of the custom URL category. The maximum length of the description is 1023 characters.

A new custom URL category was added.

URLs

Required

The URLs for the category.

JSON
["www.demo.net"]

Category Type

Optional

The category type of the URL.

By default, the value is “URL List”.

URL List

Output

To view the sample output data for all commands, refer to this article.

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Update Custom URL Category failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Palo Alto Networks PAN-OS portal. Refer to the HTTP Status Code Registry for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Bad Request

Error Sample Data

Update Custom URL Category failed.

Status Code: 400.

Message: Bad Request

Update EDL

Updates an existing External Dynamic List (EDL).

READER NOTE

Device Group Name and Virtual System Name are optional parameters used to run this command.

  • Run the List Device Groups - Panorama command to obtain the Device Group Name. Device Group Names can be found in the raw data at the path $.result.entry[*]['@name'].

  • Run the List Virtual Systems - Firewall command to obtain the Virtual System Name. Virtual System Names can be found in the raw data at the path $.result.entry[*]['@name'].

EDL Name is a required parameter used to run this command.

  • Run the List EDLs command to obtain the EDL Name. EDL Names can be found in the raw data at the path $.result.entry[*]['@name'].

Input

Input Parameter

Required/Optional

Description

Example

Location

Optional

The location of the EDL to update. This parameter is exclusively used for the Panorama instance. Available options are:

  • Device Group

  • Shared

By default, the value is Device Group.

For the Firewall instance, the value is fixed to Virtual System. This value is not visible in the dropdown.

Device Group

Device Group Name

Optional

The name of the device group for which to update the EDL. This parameter is exclusively used for the Panorama instance and is mandatory only when the location is set to Device Group. Device Group Name can be obtained using the List Device Groups - Panorama command.

D3DeviceGroup

Virtual System Name

Optional

The name of the virtual system for which to update the EDL. This parameter is exclusively used for the Firewall instance and is mandatory. Virtual System Name can be obtained using the List Virtual Systems - Firewall command.

vsys1

EDL Name

Required

The EDL to update. EDL Name can be obtained using the List EDLs command.

api url EDL 916b

Source URL

Required

The updated source URL from which to pull the EDL. For Predefined IP and Predefined URL EDL types, enter the EDL source name. For example, "panw-highrisk-ip-list" is a valid value.

https://*****.*****

Recurring

Optional

The updated time interval for checking EDL updates. This parameter is not applicable to Predefined IP and Predefined URL EDL types. Available options are:

  • Five Minute

  • Hourly

  • Daily

  • Weekly

  • Monthly

By default, the value is Hourly for EDL types URL and Domain. By default, the value is Five Minute for EDL types IP, Subscriber Identity List, and Equipment Identity List.

Hourly

Detailed Time

Optional

The detailed checking time for EDL updates in JSON format. This parameter only applies if the Recurring parameter is set to Daily, Weekly, or Monthly. For example:

  • Daily: To check EDL updates at 8 AM every day, input { "at": "08" } and select Daily for the Recurring parameter

  • Weekly: To check EDL updates at 11 PM every Sunday, input { "day-of-week": "sunday", "at": "23" } and select Weekly for the Recurring parameter

  • Monthly: To check EDL updates at 10 AM on the 15th day of every month, input { "day-of-month": "15", "at": "10" } and select Monthly for the Recurring parameter

JSON
{ "at":"08" } 

Description

Optional

The updated description of the EDL. The maximum length is 255 characters.

test desc api url EDL 916d

Certificate Profile

Optional

The profile name of the certificate for the EDL URL that was previously uploaded. This parameter is not applicable to Predefined IP and Predefined URL EDL types.

None

Exception List

Optional

The updated list of exception entries for the EDL. This parameter is used to overwrite the existing exception entries in the list. If the user only intends to add new entries, they must input the existing entries along with the newly added ones.

JSON
[ "*****.*****" ] 

New EDL Name

Optional

The updated EDL name. This parameter applies exclusively to the Firewall instance.

api url EDL 916 New Name

Expand Domain

Optional

This parameter is applicable only if the EDL Type is set to Domain.

If set to Yes, the firewall will automatically expand to include subdomains. By default, the value is No.

Yes
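The following is an added example, not D3 SOAR's or Palo Alto Networks' own code. It turns the parameters above into the query string and JSON body of a PAN-OS REST API EDL update, and validates the Recurring and Detailed Time combination that the page only describes in prose (Daily needs "at", Weekly also needs "day-of-week", Monthly "day-of-month", and neither applies to Five Minute, Hourly or the predefined list types). The "entry" / "type" / "recurring" key layout and the location, vsys and device-group query parameters are the author's reading of the PAN-OS REST schema, not something the page states, so check them against {Server URL}/restapi-doc before relying on them; the source URL and exception entry in the usage block are constructed placeholders. The location_params helper applies equally to the other commands on this page that take Location, Device Group Name and Virtual System Name.

```python
import json

# Labels used by the command, mapped to the API's recurring node names
# (assumed from the PAN-OS REST schema; verify against restapi-doc).
RECURRING_KEYS = {
    "Five Minute": "five-minute", "Hourly": "hourly", "Daily": "daily",
    "Weekly": "weekly", "Monthly": "monthly",
}
DAYS = {"sunday", "monday", "tuesday", "wednesday", "thursday", "friday", "saturday"}
PREDEFINED = {"predefined-ip", "predefined-url"}


def location_params(instance, location="Device Group", device_group=None, vsys=None):
    """Translate Location / Device Group Name / Virtual System Name to query params."""
    if instance == "Firewall":
        if not vsys:
            raise ValueError("Virtual System Name is mandatory for the Firewall instance")
        return {"location": "vsys", "vsys": vsys}
    if location == "Shared":
        return {"location": "shared"}
    if not device_group:
        raise ValueError("Device Group Name is mandatory when Location is Device Group")
    return {"location": "device-group", "device-group": device_group}


def _hour(value):
    """Detailed Time 'at' is a two-digit hour string, '00'..'23'."""
    if not (isinstance(value, str) and len(value) == 2 and value.isdigit() and int(value) < 24):
        raise ValueError(f"'at' must be '00'..'23', got {value!r}")
    return value


def build_recurring(recurring, detailed_time=None):
    """Combine Recurring with Detailed Time (JSON string or dict) into one node."""
    key = RECURRING_KEYS[recurring]
    dt = json.loads(detailed_time) if isinstance(detailed_time, str) else (detailed_time or {})
    if key in ("five-minute", "hourly"):
        if dt:
            raise ValueError(f"Detailed Time does not apply to {recurring}; leave it empty")
        return {key: {}}
    node = {"at": _hour(dt.get("at"))}
    if key == "weekly":
        if dt.get("day-of-week") not in DAYS:
            raise ValueError("Weekly needs 'day-of-week' (sunday..saturday)")
        node["day-of-week"] = dt["day-of-week"]
    elif key == "monthly":
        dom = str(dt.get("day-of-month", ""))
        if not (dom.isdigit() and 1 <= int(dom) <= 31):
            raise ValueError("Monthly needs 'day-of-month' in 1..31")
        node["day-of-month"] = dom
    return {key: node}


def build_edl_update(name, edl_type, source_url, recurring="Hourly", detailed_time=None,
                     description="", certificate_profile=None, exception_list=(),
                     expand_domain=False):
    """Return the body for PUT /restapi/{version}/Objects/ExternalDynamicLists?name=..."""
    if len(description) > 255:
        raise ValueError("description exceeds 255 characters")
    inner = {"url": source_url}  # for predefined types this is the source name
    if edl_type not in PREDEFINED:
        # Recurring and the certificate profile do not apply to predefined lists.
        inner["recurring"] = build_recurring(recurring, detailed_time)
        if certificate_profile:
            inner["certificate-profile"] = certificate_profile
    if description:
        inner["description"] = description
    if exception_list:
        # The API replaces the whole exception list, exactly as the page warns.
        inner["exception-list"] = {"member": list(exception_list)}
    if edl_type == "domain" and expand_domain:
        inner["expand-domain"] = "yes"
    return {"entry": {"@name": name, "type": {edl_type: inner}}}


if __name__ == "__main__":
    params = location_params("Firewall", vsys="vsys1")
    params["name"] = "api url EDL 916b"
    body = build_edl_update("api url EDL 916b", "url", "https://example.invalid/list.txt",
                            recurring="Weekly",
                            detailed_time='{ "day-of-week": "sunday", "at": "23" }',
                            exception_list=["allowed.example"])
    print(params)
    print(json.dumps(body, indent=2))
```

Validating before the call matters here because a bad Detailed Time reaches the firewall as a 400 with the generic "Bad Request" message shown under Error Handling, which tells you nothing about which field was wrong.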

Output

To view the sample output data for all commands, refer to this article.

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Update EDL failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Palo Alto Networks PAN-OS portal. Refer to the HTTP Status Code Registry for details.

Status Code: 404.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Request failed when getting EDL details.

Error Sample Data

Update EDL failed.

Status Code: 404.

Message: Request failed when getting EDL details.

Update Security Rule

Updates an existing security policy rule with the provided configurations. Security rules with categories or address groups can handle dynamic block or unblock of addresses.

READER NOTE

Device Group Name, Virtual System Name, Source Zones, Destination Zones, Source Addresses, Destination Addresses, Services, Applications, URL Categories, Tags, and Targets are optional parameters to run this command.

  • Run the List Device Groups command to obtain the Device Group Name. Device Group Names can be found in the raw data at $.result.entry[*]['@name'].

  • Run the List Virtual Systems command to obtain the Virtual System Name. Virtual System Names can be found in the raw data at $.result.entry[*]['@name'].

  • Run the List Zones command to obtain the Source Zones. Source Zones can be found in the raw data at $.result.entry[*]['@name'].

  • Run the List Zones command to obtain the Destination Zones. Destination Zones can be found in the raw data at $.result.entry[*]['@name'].

  • Run the List Addresses or List Address Groups commands to obtain the Source Addresses. Source Addresses can be found in the raw data at $.result.entry[*]['@name'] for both reference commands.

  • Run the List Addresses or List Address Groups commands to obtain the Destination Addresses. Destination Addresses can be found in the raw data at $.result.entry[*]['@name'] for both reference commands.

  • Run the List Services command to obtain the Services. Services can be found in the raw data at $.result.entry[*]['@name'].

  • Run the List Applications command to obtain the Applications. Applications can be found in the raw data at $.result.entry[*]['@name'].

  • Run the List Custom URL Categories command to obtain the URL Categories. URL Categories can be found in the raw data at $.result.entry[*]['@name'].

  • Run the List Tags command to obtain the Tags. Tags can be found in the raw data at $.result.entry[*]['@name'].

  • Run the List Connected Firewall Devices command to obtain the Targets.

Input

Input Parameter

Required/Optional

Description

Example

Location

Optional

The location of the security rule. The parameter is exclusively for the Panorama instance. Valid options are:

  • Device Group

  • Shared

By default, the Panorama instance value is Device Group.

Device Group

Pre or Post Rule

Optional

Whether the rule is a pre-rule or a post-rule. Panorama evaluates pre-rules before the firewall's locally configured rules and post-rules after them. The parameter is exclusively for the Panorama instance and is mandatory for the Panorama instance.

Pre-Rule

Device Group Name

Optional

The device group name for which to update the security policy rule. The parameter is exclusively for the Panorama instance and is mandatory when the location is set to Device Group.

Device Group Name can be obtained using the List Device Groups command.

D3DeviceGroup

Virtual System Name

Optional

The virtual system name for which to update the security policy rule. The parameter is exclusively for the Firewall instance and is mandatory for the Firewall instance.

Virtual System Name can be obtained using the List Virtual Systems command.

vsys1

Rule Name

Optional

The name of the security rule to update. The maximum length of the name is 63 characters.

rulename_001

Description

Optional

The updated description of the security rule. The maximum length of the description is 1023 characters.

A new security rule was added.

Action

Optional

The action for the security rule. Available options are:

  • Allow

  • Deny

  • Drop

  • Reset Client

  • Reset Server

  • Reset Both

By default, the value is Allow.

Allow

Source Zones

Optional

The list of zone names to add to the security rule as the source.

Source Zone can be obtained using the List Zones command.

By default, the value is "any".

JSON
["DemoDmzZone"]

Destination Zones

Optional

The list of zone names to add to the security rule as the destination.

Destination Zone names can be obtained using the List Zones command.

By default, the value is "any".

JSON
["l3-untrust"]

Source Addresses

Optional

The list of address names or address group names to add to the security rule as the source address.

Source Addresses can be obtained using the List Addresses or List Address Groups commands.

By default, the value is "any".

JSON
["testDynamicGroup2", "suspiciousip1"]

Destination Addresses

Optional

The list of address names or address group names to add to the security rule as the destination address.

Destination Addresses can be obtained using the List Addresses or List Address Groups commands.

By default, the value is "any".

JSON
["suspicious_group", "suspiciousurl3"]

Source Users

Optional

The list of user names to add to the security rule. User names can be obtained through the GUI path DEVICE > Local User Database > Users.

JSON
["DemoUser"]

Services

Optional

The list of service names to add to the security rule. Services can be obtained using the List Services command.

By default, the value is "application-default".

JSON
["service-http"]

Applications

Optional

The list of application names to add to the security rule.

Application can be obtained using the List Applications command.

By default, the value is "any".

JSON
["DemoApp"]

URL Categories

Optional

The list of URL category names to be added to the security rule.

URL Categories can be obtained using the List Custom URL Categories command.

JSON
["URLCategory1"]

Tags

Optional

The list of tags to be assigned to the security rule. The maximum length of each tag is 63 characters.

Tags can be obtained using the List Tags command.

JSON
["tag1"]

Targets

Optional

The list of target firewall devices to be specified in the security rule. This parameter is exclusively for the Panorama instance.

Targets can be obtained using the List Connected Firewall Devices command.

CODE
{"negate": "no"}

Negate Source

Optional

Whether to negate the source address or address group.

By default, the value is False.

False

Negate Destination

Optional

Whether to negate the destination address or address group.

By default, the value is False.

False

Rule Type

Optional

The type of security rule. Available options are:

  • Universal

  • Intrazone

  • Interzone

By default, the value is Universal.

Universal

Profile Setting

Optional

The profile settings for the security rule. The value can be profiles or group objects.

For the detailed syntax, refer to the API document: <{Server URL}/restapi-doc/#tag/policies-security-rules/paths/~1restapi~1v10.0~1Policies~1SecurityRules/post>.

Payload

Optional

The free-form payload for updating the rule. By default, the command generates the payload from the other parameters. When a payload is provided, the command ignores the other parameters and sends only the provided payload.
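The following is an added example, not D3 SOAR's or Palo Alto Networks' own code. It assembles a security-rule body from the parameters above, applying the documented defaults ("any" for zones, addresses and applications, "application-default" for services), the length limits, and the rule that a caller-supplied Payload replaces everything else. The "entry" / "member" / "negate-source" / "profile-setting" / "target" key layout is the author's reading of the PAN-OS REST SecurityRules schema, not something the page states, so check it against the restapi-doc link under Profile Setting. The lint_rule function is the author's own review check, not a feature of the command: because every list parameter defaults to "any", an Allow rule updated with the defaults left in place becomes an allow-anything rule, which is worth catching before the commit.

```python
# Option labels from the page, mapped to API values (assumed PAN-OS REST schema).
ACTIONS = {
    "Allow": "allow", "Deny": "deny", "Drop": "drop",
    "Reset Client": "reset-client", "Reset Server": "reset-server",
    "Reset Both": "reset-both",
}
RULE_TYPES = {"Universal": "universal", "Intrazone": "intrazone", "Interzone": "interzone"}


def _members(values, default):
    """PAN-OS list fields are {'member': [...]}; an empty input takes the default."""
    return {"member": list(values) if values else [default]}


def _yesno(flag):
    return "yes" if flag else "no"


def build_security_rule(rule_name, action="Allow", description="", source_zones=(),
                        destination_zones=(), source_addresses=(), destination_addresses=(),
                        source_users=(), services=(), applications=(), url_categories=(),
                        tags=(), targets=None, negate_source=False, negate_destination=False,
                        rule_type="Universal", profile_setting=None, payload=None):
    """Return the request body; a caller-supplied payload wins, as the page describes."""
    if payload is not None:
        return payload
    if not rule_name or len(rule_name) > 63:
        raise ValueError("rule name is required and limited to 63 characters")
    if len(description) > 1023:
        raise ValueError("description exceeds 1023 characters")
    if any(len(t) > 63 for t in tags):
        raise ValueError("each tag is limited to 63 characters")
    entry = {
        "@name": rule_name,
        "action": ACTIONS[action],
        "rule-type": RULE_TYPES[rule_type],
        "from": _members(source_zones, "any"),
        "to": _members(destination_zones, "any"),
        "source": _members(source_addresses, "any"),
        "destination": _members(destination_addresses, "any"),
        "source-user": _members(source_users, "any"),
        "service": _members(services, "application-default"),
        "application": _members(applications, "any"),
        "category": _members(url_categories, "any"),
        "negate-source": _yesno(negate_source),
        "negate-destination": _yesno(negate_destination),
    }
    if description:
        entry["description"] = description
    if tags:
        entry["tag"] = {"member": list(tags)}
    if targets is not None:  # Panorama only, e.g. {"negate": "no"}
        entry["target"] = targets
    if profile_setting:  # profiles or a group object, per the restapi-doc syntax
        entry["profile-setting"] = profile_setting
    return {"entry": entry}


def lint_rule(body):
    """Warnings a reviewer would want before the rule is committed (author's own checks)."""
    e = body["entry"]

    def is_any(field):
        return e[field]["member"] == ["any"]

    warnings = []
    if e["action"] == "allow" and is_any("source") and is_any("destination") and is_any("application"):
        warnings.append("allow rule with any source, destination and application")
    if e["action"] == "allow" and e["service"]["member"] == ["any"]:
        warnings.append("allow rule with service 'any' instead of application-default")
    if e["negate-source"] == "yes" and is_any("source"):
        warnings.append("negate-source set while source is 'any'")
    if e["negate-destination"] == "yes" and is_any("destination"):
        warnings.append("negate-destination set while destination is 'any'")
    return warnings


if __name__ == "__main__":
    # Block rule built from the page's own example values.
    block = build_security_rule("rulename_001", "Deny",
                                source_addresses=["testDynamicGroup2", "suspiciousip1"],
                                destination_zones=["l3-untrust"], tags=["tag1"])
    print(block["entry"]["action"], lint_rule(block))
    # An "Allow" update with every list left at its default.
    print(lint_rule(build_security_rule("rulename_002", "Allow")))
```

The second call prints the allow-anything warning; the first prints none. Run lint_rule on the generated body before the playbook sends it, and on a free-form Payload too, since that path bypasses the parameter defaults entirely.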

Output

To view the sample output data for all commands, refer to this article.

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Update Security Rule failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Palo Alto Networks PAN-OS portal. Refer to the HTTP Status Code Registry for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Bad Request

Error Sample Data

Update Security Rule failed.

Status Code: 400.

Message: Bad Request

Update Tag

Updates a tag.

READER NOTE

Device Group Name and Virtual System Name are optional parameters used to run this command.

  • Run the List Device Groups - Panorama command to obtain the Device Group Name. Device Group Names can be found in the raw data at the path $.result.entry[*]['@name'].

  • Run the List Virtual Systems - Firewall command to obtain the Virtual System Name. Virtual System Names can be found in the raw data at the path $.result.entry[*]['@name'].

Input

Input Parameter

Required/Optional

Description

Example

Location

Optional

The location of the tag. The parameter is exclusively for the Panorama instance. Valid options are:

  • Device Group

  • Shared

By default, the value for the Panorama instance is Device Group.

Shared

Device Group Name

Optional

The device group name for which to update the tag. The parameter is exclusively for the Panorama instance and is mandatory only when the location is set to Device Group.

Device Group Name can be obtained using the List Device Groups command.

D3DeviceGroup

Virtual System Name

Optional

The virtual system name for which to update the tag. The parameter is exclusively for the Firewall instance and is mandatory for the Firewall instance.

Virtual System Name can be obtained using the List Virtual Systems command.

vsys1

Tag Name

Required

The name of the tag to update. The maximum length of the name is 127 characters.

tag1

Color

Optional

The tag color. The value is a color identifier in the format colorX, where X is an integer between 1 and 42.

1

Comments

Optional

The tag comment. The maximum length of the comment is 1023 characters.

malware

Output

To view the sample output data for all commands, refer to this article.

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Update Tag failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Palo Alto Networks PAN-OS portal. Refer to the HTTP Status Code Registry for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Bad Request

Error Sample Data

Update Tag failed.

Status Code: 400.

Message: Bad Request

Test Connection

Allows you to perform a health check on an integration connection. You can schedule a periodic health check by selecting Connection Health Check when editing an integration connection.

Input

N/A

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

SAMPLE DATA

CODE
Successful

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Test Connection failed. Failed to check the connector.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Palo Alto Networks PAN-OS portal. Refer to the HTTP Status Code Registry for details.

Status Code: 403.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Invalid Credential.

Error Sample Data

Test Connection failed. Failed to check the connector.

Status Code: 403.

Message: Invalid Credential.
