On August 11, 2023, Cisco announced that Cisco SecureX will go end-of-life on July 31, 2024. The content in this GitHub repository will not be actively maintained following this announcement.

Block URL, IP, or Domain

Workflow #0049

Response Workflow

This workflow blocks a URL, IP, or domain name in Palo Alto Panorama by adding it to a URL category or address group and then updating a security policy pre rule. Supported observables: ip, ipv6, url, domain



Change Log

| Date | Notes |
| --- | --- |
| Nov 3, 2021 | Initial release |
| Sep 7, 2022 | Minor updates to naming and descriptions |

See the Important Notes page for more information about updating workflows


Requirements


Workflow Steps

  1. Validate the input and make sure the observable is supported
  2. Is the observable a URL or domain?
    • Make sure a URL category was provided (if not, log an error)
    • Add the URL to the URL category (if that fails, log an error)
    • Update the security policy pre rule with the URL category (if that fails, log an error)
  3. Is the observable an IP address?
    • Make sure an address group was provided (if not, log an error)
    • Check if an existing address object exists for this observable:
      • If it does, add it to the address group
      • If it doesn’t, create a new address object and add it to the address group
    • Update the security policy pre rule with the address group (if that fails, log an error)
  4. Compile the workflow results and send a Microsoft Teams message

Configuration

  • Set the Address Group Name local variable to the name of the address group to add address objects to
  • Set the API Key local variable to your Palo Alto Panorama API key
  • Set the Custom URL Category Name local variable to the name of the URL category to add URLs and domains to
  • Set the Device Group Name local variable to the name of the device group to manage objects for. This is only required when Location is set to device-group
  • Set the Location local variable to the availability zone of the objects. Valid values include: shared, device-group. If you use device-group, you must provide a Device Group Name
  • Set the Security Policy Pre Rule Name local variable to the name of the security policy pre rule to make changes to
  • If you want to change the name of this workflow in the pivot menu, change its display name
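The validation and branching in workflow steps 1 to 3, combined with the configuration rules above, as an added Python example that is not part of the original workflow. It makes no Panorama API calls and only returns the planned steps or the errors that would be logged; `plan_block` and the `cfg` dict (keyed by the local variable names above) are hypothetical.

```python
import ipaddress

SUPPORTED = {"ip", "ipv6", "url", "domain"}   # observable types listed on the page
LOCATIONS = {"shared", "device-group"}        # valid Location values from the page


def plan_block(obs_type, value, cfg):
    """Return (steps, errors) for one observable, mirroring workflow steps 1-3.

    cfg is a hypothetical dict keyed by the page's local variable names.
    """
    errors, steps = [], []
    if obs_type not in SUPPORTED:
        return steps, [f"unsupported observable type: {obs_type}"]
    if not value or any(c.isspace() for c in value):
        return steps, ["observable value is empty or contains whitespace"]

    location = cfg.get("Location")
    if location not in LOCATIONS:
        errors.append(f"invalid Location: {location!r}")
    elif location == "device-group" and not cfg.get("Device Group Name"):
        errors.append("Device Group Name is required when Location is device-group")
    if not cfg.get("Security Policy Pre Rule Name"):
        errors.append("Security Policy Pre Rule Name is not set")

    if obs_type in ("url", "domain"):
        category = cfg.get("Custom URL Category Name")
        if not category:
            errors.append("no URL category provided")
        steps = [f"add {value} to URL category {category}",
                 f"update pre rule with URL category {category}"]
    else:
        group = cfg.get("Address Group Name")
        if not group:
            errors.append("no address group provided")
        try:
            addr = ipaddress.ip_address(value)
            want = 4 if obs_type == "ip" else 6
            if addr.version != want:
                errors.append(f"{value} is not a valid {obs_type} address")
        except ValueError:
            errors.append(f"{value} is not an IP address")
        steps = ["look up existing address object, create one if missing",
                 f"add address object for {value} to address group {group}",
                 f"update pre rule with address group {group}"]
    return ([] if errors else steps), errors
```

Steps are returned only when every check passes, so a missing category, group, or device group stops the change before any policy object is touched.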

Targets

Note: If your Panorama instance is on-premises and not accessible from the internet, you will need a SecureX orchestration remote to use it with orchestration.

Target Group: Default TargetGroup

| Target Name | Type | Details | Account Keys | Notes |
| --- | --- | --- | --- | --- |
| Palo Alto Panorama | HTTP Endpoint | Protocol: HTTPS; Host: your-panorama-instance; Path: restapi | None | If you use a self-signed certificate, disable certificate validation on the target |
| Microsoft Teams Webhook | HTTP Endpoint | Protocol: HTTPS; Host: your-tenant.webhook.office.com; Path: /the-rest-of-the-webhook-url | None | |