Block URL, IP, or Domain
Workflow #0049
Response Workflow
This workflow blocks a URL, IP, or domain name in Palo Alto Panorama by adding it to a URL category or address group and then updating a security policy pre rule. Supported observables: ip, ipv6, url, domain
Change Log
Date | Notes |
---|---|
Nov 3, 2021 | - Initial release |
Sep 7, 2022 | - Minor updates to naming and descriptions |
See the Important Notes page for more information about updating workflows
Requirements
- The following system atomics are used by this workflow:
  - None
- The following atomic actions must be imported before you can import this workflow:
  - Microsoft Teams - Post Message via Webhook (CiscoSecurity_Atomics)
  - Palo Alto - Panorama - Add Address Object to Address Group (CiscoSecurity_Atomics)
  - Palo Alto - Panorama - Add URL to Custom URL Category (CiscoSecurity_Atomics)
  - Palo Alto - Panorama - Create Address Object (CiscoSecurity_Atomics)
  - Palo Alto - Panorama - Search Address Objects by Value (CiscoSecurity_Atomics)
  - Palo Alto - Panorama - Update Security Policy Pre Rule (CiscoSecurity_Atomics)
- The targets listed at the bottom of the page
- A webhook URL for the Microsoft Teams channel to post messages to (see: this page)
- Palo Alto Panorama
Workflow Steps
- Validate the input and make sure the observable is supported
- Is the observable a URL or domain?
  - Make sure a URL category was provided (if not, log an error)
  - Add the URL to the URL category (if that fails, log an error)
  - Update the security policy pre rule with the URL category (if that fails, log an error)
- Is the observable an IP address?
  - Make sure an address group was provided (if not, log an error)
  - Check if an existing address object exists for this observable:
    - If it does, add it to the address group
    - If it doesn’t, create a new address object and add it to the address group
  - Update the security policy pre rule with the address group (if that fails, log an error)
- Compile the workflow results and send a Microsoft Teams message
Configuration
- Set the Address Group Name local variable to the name of the address group to add address objects to
- Set the API Key local variable to your Palo Alto Panorama API key
- Set the Custom URL Category Name local variable to the name of the URL category to add URLs and domains to
- Set the Device Group Name local variable to the name of the device group to manage objects for. This is only required when Location is set to device-group
- Set the Location local variable to the availability zone of the objects. Valid values include: shared, device-group. If you use device-group, you must provide a Device Group Name
- Set the Security Policy Pre Rule Name local variable to the name of the security policy pre rule to make changes to
- If you want to change the name of this workflow in the pivot menu, change its display name
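The branching in the workflow steps, combined with the local variables above, can be dry-run offline with the following added Python example (it is not part of the workflow or of Cisco's atomics, and it makes no Panorama call). The `cfg` key names, the `existing_objects` stand-in for the address object search, the whitespace check on URLs and all sample values are assumptions.

```python
import ipaddress

SUPPORTED = {"ip", "ipv6", "url", "domain"}

def plan_block(obs_type, value, cfg, existing_objects):
    """Return the ordered (atomic action, argument) steps for one observable.

    cfg keys are hypothetical names for the workflow's local variables.
    existing_objects maps an address to an object name and stands in for the
    result of "Search Address Objects by Value"; no Panorama call is made.
    Raises ValueError where the workflow would log an error.
    """
    if obs_type not in SUPPORTED:
        raise ValueError(f"unsupported observable type: {obs_type}")
    if cfg.get("location") not in ("shared", "device-group"):
        raise ValueError("Location must be shared or device-group")
    if cfg["location"] == "device-group" and not cfg.get("device_group_name"):
        raise ValueError("device-group location needs a Device Group Name")
    rule = ("Update Security Policy Pre Rule", cfg["pre_rule_name"])

    if obs_type in ("url", "domain"):
        category = cfg.get("url_category_name")
        if not category:
            raise ValueError("no Custom URL Category Name provided")
        # Assumption: reject empty or whitespace-containing values before use.
        if not value or any(ch.isspace() for ch in value):
            raise ValueError(f"malformed {obs_type}: {value!r}")
        return [("Add URL to Custom URL Category", category), rule]

    group = cfg.get("address_group_name")
    if not group:
        raise ValueError("no Address Group Name provided")
    addr = ipaddress.ip_address(value)  # ValueError on anything but one address
    if addr.version != (4 if obs_type == "ip" else 6):
        raise ValueError(f"{value} is not a valid {obs_type} observable")
    steps = [("Search Address Objects by Value", str(addr))]
    if str(addr) not in existing_objects:
        # No matching object was found, so one is created before grouping.
        steps.append(("Create Address Object", str(addr)))
    steps.append(("Add Address Object to Address Group", group))
    return steps + [rule]

# Constructed sample configuration (documentation addresses and made-up names).
CFG = {"location": "shared", "device_group_name": "", "pre_rule_name": "Block-List",
       "url_category_name": "Blocked-URLs", "address_group_name": "Blocked-IPs"}

if __name__ == "__main__":
    for t, v in [("ip", "203.0.113.7"), ("domain", "bad.example"), ("ipv6", "2001:db8::1")]:
        print(t, v, plan_block(t, v, CFG, {"203.0.113.7": "known-host"}))
```
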
Targets
Note: If your Panorama instance is on-premises and not accessible from the internet, you will need a SecureX orchestration remote to use it with orchestration.
Target Group: Default TargetGroup
Target Name | Type | Details | Account Keys | Notes |
---|---|---|---|---|
Palo Alto Panorama | HTTP Endpoint | Protocol: HTTPS Host: your-panorama-instance Path: restapi | None | If you use a self-signed certificate, disable certificate validation on the target |
Microsoft Teams Webhook | HTTP Endpoint | Protocol: HTTPS Host: your-tenant.webhook.office.com Path: /the-rest-of-the-webhook-url | None |