Link Search Menu Expand Document

Request Threat Containment

Workflow #0050

Response Workflow

This workflow is designed to be triggered by ServiceNow in response to a new Firewall Rule Task. When triggered, it gets data from ServiceNow which is used to update rules in Palo Alto Panorama. If an address or service object for the given input is not found, new objects are created using the following naming convention:

  • SXo-DestinationAddressObject-{Timestamp}
  • SXo-SourceAddressObject-{Timestamp}
  • SXo-ServiceObject-{Timestamp}
While this workflow is listed as a response workflow, it won't work if triggered from a SecureX pivot menu. This workflow expects a JSON payload from ServiceNow and is only marked as a response workflow so it can be triggered using the SecureX response API

GitHub


Change Log

Date Notes
Nov 4, 2021 - Initial release

See the Important Notes page for more information about updating workflows


Requirements


Workflow Steps

  • Validate the input from ServiceNow and check for required inputs
  • Convert the input into a table we can loop through
  • For each object in the input:
    • Check if an address object exists for this item:
      • If it does, store its name in a local variable
      • If it doesn’t, create a new address object and store its name in a local variable
    • Add the address object to the configured address group
  • Check if a service object exists for this service:
    • If it does, store its name in a local variable
    • If it doesn’t, create a new service object and store its name in a local variable
  • Add the service object to the configure service group
  • Update the configured security policy pre rule with the address and service object
  • Post a work note with results to the ServiceNow firewall rule task

Configuration

  • Set the API Key local variable to your Palo Alto Panorama API key
  • Set the Destination Address Group Name local variable to the name of the address group to add the rule’s destination objects to
  • Set the Device Group Name local variable to the name of the device group to manage objects for. This is only required when Location is set to device-group
  • Set the Location local variable to the availability zone of the objects. Valid values include: shared, device-group. If you use device-group, you must provide a Device Group Name
  • Set the Security Policy Pre Rule Name local variable to the name of the security policy pre rule to make changes to
  • Set the Service Group Name local variable to the name of the service object group to add the rule’s service objects to
  • Set the Source Address Group Name local variable to the name of the address group to add the rule’s source objects to
  • If you want to change the name of this workflow in the pivot menu, change its display name

Targets

Note: If your Panorama instance is on-premises and not accessible from the internet, you will need a SecureX orchestration remote to use it with orchestration.

Target Group: Default TargetGroup

Target Name Type Details Account Keys Notes
Palo Alto Panorama HTTP Endpoint Protocol: HTTPS
Host: your-panorama-instance
Path: restapi
None If you use a self-signed certificate, disable certificate validation on the target
ServiceNow HTTP Endpoint Protocol: HTTPS
Host: <instance>.service-now.com
Path: /api
ServiceNow_Credentials Be sure to use your instance URL

Account Keys

Account Key Name Type Details Notes
ServiceNow_Credentials HTTP Basic Authentication Username: ServiceNow User ID
Password: ServiceNow Password
 

ServiceNow Configuration

Follow the steps below to configure ServiceNow to trigger this workflow when a Firewall Rule Task is created. The task will be updated with a work note showing the results of workflow execution.

Register OAuth Provider

  1. In ServiceNow, navigate to System OAuth > Application Registry
  2. Click New and select Connect to a third party OAuth Provider
  3. Fill in the following values:
    • Name: Name to uniquely identify the OAuth provider (for example: Cisco SecureX)
    • Client ID: The client ID for your SecureX API client (must have the response scope, see these instructions)
    • Client Secret: The secret for your SecureX API client
    • Token URL: OAuth server token endpoint
      • North America: https://visibility.amp.cisco.com/iroh/oauth2/token
      • Europe: https://visibility.eu.amp.cisco.com/iroh/oauth2/token
      • Asia Pacific: https://visibility.apjc.amp.cisco.com/iroh/oauth2/token
    • Default Grant Type: Client Credentials
    • Send Credentials: In Request Body (Form URL-Encoded)
  4. Click Submit in the upper right corner

Create a New REST Message

  1. In ServiceNow, navigate to System Web Services > REST Message
  2. Click New and fill in the following values:
    • Name: Enter a descriptive name for this message. (for example: Palo Alto - Create Policy Rule)
    • Endpoint: One of the following
      • North America: https://visibility.amp.cisco.com/iroh/iroh-response/
      • Europe: https://visibility.eu.amp.cisco.com/iroh/iroh-response/
      • Asia Pacific: https://visibility.apjc.amp.cisco.com/iroh/iroh-response/
  3. Under Authentication, select OAuth 2.0 for the Authentication type and set the OAuth profile to the profile you created in the previous section
  4. Click Submit
  5. Select the REST Message you just created from the list
  6. In the HTTP Methods section, click New
  7. Fill in the following values:
    • Name: Default POST
    • HTTP method: POST
    • Endpoint: https://visibility.amp.cisco.com/iroh/<action_URL> (see these instructions)
  8. Select Inherit from parent for the Authentication type
  9. Click Submit
  10. Select the Default POST method you just created
  11. Click New under Variable Substitutions
  12. Enter the name observable_value and click Submit
  13. Under HTTP Request, add the following HTTP Query Parameters:
    • observable_type: ip
    • observable_value: ${observable_value}
    • workflow_id: The ID of the Request Threat Containment workflow in your SecureX orchestration environment (this is shown in the browser URL when you have the workflow open in the workflow editor, for example: 01S95E2UAWP6G22rL4MPUgNjAPvF0lI7OkB)
  14. Click Update in the upper right corner

Create a New Business Rule

  1. In ServiceNow, navigate to System Definition > Business Rules
  2. Click New and fill in the following values:
    • Name: Enter a name for the business rule
    • Table: Change Request [change_request]
    • Advanced: Select this check box
    • Active: Select this check box
  3. Under When to run, check the Insert box and select after for the When box
  4. Under Filter Condition, set field to Task Type, oper to is, and value to Change Request
  5. Under Advanced, paste the following script into code section (be sure to enter the name of the REST Message you created earlier):
    (function executeRule(current, previous) {
     try {
         var rule_task = new GlideRecord("sn_disco_firewall_rule_task");
         rule_task.get("sys_id", current.parent);
    		
         data = {
             "Destination Host IP": rule_task.getValue("destination_ip"),
             "Source Host IP": rule_task.getValue("source_ip"),
             "Access Action": rule_task.getValue("action"),
             "Protocol": rule_task.getValue("protocol"),
             "ServiceNow Task ID": rule_task.getValue("sys_id"),
             "Destination Port": rule_task.getValue("destination_port")
         };
    		
         var r = new sn_ws.RESTMessageV2("<name of your REST message>", "Default POST");
         r.setStringParameterNoEscape("observable_value", JSON.stringify(data));
         var response = r.execute();
         var responseBody = response.getBody();
         var httpStatus = response.getStatusCode();
     } catch (ex) {
         var message = ex.message;
     }
    })(current, previous);
    
  6. Click Submit

Now, when a firewall rule task is created, the SecureX orchestration workflow should run. See this page for more information about ServiceNow firewall requests