Configure Palo Alto Networks NGFW Connection

A Palo Alto Networks Next-Generation Firewall (NGFW) connection securely stores reusable authentication credential information for integrations between Alert Logic and your Palo Alto Networks NGFW. To create the connection, Alert Logic requires the following information about your Palo Alto Networks NGFW instance:

  • Hostname or IP address—Hostname or IP address of the Palo Alto Networks NGFW instance that you want Alert Logic to access.
  • API username and password or API key—Administrative credentials or API key of the authentication user that allows Alert Logic to access Palo Alto Networks NGFW through a call to the API. Alert Logic recommends that you set up a dedicated user, rather than use one that is shared by human users or other software integrations.

This connection also requires an Alert Logic IDS appliance. You specify a network where your appliance is located, and Alert Logic chooses the appropriate appliance to connect to the specified hostname or IP address. Choosing the network instead of a specific appliance prevents you from needing to update the connection as appliances are added to or removed from the network. The IDS appliances in the selected network must be able to connect to the firewall using the TCP port selected, 443 by default. Any routing, network segmentation, cloud security groups, and other network access controls must allow outbound communication from all IDS appliances in the selected network to the firewall.

Alert Logic provides the following steps to help you create the connection. For further questions about the steps performed in Palo Alto NGFW, contact Palo Alto support.

  1. (Optional) Generate an API key for Palo Alto Networks NGFW access
  2. Create the Palo Alto Networks NGFW connection in the Alert Logic console
  3. Use the connection in automated response

(Optional) Generate an API key for Palo Alto Networks NGFW access

A connection to Palo Alto Networks NGFW can use a PAN-OS XML API key. If you want to configure the connection to use the credentials of the administrative user instead, you can skip this procedure.

To generate your API key:

  1. In a command shell, make a GET or POST request to the hostname or IP address of the Palo Alto Networks NGFW using the administrative credentials and type=keygen:
    curl -k -X GET 'https://<firewall>/api/?type=keygen&user=<username>&password=<password>'                    

    or

    curl -k -X POST 'https://<firewall>/api/?type=keygen&user=<username>&password=<password>'
  2. Copy the returned key to a text editor for use later. A successful API call returns status="success" along with the API key within the key element:
    <response status="success">
      <result>
        <key>gJlQWE56987nBxIqyfa62sZeRtYuIo2BgzEA9UOnlZBhU==</key>
      </result>
    </response>
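
The keygen request above with the password sent in the POST body rather than the URL, certificate verification left on, and the key accepted only from a response that reports success. This is an added example, not Alert Logic or Palo Alto Networks code; the function names, the placeholder host and user, and the assumption that you have a CA file that validates the firewall's certificate are not from the original page.

```bash
#!/usr/bin/env bash
# Added example; function names and the CA-file assumption are not from the page.

# Read a keygen response on stdin and print the API key.
# Returns non-zero unless the response reports success and contains a <key>.
extract_api_key() {
    local xml key
    xml=$(cat)
    # Accept both status="success" and status = 'success' attribute spellings.
    if ! printf '%s' "$xml" |
         grep -Eq "<response[^>]*status *= *[\"']success[\"']"; then
        echo "keygen response did not report success" >&2
        return 1
    fi
    key=$(printf '%s' "$xml" | tr -d '\n' |
          sed -n 's:.*<key>\([^<]*\)</key>.*:\1:p')
    if [ -z "$key" ]; then
        echo "no <key> element in keygen response" >&2
        return 1
    fi
    printf '%s\n' "$key"
}

# Request a key for <user> on <firewall>.
#  - the password is prompted for, so it is not saved in shell history
#  - it reaches curl on stdin and is sent in the POST body, so it does not
#    appear in the request URL or in curl's argument list
#  - --cacert keeps TLS verification on instead of using -k
request_api_key() {
    local firewall=$1 user=$2 ca_file=$3 pass
    IFS= read -r -s -p "Password for ${user}: " pass
    echo >&2
    printf '%s' "$pass" |
        curl --silent --show-error --fail --cacert "$ca_file" \
             --data-urlencode "user=${user}" \
             --data-urlencode "password@-" \
             "https://${firewall}/api/?type=keygen" |
        extract_api_key
}

# Usage (hostname, user and paths are placeholders):
#   umask 077
#   request_api_key fw.example.internal alertlogic-svc ./fw-ca.pem > panos_api.key
```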

For more information about generating an API key, what happens if you generate another key for a user with an existing key, and how to revoke API keys, see the Palo Alto Networks document Get Your API Key.

If you revoke the key or it expires, you must repeat this procedure to generate a new API key, and then edit the connection to use the new key. For more information about API key expiration, see the Palo Alto Networks document Configure API Key Lifetime.

Create the Palo Alto Networks NGFW connection in the Alert Logic console

The next step is to create the Palo Alto Networks NGFW connection in the Alert Logic console.

To create a Palo Alto Networks NGFW connection:

  1. In the Alert Logic console, click the navigation menu icon, click Configure, and then click Connections.
  2. On the Connections page, click the add icon, and then click Palo Alto Networks NGFW.
  3. On the Create a Palo Alto Networks NGFW Connection page, type a descriptive name for the connection (example: Palo Alto Networks NGFW Connection).
  4. In Hostname or IP address, type the hostname or IP address of the Palo Alto Networks NGFW instance that you want to connect to.
  5. In Port, leave the default TCP port number 443 for secure incoming connection requests, or change it if you have a custom configuration.
  6. Grant Alert Logic access to your Palo Alto Networks NGFW instance by providing either:

    1. API key—Click API key, and then paste the key you generated in (Optional) Generate an API key for Palo Alto Networks NGFW access in API key.
    2. Administrative user credentials—Click API username and password, and then enter the following information:
      • API username—Authentication user ID for PAN-OS XML API
      • API password—Password for the specified API username
  7. In Network ID, select the network that contains an Alert Logic IDS appliance that can connect to your Palo Alto Networks NGFW.
  8. Click SAVE.

Use the connection in automated response

After you save the connection, you can use it for the simple response Palo Alto NGFW: Block External IP Address.

For more information about automated response, see Get Started with Automated Response.

Manage connections

You can view the list of connections and edit or delete an existing one. For more information, see Manage Connections.