Configure Simple Response for Palo Alto NGFW: Block External IP Address

Configure a Palo Alto NGFW: Block External IP Address simple response to block IP addresses with Palo Alto Next-Generation Firewall (NGFW) based on Alert Logic's recommendations. The response applies a tag to each IP address; the tag blocks nothing on its own. You then reference the tag in a dynamic address group used by a firewall policy, and it is that policy that blocks the IP addresses.

A typical use case for this response is to reduce opportunities for an identified attacker to probe your network further.

Complete the following steps to successfully configure this simple response:

  1. (Optional) Create an exclusion list
  2. Choose the response
  3. Connect to Palo Alto Networks NGFW
  4. (Optional) Apply exclusions
  5. Choose when to respond
  6. Use the tag in a Palo Alto Networks NGFW policy

(Optional) Create an exclusion list

If you want your automation to exclude specific IP addresses, the IP addresses must be defined in one or more exclusion lists. For example, you can create lists of IP addresses for services such as public addresses of your data centers, VPN endpoints, and external scanners. During the simple response creation process, a step is available to apply exclusion lists to your automation. If a list you want to apply does not exist already, use the instructions in Exclusions to create it now.

Choose the response

  1. In the Alert Logic console, click the navigation menu icon, click Respond, and then click Automated Response.
  2. On the Simple Responses page, click the add icon, and then, under Palo Alto NGFW: Block External IP Address, click START.

Connect to Palo Alto Networks NGFW

This response requires a Palo Alto Networks NGFW connection that grants Alert Logic access to tag IP addresses. In the Connect step, name your response and connect to Palo Alto Networks NGFW as follows.

To connect to Palo Alto Networks NGFW:

  1. In Response Name, enter a descriptive name for your simple response (example: Block Attacker IP Address).
  2. If you already have a Palo Alto Networks NGFW connection that grants Alert Logic permission to perform this response, leave Use an existing connection selected, and then select the connection in Connection. You can use the search bar to help you find the connection.
  3. If you do not have a Palo Alto Networks NGFW connection that grants Alert Logic permission to perform this response, click Create a connection, and then complete the instructions in Create a Palo Alto Networks NGFW connection to set it up.
  4. In Tag, enter the tag that you want the response to apply to each IP address (example: Alert Logic Block). The response creates the tag if it does not exist already.
    The firewall uses the tag to add the IP address to your dynamic address group. The tag also appears with the IP address in the IP-tag logs in your Palo Alto Networks NGFW instance. For more information, see the vendor documentation listed in the technical reference section.
  5. In Expiration in Seconds, enter the number of seconds before you want Alert Logic to deactivate the block, or keep the default value of 604800 (7 days). When the block is deactivated the tag is removed, so the IP address drops out of the dynamic address group and is no longer matched by the policy.
  6. Click TEST to run a test that checks the configuration without performing the response. The test might take one to two minutes to complete. Results appear in a message.
    • If the result is Succeeded, continue to the next step in this procedure.
    • If the result is Failed, use the listed errors to assist with troubleshooting. If necessary, you can click EDIT CONNECTION above Connection, and then use the information in Create a Palo Alto Networks NGFW connection to check and fix the connection. For further assistance with troubleshooting, see Troubleshooting tips.
  7. If you want the simple response to be active, leave Response is active turned on. Turn it off if you want to save the configuration but not activate the response yet.
  8. Click NEXT to continue to the Apply Exclusions step.

Create a Palo Alto Networks NGFW connection

A Palo Alto Networks Next-Generation Firewall (NGFW) connection securely stores reusable authentication credential information for integrations between Alert Logic and your Palo Alto Networks NGFW. To create the connection, Alert Logic requires the following information about your Palo Alto Networks NGFW instance:

  • Hostname or IP address—Hostname or IP address of the Palo Alto Networks NGFW instance that you want Alert Logic to access.
  • API username and password or API key—Administrative credentials or API key of the authentication user that allows Alert Logic to access Palo Alto Networks NGFW through a call to the API. Alert Logic recommends that you set up a dedicated user, rather than use one that is shared by human users or other software integrations. Give that user only the permissions the tagging call needs (PAN-OS admin role profiles can restrict which XML API operations an account may perform), so that a leaked key or password cannot be used to change the firewall configuration.

This connection also requires an Alert Logic IDS appliance. You specify a network where your appliance is located, and Alert Logic chooses the appropriate appliance to connect to the specified hostname or IP address. Choosing the network instead of a specific appliance prevents you from needing to update the connection as appliances are added to or removed from the network. The IDS appliances in the selected network must be able to connect to the firewall using the TCP port selected, 443 by default. Any routing, network segmentation, cloud security groups, and other network access controls must allow outbound communication from all IDS appliances in the selected network to the firewall.

Alert Logic provides the following steps to help you create the connection. For further questions about the steps performed in Palo Alto NGFW, contact Palo Alto support, or refer to the vendor documentation listed in the technical reference section.

  1. (Optional) Generate an API key for Palo Alto Networks NGFW access
  2. Create the connection in the Alert Logic console

(Optional) Generate an API key for Palo Alto Networks NGFW access

A connection to Palo Alto Networks NGFW can use a PAN-OS XML API key. If you want to configure the connection to use the credentials of the administrative user instead, you can skip this procedure.

To generate your API key:

  1. In a command shell, make a GET or POST request to the hostname or IP address of the Palo Alto Networks NGFW using the administrative credentials and type=keygen:
    curl -k -X GET 'https://<firewall>/api/?type=keygen&user=<username>&password=<password>'

    or

    curl -k -X POST 'https://<firewall>/api/?type=keygen&user=<username>&password=<password>'

    Two cautions: -k disables TLS certificate verification, so use it only when you are certain you are talking to your own firewall (prefer trusting the firewall's management certificate instead), and credentials placed in the URL are recorded in shell history and can appear in proxy logs. Clear the history entry afterwards, or send the credentials in the request body rather than the query string.
  2. Copy the returned key to a text editor for use later. A successful API call returns status="success" along with the API key within the key element:
    <response status="success">
      <result>
        <key>gJlQWE56987nBxIqyfa62sZeRtYuIo2BgzEA9UOnlZBhU==</key>
      </result>
    </response>

For more information about generating an API key, what happens if you generate another key for a user with an existing key, and how to revoke API keys, see the Palo Alto Networks document Get Your API Key.

If you revoke the key or it expires, you must repeat this procedure to generate a new API key, and then edit the connection to use the new key. For more information about API key expiration, see the Palo Alto Networks document Configure API Key Lifetime.
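The page does not show the API calls that the connection and the response make against the firewall. The following is an added example, not Alert Logic's or Palo Alto Networks' code, that builds those calls offline with the PAN-OS XML API: the keygen request from the procedure above (credentials in the POST body rather than the query string), parsing of the keygen response including the failure case, an exclusion check of the kind described under Create an exclusion list, and the user-id message that registers a tag on an IP address with the expiration from the Connect step. The hostname fw.example.net, the username al-api, the sample responses and the exclusion CIDRs are constructed; the claim that Alert Logic uses exactly this message is an assumption, since the page only says the response applies a tag with an expiration.

```python
# Added example (not Alert Logic's or Palo Alto's code): the PAN-OS XML API
# calls behind the procedure, built offline. Host, user and key are assumed.
import ipaddress
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

MAX_IP_TAG_TIMEOUT = 2592000   # PAN-OS caps an IP-tag timeout at 30 days
DEFAULT_EXPIRATION = 604800    # the page's default: 7 days


def keygen_request(firewall, username, password, port=443):
    """URL and POST body for type=keygen. Credentials go in the body, not the
    query string, so they stay out of shell history and proxy access logs."""
    url = f"https://{firewall}:{port}/api/"
    body = urlencode({"type": "keygen", "user": username, "password": password})
    return url, body


def parse_keygen_response(xml_text):
    """Return the key from a keygen response, or raise when status != success."""
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        detail = root.findtext(".//msg") or root.findtext(".//line") or "no detail"
        raise RuntimeError(f"keygen failed (code {root.get('code')}): {detail}")
    key = root.findtext("./result/key")
    if not key:
        raise RuntimeError("keygen succeeded but returned no <key> element")
    return key


def is_excluded(ip, exclusion_networks):
    """True if ip falls inside any exclusion CIDR (the page's exclusion lists)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in exclusion_networks)


def build_ip_tag_message(ip, tag, timeout_seconds=DEFAULT_EXPIRATION, register=True):
    """<uid-message> that registers (or unregisters) tag on ip. On register the
    member carries a timeout, so the firewall drops the tag by itself on expiry."""
    addr = ipaddress.ip_address(ip)   # rejects hostnames and malformed input
    if not 0 <= timeout_seconds <= MAX_IP_TAG_TIMEOUT:
        raise ValueError(f"timeout must be 0..{MAX_IP_TAG_TIMEOUT} seconds")
    msg = ET.Element("uid-message")
    ET.SubElement(msg, "type").text = "update"
    payload = ET.SubElement(msg, "payload")
    action = ET.SubElement(payload, "register" if register else "unregister")
    entry = ET.SubElement(action, "entry", ip=str(addr))
    member = ET.SubElement(ET.SubElement(entry, "tag"), "member")
    if register:
        member.set("timeout", str(timeout_seconds))
    member.text = tag
    return ET.tostring(msg, encoding="unicode")


def user_id_request(firewall, api_key, uid_message, port=443):
    """URL and POST body for type=user-id; the key is sent in the body as well."""
    url = f"https://{firewall}:{port}/api/"
    body = urlencode({"type": "user-id", "key": api_key, "cmd": uid_message})
    return url, body


def plan_block(ip, tag, exclusion_networks, timeout_seconds=DEFAULT_EXPIRATION):
    """What the response would do for one attacker IP: None if the address is
    excluded, otherwise the register message to send."""
    if is_excluded(ip, exclusion_networks):
        return None
    return build_ip_tag_message(ip, tag, timeout_seconds)


# Constructed sample responses (shape follows the PAN-OS docs; values are made up).
SAMPLE_KEYGEN_OK = """<response status="success"><result>
<key>gJlQWE56987nBxIqyfa62sZeRtYuIo2BgzEA9UOnlZBhU==</key></result></response>"""
SAMPLE_KEYGEN_FAIL = """<response status="error" code="403"><result>
<msg>Invalid Credential</msg></result></response>"""
EXCLUSIONS = ["198.51.100.0/24", "192.0.2.10/32"]   # constructed: VPN endpoints, a scanner

if __name__ == "__main__":
    key = parse_keygen_response(SAMPLE_KEYGEN_OK)
    for ip in ("203.0.113.7", "198.51.100.10"):
        msg = plan_block(ip, "Alert Logic Block", EXCLUSIONS)
        if msg is None:
            print(ip, "excluded, not tagged")
        else:
            url, body = user_id_request("fw.example.net", key, msg)
            print(ip, "POST", url, body[:70] + "...")
```

Sending the request is left out so the block runs offline; with the real firewall you would POST body to url over a verified TLS connection and check for status="success" in the reply exactly as parse_keygen_response does for keygen. Note that the exclusion check runs before the tag is built, which is where the exclusion lists from step 1 take effect.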

Create the connection in the Alert Logic console

Next, go back to the Create a Simple Response page to enter information in the Connect step that grants Alert Logic access to perform the response.

To create the Palo Alto Networks NGFW connection in the Alert Logic console:

  1. In Connection Name, type a descriptive name for the connection (example: Palo Alto Networks NGFW Connection for Blocking an IP Address).
  2. In Hostname or IP address, type the hostname or IP address of the Palo Alto Networks NGFW instance that you want to connect to.
  3. In Port, leave the default TCP port number 443, the port on which the firewall's management interface accepts HTTPS API requests, or change it if your firewall listens on a custom port.
  4. Grant Alert Logic access to your Palo Alto Networks NGFW instance by providing either:

    1. API key—Click API key, and then paste the key you generated in (Optional) Generate an API key for Palo Alto Networks NGFW access in API key.

    2. Administrative user credentials—Click API username and password, and then enter the following information:

      • API username—Authentication user ID for PAN-OS XML API

      • API password—Password for the specified API username

  5. In Network ID, select the network that contains an Alert Logic IDS appliance that can connect to your Palo Alto Networks NGFW.
  6. Click SAVE.

(Optional) Apply exclusions

If you want to exclude IP addresses from the response, in Exclusion List(s), select one or more lists that define the exclusions. You can create exclusion lists from the Exclusions page if necessary, and then come back. For more information, see Exclusions.

After you choose one or more lists, or if you want to skip this step, click NEXT.

Choose when to respond

In this step, choose whether to request approval before Alert Logic runs the response each time. Alert Logic sends the request by email and the Alert Logic Mobile App. You can request approval from multiple users, such as members of your security team. The first user to answer determines whether the response is approved or rejected. Subsequent users who respond receive a message stating that the inquiry was responded to already.

In this step, you also choose the incident analytics that you want to trigger the response. You can respond to incidents generated from all analytics that Alert Logic recommends as triggers, or you can choose specific analytics.

To choose when to respond:

  1. If you do not want to require approval, click Do not require approval.
  2. If you want to require approval, click Send approval request, and then select one or more approval recipients in User(s). You can use the search bar to help you find names and email addresses.
    To improve traceability of approvals, Alert Logic recommends that you choose individuals rather than a distribution list.
  3. If you want to block external IP addresses detected in incidents generated from all analytics that Alert Logic recommends as triggers for this response, leave Respond to all recommended analytics selected. An example of a recommended analytic for this response is "{vendor} Possible Credential Stuffing Activity Detected from {attacker_ip}."
  4. If you prefer to choose from a list of all analytics available for this response type, click Choose analytics, and then select one or more analytics to use as triggers for the response. You can use the search bar to help you find analytics.
    To learn more about a specific analytic, you can find it in the Threat Intelligence Center. For more information, see Threat Intelligence Center.
  5. Click SAVE.

Use the tag in a Palo Alto Networks NGFW policy

The last step is to add a dynamic address group that references the tag you specified in Connect to Palo Alto Networks NGFW, and then use the dynamic address group in a firewall policy. For detailed instructions, see the Palo Alto Networks document Use Dynamic Address Groups in Policy.

Alert Logic recommends that you create an address group specifically for this simple response to use. This practice avoids confusion about who is managing additions and removals.
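The vendor document covers the address group and policy in the firewall UI. As an added example, not Alert Logic's or Palo Alto Networks' code, the block below builds the PAN-OS XML API configuration request for a dedicated dynamic address group whose match filter is the response tag (a tag containing spaces must be single-quoted in the filter), and parses the operational command that lists the IP addresses currently carrying a tag, which is how you confirm that a tagged address actually landed in the group. The vsys1 xpath and the shape of the registered-ip response are assumptions; the sample response is constructed.

```python
# Added example (not Alert Logic's or Palo Alto's code): dedicated dynamic
# address group on the response tag, plus a check of which IPs carry the tag.
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

# Assumed: a standalone firewall with a single vsys1; adjust for your device.
VSYS_XPATH = "/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']"


def dag_filter(tag):
    """Match filter for exactly one tag. Tags with spaces must be single-quoted."""
    if "'" in tag:
        raise ValueError("tag names containing a single quote are not supported here")
    return f"'{tag}'"


def dag_set_params(api_key, group_name, tag):
    """Parameters for type=config action=set that creates the dynamic address group."""
    if "'" in group_name or "]" in group_name:
        raise ValueError("group name would break the xpath predicate")
    return {
        "type": "config",
        "action": "set",
        "key": api_key,
        "xpath": f"{VSYS_XPATH}/address-group/entry[@name='{group_name}']",
        "element": f"<dynamic><filter>{dag_filter(tag)}</filter></dynamic>",
    }


def dag_set_request(api_key, group_name, tag):
    """POST body for the config call; a commit is still required afterwards."""
    return urlencode(dag_set_params(api_key, group_name, tag))


def registered_ip_request(api_key):
    """POST body for the op command equivalent to CLI 'show object registered-ip all'."""
    cmd = "<show><object><registered-ip><all/></registered-ip></object></show>"
    return urlencode({"type": "op", "key": api_key, "cmd": cmd})


def parse_registered_ips(xml_text, tag):
    """Map ip -> its tags for every entry that carries `tag`. Response shape assumed:
    <result><entry ip=...><tag><member>...</member></tag></entry>...</result>."""
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        raise RuntimeError(root.findtext(".//msg") or "op command failed")
    hits = {}
    for entry in root.iterfind(".//entry"):
        tags = [m.text for m in entry.iterfind("./tag/member")]
        if tag in tags:
            hits[entry.get("ip")] = tags
    return hits


# Constructed sample: one address tagged by the response, one tagged by something else.
SAMPLE_REGISTERED = """<response status="success"><result>
<entry ip="203.0.113.7"><tag><member>Alert Logic Block</member></tag></entry>
<entry ip="198.51.100.10"><tag><member>vpn-endpoint</member></tag></entry>
<count>2</count></result></response>"""

if __name__ == "__main__":
    print(dag_set_params("<key>", "AL-Blocked", "Alert Logic Block")["element"])
    print(parse_registered_ips(SAMPLE_REGISTERED, "Alert Logic Block"))
```

Keep the group dedicated to this response, as recommended above: if other integrations or administrators also tag addresses with the same tag name, the output of the registered-ip check no longer tells you who added an entry. The security rule that denies traffic from the group is ordinary policy and must sit above any rule that would otherwise allow the traffic.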

Troubleshooting tips

Here are common errors that can occur when you test the configuration and suggested troubleshooting steps.

Connection Attempt to host Timed Out or Connection Attempt to host Failed

Common causes of these errors include:

  • The IP address or hostname provided in the connection is incorrect.
  • The port provided in the connection is incorrect.
  • The firewall administration interface is not enabled on this host and port.
  • Intermediate firewalls are blocking connections, especially if the firewall is in a “DMZ” network.
  • No route exists from the appliance to the firewall.

To troubleshoot these errors:

  1. In the Create a Simple Response page, click EDIT CONNECTION, ensure the settings are correct, and then click TEST again. For more information, see Create a Palo Alto Networks NGFW connection.
  2. If the connection settings are correct, review the configuration of your firewalls and routing, and then click TEST again.

Technical reference

Simple response name

Palo Alto NGFW: Block External IP Address

Vendor documentation

For general information about IP-tag logs and how Palo Alto uses IP-tags in dynamic address groups, see: