https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/host-firewall-api/m-p/574984#M5980 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/258598">@CJNTS</a>&nbsp;</P> <P>We do have a somewhat similar feature request in already:</P> <UL> <LI><STRONG>CXDR-I-21073 Allow the use of [IP,Domain] IOCs in restriction profiles</STRONG></LI> </UL> <P>Basically, adding IP or domains to a restriction profile, effectively blocking them that way without relying on the host firewall.</P> <P>It can be done by hash for files, I don't see why it can't be done for IPs. Since Cortex is doing deeppacket inspection anyway...</P> <P>&nbsp;</P> <P>&nbsp;</P> Tue, 30 Jan 2024 18:53:56 GMT Alexandre_Jodoin 2024-01-30T18:53:56Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/host-firewall-api/m-p/572161#M5858 <P>Has anyone had any luck adding IPs to the XDR host firewall via API?</P> <P>It seems like this would be a great function to have. (Looking at you Palo Alto DEVs)</P> <P>&nbsp;</P> <P>I've also looked at:</P> <P>Adding IPs to an IOC - <EM>but IOCs cannot be added to custom blocking rules in a policy</EM></P> <UL> <LI><A href="https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR-REST-API/Rule-Management" target="_blank">https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR-REST-API/Rule-Management</A></LI> </UL> <P>I've also looked at adding IPs to BIOCs using the above API, but it is only used for adding JSON or CSV to IOCs.</P> <P>&nbsp;</P> <P>Does anyone have a reasonable method for adding IPs or other IOCs to a blocking profile/ policy via API or in an automated fashion?</P> Mon, 08 Jan 2024 20:05:24 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/host-firewall-api/m-p/572161#M5858 CJNTS 2024-01-08T20:05:24Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/host-firewall-api/m-p/573180#M5888 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/258598">@CJNTS</a>&nbsp;</P> <P>&nbsp;</P> <P>Thanks for reaching out on LiveCommunity!</P> <P>Currently there is no API available for uploading IPs directly to host firewall rule. You can raise a feature request for it. As an alternate you can utilise&nbsp;<A href="https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Manage-External-Dynamic-Lists" target="_self">External Dynamic List</A>&nbsp;in order to control user access to IP addresses and domains using Palo Alto Network firewalls.&nbsp; To add IPs&nbsp;<SPAN>you can use&nbsp;</SPAN><STRONG><SPAN class="guilabel">Add to&nbsp;<SPAN class="proto-highlight">EDL</SPAN></SPAN></STRONG><SPAN>&nbsp;option from the&nbsp;</SPAN><SPAN class="guilabel">Actions</SPAN><SPAN>&nbsp;menu that is available from investigation pages such as the Incidents View, Causality View, IP View, or Quick Launcher. For more information on EDL please follow below link.</SPAN></P> <P><SPAN><A href="https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Manage-External-Dynamic-Lists" target="_blank">https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Manage-External-Dynamic-Lists</A></SPAN></P> <P>&nbsp;</P> <P><SPAN>Please click&nbsp;<STRONG>Accept as Solution</STRONG>&nbsp;to acknowledge that the answer to your question has been provided.</SPAN></P> <P>&nbsp;</P> Tue, 16 Jan 2024 13:22:01 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/host-firewall-api/m-p/573180#M5888 nsinghvirk 2024-01-16T13:22:01Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/host-firewall-api/m-p/573185#M5889 <P>I agree, and we are already doing this.</P> <P>We wanted more granular control in the case that a rogue machine was on the same subnet and did not have to traverse a firewall.</P> <P>&nbsp;</P> <P>I will submit a feature request, but wanted to confirm there was not a way to accomplish this first.</P> Tue, 16 Jan 2024 13:28:16 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/host-firewall-api/m-p/573185#M5889 CJNTS 2024-01-16T13:28:16Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/host-firewall-api/m-p/574984#M5980 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/258598">@CJNTS</a>&nbsp;</P> <P>We do have a somewhat similar feature request in already:</P> <UL> <LI><STRONG>CXDR-I-21073 Allow the use of [IP,Domain] IOCs in restriction profiles</STRONG></LI> </UL> <P>Basically, adding IP or domains to a restriction profile, effectively blocking them that way without relying on the host firewall.</P> <P>It can be done by hash for files, I don't see why it can't be done for IPs. Since Cortex is doing deeppacket inspection anyway...</P> <P>&nbsp;</P> <P>&nbsp;</P> Tue, 30 Jan 2024 18:53:56 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/host-firewall-api/m-p/574984#M5980 Alexandre_Jodoin 2024-01-30T18:53:56Z