Detect and Block Openclaw with XDR!?

SeanDeHarris — Thu, 12 Feb 2026 05:00:01 GMT

hello experts,

my company is using XDR Pro, we noticed the importance of colleagues may use Openclaw...
is there any way to detect or even block Openclaw from XDR or Firewall?

Thanks

SdG

Re: Detect and Block Openclaw with XDR!?

susekar — Thu, 12 Feb 2026 14:04:15 GMT

Hello @SeanDeHarris ,

Greetings for the day.

Yes, you can detect and block OpenClaw using a combination of Cortex XDR and Palo Alto Networks Next-Generation Firewalls (NGFW). While Cortex XDR does not natively support Layer 7 URL blocking at the agent level, it offers several mechanisms to identify and stop the application and its associated network traffic.

1. Detection and Blocking via Cortex XDR

Because the Cortex XDR agent focuses on endpoint behavior and execution rather than direct web filtering, you should use the following methods:

Block the Executable (Global Block List):

To prevent the software from running, identify the SHA256 hash of the OpenClaw executable and add it to the Global Block List in the Action Center.

Restriction Profiles:

You can use Restriction Profiles to block the application by its file path (for example: *\openclaw.exe).

Domain-type IOCs (Detection):

Although XDR cannot natively block the domain on its own, you can configure a Domain-type Indicator of Compromise (IOC) for openclaw.ai. This will generate an alert whenever an endpoint attempts to access that domain.

Host Firewall (IP-based):

You can use the Host Firewall module to block outbound traffic to the specific IP addresses associated with OpenClaw. Note that this is less effective if the service uses dynamic IP addresses.

2. Blocking via Palo Alto Networks Firewall (NGFW)

The firewall is the most effective tool for blocking the application's communication at the network perimeter.

URL Filtering:

Use a URL Filtering Profile to block access to the openclaw.ai domain directly.

External Dynamic Lists (EDL):

You can create or use an External Dynamic List (EDL) integrated with your firewall to block malicious or unapproved domains and URLs systematically.

App-ID

Check for a specific App-ID for OpenClaw (if available) to block the application traffic regardless of the port or protocol used.

3. Investigation and Visibility

With your XDR Pro license, you can leverage the following for better visibility:

XQL Search

Use the Query Builder (XQL) to search for network or DNS events related to OpenClaw across your environment.

Analytics

Ensure XDR Analytics is enabled to detect abnormal network behaviors or large data uploads that might be associated with unapproved AI tools.

If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution".

Thanks & Regards,
S. Subashkar Sekar

Re: Detect and Block Openclaw with XDR!?

TCoates — Wed, 18 Feb 2026 00:46:49 GMT

Update: Regarding the App-ID portion of Step 2, OpenClaw is available via ACE beginning 2/14/2026.

topic Detect and Block Openclaw with XDR!? in Cortex XDR Discussions

Detect and Block Openclaw with XDR!?

Re: Detect and Block Openclaw with XDR!?

1. Detection and Blocking via Cortex XDR

Block the Executable (Global Block List):

Restriction Profiles:

Domain-type IOCs (Detection):

Host Firewall (IP-based):

2. Blocking via Palo Alto Networks Firewall (NGFW)

URL Filtering:

External Dynamic Lists (EDL):

App-ID

3. Investigation and Visibility

XQL Search

Analytics

Re: Detect and Block Openclaw with XDR!?