02-11-2026 09:00 PM
Hello experts,
My company is using XDR Pro; we noticed the importance of colleagues may use Openclaw...
Is there any way to detect or even block Openclaw from XDR or the firewall?
Thanks
SdG
02-12-2026 06:04 AM
Hello @SeanDeHarris ,
Greetings for the day.
Yes, you can detect and block OpenClaw using a combination of Cortex XDR and Palo Alto Networks Next-Generation Firewalls (NGFW). While Cortex XDR does not natively support Layer 7 URL blocking at the agent level, it offers several mechanisms to identify and stop the application and its associated network traffic.
Because the Cortex XDR agent focuses on endpoint behavior and execution rather than direct web filtering, you should use the following methods:
- To prevent the software from running, identify the SHA256 hash of the OpenClaw executable and add it to the Global Block List in the Action Center.
- You can use Restriction Profiles to block the application by its file path (for example: *\openclaw.exe).
- Although XDR cannot natively block the domain on its own, you can configure a Domain-type Indicator of Compromise (IOC) for openclaw.ai. This will generate an alert whenever an endpoint attempts to access that domain.
- You can use the Host Firewall module to block outbound traffic to the specific IP addresses associated with OpenClaw. Note that this is less effective if the service uses dynamic IP addresses.
The firewall is the most effective tool for blocking the application's communication at the network perimeter.
- Use a URL Filtering Profile to block access to the openclaw.ai domain directly.
- You can create or use an External Dynamic List (EDL) integrated with your firewall to block malicious or unapproved domains and URLs systematically.
- Check for a specific App-ID for OpenClaw (if available) to block the application traffic regardless of the port or protocol used.
With your XDR Pro license, you can leverage the following for better visibility:
- Use the Query Builder (XQL) to search for network or DNS events related to OpenClaw across your environment.
- Ensure XDR Analytics is enabled to detect abnormal network behaviors or large data uploads that might be associated with unapproved AI tools.
If you feel this has answered your query, please let us know by clicking Like and "Mark this as a Solution".
Thanks & Regards,
S. Subashkar Sekar
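As an added illustration of the three endpoint indicators described in the answer above (domain IOC, path-based restriction and hash block list), the following script, which is not from the thread or from Palo Alto Networks, evaluates them offline over constructed sample events; the SHA256 value is a placeholder, not a real OpenClaw file hash.

```python
"""Offline evaluation of domain / path / hash indicators over constructed endpoint events."""
from dataclasses import dataclass
import fnmatch

# Indicators mirroring the answer. The hash is a constructed placeholder (assumption).
BLOCKED_DOMAINS = {"openclaw.ai"}
BLOCKED_PATH_GLOBS = ["*\\openclaw.exe"]
BLOCKED_SHA256 = {"0" * 64}  # placeholder, replace with the real hash you collected


@dataclass
class Event:
    host: str
    kind: str          # "dns" (queried name) or "process" (image path)
    value: str
    sha256: str = ""   # only meaningful for process events


def domain_matches(name: str, blocked: set) -> bool:
    """True when name equals a blocked domain or is a subdomain of it.
    Matching is label-aware, so 'notopenclaw.ai' does not match 'openclaw.ai'."""
    name = name.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in blocked)


def evaluate(events):
    """Return (host, indicator, value) findings in event order."""
    findings = []
    for e in events:
        if e.kind == "dns" and domain_matches(e.value, BLOCKED_DOMAINS):
            findings.append((e.host, "domain-ioc", e.value))
        elif e.kind == "process":
            # Hash match is checked first: renaming the file does not evade it.
            if e.sha256 and e.sha256.lower() in BLOCKED_SHA256:
                findings.append((e.host, "hash-block", e.value))
            elif any(fnmatch.fnmatch(e.value.lower(), g.lower()) for g in BLOCKED_PATH_GLOBS):
                findings.append((e.host, "path-restriction", e.value))
    return findings


SAMPLE_EVENTS = [  # constructed sample data
    Event("ws-01", "dns", "api.openclaw.ai."),
    Event("ws-02", "dns", "notopenclaw.ai"),
    Event("ws-03", "process", "C:\\Users\\a\\Downloads\\openclaw.exe"),
    Event("ws-04", "process", "C:\\Tools\\renamed.exe", sha256="0" * 64),
    Event("ws-05", "process", "C:\\Windows\\notepad.exe"),
]

if __name__ == "__main__":
    for finding in evaluate(SAMPLE_EVENTS):
        print(finding)
```

Only the hash and domain checks survive a renamed binary or a lookalike domain; the path glob alone is the weakest of the three, which is why the answer pairs it with the other indicators.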
02-17-2026 04:46 PM - edited 02-17-2026 04:46 PM
Update: Regarding the App-ID portion of Step 2, OpenClaw is available via ACE beginning 2/14/2026.