Host Firewall API

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Host Firewall API

L2 Linker

Has anyone had any luck adding IPs to the XDR host firewall via API?

It seems like this would be a great function to have. (Looking at you Palo Alto DEVs)

 

I've also looked at:

Adding IPs to an IOC - but IOCs cannot be added to custom blocking rules in a policy

I've also looked at adding IPs to BIOCs using the above API, but it is only used for adding JSON or CSV to IOCs.

 

Does anyone have a reasonable method for adding IPs or other IOCs to a blocking profile/ policy via API or in an automated fashion?

3 REPLIES 3

L4 Transporter

Hello @CJNTS 

 

Thanks for reaching out on LiveCommunity!

Currently there is no API available for uploading IPs directly to host firewall rule. You can raise a feature request for it. As an alternate you can utilise External Dynamic List in order to control user access to IP addresses and domains using Palo Alto Network firewalls.  To add IPs you can use Add to EDL option from the Actions menu that is available from investigation pages such as the Incidents View, Causality View, IP View, or Quick Launcher. For more information on EDL please follow below link.

https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Manage-Exte...

 

Please click Accept as Solution to acknowledge that the answer to your question has been provided.

 

I agree, and we are already doing this.

We wanted more granular control in the case that a rogue machine was on the same subnet and did not have to traverse a firewall.

 

I will submit a feature request, but wanted to confirm there was not a way to accomplish this first.

@CJNTS 

We do have a somewhat similar feature request in already:

  • CXDR-I-21073 Allow the use of [IP,Domain] IOCs in restriction profiles

Basically, adding IP or domains to a restriction profile, effectively blocking them that way without relying on the host firewall.

It can be done by hash for files, I don't see why it can't be done for IPs. Since Cortex is doing deeppacket inspection anyway...

 

 

  • 1095 Views
  • 3 replies
  • 2 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!