This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Host Firewall API

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Host Firewall API

CJNTS
L2 Linker

‎01-08-2024 12:05 PM

Has anyone had any luck adding IPs to the XDR host firewall via API?

It seems like this would be a great function to have. (Looking at you Palo Alto DEVs)

 

I've also looked at:

Adding IPs to an IOC - but IOCs cannot be added to custom blocking rules in a policy

I've also looked at adding IPs to BIOCs using the above API, but it is only used for adding JSON or CSV to IOCs.

 

Does anyone have a reasonable method for adding IPs or other IOCs to a blocking profile/ policy via API or in an automated fashion?

3 REPLIES 3

nsinghvirk
L4 Transporter

‎01-16-2024 05:22 AM

Hello @CJNTS 

 

Thanks for reaching out on LiveCommunity!

Currently there is no API available for uploading IPs directly to host firewall rule. You can raise a feature request for it. As an alternate you can utilise External Dynamic List in order to control user access to IP addresses and domains using Palo Alto Network firewalls.  To add IPs you can use Add to EDL option from the Actions menu that is available from investigation pages such as the Incidents View, Causality View, IP View, or Quick Launcher. For more information on EDL please follow below link.

https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Manage-Exte...

 

Please click Accept as Solution to acknowledge that the answer to your question has been provided.

 

0 Likes Likes

CJNTS
L2 Linker
In response to nsinghvirk

‎01-16-2024 05:28 AM

I agree, and we are already doing this.

We wanted more granular control in the case that a rogue machine was on the same subnet and did not have to traverse a firewall.

 

I will submit a feature request, but wanted to confirm there was not a way to accomplish this first.

0 Likes Likes

Alexandre_Jodoin
L2 Linker

‎01-30-2024 10:53 AM

@CJNTS 

We do have a somewhat similar feature request in already:

  • CXDR-I-21073 Allow the use of [IP,Domain] IOCs in restriction profiles

Basically, adding IP or domains to a restriction profile, effectively blocking them that way without relying on the host firewall.

It can be done by hash for files, I don't see why it can't be done for IPs. Since Cortex is doing deeppacket inspection anyway...

 

 

0 Likes Likes
  • 605 Views
  • 3 replies
  • 2 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks