Infoblox Integration with Palo Alto Networks Firewall 2.0 – Deployment Guide & Templates
We are excited to bring you the latest integration with the Palo Alto Networks Next-Generation Firewall.
Infoblox provides PAN with IPAM data containing IP addresses, and PAN applies security policies to groups of these IPs. In addition to the features provided in the first version of the templates found here, we have added several features to save time and improve usability. This integration is built on the Infoblox Outbound REST API.
- Dynamic Address Groups support
  - Dynamic Address Groups map tags to IPs dynamically
  - Support for IPv6 addresses for asset and security events
  - Offers an optional EA for security events in which a tag expires after a set amount of time, starting with PAN Firewall version 9.0 or later
- Improved lease support
  - Ability to add lease IPs to PAN using the existing parent network Extensible Attributes when IP data for the lease IP does not exist in IPAM
- Enhanced security remediation
  - ADP event support
  - Security events use the source IP EAs instead of always using the parent network EAs
  - Improved deduplication of security events
In the attached documents you will find the templates for the Palo Alto integration in JSON format. The templates are provided “as-is” and should be tested in your lab environment and modified as needed before deploying them in production.
The templates require the extensible attributes (EAs) described below. It is recommended to inherit these attributes, with their default values, from the network view level.
- Serves as a toggle to turn sync on/off for Asset events.
- Update timestamp on an asset event. This attribute is created on the specific IP by the WAPI call when not present.
- Serves as a toggle to turn sync on/off for Security events.
- Update timestamp on a security event. This attribute is created on the specific IP by the WAPI call when not present.
- Dynamic Only - Tag that attaches to an IP in a Dynamic Address Group.
- Dynamic Only - Tag that attaches to an IP in a Dynamic Address Group.
- Dynamic Only - Starting with PAN-OS 9.0, a tag can carry an optional timeout attribute. The value is either 0 (the default, meaning the tag never expires) or a timeout for the tag in seconds; the maximum is 2592000 (30 days). In older PAN-OS versions this attribute is not available, and IPs never time out.
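As an added illustration of what the tag-timeout EA means on the firewall side (example code written for this page, not part of the templates or of Infoblox's code), the following builds the PAN-OS User-ID XML API `register` message that attaches a Dynamic Address Group tag to an IPv4 or IPv6 address, applying the 0 / 2592000-second bounds from the description above. The use of that XML format and the `panos_major` switch are assumptions; the actual templates send their calls through the Infoblox Outbound REST API.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Bounds from the EA description above: 0 = never expires, max 30 days.
MAX_TAG_TIMEOUT = 2592000


def valid_tag_timeout(timeout):
    """True if `timeout` is an integer within 0..MAX_TAG_TIMEOUT seconds."""
    return isinstance(timeout, int) and 0 <= timeout <= MAX_TAG_TIMEOUT


def build_register_message(ip, tag, timeout=0, panos_major=9):
    """Return the XML body of a User-ID 'register' message that attaches
    `tag` to `ip`, so the IP joins any Dynamic Address Group whose match
    criteria include that tag.  `timeout` is in seconds (0 = never).
    `panos_major` is an assumed caller-supplied hint: before PAN-OS 9.0 the
    timeout attribute does not exist, so it is omitted and the tag stays
    until explicitly unregistered."""
    # ipaddress accepts IPv4 and IPv6 and raises ValueError on junk input;
    # str() gives the normalised textual form (e.g. compressed IPv6).
    addr = str(ipaddress.ip_address(ip))
    if not valid_tag_timeout(timeout):
        raise ValueError(f"timeout must be 0..{MAX_TAG_TIMEOUT} seconds")

    msg = ET.Element("uid-message")
    ET.SubElement(msg, "version").text = "1.0"
    ET.SubElement(msg, "type").text = "update"
    payload = ET.SubElement(msg, "payload")
    register = ET.SubElement(payload, "register")
    entry = ET.SubElement(register, "entry", ip=addr)
    member = ET.SubElement(ET.SubElement(entry, "tag"), "member")
    member.text = tag
    # Only emit the timeout attribute where the firewall understands it
    # and the EA asks for an expiry; 0 means "never", so no attribute.
    if panos_major >= 9 and timeout > 0:
        member.set("timeout", str(timeout))
    return ET.tostring(msg, encoding="unicode")


if __name__ == "__main__":
    # Constructed sample values: a deny-group tag that expires after one hour.
    print(build_register_message("10.0.0.5", "Iblox_Host_Deny", 3600))
    print(build_register_message("2001:db8::10", "Iblox_Host_Allow", 0))
```

The message is what a PAN-OS firewall consumes on its User-ID API endpoint; the templates themselves carry the equivalent call inside their JSON definitions.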
The templates require the session variables described below.
- The address group object that needs to be populated on the firewall for allowed hosts. This should match the address group object created through the Palo Alto configuration. Set a default value (e.g. Iblox_Host_Allow).
- The address group object that needs to be populated on the firewall for denied hosts. This should match the address group object created through the Palo Alto configuration. Set a default value (e.g. Iblox_Host_Deny).