Infoblox Integration with Palo Alto Networks Firewall – Deployment Guide & Templates

We are excited to bring you the latest integration with Palo Alto Next Generation Firewall.

Infoblox provides PAN with IPAM data containing IP addresses, and PAN applies security policies to groups of those IPs. In addition to the features of the first version of the templates, found here, we have added several features to save time and improve usability. This integration is built on the Infoblox Outbound REST API.

  1. Dynamic Address Groups support
    1. Dynamic Address Groups map tags to IPs dynamically, so policy follows the tag rather than a static address list
    2. Support for IPv6 addresses for asset and security events
    3. An optional EA (PaloAlto_Timeout) for security events that makes a tag expire after a set amount of time; requires PAN-OS 9.0 or later
  2. Improved lease support
    1. Ability to add lease IPs to PAN using the parent network's Extensible Attributes when no IPAM data exists for the lease IP
  3. Enhanced security remediation
    1. ADP event support
    2. Security events use the source IP's EAs instead of always using the parent network's EAs
    3. Improved deduplication of security events
  4. Network Insight support (Discovery events, static only)

In the attached documents you will find the templates for the Palo Alto integration in JSON format. The templates are provided “as-is” and should be tested in your lab environment and modified as needed before implementing them into production.

The templates require the extensible attributes described in the table below. It is recommended to define them with default values at the network view level so that lower-level objects inherit them.

Extensible Attribute / Description

PaloAlto_Asset_Sync
    Toggle that turns sync on or off for Asset events.

PaloAlto_Asset_SyncedAt
    Update timestamp of the last asset event. The WAPI call creates this attribute on the specific IP when it is not already present.

PaloAlto_Security_Sync
    Toggle that turns sync on or off for Security events.

PaloAlto_Security_SyncedAt
    Update timestamp of the last security event. The WAPI call creates this attribute on the specific IP when it is not already present.

PaloAlto_Asset_Tag
    Dynamic only. Tag that is attached to an IP in a Dynamic Address Group for asset events.

PaloAlto_Security_Tag
    Dynamic only. Tag that is attached to an IP in a Dynamic Address Group for security events.

PaloAlto_Timeout
    Dynamic only. Starting with PAN-OS 9.0 a tag can carry an optional timeout. 0 (the default) means the tag never expires; any other value is the tag's lifetime in seconds, with a maximum of 2592000 (30 days). On older PAN-OS versions the attribute is not available and registered IPs never time out.
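To make the tag and timeout rules above concrete, here is an added example (not the Infoblox template code and not Palo Alto's own code) that models the decision an outbound template has to make per event: check the sync toggle EA, pick the tag EA for the event type, validate PaloAlto_Timeout against the 0..2592000 range, and build the PAN-OS User-ID XML API payload that registers or unregisters the tag for a Dynamic Address Group. The "true"/"false" value convention for the toggle EAs, the sample EA dictionaries, and the firewall hostname and API key in the send helper are assumptions made for this example.

```python
"""Model of the per-event tag decision behind the PaloAlto_* extensible attributes.

Added example; not the Infoblox template code or Palo Alto's own code. The EA
values, the "true"/"false" toggle convention, and the firewall/API key used by
send_uid_message() are assumptions for this example.
"""
import ipaddress
import urllib.parse
import urllib.request
from xml.etree import ElementTree as ET

MAX_TIMEOUT = 2592000  # 30 days, the PAN-OS maximum lifetime of a registered tag


def resolve_timeout(eas, panos_major):
    """Map PaloAlto_Timeout to the PAN-OS `timeout` attribute, or None to omit it.

    Validates the EA as the table describes it: an integer number of seconds,
    0 meaning "never expires", never more than MAX_TIMEOUT.
    """
    raw = eas.get("PaloAlto_Timeout", "0")
    try:
        timeout = int(raw)
    except (TypeError, ValueError):
        raise ValueError(f"PaloAlto_Timeout must be an integer, got {raw!r}")
    if not 0 <= timeout <= MAX_TIMEOUT:
        raise ValueError(f"PaloAlto_Timeout {timeout} outside 0..{MAX_TIMEOUT}")
    # Firewalls before PAN-OS 9.0 do not understand the attribute, and 0 is the
    # PAN-OS default anyway, so in both cases the attribute is simply left out.
    if panos_major < 9 or timeout == 0:
        return None
    return timeout


def build_uid_message(ip, eas, event="security", action="register", panos_major=9):
    """Return the <uid-message> XML for `ip`, or None when the sync toggle EA for
    this event type is off. `event` is "security" or "asset"."""
    kind = {"security": "Security", "asset": "Asset"}[event]
    if action not in ("register", "unregister"):
        raise ValueError(f"unknown action {action!r}")
    if str(eas.get(f"PaloAlto_{kind}_Sync", "false")).lower() != "true":
        return None  # PaloAlto_<kind>_Sync says: do not sync this event type
    tag = eas.get(f"PaloAlto_{kind}_Tag")
    if not tag:
        raise ValueError(f"PaloAlto_{kind}_Tag is required for a Dynamic Address Group")
    addr = ipaddress.ip_address(ip)  # accepts IPv4 and IPv6, rejects anything else

    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    block = ET.SubElement(ET.SubElement(root, "payload"), action)  # <register>/<unregister>
    entry = ET.SubElement(block, "entry", ip=str(addr))
    if action == "register" and panos_major >= 9:
        entry.set("persistent", "1")  # PAN-OS 9.0+: keep the mapping across reboots
    member = ET.SubElement(ET.SubElement(entry, "tag"), "member")
    member.text = tag
    timeout = resolve_timeout(eas, panos_major)
    if action == "register" and timeout is not None:
        member.set("timeout", str(timeout))
    return ET.tostring(root, encoding="unicode")


def send_uid_message(firewall, api_key, xml_payload, http_timeout=10):
    """POST the payload to the PAN-OS XML API (type=user-id). Not executed in this
    example; `firewall` and `api_key` are placeholders the caller supplies."""
    data = urllib.parse.urlencode(
        {"type": "user-id", "key": api_key, "cmd": xml_payload}
    ).encode()
    req = urllib.request.Request(f"https://{firewall}/api/", data=data, method="POST")
    with urllib.request.urlopen(req, timeout=http_timeout) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    # Constructed sample: a quarantine tag from a security event on a PAN-OS 9.x
    # firewall, expiring after one hour.
    sample_eas = {
        "PaloAlto_Security_Sync": "true",
        "PaloAlto_Security_Tag": "Iblox_Quarantine",
        "PaloAlto_Timeout": "3600",
    }
    print(build_uid_message("10.20.30.40", sample_eas))
```

The range check matters more than it looks: a PaloAlto_Timeout above 2592000 is rejected by the firewall, so without validation a remediation tag silently never lands, and the host stays outside the quarantine group. Unregister messages carry no timeout, since the tag is being removed rather than aged out.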

The templates require the session variables described in the table below.

Session Variable / Description

Host_Allow
    The address group object that must be populated on the firewall for allowed hosts. It should match the address group object created in the Palo Alto configuration. Set a default value (e.g. Iblox_Host_Allow).

Host_Deny
    The address group object that must be populated on the firewall for denied hosts. It should match the address group object created in the Palo Alto configuration. Set a default value (e.g. Iblox_Host_Deny).