Palo Alto Next-Gen Firewall Out-of-the-box Response Integration

The Lumu Defender API offers a framework to help you leverage Lumu’s integrations with your existing cybersecurity stack, including Security Information and Event Management (SIEM); Security Orchestration, Automation, and Response (SOAR); Endpoint Detection and Response (EDR); incident response systems; and more.
To get started with the Lumu Defender API, consult our getting started documentation.
This article shows how to create an external block list for a Palo Alto Next-Gen Firewall from Lumu's confirmed-compromise data.

Requirements

  1. Palo Alto Next-Gen Firewall
  2. A Lumu Defender subscription.
Out-of-the-box Integrations are part of Lumu Defender. This tier was built to help organizations orchestrate and automate defense against confirmed compromise instances. To know more about Lumu Defender, visit our site.

Add Integration

1. Log in to your Lumu account through the Lumu Portal, navigate to the integrations screen, and select “Response”.



2. Locate the Palo Alto Next-Gen Firewall integration in the available apps area and then click "Add".



3. Familiarize yourself with the integration details available in the app description and click the button below to activate the integration.



4. To generate the integration URL, add a description and select the threat types you want to include in the list. You can also generate a list of compromised IPs.



5. Once you create the integration, you will be provided with the Integration URL:



Deleting an integration will cause URLs to be removed. This action cannot be undone. To reintegrate you will have to generate the URLs again and update your Palo Alto Next-Gen Firewall configuration.

Set Up Palo Alto Next-Gen Firewall

Now that you have the integration URLs, you need to configure a dynamic block list on the Palo Alto Next-Gen Firewall. To do this, add a URL or an IP External Dynamic List.

Add a URL External Dynamic List

  1. Under Objects > External Dynamic Lists, add a new External Dynamic List of type URL List.
  2. Enter the required information, including the Domains & URLs URL you obtained from Lumu in step 4. Make sure to select ‘URL List’ in the ‘Type’ parameter.
  3. Modify the update frequency according to your business needs. The Palo Alto Next-Gen Firewall documentation recommends setting this parameter to ‘Hourly’.
  4. After creating the External Dynamic List, you must reference it in a security policy through a URL Filtering profile. The following is an example of such a policy:


Add an IP External Dynamic List

  1. Under Objects > External Dynamic Lists, add a new External Dynamic List of type IP List.
  2. Enter the required information, including the Compromised IPs URL you obtained from Lumu in step 4. Make sure to select ‘IP List’ in the ‘Type’ parameter.
  3. Modify the update frequency according to your business needs. The Palo Alto Next-Gen Firewall documentation recommends setting this parameter to ‘Hourly’.
  4. After creating the External Dynamic List, you must reference it in a firewall policy. The following is an example of such a policy:
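Because the URL list and the IP list above are consumed by two different External Dynamic List types, a practitioner may want to confirm that each Lumu feed body only contains entries of the kind its list type accepts before committing the policy. The following checker is an added example, not Lumu's or Palo Alto's code: the two feed bodies are constructed samples, and treating lines that start with '#' as comments is an assumption about the feed format.

```python
import ipaddress
import re

# Constructed sample feed bodies in the one-entry-per-line form an External
# Dynamic List consumes. These are NOT real Lumu output; the stray entry at the
# end of each one is there to show what the check flags.
SAMPLE_URL_FEED = """# Domains & URLs list (constructed sample)
malicious.example
*.bad-cdn.example
phish.example/login/index.html
203.0.113.10
"""

SAMPLE_IP_FEED = """# Compromised IPs list (constructed sample)
203.0.113.10
198.51.100.0/24
2001:db8::1
malicious.example
"""

# Hostname, optional leading wildcard label, optional path (i.e. a URL List entry).
DOMAIN_RE = re.compile(r"^(\*\.)?([a-z0-9-]{1,63}\.)+[a-z0-9-]{2,63}(/.*)?$", re.IGNORECASE)


def classify(entry):
    """Return 'ip' for an IP address or CIDR network, 'url' for a domain or
    URL, and 'invalid' for anything else."""
    try:
        ipaddress.ip_network(entry, strict=False)
        return "ip"
    except ValueError:
        pass
    return "url" if DOMAIN_RE.match(entry) else "invalid"


def check_feed(body, list_type):
    """Split a feed body into entries, skipping blank lines and lines that
    start with '#' (assumed to be comments), and return (accepted, rejected):
    entries that match the EDL type ('url' or 'ip') and entries that do not."""
    accepted, rejected = [], []
    for raw in body.splitlines():
        entry = raw.strip()
        if not entry or entry.startswith("#"):
            continue
        (accepted if classify(entry) == list_type else rejected).append(entry)
    return accepted, rejected
```

Point `check_feed` at the body fetched from each integration URL with the list type you configured on the firewall; a non-empty `rejected` list means the feed and the EDL type do not match.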
Further considerations
Bear in mind that the characteristics of the policy must be defined by your organization. For more details on External Dynamic Lists, consult Palo Alto Next-Gen Firewall’s documentation.
