Palo Alto integration

With a Palo Alto integration, you can block IP addresses at the firewall that you have confirmed to be a threat. The integration uses an External Dynamic List (EDL) sourced from an S3 bucket to block specific IP addresses on your Palo Alto firewall. You can update the list through the detection triage process and easily add or remove threats.

To configure the integration, you need to create an EDL for IP addresses and store it in an S3 bucket. Investigator needs access to the EDL and permission to add or remove IPs from the file.
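The EDL that Investigator reads and updates is a plain text file with one IP address or CIDR block per line. The following Python is an added illustration, not Investigator or Palo Alto code: it shows the add, remove and lookup operations on such a file, validating every entry so that a malformed line is caught before the file is written back. The file name blocked_ips.txt, the sample addresses and the treatment of lines beginning with `#` as comments are constructed assumptions; the S3 upload to the configured S3 File Prefix is the part Investigator performs with the Access Key and Secret Key from the procedure below.

```python
"""Maintain a Palo Alto IP External Dynamic List (EDL) kept as a text file.

Added example, not Investigator or Palo Alto code. Assumptions: one IP address
or CIDR per line, lines beginning with '#' are comments, and the finished text
is what gets uploaded to the S3 key named in the S3 File Prefix field
(for example directory/blocked_ips.txt).
"""
import ipaddress

# Constructed sample EDL using RFC 5737 documentation ranges, not real indicators.
SAMPLE_EDL = """# blocked_ips.txt - constructed sample, not real indicators
192.0.2.10
198.51.100.0/24
"""


def parse_edl(text):
    """Return (entries, comments); entries are validated ip_network objects.

    Any line that is not a comment, blank, IP or CIDR raises ValueError, so a
    corrupted list is rejected rather than pushed to the firewall with gaps.
    """
    entries, comments = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            comments.append(line)
            continue
        try:
            # strict=False accepts host bits set in a CIDR, e.g. 10.1.2.3/24
            entries.append(ipaddress.ip_network(line, strict=False))
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {line!r} is not an IP or CIDR") from exc
    return entries, comments


def render_edl(entries, comments=()):
    """Serialize comments first, then deduplicated entries in address order.

    Single hosts are written as a bare address rather than /32 or /128.
    """
    unique = sorted(
        set(entries),
        key=lambda n: (n.version, int(n.network_address), n.prefixlen),
    )
    body = [
        str(n.network_address) if n.prefixlen == n.max_prefixlen else str(n)
        for n in unique
    ]
    return "\n".join(list(comments) + body) + "\n"


def block_ip(text, ip):
    """Add a host or CIDR to the EDL text and return the new text."""
    entries, comments = parse_edl(text)
    entries.append(ipaddress.ip_network(ip, strict=False))
    return render_edl(entries, comments)


def unblock_ip(text, ip):
    """Remove an exact host or CIDR entry; KeyError if it is not present."""
    entries, comments = parse_edl(text)
    target = ipaddress.ip_network(ip, strict=False)
    remaining = [n for n in entries if n != target]
    if len(remaining) == len(entries):
        raise KeyError(f"{ip} is not in the list")
    return render_edl(remaining, comments)


def is_blocked(text, ip):
    """True if the address falls inside any host or CIDR entry in the list."""
    addr = ipaddress.ip_address(ip)
    entries, _ = parse_edl(text)
    return any(addr in n for n in entries)


if __name__ == "__main__":
    updated = block_ip(SAMPLE_EDL, "203.0.113.5")
    print(updated, end="")
    print("203.0.113.5 blocked:", is_blocked(updated, "203.0.113.5"))
```

Because `unblock_ip` removes only an exact entry, an address covered by a CIDR block stays blocked until that block is removed; `is_blocked` reports coverage either way, which is the check to run before assuming a triage action took effect.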

Within Investigator, you need admin access to configure this integration. (Analyst users can view the integration but cannot make changes.)

To integrate Palo Alto with Investigator

  1. From System Settings in the left navigation, choose Integrations.

  2. In the Integrations tab, click the Palo Alto card.

  3. Click Configure.

    An integration dialog box appears.

  4. Toggle the integration value to Enabled.

  5. Enter your Access Key and Secret Key.

    These are the credentials to access your AWS S3 bucket with the EDL file.

  6. Specify the S3 Bucket.

    Provide the name of the AWS S3 bucket with the EDL file used by the Palo Alto firewall.

  7. In the S3 File Prefix field, specify the path and name of the EDL, such as directory/blocked_ips.txt.

  8. Click Verify Connection to ensure Investigator can use these credentials to update the EDL.

    You cannot save your connection until you verify it.

  9. Click Save.

If you want to pause the integration, toggle the integration setting to Disabled. This preserves your connection details.

If you want to disable the integration and delete your connection details, click the Delete icon.

Once the integration is configured, you can block and unblock IP addresses on your Palo Alto firewalls from Investigator.