Introducing the IBM Security App Exchange for SOAR: Our New Integration with Palo Alto Firewall
In the cybersecurity world, automation and Incident Response (IR) are essential components to keep your security posture up-to-date and accurate. With the rise of security orchestration, automation, and response (SOAR) platforms, the security industry has seen a need for robust integrations with popular security tools. One such tool is the Palo Alto Firewall, a state-of-the-art security solution that has become a staple of many enterprise-level organizations.
In the beginning, when we looked into the IBM App Exchange, we didn’t see any app for Palo Alto Firewall, only for Panorama, the central management system to control the firewall. This presented a challenge for those enterprises that didn’t have the Panorama system - how could they automate the process from SOAR to Palo Alto Firewall?
This challenge prompted us to write an app that integrates with Palo Alto Firewall through its API, featuring some essential functions: creating a new tag, creating an IP address object, deleting an IP address object, viewing all GlobalProtect users, and disconnecting a GlobalProtect user.
Our app was published in IBM App Exchange.
Our primary objective for writing this app is to enable SOAR users to have complete automation over their Palo Alto Firewall, even if they don’t have a Panorama system. With our integration, we can now extend the automation capabilities of SOAR to include Palo Alto Firewall, allowing customers greater control over their security posture.
Here are a few use cases that demonstrate how our app can be used in conjunction with Palo Alto Firewall:
Use Case 1: Create a Blacklist Address Group
To create a blacklist address group in the Palo Alto Firewall, we can use a dynamic address group with a tag name “blacklist”. To accomplish this, we create a tag first, followed by a dynamic group with the matching criteria “blacklist.” Then, for any new address that we want to add automatically to the dynamic group, we create a new address with the blacklist tag.
Functions used for this use case:
- Create a new tag
- Create an IP address object
- Delete an IP address object
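The Use Case 1 sequence, expressed as the PAN-OS REST API calls a SOAR function would issue, as an added example that is not the app's own code: it builds (but does not send) the tag, dynamic-group and address-object requests, validates the IP before it reaches the firewall, and simulates how the dynamic group picks up members by tag. The REST paths, API version `v10.1`, and the `vsys1` scope are assumptions about the target firewall.

```python
"""Build the PAN-OS REST API calls behind Use Case 1 (blacklist dynamic address group).
No requests are sent; the payload shapes follow the PAN-OS REST API
(/restapi/<version>/Objects/...), which is an assumption about the target firewall."""
import ipaddress
import json

API_VERSION = "v10.1"                              # assumed PAN-OS REST API version
LOCATION = {"location": "vsys", "vsys": "vsys1"}   # assumed object scope


def _create(resource: str, name: str, entry: dict) -> dict:
    """One POST to /restapi/<ver>/Objects/<resource>?name=<name> creating <entry>."""
    return {"method": "POST",
            "path": f"/restapi/{API_VERSION}/Objects/{resource}",
            "params": {**LOCATION, "name": name},
            "body": {"entry": {"@name": name, **entry}}}


def create_tag(tag: str) -> dict:
    return _create("Tags", tag, {"comments": "managed by SOAR"})


def create_dynamic_group(group: str, tag: str) -> dict:
    # A dynamic group matches on a tag filter, so membership follows the tag, not the group.
    return _create("AddressGroups", group, {"dynamic": {"filter": f"'{tag}'"}})


def create_address(name: str, ip: str, tag: str) -> dict:
    # Reject anything that is not a valid IPv4/IPv6 address before it reaches the firewall.
    addr = ipaddress.ip_address(ip)
    return _create("Addresses", name, {"ip-netmask": f"{addr}/{addr.max_prefixlen}",
                                       "tag": {"member": [tag]}})


def delete_address(name: str) -> dict:
    return {"method": "DELETE", "path": f"/restapi/{API_VERSION}/Objects/Addresses",
            "params": {**LOCATION, "name": name}}


def blacklist_workflow(ips):
    """Full Use Case 1 sequence: tag, dynamic group, then one address object per IP."""
    calls = [create_tag("blacklist"), create_dynamic_group("blacklist-group", "blacklist")]
    calls += [create_address(f"blk-{ip.replace(':', '-')}", ip, "blacklist") for ip in ips]
    return calls


def dynamic_members(calls, tag):
    """Simulate the firewall's view: address objects carrying the tag the group filters on."""
    return [c["body"]["entry"]["@name"] for c in calls
            if c["path"].endswith("/Addresses") and c["method"] == "POST"
            and tag in c["body"]["entry"].get("tag", {}).get("member", [])]


if __name__ == "__main__":
    plan = blacklist_workflow(["203.0.113.7", "2001:db8::1"])   # constructed sample IPs
    print(json.dumps(plan, indent=2))
    print("group members:", dynamic_members(plan, "blacklist"))
```

Removing an address from the blacklist is just the matching `delete_address` call; the dynamic group drops the member as soon as the tagged object is gone and the change is committed.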
Use Case 2: Disconnect a GlobalProtect User
If you are monitoring the system and detect abnormal behavior from users connecting to the GlobalProtect VPN, our integration can help. Through our app, you can view which users are connected, along with their public IP, computer, and login time. If a user has engaged in any malicious activity or leaked VPN information, you can disconnect them from the GlobalProtect VPN.
Functions used for this use case:
- View all GlobalProtect users
- Disconnect a GlobalProtect user
In conclusion, our app is an essential tool for organizations that want to automate their security processes but don’t have the capacity to purchase a Panorama system. Our solution provides complete automation over Palo Alto Firewall and makes it easy to extend the capabilities of SOAR to include Palo Alto Firewall. To learn more about how our app can assist your organization, reach out to the IBM App Exchange or our GitHub repo.