Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.levelblue.com/llms.txt

Use this file to discover all available pages before exploring further.

The BlueApp for Palo Alto Networks PAN-OS provides a set of orchestration actions that you can use to quickly send IP addresses to the firewall as a response to threats identified by USM Anywhere. You can also send IP addresses to Palo Alto Dynamic Address Groups. The BlueApp sends standard HTTP requests to the Palo Alto Networks PAN-OS APIs to register tags. Each such tag contains the source or destination address (or the fully qualified domain name [FQDN]) of the event or alarm that triggered the action or orchestration rule.
Using the BlueApp for Palo Alto Networks PAN-OS orchestration actions requires that the BlueApp is enabled on a deployed USM Anywhere Sensor with configured integration to your Palo Alto Networks product. See Configuring the BlueApp for Palo Alto Networks PAN-OS for more information.
As USM Anywhere surfaces and , your team determines which items require a response action. Rather than manually tagging source and destination hosts in the Palo Alto Networks firewall for enforcement purposes, you can use the BlueApp for Palo Alto Networks PAN-OS orchestration actions to enforce protection based on the information associated with the event or alarm. The following table lists the available actions from the BlueApp. Actions for BlueApp for Palo Alto Networks PAN-OS
ActionDescription
Tag Source IP Address from EventRun this action to tag a source IP address to a dynamic address group from an event
Tag Source IP Address from RuleRun this action to tag source IP address and add it to a Dynamic Address Group in the connected Palo Alto Networks device from a rule
Tag Source IP Address from AlarmRun this action to tag a source IP address to a dynamic address group from an alarm
Tag Source Address from RuleRun this action to tag a source address from a rule
Tag Destination IP Address from EventRun this action to tag a destination IP address to a dynamic address group from an event
Tag Destination IP Address from RuleRun this action to tag destination IP Address and add it to a Dynamic Address Group in the connected Palo Alto Networks device from a rule
Tag Destination IP Address from AlarmRun this action to tag a destination IP address to a dynamic group address from an alarm
Tag Destination Address from RuleRun this action to tag a destination address from a rule
Remove Tag from Source AddressRun this action to remove a tag from the source address
Remove Tag from Address GroupRun this action to remove a tag from the address group
Remove Tag from Destination AddressRun this action to remove a tag from a destination address
Add Tag to Address GroupRun this action to add a tag to an address group
Add Tag to Destination AddressRun this action to add a tag to a destination address
Add Tag to Source AddressRun this action to add a tag to a source address
Upon launch of the action, USM Anywhere sends a request to the Palo Alto Networks PAN-OS API to add one of the following identifiers to its Object database and to tag it according to the value specified in the action or rule.
  • IPv4 address
  • IPv6 address
  • FQDN
By default, changes affecting PAN-OS firewall configurations require activation through a commit. The object (host) tag requests sent by BlueApp for Palo Alto Networks PAN-OS are not activated until you or another Palo Alto administrator commits them. In the PAN-OS web UI, you can filter pending changes by user account or location and then preview, validate, or commit only those changes. For more information about committing these changes, refer to the PAN-OS documentation.If a specified tag does not already exist in the Palo Alto Networks device, the action also creates the new tag. The tag creation does not require a commit in the Palo Alto Networks environment.
To view information about these actions in USM Anywhere
  1. In USM Anywhere, go to Data Sources > BlueApps.
  2. Click the Available Apps tab.
  3. Search for the BlueApp, and then click the tile.
  4. Click the Actions tab to display information for the supported actions.
    To use the Dynamic Address Group actions, you first need to configure Dynamic Address Groups in your policy within PAN-OS.
  5. Click the History tab to display information about the executed orchestration actions.

Launch Actions from USM Anywhere

You can launch an action directly from alarms or events. If you want to apply an action to similar events that occur in the future, you can also create orchestration rules directly from the action applied to an alarm or event.
All Group and Tag names will default to lowercase in USM Anywhere to avoid any potential confusion over letter casing.
To launch a Palo Alto Networks orchestration action for an alarm
  1. Go to Activity > Alarms or Activity > Events.
  2. Click the alarm or event to open the details.
  3. Click Select Action.
  4. In the Select Action dialog box, select the Palo Alto tile.
  5. For the App Action, select the action you want to launch. Additional fields will be populated based on the action you’ve selected. Fill out the necessary fields for the app action. You can launch an action to tag the alarm destination host or source host.
  6. Enter the Palo Alto Networks Tag Name that you want to apply to the host.
  7. Click Run. After USM Anywhere initiates the action, it displays a confirmation dialog box.
If you want to create a rule to apply the action to similar items that occur in the future, click Create rule for similar alarms or Create rule for similar events and define the new rule. If not, click OK.