To fully integrate USM Anywhere with your Palo Alto Networks device, you should also have the Palo Alto Networks PAN-OS log collection enabled so that USM Anywhere can retrieve and normalize the raw log data. See Collecting Logs from Palo Alto Networks for details.
The BlueApp for Palo Alto Networks PAN-OS is designed for use with single firewalls, and does not integrate with the Palo Alto Panorama software for managing multiple firewalls.
BlueApp for Palo Alto Networks PAN-OS Requirements
Before you can begin configuration, you must have the following information from the PAN-OS and, if desired, from a Certificate Authority (CA):- An API key
- The IP address or hostname of the Palo Alto Networks PAN-OS
- A dedicated admin account
- (Optional) A Secure Socket Layer (SSL) certificate, either self-signed or from a CA. See Uploading a CA Certificate for more information.
- Go to https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-panorama-api/get-started-with-the-pan-os-xml-api/get-your-api-key.html and follow the vendor instructions to generate the key.
- Copy the token to be entered in USM Anywhere.
- Log in to your Palo Alto Networks account with an admin user profile.
- Click the Device tab.
- Select Admin Roles in the left pane and click Add to create a new administrator profile.
- In the Admin Role Profile window, enter a name and description (optional) for the profile.
- Click the XML/REST API tab and click each of the items under that tab to enable them all.
- Click OK to create the profile.
- Now select Administrators from the left panel and click Add.
- In the Administrator window: a. Enter a name for the account, a password, and select Role Based for the Administrator Type. b. For Profile, enter the name of the profile you previously created in the Admin Roles section.
- Click OK to create the admin account.
Configure the BlueApp for Palo Alto Networks PAN-OS Connection
To support the orchestration actions in USM Anywhere, you must configure a connection with the PAN-OS firewall. This connection enables the BlueApp to send a request to the PAN-OS API.USM Anywhere can only communicate with one PAN-OS instance per sensor. If you have multiple PAN-OS instances in your network, contact LevelBlue Technical Support for assistance.
- In USM Anywhere, go to Data Sources > BlueApps.
- Click the Available Apps tab.
- Search for the BlueApp, and then click the tile.
- Click Configure API.
- If you have more than one deployed USM Anywhere Sensor, select the sensor that you want to use for the enabled BlueApp. BlueApps operate through a deployed sensor and use APIs to integrate with the connected third-party technology. Select the sensor that can access the integration endpoint. The HTTPS connections to the API will originate from this sensor, so it is important to make sure the sensor has network access to the BlueApp API endpoints.
- Specify the connection information for Palo Alto Networks:
- IP address or hostname: Enter the IP address or hostname of your PAN-OS instance.
- (Optional) Validate HTTPS host name: Select this option if you want USM Anywhere to validate the hostname against its SSL certificate.
- (Optional) Require CA certificate: Select this option if you prefer to use a security certificate to establish a trusted SSL connection between PAN-OS and USM Anywhere.
- (Optional) CA certificate: Enter your certificate for the connection.
- Admin Name: Enter the name of the admin account you created.
- 
API key: Enter the API key that you generated in PAN-OS.
 
- Click Save.
Uploading a CA Certificate
If you leave the Require CA Certificate checkbox deselected, the BlueApp uses the browser’s default trust store. When you select the Require CA Certificate checkbox, the certificate entered in the CA Certificate field takes precedence and is the only certificate trusted by the client. There are two major use cases that might require you to upload your own certificate in the CA Certificate field:- The firewall was deployed with a self-signed Secure Sockets Layer (SSL) certificate. A certificate like this is typically generated on the firewall at the time of deployment. In this case, you need to export that self-signed certificate from the firewall and paste it into the CA Certificate field.
- You have deployed the firewall with a SSL certificate signed by your own CA. In this case, you need to import the root and intermediate certificates, if any, from your CA. This way, the BlueApp has the same trusted certificate chain that are deployed on your firewall.