Activate Palo Alto PAN-OS L1 Package

Is there an I&W for Palo Alto PAN-OS L1?


Im using an L1 I&W for another product and most of the base rules correspond but I need a product specific version to capture non-generic rules as well as the correct Device Group and Device Type.









  • Hey Mary,

    Not yet, as far as I know. As usual, the four common areas (user authentication, user management, service installation/changes, and errors, are common for all devices, it's the product-specific (aka "suspicious") events that take the real research. You're on the right track by looking at similar product I&Ws.


  • Thanks Prentice!  Couple things:

    1. Are you or John aware of any other customers developing this package?  I dont want to duplicate work
    2. I am currently using the Imperva WAF I&W as that was a copy I had lying around
    3. I'll attach the I&W here
    4. So far I have the following filters built from the attached I&W and which specifically identifies the events used for these filters:
      1. System and Service Changes*: lines 4, 9 (should be made into a single filter?), 11, 13
      2. System and Service Errors*: lines 17 (should be made into a single filter?), 18 (should be made into a single filter?), 25
      3. User/Group Management*: line 31
      4. User/Host Authentication*: lines 49, 50
      5. URL Category*: lines 51-80
      6. *Column O indicates that I have actual events to analyze, P indicates the name that I used for the filter, Q indicates that I have written the filter, R indicates that the actual filter logic is available in I&W for analysis
    5. I expect to have the following additional stimulus response filters created this week:
      1. Various User Auth/Mgmt: lines 27, 29, 31, 37 and others as are possible to generate
    6. What I need to build rules off of filters from above categories 1-4:
      1. Specific string to use for Column F in attached I&W "Device Group"
      2. Specific string to use for Column G in attached I&W "Device Type"
      3. Confirmation that the string to use for Column H should not change
    7. What I need to build rules off of filters from above category 5:
      1. Column values for C-N
      2. I have sent this request over to my team as well since some of this may be site specific alerting based on corporate policy
    8. Attached also is some Palo Alto PAN-OS docs

    Let me know if you need anything further, I can do a Webex if you'd like.  Shoot me over an invite anytime. 




  • Can't attach's the upload links:

  • Mary,

    Looking good so far.

    1. Specific string to use for Column F in attached I&W "Device Group"
    2. Specific string to use for Column G in attached I&W "Device Type"

    For these, without overriding them, what do they show up as in ESM?  From there, John or Prentice, do you have an idea for overriding the Device Group or Device Type?  While Palo Alto separates the web content as traffic from the ids as threat, I don't know or recall if it separates the device type.

    John, Prentice, do you have any gut reaction to keeping such events separated, IDS is IDS/IPS and Web Proxy Content is .... (drawing a blank for the default device type for web content/proxy traffic)


  • As far as I know, there isn't anybody working on PAN content for Activate.

  • Ok, for Device Group and Device Type I've decided the following:


    DT=Next-Gen Firewall

  • Hi ,

    Could you share the packages? Thank you!


  • Updated the .arb file (it's a .zip now but it will import fine).  This is just the basic L1 package with the initial rule-set and filters built for all products; System Errors, System Changes, User Auth, User Mgmt for the Palo Alto appliances themselves.  An L2 package with security posture needs to be developed. 

  • (average user rating 4.5 stars...if I gave myself a 4 that means somebody else thinks I'm a 5...WOOOOOOOO )