Palo Alto Networks Next-Generation Firewall integration
Once installed and configured, the security incident analyst uses this integration to block malicious IP addresses, URLs, and domains using External Dynamic List (EDL) capabilities with the ServiceNow Security Incident Response (SIR) products. The security incident analyst creates entries for an EDL from observables determined to be malicious on ServiceNow SIR security incidents.
An EDL is a plain-text file hosted on an external web server. For this integration, that web server is your ServiceNow AI Platform instance, which lets the Palo Alto Networks Next-Generation Firewall import the objects included in the list (IP addresses, URLs, and domains) and enforce policy on them.
To enforce policy on the EDL entries, the list is referenced in a policy rule or profile. As the EDL entries change, the firewall dynamically imports the list at the configured interval and enforces policy without a configuration change or a commit on the firewall. For this integration, ServiceNow AI Platform provides a table of EDL entries that authorized Palo Alto Networks Next-Generation Firewalls retrieve at the configured retrieval intervals. The integration provides the following capabilities:
- Flexibility to create multiple EDLs that apply to different firewall deny or allow policies.
- Detailed reporting on the types of sites being blocked (phishing, malware, and allow-listed sites).
- Tagging of ServiceNow AI Platform security incidents with EDL entries by the observable type (URL, domain, IP address).
- Configuring EDL expiration periods to maintain EDL list size by automatically expiring or removing older entries.
- Searching, deleting, or migrating EDL entries between EDL lists.
- Linking EDL entries to observable records and security incidents that include threat intelligence results and details about why an entry is blocked.
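The following is an added example, not code from ServiceNow or Palo Alto Networks, of the list-side logic the page describes: entries tagged by observable type (IP address, URL, domain) are rendered into separate plain-text lists, entries older than a configured expiration period are dropped, and anything that does not fit the list's type is left out so the firewall never fetches a malformed line. The entry records, the expiration policy, and the classification rules are constructed for illustration and are not the ServiceNow table schema or PAN-OS's parsing rules.

```python
"""Render per-type External Dynamic List (EDL) text from tracked observables.

Added illustration: the entry records, the expiry policy and the type
classification below are assumptions made for this example, not the
ServiceNow table schema or the firewall's own EDL parser.
"""
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Hostname shape: labels of 1-63 chars, no leading/trailing hyphen, alphabetic TLD.
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)([a-z0-9-]{1,63}(?<!-)\.)+[a-z]{2,63}$", re.IGNORECASE
)


def classify(value):
    """Return 'ip', 'url' or 'domain' for an observable, or None if it fits none.

    Single addresses and CIDR blocks count as 'ip'; anything carrying a scheme
    or a path counts as 'url'; a bare hostname counts as 'domain'.
    """
    v = value.strip()
    try:
        ipaddress.ip_network(v, strict=False)  # accepts 203.0.113.45 and 198.51.100.0/24
        return "ip"
    except ValueError:
        pass
    if "://" in v or "/" in v:
        return "url"
    if DOMAIN_RE.match(v):
        return "domain"
    return None


def build_edl(entries, list_type, now, max_age):
    """Return the text the firewall would fetch for one list type.

    entries: dicts with 'value', 'created' (timezone-aware datetime) and 'active'.
    Entries older than max_age are expired (the page's EDL expiration period),
    inactive or mistyped entries are skipped, and duplicates are collapsed so the
    list stays small. Output is one entry per line, which is the EDL format.
    """
    lines, seen = [], set()
    for e in entries:
        if not e.get("active", True):
            continue
        if now - e["created"] > max_age:
            continue  # expired: aged out of the list automatically
        kind = classify(e["value"])
        if kind != list_type:
            continue  # wrong list for this observable type
        v = e["value"].strip()
        if kind != "url":
            v = v.lower()  # hostnames and addresses are case-insensitive
        if v in seen:
            continue
        seen.add(v)
        lines.append(v)
    return "\n".join(lines) + ("\n" if lines else "")


# Constructed sample data (RFC 5737 documentation addresses and example.com names).
NOW = datetime(2024, 1, 10, tzinfo=timezone.utc)
EXPIRY = timedelta(days=30)
SAMPLE_ENTRIES = [
    {"value": "203.0.113.45", "created": NOW - timedelta(days=1), "active": True},
    {"value": "198.51.100.0/24", "created": NOW - timedelta(days=2), "active": True},
    {"value": "192.0.2.7", "created": NOW - timedelta(days=40), "active": True},  # expired
    {"value": "bad.example.com", "created": NOW - timedelta(days=1), "active": True},
    {"value": "Bad.Example.com", "created": NOW - timedelta(days=1), "active": True},  # dup
    {"value": "http://bad.example.com/login", "created": NOW - timedelta(days=1), "active": True},
    {"value": "not a valid entry!", "created": NOW, "active": True},  # rejected
    {"value": "203.0.113.99", "created": NOW, "active": False},  # removed by analyst
]

if __name__ == "__main__":
    for list_type in ("ip", "url", "domain"):
        print(f"--- {list_type} list ---")
        print(build_edl(SAMPLE_ENTRIES, list_type, NOW, EXPIRY), end="")
```

Serving each rendered string at its own URL (one per list type) is what lets the firewall poll it on its retrieval interval; regenerating the text on every fetch is what makes expiration and analyst removals take effect without a commit on the firewall.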
The integration requires that the com.snc.security_incident and com.snc.secops.orchestration plugins from the Security Incident Response product be activated.
This integration supports only Palo Alto Networks PAN-OS 8.x. Earlier versions are not supported.