TOC & Recently Viewed

Recently Viewed Topics

Palo Alto Firewall Keywords

The following keywords are supported in Palo Alto audits:

Keyword

Description

type

This must always be set to AUDIT_XML or AUDIT_REPORTS.

description

This is the information used as a title for unique compliance vulnerabilities in the SecurityCenter. It will also be the first set of data reported by Nessus.

info

This keyword allows users to add a more detailed description to the check that is being performed. Multiple info fields are allowed with no preset limit. The info content should be enclosed in double-quotes.

api_request_type

This keyword describes the type of request. The Palo Alto API supports six types of requests: keygen, op, commit, reports, export, and config. For the purposes of this plugin, only request type op is exposed.

request

This keyword specifies the request to run on the firewall. The result of each request is cached, so subsequent requests do not result in another request. In addition, for AUDIT_REPORTS check, the default Tenable audit only includes 9 checks. To include more reports, users are encouraged to create new checks, and replace request keyword with the REST API URL after type=report. For example:

/api/?type=report&reporttype=predefined&reportname=hruser-top-url-categories

regex

This keyword allows searching items that match a particular regex expression. If a check has regex keyword set, but no expect or not_expect keyword is set, then the check simply reports all lines matching the regex.

The compliance of a check can be determined by comparing the output of the check to either expect or not_expect keyword. There cannot be more than one compliance testing tag (i.e., either expect or not_expect can exist but not expect and not_expect).

Keyword

Description

expect

This keyword allows auditing the config item matched by the regex keyword or if the regex keyword is not used it looks for the expect string in the entire config. The check passes as long as the config line found by regex matches the expect string or in the case where regex is not set, it passes if the expect string is found in the config.

not_expect

This keyword allows searching the configuration items that should not be in the configuration. It acts as the opposite of expect. The check passes as long as the config line found by regex does not match the not_expect string or if the regex keyword is not set, it passes as long as not_expect string is not found in the config.

Copyright © 2017. Tenable Network Security, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter Continuous View, Passive Vulnerability Scanner, and Log Correlation Engine are registered trademarks of Tenable Network Security, Inc. All other products or services are trademarks of their respective owners.