* [Blog](https://www.paloaltonetworks.com/blog) * [Security Operations](https://www.paloaltonetworks.com/blog/security-operations/) * [Playbook of the Week](https://www.paloaltonetworks.com/blog/security-operations/category/playbook-of-the-week/) * Playbook of the Week: Aut... # Playbook of the Week: Automate NGFW Management with Cortex XSOAR [](https://www.facebook.com/sharer/sharer.php?u=https%3A%2F%2Fwww.paloaltonetworks.com%2Fblog%2Fsecurity-operations%2Fplaybook-of-the-week-automate-ngfw-management-with-cortex-xsoar%2F) [](https://twitter.com/share?text=Playbook+of+the+Week%3A+Automate+NGFW+Management+with+Cortex+XSOAR&url=https%3A%2F%2Fwww.paloaltonetworks.com%2Fblog%2Fsecurity-operations%2Fplaybook-of-the-week-automate-ngfw-management-with-cortex-xsoar%2F) [](https://www.linkedin.com/shareArticle?mini=true&url=https%3A%2F%2Fwww.paloaltonetworks.com%2Fblog%2Fsecurity-operations%2Fplaybook-of-the-week-automate-ngfw-management-with-cortex-xsoar%2F&title=Playbook+of+the+Week%3A+Automate+NGFW+Management+with+Cortex+XSOAR&summary=&source=) [](https://www.paloaltonetworks.com//www.reddit.com/submit?url=https://www.paloaltonetworks.com/blog/security-operations/playbook-of-the-week-automate-ngfw-management-with-cortex-xsoar/&ts=markdown) \[\](mailto:?subject=Playbook of the Week: Automate NGFW Management with Cortex XSOAR) Link copied By [Danil Vilenchik](https://www.paloaltonetworks.com/blog/author/danil-vilenchik/?ts=markdown "Posts by Danil Vilenchik") Jan 06, 2023 4 minutes [Playbook of the Week](https://www.paloaltonetworks.com/blog/security-operations/category/playbook-of-the-week/?ts=markdown) [Cortex XSOAR](https://www.paloaltonetworks.com/blog/tag/cortex-xsoar/?ts=markdown) [playbook of the week](https://www.paloaltonetworks.com/blog/tag/playbook-of-the-week/?ts=markdown) [Security Orchestration Automation and Response](https://www.paloaltonetworks.com/blog/tag/security-orchestration-automation-and-response/?ts=markdown) [SOAR](https://www.paloaltonetworks.com/blog/tag/soar-2/?ts=markdown) [XSOAR playbook](https://www.paloaltonetworks.com/blog/tag/xsoar-playbook/?ts=markdown) ### **Automate NGFW management using Cortex XSOAR** Today's security operations centers (SOCs) are plagued with lengthy investigation times and security teams are often drowning in repeatable, manual tasks. Combine these challenges with the tedious and time-consuming task of firewall management, and it's no wonder that [more than one-third](https://www.zdnet.com/article/cybersecurity-burnout-is-real-and-its-going-to-be-a-problem-for-all-of-us/) of IT professionals are considering quitting their job in the next six months. Fortunately, there are solutions that exist to help automate many of the SOC's most common processes, relieving some of the burden faced by security analysts. In this post, we'll take a deeper look into the [PAN-OS by Palo Alto Networks](https://cortex.marketplace.pan.dev/marketplace/details/PANOS/) content pack for Cortex XSOAR, which assists in managing firewall objects, rules and policies as well as the firewall instances themselves. This helps create a safer browsing environment and block unwanted traffic flowing into and out of organizations. ### **What is PAN-OS?** [PAN-OS](https://docs.paloaltonetworks.com/pan-os) is the software that runs all Palo Alto Networks® next-generation firewalls. By leveraging the key technologies that are built into PAN-OS natively (App-ID, Content-ID, Device-ID, and User-ID) you can have complete visibility and control of the applications in use across all users and devices in all locations. Because inline ML and application and threat signatures automatically reprogram firewalls with the latest intelligence, all traffic on your network is free of known and unknown threats. ### **Benefits of the PAN-OS content pack** The [PAN-OS](https://cortex.marketplace.pan.dev/marketplace/details/PANOS/) content pack for Cortex XSOAR enables SOC teams to create and manage security rules, update security policies, make sure devices and policies meet security best practices and take action when needed for device management. Over 250 manual commands can be executed from the XSOAR CLI and 18 generic playbooks help automate security and network operations. Utilizing Cortex XSOAR to control and manage network security operations consolidates security tools and many of the out-of-the-box commands can be used to further build playbooks to eliminate manual actions. Integrating PAN-OS with XSOAR helps to automate many of the time-consuming tasks associated with firewall operation and management, freeing up SOC teams to work on more critical security issues. ### **See it in action** Let's look at how Cortex XSOAR and PAN-OS can automate basic remediation steps. When a new malicious IP or URL indicator is detected in Cortex XSOAR, it automatically triggers a playbook that adds the malicious indicator to a block list. The playbook first checks to see if the address already exists in the block list, and if not, the indicator is added. ![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/01/word-image-177830-1.png) PAN-OS - Block IP - Static Address Group playbook This may seem like a simple task that can be performed manually, but in reality, when analysts are flooded with many tasks and pending investigations, it becomes critical to remove items from their list of actions. Cortex XSOAR can help! Automating processes is one of the key pillars of SOAR solutions. Real threats won't go ignored or even missed, and indicators can be quickly found within your environment to follow up with further investigation. ### **Threat hunting made easy with XSOAR and PAN-OS** XSOAR can automatically run through your PAN-OS logs each time a new IOC is detected. Proactive hunting is important to keep your environment safe, and as daily security incidents and escalations flood the SOC, high-tier analysts and engineers will no longer have to waste their time running queries on FW logs. ![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/01/word-image-177830-2.png) PAN-OS Query Logs For Indicators playbook Each malicious file (hash), URL and IP fetched into XSOAR is automatically queried by this playbook in up to six different logs in your PAN-OS instance, including [Wildfire](https://www.paloaltonetworks.com/network-security/wildfire?ts=markdown)malware protection engine, threat, traffic, data and more. Palo Alto Networks offers a whole suite of best-of-breed security solutions. Implementing the [PAN-OS by Palo Alto Networks](https://cortex.marketplace.pan.dev/marketplace/details/PANOS/) content pack in your standard workflows can save time that is normally wasted on basic manual actions and allow your security personnel to focus on other responsibilities, shorten SLAs and increase SOC efficiency. For more information on the PAN-OS by Palo Alto Networks content pack, refer to the developer article [here](https://xsoar.pan.dev/docs/reference/integrations/panorama). If you like these ideas or would like to suggest other ideas, please collaborate with us through the [Cortex XSOAR Aha](https://xsoar.ideas.aha.io/ideas) page. Please suggest ideas or vote for others. To learn more about how you can automate security operations with Cortex XSOAR, check out our virtual self-guided [XSOAR Product Tour](https://www.paloaltonetworks.com/resources/infographics/xsoar-product-tour?ts=markdown) We also host virtual and in-person events, so check [here](https://www.paloaltonetworks.com/resources/cortex-events?ts=markdown) for upcoming ones. *** ** * ** *** ## Related Blogs ### [Playbook of the Week](https://www.paloaltonetworks.com/blog/security-operations/category/playbook-of-the-week/?ts=markdown) [#### An Automated Response to Malicious Pod Activity](https://www.paloaltonetworks.com/blog/security-operations/an-automated-response-to-malicious-pod-activity/) ### [Playbook of the Week](https://www.paloaltonetworks.com/blog/security-operations/category/playbook-of-the-week/?ts=markdown) [#### Rapid Response for Fighting Ursa Phishing Campaign](https://www.paloaltonetworks.com/blog/security-operations/rapid-response-for-fighting-ursa-phishing-campaign/) ### [Playbook of the Week](https://www.paloaltonetworks.com/blog/security-operations/category/playbook-of-the-week/?ts=markdown), [Uncategorized](https://www.paloaltonetworks.com/blog/category/uncategorized/?ts=markdown) [#### Playbook of the Week: Automating Response to Living-Off-the-Land (LOTL) Attacks](https://www.paloaltonetworks.com/blog/security-operations/playbook-of-the-week-automating-response-to-living-off-the-land-lotl-attacks/) ### [Playbook of the Week](https://www.paloaltonetworks.com/blog/security-operations/category/playbook-of-the-week/?ts=markdown) [#### Playbook of the Week: Prisma Cloud Compute - Compliance Alert v2](https://www.paloaltonetworks.com/blog/security-operations/playbook-of-the-week-prisma-cloud-compute-compliance-alert-v2/) ### [Playbook of the Week](https://www.paloaltonetworks.com/blog/security-operations/category/playbook-of-the-week/?ts=markdown) [#### Playbook of the Week: Streamlining Suspicious Data Upload Alert Investigations](https://www.paloaltonetworks.com/blog/security-operations/playbook-of-the-week-streamlining-suspicious-data-upload-alert-investigations/) ### [Playbook of the Week](https://www.paloaltonetworks.com/blog/security-operations/category/playbook-of-the-week/?ts=markdown), [Uncategorized](https://www.paloaltonetworks.com/blog/category/uncategorized/?ts=markdown) [#### Playbook of the Week: Automating Management of XDR Identity Analytics Alerts](https://www.paloaltonetworks.com/blog/security-operations/playbook-of-the-week-automating-management-of-xdr-identity-analytics-alerts/) ### Subscribe to Security Operations Blogs! Sign up to receive must-read articles, Playbooks of the Week, new feature announcements, and more. ![spinner](https://www.paloaltonetworks.com/blog/wp-content/themes/panwblog2023/dist/images/ajax-loader.gif) Sign up Please enter a valid email. By submitting this form, you agree to our [Terms of Use](https://www.paloaltonetworks.com/legal-notices/terms-of-use?ts=markdown) and acknowledge our [Privacy Statement](https://www.paloaltonetworks.com/legal-notices/privacy?ts=markdown). Please look for a confirmation email from us. If you don't receive it in the next 10 minutes, please check your spam folder. This site is protected by reCAPTCHA and the Google [Privacy Policy](https://policies.google.com/privacy) and [Terms of Service](https://policies.google.com/terms) apply. {#footer} {#footer} ## Products and Services * [AI-Powered Network Security Platform](https://www.paloaltonetworks.com/network-security?ts=markdown) * [Secure AI by Design](https://www.paloaltonetworks.com/precision-ai-security/secure-ai-by-design?ts=markdown) * [Prisma AIRS](https://www.paloaltonetworks.com/prisma/prisma-ai-runtime-security?ts=markdown) * [AI Access Security](https://www.paloaltonetworks.com/sase/ai-access-security?ts=markdown) * [Cloud Delivered Security Services](https://www.paloaltonetworks.com/network-security/security-subscriptions?ts=markdown) * [Advanced Threat Prevention](https://www.paloaltonetworks.com/network-security/advanced-threat-prevention?ts=markdown) * [Advanced URL Filtering](https://www.paloaltonetworks.com/network-security/advanced-url-filtering?ts=markdown) * [Advanced WildFire](https://www.paloaltonetworks.com/network-security/advanced-wildfire?ts=markdown) * [Advanced DNS Security](https://www.paloaltonetworks.com/network-security/advanced-dns-security?ts=markdown) * [Enterprise Data Loss Prevention](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown) * [Enterprise IoT Security](https://www.paloaltonetworks.com/network-security/enterprise-device-security?ts=markdown) * [Medical IoT Security](https://www.paloaltonetworks.com/network-security/medical-device-security?ts=markdown) * [Industrial OT Security](https://www.paloaltonetworks.com/network-security/medical-device-security?ts=markdown) * [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown) * [Next-Generation Firewalls](https://www.paloaltonetworks.com/network-security/next-generation-firewall?ts=markdown) * [Hardware Firewalls](https://www.paloaltonetworks.com/network-security/hardware-firewall-innovations?ts=markdown) * [Software Firewalls](https://www.paloaltonetworks.com/network-security/software-firewalls?ts=markdown) * [Strata Cloud Manager](https://www.paloaltonetworks.com/network-security/strata-cloud-manager?ts=markdown) * [SD-WAN for NGFW](https://www.paloaltonetworks.com/network-security/sd-wan-subscription?ts=markdown) * [PAN-OS](https://www.paloaltonetworks.com/network-security/pan-os?ts=markdown) * [Panorama](https://www.paloaltonetworks.com/network-security/panorama?ts=markdown) * [Secure Access Service Edge](https://www.paloaltonetworks.com/sase?ts=markdown) * [Prisma SASE](https://www.paloaltonetworks.com/sase?ts=markdown) * [Application Acceleration](https://www.paloaltonetworks.com/sase/app-acceleration?ts=markdown) * [Autonomous Digital Experience Management](https://www.paloaltonetworks.com/sase/adem?ts=markdown) * [Enterprise DLP](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown) * [Prisma Access](https://www.paloaltonetworks.com/sase/access?ts=markdown) * [Prisma Browser](https://www.paloaltonetworks.com/sase/prisma-browser?ts=markdown) * [Prisma SD-WAN](https://www.paloaltonetworks.com/sase/sd-wan?ts=markdown) * [Remote Browser Isolation](https://www.paloaltonetworks.com/sase/remote-browser-isolation?ts=markdown) * [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown) * [AI-Driven Security Operations Platform](https://www.paloaltonetworks.com/cortex?ts=markdown) * [Cloud Security](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown) * [Cortex Cloud](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown) * [Application Security](https://www.paloaltonetworks.com/cortex/cloud/application-security?ts=markdown) * [Cloud Posture Security](https://www.paloaltonetworks.com/cortex/cloud/cloud-posture-security?ts=markdown) * [Cloud Runtime Security](https://www.paloaltonetworks.com/cortex/cloud/runtime-security?ts=markdown) * [Prisma Cloud](https://www.paloaltonetworks.com/prisma/cloud?ts=markdown) * [AI-Driven SOC](https://www.paloaltonetworks.com/cortex?ts=markdown) * [Cortex XSIAM](https://www.paloaltonetworks.com/cortex/cortex-xsiam?ts=markdown) * [Cortex XDR](https://www.paloaltonetworks.com/cortex/cortex-xdr?ts=markdown) * [Cortex XSOAR](https://www.paloaltonetworks.com/cortex/cortex-xsoar?ts=markdown) * [Cortex Xpanse](https://www.paloaltonetworks.com/cortex/cortex-xpanse?ts=markdown) * [Unit 42 Managed Detection \& Response](https://www.paloaltonetworks.com/cortex/managed-detection-and-response?ts=markdown) * [Managed XSIAM](https://www.paloaltonetworks.com/cortex/managed-xsiam?ts=markdown) * [Threat Intel and Incident Response Services](https://www.paloaltonetworks.com/unit42?ts=markdown) * [Proactive Assessments](https://www.paloaltonetworks.com/unit42/assess?ts=markdown) * [Incident Response](https://www.paloaltonetworks.com/unit42/respond?ts=markdown) * [Transform Your Security Strategy](https://www.paloaltonetworks.com/unit42/transform?ts=markdown) * [Discover Threat Intelligence](https://www.paloaltonetworks.com/unit42/threat-intelligence-partners?ts=markdown) ## Company * [About Us](https://www.paloaltonetworks.com/about-us?ts=markdown) * [Careers](https://jobs.paloaltonetworks.com/en/) * [Contact Us](https://www.paloaltonetworks.com/company/contact-sales?ts=markdown) * [Corporate Responsibility](https://www.paloaltonetworks.com/about-us/corporate-responsibility?ts=markdown) * [Customers](https://www.paloaltonetworks.com/customers?ts=markdown) * [Investor Relations](https://investors.paloaltonetworks.com/) * [Location](https://www.paloaltonetworks.com/about-us/locations?ts=markdown) * [Newsroom](https://www.paloaltonetworks.com/company/newsroom?ts=markdown) ## Popular Links * [Blog](https://www.paloaltonetworks.com/blog/?ts=markdown) * [Communities](https://www.paloaltonetworks.com/communities?ts=markdown) * [Content Library](https://www.paloaltonetworks.com/resources?ts=markdown) * [Cyberpedia](https://www.paloaltonetworks.com/cyberpedia?ts=markdown) * [Event Center](https://events.paloaltonetworks.com/) * [Manage Email Preferences](https://start.paloaltonetworks.com/preference-center) * [Products A-Z](https://www.paloaltonetworks.com/products/products-a-z?ts=markdown) * [Product Certifications](https://www.paloaltonetworks.com/legal-notices/trust-center/compliance?ts=markdown) * [Report a Vulnerability](https://www.paloaltonetworks.com/security-disclosure?ts=markdown) * [Sitemap](https://www.paloaltonetworks.com/sitemap?ts=markdown) * [Tech Docs](https://docs.paloaltonetworks.com/) * [Unit 42](https://unit42.paloaltonetworks.com/) * [Do Not Sell or Share My Personal Information](https://panwedd.exterro.net/portal/dsar.htm?target=panwedd) ![PAN logo](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/pan-logo-dark.svg) * [Privacy](https://www.paloaltonetworks.com/legal-notices/privacy?ts=markdown) * [Trust Center](https://www.paloaltonetworks.com/legal-notices/trust-center?ts=markdown) * [Terms of Use](https://www.paloaltonetworks.com/legal-notices/terms-of-use?ts=markdown) * [Documents](https://www.paloaltonetworks.com/legal?ts=markdown) Copyright © 2026 Palo Alto Networks. All Rights Reserved * [![Youtube](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/youtube-black.svg)](https://www.youtube.com/user/paloaltonetworks) * [![Podcast](https://www.paloaltonetworks.com/content/dam/pan/en_US/images/icons/podcast.svg)](https://www.paloaltonetworks.com/podcasts/threat-vector?ts=markdown) * [![Facebook](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/facebook-black.svg)](https://www.facebook.com/PaloAltoNetworks/) * [![LinkedIn](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/linkedin-black.svg)](https://www.linkedin.com/company/palo-alto-networks) * [![Twitter](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/twitter-x-black.svg)](https://twitter.com/PaloAltoNtwks) * EN Select your language