Palo Alto - Standalone Next-Generation Firewall (NGFW) Integration with TEM

Overview

Through Check Point Threat Exposure Management (TEM), Palo Alto Networks Standalone Next-Generation Firewalls (NGFWs) gain advanced capabilities to strengthen their security posture. Administrators use TEM to identify Intrusion Prevention System (IPS) misconfigurations, validate intrusion prevention settings, and ensure policies are optimized for maximum protection. This integration also supports Protection Hardening, reducing exposure to vulnerabilities and improving overall security hygiene.

Additionally, TEM enables organizations to validate real attacks by correlating Indicators of Compromise (IoCs) with actual threat activity, minimizing false positives and enhancing detection accuracy. By delivering actionable insights for Attack Analysis, Business Disruption prevention, and comprehensive Indicators management, TEM empowers teams to proactively mitigate risks and maintain consistent security across the firewall infrastructure.

  1. IPS Enforcement

    Administrators must enable IPS enforcement on each Standalone Palo Alto Networks NGFW to ensure consistent application of threat protections across the network.

    Traffic-Based Insights

    • IPS logs capture real-time threat activity, including intrusion attempts, exploit signatures, and suspicious payloads.

    • TEM uses these logs to correlate traffic patterns and surface risk-based exposures.

    Log Requirements

    • Enable IPS and actively log events.

    • Retain logs for at least 7 days and ensure TEM can continuously access them for analysis.

    To verify IPS Enforcement logs, see Verifying IPS Enforcement Logs for TEM.

  2. Access Policy Rules for TEM - For All Supported Standalone NGFW Deployments

    Source                    Destination               Port       Protocol  Purpose
    Palo Alto
    TEM VM                    Firewall                  TCP/443    HTTPS     Configuration Fetch / Remediations
    TEM VM                    Firewall / Log Collector  TCP/443    HTTPS     Logs Fetch
    Firewall / Log Collector  TEM VM                    TCP/30030  TCP       Logs Fetch
    Firewall                  TEM VM                    TCP/30003  TCP       IoC Enforcement
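    Before enabling the integration it is worth confirming, from the TEM VM, that every flow in the table above is actually permitted. The script below is an added example and is not part of the Check Point or Palo Alto documentation. It encodes the four rules from the table, attempts a TCP connect for the flows the TEM VM originates (TCP/443 to the firewall and log collector), and checks for a local listener on the ports the firewall connects to (TCP/30030 and TCP/30003). The firewall and log-collector addresses are placeholders (TEST-NET-1 range) and must be replaced; the probe function is injectable so the logic can be exercised offline.

```python
"""Pre-flight check of the TEM <-> Palo Alto NGFW access rules (added example)."""
import socket

TEM_VM = "TEM VM"

# Flows copied from the access-rule table: (source, destination, port, purpose).
REQUIRED_FLOWS = [
    (TEM_VM, "Firewall", 443, "Configuration Fetch / Remediations"),
    (TEM_VM, "Firewall / Log Collector", 443, "Logs Fetch"),
    ("Firewall / Log Collector", TEM_VM, 30030, "Logs Fetch"),
    ("Firewall", TEM_VM, 30003, "IoC Enforcement"),
]

# Placeholder addresses for the roles named in the table (assumption: replace
# with the real management IP of your firewall and log collector).
ROLE_ADDRESSES = {
    "Firewall": "192.0.2.10",
    "Firewall / Log Collector": "192.0.2.20",
}


def tcp_connect(host, port, timeout=3.0):
    """Return True if a TCP handshake to host:port completes within `timeout`."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_flows(flows=REQUIRED_FLOWS, addresses=ROLE_ADDRESSES, connect=tcp_connect):
    """Evaluate every flow from the TEM VM's point of view.

    Returns {"<purpose> (TCP/<port>)": (direction, ok)}.
    - outbound: TEM VM is the source, so we connect to the peer's port.
    - inbound: the peer connects to us, so a local listener must exist;
      we probe it over loopback, which any 0.0.0.0 listener also serves.
    `connect` is injectable so the decision logic can be tested without a network.
    """
    results = {}
    for src, dst, port, purpose in flows:
        if src == TEM_VM:
            direction, ok = "outbound", connect(addresses[dst], port)
        else:
            direction, ok = "inbound", connect("127.0.0.1", port)
        results[f"{purpose} (TCP/{port})"] = (direction, ok)
    return results


def missing_flows(results):
    """Flows that failed: rules still to be opened or local services not yet up."""
    return sorted(name for name, (_direction, ok) in results.items() if not ok)


if __name__ == "__main__":
    report = check_flows()
    for name, (direction, ok) in report.items():
        print(f"{'OK  ' if ok else 'FAIL'} {direction:8s} {name}")
    if missing_flows(report):
        raise SystemExit(1)
```

    Run it on the TEM VM once the TEM services are started; an inbound failure on 30030 or 30003 usually means the service is not yet listening, while an outbound failure on 443 points at an intermediate firewall rule rather than at the Palo Alto device itself.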

Supported Capabilities

TEM supports the following capabilities as part of its integration with Standalone NGFW:

  • Protection Hardening - Controlled transition of IPS protections to Block mode strengthens security while minimizing operational impact.

  • Attack Analysis - Uses machine learning to identify real attacks and provides one-click remediation to contain threats quickly.

  • Security Hygiene - Keeps systems updated with the latest patches and security updates to reduce vulnerabilities.

  • Business Disruption Prevention - Detects and mitigates security events that could disrupt operations, helping maintain continuity.

  • Indicators - Manages threat intelligence across all integrated security controls, ensuring consistent alignment and protection across the organization.

    Note - Supported indicator types include IP Addresses and Domains.

Integrating Palo Alto - Standalone NGFW with TEM

Step 1: Configuring a new Administrator Profile for a Super User

To configure a new Administrator Profile for a Super User:

  1. Log in to the Firewall.

  2. On the top toolbar, click Device.

  3. From the left navigation panel, click Admin Roles.

  4. Click Add to create a new Admin Role Profile and enter the following details:

    1. Name: TEM Profile

    2. XML API: Select the following permissions:

      • Log

      • Configuration

      • Operational Requests

      • Commit

  5. Click OK.

  6. From the left navigation panel, click Administrators.

  7. Select the user created for TEM, assign the newly created profile, and click OK.

Step 2: Configuring the TEM Portal

  1. Log in to the TEM portal.

  2. Navigate to Settings > Integrations > Catalog > Standalone Next-Generation Firewall (NGFW).

  3. In the Standalone Next-Generation Firewall (NGFW) pop-up that appears, navigate to the Connection tab.

  4. Choose a User Configuration Method:

Limitations

  1. REST API users:

    REST API users are not supported in this deployment.

  2. High Availability (HA):

    HA environments are not supported for this deployment.

  3. Panorama Cloud Management:

    Panorama Cloud Management is not supported.

  4. SNMP:

    SNMP configuration through templates is not supported.

Verifying IPS Enforcement Logs for TEM

Prerequisites

User Creation Requirements:

  • Automatic User Creation requires a Super User or a device-administrator profile.

  • Manual User Creation requires an administrator with a dedicated user profile.

Notes -

  • This permission is required only for the initial integration (one-time use). After the initial setup, you can create a dedicated profile instead of using a Superuser or device-administrator profile.

  • Authentication profiles are not supported; ensure that the specified administrator account has no profile assigned.

Setting the Log Retention Rate for TEM

  1. Log in to the Firewall.

  2. From the top navigation panel, click Monitor > Threat.

  3. In the search bar:

    1. Set the time range to Last 7 Days.

    2. Enter the filter threat-type eq vulnerability.

Note - If IPS logs are unavailable, create a dedicated IPS profile set to Alert mode only. This enables TEM to collect traffic data and generate insights without blocking traffic, ensuring complete visibility into potential exposures while maintaining uninterrupted business operations.
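The same check can be automated against the threat logs the firewall exposes over its XML API, which is also what TEM's Log permission on the admin role is for. The script below is an added example and not Check Point or Palo Alto code. It parses a threat-log response in the shape returned by the PAN-OS XML API (type=log&log-type=threat), keeps the vulnerability entries (the subtype field, which I assume is what the GUI's threat-type filter matches), and reports whether they span the 7 days TEM requires and whether they all carry the alert action, as they would with the alert-only IPS profile described in the note above. The XML sample is constructed, with made-up signature names; the element names (receive_time, subtype, threatid, severity, action) follow the PAN-OS threat log schema as I know it and should be confirmed against your own firewall's output.

```python
"""Verify IPS (vulnerability) threat logs cover TEM's 7-day window (added example)."""
from datetime import datetime, timedelta
import xml.etree.ElementTree as ET

PANOS_TIME = "%Y/%m/%d %H:%M:%S"   # timestamp format used in PAN-OS log exports
REQUIRED_DAYS = 7                  # retention TEM needs (from the Log Requirements)

# Constructed sample in the shape of an XML API threat-log response.
# Threat names and times are invented for illustration.
SAMPLE_THREAT_LOG = """<response status="success">
 <result><log><logs count="5">
  <entry logid="1"><receive_time>2024/03/01 08:15:02</receive_time><subtype>vulnerability</subtype>
   <threatid>Constructed Signature A(10001)</threatid><severity>high</severity><action>alert</action></entry>
  <entry logid="2"><receive_time>2024/03/03 12:00:00</receive_time><subtype>vulnerability</subtype>
   <threatid>Constructed Signature B(10002)</threatid><severity>critical</severity><action>alert</action></entry>
  <entry logid="3"><receive_time>2024/03/05 23:59:59</receive_time><subtype>spyware</subtype>
   <threatid>Constructed Signature C(10003)</threatid><severity>medium</severity><action>alert</action></entry>
  <entry logid="4"><receive_time>2024/03/08 09:30:00</receive_time><subtype>vulnerability</subtype>
   <threatid>Constructed Signature D(10004)</threatid><severity>medium</severity><action>alert</action></entry>
  <entry logid="5"><receive_time>2024/03/08 10:00:00</receive_time><subtype>vulnerability</subtype>
   <threatid>Constructed Signature E(10005)</threatid><severity>low</severity><action>reset-both</action></entry>
 </logs></log></result>
</response>"""


def parse_threat_entries(xml_text):
    """Flatten every <entry> of a threat-log response into a dict with a parsed timestamp."""
    root = ET.fromstring(xml_text)
    entries = []
    for entry in root.iter("entry"):
        entries.append({
            "time": datetime.strptime(entry.findtext("receive_time"), PANOS_TIME),
            "subtype": entry.findtext("subtype"),
            "threatid": entry.findtext("threatid"),
            "severity": entry.findtext("severity"),
            "action": entry.findtext("action"),
        })
    return entries


def ips_log_report(entries, required_days=REQUIRED_DAYS):
    """Summarise the vulnerability (IPS) entries for the TEM log requirements.

    covers_required_window: oldest and newest IPS entries are >= required_days apart,
                            i.e. retention (and traffic) reach back far enough.
    alert_only:             every IPS entry was only alerted on, as with an
                            alert-mode profile; None when there are no entries.
    """
    vuln = [e for e in entries if e["subtype"] == "vulnerability"]
    if not vuln:
        return {"vulnerability_entries": 0, "span_days": 0.0,
                "covers_required_window": False, "alert_only": None, "actions": []}
    oldest = min(e["time"] for e in vuln)
    newest = max(e["time"] for e in vuln)
    span = newest - oldest
    actions = {e["action"] for e in vuln}
    return {
        "vulnerability_entries": len(vuln),
        "span_days": round(span.total_seconds() / 86400, 2),
        "covers_required_window": span >= timedelta(days=required_days),
        "alert_only": actions == {"alert"},
        "actions": sorted(actions),
    }


if __name__ == "__main__":
    report = ips_log_report(parse_threat_entries(SAMPLE_THREAT_LOG))
    for key, value in report.items():
        print(f"{key:24s} {value}")
```

A span shorter than 7 days does not by itself prove short retention, since a quiet network may simply have produced no IPS events on some days; compare the oldest entry against the firewall's configured log quota before concluding that logs are being overwritten too early. If the report shows no vulnerability entries at all, the alert-only profile from the note above is the way to start producing them without affecting traffic.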