
Palo Alto Networks -Firewall Integration Guide (without Cortex XSOAR)

Written by Asha Latha Amara
Updated over 5 months ago

This document provides a step-by-step guide for integrating Celona with Palo Alto Networks NGFW (Next-Generation Firewall) without requiring Cortex XSOAR. This method leverages RADIUS messages and HTTP log forwarding to automate security responses and manage devices efficiently.

Introduction

For enterprises that do not use Cortex XSOAR, Celona provides a direct integration with Palo Alto Networks Next-Generation Firewalls (NGFW) to enable Zero Trust security and granular policy enforcement for private 5G networks. This integration ensures that all 4G/5G devices, including IoT, OT, and user endpoints, are identified and protected using their IMSI (Subscriber ID) and IMEI (Equipment ID), independent of IP addressing.

By leveraging RADIUS messages and HTTP log forwarding, this solution enhances security automation while reducing costs and infrastructure complexity. It allows the NGFW to detect security threats and communicate directly with Celona CSO to enforce the appropriate security action without relying on additional middleware. The result is a streamlined, low-latency integration that improves threat response times and optimizes network resource utilization.

Key Benefits

  • Lower Cost: Eliminates the need for XSOAR, reducing software and hardware expenses.

  • Lower Latency: Direct updates from Celona Edge reduce the time for UE context updates from ~30-90 sec to ~6-20 sec.

  • Optimized Resource Utilization: Enables hosting Celona Core and VM/CN series on the same hardware, such as AWS Outpost or ESXi.

Architecture

  1. Devices connect to the Celona private network.

  2. NGFW retrieves IMEI and IMSI data from Celona CSO.

  3. The firewall directly detects and quarantines threats without an external automation platform such as XSOAR.

Enabling RADIUS Messages on Celona Edge

Starting from Celona Orchestrator version 2406.orch and Celona Edge Cluster version 2406.edge, the system can send a RADIUS message upon UE attach or detach, containing subscriber context (UE IP, IMEI, IMSI).

Steps to Enable Celona Edge to send RADIUS to the NGFW

  1. Ensure the customer has updated to the required software versions.

  2. Navigate to Celona CSO -> Admin Settings -> IoT Security.

  3. Select the Non-XSOAR option.

  4. Enter the NGFW IP address that will receive the RADIUS packet.

  5. Click Apply.

  6. At the NGFW, adjust the RADIUS security policy so that the Source/Destination endpoints and zones match the new ones (the Celona Edge is now the RADIUS source). Disable or delete the XSOAR UE-IP correlation policy.

Security Automation Configuration Steps

Configuring IoT Security at Celona

In this method, the NGFW sends an API call to the Celona CSO every time the NGFW detects a Threat.

Celona uses the NGFW Threat log severity (High or Critical) to trigger a configurable policy action. The configurable policy options are isolate, deactivate, or none.

  • Isolate: The device is moved to a different Device Group. In the background, the Core detaches the UE and requests a re-attach; when the UE re-attaches, it is allocated the new Device Group, for example a "quarantined" device group.

  • Deactivate: The Core detaches the UE and does not accept further attach attempts. The device can be allowed back from the SIMs & Devices menu in Celona CSO.

  • None: Do nothing.

Configure HTTP log forwarding at the NGFW

The NGFW sends the API call to the Celona CSO using HTTP log forwarding. Two items require configuration:

  • Create an HTTP server profile: This defines the destination of the log and the HTTP payload format.

  • Add the Log Forwarding method to the existing Log forwarding rule.

  1. Create an HTTP server profile (Device -> Server Profiles -> HTTP).
    Click on Servers and enter the Celona API destination URL. The username and password can be any value; the request is authenticated by the X-API-Key header configured in the next step.

  2. Configure the HTTP log forwarding for Security Automation

    1. Click on Payload Format, then Threat:

      1. Add the HTTP headers and their values:
         X-API-Key: paste the Celona API key in the value column
         Content-Type: application/json

      2. Add the payload. Copy and paste the JSON below, but make sure the zone names ("Edge_Zone" and "RAN_Zone") match the zones on your NGFW. The $-prefixed values are PAN-OS threat log variables that the firewall substitutes when the log is sent.

         {
         "imei": "$imei",
         "imsi": "$imsi",
         "devicename": "$device_name",
         "destinationip": "$dst",
         "destinationnetwork": "Edge_Zone",
         "destinationport": $dport,
         "sourceip":"$src",
         "sourcenetwork":"RAN_Zone",
         "sourceport":63243,
         "thr_category": "$thr_category",
         "threatid": "$threatid",
         "threatname": "$threat_name",
         "threatlevel": "$severity"
         }

  3. Add the HTTP forwarding method to the existing Log Forwarding profile:

    1. Select Log Type as Threat.

    2. Set the filter to (severity eq high) or (severity eq critical).

    3. Select the HTTP server profile created previously.

  4. Ensure the Security policies use the desired Log Forwarding profile; a threat log is only forwarded for traffic matched by a rule that references it.
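To check the payload template before committing it on the firewall, and to see how the receiving side is expected to act on it (the severity filter, the X-API-Key header, and the isolate/deactivate/none policy described under "Configuring IoT Security at Celona"), here is an added Python example. It is not Celona's or Palo Alto Networks' code. It assumes that the NGFW replaces each $name placeholder with the matching threat-log field (a simplified stand-in for PAN-OS's own substitution), that the receiver authenticates the request by the X-API-Key header the server profile sends, and that the policy action is applied only when the threat level is high or critical. The log fields and API key are constructed sample values.

```python
import hmac
import json
from string import Template

# Payload template as it appears in the guide; the zone names must match the NGFW's zones.
PAYLOAD_TEMPLATE = """{
"imei": "$imei",
"imsi": "$imsi",
"devicename": "$device_name",
"destinationip": "$dst",
"destinationnetwork": "Edge_Zone",
"destinationport": $dport,
"sourceip":"$src",
"sourcenetwork":"RAN_Zone",
"sourceport":63243,
"thr_category": "$thr_category",
"threatid": "$threatid",
"threatname": "$threat_name",
"threatlevel": "$severity"
}"""

# Constructed sample threat-log fields (not a real capture).
SAMPLE_THREAT_LOG = {
    "imei": "356938035643809",
    "imsi": "310150123456789",
    "device_name": "pa-ngfw-01",
    "dst": "10.20.0.15",
    "dport": 445,
    "src": "10.10.5.23",
    "thr_category": "vulnerability",
    "threatid": "12345",
    "threat_name": "Constructed sample threat",
    "severity": "high",
}

API_KEY_PLACEHOLDER = "REPLACE-WITH-CELONA-API-KEY"  # placeholder, not a real key
TRIGGER_SEVERITIES = {"high", "critical"}            # the Log Forwarding filter
VALID_POLICIES = {"isolate", "deactivate", "none"}    # the CSO policy options
REQUIRED_FIELDS = ("imei", "imsi", "threatid", "threatlevel", "sourceip")


def passes_severity_filter(log):
    """Mirror of the filter '(severity eq high) or (severity eq critical)'."""
    return str(log.get("severity", "")).lower() in TRIGGER_SEVERITIES


def render_body(log, template=PAYLOAD_TEMPLATE):
    """Substitute $fields (simplified model of the NGFW's substitution) and
    prove the result is valid JSON. KeyError means a placeholder has no log
    field; ValueError means the template is not valid JSON once filled in."""
    body = Template(template).substitute(log)
    json.loads(body)
    return body


def is_authorized(headers, expected_key):
    """Constant-time check of the X-API-Key header, plus the JSON content type."""
    sent = headers.get("X-API-Key", "")
    if not hmac.compare_digest(sent.encode(), expected_key.encode()):
        return False
    ctype = headers.get("Content-Type", "").split(";")[0].strip().lower()
    return ctype == "application/json"


def decide_action(payload, policy):
    """Map the threat level in a parsed payload to the configured policy action."""
    if policy not in VALID_POLICIES:
        raise ValueError(f"unknown policy {policy!r}")
    missing = [f for f in REQUIRED_FIELDS if not payload.get(f)]
    if missing:
        raise ValueError(f"payload missing fields: {missing}")
    if str(payload["threatlevel"]).lower() not in TRIGGER_SEVERITIES:
        return "none"
    return policy


def handle_event(headers, raw_body, expected_key, policy):
    """Receiver-side flow: authenticate, parse, decide. Returns (status, action)."""
    if not is_authorized(headers, expected_key):
        return 401, "none"
    try:
        action = decide_action(json.loads(raw_body), policy)
    except (ValueError, AttributeError):
        return 400, "none"
    return 200, action


if __name__ == "__main__":
    if passes_severity_filter(SAMPLE_THREAT_LOG):
        body = render_body(SAMPLE_THREAT_LOG)
        hdrs = {"X-API-Key": API_KEY_PLACEHOLDER, "Content-Type": "application/json"}
        print(handle_event(hdrs, body, API_KEY_PLACEHOLDER, "isolate"))
```

Running render_body against a sample log is the quickest way to catch the two mistakes that silently break this integration: a placeholder that the threat log does not provide, and a template that stops being valid JSON after substitution (for example a string field left unquoted). The constant-time comparison of X-API-Key is the authentication the integration actually relies on, since the server profile's username and password carry no meaning here.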

Conclusion

Integrating Celona with Palo Alto NGFW without Cortex XSOAR provides a cost-effective, efficient, and low-latency security solution. By eliminating the need for additional middleware, this approach ensures that security events are processed faster while reducing the overall infrastructure complexity. Organizations can leverage Celona's built-in capabilities along with Palo Alto NGFW's robust threat detection to maintain a highly responsive security posture. This streamlined solution not only enhances operational efficiency but also strengthens network protection by enabling real-time threat mitigation.
