Palo Alto Networks SASE/Prisma Access

Configuring the Veza integration for Palo Alto Networks SASE / Prisma Access

Overview

The Veza integration for Palo Alto Networks enables the discovery of applications, users, roles, and permissions from the Palo Alto Networks SASE platform. Veza uses Palo Alto Networks APIs to populate the Authorization Graph with entities and metadata.

This document explains how to enable and create a Palo Alto Networks integration. See notes and supported entities for more details.

Configuring Palo Alto Networks SASE / Prisma Access

Before adding the integration to Veza, create a service account for the connection and record your tenant ID.

To create a service user on the Palo Alto Networks platform, follow these steps:

  1. Browse to your Strata Cloud Manager instance as an administrator.

  2. In the left navigation pane, click the Settings gear. Click Identity & Access.

  3. In the Identity & Access pane that appears, record and store the tenant ID (TSG ID) displayed at the top of the pane, then click the Add Identity button.

  4. In the modal that appears, provide the following information:

    • Identity Type: Service Account

    • Service Account Name: Enter a unique name for the service account (ex: svc-veza-integration)

    • Service Account Contact: Enter an optional email for the owner of the service account

    • Description: Enter an optional description for the service account's purpose

  5. Click Next.

  6. On the Client Credentials screen that appears, copy and save the Client ID and Client Secret. Click Next.

  7. On the Assign Roles screen, click the dropdown menu under Apps & Services and enable All Apps & Services. Click the Role box and pick View Only Administrator.

Configuring Palo Alto Networks on the Veza Platform

To enable Veza to gather data from the Palo Alto Networks platform, follow these steps:

  1. In Veza, open the Integrations page.

  2. Click Add New and pick Palo Alto Networks as the type of integration to add. Click Next.

  3. Enter the required information (below) and Save the configuration.

Field | Notes
Name | A unique display name for the Palo Alto Networks connection
Client ID | The Client ID recorded earlier
Client Secret | The Client Secret recorded earlier
Tenant ID | The Tenant ID (TSG ID) recorded earlier
Region | The x-panw-region value for the tenant. See the Palo Alto Networks documentation for available values.

Notes and Supported Entities

The connector discovers the following entities and attributes:

Palo Alto Applications

The connector discovers the following applications on the Palo Alto Networks platform:

  • AIOps for NGFW

  • AIOps for NGFW Free

  • Cloud Identity Engine

  • Cortex Data Lake

  • Enterprise DLP

  • IoT Security

  • Next-Generation CASB

  • Prisma Access +NGFW

  • Prisma SD-WAN

Palo Alto Networks User

The connector discovers human users and service account users.

Attribute | Notes
description | The optional description of the user (service account only)
email | The user's email address
inherited_from | The Tenant ID from which the user account is inherited
tsg_id | The Tenant ID on which the user is defined (service account only)
type | The type of user (human or service account)

Palo Alto Networks Role

The connector discovers both built-in and custom roles and their permissions.

Attribute | Notes
id | The ID of the role on the Palo Alto Networks platform
name | The human-readable name of the role on the Palo Alto Networks platform
