This document describes the step to configure a PanOS firewall using the ThreatSTOP Centralized Manager.

TSCM Installation

You will first need to have a working TSCM virtual machine. The steps to install the VM are described in the TSCM Overview.

Command line switches for the tsadmin tool are documented here .

PanOS configuration

ThreatSTOP is compatible with version 6.x and 7.x of PanOS

ThreatSTOP Centralized Manager has the following pre-installation conditions for Palo Alto Networks devices:

  • Users that will be allowed to setup devices with TSCM must either have root privileges, or be added to the threatstop usergroup.
  • Port 80 must allow TCP communications between the TSCM and PAN devices.


The following steps correspond to onscreen prompts to add a PAN device to the TSCM. These steps install a TSCM controlled ThreatSTOP configuration onto a PAN device. Please be aware that the configuration put in place is disabled and needs activation through the PAN interface. Enabling a PAN Configuration Post Setup, explains how to enable ThreatSTOP on the PAN Device.

  • After verifying your devices, enter tsadmin add --type pan
  • This displays the following prompt. Answer Y or accept the default to the prompt by pressing ENTER to begin the configuration for a Palo Alto Networks device.
    Configuring 'Palo Alto Networks'. Continue? (y or n) [default y]
  • Enter the Block list name you wish to use, if using a custom Block list, or press ENTER to accept the default. This is the blocklist name as provided by ThreatSTOP and can be located in your Devices screen on the portal. The format follows <<Policy name>-netb.<Threatstop Account ID>.threatstop.local.
  • Block list name : [default basic.threatstop.local] <block list name>.<ThreatSTOP account ID>.threatstop.local
  • Enter the Allow list name you wish to use, if using a custom Allow list, or press ENTER to accept the default. This is the allowlist name as provided by ThreatSTOP and can be located in your Devices screen on the portal. The format follows <Policy name>-neta.<Threatstop Account ID>.threatstop.local.
  • Allow list name : [default dns.threatstop.local] <allow list name>.<ThreatSTOP account ID>.threatstop.local
  • Setting the Block list name and Allow list name fields will establish the external lists (EBL) in the PAN device.
  • Enter the Log upload IP address use the IP address seen in the ThreatSTOP portal. If you are uncertain of this number, visit our Valid IP tool and copy the IP Address that appears.
    Log upload IP address :

    Alternatively, you can run the following command to find the IP address to use:

    wget -qO -

    A message will appear similar to the following example:

    Your IP address:

    This is the IP address you will want to use.

  • At the prompt for DNS Port, enter the port number used by your network. In the majority of cases, this is set to the standard DNS port of 53, and it is safe to accept the default by pressing ENTER. In certain rare cases, this may need to be changed to port 5353.
    DNS port : [default 53]
  • The Device management IP address is the firewall’s management IP address. This is the static IP address for this management device, as it was established in the VM Installation section of General TSCM Information. If this is not set, the TSCM will not be able to reach the firewall for updates, and may require a reset to regain control.
    Device management IP address :
  • At the Please enter all possible syslog source IP(s) prompt enter the address used to send syslog data from the device to the TSCM. From there the TSCM will send the data to ThreatSTOP for processing. This is most likely going to be the same as the Device management IP address listed above, though some configurations may have a different source. Multiple devices can be entered at the same time for HA/clustered environments. To do this enter each IP separated by a space, for example: you will want to include the primary device’s Device Management IP address in this list.
    Please enter all possible syslog source IP(s) :
  • For the Log rotate size, we recommend that you accept the default value provided; unless you have a specific reason to change the log rotation size. This number is the log size in Kb.
    Log rotate size, in Kb : [default 100]
  • For Send logs to ThreatSTOP accept the default of Y.
    Send logs to ThreatSTOP? (y or n) [default y]
  • At the Enable policy updates? prompt accept the default of Y. This will download allow policy information from ThreatSTOP’s servers and load them into the PAN device. This is the backbone of the ThreatSTOP, and is quite potentially the most important step in this process.
    Enable policy updates? (y or n) [default y]
  • At the Device username: prompt enter the username used to login to your firewall. Enter this to allow the TSCM to configure the device.
Device username :
  • At the Device password: prompt enter the password for the username entered in the last step. Enter this to allow the TSCM to configure the device.
  • You will now be prompted for High-Availability (HA) or cluster mode. If your device is in an HA/clustered setup enter the IP addresses for the additional firewalls in the network (the setup script is already handling the primary). If you are not using an HA/clustered environment tap ENTER to default to none.
    Is this device part of an HA/cluster setup?
      If so, enter the additional IP(s) (space-separated),
      or "none" for no HA : [default none]
  • The next prompt will add ThreatSTOP into an existing syslog profile (if one exists and is specified), or will create a new syslog profile for ThreatSTOP. Enter a syslog profile name, or tap ENTER to have one generated.
    Name of an existing syslog profile in which the ThreatSTOP server will be added
                or "none, and a ThreatSTOP syslog profile will be created : [default none]
  • When prompted with Name of the Trusted Zone, enter one or more Trusted Zone names in a comma separated format. These are the names used to refer to anything on the safe side of your PAN device, meaning your internal network. This has been defaulted to Trusted.
    Name of the trusted zone : [default Trusted]
  • Similarly, enter the name for an Untrusted Zone at the Name of the Untrusted Zone prompt in a comma separated format. These are the ports that may present bad data sources. The default is set to Untrusted.
    Name of the untrusted zone : [default Untrusted]
  • For the Virtual system name prompt, enter the vsys name as it appears at the top of the screen when viewing your vsys. This is not the entry in the Name field of the device, but has the format vsysX (where X is a number) and should appear at the top of the screen when configuring the PAN device. For a single firewall instance, this would be vsys1.
    Virtual system name (case-sensitive) : [default VSYS_NAME]
  • The number of dynamic lists ThreatSTOP may use : Defaults to 9 (one allow and eight block). Adjust this property to meet the available resources on your device. If you have custom dynamic lists already generated, you will need to drop this number to account for the number of block and allow lists you currently have setup.
    The number of dynamic lists ThreatSTOP may use : [default 9]
    **** Important PAN device configuration note :
    You indicated "yes" to enable device updates by ThreatSTOP.
    Upon the first update, the PAN device will be configured,
    followed by a FULL commit of all pending changes on the
    device. If you want time to check your device for pending
    configuration changes that were not initiated by ThreatSTOP,
    you may proceed with updates disabled. And then come back
    later and enable this setting.

    The number of objects in a dynamic block list is determined by the maximum number of IP addresses supported by your firewall. This is calculated automatically for each device.

To do this, we retrieve the maximum number of addresses from the device. These are returned to us per-dynamic list. That is, if a device claims 10,000 addresses, then the server reserves 300 for it’s own use, so the device can actually support as many as 9,700 block rules per list, or 77,600 addresses total (8 * 9,700 = 77,600 with another 9,700 for an allow list).

Dynamic lists are loaded in order, up to max addresses - 300 with a maximum of eight (8) blocklists, and one allow list. Any addresses that aren’t loaded will be empty. That is, if your ThreatSTOP Policy uses less than the maximum number of addresses, or you have other dynamic objects on the firewall, you will want to lower the number of dynamic lists used by TSCM.

  • The prompt Are you sure you want device updates enabled at this time? allows device updates by ThreatSTOP. The first update will configure the device and issue a full commit of any pending changes. If you have pending changes that were not created by ThreatSTOP you may wish to enter N for now, verify the changes, and then re-run this setup and enter Y to enable ThreatSTOP’s changes.

Configured policy rules are installed in a disabled state. They will need to be enabled on the PAN device once the changes have been uploaded to the device.

Are you sure you want device updates enabled at this time? (y or n) [default y]
  • The next step will check the connectivity between the TSCM and the Palo Alto Networks device. The API does this transparently, and automatically attempts to connect to the device. A successful attempt will display:
    [INFO ] : Checking Palo Alto Networks credentials at
    Successfully added pan

Once this process completes press ENTER to return to the command line. If an IP collision is detected it will be displayed at this point. No changes will be saved and you will need to go through the steps to add a device again and provide an IP address that does not conflict with another device. The availability of IP addresses can be determined using the command tsadmin list to list issued addresses in your network setup.

  • After the program exits, if the connection test was successful, enter: tsadmin update <device name> and press ENTER . This will configure the PAN with the data provided above, set the syslog source IP, establish the syslog server, setup log forwarding, create the EBLs and then setup the policies.

  • Configuration of the TSCM is now complete, but the policies uploaded to the TSCM will not be active at this point. You will need to login to the TSCM and activate the policies in the firewall itself. Instructions to accomplish this are in Committing the Changes to the Device .

Committing the Changes to the Device

Once the configuration of the TSCM is completed, you will need to turn on the policies in the PAN device to place the device in a state to receive information from the TSCM and ThreatSTOP. To enable the policies on the device:

  • Log into your PAN device through the web management interface.
  • Click on Policies.
  • You will see all of your rules established for your policy on this device. Including four rules for ThreatSTOP:
    • ThreatSTOP-Allow-Inbound
    • ThreatSTOP-Allow-Outbound
    • ThreatSTOP-Block-Inbound
    • ThreatSTOP-Block-Outbound
  • Place these rules where you want them in your policy. We recommend placing them at the top to receive the maximum amount of protection from ThreatSTOP.
  • After placing the rules in your desired location select all four rules, and click Enable at the bottom of the screen.
  • Now click Commit at the top of the screen to enact the changes.

After enabling your policies, you will want to test the connection between your device and ThreatSTOP. Testing the Connection has details on how to do this.

Forcing the import of a block list into the EBL

It may be necessary at times to force the import of a block list into the EBL. The procedure to do this is:

  • Click Objects.
  • Click Dynamic Block Lists.
  • Check the box next to the lists you want imported immediately.
  • Click Import Now.

Enable Reporting

In addition to the ThreatSTOP policies that you will now receive, and the updates that these will send back, you have the option of setting up log forwarding on all of a devices policies using syslog and Log forwarding. Enabling this information across all of your devices will help to strengthen the threat intelligence we provide.

This procedure has two parts, one of ThreatSTOP and one for existing policies on the PAN.

To turn on Log Forwarding to ThreatSTOP

  • Under Objects click Log Forwarding.
  • Click on ThreatSTOP.
  • Select any of the data you want to forward and click OK.
  • Click on Commit, this will start contributing your logs to our threat assessment pool starting with your next batch.

To turn on Log Forwarding for other policies

  • As an option, other logs generated by your Palo Alto device can be forwarded to ThreatSTOP for processing and inclusion in your ThreatSTOP firewall.
  • Click on the Device tab.
  • Then click on Syslog.
  • Then click on TSCM.
  • Click Add. A list of log forwarding options will appear.
  • Add the entries TSCM should include and click OK twice.
  • Click Commit to save the changes to the router.

Steps to Remove ThreatSTOP Configurations from PAN Devices

Removing a PAN device from TSCM, will remove the ThreatSTOP configurations on the PAN device. You will need to log onto your PAN device and perform the following steps:

  • Disable the ThreatSTOP Policy Rules - these rules reference the dynamic block lists and the log forwarding profile. Until these policy rules are removed, you will be unable to delete the configurations under Policies->Security : Check each of the four ThreatSTOP policy rules
  • Click Disable at the bottom of the policy rules window
  • Login to the management device.
  • Enter tsadmin remove <device name>

This will remove the PANOS device and all ThreatSTOP Policy Rules, as well as the dynamic block lists and log forwarding profile.

Testing the Connection

After device setup has been completed, a test will need to be run to verify the firewall is behaving as intended. To perform this test:

  • Open a console on the TSCM and enter “tail -f /var/log/threatstop/devices/<device name>/syslog”
  • From a device behind the firewall that is not the TSCM, attempt to connect to with a web browser.
  • If the connection is blocked, you will see a connection blocked error message in the web browser, and the log being tailed will update.
  • If the connection is not blocked you will see the ThreatSTOP logo appear, and the configuration settings will need to be double checked.
  • If the command runs successfully update the device’s configuration as detailed in TSCM Configuration to begin sending logs back to ThreatSTOP for enhanced security.