# Use Firewall Automation to Remediate Internet Exposures

By [Johnathan Wilkes](https://www.paloaltonetworks.com/blog/author/johnathan-wilkes/?ts=markdown "Posts by Johnathan Wilkes"), Dec 20, 2023, 6 minutes

Tags: [Product Features](https://www.paloaltonetworks.com/blog/security-operations/category/product-features/?ts=markdown), [Use-Cases](https://www.paloaltonetworks.com/blog/security-operations/category/use-cases/?ts=markdown), [Active Response module](https://www.paloaltonetworks.com/blog/tag/active-response-module/?ts=markdown), [PAN-OS](https://www.paloaltonetworks.com/blog/tag/pan-os/?ts=markdown), [Panorama](https://www.paloaltonetworks.com/blog/tag/panorama/?ts=markdown), [RDP](https://www.paloaltonetworks.com/blog/tag/rdp/?ts=markdown), [Xpanse](https://www.paloaltonetworks.com/blog/tag/xpanse/?ts=markdown)
Internet exposures, such as the Remote Desktop Protocol (RDP) open to the internet, are a ticking time bomb: threat actors exploit them as an initial attack vector for ransomware. Such exposures are often known issues for days or longer before an organization is able to act on them. Knowing that the exposure exists, and how bad it is, is only the first step of the process: remediation needs to be efficient and quick.

Understand where your network might be vulnerable with help from Cortex Xpanse. If you use Palo Alto Networks firewalls, you can not only discover the weak spots with Xpanse, but also decide whether the Active Response Module should automatically remediate exposures for you. This ensures that these internet exposures don't become large security incidents that disrupt your business.

### Protect Your Firewall Management Interfaces

One challenge with a software as a service (SaaS) offering that needs API communication to your firewalls is that you don't want your Palo Alto Networks firewall and Panorama management interfaces openly available on the internet. Instead of taking the risk of opening up firewall management interfaces to the public internet, you can use what we call an [engine](https://docs-cortex.paloaltonetworks.com/r/Cortex-XPANSE/Cortex-Xpanse-Expander-User-Guide/Engines), a small Linux server you set up on your network right alongside your firewalls that acts as a proxy. This engine connects safely to Cortex Xpanse without exposing your systems. It requires installing a simple shell script, plus HTTPS connectivity to the internet and to your firewalls. Once the engine is in place, you need to allow Xpanse to talk to your firewalls through secure API communication. It's a straightforward way to keep things running smoothly without opening up any additional gaps in your defenses.
![Fig 1: Engine configuration on Cortex Xpanse](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/12/word-image-310824-1.png)

Fig 1: Engine configuration on Cortex Xpanse

### Connecting to Firewalls via API

To connect your Palo Alto Networks firewalls and Panorama to Cortex Xpanse, there's an integration in the [PAN-OS by Palo Alto Networks](https://cortex.marketplace.pan.dev/marketplace/details/PANOS/) content pack. The content pack is only a couple of clicks away to install or upgrade via the Marketplace tab. Before you get started, you'll also need the right [administrative role](https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/firewall-administration/manage-firewall-administrators/administrative-role-types) on the firewall, one that grants configuration and commit permissions for the Extensible Markup Language (XML) API, in order to take full advantage of enrichment and remediation of Xpanse alerts.

When configuring the [integration](https://xsoar.pan.dev/docs/reference/integrations/panorama), make sure to follow the directions shown on the right of the window regarding creating the API key, as well as the specific configuration for a firewall versus Panorama. You will need to enter the URL for your firewall and the API key, and choose the engine that you previously configured. Don't forget to hit "Test" to make sure the connection works. Once complete, you are ready to start pulling information on firewall rules that are over-permissive (enrichment), as well as remediating these dangerous exposures.

![Fig 2: PAN-OS firewall integration configuration](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/12/word-image-310824-2.png)

Fig 2: PAN-OS firewall integration configuration

### Collecting Additional Information on Over-Permissive Firewall Rules

Enrichment in Xpanse alerts is all about collecting additional information for your vulnerability analyst to look over before they decide on the next steps to take.
For example, if a firewall rule is too liberal and creates a potential risk, the enrichment can tell you exactly which rule it is. For Panorama users, it can also identify the affected device group. This detail is really helpful when you're figuring out where the problem is. It also makes it easier for you to explain the issue to the team in charge of that part of the network, so they can take the right steps to tighten security.

![Fig 3: Firewall rule name found via automation](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/12/word-image-310824-3.png)

Fig 3: Firewall rule name found via automation

### Automation to Fix the Exposure Efficiently

It's crucial to address exposures quickly, because they can escalate into major security incidents if left unchecked. This is where the power of automated remediation comes into play. With Cortex Xpanse, for vulnerabilities that can be fixed by blocking a specific firewall port, the process is simple.

Here's how it works: the details gathered during the enrichment phase automatically guide the remediation steps. The automation uses the prefix "xpanse-ar" to create new firewall elements (services, addresses, and rules), which are then strategically placed in your firewall rulebase to block the problematic traffic. Additionally, the change is traceable because the alert ID is included in the name of the new block rule, so you can easily identify and reference it later. The ultimate aim is to close off the vulnerability promptly and accurately without interrupting the flow of other network traffic.

![Fig 4: Example remediation rule implemented via automation](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/12/blog-image.png)

Fig 4: Example remediation rule implemented via automation

### Increasing Coverage

Cyberthreats are always advancing, and the automation that defends against them needs to evolve as well.
That is why Palo Alto Networks always looks into improvements that simplify security operations while increasing protection. One possible improvement is to simplify the configuration on the firewall side by unifying all firewall rules created by Cortex Xpanse into a single rule or external dynamic list (EDL). Furthermore, the addition of App-ID support is a possibility, which would enhance your ability to identify application traffic. The diversity of firewall configurations, particularly the use of network address translation (NAT) in front of the firewalls, which is very common in cloud service provider (CSP) deployments, is an understood challenge. Therefore, there is a focus on increasing interoperability with all the varied and advanced firewall setups you might encounter.

The most important part of the software development process is receiving and integrating feedback to improve the overall product. We're eager to hear your thoughts on what we are doing with remediation of internet exposures with Cortex Xpanse, as well as the integration with Palo Alto Networks firewalls. Are these solutions meeting your needs, or do you see room for improvement? Your feedback is crucial to us. Please reach out to your Customer Success Architect to give us some input.
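The objects the remediation step described above creates (an address, a service and a deny rule, all prefixed "xpanse-ar" and with the alert ID in the rule name), as an added Python example that is not the playbook's or Palo Alto Networks' own code. The PAN-OS XML element layout, the firewall xpath and the 63-character name limit are assumptions about the PAN-OS XML API, and the alert is a constructed stand-in for an Xpanse alert.

```python
"""Build the PAN-OS objects an Xpanse-style remediation would push for one
internet-exposure alert (added example, not the playbook's own code). Names use
the "xpanse-ar" prefix and carry the alert ID, as the post describes; the XML
layout and the 63-character name limit are assumptions about the PAN-OS XML API."""
import ipaddress
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass

PREFIX = "xpanse-ar"
MAX_NAME = 63                         # assumption: PAN-OS object/rule name limit

@dataclass
class ExposureAlert:                  # constructed stand-in for an Xpanse alert
    alert_id: str
    ip: str                           # exposed public IP (v4 or v6)
    port: int                         # exposed port, e.g. 3389 for RDP
    protocol: str = "tcp"

def safe_name(*parts: str) -> str:
    """Join parts, replace characters PAN-OS names reject, cap the length."""
    return re.sub(r"[^A-Za-z0-9._ -]", "_", "-".join(parts))[:MAX_NAME]

def build_remediation(alert: ExposureAlert) -> dict:
    """Return {kind: (name, xml)} for the address, service and deny rule."""
    ip = ipaddress.ip_address(alert.ip)          # ValueError on a malformed address
    if not 1 <= alert.port <= 65535 or alert.protocol not in ("tcp", "udp"):
        raise ValueError(f"bad exposure {alert.protocol}/{alert.port}")
    addr_name = safe_name(PREFIX, "addr", alert.ip)
    svc_name = safe_name(PREFIX, "svc", f"{alert.protocol}-{alert.port}")
    rule_name = safe_name(PREFIX, "block", alert.alert_id)  # alert ID = traceable

    addr = ET.Element("entry", name=addr_name)
    ET.SubElement(addr, "ip-netmask").text = f"{ip}/{ip.max_prefixlen}"  # host only

    svc = ET.Element("entry", name=svc_name)
    proto = ET.SubElement(ET.SubElement(svc, "protocol"), alert.protocol)
    ET.SubElement(proto, "port").text = str(alert.port)

    # Deny only the exposed host/port so other traffic keeps flowing.
    rule = ET.Element("entry", name=rule_name)
    for tag, val in (("from", "any"), ("to", "any"), ("source", "any"),
                     ("source-user", "any"), ("application", "any"),
                     ("destination", addr_name), ("service", svc_name)):
        ET.SubElement(ET.SubElement(rule, tag), "member").text = val
    ET.SubElement(rule, "action").text = "deny"
    ET.SubElement(rule, "description").text = f"Xpanse alert {alert.alert_id}"

    x = lambda e: ET.tostring(e, encoding="unicode")
    return {"address": (addr_name, x(addr)), "service": (svc_name, x(svc)),
            "rule": (rule_name, x(rule))}

def config_set_params(kind: str, element_xml: str, vsys: str = "vsys1") -> dict:
    """Query parameters for a PAN-OS XML API config 'set' call on a firewall
    (assumption: single-vsys xpath; Panorama device groups use another path)."""
    section = {"address": "address", "service": "service",
               "rule": "rulebase/security/rules"}[kind]
    xpath = (f"/config/devices/entry[@name='localhost.localdomain']"
             f"/vsys/entry[@name='{vsys}']/{section}")
    return {"type": "config", "action": "set", "xpath": xpath, "element": element_xml}
```

After the three set calls the rule still has to be moved to the top of the rulebase and committed, which the example leaves to the caller.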
To learn more, see the [Cortex Xpanse Active Response module](https://docs-cortex.paloaltonetworks.com/r/Cortex-XPANSE/Cortex-Xpanse-Expander-User-Guide/Active-Response) documentation.

### Article Reference Links

* [Enrichment Playbook README](https://github.com/demisto/content/blob/master/Packs/CortexAttackSurfaceManagement/Playbooks/Cortex_ASM_-_On_Prem_Enrichment_README.md)
* [Remediation Playbook README](https://github.com/demisto/content/blob/master/Packs/CortexAttackSurfaceManagement/Playbooks/Cortex_ASM_-_On_Prem_Remediation_README.md)