topic Re: Windows Script to connect PaloAlto firewall and run commands in Automation/API Discussions

Windows Script to connect PaloAlto firewall and run commands

DexcomUser — Fri, 09 Aug 2019 14:30:15 GMT

Hi Team

My requirement is:

Run a Python/Powershell script from a windows box which should connect to Palo Alto by command line with SSH connection and run some commands, like "show user group list" or "show system disk-space", It should display the output on screen and store output in a file.

I have found one python script, it works with linux server but when it connects to Palo alto(Verified in the logs) server with SSH connection, It stuck and don't give prompt and after 10min timeout log print.
Also I am unable to see whether commands run on the Palo Alto server or not, Find below for your reference,

++++++++++++++++++++++++++++++++++++++++++
import paramiko
import os

os.remove("test.txt")
ssh = paramiko.SSHClient()
ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
ssh.connect("xx.xx.xx.xx", username="user", password="*********", port=22)
stdin, stdout, stderr = ssh.exec_command('show system disk-space')
output = stdout.readlines()
print (''.join(output))
file = open('test.txt', 'w')
file.write(''.join(output))
file.close()
+++++++++++++++++++++++++++++++++++++++++++

Where can i see the command run successfully in firewall? Any log?

Is there any other way to run commands from remote server(Windows)? Anyone has automated this?

Thanks in advance.

Re: Windows Script to connect PaloAlto firewall and run commands

hshawn — Fri, 09 Aug 2019 14:37:46 GMT

It would make much more sense to simply send API calls using powershell/python/bash/whatever you like. This can be done quite easily and there is a ton of documentation out there. Take a look at what is available with

https://yourfirewall/php/rest/browse.php

https://docs.paloaltonetworks.com/pan-os/7-1/pan-os-panorama-api/get-started-with-the-pan-os-xml-api/explore-the-api

Re: Windows Script to connect PaloAlto firewall and run commands

DexcomUser — Fri, 09 Aug 2019 14:50:15 GMT

Thanks @hshawn fro quick reply and for providing information.

I am going through the link and understanding the way to automate the task.

Actually our tunnel goes down frequently so we are planning to bring up the tunnel with automation.

Is it possible to run below commands with API calls?

#show vpn ipsec-sa tunnel <Tunnel name>

#test vpn ipsec-sa tunnel <Tunnel name>

Thanks in advance.... 🙂

Re: Windows Script to connect PaloAlto firewall and run commands

hshawn — Fri, 09 Aug 2019 15:10:20 GMT

yes you should be able to do that with:

<request><operations><show><vpn><ipsec-sa><tunnel>yourtunnelnamehere</tunnel></ipsec-sa></vpn></show></operations></request>

You can run commands and get output that is needed for the API calls by using "debug cli on" then type your command and note the output. NOTE: This executes your commands so if you want to know what API call to use to reboot the dataplane I would not suggest using this method 🙂

Re: Windows Script to connect PaloAlto firewall and run commands

DexcomUser — Fri, 09 Aug 2019 15:46:14 GMT

Hello @hshawn,

Thanks I got the output but it seems different.

Actually not getting proper output,

With command i am getting below output, With this i can understand Phase 1 and 2 are okay.

Show IKEv1 IKE SA: Total 4 gateways found. 1 ike sa found.

Show IKEv1 phase2 SA: Total 4 gateways found. 1 ike sa found

But with the API call i am not getting this output, getting only time, name and algo.

Sorry Reboot is not possible.

How can i fetch this info, is there any other way to fetch the information ?

Re: Windows Script to connect PaloAlto firewall and run commands

hshawn — Fri, 09 Aug 2019 15:59:36 GMT

Try this:

If the tunnel is down it will show <state>inactive</state>

Re: Windows Script to connect PaloAlto firewall and run commands

DexcomUser — Fri, 09 Aug 2019 16:41:59 GMT

Thank @hshawn .

You really saved my time and helped me.

I will test and let you know if i am having any questions.

🙂

Re: Windows Script to connect PaloAlto firewall and run commands

DexcomUser — Mon, 12 Aug 2019 09:56:52 GMT

Hi @hshawn ,

I checked it but VPN tunnel shows UP.

I tell you the scenario,

Actually every so often our tunnel goes down but that is not reflected in the firewall section, it shows UP and green color.

When we run the below command to check VPN tunnel status, Its showing full details,

>show vpn ike-sa gateway <Name>

Show IKEv1 IKE SA: Total 4 gateways found. 1 ike sa found.

There is no IKEv1 phase-2 SA found. ---- The error we get in the logs and from command

our phase-2 authentication is failing which is not refecting in the firwall tunnel status section.

So we want to bring it UP using #test command.

1) How can i fetch full details from API?

2) I belive test command will work but will have to find out the status before runnint the test command, Is it possible ?

Thanks in advance ...... 🙂

Re: Windows Script to connect PaloAlto firewall and run commands

DexcomUser — Tue, 13 Aug 2019 12:43:24 GMT

Hi @hshawn ,

I can see "success" reply dispite my VPN tunnel status is down.

Could you please let me know alternet way for the same.

Regards,

Srikant Patil