Get routes through Panorama

czinu — Mon, 29 Aug 2022 12:16:18 GMT

Hello Fellow Community Members,

we are currently working on automation solution which involves getting routing tables from firewalls. Is there any way we can get routing tables from firewalls through Panorama's API?

Thanks in advance!

Re: Get routes through Panorama

joaovictor — Thu, 08 Sep 2022 15:42:46 GMT

Hi Czinu,

is possible to get routing tables using Python SDK and through API url. I prefer to use Python SDK. Follow bellow a sugestion:

1- Define authentication parameters:

from panos import network from panos import policies from panos import firewall from panos import objects api_user = 'admin' api_password = 'admin' device = 'fw.abc.com' fw = firewall.Firewall(device, api_user, api_password)

2- So now, you can get the vrouters names:

vrouters_list = network.VirtualRouter.refreshall(fw) for vrouter in vrouters_list: print(vrouter)

#the output of commands above will be the name of vrouters created in your firewall.

If you want to know more details about each vrouter:

for vrouter in vrouters_list: print(vrouter.about())

#the output of commands above will be the name of vrouters created in your firewall plus interfaces, virtual router
parameters. Below an example:

output: {'interface': ['ae1.30', 'tunnel.10', 'tunnel.11', 'ae1.20'], 'ad_static': None, 'ad_static_ipv6': None, 'ad_ospf_int': None, 'ad_ospf_ext': None, 'ad_ospfv3_int': None, 'ad_ospfv3_ext': None, 'ad_ibgp': None, 'ad_ebgp': None, 'ad_rip': None, 'name': 'default'}

4- To verify the static routes applied in a specific routing table:

vrouter = network.VirtualRouter(name='default') fw.add(vrouter) static_routes = network.StaticRoute.refreshall(vrouter) for route in static_routes: print(route.about())

#the output of commands above will be the details about each static route in the vrouter:

output: #{'destination': '10.11.77.11/32', 'nexthop_type': None, 'nexthop': None, 'interface': 'tunnel.22', 'admin_dist': 10, 'metric': 10, 'enable_path_monitor': False, 'failure_condition': 'any', 'preemptive_hold_time': 2, 'name': '10.11.77.11_32'} {'destination': '10.20.20.0/27', 'nexthop_type': 'ip-address', 'nexthop': '10.10.10.1', 'interface': None, 'admin_dist': 10, 'metric': 10, 'enable_path_monitor': False, 'failure_condition': 'any', 'preemptive_hold_time': 2, 'name': '10.20.20.0_27'} {'destination': '10.30.30.30/24', 'nexthop_type': 'ip-address', 'nexthop': '10.10.10.1', 'interface': None, 'admin_dist': 10, 'metric': 10, 'enable_path_monitor': False, 'failure_condition': 'any', 'preemptive_hold_time': 2, 'name': '10.30.30.0_24'}

5 - To deploy a static route in a routing table, you can follow the following procedure:
5.a - First, create a dictionary with required parameters:

test_python_route = {'destination': '8.8.8.8/32', 'nexthop_type': None, 'nexthop': None, 'interface': None, 'admin_dist': 10, 'metric': 10, 'enable_path_monitor': False, 'failure_condition': 'any', 'preemptive_hold_time': 2, 'name': 'PYTHON_TESTE_GOOGLE_DNS' } #**If you don´t fill all the key values, the default value is assumed.

5.b - Second, you need to get the virtual routers configuration from the firewall:

network.VirtualRouter.refreshall(fw)

5.c - So, you can "search" and/or "find" the virtual-router that will receive the new static route:

vrouter = fw.find('default', network.VirtualRouter)

5.d - So now, you can "build" the configuration and associate the "route dictionary":

deploy_route = network.StaticRoute(**test_python_route)

5.e - Bind the config to vrouter python instance:

vrouter.add(deploy_route)

5.f - create the route:

deploy_route.create()

5.g - My sugestion is, not commit from the script. But if required, you can commit from the script:

fw.commit()

#to confirm the commit process ocurring in the firewall go to GUI interface and verify in Task the commit status.

Hope that this be useful, and i my suggestion is verify how panos module really works in the official documentation.
I´m a beginer yet, but i already learned a lot. 🙂

Re: Get routes through Panorama

czinu — Fri, 09 Sep 2022 10:49:06 GMT

Thanks for extensive answer. This is not directly what I was asking for, but it has guided me in the right direction. For anyone else looking for the same thing this is how you can access devices with panorama as a proxy.

Take a look at option 2 from here:

https://pan-os-python.readthedocs.io/en/latest/howto.html#connect-via-panorama

topic Re: Get routes through Panorama in Automation/API Discussions

Get routes through Panorama

Re: Get routes through Panorama

Re: Get routes through Panorama