topic Re: List NAT tables with static-ip translations in General Topics

List NAT tables with static-ip translations

TigeRRR — Wed, 20 Apr 2022 17:32:56 GMT

Hello all!

I'd like to compile a list of all my NAT tables for static-ip entries for all my firewalls, I don't know if there's a better way to do it but I'm trying to do it by running the following command on my firewalls and recording the output:

show running nat-policy | match index\|source\|translate-to

The issue with this one is that it's showing all, I want to show only the ones with static IPs but if I replace translate-to with static-ip, it doesn't exclude the entire block/entry but only the lines containing something other than static-ip which is to be expected, is there a way to filter by config/rule block? I know Cisco has this "| section" filter (Palo only has match and except) and Palo supposedly could use Regex but it appears to be very limited, how can I achieve the output I need by excluding the entire entries that contain dynamic-ip in the translation field? Or if there's an even better way to get this information?

Re: List NAT tables with static-ip translations

TomYoung — Wed, 20 Apr 2022 18:02:15 GMT

Hi @TigeRRR ,

You can export your NAT rules from the GUI with the PDF/CSV button on the bottom. Then you can open in Excel and filter the Translated Packet Source Translation column with "contains 'static'". You could also Text to Columns the same column to break out the translated source into a separate column.

If you have destination NAT, do the same for the Translated Packet Destination Translation column.

Thanks,

Tom

Re: List NAT tables with static-ip translations

TigeRRR — Wed, 20 Apr 2022 18:05:39 GMT

@TomYoung Thank you! Yes, I'm aware of this but I wanted to get this for multiple firewalls at once, and preferably have the results emailed to me on regular basis, this report can only be obtained from the GUI and it has to be done manually. Maybe you know of a way I can automate it?

Re: List NAT tables with static-ip translations

TomYoung — Wed, 20 Apr 2022 18:26:20 GMT

Hi @TigeRRR ,

Very cool. Even 'show rulebase nat | match "source\|static"' would require some automation to filter. Since you want to automate the process, the best tool to use is the API.

https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-panorama-api

https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-panorama-api/get-started-with-the-pan-os-xml-api/explore-the-api

What automation tools do you know/use?

Thanks,

Tom

Re: List NAT tables with static-ip translations

TigeRRR — Wed, 20 Apr 2022 22:34:54 GMT

@TomYoung I haven't used API much but doesn't that also involve passing the same CLI commands but is pulled differently using an API key? Is it more advanced that I can use complex Regex and the likes?

Re: List NAT tables with static-ip translations

TomYoung — Wed, 20 Apr 2022 23:17:32 GMT

Hi @TigeRRR ,

In this case, you want to (1) retrieve the NAT policy from multiple firewalls, (2) filter out the static entries, and (3) build a table of the real and NATed IP addresses. If you want to automate this process, you will need to program or script something, e.g. Python, Ansible, etc.

Regardless of the tool you use, the API interface is much easier to program that the CLI. In addition, the data is returned in database format (XML or JSON) so that you do not have to screen scrape and tabulate.

In response to your questions:

You pass XML to the API interface instead of CLI.
You login with an API key instead of username/password.
The API interface does not allow complex RegEx. That is done with your automation tool.

So, configuring an automation tool and learning the API will have an initial steep learning curve, but once you build that foundation you could perform complex, repetitive tasks with ease.

Sorry that I do not have a quick solution. It sounded like you may already be using an automation tool.

Thanks,

Tom

Re: List NAT tables with static-ip translations

TigeRRR — Mon, 25 Apr 2022 18:25:08 GMT

@TomYoung I guess this is something worth exploring, I don't have much exposure to it so I hope I'll be able to achieve something from this.
I don't have an automation tool per se, I just use my monitoring platform, it has a service account that logs in using SSH and passes whatever commands I want to the monitored devices, it would have worked very well if Palo's CLI commands weren't so limited.