topic Re: Python Script For Interface ACL's, feedback in General Topics

Python Script For Interface ACL's, feedback

hfakoor2 — Wed, 04 Oct 2023 23:12:10 GMT

Wrote script to update interface ACL's in batch. User logs in to multiple firewalls, SSH conenctions saved in background, interface profiles are updated in a customized way per user input per firewall.

Here's the Github link to the program:

https://github.com/hfakoor222/Palo_Alto_Scripting

There's a 2 minute video on multiple firewalls being updated at once, 10.0.4

My question is how useful would a script like this be? I'm not used to panOS devices, so I don't know if the GUI/Panorama has features suc as batch updates.

My second question is what other features would you recommend to add: example what issues does a firewall engineer face that could save time being scripted.

I had some ideas for features which include:

service-policy automation

object-group automation

connectivity test: using Python packets to test connectivity before and after ACL changes (ex: pings and tcp conenctions)

What are your thoughts on this? And what are your suggestions to improve on features.

Thanks

PS:

you can also follow/watch the Github link to stay updated with the fetures I'll be adding. I may at some point try to develop this into a full program hosted on an internal web page.

Re: Python Script For Interface ACL's, feedback

TomYoung — Thu, 05 Oct 2023 01:15:37 GMT

Hi @hfakoor2 ,

I like it! It's short and sweet and gets the job done. The script is mostly Pythonic which means it is easy to follow and self-documenting. I have 1 minor recommendation: Consider adding the operational mode command "set cli config-output-format set" so that your configuration mode commands show in the set format instead of JSON.

How useful will it be? That is always hard to answer. If people like it and find it easy to use, then yes. However, there are a plethora of automation products out there. The Live Community has pages dedicated for 3. Check out the pic below.

The Ansible module has an Interface Management Profile playbook. The PAN-OS Python page has 2 main Pythons tools, both on GitHub, and lots of community input. There is also a 3rd Python panapi on GitHub.

Panorama and the NGFWs also have an API interface. https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-panorama-api/get-started-with-the-pan-os-xml-api/explore-the-api/use-the-api-browser

I don't do much automation now. I use Panorama to manage multiple NGFWs. For automation n00bs, I think Ansible would be the easiest to setup and begin making changes. If I were to write an SDK, I would probably use the REST API because the URLs and actions would be consistent throughout. This would allow the script to be very modular. API keys also save time over username/passwords.

Thanks,

Tom

Re: Python Script For Interface ACL's, feedback

hfakoor2 — Thu, 05 Oct 2023 01:36:43 GMT

Thanks, I'm reading the panos read the docs right now, seems like it has a lot of power. I thinkI'm going to keep pushing with creating a lightweight program,

I think the next, and relatively easy and practical script, would be do get all device ACL's and compare it to existing ACL's in a SQL (Swinds) database, and give the user the option to push changes or delete the ACL's. I may add that next and integrate with the code I have.

Question for anyone:

does the PAN-OS SDK for Python make its API calls Panorama/ the GUI?

https://pan-os-python.readthedocs.io/en/latest/getting-started.html

Re: Python Script For Interface ACL's, feedback

TomYoung — Thu, 05 Oct 2023 02:00:33 GMT

Hi @hfakoor2 ,

I am pretty sure it is based upon pan-python which uses the PAN-OS and Panorama XML API. See the API Browser URL I posted above.

Thanks,

Tom

Re: Python Script For Interface ACL's, feedback

hfakoor2 — Thu, 05 Oct 2023 03:53:12 GMT

@TomYoung what is PAN-OS, a centralized GUI?

Also would I be able to practice these API calls in a lab environment? I'm not sure if the GUI would have some sort of subscription feature?

Thanks for the reply.

Re: Python Script For Interface ACL's, feedback

TomYoung — Thu, 05 Oct 2023 13:11:49 GMT

Hi @hfakoor2 ,

PAN-OS is the Palo Alto Networks - Operating System for their NGFWs.

Yes, you can practice the API calls in a lab. The API does not require a license.

Thanks,

Tom