topic Re: Is there any way I can make an "Easy Button" for help desk to enable/disable PBF rules in General Topics

Is there any way I can make an "Easy Button" for help desk to enable/disable PBF rules?

Maxstr — Fri, 23 Aug 2019 14:18:45 GMT

I'd like to create a script or some kind of quick method to disable a PBF rule. We have a dual-ISP setup, and sometimes one ISP will get extremely slow. But it doesn't actually go down, so it doesn't trigger the PBF rule, and we're left with nearly unusable internet.

As the only "firewall guy", they basically have to wait on me to disable a PBF rule. Is there a way to script this?

Re: Is there any way I can make an "Easy Button" for help desk to enable/disable PBF rules

OtakarKlier — Fri, 23 Aug 2019 16:13:08 GMT

Hello,

Might be possible via the API. However gertting better ISP's might be worth looking into as well.

https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-panorama-api/get-started-with-the-pan-os-xml-api/explore-the-api

Regards,

Re: Is there any way I can make an "Easy Button" for help desk to enable/disable PBF rules

Maxstr — Fri, 23 Aug 2019 16:16:03 GMT

@OtakarKlier wrote:
However gertting better ISP's might be worth looking into as well.

How does the saying go... "A general goes to war with the army he has"

Re: Is there any way I can make an "Easy Button" for help desk to enable/disable PBF rules

BPry — Fri, 23 Aug 2019 17:32:17 GMT

@Maxstr,

This is an extremely good use case of the API.

Bonus Points: If you configure a machine so that it can utilize both ISP circuits (through two NICs or VLAN setup) you could actually automate testing the circuits and automatically enable/disable the PBF rule on the firewall once bandwidth is within expected norms. This would take any manual interaction requirements out completely.

Re: Is there any way I can make an "Easy Button" for help desk to enable/disable PBF rules

Maxstr — Fri, 23 Aug 2019 18:02:02 GMT

@BPry wrote:
@Maxstr,
This is an extremely good use case of the API.
Bonus Points: If you configure a machine so that it can utilize both ISP circuits (through two NICs or VLAN setup) you could actually automate testing the circuits and automatically enable/disable the PBF rule on the firewall once bandwidth is within expected norms. This would take any manual interaction requirements out completely.

So I looked over the API documentation, and I do see one for PBF rules. I've never used REST API though, so I guess it's time for a crash course. Any advise on where to start?

Re: Is there any way I can make an "Easy Button" for help desk to enable/disable PBF rules

BPry — Fri, 23 Aug 2019 19:11:53 GMT

@Maxstr,

The firewall includes a fairly decent browser that follows the CLI, so PBF would start at the following API URL

 /api/?type=config&action=gest&xpath=/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/rulebase/pbf/rules

So you would then set this to disabled by sending the following

/api/?type=config&action=set&xpath=/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/rulebase/pbf/rules/entry[@name='Test-PBF']&element=<disabled>yes</disabled>&key=APIKEY

Just to make it clear, you would want a way to obsficate your API Key so that your help desk doesn't actually get to see what it is, otherwise they would have the same permissions as whatever account the key was generated under. You could then utilize something like RunDeck to actually get them to run a script without opening up the management interface to all of your helpdesk users.