Windows Script to connect PaloAlto firewall and run commands

L1 Bithead

Windows Script to connect PaloAlto firewall and run commands

Hi Team

My requirement is:

Run a Python/PowerShell script from a Windows box which should connect to the Palo Alto firewall over an SSH connection and run some commands, like "show user group list" or "show system disk-space". It should display the output on screen and store the output in a file.

I have found one Python script. It works with a Linux server, but when it connects to the Palo Alto server (verified in the logs) over SSH, it gets stuck, does not give a prompt, and after a 10 min timeout a log entry is printed.
Also I am unable to see whether the commands ran on the Palo Alto server or not. See below for your reference:

++++++++++++++++++++++++++++++++++++++++++
import os
import paramiko

# Start from a fresh output file; the original os.remove() raised if the file was missing.
if os.path.exists("test.txt"):
    os.remove("test.txt")

ssh = paramiko.SSHClient()
# AutoAddPolicy accepts whatever host key the peer presents on first contact;
# loading a known_hosts file instead pins the firewall's key.
ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
ssh.connect("xx.xx.xx.xx", username="user", password="*********", port=22)

# A read timeout makes the script fail fast instead of blocking for 10 minutes
# when the device never returns output over the exec channel.
stdin, stdout, stderr = ssh.exec_command('show system disk-space', timeout=30)
output = ''.join(stdout.readlines())
print(output)

with open('test.txt', 'w') as file:
    file.write(output)
ssh.close()
+++++++++++++++++++++++++++++++++++++++++++

Where can I see that the command ran successfully on the firewall? Any log?

Is there any other way to run commands from a remote server (Windows)? Has anyone automated this?


Thanks in advance.

L4 Transporter

Re: Windows Script to connect PaloAlto firewall and run commands

It would make much more sense to simply send API calls using powershell/python/bash/whatever you like. This can be done quite easily and there is a ton of documentation out there. Take a look at what is available with

https://yourfirewall/php/rest/browse.php

https://docs.paloaltonetworks.com/pan-os/7-1/pan-os-panorama-api/get-started-with-the-pan-os-xml-api...

L1 Bithead

Re: Windows Script to connect PaloAlto firewall and run commands

Thanks @hshawn for the quick reply and for providing the information.

I am going through the link and understanding the way to automate the task.

Actually our tunnel goes down frequently, so we are planning to bring up the tunnel with automation.

Is it possible to run the commands below with API calls?

#show vpn ipsec-sa tunnel <Tunnel name>

#test vpn ipsec-sa tunnel <Tunnel name>

Thanks in advance.... :)

L4 Transporter

Re: Windows Script to connect PaloAlto firewall and run commands

Yes, you should be able to do that with:

<request><operations><show><vpn><ipsec-sa><tunnel>yourtunnelnamehere</tunnel></ipsec-sa></vpn></show></operations></request>

You can run commands and get the output that is needed for the API calls by using "debug cli on", then type your command and note the output. NOTE: This executes your commands, so if you want to know what API call to use to reboot the dataplane I would not suggest using this method :)

L1 Bithead

Re: Windows Script to connect PaloAlto firewall and run commands

Hello @hshawn,

Thanks, I got the output but it seems different.

Actually I am not getting the proper output.

With the command I am getting the output below. From this I can understand that Phase 1 and 2 are okay.

Show IKEv1 IKE SA: Total 4 gateways found. 1 ike sa found.

Show IKEv1 phase2 SA: Total 4 gateways found. 1 ike sa found

But with the API call I am not getting this output, only the time, name and algo.

Sorry, reboot is not possible.

How can I fetch this info? Is there any other way to fetch the information?

L4 Transporter

Re: Windows Script to connect PaloAlto firewall and run commands

Try this:

<show><running><tunnel><flow><all></all></flow></tunnel></running></show>

If the tunnel is down it will show <state>inactive</state>
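The API-based approach hshawn recommends, as an added example that is not part of the thread: a small Python script that sends the tunnel-flow op command above to the PAN-OS XML API over verified TLS, prints and saves the reply (the first post's requirement), and lists tunnels whose <state> is not active. The hostname, the api_key argument and the layout of the constructed SAMPLE_REPLY are assumptions; replace SAMPLE_REPLY with a real call to run_op_command() to use it against a firewall.

```python
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET
# Op command from the thread: tunnel flow status for every tunnel.
TUNNEL_FLOW_CMD = "<show><running><tunnel><flow><all></all></flow></tunnel></running></show>"

def build_op_url(host, cmd, api_key):
    """Build the XML API 'op' request URL (cmd is XML, not CLI text)."""
    query = urllib.parse.urlencode({"type": "op", "cmd": cmd, "key": api_key})
    return "https://%s/api/?%s" % (host, query)

def run_op_command(host, cmd, api_key, cafile=None, timeout=30):
    """Send one op command over HTTPS and return the raw XML reply as text.
    The certificate is verified against cafile (or the system store)."""
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(build_op_url(host, cmd, api_key),
                                context=ctx, timeout=timeout) as resp:
        return resp.read().decode("utf-8")

def parse_tunnel_states(xml_text):
    """Map tunnel name -> state from a tunnel-flow reply; fail loudly on an
    API error instead of treating an error reply as 'everything is up'."""
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        raise RuntimeError("API error: " + (root.findtext(".//msg") or "unknown"))
    states = {}
    for entry in root.iter("entry"):
        name, state = entry.findtext("name"), entry.findtext("state")
        if name and state:
            states[name] = state
    return states

def inactive_tunnels(states):
    """Names of tunnels whose state is anything other than 'active'."""
    return sorted(n for n, s in states.items() if s != "active")

# Constructed sample reply (layout assumed); lets the script run offline.
SAMPLE_REPLY = ('<response status="success"><result><IPSec>'
                '<entry><name>site-a</name><state>active</state></entry>'
                '<entry><name>site-b</name><state>inactive</state></entry>'
                '</IPSec></result></response>')

if __name__ == "__main__":
    # Swap in run_op_command("fw.example", TUNNEL_FLOW_CMD, api_key) for a live check.
    reply = SAMPLE_REPLY
    print(reply)                                  # display on screen ...
    with open("tunnel-flow.xml", "w") as fh:      # ... and keep a copy on disk
        fh.write(reply)
    print("inactive:", inactive_tunnels(parse_tunnel_states(reply)))
```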

L1 Bithead

Re: Windows Script to connect PaloAlto firewall and run commands

Thanks @hshawn.

You really saved my time and helped me.

I will test and let you know if I have any questions.

:)

L1 Bithead

Re: Windows Script to connect PaloAlto firewall and run commands

Hi @hshawn,

I checked it, but the VPN tunnel shows UP.

Let me describe the scenario:

Actually, every so often our tunnel goes down, but that is not reflected in the firewall section; it shows UP in green.

When we run the command below to check the VPN tunnel status, it shows full details:

>show vpn ike-sa gateway <Name>

Show IKEv1 IKE SA: Total 4 gateways found. 1 ike sa found.

There is no IKEv1 phase-2 SA found. ---- The error we get in the logs and from the command

Our phase-2 authentication is failing, which is not reflected in the firewall tunnel status section.

So we want to bring it UP using the #test command.

1) How can I fetch full details from the API?

2) I believe the test command will work, but I will have to find out the status before running the test command. Is it possible?

Thanks in advance ...... :)

L1 Bithead

Re: Windows Script to connect PaloAlto firewall and run commands

Hi @hshawn,

I can see a "success" reply despite my VPN tunnel status being down.

Could you please let me know an alternative way for the same.

Regards,

Srikant Patil
