09-19-2014 10:50 AM
So I got help from support and they gave me this nifty Perl example on how to get output from the firewalls.
However, I need to assign that output from the show command to a variable for further manipulation. That was the whole purpose.
Does anyone know how to assign the outputs from the show commands to a variable?
Thanks!
And below is the script example:
example.pl
-----------------------------------------------------------------
#!/usr/bin/perl
use strict;
my $cmd = "ssh ssh\@10.40.10.228";
my $line = "show system info";
open CLI, " | $cmd ";
print CLI "$line\n";
close CLI;
09-22-2014 03:14 PM
The value of the variable $line is "show system info" ... Printing $line gives me ... "show system info".
What I need is the output from the show command.
I want to assign that to a variable or be able to manipulate/parse it in the script to get meaningful information.
09-22-2014 03:54 PM
Ok first let's check your code, is it working?
my $cmd = "ssh ssh\@10.40.10.228"; # external command to run, I assume you're using UNIX on your computer
my $line = "show system info"; # Command to run
open CLI, " | $cmd "; # Executing the external command, in this case SSH login; you can find more info in the following link, but I prefer to use the backticks http://www.perlhowto.com/executing_external_commands
print CLI "$line\n"; # you have the CLI opened so you just put the command there and print it
close CLI; # you close the SSH external session
You have a lot of ways to get this working; you can use the Net::SSH::Perl module http://search.cpan.org/~schwigon/Net-SSH-Perl-1.37/lib/Net/SSH/Perl.pm
And create a script like this one:
use Net::SSH::Perl; #Loading the SSH module
my $cmd = shift; #command to execute
my $ssh = Net::SSH::Perl->new($host); #opening the SSH session
$ssh->login($user, $pass); #login into the session
my($stdout, $stderr, $exit) = $ssh->cmd($cmd); # the output will be saved in the $stdout variable
If your script is working, maybe you can try
@output = print CLI "$line\n"; # @ indicates it's an array
Also the easiest one is that you already set up SSH keys between the PA FW and your script machine. https://www.digitalocean.com/community/tutorials/how-to-set-up-ssh-keys--2
my @output = `ssh root@1.1.1.1 "which perl"`;
There is more info in the next link
http://stackoverflow.com/questions/2848725/how-can-i-ssh-inside-a-perl-script
09-23-2014 03:08 PM
You need two pipes one for input and one for output, this document goes over using pipes in Perl,
In the example CLI is a unidirectional pipe so the output will need to be returned through another pipe.
The example below will not work to get data back,
@output = print CLI "$line\n";
This example uses two pipes, it does require an extra library and you may have problems with line buffering.
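use IPC::Open2;
# open2 takes the handle to read the child's output first, then the handle to write to it
open2(\*INPUT, \*OUTPUT, 'ssh ssh\@firewall');
print OUTPUT "show system info\n"; # the trailing newline submits the command
foreach my $line (<INPUT>) {
    print "$line";
}
close INPUT;
close OUTPUT;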
09-24-2014 02:18 PM
Neither method seems to work with the Palo Alto.
They just hang after I enter my password...
I was able to find the PAN::CLI module and was able to issue operational commands successfully. However, it seems to be one-line commands and very restrictive in what I can do.
I opened the PAN::CLI file and it uses the Expect module to do most of its work.
I can't follow it beyond that.
I just basically need a perl script example, that gets me to the basic point of working.
09-26-2014 09:47 AM
After doing some further reading I believe that you are having problems with line buffering as ssh doesn't auto flush the buffer.
I found this doc, PAN-perl: command line and Perl interface to PAN-OS XML API and CLI
I am working on reading through it now; it appears to cover XML API access to the PA also.
09-27-2014 08:47 PM
I was able to use the pancli tool that is part of PAN-perl-20121110.tar.gz
https://live.paloaltonetworks.com/docs/DOC-1910
pancli lets you run a command on the PA and returns the output. I was able to make it work with only one pipe and it does not require buffer auto flushing. I wrote and tested the script on Debian 7 and I had to install the following libraries:
libjson-perl
libexpect-perl
libxml-simple-perl
The README file in PAN-perl-20121110.tar.gz covers the installation
#!/usr/bin/perl
use strict;
#
# run command on PA using "pancli"
# pancli is part of PAN-perl-20121110.tar.gz, found at
# https://live.paloaltonetworks.com/docs/DOC-1910
# the script runs "show system info"
# then prints each line
my $pa_cmd = "show system info";
my $raw_system_info;
# run command and catch returned data
$raw_system_info = pa_ctl($pa_cmd);
# send system data to be printed
display_system_info($raw_system_info);

sub pa_ctl {
    my $opperation = shift;
    my $cmd = 'pancli -l user:password -h 172.20.2.1';
    my $line;
    my $system_data;
    my @data;
    # pipe $opperation through pancli
    open PAN, "$cmd \"$opperation\" |" or die "cannot run pancli: $!";
    foreach $line (<PAN>) {
        chomp $line;
        push @data, $line;
    }
    close PAN;
    # lines are joined with "," here and split on "," again below
    $system_data = join ",", @data;
    return $system_data;
}

sub display_system_info {
    my $info = shift;
    my $i = 0;
    my $line;
    my $num_lines;
    my @system_info;
    @system_info = split ",", $info;
    $num_lines = @system_info;
    print "$num_lines lines of output\n";
    # print line number and line of info
    foreach $line (@system_info) {
        print "$i :-: $line\n";
        $i++;
    }
}
09-30-2014 02:46 PM
pancli is a wrapper around PAN::CLI and the CLI_operational_mode_exec() method. For documentation use 'perldoc CLI.pm'
10-01-2014 07:31 AM
I was able to use PAN::CLI to do one operational command.
What I need to do is run multiple commands and save output to a file or variable.
For example, I want all the shared addresses, address-groups, pre-rulebase security rules, etc.
That would require going into configure mode, running "show shared address", "show shared address-group", etc
Unfortunately, none of the scripts allow me to do that.
So far the only thing I've been able to do is use your first script but add the commands into an array.
#!/usr/bin/perl
use strict;
my $cmd = "ssh user\@192.168.1.1";
my $line = "show system info";
my @cli;
push(@cli, "set cli config-output-format set\n");
push(@cli, "configure\n");
push(@cli, "show shared address\n");
push(@cli, "show shared address-group\n");
push(@cli, "show shared pre-rulebase security\n");
push(@cli, "exit\n");
push(@cli, "exit\n");
open CLI, " | $cmd ";
print CLI @cli;
close CLI;
However, it doesn't allow me to do further manipulation. I have to copy the contents and paste them into a new file, which can be tedious. It would be nice to have a script that can do that. It doesn't have to be Perl. I would learn Python if there is an easy way to ssh and run those commands all in one session and be able to manipulate them in the end.
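As an added example that is not part of the thread: a Python sketch of what the posts above work toward, sending the CLI commands over one SSH session, capturing the output in a variable, and parsing the set-format lines. The helper names, the `ssh` options (key-based login with `BatchMode=yes`, so the call fails instead of hanging at a password prompt and no password sits on a command line) and the sample output are assumptions constructed for illustration.

```python
import shlex
import subprocess

# Commands from the last script in the thread, sent in one session.
COMMANDS = ["set cli config-output-format set", "configure",
            "show shared address", "show shared address-group",
            "show shared pre-rulebase security", "exit", "exit"]

# Constructed sample of set-format output (not captured from a device).
SAMPLE = '''show shared address
set shared address web-1 ip-netmask 10.0.0.5/32
set shared address web-1 description "front end"
set shared address "db 1" ip-netmask 10.0.0.9/32
set shared address-group web-servers static web-1
'''

def ssh_argv(user, host):
    # BatchMode=yes makes ssh fail at once instead of waiting at a password
    # prompt, so key-based login must already work. -T requests no terminal.
    return ["ssh", "-T", "-o", "BatchMode=yes", f"{user}@{host}"]

def run_cli(argv, commands, timeout=30):
    """Send commands on the child's stdin and return all of its stdout."""
    # argv is a list, so no local shell re-parses it. run() services both
    # pipes itself, which avoids the write-then-read deadlock.
    proc = subprocess.run(argv, input="".join(c + "\n" for c in commands),
                          capture_output=True, text=True, timeout=timeout)
    if proc.returncode != 0:
        raise RuntimeError(f"{argv[0]} exited {proc.returncode}: {proc.stderr.strip()}")
    return proc.stdout

def parse_set_lines(output, section):
    """Group 'set <section> <name> <attr> <values...>' lines by object name."""
    want = ["set"] + section.split()
    objects = {}
    for raw in output.splitlines():
        try:
            tokens = shlex.split(raw)   # honours "quoted names"
        except ValueError:
            continue                    # unbalanced quote: not a config line
        rest = tokens[len(want):]
        if tokens[:len(want)] != want or len(rest) < 3:
            continue                    # prompt, echo or another section
        name, attr, values = rest[0], rest[1], rest[2:]
        objects.setdefault(name, {}).setdefault(attr, []).extend(values)
    return objects

if __name__ == "__main__":
    # Live use (placeholder host): run_cli(ssh_argv("user", "192.168.1.1"), COMMANDS)
    print(parse_set_lines(SAMPLE, "shared address"))
```
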
10-22-2014 04:22 PM
this may be useful for what you are doing:
https://github.com/kevinsteves/pan-python/blob/master/doc/panconf.rst