Windows Script to connect PaloAlto firewall and run commands


L1 Bithead

Hi Team

My requirement is:

Run a Python/PowerShell script from a Windows box which should connect to the Palo Alto by command line over an SSH connection and run some commands, like "show user group list" or "show system disk-space". It should display the output on screen and store the output in a file.

I have found one Python script. It works with a Linux server, but when it connects to the Palo Alto (verified in the logs) over SSH it gets stuck, does not give a prompt, and after a 10 min timeout a log is printed.
Also I am unable to see whether the commands run on the Palo Alto or not. Find it below for your reference:

++++++++++++++++++++++++++++++++++++++++++
import os
import paramiko

# Start with a fresh output file (the original os.remove() raised
# FileNotFoundError on the first run, when test.txt did not exist yet).
if os.path.exists("test.txt"):
    os.remove("test.txt")

ssh = paramiko.SSHClient()
# AutoAddPolicy accepts any host key without checking it; once the firewall's
# key is known, load it from a known_hosts file instead.
ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
ssh.connect("xx.xx.xx.xx", username="user", password="*********", port=22)

# exec_command() runs one command on a channel without a PTY/shell.
stdin, stdout, stderr = ssh.exec_command('show system disk-space')
output = ''.join(stdout.readlines())
print(output)

with open('test.txt', 'w') as f:
    f.write(output)

ssh.close()
+++++++++++++++++++++++++++++++++++++++++++

Where can I see that the command ran successfully on the firewall? Any log?

Is there any other way to run commands from a remote server (Windows)? Has anyone automated this?


Thanks in advance.

8 replies

L4 Transporter

It would make much more sense to simply send API calls using PowerShell/Python/bash/whatever you like. This can be done quite easily and there is a ton of documentation out there. Take a look at what is available with

https://yourfirewall/php/rest/browse.php

https://docs.paloaltonetworks.com/pan-os/7-1/pan-os-panorama-api/get-started-with-the-pan-os-xml-api...

Thanks @hshawn for the quick reply and for providing the information.

I am going through the link and understanding the way to automate the task.

Actually our tunnel goes down frequently, so we are planning to bring up the tunnel with automation.

Is it possible to run the below commands with API calls?

#show vpn ipsec-sa tunnel <Tunnel name>

#test vpn ipsec-sa tunnel <Tunnel name>

Thanks in advance.... 🙂

Yes, you should be able to do that with:

<request><operations><show><vpn><ipsec-sa><tunnel>yourtunnelnamehere</tunnel></ipsec-sa></vpn></show></operations></request>

You can run commands and get the output that is needed for the API calls by using "debug cli on", then type your command and note the output. NOTE: this executes your commands, so if you want to know what API call to use to reboot the dataplane I would not suggest using this method 🙂

 

Hello @hshawn,

Thanks, I got the output but it seems different.

Actually I am not getting proper output.

With the command I am getting the below output; with this I can understand Phase 1 and 2 are okay.

Show IKEv1 IKE SA: Total 4 gateways found. 1 ike sa found.

Show IKEv1 phase2 SA: Total 4 gateways found. 1 ike sa found

But with the API call I am not getting this output, getting only time, name and algo.

Sorry, reboot is not possible.

How can I fetch this info? Is there any other way to fetch the information?

Try this:

<show><running><tunnel><flow><all></all></flow></tunnel></running></show>

If the tunnel is down it will show <state>inactive</state>
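The API approach from these replies, carried through as an added example (this is not code from the thread, from Palo Alto Networks, or from any of the posters): build the type=op request URL for the tunnel-flow command shown above, parse the XML response, and list the tunnels whose <state> is not active, which is the check to run before deciding whether anything needs the test command. The PAN-OS XML API endpoint https://<firewall>/api/ with the type=op, cmd and key parameters is the documented interface, and the cmd value is the XML that "debug cli on" prints for a CLI command. The hostname, API key and the sample response below are constructed; in the response only <response status>, <result>, <entry>, <name> and <state> are taken from the thread and the API format, the other fields are assumptions. Only the Python standard library is used.

```python
"""Query a PAN-OS firewall over the XML API and report tunnel state.

Added example; hostname, key and sample data are constructed.
"""
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

# Operational command from the thread: every tunnel flow with its state.
SHOW_TUNNEL_FLOW_ALL = (
    "<show><running><tunnel><flow><all></all></flow></tunnel></running></show>"
)


class PanApiError(Exception):
    """Raised when the firewall answers with status other than "success"."""


def build_op_url(host: str, cmd_xml: str, api_key: str) -> str:
    """Build the XML API URL for an operational command (type=op).

    The command goes in the `cmd` parameter as XML, i.e. the same text
    that `debug cli on` prints when the command is typed on the CLI.
    """
    query = urllib.parse.urlencode({"type": "op", "cmd": cmd_xml, "key": api_key})
    return f"https://{host}/api/?{query}"


def fetch(url: str, cafile: str) -> str:
    """GET `url`, trusting only the CA bundle in `cafile` (not run offline)."""
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(url, context=ctx, timeout=30) as resp:
        return resp.read().decode("utf-8")


def parse_op_response(xml_text: str) -> ET.Element:
    """Return the <result> element, or raise PanApiError on an error reply."""
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        detail = " ".join(
            e.text.strip()
            for tag in ("msg", "line")
            for e in root.iter(tag)
            if e.text and e.text.strip()
        )
        raise PanApiError(f"API error {root.get('code', '?')}: {detail or 'no message'}")
    result = root.find("result")
    if result is None:
        raise PanApiError("response has no <result> element")
    return result


def tunnel_states(xml_text: str) -> dict:
    """Map tunnel name -> <state> text for each <entry> in the reply."""
    states = {}
    for entry in parse_op_response(xml_text).iter("entry"):
        name = entry.findtext("name")
        state = entry.findtext("state")
        if name is not None and state is not None:
            states[name] = state
    return states


def down_tunnels(xml_text: str) -> list:
    """Names of tunnels whose state is not 'active': the condition to alert on."""
    return sorted(n for n, s in tunnel_states(xml_text).items() if s != "active")


# Constructed sample reply (not captured from a real firewall). The <id> and
# <inner-if> fields are assumptions; <name> and <state> follow the thread.
SAMPLE_RESPONSE = """<response status="success"><result><IPSec>
<entry><name>tunnel-to-branch</name><id>1</id><inner-if>tunnel.1</inner-if>
<state>active</state></entry>
<entry><name>tunnel-to-dc</name><id>2</id><inner-if>tunnel.2</inner-if>
<state>inactive</state></entry>
</IPSec></result></response>"""

# Constructed error reply in the shape the API uses for a rejected key.
SAMPLE_ERROR = (
    '<response status="error" code="403"><result><msg>Invalid Credential</msg>'
    "</result></response>"
)

if __name__ == "__main__":
    # Offline demo on the constructed sample. Against a real firewall:
    #   xml_text = fetch(build_op_url("fw.example.internal", SHOW_TUNNEL_FLOW_ALL,
    #                                 "API-KEY-PLACEHOLDER"), "firewall-ca.pem")
    print("tunnel states:", tunnel_states(SAMPLE_RESPONSE))
    print("down:", down_tunnels(SAMPLE_RESPONSE))
```

Keep the API key out of the script and out of the shell history (an environment variable or a credential store), and point `cafile` at the CA that signed the firewall's management certificate rather than turning verification off; the same structure works for the ipsec-sa and ike-sa commands by swapping the cmd XML and the element names read from the reply.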

Thanks @hshawn.

You really saved my time and helped me.

I will test and let you know if I have any questions.

🙂

Hi @hshawn,

I checked it but the VPN tunnel shows UP.

I'll tell you the scenario:

Actually every so often our tunnel goes down, but that is not reflected in the firewall section; it shows UP and in green.

When we run the below command to check the VPN tunnel status, it shows full details:

>show vpn ike-sa gateway <Name>

Show IKEv1 IKE SA: Total 4 gateways found. 1 ike sa found.

There is no IKEv1 phase-2 SA found. ---- the error we get in the logs and from the command

Our phase-2 authentication is failing, which is not reflected in the firewall tunnel status section.

So we want to bring it UP using the #test command.

1) How can I fetch full details from the API?

2) I believe the test command will work, but I will have to find out the status before running the test command. Is it possible?

Thanks in advance ...... 🙂

Hi @hshawn,

I can see a "success" reply despite my VPN tunnel status being down.

Could you please let me know an alternate way for the same.

Regards,

Srikant Patil

  • 2 accepted solutions
  • 18757 Views
  • 8 replies
  • 0 Likes