08-09-2019 07:30 AM
Hi Team
My requirement is:
Run a Python/PowerShell script from a Windows box which should connect to Palo Alto by command line over an SSH connection and run some commands, like "show user group list" or "show system disk-space". It should display the output on screen and store the output in a file.
I have found one Python script. It works with a Linux server, but when it connects to the Palo Alto server (verified in the logs) over an SSH connection, it gets stuck and doesn't give a prompt, and after the 10 min timeout a log is printed.
Also, I am unable to see whether the commands run on the Palo Alto server or not. Find the script below for your reference:
++++++++++++++++++++++++++++++++++++++++++
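import os
import paramiko

# Remove the previous output file if one exists (os.remove raises if it is missing).
if os.path.exists("test.txt"):
    os.remove("test.txt")

ssh = paramiko.SSHClient()
# AutoAddPolicy accepts any unknown host key without verifying it.
ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
ssh.connect("xx.xx.xx.xx", username="user", password="*********", port=22)

# Run one command over an exec channel and read all of its output.
stdin, stdout, stderr = ssh.exec_command('show system disk-space')
output = stdout.readlines()
print(''.join(output))

# Store the same output in a file.
with open('test.txt', 'w') as file:
    file.write(''.join(output))
ssh.close()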
+++++++++++++++++++++++++++++++++++++++++++
Where can I see that the command ran successfully on the firewall? Any log?
Is there any other way to run commands from a remote server (Windows)? Has anyone automated this?
Thanks in advance.
08-09-2019 07:37 AM
It would make much more sense to simply send API calls using powershell/python/bash/whatever you like. This can be done quite easily and there is a ton of documentation out there. Take a look at what is available with
https://yourfirewall/php/rest/browse.php
08-09-2019 07:50 AM
Thanks @hshawn for the quick reply and for providing information.
I am going through the link and understanding the way to automate the task.
Actually our tunnel goes down frequently, so we are planning to bring up the tunnel with automation.
Is it possible to run the below commands with API calls?
#show vpn ipsec-sa tunnel <Tunnel name>
#test vpn ipsec-sa tunnel <Tunnel name>
Thanks in advance.... 🙂
08-09-2019 07:56 AM - edited 08-09-2019 08:10 AM
Yes, you should be able to do that with:
<request><operations><show><vpn><ipsec-sa><tunnel>yourtunnelnamehere</tunnel></ipsec-sa></vpn></show></operations></request>
You can run commands and get output that is needed for the API calls by using "debug cli on" then type your command and note the output. NOTE: This executes your commands so if you want to know what API call to use to reboot the dataplane I would not suggest using this method 🙂
08-09-2019 08:46 AM
Hello @hshawn,
Thanks, I got the output but it seems different.
Actually I am not getting the proper output.
With the command I am getting the below output. With this I can understand Phase 1 and 2 are okay.
Show IKEv1 IKE SA: Total 4 gateways found. 1 ike sa found.
Show IKEv1 phase2 SA: Total 4 gateways found. 1 ike sa found
But with the API call I am not getting this output; I am getting only time, name and algo.
Sorry, reboot is not possible.
How can I fetch this info? Is there any other way to fetch the information?
08-09-2019 08:58 AM - edited 08-09-2019 08:59 AM
Try this:
<show><running><tunnel><flow><all></all></flow></tunnel></running></show>
If the tunnel is down it will show <state>inactive</state>
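The check described in the reply above, as an added example that is not part of the original post or Palo Alto's own code: it reads the per-tunnel `<state>` separately from the API-level `status` attribute, which only reports whether the request itself succeeded. The response layout (`entry` elements with `name` and `state`), the host name and all sample values are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

# Operational command quoted in the reply above.
TUNNEL_FLOW_CMD = ("<show><running><tunnel><flow><all></all>"
                   "</flow></tunnel></running></show>")


class ApiError(Exception):
    """The API request itself failed (says nothing about tunnel state)."""


def op_url(host, cmd_xml):
    # XML API operational request (type=op). The API key is deliberately
    # not placed in the URL here; the caller supplies it separately.
    return f"https://{host}/api/?" + urlencode({"type": "op", "cmd": cmd_xml})


def tunnel_states(response_xml):
    """Map tunnel name -> state from an op-command response."""
    root = ET.fromstring(response_xml)
    # status="success" means the call was accepted, not that tunnels are up.
    if root.get("status") != "success":
        raise ApiError(f"API call failed: status={root.get('status')!r}")
    states = {}
    for entry in root.iter("entry"):
        name, state = entry.findtext("name"), entry.findtext("state")
        if name and state:
            states[name.strip()] = state.strip().lower()
    return states


def tunnels_down(response_xml):
    """Names of tunnels whose state is anything other than 'active'."""
    return sorted(n for n, s in tunnel_states(response_xml).items()
                  if s != "active")


# Constructed sample responses (assumed layout, not captured from a device).
SAMPLE_RESPONSE = (
    '<response status="success"><result><IPSec>'
    "<entry><name>site-a</name><state>active</state></entry>"
    "<entry><name>site-b</name><state>inactive</state></entry>"
    "</IPSec></result></response>"
)
SAMPLE_ERROR = '<response status="error"><msg>constructed error</msg></response>'

if __name__ == "__main__":
    print(op_url("fw.example.test", TUNNEL_FLOW_CMD))
    print("down:", tunnels_down(SAMPLE_RESPONSE))
```
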
08-09-2019 09:41 AM
Thanks @hshawn.
You really saved my time and helped me.
I will test and let you know if I have any questions.
🙂
08-12-2019 02:56 AM
Hi @hshawn ,
I checked it, but the VPN tunnel shows UP.
I will tell you the scenario.
Actually every so often our tunnel goes down, but that is not reflected in the firewall section; it shows UP and green color.
When we run the below command to check the VPN tunnel status, it shows full details:
>show vpn ike-sa gateway <Name>
Show IKEv1 IKE SA: Total 4 gateways found. 1 ike sa found.
There is no IKEv1 phase-2 SA found. ---- The error we get in the logs and from command
Our phase-2 authentication is failing, which is not reflected in the firewall tunnel status section.
So we want to bring it UP using the #test command.
1) How can I fetch full details from the API?
2) I believe the test command will work, but I will have to find out the status before running the test command. Is it possible?
Thanks in advance ...... 🙂
08-13-2019 05:43 AM
Hi @hshawn ,
I can see a "success" reply despite my VPN tunnel status being down.
Could you please let me know an alternate way for the same.
Regards,
Srikant Patil