02-20-2019 03:35 PM
I couldn't determine the correct place to discuss this topic, so please forgive me if I have improperly located it. I need to know if there is a way to import the XML config file into a MS-SQL database. One of the challenges of auditing a firewall is not only to know which rules have been used or not, but also to know what objects within a rule have been used. I developed scripts many years ago to assist me in getting rid of latent or unused rules in the firewall. Finally in version 8.1 they have included that feature.
Now I would like to examine syslog files and based on the imported XML configuration, use each syslog event to tally the used objects within a rule. Many products purportedly can do this, but only if you set up a specific filter and then run that filter on live traffic over a given time period. That would take too long when you have any number of rules. My take is to create a database structure that includes a rule with references to each of the objects defined. By examining the standard syslog one can potentially tally which objects in the rule were used. This is not an exact science unfortunately as objects can shadow one another in a single rule. The idea is to examine an entry in the syslog event from the first object in the rule downwards (assuming this is how the firewall does it as well).
It would certainly be nice if the migration tool or the firewall itself would do this to assist in tightening up rulesets, but without this ability, firewalls are still lacking fundamental abilities to be better protecting of the assets they protect.
Now that I'm off my soap box, can the XML config be imported easily into a SQL database?
02-20-2019 04:41 PM
There is no mechanism to export your config to MS-SQL from a firewall/Panorama. It would need to be something you convert yourself.
That's really more of a question for Microsoft, since XML is not unique to Palo Alto Networks. You're really looking for a generic XML-to-MSSQL program. Some quick googling shows a doc from MySQL (I know, not the same):
Microsoft does have a doc on it, but it's not something I am familiar with in any capacity, so I'm not sure if it will even help:
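The approach described in the question, as an added example that is not code from either poster or from Palo Alto Networks: shred the rule and address objects from an XML config into relational tables, then credit each log event to the first source object in the rule, top down, that contains the source IP. It assumes a constructed, cut-down XML fragment, events already reduced to (rule name, source IP), and SQLite standing in for MS-SQL; the table and function names are hypothetical.

```python
import ipaddress
import sqlite3
import xml.etree.ElementTree as ET
# Constructed sample: a cut-down config fragment, not a real export.
CONFIG_XML = """
<config><vsys><entry name="vsys1">
  <address>
    <entry name="dmz-net"><ip-netmask>10.1.0.0/16</ip-netmask></entry>
    <entry name="web-01"><ip-netmask>10.1.1.10/32</ip-netmask></entry>
    <entry name="lab-net"><ip-netmask>192.168.50.0/24</ip-netmask></entry>
  </address>
  <rulebase><security><rules>
    <entry name="allow-out">
      <source><member>dmz-net</member><member>web-01</member><member>lab-net</member></source>
    </entry>
  </rules></security></rulebase>
</entry></vsys></config>
"""
# Constructed events, already reduced to (rule name, source IP).
EVENTS = [("allow-out", "10.1.1.10"), ("allow-out", "10.1.7.7"), ("allow-out", "172.16.0.5")]

def load_config(xml_text):
    """Shred address objects and rule source members into two tables."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE address(name TEXT PRIMARY KEY, cidr TEXT)")
    db.execute("CREATE TABLE rule_source(rule TEXT, pos INTEGER, object TEXT, hits INTEGER DEFAULT 0)")
    root = ET.fromstring(xml_text)
    for a in root.iterfind(".//address/entry"):
        db.execute("INSERT INTO address VALUES (?, ?)", (a.get("name"), a.findtext("ip-netmask")))
    for r in root.iterfind(".//rulebase/security/rules/entry"):
        for pos, m in enumerate(r.iterfind("source/member")):  # pos keeps the rule's own order
            db.execute("INSERT INTO rule_source(rule, pos, object) VALUES (?, ?, ?)", (r.get("name"), pos, m.text))
    return db

def tally(db, events):
    """Credit each event to the first source object, top down, that contains the IP."""
    unmatched = 0
    for rule, src in events:
        rows = db.execute("SELECT s.object, a.cidr FROM rule_source s JOIN address a "
                          "ON a.name = s.object WHERE s.rule = ? ORDER BY s.pos", (rule,))
        hit = next((o for o, c in rows if ipaddress.ip_address(src) in ipaddress.ip_network(c, strict=False)), None)
        if hit is None:
            unmatched += 1  # no object in the rule explains this event
        else:
            db.execute("UPDATE rule_source SET hits = hits + 1 WHERE rule = ? AND object = ?", (rule, hit))
    report = db.execute("SELECT object, hits FROM rule_source ORDER BY rule, pos").fetchall()
    return report, unmatched

if __name__ == "__main__":
    print(tally(load_config(CONFIG_XML), EVENTS))
```

In this sample `web-01` ends with zero hits even though traffic from 10.1.1.10 was logged, because `dmz-net` sits above it and already covers that address: the shadowing the question warns about.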