Is there any way I can make an "Easy Button" for help desk to enable/disable PBF rules?


L3 Networker

I'd like to create a script or some kind of quick method to disable a PBF rule. We have a dual-ISP setup, and sometimes one ISP will get extremely slow. But it doesn't actually go down, so it doesn't trigger the PBF rule, and we're left with nearly unusable internet.

As the only "firewall guy", they basically have to wait on me to disable a PBF rule. Is there a way to script this?

 


5 replies

Cyber Elite

Hello,

Might be possible via the API. However, getting better ISPs might be worth looking into as well.

 

https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-panorama-api/get-started-with-the-pan-os-xml-api...

 

Regards,


@OtakarKlier wrote:

However, getting better ISPs might be worth looking into as well.

 


How does the saying go... "A general goes to war with the army he has"

@Maxstr,

This is an extremely good use case of the API.

Bonus Points: If you configure a machine so that it can utilize both ISP circuits (through two NICs or VLAN setup) you could actually automate testing the circuits and automatically enable/disable the PBF rule on the firewall once bandwidth is within expected norms. This would take any manual interaction requirements out completely. 


@BPry wrote:

@Maxstr,

This is an extremely good use case of the API.

Bonus Points: If you configure a machine so that it can utilize both ISP circuits (through two NICs or VLAN setup) you could actually automate testing the circuits and automatically enable/disable the PBF rule on the firewall once bandwidth is within expected norms. This would take any manual interaction requirements out completely. 


So I looked over the API documentation, and I do see one for PBF rules. I've never used REST API though, so I guess it's time for a crash course. Any advice on where to start?

@Maxstr,

The firewall includes a fairly decent browser that follows the CLI, so PBF would start at the following API URL

/api/?type=config&action=get&xpath=/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/rulebase/pbf/rules

So you would then set this to disabled by sending the following

/api/?type=config&action=set&xpath=/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/rulebase/pbf/rules/entry[@name='Test-PBF']&element=<disabled>yes</disabled>&key=APIKEY

Just to make it clear, you would want a way to obfuscate your API key so that your help desk doesn't actually get to see what it is; otherwise they would have the same permissions as whatever account the key was generated under. You could then utilize something like RunDeck to actually get them to run a script without opening up the management interface to all of your help desk users.
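Below is an added example of the "Easy Button" script the accepted answer sketches. It is not code from the thread or from Palo Alto Networks; it assumes (none of this is stated on the page) that the job runner (for example RunDeck key storage) hands the API key to the script in the PANOS_API_KEY environment variable, that the firewall's CA certificate path is in PANOS_CA_FILE, that the rule sits in vsys1 exactly as in the xpath above, and that the PAN-OS XML API accepts the same parameters as a POST form body. The host name fw.example.internal and the sample XML responses are constructed for the offline demo; the response shapes follow the documented PAN-OS XML API format. Two things the answer's one-line URL leaves out are included: the set call only touches the candidate configuration, so the script commits afterwards, and the rule name, which will arrive from a ticket or a job parameter, is validated before it is spliced into the xpath.

```python
#!/usr/bin/env python3
"""Disable or re-enable a PAN-OS PBF rule through the XML API.

Added example for this thread, not Palo Alto Networks' or the poster's code.
Assumptions (not from the page): the job runner (e.g. RunDeck key storage)
injects the API key as the PANOS_API_KEY environment variable, the firewall's
CA certificate path is in PANOS_CA_FILE, the rule lives in vsys1 as in the
accepted answer, and the XML API accepts the same parameters as a POST form.
"""
import os
import re
import ssl
import sys
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

# xpath from the accepted answer (single-vsys firewall)
XPATH_PBF_RULES = ("/config/devices/entry[@name='localhost.localdomain']"
                   "/vsys/entry[@name='vsys1']/rulebase/pbf/rules")

# Conservative allowlist for a rule name: the name is spliced into the xpath,
# and in practice it comes from a help-desk ticket or a job parameter.
RULE_NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9 ._-]{0,62}")


def build_set_request(host, rule_name, disabled):
    """Return (url, params) for the set call. The API key is NOT in params."""
    if not RULE_NAME_RE.fullmatch(rule_name):
        raise ValueError(f"refusing rule name {rule_name!r}")
    params = {
        "type": "config",
        "action": "set",
        "xpath": f"{XPATH_PBF_RULES}/entry[@name='{rule_name}']",
        "element": f"<disabled>{'yes' if disabled else 'no'}</disabled>",
    }
    return f"https://{host}/api/", params


def build_commit_request(host):
    """A set only changes the candidate config; a commit makes it live."""
    return f"https://{host}/api/", {"type": "commit", "cmd": "<commit></commit>"}


def parse_response(body):
    """Return (status, message, job_id) from a PAN-OS XML API response."""
    root = ET.fromstring(body)
    msg = root.find(".//msg")
    text = " ".join(t.strip() for t in msg.itertext() if t.strip()) if msg is not None else ""
    return root.get("status", ""), text, root.findtext(".//job")


def send(url, params, api_key, ca_file):
    """Live transport: POST form body, so the key is not in the request line."""
    data = urllib.parse.urlencode({**params, "key": api_key}).encode()
    ctx = ssl.create_default_context(cafile=ca_file)  # do not disable verification
    req = urllib.request.Request(url, data=data, method="POST")
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return resp.read()


def toggle_pbf_rule(host, rule_name, disabled, transport):
    """Set <disabled> on one PBF rule and commit. transport(url, params) -> bytes."""
    url, params = build_set_request(host, rule_name, disabled)
    status, msg, _ = parse_response(transport(url, params))
    if status != "success":
        raise RuntimeError(f"set failed: {msg}")
    url, params = build_commit_request(host)
    status, msg, job = parse_response(transport(url, params))
    if status != "success":
        raise RuntimeError(f"commit failed: {msg}")
    return f"{msg} (job {job})" if job else msg


# Constructed responses in the documented shape, for running this offline.
SAMPLE_SET_OK = b'<response status="success" code="20"><msg>command succeeded</msg></response>'
SAMPLE_COMMIT_OK = (b'<response status="success" code="19"><result>'
                    b'<msg><line>Commit job enqueued with jobid 42</line></msg>'
                    b'<job>42</job></result></response>')
SAMPLE_ERR = b'<response status="error" code="7"><msg>Object doesn\'t exist</msg></response>'


def demo():
    """Offline run against the constructed responses; returns (result, calls made)."""
    calls, canned = [], iter([SAMPLE_SET_OK, SAMPLE_COMMIT_OK])

    def fake_transport(url, params):
        calls.append((url, dict(params)))
        return next(canned)

    result = toggle_pbf_rule("fw.example.internal", "Test-PBF", True, fake_transport)
    return result, calls


if __name__ == "__main__":
    if len(sys.argv) == 4 and sys.argv[3] in ("disable", "enable"):
        key = os.environ.get("PANOS_API_KEY")  # never taken from argv: argv shows in `ps`
        if not key:
            sys.exit("PANOS_API_KEY is not set")
        ca = os.environ.get("PANOS_CA_FILE")
        live = lambda u, p: send(u, p, key, ca)
        print(toggle_pbf_rule(sys.argv[1], sys.argv[2], sys.argv[3] == "disable", live))
    else:
        print(demo())
```

Run as `PANOS_API_KEY=... PANOS_CA_FILE=/path/to/fw-ca.pem python3 pbf_toggle.py fw.example.internal Test-PBF disable` (or `enable`); with no arguments it runs the offline demo. Two caveats a practitioner would want: the key inherits every permission of the admin it was generated for, so generate it for a dedicated admin whose admin role profile limits XML API access to configuration and commit rather than for your own account; and a plain `<commit></commit>` pushes the entire candidate configuration, including any half-finished changes you have sitting there, so if you leave uncommitted work on the box, consider a partial commit scoped to that dedicated admin instead (assumed here, not covered by the thread).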

  • 1 accepted solution
  • 5220 Views
  • 5 replies
  • 0 Likes