List NAT tables with static-ip translations

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

List NAT tables with static-ip translations

L1 Bithead

Hello all!

I'd like to compile a list of all my NAT tables for static-ip entries for all my firewalls, I don't know if there's a better way to do it but I'm trying to do it by running the following command on my firewalls and recording the output:


show running nat-policy | match index\|source\|translate-to


The issue with this one is that it's showing all, I want to show only the ones with static IPs but if I replace translate-to with static-ip, it doesn't exclude the entire block/entry but only the lines containing something other than static-ip which is to be expected, is there a way to filter by config/rule block? I know Cisco has this "| section" filter (Palo only has match and except) and Palo supposedly could use Regex but it appears to be very limited, how can I achieve the output I need by excluding the entire entries that contain dynamic-ip in the translation field? Or if there's an even better way to get this information?

6 REPLIES 6

Cyber Elite
Cyber Elite

Hi @TigeRRR ,

 

You can export your NAT rules from the GUI with the PDF/CSV button on the bottom.  Then you can open in Excel and filter the Translated Packet Source Translation column with "contains 'static'".  You could also Text to Columns the same column to break out the translated source into a separate column.

 

If you have destination NAT, do the same for the Translated Packet Destination Translation column.

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.

@TomYoung Thank you! Yes, I'm aware of this but I wanted to get this for multiple firewalls at once, and preferably have the results emailed to me on regular basis, this report can only be obtained from the GUI and it has to be done manually. Maybe you know of a way I can automate it?

Cyber Elite
Cyber Elite

Hi @TigeRRR ,

 

Very cool.  Even 'show rulebase nat | match "source\|static"' would require some automation to filter.  Since you want to automate the process, the best tool to use is the API.

 

https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-panorama-api

https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-panorama-api/get-started-with-the-pan-os-xml-api...

 

What automation tools do you know/use?

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.

@TomYoung I haven't used API much but doesn't that also involve passing the same CLI commands but is pulled differently using an API key? Is it more advanced that I can use complex Regex and the likes?

Cyber Elite
Cyber Elite

Hi @TigeRRR ,

 

In this case, you want to (1) retrieve the NAT policy from multiple firewalls, (2) filter out the static entries, and (3) build a table of the real and NATed IP addresses.  If you want to automate this process, you will need to program or script something, e.g. Python, Ansible, etc.

 

Regardless of the tool you use, the API interface is much easier to program that the CLI.  In addition, the data is returned in database format (XML or JSON) so that you do not have to screen scrape and tabulate.

 

In response to your questions:

 

  1. You pass XML to the API interface instead of CLI.
  2. You login with an API key instead of username/password.
  3. The API interface does not allow complex RegEx.  That is done with your automation tool.

So, configuring an automation tool and learning the API will have an initial steep learning curve, but once you build that foundation you could perform complex, repetitive tasks with ease.

 

Sorry that I do not have a quick solution.  It sounded like you may already be using an automation tool.

 

Thanks,

 

Tom

 

Help the community: Like helpful comments and mark solutions.

L1 Bithead

@TomYoung I guess this is something worth exploring, I don't have much exposure to it so I hope I'll be able to achieve something from this.
I don't have an automation tool per se, I just use my monitoring platform, it has a service account that logs in using SSH and passes whatever commands I want to the monitored devices, it would have worked very well if Palo's CLI commands weren't so limited.

  • 4202 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!