I'd like to compile a list of all my NAT tables for static-ip entries for all my firewalls. I don't know if there's a better way to do it, but I'm trying to do it by running the following command on my firewalls and recording the output:
show running nat-policy | match index\|source\|translate-to
The issue with this one is that it shows everything. I want to show only the entries with static IPs, but if I replace translate-to with static-ip, it doesn't exclude the entire block/entry, only the lines containing something other than static-ip, which is to be expected. Is there a way to filter by config/rule block? I know Cisco has the "| section" filter (Palo only has match and except), and Palo supposedly can use regex, but it appears to be very limited. How can I get the output I need by excluding the entire entries that contain dynamic-ip in the translation field? Or is there an even better way to get this information?
Hi @TigeRRR ,
You can export your NAT rules from the GUI with the PDF/CSV button on the bottom. Then you can open in Excel and filter the Translated Packet Source Translation column with "contains 'static'". You could also Text to Columns the same column to break out the translated source into a separate column.
If you have destination NAT, do the same for the Translated Packet Destination Translation column.
@TomYoung Thank you! Yes, I'm aware of this, but I wanted to get this for multiple firewalls at once, and preferably have the results emailed to me on a regular basis. This report can only be obtained from the GUI, and it has to be done manually. Maybe you know of a way I can automate it?
Hi @TigeRRR ,
Very cool. Even 'show rulebase nat | match "source\|static"' would require some automation to filter. Since you want to automate the process, the best tool to use is the API.
What automation tools do you know/use?
Hi @TigeRRR ,
In this case, you want to (1) retrieve the NAT policy from multiple firewalls, (2) filter out the static entries, and (3) build a table of the real and NATed IP addresses. If you want to automate this process, you will need to program or script something, e.g. Python, Ansible, etc.
Regardless of the tool you use, the API interface is much easier to program than the CLI. In addition, the data is returned in database format (XML or JSON), so you do not have to screen-scrape and tabulate.
In response to your questions:
So, configuring an automation tool and learning the API will have an initial steep learning curve, but once you build that foundation you could perform complex, repetitive tasks with ease.
Sorry that I do not have a quick solution. It sounded like you may already be using an automation tool.
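An added example of the API-driven approach described above (this is not code from the thread or from Palo Alto Networks): it pulls each firewall's NAT rulebase over the PAN-OS XML API, keeps only rules whose source translation is static-ip (plus destination-NAT rules, which always carry a fixed translated address), drops dynamic-ip and dynamic-ip-and-port rules as whole blocks, and tabulates original-to-translated addresses as CSV. The xpath assumes a single-vsys firewall (vsys1); the environment variable names PANOS_HOSTS and PANOS_API_KEY are hypothetical; the sample response is constructed to show the element layout and is not captured output.

```python
"""Collect static NAT entries from several PAN-OS firewalls via the XML API.

Added example, not code from the thread or from Palo Alto Networks.
Assumptions (hypothetical names): PANOS_HOSTS / PANOS_API_KEY environment
variables, a single-vsys firewall (vsys1), and the response layout below.
"""
import csv
import io
import os
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

# Assumption: NAT rulebase of vsys1 on a standalone firewall. Multi-vsys
# boxes or Panorama-pushed rules need a different xpath.
NAT_XPATH = ("/config/devices/entry[@name='localhost.localdomain']"
             "/vsys/entry[@name='vsys1']/rulebase/nat/rules")

FIELDS = ["firewall", "rule", "direction", "original", "translated", "disabled"]


def fetch_nat_rules_xml(host: str, api_key: str) -> str:
    """Return the NAT rulebase as XML (type=config, action=show).

    The key goes in the X-PAN-KEY header rather than the query string so it
    does not land in proxy or web-server logs. TLS verification stays on;
    install the firewall's CA on the collector instead of disabling it.
    """
    query = urllib.parse.urlencode({"type": "config", "action": "show", "xpath": NAT_XPATH})
    req = urllib.request.Request(f"https://{host}/api/?{query}",
                                 headers={"X-PAN-KEY": api_key})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode("utf-8")


def static_nat_rows(firewall: str, xml_text: str) -> list:
    """Filter the rulebase to static translations and flatten it into rows.

    A rule is kept when its source translation is static-ip, or when it has a
    destination translation. dynamic-ip / dynamic-ip-and-port rules produce no
    row at all, i.e. the whole block is excluded, which `| match` cannot do.
    """
    root = ET.fromstring(xml_text)
    if root.tag == "response" and root.get("status") != "success":
        raise RuntimeError(f"{firewall}: API error: {ET.tostring(root, encoding='unicode')}")
    rows = []
    for rule in root.findall(".//rules/entry") or root.findall("entry"):
        def members(path):  # join <member> children, e.g. multiple source addresses
            return ",".join((m.text or "") for m in rule.findall(path))
        base = {"firewall": firewall, "rule": rule.get("name", ""),
                "disabled": rule.findtext("disabled") or "no"}
        snat = rule.findtext("source-translation/static-ip/translated-address")
        if snat:
            rows.append({**base, "direction": "source",
                         "original": members("source/member"), "translated": snat})
        dnat = rule.findtext("destination-translation/translated-address")
        if dnat:
            rows.append({**base, "direction": "destination",
                         "original": members("destination/member"), "translated": dnat})
    return rows


def rows_to_csv(rows: list) -> str:
    """Render the rows as CSV text, ready to attach to a scheduled e-mail."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


# Constructed sample response (not captured from a device): one static SNAT
# rule, one dynamic-ip-and-port rule that must be dropped, one DNAT rule.
SAMPLE_RESPONSE = """<response status="success"><result><rules>
  <entry name="web-static">
    <source><member>10.1.1.10</member></source>
    <destination><member>any</member></destination>
    <source-translation><static-ip>
      <translated-address>203.0.113.10</translated-address>
      <bi-directional>yes</bi-directional>
    </static-ip></source-translation>
  </entry>
  <entry name="outbound-pat">
    <source><member>10.1.0.0/16</member></source>
    <destination><member>any</member></destination>
    <source-translation><dynamic-ip-and-port>
      <interface-address><interface>ethernet1/1</interface></interface-address>
    </dynamic-ip-and-port></source-translation>
  </entry>
  <entry name="dnat-mail">
    <source><member>any</member></source>
    <destination><member>203.0.113.25</member></destination>
    <destination-translation><translated-address>10.1.1.25</translated-address></destination-translation>
  </entry>
</rules></result></response>"""


if __name__ == "__main__":
    hosts = [h for h in os.environ.get("PANOS_HOSTS", "").split(",") if h]
    key = os.environ.get("PANOS_API_KEY")
    if hosts and key:
        rows = [r for h in hosts for r in static_nat_rows(h, fetch_nat_rules_xml(h, key))]
    else:  # no firewalls configured: run on the constructed sample
        rows = static_nat_rows("fw-lab", SAMPLE_RESPONSE)
    print(rows_to_csv(rows), end="")
```

Run it from cron with PANOS_HOSTS set to a comma-separated list of firewalls and PANOS_API_KEY holding a key for a read-only admin role; pipe the CSV into whatever mails the report. Keep the key out of the command line and out of the monitoring platform's command templates, since it is equivalent to that account's password.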
@TomYoung I guess this is something worth exploring, I don't have much exposure to it so I hope I'll be able to achieve something from this.
I don't have an automation tool per se. I just use my monitoring platform; it has a service account that logs in using SSH and passes whatever commands I want to the monitored devices. It would have worked very well if Palo's CLI commands weren't so limited.