05-05-2018 04:17 PM
Hi,
I am new to Palo Alto. I have a requirement to download the security rules of several firewalls so they can be viewed by audit teams.
I have downloaded the running configuration file of target firewalls I need and I have been able to format the output into a searchable excel file.
However, when I was looking at the security rule output I noticed it was missing security rules that were pushed from Panorama.
How can I get these Panorama rules exported as I did with the local firewall config?
Thanks a mil
05-07-2018 10:32 AM - edited 05-07-2018 11:29 AM
There isn't really a good way of gathering the post-, pre- and running config, as you are truly looking for the mergesp.xml file. The only way that I know of to actually get this is by pulling the tech-support file.
05-07-2018 11:15 AM - edited 05-07-2018 11:19 AM
I once wrote a PowerShell script that downloaded the security policies from a firewall using the API and created a CSV of the ruleset. I do not have it available to me at this time, but it didn't take terribly long to do. PowerShell parses the XML into a collection of collections that makes it "easy" to iterate through the ruleset and pull the properties you are interested in.
A few resources to get you started, if you are interested:
Palo API documentation: https://www.paloaltonetworks.com/documentation/80/pan-os/xml-api
Invoke-RestMethod, to make the API calls and get information from firewall: https://blogs.technet.microsoft.com/heyscriptingguy/2013/10/21/invokerestmethod-for-the-rest-of-us/
ForEach, to loop through items in a collection: https://blogs.technet.microsoft.com/heyscriptingguy/2014/04/28/basics-of-powershell-looping-foreach/
Export-CSV, to create your CSV file once you have the information you want to put in it: https://blogs.technet.microsoft.com/heyscriptingguy/2014/02/04/use-powershell-to-create-csv-file-to-...
Regarding missing rules, when you pull the configuration from Panorama, remember there are pre-rules and post-rules, and they can come from multiple levels before being pushed to the firewall. The easiest way to get the entire ruleset is to obtain the ruleset directly from the firewall. That being said, I believe I have seen the entire pre- or post- ruleset when I obtained the configuration via, with the location listed for each rule.
05-07-2018 12:33 PM
PAN-OS / Panorama 8.1 has an export function:
05-09-2018 10:18 PM
Thanks a mil.
Might be an option, have not tried it. Suppose I pull it, can it be edited easily through an XML editor to be imported into Excel?
The reason I ask is that I can see all the configuration I need in show running policy. It seems there is an option to display this in XML format, not sure it can be exported.
05-09-2018 10:23 PM
These are great recommendations. I will look into them. I must admit I have no skills in programming, but maybe the material you suggested can help me to develop some new basic skills.
Thanks that is great point about Panorama's rule hierarchy. I am just getting to know Panorama.
Much appreciate your input
05-10-2018 04:32 AM
I use PowerShell as an example simply because it is what I know. If you have someone in your organization with other scripting or programming experience, they would likely be able to come up with something to parse XML into a CSV.
If you choose to take this on yourself, it may be easier to obtain the XML another way, then parse it in PowerShell, that will take a level of complexity out of the project.
All of the Microsoft Scripting Guy's blogs are great; he makes the topic understandable and leaves you with enough knowledge to apply the lesson at hand in your own way.
Once you have your XML as a variable (let's say $config), PowerShell represents XML as a collection of collections, so each "branch" in the XML is a property of its parent. So, for instance, $config.vsys.entry[0].ruleset.security.entry[1].name is the name of the second (computers count from 0) security policy in the ruleset of your first vsys (even in a single-vsys firewall the vsys branch exists). $config.vsys.entry[0].ruleset.security.entry[1].action would be its action (allow, deny, etc.). $config.vsys.entry[0].ruleset.security.entry[100].name would be the 101st rule's name, etc.
First, write some "pseudo-code" of what you want to do, the major steps, then you can try to figure out how to do them.
For instance:
for each $rule in $config
{
write $rule.name, $rule.from, $rule.to, $rule.source, $rule.dest, $rule.action to a file (you may have other properties that are valuable to you)
}
You can adjust and fill in those steps as you go, and soon enough you will have a tool you can use again and again.
Learn some basic scripting techniques and you'll be a hero the rest of your career.
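As an added, self-contained illustration of the approach described in the two replies above (it is not the poster's script), the following PowerShell parses a constructed sample of a PAN-OS running config into a CSV, tagging each rule with where it came from so Panorama-pushed rules are not lost. It assumes the standard PAN-OS layout: local rules under devices/.../vsys/entry/rulebase/security/rules, and Panorama-pushed rules under panorama/vsys/entry/pre-rulebase and post-rulebase; the XML sample itself is constructed for the example.

```powershell
# Constructed sample config (not from a real firewall); a real file comes from the
# firewall's XML export or the XML API (type=config&action=show).
[xml]$config = @'
<config>
  <devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
    <rulebase><security><rules>
      <entry name="allow-web"><from><member>trust</member></from><to><member>untrust</member></to>
        <source><member>any</member></source><destination><member>any</member></destination>
        <application><member>web-browsing</member><member>ssl</member></application>
        <action>allow</action></entry>
      <entry name="deny-all"><from><member>any</member></from><to><member>any</member></to>
        <source><member>any</member></source><destination><member>any</member></destination>
        <application><member>any</member></application><action>deny</action><disabled>yes</disabled></entry>
    </rules></security></rulebase>
  </entry></vsys></entry></devices>
  <panorama><vsys><entry name="vsys1">
    <pre-rulebase><security><rules>
      <entry name="block-p2p"><from><member>any</member></from><to><member>any</member></to>
        <source><member>any</member></source><destination><member>any</member></destination>
        <application><member>bittorrent</member></application><action>deny</action></entry>
    </rules></security></pre-rulebase>
  </entry></vsys></panorama>
</config>
'@

# Flatten one rule's member lists into a single CSV row, tagged with its origin.
function ConvertTo-RuleRow($rule, $location) {
    [pscustomobject]@{
        Location    = $location
        Name        = $rule.name
        From        = ($rule.from.member -join ';')
        To          = ($rule.to.member -join ';')
        Source      = ($rule.source.member -join ';')
        Destination = ($rule.destination.member -join ';')
        Application = ($rule.application.member -join ';')
        Action      = $rule.action
        Disabled    = $(if ($rule.disabled -eq 'yes') { 'yes' } else { 'no' })
    }
}

# Walk local rules first, then the Panorama pre- and post-rulebases (assumed layout,
# see lead-in); a missing branch simply yields no rows.
function Get-SecurityRules([xml]$cfg) {
    foreach ($vsys in $cfg.config.devices.entry.vsys.entry) {
        foreach ($r in $vsys.rulebase.security.rules.entry) { ConvertTo-RuleRow $r "local/$($vsys.name)" }
    }
    foreach ($vsys in $cfg.config.panorama.vsys.entry) {
        foreach ($r in $vsys.'pre-rulebase'.security.rules.entry)  { ConvertTo-RuleRow $r "panorama-pre/$($vsys.name)" }
        foreach ($r in $vsys.'post-rulebase'.security.rules.entry) { ConvertTo-RuleRow $r "panorama-post/$($vsys.name)" }
    }
}

Get-SecurityRules $config | Export-Csv -Path .\security-rules.csv -NoTypeInformation
```

Replace the here-string with `[xml](Get-Content .\running-config.xml -Raw)` to run it against an exported file; the Location column is what lets an auditor tell a locally defined rule from one pushed by Panorama.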