Panorama Security Rules Export in Human Readable Format- Excel Sheet

L1 Bithead


Hi,

I am new to Palo Alto. I have a requirement to download security rules of several firewalls so it can be viewed by audit teams.

I have downloaded the running configuration file of target firewalls I need and I have been able to format the output into a searchable excel file.

However, when I was looking at the security rule output I noticed it was missing security rules that were pushed from Panorama.

How can I get these Panorama rules exported as I did with the local firewall config?

Thanks a mil

Cyber Elite

@HosseinMohajer,

There isn't really a good way of gathering the post-, pre- and running-config, as you are truly looking for the mergesp.xml file. The only way that I know of to actually get this is by pulling the tech-support file.

L4 Transporter

I once wrote a PowerShell script that downloaded the security policies from a firewall using the API and created a CSV of the ruleset. I do not have it available to me at this time, but it didn't take terribly long to do. PowerShell parses the XML into a collection of collections that makes it "easy" to iterate through the ruleset and pull the properties you are interested in.

A few resources to get you started, if you are interested:

Palo API documentation: https://www.paloaltonetworks.com/documentation/80/pan-os/xml-api

Invoke-RestMethod, to make the API calls and get information from firewall: https://blogs.technet.microsoft.com/heyscriptingguy/2013/10/21/invokerestmethod-for-the-rest-of-us/

ForEach, to loop through items in a collection: https://blogs.technet.microsoft.com/heyscriptingguy/2014/04/28/basics-of-powershell-looping-foreach/

Export-CSV, to create your CSV file once you have the information you want to put in it: https://blogs.technet.microsoft.com/heyscriptingguy/2014/02/04/use-powershell-to-create-csv-file-to-...

Regarding missing rules, when you pull the configuration from Panorama, remember there are pre-rules and post-rules, and they can come from multiple levels before being pushed to the firewall. The easiest way to get the entire ruleset is to obtain the ruleset directly from the firewall. That being said, I believe I have seen the entire pre- or post- ruleset when I obtained the configuration via, with the location listed for each rule.

L1 Bithead

Thanks a mil.

Might be an option, have not tried it. Suppose I pull it, can it be edited easily through an XML editor to be imported into Excel?

The reason I ask is that I can see all the configuration I need in show running policy. It seems there is an option to display this in XML format, not sure it can be exported.

L1 Bithead

These are great recommendations. I will look into them. I must admit I have no skills in programming, but maybe the material you suggested can help me to develop some new basic skills.

Thanks, that is a great point about Panorama's rule hierarchy. I am just getting to know Panorama.

Much appreciate your input

L4 Transporter

I use PowerShell as an example simply because it is what I know. If you have someone in your organization with other scripting or programming experience, they would likely be able to come up with something to parse XML into a CSV.

If you choose to take this on yourself, it may be easier to obtain the XML another way, then parse it in PowerShell; that will take a level of complexity out of the project.

All of the Microsoft Scripting Guy's blogs are great; he makes the topic understandable and leaves you with enough knowledge to apply the lesson at hand in your own way.

Once you have your XML as a variable (let's say $config), PowerShell represents XML as a collection of collections, so each "branch" in the XML is a property of its parent. So for instance, $config.vsys.entry[0].ruleset.security.entry[1].name is the name of the second (computers count from 0) security policy in the ruleset of your first vsys (even in a single-vsys firewall the vsys branch exists); $config.vsys.entry[0].ruleset.security.entry[1].action would be its action (allow, deny, etc.); $config.vsys.entry[0].ruleset.security.entry[100].name would be the 101st rule's name, etc.

First, write some "pseudo-code" of what you want to do, the major steps, then you can try to figure out how to do them.

For instance:

for each $rule in $config
{
    write $rule.name, $rule.from, $rule.to, $rule.source, $rule.dest, $rule.action to a file (you may have other properties that are valuable to you)
}

You can adjust and fill in those steps as you go, and soon enough you will have a tool you can use again and again.

Learn some basic scripting techniques and you'll be a hero the rest of your career.
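A worked version of the approach sketched in the post above, added here as an example and not the poster's own script: it walks a PowerShell XML object the way the post describes and exports one CSV row per security rule, tagging each row with whether it is a Panorama pre-rule, a local rule or a Panorama post-rule so an auditor can see the full merged ruleset in evaluation order. The XML is a small constructed sample; the placement of the Panorama-pushed rules under pre-rulebase and post-rulebase next to the local rulebase is an assumption about the merged config layout, not taken from the thread.

```powershell
# Added example, not from the thread: parse a constructed PAN-OS-style XML config
# and write one CSV row per security rule, tagged with where the rule came from.
# Placing Panorama-pushed rules under pre-/post-rulebase here is an assumption.
[xml]$config = @"
<config><devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
  <pre-rulebase><security><rules>
    <entry name="pano-block-private"><from><member>any</member></from><to><member>any</member></to>
      <source><member>10.0.0.0/8</member><member>192.168.0.0/16</member></source>
      <destination><member>any</member></destination><action>deny</action></entry>
  </rules></security></pre-rulebase>
  <rulebase><security><rules>
    <entry name="local-web"><from><member>trust</member></from><to><member>untrust</member></to>
      <source><member>any</member></source><destination><member>any</member></destination>
      <action>allow</action></entry>
  </rules></security></rulebase>
  <post-rulebase><security><rules>
    <entry name="pano-default-deny"><from><member>any</member></from><to><member>any</member></to>
      <source><member>any</member></source><destination><member>any</member></destination>
      <action>deny</action></entry>
  </rules></security></post-rulebase>
</entry></vsys></entry></devices></config>
"@

function Get-RuleRows {
    param([xml]$Config)
    $vsys = $Config.config.devices.entry.vsys.entry
    # Firewall evaluation order: Panorama pre-rules, then local rules, then post-rules.
    $locations = [ordered]@{
        'panorama-pre'  = $vsys.'pre-rulebase'
        'local'         = $vsys.rulebase
        'panorama-post' = $vsys.'post-rulebase'
    }
    $order = 0
    foreach ($loc in $locations.Keys) {
        $base = $locations[$loc]
        if ($null -eq $base) { continue }   # nothing pushed at this level
        # @() forces an array even for a single rule; -join flattens one or many <member>s
        foreach ($rule in @($base.security.rules.entry)) {
            $order++
            [pscustomobject]@{
                Order = $order; Location = $loc; Name = $rule.name; Action = $rule.action
                From = (@($rule.from.member) -join ';'); To = (@($rule.to.member) -join ';')
                Source = (@($rule.source.member) -join ';')
                Destination = (@($rule.destination.member) -join ';')
            }
        }
    }
}
Get-RuleRows -Config $config | Export-Csv -Path .\security-rules.csv -NoTypeInformation
```

Replace the here-string with `[xml](Get-Content running-config.xml -Raw)` (or the body of an API response) to run it against a real export; the resulting CSV opens directly in Excel.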
