Python Script For Interface ACL's, feedback

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Python Script For Interface ACL's, feedback

L2 Linker

Wrote script to update interface ACL's in batch. User logs in to multiple firewalls, SSH conenctions saved in background, interface profiles are updated in a customized way per user input per firewall.

 

Here's the Github link to the program:

https://github.com/hfakoor222/Palo_Alto_Scripting

 

There's a 2 minute video on multiple firewalls being updated at once, 10.0.4

 

My question is how useful would a script like this be? I'm not used to panOS devices, so I don't know if the GUI/Panorama has features suc as batch updates.

 

My second question is what other features would you recommend to add: example what issues does a firewall engineer face that could save time being scripted.

 

 

I had some ideas for features which include:

service-policy automation

object-group automation

connectivity test: using Python packets to test connectivity before and after ACL changes (ex: pings and tcp conenctions)

 

What are your thoughts on this? And what are your suggestions to improve on features.

 

Thanks

 

 

PS:

you can also follow/watch the Github link to stay updated with the fetures I'll be adding. I may at some point try to develop this into a full program hosted on an internal web page. 

 

5 REPLIES 5

Cyber Elite
Cyber Elite

Hi @hfakoor2 ,

 

I like it!  It's short and sweet and gets the job done.  The script is mostly Pythonic which means it is easy to follow and self-documenting.  I have 1 minor recommendation:  Consider adding the operational mode command "set cli config-output-format set" so that your configuration mode commands show in the set format instead of JSON.

 

How useful will it be?  That is always hard to answer.  If people like it and find it easy to use, then yes.  However, there are a plethora of automation products out there.  The Live Community has pages dedicated for 3.  Check out the pic below.

 

TomYoung_0-1696466957503.png

 

The Ansible module has an Interface Management Profile playbook.   The PAN-OS Python page has 2 main Pythons tools, both on GitHub, and lots of community input.  There is also a 3rd Python panapi on GitHub.

 

Panorama and the NGFWs also have an API interface.  https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-panorama-api/get-started-with-the-pan-os-xml-api...

 

I don't do much automation now.  I use Panorama to manage multiple NGFWs.  For automation n00bs, I think Ansible would be the easiest to setup and begin making changes.  If I were to write an SDK, I would probably use the REST API because the URLs and actions would be consistent throughout.  This would allow the script to be very modular.  API keys also save time over username/passwords.

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.

Thanks, I'm reading the panos read the docs right now, seems like it has a lot of power. I thinkI'm going to keep pushing with creating a lightweight program,

 

I think the next, and relatively easy and practical script, would be do get all device ACL's and compare it to existing ACL's in a SQL (Swinds) database, and give the user the option to push changes or delete the ACL's. I may add that next and integrate with the code I have.

 

 

Question for anyone:

does the PAN-OS SDK for Python make its API calls  Panorama/ the GUI?

https://pan-os-python.readthedocs.io/en/latest/getting-started.html

 

 

Cyber Elite
Cyber Elite

Hi @hfakoor2 ,

 

I am pretty sure it is based upon pan-python which uses the PAN-OS and Panorama XML API.  See the API Browser URL I posted above.

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.

@TomYoung what is PAN-OS,  a centralized GUI?

 

Also would I be able to practice these API calls in a lab environment? I'm not sure if the GUI would have some sort of subscription feature?


Thanks for the reply.

Cyber Elite
Cyber Elite

Hi @hfakoor2 ,

 

PAN-OS is the Palo Alto Networks - Operating System for their NGFWs.

 

Yes, you can practice the API calls in a lab.  The API does not require a license.

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.
  • 1631 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!