- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
Enhanced Security Measures in Place: To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.
02-26-2018 01:36 PM
Hi @jdprovine
We do this in our Changemanagement. Every Rule (Name,srczone,srcaddress,srcuser,dstzone,dstaddress,ports,apps,URL category,Log forwarding, security profiles) and specially every rulechange is documented there and depending on the actual Firewall the change also needs so be approved by different Security officers.
Regards,
Remo
02-26-2018 02:16 PM
Hello,
What we did was go through the entire firewall settings and approved the base. Then any firewall change requires approved chagne management. At the end of each month I have to review the changes with our security officer and justify them. This is how we get around certification and changes that are forced onto us by the customers.
For security reasons we do not keep like an excel spreadsheet of all the rules. That said, you can export the rules into a CSV.
https://indeni.com/how-to-export-palo-alto-networks-firewalls/
Just a thought.
02-27-2018 06:04 AM
I actually exported the configuration change logs to a csv and we backup the running config dail
02-27-2018 06:22 AM
So what I would recommend doing is having a bash or PowerShell script that pulls the running-config.xml from the firewall on a nightly basis, and saves it to a backed-up location. In this instance you would have a backup of your entire configuration and if need be, you can easily get replacement equipment up and running quickly.
If need be I can share an example PowerShell script.
02-27-2018 06:28 AM
I would a appreciate you sharing some script
02-27-2018 07:18 AM
$netAssembly = [Reflection.Assembly]::GetAssembly([System.Net.Configuration.SettingsSection]) if($netAssembly) { $bindingFlags = [Reflection.BindingFlags] "Static,GetProperty,NonPublic" $settingsType = $netAssembly.GetType("System.Net.Configuration.SettingsSectionInternal") $instance = $settingsType.InvokeMember("Section", $bindingFlags, $null, $null, @()) if($instance) { $bindingFlags = "NonPublic","Instance" $useUnsafeHeaderParsingField = $settingsType.GetField("useUnsafeHeaderParsing", $bindingFlags) if($useUnsafeHeaderParsingField) { $useUnsafeHeaderParsingField.SetValue($instance, $true) } } } [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12 $ConfigTime = Get-Date -Format "MM-dd-yyyy" # Config File Logation $ConfigFile = '\\fs1\Enterprise\Documentation\Network\Palo Alto\PA-3020 Backups\'+"running-config-"+$ConfigTime+".xml" $wc = New-Object System.Net.WebClient # Takes the running-config and saves it to the S drive. $src=$wc.DownloadString("https://10.191.136.7/api/?type=export&category=configuration&key=*key*") | Out-File $ConfigFile # Attempts to remove the commit lock if one is held by bpry. $src=$wc.DownloadString("https://10.191.136.7/api/?type=op&cmd=<request><commit-lock><remove><admin>bpry</admin></remove></commit-lock></request>&key=*key*") # Commits the current canidate-config. $src=$wc.DownloadString("https://10.191.136.7/api/?type=commit&cmd=<commit></commit>&key=*key*")
Obviously you would replace 10.191.136.7 with whatever IP your firewall is on, and replace the destination of $ConfigFile with whatever location you are going to save to. The *key* is going to simply be your API key which you'll need to generate if you haven't done so already.
What this script will do is take a backup of the running-config with the first API call; then it removed a commit lock that I would potentially have in place (I have three lines for removing possible commit locks) and then it simply commits the current canidate-config.
You can simply issue the first line if you simply want a backup to be taken; however I use the entire script as a sort of 'scheduled commit' so that all of the changes that I've made throughout the day simply take effect at 10pm; you simply need to ensure that your team knows about this so that they don't leave something half-finished. If the config isn't valid obviously this will fail automatically during the commit process, but I wouldn't chance that.
02-27-2018 02:41 PM
What is the goal now? Documentation or backup 😛
02-28-2018 05:30 AM
For me it is to keep track of who made changes to the firewall and when. We have a user or two who do not communicate when they make changes and why they are doing it. We also do not have a change management process,not good. So I guess I am doing a little of both backing them up so I can review what has been done. Sometimes the logs roll over and I loose the history.
02-28-2018 07:04 AM
Hello,
I can see how that can be a real pain. For the time being, unless you have a lot of changes, you can refer to the Configuration logs?
Monitor tab -> Logs-> Configuration
That should let you know who made what changes. However a good change management policy should help out as well, expecially since there are many admins working in the systems.
You can setup alerts to email you when changes are made.
Device tab -> Log Settings -> Configuration area.
Cheers!
02-28-2018 07:18 AM
Yep I have started to export the config logs from monitor/configuration to maintain history. Though i also check those logs daily.
02-28-2018 02:08 PM
This is bad when there is a security admin (you) needed to controll other admins. Do they know what what they have to do or is there maybe a conversation with the supervisor needed?
As mentionned by @OtakarKlier you can configure alert emails when someone changes the configuration or limit these alert emails to the commit-log-events. This way you know at least when someone changed something. And as you then directly have the timestamp you can probably check the config logs more easily and find out what they changed.
You may be also want to try a script that automatically pulls the config logs hourly/daily so this saves your time with the manual config-log-export-task.
03-01-2018 05:12 AM
Well we have not change management in place so you can't hold people accountable for what you do not have rules concerning. I have heard for that last year that they want to put change management in place, I do think that would help
03-03-2018 12:30 AM
Hi @jdprovine
Ok, thats true. But you could also have some teaminternal guidelines that make it easier for all when they know what's been done and noone needs to waist time searching for a change which may resultet in something not working anymore.
@kiwi probably also read this topic 😉 ... and if not it's luck that he posted a blog post exactly about this config log topic and the basics on how to automate this here: https://live.paloaltonetworks.com/t5/Community-Blog/The-Power-of-XML-API/ba-p/202789
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!