Script to automate the baseline configuration after initial palo alto deployment

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Script to automate the baseline configuration after initial palo alto deployment

L0 Member

Hello Guys,

 

I have prepared the "SET" commands which configure the baseline settings. I can able to run the full set command from CLI. I would like to know any options where I can run these command from a Linux machine where the system take the commands from the local script and loginto the palo alto and execute the commands.

 

Also need to print the output of each set of command like " executed password policy successfully" or Failed to executed password policy with the output comments"

 

No knowledge in python or any scripting language so need to make it simple and  would like to know this process is possible ?

 

eg: Commands

set mgt-config password-complexity enabled yes
set mgt-config password-complexity minimum-length 12
set mgt-config password-complexity minimum-uppercase-letters 1
set mgt-config password-complexity minimum-lowercase-letters 1

set deviceconfig setting management idle-timeout 10
set deviceconfig setting management admin-lockout failed-attempts 5
set deviceconfig setting management admin-lockout lockout-time 5
set deviceconfig system snmp-setting access-setting version v3

5 REPLIES 5

Cyber Elite
Cyber Elite

Hello,

I'm not the best scripting guy, however have you heard of Palo Alto's Zero Touch Provisioning?

https://docs.paloaltonetworks.com/panorama/10-1/panorama-admin/manage-firewalls/set-up-zero-touch-pr...

Regards,

L5 Sessionator

I'll do you one better. Pull our docker container to run IronSkillet (get it, hardened PANs?)

 

You are able to directly edit the config, add variables, among many other things (including generating set commands from a current config). 

Help the community! Add tags & mark solutions please.

Cyber Elite
Cyber Elite

Hello,

Here is a zero day config to base things off of ;)...

https://live.paloaltonetworks.com/t5/general-articles/secure-day-one-configuration-not-for-the-faint...

Regards,

Cyber Elite
Cyber Elite

@SPG,

IronSkillet and zero day configurations are all a great option. I would personally really recommend that you look into learning some sort of scripting language for use in situations like this. Whether you choose to utilize Python, PowerShell, simple Bash scripts, or anything of the sort is up to you, but it's an invaluable tool to have in your toolbox. 

What you're looking to do is pretty simple from a scripting aspect and easily done. It would actually be a great starter script to assist you in learning how to make basic scripts. While I'm personally impartial to Python and think that's a better scripting language to focus on from a network/security aspect, any scripting language can handle what you're looking to do. 

Hello @BPry ,

 

Thanks for the advice and agree on learning some scripting language . Let me try the IronSkillet

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!