10-18-2023 03:56 AM
I wrote a Python script that returns the differences in policies across firwealls. here's the github description:
Firewall policies contain object groups, hundreds of ip addresses and ACL's, services, address objects etc. This script compares a set of firewall policies with the same name, across many firewalls, and return differences in services, source/destination, address objects, ACL's etc, to a Python dictionary. We use a XML path api call to obtain the configuration files, so no need for token authentication. The script also returns object groups that exist in one firewall and not the other. So if your firewalls have similar named policies with dozens of rules, this script can save time in validating the policies by hand.
There's video of the code running against 10.0.4 vm_eval editions.
https://github.com/hfakoor222/Palo_Alto_Scripting/tree/master
the code is under folder compare_Object_ACL's
Please let me know what you think, and where I can improve on.
Also like or follow my github page for more scripts 🙂
Thanks!
10-18-2023 05:11 AM
Hi @hfakoor2 ,
Well done! You are now using the XML API! That is a very nice script!
If someone were going to use your script in production, then I would store the username and password (or API keys) in local environment variables and not the script. That is not required, but definitely a best practice especially if they use Git or another development platform where the code is shared. Your scripts have the default usernames and passwords. So, no sensitive information is exposed in your example.
Thanks,
Tom
10-18-2023 05:13 AM
Also, don't forget to follow my github to support me and stay updated on scripts ^_^
please let me know where I can imporve on the current program. Currently it just returns differences for services/address/groups/ip addresses per similar named policies. I was thinking of maybe modifying it to have the user specify policy names as well,
Open to ideas
10-19-2023 04:42 AM
Oh hey, I just saw this,
Thanks mucj I appreciate it!
I liked the XML API, it seems to bypass token requirements, even though it's a bit ugly. I can also use the same API link for different firewalls(I think the restapi could've used the same link as well with regards to Python, but I can't really remember)
10-19-2023 06:00 AM
Hi @hfakoor2 ,
That is good feedback! I have played a little with both. The nicest thing is that in your script you can easily feed the results into ElementTree without having to screen scrape and format the data.
Yes, the URL will be the same across all NGFWs. One thing I do not like about both the XML and REST is that the URL is different for different options. I would like the exact same URL and pass different options through the HTTP body. That makes for a more scalable script.
Thanks,
Tom
10-19-2023 06:10 AM
Yep, which is why I was playing with the restapi: I saw some other scripts that modified the restapi output in depth, however getting it off the ground seemed a pain, especially with the token auth.
Thanks for the feedback.
If you have any ideas of other good scripts, i wouldn't mind trying to write them to add to my resumé, seeing as I'm trying to move towards a job shift.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
