on 03-22-2021 10:08 AM - edited on 05-03-2021 02:19 PM by abarone
This quickplay solution includes a set of scripts and skillets to quickly query the NGFW to determine inbound open policy ports/applications, domain categories, and URL categories.
Below is a quick summary of each of the scripts.
Playing this solution requires:
Documentation: https://github.com/PaloAltoNetworks/panos-query-scripts/blob/main/README.md
GitHub Location: https://github.com/PaloAltoNetworks/panos-query-scripts.git
GitHub Branches: main
Product Versions Supported:
The quickplay scripts and skillets use the NGFW API to gain insights about inbound policy configuration and cloud service category mappings.
PAN-OS lets you use CLI commands and the web UI to query the cloud service layer, with the NGFW acting as a proxy, for the category mappings of URLs and DNS domains. The CLI commands include:
test dns-proxy dns-signature fqdn {domain-to-test}
test url {url-to-test}
The quickplay solution runs these commands through the API against a list of domains or URLs to determine their categories, then outputs the results to the screen and to a CSV file for additional data analysis.
Provides a quick configuration analysis using the API to find security policies with a destination of 'any' and a user-input zone. The output shows the security policy name and its associated services/ports and applications.
This gives quick insight into the NGFW attack surface where traffic is allowed from high-risk zones such as the internet.
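The policy check described above can be sketched offline against an exported rulebase. This is an added example, not code from the panos-query-scripts repository; the sample rules, the `tcp-22` service name, the function names, and the choices to treat the input zone as the source zone and to skip disabled or non-allow rules are all assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the PAN-OS security rulebase XML layout (not a real config).
SAMPLE_RULEBASE = """<rules>
<entry name="inbound-web"><from><member>untrust</member></from>
  <destination><member>any</member></destination>
  <application><member>web-browsing</member><member>ssl</member></application>
  <service><member>application-default</member></service><action>allow</action></entry>
<entry name="inbound-mail"><from><member>untrust</member></from>
  <destination><member>mail-server</member></destination>
  <application><member>smtp</member></application>
  <service><member>application-default</member></service><action>allow</action></entry>
<entry name="any-zone-ssh"><from><member>any</member></from>
  <destination><member>any</member></destination>
  <application><member>ssh</member></application>
  <service><member>tcp-22</member></service><action>allow</action></entry>
<entry name="deny-rest"><from><member>untrust</member></from>
  <destination><member>any</member></destination><action>deny</action>
  <application><member>any</member></application><service><member>any</member></service></entry>
<entry name="old-rdp"><from><member>untrust</member></from>
  <destination><member>any</member></destination>
  <application><member>ms-rdp</member></application>
  <service><member>any</member></service><action>allow</action><disabled>yes</disabled></entry>
</rules>"""

def members(entry, tag):
    """Return the <member> values under one rule field, e.g. 'from' or 'service'."""
    return [m.text.strip() for m in entry.findall(f"{tag}/member") if m.text]

def open_inbound_rules(rulebase_xml, zone):
    """List enabled allow rules reachable from `zone` whose destination is 'any'."""
    findings = []
    for entry in ET.fromstring(rulebase_xml).findall("entry"):
        # Assumption: only enabled 'allow' rules count as exposed attack surface.
        enabled = entry.findtext("disabled", "no").strip() != "yes"
        if not enabled or entry.findtext("action", "").strip() != "allow":
            continue
        # Assumption: the input zone is the source zone; 'any' also covers it.
        if not {zone, "any"} & set(members(entry, "from")):
            continue
        if "any" not in members(entry, "destination"):
            continue
        findings.append((entry.get("name"), members(entry, "service"),
                         members(entry, "application")))
    return findings

if __name__ == "__main__":
    for name, services, apps in open_inbound_rules(SAMPLE_RULEBASE, "untrust"):
        print(f"{name}: services={services} applications={apps}")
```

Rules whose source zone is `any` are reported for every input zone, since they admit traffic from the high-risk zone as well.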