This is a question about how a firewall, FW, keeps IP to UID associations current/up-to-date in an environment where such associations might be changing every few seconds.

A FW associates a UID with an internal IP address, e.g. 10.10.10.10, which has no UID associated with it. Let's say that I log on as ipj1965 from 10.10.10.10. The first time a FW sees traffic from 10.10.10.10 it will ask itself "Do I know who's at 10.10.10.10?" If not, it will ask its associated UID servers. They do know the answer, as they're constantly interrogating the Windows AD Server Logs, and will tell the FW. If my UID logs off, and nobody else is given 10.10.10.10, no problem.

If I 'move' to a new IP address, e.g. 10.10.10.11, that was previously not associated with a UID, the FW will associate ipj1965 with that new IP, again, by asking its UID servers. I think that this is in addition to my prior IP, 10.10.10.10. I also assume that this prior association times out after a period set somewhere in the firewall's configuration.

What happens when somebody else, e.g. joeblogs, is given IP 10.10.10.10? Unless the association between 10.10.10.10 and ipj1965 has timed out, joeblogs will now be permitted through any policies in which ipj1965 is a named user.

When, and how, do the FWs confirm their IP address to UID associations? The UID servers will know almost immediately that joeblogs is now associated with 10.10.10.10. Do the UID servers send a message to the FWs telling them to drop the IP/UID association whenever they learn that a UID has logged off, or changed IP? Do the UID servers keep track of which UIDs the FWs have asked them about and inform them of any changes? If it all depends on timeouts, what happens with IPs that are only associated with a UID for a short time before quickly being associated with another UID (even though it's only a single UID at any one time)?
I'd also like to know where this timeout is set, if that is the way the FWs keep their IP/UID associations current. Thanks for any and all help, Ian
Solved by:

    # host, user and password are set earlier in the script, as in the question
    from pandevice import firewall  # the Firewall class lives in the firewall module

    my_fw = firewall.Firewall(host, user, password)
    command2 = "show clock"  # any operational CLI command
    response = my_fw.op(command2, xml=True)  # xml=True returns the raw XML reply
    print(response)

The response is a page of XML, so needs to be interpreted, but I do get the answers I want 🙂
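Interpreting that XML is the next step, and it ties back to the IP/UID timeout question above: the same pandevice `op()` call can pull the firewall's current IP-to-user table. The parser below is an added example, not code from the thread or from pandevice; the sample reply is constructed, and the element names (ip, user, type, idle_timeout, max_timeout) are an assumption to check against what your own firewall returns.

```python
import xml.etree.ElementTree as ET

# Constructed sample of what my_fw.op("show user ip-user-mapping all", xml=True)
# is assumed to return. Element names are an assumption: compare with real output.
SAMPLE_XML = """<response status="success"><result>
<entry><ip>10.10.10.10</ip><vsys>vsys1</vsys><type>AD</type><user>ipj1965</user>
<idle_timeout>2700</idle_timeout><max_timeout>2700</max_timeout></entry>
<entry><ip>10.10.10.11</ip><vsys>vsys1</vsys><type>AD</type><user>ipj1965</user>
<idle_timeout>300</idle_timeout><max_timeout>2700</max_timeout></entry>
<entry><ip>10.10.10.12</ip><vsys>vsys1</vsys><type>AD</type><user>joeblogs</user>
<idle_timeout>1200</idle_timeout><max_timeout>2700</max_timeout></entry>
</result></response>"""


def _to_int(value):
    return int(value) if value not in (None, "") else None


def parse_ip_user_mapping(xml_text):
    """Return a list of {ip, user, type, idle_timeout, max_timeout} dicts.

    A non-success status raises instead of returning [] so that an API error
    is never mistaken for 'no users are mapped'.
    """
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        raise ValueError("firewall returned status %r" % root.get("status"))
    mappings = []
    for entry in root.iter("entry"):
        mappings.append({
            "ip": entry.findtext("ip"),
            "user": entry.findtext("user"),
            "type": entry.findtext("type"),
            # seconds left before the mapping expires; None if the field is absent
            "idle_timeout": _to_int(entry.findtext("idle_timeout")),
            "max_timeout": _to_int(entry.findtext("max_timeout")),
        })
    return mappings


def ips_for_user(mappings, user):
    """Every IP the firewall still maps to one user, e.g. both 10.10.10.10 and
    10.10.10.11 while the older mapping has not timed out."""
    return sorted(m["ip"] for m in mappings if m["user"] == user)


def fetch_ip_user_mapping(host, user, password):
    """Live variant: pull the table from a firewall with pandevice and parse it."""
    from pandevice import firewall  # imported here so parsing works offline
    fw = firewall.Firewall(host, user, password)
    return parse_ip_user_mapping(fw.op("show user ip-user-mapping all", xml=True))
```

Running `ips_for_user(parse_ip_user_mapping(SAMPLE_XML), "ipj1965")` on the constructed sample returns both addresses, which is exactly the double mapping the question asks about.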
I have a very simple python script that uses ssh=paramiko.SSHClient(), ssh.connect(host, 22, user, password), stdin, stdout, stderr=ssh.exec_command(command), and for line in stdout.read().splitlines(): print(line).

When I set host, user, password and command, e.g. "show ip int brief", to connect to a Cisco router, everything works fine and the script prints out the results that I expect. However, when I set them to connect to a PAN firewall, e.g. command="show clock", my script connects to the FW, which I confirm by looking in the FW's system log, but all I get returned is the 'Number of failed attempts since last successful login: 0' message? Any ideas - I'm sure I'm just missing something basic. Do I need to import any of the PAN packages or can I just run simple CLI commands using paramiko?

PS: I sleep for 20 seconds after connecting before running the ssh.exec_command()

Thanks, Ian