brianaddicks / poweralto Goto Github PK

I was surprised that there is no way to disable or enable security policy rule using a cmdlet.

Can this be implemented?

Code Solutions to Problem

PaTag.Class.ps1
########################## # GetColorName [string] GetColorName([string]$Color, [string]$ReturnedType) { $Mapping = @{} $Mapping.color1 = 'Red' $Mapping.color2 = 'Green' $Mapping.color3 = 'Blue' $Mapping.color4 = 'Yellow' $Mapping.color5 = 'Copper' $Mapping.color6 = 'Orange' $Mapping.color7 = 'Purple' $Mapping.color8 = 'Gray' $Mapping.color9 = 'Light Green' $Mapping.color10 = 'Cyan' $Mapping.color11 = 'Light Gray' $Mapping.color12 = 'Blue Gray' $Mapping.color13 = 'Lime' $Mapping.color14 = 'Black' $Mapping.color15 = 'Gold' $Mapping.color16 = 'Brown' $Mapping.color17 = 'Olive' $Mapping.color18 = '' $Mapping.color19 = 'Maroon' $Mapping.color20 = 'Red-Orange' $Mapping.color21 = 'Yellow-Orange' $Mapping.color22 = 'Forest Green' $Mapping.color23 = 'Turquoise Blue' $Mapping.color24 = 'Azure Blue' $Mapping.color25 = 'Cerulean Blue' $Mapping.color26 = 'Midnight Blue' $Mapping.color27 = 'Medium Blue' $Mapping.color28 = 'Cobalt Blue' $Mapping.color29 = 'Violet Blue' $Mapping.color30 = 'Blue Violet' $Mapping.color31 = 'Medium Violet' $Mapping.color32 = 'Medium Rose' $Mapping.color33 = 'Lavender' $Mapping.color34 = 'Orchid' $Mapping.color35 = 'Thistle' $Mapping.color36 = 'Peach' $Mapping.color37 = 'Salmon' $Mapping.color38 = 'Magenta' $Mapping.color39 = 'Red Violet' $Mapping.color40 = 'Mahogany' $Mapping.color41 = 'Burnt Sienna' $Mapping.color42 = 'Chestnut'

Set-PaTag.ps1
[Parameter(Mandatory = $False, Position = 1)] [ValidateSet('Red', 'Green', 'Blue', 'Yellow', 'Copper', 'Orange', 'Purple', 'Gray', 'Light Green', 'Cyan', 'Light Gray', 'Blue Gray', 'Lime', 'Black', 'Gold', 'Brown', 'Olive', 'Maroon', 'Red-Orange', 'Yellow-Orange', 'Forest Green', 'Turquoise Blue', 'Azure Blue', 'Cerulean Blue', 'Midnight Blue', 'Medium Blue', 'Cobalt Blue', 'Violet Blue', 'Blue Violet', 'Medium Violet', 'Medium Rose', 'Lavender', 'Orchid', 'Thistle', 'Peach', 'Salmon', 'Magenta', 'Red Violet', 'Mahogany', 'Burnt Sienna', 'Chestnut')] [string]$Color,

Currently I have more than 200 security rules in Palo alto, but this cmdlet gets only first 151

Hi!

The README.md file says full docs are at https://poweralto.com/ but the site seems to be down?

The domain seems to not exist:

C:\Users\___>nslookup poweralto.com 8.8.8.8
Server:  dns.google
Address:  8.8.8.8

*** dns.google can't find poweralto.com: Non-existent domain

C:\Users\___>nslookup www.poweralto.com 8.8.8.8
Server:  dns.google
Address:  8.8.8.8

*** dns.google can't find www.poweralto.com: Non-existent domain

C:\Users\___>

Is there somewhere else we can we find the full docs?

When connecting to FW , and after submitting my credential I got the following error:

Exception calling "DownloadString" with "1" argument(s): "The underlying connection was closed: An unexpected error occ
urred on a send."
At C:\Windows\system32\WindowsPowerShell\v1.0\Modules\poweralto\poweralto-master\poweralto.psm1:273 char:50

•     $ApiKey = ([xml]$WebClient.DownloadString <<<< ("https://$Address/api/?type=keygen&user=$user&password=$($cre
  

d.getnetworkcredential().password)"))
+ CategoryInfo : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : DotNetMethodException

Thanks!

The super slow PA-2050s can actually timeout the webclient calls. usually you can just rerun the command and it'll work. Need to put in some kind of handling for this.

Hi there,
I've managed to connect to my PA firewall:

> Get-PaDevice -DeviceAddress 52.215.XXX.XXX -Credential $cred -SkipCertificateCheck

Port                  : 443
Protocol              : https
TargetVsys            : shared
Name                  : AWS-FW-DEV-DMZ-EUW1-01
...

However when I call Get-PaHaSetup I get:

Invoke-WebRequest: C:\Users\peter.mcevoy\OneDrive - ding\Documents\PowerShell\Modules\PowerAlto\4.0.64\Classes\Main\PaloAltoDevice.Class.ps1:230
Line |
 230 |              $rawResult = Invoke-WebRequest @QueryParams
     |                           ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | A connection attempt failed because the connected party did not properly respond after a period of
     | time, or established connection failed because connected host has failed to respond.

Am I doing something wrong in the way I use the module?

Sincrerely
Pete

While, the PaConnectionArray can contain multiple connections, and most cmdlets will handle an array as the connection, there's still needs to be some more handling.

Need to work on it in an environment with multiple connected PAs

it seems not possible to rename an address object, am i correct?

New-PaAddress and Set-PaAddress is possible.

However the Set does not overwrite the existing one, but created a new one.

I am possibly missing how it would work?

I'm trying to get Object groups, but got an error. First I used Get-PaDevice and connection was established, but when I run
Get-PaAddressGroup, I get an error about connection. Is there something wrong or am I using it incorrectly?

Invoke-WebRequest: C:\xxxxxx\PaloAltoDevice.Class.ps1:193:26
Line |
193 | $rawResult = Invoke-WebRequest @queryParams
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.

Hi there,

So I've managed to test a few cmdlets without issue, but this doesn't appear to set anything on the firewall:
PS C:\Users\alexander.woolsey> New-PaNatPolicy -Name "TestNATPol" -SourceZone trust -DestinationZone untrust -SourceTra
nslationType dynamic-ip-and-port -SourceTranslatedAddress ethernet1/3

Name : TestNATPol2
Description :
NatType : ipv4
Tags :
Disabled : False
SourceZone : {trust}
DestinationZone : untrust
DestinationInterface : any
Service : any
SourceAddress : {any}
DestinationAddress : {any}
SourceTranslationType : dynamic-ip-and-port
SourceTranslatedAddress : ethernet1/3
BiDirectional : False
TranslatedDestinationAddress :
TranslatedDestinationPort : 0

I've tried a few different iterations, mainly -SourceTranslatedAddress as an IP or interface - the firewall responds as if all is ok, but the rule doesn't appear.

Write-Progress requires a -status on posh 2.0. Need to add a default value to watch-pajob.

The following error is generated when importing poweralto:

import-module -Global ipv4math
import-module : The specified module 'ipv4math' was not loaded because no valid module file was found in any module
directory.
At line:1 char:1

• import-module -Global ipv4math

• - CategoryInfo          : ResourceUnavailable: (ipv4math:String) [Import-Module], FileNotFoundException
  - FullyQualifiedErrorId : Modules_ModuleNotFound,Microsoft.PowerShell.Commands.ImportModuleCommand
  

Is the ipv4math module a third party module that is a requirement?

Trying to add IPv6 addresses with Set-PaAddress fails with the following error:

Set-PaAddress -Name "ipv6-test" -Type "ip-netmask" -Value "2001:db8:123:1::/64"
IpNetmask must be a valid CIDR range or Ip Address. Ex: 10.0.0.0/16'
At C:\Program Files\WindowsPowerShell\Modules\PowerAlto\4.0.46\Classes\Helpers\HelperRegex.Class.ps1:12 char:13
+ Throw $errorMessage
+ ~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OperationStopped: (IpNetmask must ...Ex: 10.0.0.0/16:String) [], RuntimeException
+ FullyQualifiedErrorId : IpNetmask must be a valid CIDR range or Ip Address. Ex: 10.0.0.0/16

need to add vsys support

I'm looking to pull the list of current GlobalProtect users from a PA using this module, and I can connect to the PA okay using Get-PaDevice so I know the creds are good. When I try to show the current GP users, I get an Illegal parameter [request] error. I may be using the command wrong but there weren't any examples provided. Is there a clarification on the intent of the Invoke-PaApiOperation cmdlet? Happy to retract the issue if I'm using the module wrong...

PS C:\Users\test> Invoke-PaApiOperation -Cmd ""

Invoke-WebRequest: C:\Users\test\Documents\PowerShell\Modules\PowerAlto\4.0.46\Classes\Main\PaloAltoDevice.Class.ps1:163:26
Line |
163 | $rawResult = Invoke-WebRequest @queryParams
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| Illegal parameter [request]