
palo_alto_firewall_analyzer's Introduction

Palo Alto Firewall Analyzer


Python3 scripts for reviewing and fixing Palo Alto Firewall configurations

This repository contains the script pan_analyzer, which can detect and fix Palo Alto Networks firewall configuration issues, as well as several other helper scripts.

The validators are designed to have as few false positives as possible. If there is a false positive, please report an issue!

pan_analyzer Quickstart

  1. Install the package with pip install pan_analyzer
  2. Run all validators on an XML configuration file downloaded with Panorama -> Setup -> Operations -> "Export Panorama configuration version": pan_analyzer --xml 12345.xml

Using pan_analyzer

The first time you launch pan_analyzer, it will create a PAN_CONFIG.cfg file in "~\.pan_policy_analyzer\" and instruct you to edit it. The second time you launch the analyzer, it will detect that "API_KEY.txt" is not present, prompt you for credentials, and save the retrieved API key to "API_KEY.txt".

  • Run all validators on all device groups: pan_analyzer

  • Run a single validator on all device groups: pan_analyzer --validator UnusedServices

  • Run a single validator on a single device group: pan_analyzer --device-group my_device_group --validator UnusedServices

  • Run all validators on an XML configuration file downloaded with "Export Panorama configuration version": pan_analyzer --xml 12345.xml

  • Run all validators on an XML configuration file downloaded with "Export Panorama configuration version" and choose the output format (supported formats are text and json): pan_analyzer --xml 12345.xml --output text or pan_analyzer --xml 12345.xml --output json

If you're not sure where to start, I recommend downloading an XML file from: Panorama -> Setup -> Operations -> Export Panorama configuration version and running: pan_analyzer.py --xml 12345.xml

Common Workflows

There are a few common workflows to clean the firewall configuration:

Consolidate Service Objects

Consolidate Service objects so there is only one object for each Service:

  • Delete unused Service objects: python pan_analyzer --fixer DeleteUnusedServices
  • Check if any Service objects have misleading names: python pan_analyzer --validator MisleadingServices
  • Consolidate service objects in use: python pan_analyzer --fixer ConsolidateServices
  • Delete the now-unused Service objects: python pan_analyzer --fixer DeleteUnusedServices
  • Define a convention in the config file, then rename to fit the naming convention: python pan_analyzer --fixer RenameUnconventionallyNamedServices

Consolidate Address Objects

Consolidate Address objects so there is only one object for each target:

  • Delete unused Address objects: python pan_analyzer --fixer DeleteUnusedAddresses
  • Delete Address objects with FQDNs that don't resolve: python pan_analyzer --validator BadHostname
  • Check if any Address objects have IPs in FQDNs: python pan_analyzer --validator FQDNContainsIP
  • Check if any Address objects have misleading names: python pan_analyzer --validator MisleadingAddresses
  • Replace Address objects using IPs with FQDNs: python pan_analyzer --fixer FixIPWithResolvingFQDN
  • Consolidate Address objects in use: python pan_analyzer --fixer ConsolidateAddresses
  • Delete the now-unused Address objects: python pan_analyzer --fixer DeleteUnusedAddresses
  • Make all FQDN objects use FQDNs: python pan_analyzer --fixer FixUnqualifiedFQDN
  • Define a convention in the config file, then rename objects to fit a naming convention: python pan_analyzer --fixer RenameUnconventionallyNamedAddresses

Known Issues

The validators for checking zones (ExtraZones, MissingZones, and ExtraRules) all require looking up the zones for address objects on the firewall. This requires many API requests and can take a very long time. Since Palo Alto Networks recommends limiting the number of concurrent API calls to five, and that limit is shared with the web UI, these calls are not parallelized. Because of these concerns, the default configuration skips those validators.

Other scripts

In addition to pan_analyzer, several other scripts are included in this package:

  • pan_categorization_lookup - Looks up categorization for either a single URL or a file with a list of URLs
  • pan_disable_rules - Takes a text file with a list of security rules and disables them (useful for disabling rules found with Policy Optimizer)
  • pan_dump_active_sessions - Dumps all active sessions from all firewalls
  • pan_run_command - Runs a single command on a single firewall
  • pan_zone_lookup - Looks up Zone for a single IP on all firewalls

License

This project is in the worldwide public domain.

This project is in the public domain within the United States, and copyright and related rights in the work worldwide are waived through the CC0 1.0 Universal public domain dedication.

All contributions to this project will be released under the CC0 dedication. By submitting a pull request, you are agreeing to comply with this waiver of copyright interest.

palo_alto_firewall_analyzer's People

Contributors

dependabot-preview[bot], moshekaplan, nawtest


palo_alto_firewall_analyzer's Issues

consolidatable_addresses_and_groups: Error when examining NAT rules

C:\Pan_Cleaner>pan_analyzer --xml 4412.xml
palo_alto_firewall_analyzer - INFO - Running validators
palo_alto_firewall_analyzer.validators.bad_hostnames - INFO - ********************************************************************************

  File "C:\Users\desh1\AppData\Roaming\Python\Python311\site-packages\palo_alto_firewall_analyzer\validators\consolidatable_addresses_and_groups.py", line 172, in replace_policy_contents
    if object_policy_dict[translation].get('static-ip', {}).get('translated-address', {}).get('member'):
       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
AttributeError: 'str' object has no attribute 'get'

C:\Pan_Cleaner>

New Validator: Identify rule usage to detect unused rules

From https://www.reddit.com/r/paloaltonetworks/comments/11zjzdq/python_script_for_analyzing_panorama_configuration/ :

good addition to this might be identifying redundant rules, shadowed rules, or rules that aren’t shadowed but still have no hit count.

I was hoping to integrate the hit count data so I could mimic how I use Policy Optimizer to find rules that are deletion candidates. Something like displaying a list of all rules never used since they were created x years ago, and all rules that were once used, but have not been used for duration y.

If there's an efficient way to collect that data, I'm game to try, but it seems like the only way would be to dump all hit counts from all devices in a device group, then iterate through the rules in the device group and see when they were created, last reset and last hit. It could be done at one request per device per rule type; that's still realistic, but would add a pretty significant amount of runtime in the initial data collection. OTOH it could probably be implemented to only run if the rule "lifespans" (x and y mentioned before) are set, so only users interested in the functionality would have the runtime cost.

Write script to find all rules involving either one or two CIDR blocks or IPs

To find all rules between two specific CIDR blocks, I have created a code. It might help you to understand:

import xml.etree.ElementTree as ET
# import panxapi  # only needed for the live-API path, which is commented out below

'''
# Panorama connection details
panorama_host = "192.168.248.140"
panorama_user = "admin"
panorama_password = "  "

# Initialize PAN-OS API connection to Panorama
xapi = panxapi(api_username=panorama_user, api_password=panorama_password, hostname=panorama_host, verify=False)
#xapi = panxapi.py -h 192.168.248.140 -l ***@***.***! -k

# Perform an API request to get all security policies
xpath = ***@***.******@***.***='vsys1']/rulebase/security/rules")
try:
    response = xapi.get(xpath=xpath)
    if response is None:
        raise Exception("Empty response from the API.")
except Exception as e:
    print(f"Error: {e}")
    exit()
'''

# Parse the exported XML configuration
root = ET.parse("3882.xml")
#print(root)

# Iterate through the security rules (only rule entries, not every <entry> in the file)
for rule in root.findall(".//security/rules/entry"):
    source_objects = []
    destination_objects = []

    # Get the source and destination objects of the rule
    for element in rule.findall(".//source/member"):
        source_objects.append(element.text)
    for element in rule.findall(".//destination/member"):
        destination_objects.append(element.text)

    # Check if any source or destination object falls within the specified IP range
    in_range = False
    for obj in source_objects + destination_objects:
        # Only literal 10.0.0.x/NN entries are checked; 'any', object names and bare hosts are skipped
        if obj and obj.startswith("10.0.0.") and '/' in obj:
            subNetMask = int(obj.split('/')[1])
            if 8 <= subNetMask <= 20:
                in_range = True
                break
    if in_range:
        # Print the rule name and other relevant information
        # rule_name = rule.find(".//tag").text
        rule_name = rule.get("name")
        print(f"Rule Name: {rule_name}")
        print(f"Source Objects: {', '.join(source_objects)}")
        print(f"Destination Objects: {', '.join(destination_objects)}")
        print("\n")

# Disconnect from the Panorama device
#xapi.logout()
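A more general form of the search this issue asks for, added here as an example (not the project's code and not the poster's script): it resolves named address objects from the export, accepts literal CIDRs, ignores 'any' and FQDN objects, and reports rules whose source (and optionally destination) overlaps the blocks you give. The XML snippet is constructed for the example.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample in the shape of a Panorama export: address objects plus three rules.
SAMPLE_XML = """<config><devices><entry name="localhost.localdomain"><device-group>
<entry name="DG1">
  <address>
    <entry name="web-srv"><ip-netmask>10.0.0.5/32</ip-netmask></entry>
    <entry name="lab-net"><ip-netmask>10.0.8.0/21</ip-netmask></entry>
    <entry name="corp-dns"><fqdn>dns.example.test</fqdn></entry>
  </address>
  <pre-rulebase><security><rules>
    <entry name="allow-web"><source><member>lab-net</member></source>
      <destination><member>web-srv</member></destination></entry>
    <entry name="allow-dns"><source><member>any</member></source>
      <destination><member>corp-dns</member></destination></entry>
    <entry name="raw-cidr"><source><member>192.168.1.0/24</member></source>
      <destination><member>10.0.0.0/8</member></destination></entry>
  </rules></security></pre-rulebase>
</entry></device-group></entry></devices></config>"""


def load_address_objects(root):
    """Map address-object names to networks; FQDN objects are skipped (no static IP)."""
    objects = {}
    for entry in root.iterfind(".//address/entry"):
        node = entry.find("ip-netmask")
        if node is not None and node.text:
            objects[entry.get("name")] = ipaddress.ip_network(node.text, strict=False)
    return objects


def to_networks(member, objects):
    """Resolve a rule member: a named object, a literal IP/CIDR, or nothing ('any', FQDN, group)."""
    if member in objects:
        return [objects[member]]
    try:
        return [ipaddress.ip_network(member, strict=False)]
    except ValueError:
        return []


def rules_touching(xml_text, src_cidr, dst_cidr=None):
    """Names of security rules whose source overlaps src_cidr and, if given, whose
    destination overlaps dst_cidr. Overlap, not equality, so a /32 inside a /21 matches."""
    root = ET.fromstring(xml_text)
    objects = load_address_objects(root)
    src_net = ipaddress.ip_network(src_cidr, strict=False)
    dst_net = ipaddress.ip_network(dst_cidr, strict=False) if dst_cidr else None
    hits = []
    for rule in root.iterfind(".//security/rules/entry"):
        srcs = [n for m in rule.iterfind("source/member") for n in to_networks(m.text, objects)]
        dsts = [n for m in rule.iterfind("destination/member") for n in to_networks(m.text, objects)]
        if any(n.overlaps(src_net) for n in srcs) and (
                dst_net is None or any(n.overlaps(dst_net) for n in dsts)):
            hits.append(rule.get("name"))
    return hits
```

Address groups and FQDN objects are deliberately not matched, so a rule that reaches the block only through them will not be listed.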

Turn into Python package

Publish to pypi. pan_policy_validator.py and pan_policy_fixer.py should be installed to be available to run directly.

This may depend on #2 for ease of usage

There is another issue while iterating XML files

palo_alto_firewall_analyzer.validators.misleading_objects - INFO - (9/13) Checking PDX Office's Address objects
palo_alto_firewall_analyzer.validators.misleading_objects - INFO - (10/13) Checking HVW DC's Address objects
palo_alto_firewall_analyzer.validators.misleading_objects - INFO - (11/13) Checking PDX's Address objects
palo_alto_firewall_analyzer.validators.misleading_objects - INFO - (12/13) Checking vor0506df01's Address objects
Traceback (most recent call last):
  File "<frozen runpy>", line 198, in _run_module_as_main
  File "<frozen runpy>", line 88, in _run_code
  File "C:\Pan_Cleaner\pan_analyzer.exe\__main__.py", line 7, in <module>
  File "C:\Users\desh1\AppData\Roaming\Python\Python311\site-packages\palo_alto_firewall_analyzer\scripts\pan_analyzer.py", line 193, in main
    problems, total_problems = run_policy_validators(validators, profilepackage, output_fname)
                               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\Users\desh1\AppData\Roaming\Python\Python311\site-packages\palo_alto_firewall_analyzer\scripts\pan_analyzer.py", line 66, in run_policy_validators
    validator_problems = validator_function(profilepackage)
                         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\Users\desh1\AppData\Roaming\Python\Python311\site-packages\palo_alto_firewall_analyzer\validators\misleading_objects.py", line 49, in find_misleading_addresses
    ip_address = entry_value.split('/', 1)[0]
                 ^^^^^^^^^^^^^^^^^
AttributeError: 'dict' object has no attribute 'split'

Implement Zone determination offline

Instead of requiring one API request per IP, can we resolve interfaces fully offline?

For a firewall FW, how does traffic to an IP get routed?

  • Comes in on interface X (whichever that will be) and goes to a VR (e.g., Default VR, depending on which interface X is)
  • VR <myvr>
  • Next hop is IP2
  • So goes through ethernet 1/4
  • Ethernet 1/4 is zone "ZONE"

The routing tables can be dumped from the active firewalls with show routing route.
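The offline lookup sketched in this issue, as an added example (not the project's code): parse a route-table dump per virtual router, do a longest-prefix match for the target IP, and map the egress interface to its zone. The dump and the interface-to-zone map are constructed; the parser assumes the flags always occupy two columns and that 'H' host routes carry no interface.

```python
import ipaddress
from collections import namedtuple

Route = namedtuple("Route", "dest nexthop interface")

# Constructed sample in the shape of 'show routing route' output (assumption: flags
# always occupy two columns, and the interface column is empty for 'H' host routes).
ROUTE_DUMP = """\
VIRTUAL ROUTER: default (id 1)
  ==========
destination        nexthop         metric flags interface       next-AS
0.0.0.0/0          203.0.113.1     10     A S   ethernet1/1
10.0.0.0/8         10.1.1.1        10     A S   ethernet1/4
10.0.5.0/24        0.0.0.0         0      A C   ethernet1/2
10.0.5.7/32        0.0.0.0         0      A H
"""

# Constructed interface-to-zone map (in a real config this comes from the zone definitions).
INTERFACE_ZONES = {"ethernet1/1": "UNTRUST", "ethernet1/2": "TRUST", "ethernet1/4": "DC"}


def parse_routes(dump):
    """Return {vr_name: [Route, ...]} parsed from a route-table dump."""
    tables, vr = {}, None
    for line in dump.splitlines():
        parts = line.split()
        if line.startswith("VIRTUAL ROUTER:"):
            vr = parts[2]
            tables[vr] = []
            continue
        if vr is None or len(parts) < 5:
            continue  # banner / separator lines
        try:
            dest = ipaddress.ip_network(parts[0], strict=False)
        except ValueError:
            continue  # column-header line
        interface = parts[5] if len(parts) >= 6 else None
        tables[vr].append(Route(dest, parts[1], interface))
    return tables


def egress_zone(ip, tables, zones, vr="default"):
    """Longest-prefix match in the VR's table, then map the egress interface to its zone.
    Returns None when nothing matches or when the best route is a host route with no
    interface (traffic to the firewall itself); a validator should flag that, not guess."""
    addr = ipaddress.ip_address(ip)
    matches = [r for r in tables.get(vr, []) if addr in r.dest]
    if not matches:
        return None
    best = max(matches, key=lambda r: r.dest.prefixlen)
    return zones.get(best.interface) if best.interface else None


if __name__ == "__main__":
    tables = parse_routes(ROUTE_DUMP)
    for ip in ("10.0.5.20", "10.20.0.1", "8.8.8.8", "10.0.5.7"):
        print(ip, "->", egress_zone(ip, tables, INTERFACE_ZONES))
```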

While iterating xml file getting error

C:\Pan_Cleaner>pan_analyzer --xml 4412.xml
palo_alto_firewall_analyzer - INFO - Running validators
palo_alto_firewall_analyzer.validators.bad_hostnames - INFO - ********************************************************************************
palo_alto_firewall_analyzer.validators.bad_hostnames - INFO - Checking for non-resolving hostnames
Traceback (most recent call last):
  File "<frozen runpy>", line 198, in _run_module_as_main
  File "<frozen runpy>", line 88, in _run_code
  File "C:\Pan_Cleaner\pan_analyzer.exe\__main__.py", line 7, in <module>
  File "C:\Users\desh1\AppData\Roaming\Python\Python311\site-packages\palo_alto_firewall_analyzer\scripts\pan_analyzer.py", line 193, in main
    problems, total_problems = run_policy_validators(validators, profilepackage, output_fname)
                               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\Users\desh1\AppData\Roaming\Python\Python311\site-packages\palo_alto_firewall_analyzer\scripts\pan_analyzer.py", line 66, in run_policy_validators
    validator_problems = validator_function(profilepackage)
                         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\Users\desh1\AppData\Roaming\Python\Python311\site-packages\palo_alto_firewall_analyzer\validators\consolidatable_addresses_and_groups.py", line 212, in find_consolidatable_addresses
    return consolidate_address_like_objects(profilepackage, object_type, object_friendly_type, validator_function)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\Users\desh1\AppData\Roaming\Python\Python311\site-packages\palo_alto_firewall_analyzer\validators\consolidatable_addresses_and_groups.py", line 203, in consolidate_address_like_objects
    badentries += replace_policy_contents(policies_needing_replacement, address_to_replacement)
                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\Users\desh1\AppData\Roaming\Python\Python311\site-packages\palo_alto_firewall_analyzer\validators\consolidatable_addresses_and_groups.py", line 172, in replace_policy_contents
    if object_policy_dict[translation].get('static-ip', {}).get('translated-address', {}).get('member'):
       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
AttributeError: 'str' object has no attribute 'get'

C:\Pan_Cleaner>

Support JSON output

Support generating JSON output, instead of only text-based.
JSON should (ideally) include:

  • Configuration file version
  • Date of execution
  • Runtime
  • Output from each analyzer
