nautobot-plugin-chatops-panorama's Introduction

Nautobot Panorama ChatOps

The code in this repository has been migrated to the Nautobot ChatOps Repository as an integration - read more about it in the ChatOps Docs! As of July 2023 this repository has been FROZEN - all development / issues / discussions for this integration are in the Nautobot ChatOps Repository going forward.

This is a plugin for Nautobot that extends ChatOps support to Palo Alto Panorama systems. The plugin adds commands to your ChatOps environment that enhance an administrator's and end user's day-to-day usage of Panorama. The framework also allows new ChatOps commands for Panorama to be added quickly.

Note: While this plugin requires Nautobot and the base Nautobot ChatOps plugin, it does not require the Panorama or Palo Alto inventory to be in Nautobot. It is effectively Nautobot-independent, except for using it as a backend to run the chatbot itself.

Usage

The supported commands are listed below. New command or feature requests are welcome; submit an issue or PR.

/panorama Command       Description
get-devices             Get information about connected devices from Panorama.
get-devicegroups        Get information about DeviceGroups and their devices from Panorama.
validate-rule-exists    Verify that a specific ACL rule exists within a device, via Panorama.
get-version             Obtain software version information for Panorama.
upload-software         Upload software to specified Palo Alto device.
install-software        Install software to specified Palo Alto device.
get-device-rules        Return a list of all firewall rules on a given device with details.
export-device-rules     Generate a downloadable list of firewall rules with details in CSV format.
capture-traffic         Run a packet capture on PANOS Device for specified IP traffic.

Prerequisites

This plugin requires the Nautobot ChatOps Plugin to be installed and configured before using. You can find detailed setup and configuration instructions here.

Installation

The plugin is available as a Python package on PyPI and can be installed with pip:

pip install nautobot-plugin-chatops-panorama

The plugin is compatible with Nautobot 1.1.0 and higher.

To ensure Nautobot Panorama ChatOps is automatically re-installed during future upgrades, create a file named local_requirements.txt (if not already existing) in the Nautobot root directory (alongside requirements.txt) and list the nautobot-plugin-chatops-panorama package:

# echo nautobot-plugin-chatops-panorama >> local_requirements.txt

Once installed, the plugin needs to be enabled in your nautobot_config.py:

# In your nautobot_config.py
PLUGINS = ["nautobot_chatops", "nautobot_plugin_chatops_panorama"]

In addition, add/update the below PLUGINS_CONFIG section to nautobot_config.py.

It is only necessary to add the sections from the below snippet for the chat platform you will be using (Slack, Webex, etc.).

# Also in nautobot_config.py
import os  # if not already imported at the top of the file

# Environment values are strings and any non-empty string (including "false")
# is truthy, so each enable flag is compared against "true" explicitly.
PLUGINS_CONFIG = {
    "nautobot_chatops": {
        # Slack
        "enable_slack": os.environ.get("ENABLE_SLACK", "false").lower() == "true",
        "slack_api_token": os.environ.get("SLACK_API_TOKEN"),
        "slack_signing_secret": os.environ.get("SLACK_SIGNING_SECRET"),
        "slack_slash_command_prefix": os.environ.get("SLACK_SLASH_COMMAND_PREFIX", "/"),
        # Webex
        "enable_webex": os.environ.get("ENABLE_WEBEX", "false").lower() == "true",
        "webex_token": os.environ.get("WEBEX_TOKEN"),
        "webex_signing_secret": os.environ.get("WEBEX_SIGNING_SECRET"),
        # Mattermost
        "enable_mattermost": os.environ.get("ENABLE_MATTERMOST", "false").lower() == "true",
        "mattermost_api_token": os.environ.get("MATTERMOST_API_TOKEN"),
        "mattermost_url": os.environ.get("MATTERMOST_URL"),
        # MS Teams
        "enable_ms_teams": os.environ.get("ENABLE_MS_TEAMS", "false").lower() == "true",
        "microsoft_app_id": os.environ.get("MICROSOFT_APP_ID"),
        "microsoft_app_password": os.environ.get("MICROSOFT_APP_PASSWORD"),
    },
    # Panorama API credentials are read from the environment, never hard-coded here.
    "nautobot_plugin_chatops_panorama": {
        "panorama_host": os.environ.get("PANORAMA_HOST"),
        "panorama_user": os.environ.get("PANORAMA_USER"),
        "panorama_password": os.environ.get("PANORAMA_PASSWORD"),
    },
}

Environment Variables

You will need to set the following environment variables for your Nautobot instance, then restart the services for them to take effect.

  • PANORAMA_HOST - This is the management DNS/IP address used to reach your Panorama instance.
  • PANORAMA_USER - A user account with API access to Panorama.
  • PANORAMA_PASSWORD - The password that goes with the above user account.

export PANORAMA_HOST="{{ Panorama DNS/URL }}"
export PANORAMA_USER="{{ Panorama account username }}"
export PANORAMA_PASSWORD="{{ Panorama account password }}"

If the base Nautobot ChatOps plugin is not already installed, the following environment variables are required for the chat platform in use. The Platform-specific Setup document describes how to retrieve the tokens and secrets for each chat platform that will need to be used in the environment variables.

It is only necessary to create the environment variables shown below for the chat platform you will be using. To make the environment variables persistent, add them to the ~/.bash_profile for the user running Nautobot.

# Slack
export ENABLE_SLACK="true"
export SLACK_API_TOKEN="foobar"
export SLACK_SIGNING_SECRET="foobar"
# Webex
export ENABLE_WEBEX="true"
export WEBEX_TOKEN="foobar"
export WEBEX_SIGNING_SECRET="foobar"
# Mattermost
export ENABLE_MATTERMOST="false"
export MATTERMOST_API_TOKEN="foobar"
export MATTERMOST_URL="foobar"
# Microsoft Teams
export ENABLE_MS_TEAMS="false"
export MICROSOFT_APP_ID="foobar"
export MICROSOFT_APP_PASSWORD="foobar"

When deploying as Docker containers, all of the above environment variables should be defined in the file development/creds.env. An example credentials file creds.env.example is available in the development folder.
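
A pre-start check over the variables listed above, as an added example that is not part of the plugin or its documentation. The function names, the accepted boolean words and the sample values are assumptions; only the variable names come from this README.

```python
import os
import stat

# Variable names are the ones the README lists; all other names are assumptions.
PANORAMA_VARS = ("PANORAMA_HOST", "PANORAMA_USER", "PANORAMA_PASSWORD")
PLATFORM_VARS = {
    "ENABLE_SLACK": ("SLACK_API_TOKEN", "SLACK_SIGNING_SECRET"),
    "ENABLE_WEBEX": ("WEBEX_TOKEN", "WEBEX_SIGNING_SECRET"),
    "ENABLE_MATTERMOST": ("MATTERMOST_API_TOKEN", "MATTERMOST_URL"),
    "ENABLE_MS_TEAMS": ("MICROSOFT_APP_ID", "MICROSOFT_APP_PASSWORD"),
}
TRUE_WORDS, FALSE_WORDS = {"true", "1", "yes"}, {"false", "0", "no", ""}
# Constructed sample environment, not taken from any real deployment.
SAMPLE_ENV = {
    "PANORAMA_HOST": "panorama.example.com", "PANORAMA_USER": "svc-chatops",
    "PANORAMA_PASSWORD": "foobar", "ENABLE_SLACK": "true",
    "SLACK_API_TOKEN": "constructed-token", "SLACK_SIGNING_SECRET": "",
    "ENABLE_MATTERMOST": "false", "ENABLE_WEBEX": "maybe",
}


def is_placeholder(value):
    """True for unset values and for the sample values shown in the README."""
    value = (value or "").strip()
    return not value or value == "foobar" or value.startswith("{{")


def audit_chatops_env(env):
    """Return findings as strings; an empty list means nothing was flagged."""
    findings = [f"{n} is unset or a placeholder"
                for n in PANORAMA_VARS if is_placeholder(env.get(n))]
    for flag, required in PLATFORM_VARS.items():
        raw = env.get(flag, "").strip().lower()
        if raw not in TRUE_WORDS | FALSE_WORDS:
            findings.append(f"{flag}={raw!r} is not a recognized boolean")
        elif raw in TRUE_WORDS:
            findings += [f"{flag} is on but {n} is unset or a placeholder"
                         for n in required if is_placeholder(env.get(n))]
    return findings


def readable_by_others(path):
    """True if group or other users can read the credentials file at path."""
    return bool(os.stat(path).st_mode & (stat.S_IRGRP | stat.S_IROTH))


if __name__ == "__main__":
    for finding in audit_chatops_env(SAMPLE_ENV):
        print("WARNING:", finding)
```

In a deployment, pass `os.environ` to `audit_chatops_env` and point `readable_by_others` at the file that holds the exports, such as `~/.bash_profile` or `development/creds.env`.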

Access Control

Just like with the regular /nautobot command from the base Nautobot ChatOps plugin, the /panorama command supports access control through the Access Grants menu in Nautobot. See section Grant Access to the Chatbot in the installation guide for the base Nautobot ChatOps plugin for setting this up.

Questions

For any questions or comments, please check the FAQ first and feel free to swing by the Network to Code Slack (channel #networktocode). Sign up here.

Screenshots

Help

Validate Rule Exists Success

Validate Rule Exists Failure

Upload Software

Capture Traffic Filter

Capture Traffic

Get Devices

Get DeviceGroups

Get Device Rules

nautobot-plugin-chatops-panorama's People

Contributors

armartirosyan, dependabot[bot], fragmentedpacket, itdependsnetworks, jamesholland-uk, jdrew82, matt852, phillsimonds, qduk, smk4664, ubajze, whitej6

nautobot-plugin-chatops-panorama's Issues

Enhance get-device-rules function to return rules configured via Panorama

Environment

  • Python version: 3.9.9
  • Nautobot version: 1.2.8 via Docker Compose
  • nautobot-chatops version: 1.7.0
  • nautobot-plugin-chatops-panorama version: 1.1.0

Proposed Functionality

  • Currently, the get-device-rules feature only returns rules configured locally on the managed firewalls.
  • Ideally, as a plugin targeting Panorama specifically, the rules configured in Panorama and pushed to managed devices would also be included in the output from this function.

Use Case

  • Most organisations using Panorama would push rules to firewalls from Panorama, as opposed to configuring the rules locally on firewalls. Therefore, the usefulness of get-device-rules would be dramatically increased by enhancing this feature.

OSRB - Docs review

Prior to open sourcing, please add the following to the docs:

  • Info in the About section
  • Info about the app; currently it has the "A plugin for Nautobot." from the cookie cutter
    • What the app is
    • What the app does
    • Why the app is useful, use cases, etc

Bug with upload software version selection

Environment

  • Python version: 3.6.13
  • Nautobot version: 1.1.0
  • nautobot-chatops version: 1.3.1
  • nautobot-plugin-chatops-panorama version:

Expected Behavior

The next available OS's to display

Observed Behavior

If trying to pick an available option that isn't shown, and you click "Next...", you get this:

Hey @Matt Vitale, you've requested to upload menu_offset-99 to PA-VM.
Starting download now...
There was an issue uploading menu_offset-99 to PA-VM. version menu_offset-99 not available for download

Steps to Reproduce

  1. Run /panorama upload-software
  2. With more than 100 options to pick from, scroll to the bottom and select "Next..."

Sync-firewalls does not add public IP address, causes issues with packet-capture

Environment

  • Python version:
  • Nautobot version:
  • nautobot-chatops version:
  • nautobot-plugin-chatops-panorama version:

Expected Behavior

After running /panorama sync-firewalls, the command /panorama packet-capture should work.

Observed Behavior

When running /panorama sync-firewalls, the primary IP is saved correctly, however I believe it pulls from Ethernet1/1, which may be the internal RFC1918 address. This command should account for any and all active interfaces with IP addresses assigned.

Because of this, /panorama packet-capture may not use the correct IP address to connect, as it connects directly to the device instead of through Panorama. This will affect other future commands that connect in a similar manner.

Steps to Reproduce

  1. Run /panorama sync-firewalls
  2. Run /panorama packet-capture with any valid values. Must connect to a firewall device where you normally connect through a different IP address than what's assigned as its primary IP in Nautobot (from sync-firewalls)

Command validate-objects doesn't work

Environment

  • Python version:
  • Nautobot version:
  • nautobot-chatops version:
  • nautobot-plugin-chatops-panorama version:

Expected Behavior

The command should work.

Observed Behavior

This error occurs:

 *An internal error occurred:
['“PA-VM” is not a valid UUID.']*

Steps to Reproduce

  1. Run command /panorama validate-objects PA-VM all Demo

Bug with validate-rule-exists command when supplying parameters

Environment

  • Python version:
  • Nautobot version:
  • nautobot-chatops version:
  • nautobot-plugin-chatops-panorama version:

Expected Behavior

It should work.

Observed Behavior

This error occurs:

 *An internal error occurred:
invalid literal for int() with base 10: 'tcp'* 

This command works when using the menu dropdown dialog box.

Steps to Reproduce

  1. Run this command: /panorama validate-rule-exists PA-VM 10.0.50.100 10.0.20.20 tcp 636

get-device-rules fails if there are disconnected managed devices

Environment

  • Python version: 3.9.9
  • Nautobot version: 1.2.8 via Docker Compose
  • nautobot-chatops version: 1.7.0
  • nautobot-plugin-chatops-panorama version: 1.1.0

Expected Behavior

/panorama get-device-rules works even if there are managed devices (firewalls) which are disconnected

Observed Behavior

/panorama get-device-rules fails if there are one or more managed devices (firewalls) which are disconnected, with error message: *An internal error occurred: <SERIAL-NUMBER> not connected*
Screenshot 2022-03-22 at 21 04 58

Steps to Reproduce

  1. Install Nautobot and plugin components per instructions, and configure appropriately for Panorama access
  2. Have at least one managed device be in "disconnected" state (for example, temporarily turn off a firewall)
  3. Execute /panorama get-device-rules in Slack, observe the error message
  4. Then ensure all devices are connected again, re-execute the slash command, and no error is observed

Remove reliance on Nautobot inventory from capture-traffic command

Environment

  • Nautobot version: 1.1.0
  • nautobot-chatops version: 1.5.0
  • nautobot-plugin-chatops-panorama version: 0.2.0

Proposed Functionality

The current command capture-traffic is the only command available that requires the Palo Alto devices to be properly configured in Nautobot.

With the migration of the sync-firewalls command over to the SSOT plugin, this command needs to be reworked to pull device info from Panorama instead of Nautobot.

As a side note, this may also resolve issue #89.

Use Case

Fully abstracts out reliance on Nautobot DCIM, as previously discussed and decided on.

Plugin unable to access Panorama's managed devices

Environment

OS:

  • Ubuntu 20.04.4 VM on GCP
  • Docker version: 20.10.12, build e91ed57
  • Docker Compose version: v2.2.3

Inside container:

  • Python version: 3.9.9
  • Nautobot version: 1.2.4 in Dockerfile, GUI/CLI reports: 5f65c8a48643 (v1.0.3)
  • nautobot-chatops version: 1.6.0
  • nautobot-plugin-chatops-panorama version: 1.0.0

Issue

In Slack:
a) Type /panorama get-device-rules and receive a drop-down list of Panorama's managed devices from which to select, then get the rules from that device

a) Error:
Screenshot 2022-03-08 at 20 32 50

Or....

b) Type /panorama get-device-rules <managed-device-hostname>, then get the rules from that device

b) Empty rulebase:
Screenshot 2022-03-08 at 20 32 01

Steps to Reproduce

  1. Panorama 10.1.4 installed (HA pair) as VMs in ESXi
  2. Nautobot installed using "docker compose" per instructions
  3. Docker compose modified to include install of chatops plugin and Panorama chatops plugin, as well as custom TLS cert/key, and Slack as the chatops platform
  4. Execute "slash commands" in Slack
