Simple script that logs in to a Palo Alto firewall and checks license status. To be used in conjunction with monitoring software, like Nagios, that reads exit codes.
Project description
Palo Alto License Check
Simple script to be integrated into Icinga to alert the NOC team when a firewall's license is set to expire in 60 days or 3 days, or has already expired. This was built as a solution for cases where Palo Alto's Panorama is not configured or is too costly.
Installation
## Using PIP
This package is uploaded to PyPI and can be run as a command-line program.
pip install pa-license-check
This will install a CLI tool called 'palicensecheck'. It allows you to do the following:
- Create the INI file that it reads the firewall details from
- Add new clients to the INI file
- Check the licensing status and return an exit code
## Using Poetry
You can install this by cloning the repo on GitHub and then using Poetry to install all the dependencies and set up the environment. You can use this for development purposes if you wish to do so.
- Clone the project
- Navigate to the root of the project directory
- Using Poetry, run the following command. To install Poetry, please see their page for further instructions.
poetry install
How it works
The primary purpose of this script was to serve as a stopgap until Panorama is implemented, covering the lack of a license expiration date in the SNMP MIBs that are included in monitoring software like LibreNMS.
The script makes an API call to the chosen firewall and parses the XML it returns. It grabs the feature name and the expiration date, then checks the expiration date against the current date. If the firewall expiration date is more than 60 days away, it returns a system code of 0, which indicates no errors. If the expiration date is within 60 days, it returns a system code of 1, prompting a warning. If the expiration date is within 3 days, it returns a system code of 2, which indicates a critical error. This gives us visibility into the Palo Altos to ensure no firewall expires and ends up without support from the vendor.
60 days was chosen to allow ample time for Support or the Provisioning team to request a renewal quote and proceed through the Kissflow process.
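The threshold logic described above, as an added example (not the package's own code). The XML layout and the "Month DD, YYYY" / "Never" date strings are assumptions about the firewall's reply, the sample is constructed, and treating an already-expired license or an empty reply as critical is also an assumption.

```python
import xml.etree.ElementTree as ET
from datetime import date, datetime

OK, WARNING, CRITICAL = 0, 1, 2  # exit codes a Nagios/Icinga check returns

# Constructed sample; the <entry>/<feature>/<expires> layout is an assumption.
SAMPLE_XML = """<response status="success"><result><licenses>
<entry><feature>Threat Prevention</feature><expires>June 01, 2030</expires></entry>
<entry><feature>PAN-DB URL Filtering</feature><expires>February 10, 2030</expires></entry>
<entry><feature>Premium Support</feature><expires>January 03, 2030</expires></entry>
<entry><feature>Logging Service</feature><expires>Never</expires></entry>
</licenses></result></response>"""


def days_left(expires, today):
    """Days until expiry; None for a perpetual ("Never") license."""
    text = expires.strip()
    if text.lower() == "never":
        return None
    # Raises ValueError on an unexpected date format instead of guessing.
    return (datetime.strptime(text, "%B %d, %Y").date() - today).days


def severity(days):
    """More than 60 days: OK. Within 60: WARNING. Within 3: CRITICAL."""
    if days is None or days > 60:
        return OK
    if days > 3:
        return WARNING
    return CRITICAL  # assumption: an already-expired license is also critical


def check_licenses(xml_text, today):
    """Return (worst exit code, [(feature, days_left, code), ...])."""
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        return CRITICAL, []  # fail closed: an API error must not read as OK
    rows = []
    for entry in root.iter("entry"):
        days = days_left(entry.findtext("expires", default=""), today)
        rows.append((entry.findtext("feature"), days, severity(days)))
    # Assumption: a reply with no license entries is treated as critical.
    return max((code for _, _, code in rows), default=CRITICAL), rows


if __name__ == "__main__":
    code, rows = check_licenses(SAMPLE_XML, date(2030, 1, 1))
    for feature, days, sev in rows:
        print(f"{feature}: days_left={days} exit={sev}")
    raise SystemExit(code)
```

The check reports the worst severity across all features, so a single license close to expiry is enough to raise the alert.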
Custom Exit Codes
The script utilizes a "Custom Exit Code" to keep track of various states. This is not to be confused with the system exit codes, which are used to tell Icinga the severity. This is strictly for keeping track within the function itself! I decided to document it in case anyone wanted to expand on this.
CustomExitCode is 0; Everything is ok
CustomExitCode is 1; Warning, Hit 60 days
CustomExitCode is 2; Warning, Counting down from 60 days
CustomExitCode is 3; Error, we are less than 3 days from expiration
CustomExitCode is 4; We are past expiration date
Running the script
Generating INI File
On the first run, you'll need to build the INI file. You can easily do this by running:
palicensecheck create-ini-file
It will then ask you a series of questions:
please enter the firewall you wish to monitor
hank.kingofthe.hill
please enter the Firewall Key
wah5eeGhee7thah2waechohshai6ah6iphugh4ahpoophaeva0aeTutah6ohSooPopane
Please enter the clients name, I.E. ACME
Strikland
It will then create the INI file in the root directory of the script, which will look like this:
[strikland]
key = wah5eeGhee7thah2waechohshai6ah6iphugh4ahpoophaeva0aeTutah6ohSooPopane
fw = hank.kingofthe.hill
Adding clients to the INI file
You can easily add new clients to the INI file by running the following command:
palicensecheck add-client-ini
It will then walk you through a series of questions to help build the file.
please enter the firewall you wish to monitor
thatherton.fueles.demo
please enter the Firewall Key
oogoo1eec0ef0ong2ix0sheingughae8oongiebaicee3que0ShaD6rau0Looch9
Please enter the clients name, I.E. ACME
thatherton
fw_key.ini file appended with new information
Here we can see the expanded file:
[strikland]
key = wah5eeGhee7thah2waechohshai6ah6iphugh4ahpoophaeva0aeTutah6ohSooPopane
fw = hank.kingofthe.hill
[thatherton]
key = oogoo1eec0ef0ong2ix0sheingughae8oongiebaicee3que0ShaD6rau0Looch9
fw = thatherton.fueles.demo
Checking the license Status
To run the script and check the status, simply run the following command:
palicensecheck check-license --client strikland
It's important to remember that the argument after the --client param must match the group name in your INI file.
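Because fw_key.ini holds firewall API keys in plain text, a wrapper can refuse to use the file when other local users can read it and then resolve the client section. This is an added example, not the package's own code: `load_client` and `demo` are hypothetical names, the key is a constructed placeholder, lower-casing the client name is this example's choice based on the generated file shown above, and the mode check assumes a POSIX host.

```python
import configparser
import os
import stat
import tempfile


def load_client(ini_path, client):
    """Return (fw, key) for a client section, refusing a loosely permissioned file."""
    mode = stat.S_IMODE(os.stat(ini_path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{ini_path} is mode {mode:o}; restrict it to 600")
    cfg = configparser.ConfigParser()
    cfg.read(ini_path)
    # Section names are case-sensitive; the generated file shows them lower-cased.
    section = client.lower()
    if not cfg.has_section(section):
        raise KeyError(f"no [{section}] section; known: {cfg.sections()}")
    return cfg[section]["fw"], cfg[section]["key"]


def demo():
    """Write a constructed INI file, then load it with loose and tight modes."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "fw_key.ini")
        with open(path, "w") as fh:
            fh.write("[strikland]\nkey = EXAMPLE-PLACEHOLDER-KEY\n"
                     "fw = hank.kingofthe.hill\n")
        os.chmod(path, 0o644)  # world-readable: must be rejected
        try:
            load_client(path, "strikland")
            loose_rejected = False
        except PermissionError:
            loose_rejected = True
        os.chmod(path, 0o600)  # owner-only: accepted
        return loose_rejected, load_client(path, "Strikland")


if __name__ == "__main__":
    print(demo())
```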
To Do
I cobbled this together to what it is today in a few hours' time updating it. Please let me know if there are bugs, issues or any features you would like added.
- Testing against various firewalls
- Implement API Automatic Key creation for easier deployment
- Need to adjust some error catching
File details
Details for the file pa_license_check-0.1.1.tar.gz.
File metadata
- Download URL: pa_license_check-0.1.1.tar.gz
- Upload date:
- Size: 6.0 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: poetry/1.1.12 CPython/3.9.5 Darwin/21.2.0
File hashes
Algorithm | Hash digest
---|---
SHA256 | 9bd8d774422f7207d40cee0edf278d5fcd33641bee5d72d7c749f8ad1385a307
MD5 | 00fc0e38a4a1d985803c6b07a191d884
BLAKE2b-256 | 20bb35812b392a6d4d1b8497db425ecb97f6565e58cb0521cdc9e88ecf1ec551
File details
Details for the file pa_license_check-0.1.1-py3-none-any.whl.
File metadata
- Download URL: pa_license_check-0.1.1-py3-none-any.whl
- Upload date:
- Size: 6.3 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: poetry/1.1.12 CPython/3.9.5 Darwin/21.2.0
File hashes
Algorithm | Hash digest
---|---
SHA256 | 60037027f36c30f08e455686e18485c22184b78807f584530f469aa00254a6a4
MD5 | 89af36de50482b1c04f9b960573cce6c
BLAKE2b-256 | 997d926c6497b8ef6a770073310332179212f290fb0e67b91d5be16f47760adc