Simple script that logs in to a Palo Alto firewall and checks license status. To be used in conjunction with monitoring software, like Nagios, that reads exit codes.

Project description

Palo Alto License Check

Simple script to be integrated into Icinga to alert the NOC team when a firewall is set to expire in 60 days, 3 days or has already expired. This was built as a solution where Palo Alto's Panorama is not configured or is too costly.

Installation

Using PIP

This package is uploaded to PyPI and can be run as a command line program

pip install pa-license-check

This will install a CLI tool called 'palicensecheck'. It allows you to do the following:

  1. Create an INI file that it uses to read the firewall
  2. Add new clients to the INI file
  3. Check the licensing status and return an exit code

Using Poetry

You can install this by cloning the repo on GitHub and then using Poetry to install all the dependencies and set up the environment. You can use this for development purposes if you wish to do so.

  1. Clone the project
    1. Navigate to the root of the project directory
  2. Using Poetry, run the following command
    1. To install Poetry, please see their page for further instructions

poetry install

How it works

The primary purpose of this script is to act as a stopgap: Panorama is not yet implemented, and the SNMP MIBs included in monitoring software like LibreNMS lack a system expiration date.

The script makes an API call to the chosen firewall and parses the XML it returns. It grabs the feature name and the expiration date and checks the expiration date against the current date. If the expiration date is more than 60 days away, it returns a system code of 0, which indicates no errors. If the expiration date is within 60 days, it returns a system code of 1, prompting a warning. If the expiration date is within 3 days, it returns a system code of 2, which indicates a critical error. This gives us visibility into the Palo Altos to ensure no firewall expires and is left without support from the vendor.

60 days was chosen to allow ample time for Support or the Provisioning team to request a renewal quote and proceed through the Kissflow process.
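The threshold logic described above, as an added example that is not the package's own code. The XML element names, the "Never" value and the date format are assumptions about the firewall's response, the sample response is constructed, and exit code 3 (Nagios UNKNOWN) is added so that a failed or unreadable check is never reported as OK.

```python
import xml.etree.ElementTree as ET
from datetime import date, datetime

OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3   # 0-2 as on this page; 3 is Nagios UNKNOWN
WARN_DAYS, CRIT_DAYS = 60, 3                  # thresholds stated on this page
SEVERITY = [OK, WARNING, UNKNOWN, CRITICAL]   # least to most urgent

# Constructed sample response; element names and date format are assumptions.
SAMPLE_XML = """<response status="success"><result><licenses>
<entry><feature>Threat Prevention</feature><expires>March 01, 2030</expires></entry>
<entry><feature>Premium Support</feature><expires>Never</expires></entry>
</licenses></result></response>"""


def classify(expires, today):
    """Map one expiry string to an exit code and the days remaining."""
    if expires.strip().lower() == "never":
        return OK, None
    try:
        expiry = datetime.strptime(expires.strip(), "%B %d, %Y").date()
    except ValueError:
        return UNKNOWN, None              # never report OK for a date we cannot read
    days = (expiry - today).days
    if days <= CRIT_DAYS:                 # includes already expired (negative days)
        return CRITICAL, days
    return (WARNING if days <= WARN_DAYS else OK), days


def evaluate(xml_text, today):
    """Return (exit_code, report_lines); exit_code is the most urgent state seen."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return UNKNOWN, ["response is not well-formed XML"]
    entries = root.findall(".//entry")
    if root.get("status") != "success" or not entries:
        return UNKNOWN, ["API call failed or returned no license entries"]
    worst, report = OK, []
    for entry in entries:
        feature = entry.findtext("feature", default="(unnamed)")
        code, days = classify(entry.findtext("expires", default=""), today)
        report.append(f"{feature}: code={code} days_left={days}")
        worst = max(worst, code, key=SEVERITY.index)
    return worst, report


if __name__ == "__main__":
    code, report = evaluate(SAMPLE_XML, date.today())
    print("\n".join(report))
    raise SystemExit(code)
```

Passing `today` as a parameter keeps the boundary cases (exactly 60 days, exactly 3 days, already expired) testable without waiting for a real license to age.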

Custom Exit Codes

The script utilizes a "Custom Exit Code" to keep track of various states. This is not to be confused with the system exit codes, which are used to tell Icinga the severity. This is strictly for keeping track within the function itself! I decided to document it in case anyone wanted to expand on this.

CustomExitCode is 0; Everything is ok
CustomExitCode is 1; Warning, Hit 60 days
CustomExitCode is 2; Warning, Counting down from 60 days
CustomExitCode is 3; Error, we are less than 3 days from expiration
CustomExitCode is 4; We are past expiration date

Running the script

Generating INI File

On the first run, you'll need to build the INI file. You can easily do this by running

palicensecheck create-ini-file

It will then ask you a series of questions

please enter the firewall you wish to monitor
hank.kingofthe.hill
please enter the Firewall Key
wah5eeGhee7thah2waechohshai6ah6iphugh4ahpoophaeva0aeTutah6ohSooPopane
Please enter the clients name, I.E. ACME
Strikland

It will then create the INI file in the root directory of the script, which will look like this.

[strikland]
key = wah5eeGhee7thah2waechohshai6ah6iphugh4ahpoophaeva0aeTutah6ohSooPopane
fw = hank.kingofthe.hill

Adding clients to the INI file

You can easily add new clients to the INI file by running the following command

palicensecheck add-client-ini

It will then walk you through a series of questions to help build the file.

please enter the firewall you wish to monitor
thatherton.fueles.demo
please enter the Firewall Key
oogoo1eec0ef0ong2ix0sheingughae8oongiebaicee3que0ShaD6rau0Looch9
Please enter the clients name, I.E. ACME
thatherton
fw_key.ini file appended with new information

Here we can see the expanded file

[strikland]
key = wah5eeGhee7thah2waechohshai6ah6iphugh4ahpoophaeva0aeTutah6ohSooPopane
fw = hank.kingofthe.hill
[thatherton]
key = oogoo1eec0ef0ong2ix0sheingughae8oongiebaicee3que0ShaD6rau0Looch9
fw = thatherton.fueles.demo

Checking the license Status

To run the script and check the status, simply run the following command

palicensecheck check-license --client strikland

It's important to remember that the argument after the --client param must match the group name in your INI file.

To Do

I cobbled this together to what it is today in a few hours' time updating it. Please let me know if there are bugs, issues or any features you would like added.

  • Testing against various firewalls
  • Implement API Automatic Key creation for easier deployment
  • Need to adjust some error catching

Download files

Source Distribution

pa_license_check-0.1.1.tar.gz (6.0 kB)

Built Distribution

pa_license_check-0.1.1-py3-none-any.whl (6.3 kB, Python 3)
