
Detect and remediate configuration issues in Palo Alto Networks firewalls

Project description

Palo Alto Firewall Analyzer


Python3 scripts for reviewing and fixing Palo Alto Firewall configurations

This repository contains the script pan_analyzer, which detects and fixes Palo Alto Networks firewall configuration issues, as well as several other helper scripts.

The validators are designed to have as few false positives as possible. If there is a false positive, please report an issue!

pan_analyzer Quickstart

  1. Install the package with pip install pan_analyzer
  2. Run all validators on an XML configuration file downloaded with Panorama -> Setup -> Operations -> "Export Panorama configuration version": pan_analyzer --xml 12345.xml

Using pan_analyzer

The first time you launch pan_analyzer, it will create a PAN_CONFIG.cfg file in "~\.pan_policy_analyzer\" and instruct you to edit it. The second time you launch the analyzer it will detect that "API_KEY.txt" is not present, prompt you for credentials, and save the retrieved API key to "API_KEY.txt". That key grants the same access as the account it was generated for, so keep the file readable only by your user and do not commit it to version control.

  • Run all validators on all device groups: pan_analyzer

  • Run a single validator on all device groups: pan_analyzer --validator UnusedServices

  • Run a single validator on a single device group: pan_analyzer --device-group my_device_group --validator UnusedServices

  • Run all validators on an XML configuration file downloaded with "Export Panorama configuration version": pan_analyzer --xml 12345.xml

  • Run all validators on an XML configuration file downloaded with "Export Panorama configuration version" and choose the output format (supported formats are text and json):
    pan_analyzer --xml 12345.xml --output text
    pan_analyzer --xml 12345.xml --output json

If you're not sure where to start, I recommend downloading an XML file from: Panorama -> Setup -> Operations -> Export Panorama configuration version and running: pan_analyzer --xml 12345.xml

Common Workflows

There are a few common workflows for cleaning up the firewall configuration. Validators only report findings; fixers change the configuration, so review the validator output first and run fixers against a configuration you can roll back.

Consolidate Service Objects

Consolidate Service objects so there is only one object for each Service:

  • Delete unused Service objects: pan_analyzer --fixer DeleteUnusedServices
  • Check if any Service objects have misleading names: pan_analyzer --validator MisleadingServices
  • Consolidate Service objects in use: pan_analyzer --fixer ConsolidateServices
  • Delete the now-unused Service objects: pan_analyzer --fixer DeleteUnusedServices
  • Define a naming convention in the config file, then rename objects to fit it: pan_analyzer --fixer RenameUnconventionallyNamedServices

Consolidate Address Objects

Consolidate Address objects so there is only one object for each target:

  • Delete unused Address objects: pan_analyzer --fixer DeleteUnusedAddresses
  • Find Address objects with FQDNs that don't resolve, then delete them by hand: pan_analyzer --validator BadHostname
  • Check if any Address objects have IPs in FQDNs: pan_analyzer --validator FQDNContainsIP
  • Check if any Address objects have misleading names: pan_analyzer --validator MisleadingAddresses
  • Replace Address objects using IPs with FQDNs: pan_analyzer --fixer FixIPWithResolvingFQDN
  • Consolidate Address objects in use: pan_analyzer --fixer ConsolidateAddresses
  • Delete the now-unused Address objects: pan_analyzer --fixer DeleteUnusedAddresses
  • Make all FQDN objects use fully qualified names: pan_analyzer --fixer FixUnqualifiedFQDN
  • Define a naming convention in the config file, then rename objects to fit it: pan_analyzer --fixer RenameUnconventionallyNamedAddresses
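Both consolidation workflows above rest on the same two questions: which objects no rule or group references, and which objects define the same thing under different names. The script below answers both against a Panorama XML export, as an added example that is not pan_analyzer's own code. It assumes the standard PAN-OS layout (shared objects under /config/shared/service and /config/shared/address, groups under service-group and address-group, security rules under a device group's rulebase referencing objects by name); the embedded configuration is constructed for the example.

```python
"""Find unused and duplicate Service/Address objects in a Panorama XML export.

Added example, not pan_analyzer's own code. Assumes the standard PAN-OS XML
layout (shared objects, shared groups, device-group rulebases). The sample
configuration below is constructed for this example.
"""
import sys
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample: two services and two addresses that are duplicates of
# each other, plus one unused service and one unused address.
SAMPLE_CONFIG = """<config>
  <shared>
    <service>
      <entry name="tcp-443"><protocol><tcp><port>443</port></tcp></protocol></entry>
      <entry name="https"><protocol><tcp><port>443</port></tcp></protocol></entry>
      <entry name="tcp-8443"><protocol><tcp><port>8443</port></tcp></protocol></entry>
      <entry name="udp-514"><protocol><udp><port>514</port></udp></protocol></entry>
    </service>
    <address>
      <entry name="web1"><ip-netmask>10.0.0.5/32</ip-netmask></entry>
      <entry name="web-primary"><ip-netmask>10.0.0.5</ip-netmask></entry>
      <entry name="old-db"><ip-netmask>10.0.9.9/32</ip-netmask></entry>
      <entry name="intranet"><fqdn>Intranet.example.com</fqdn></entry>
    </address>
  </shared>
  <devices><entry name="localhost.localdomain"><device-group>
    <entry name="dg-prod"><pre-rulebase><security><rules>
      <entry name="allow-web">
        <source><member>any</member></source>
        <destination><member>web1</member><member>web-primary</member></destination>
        <service><member>tcp-443</member><member>https</member></service>
      </entry>
      <entry name="syslog-out">
        <source><member>intranet</member></source>
        <destination><member>any</member></destination>
        <service><member>udp-514</member></service>
      </entry>
    </rules></security></pre-rulebase></entry>
  </device-group></entry></devices>
</config>"""


def normalize_address(kind, value):
    """Canonical form so 'a.b.c.d' and 'a.b.c.d/32' consolidate, and FQDNs compare case-insensitively."""
    if kind == "fqdn":
        return value.strip().lower()
    if kind == "ip-netmask" and "/" not in value and ":" not in value:
        return value.strip() + "/32"
    return value.strip()


def load_objects(root):
    """Return {name: definition} for shared service and address objects."""
    services = {}
    for e in root.findall("./shared/service/entry"):
        proto = next(iter(e.find("protocol")))  # <tcp> or <udp>
        services[e.get("name")] = (proto.tag, proto.findtext("port"), proto.findtext("source-port"))
    addresses = {}
    for e in root.findall("./shared/address/entry"):
        for kind in ("ip-netmask", "ip-range", "fqdn"):
            value = e.findtext(kind)
            if value is not None:
                addresses[e.get("name")] = (kind, normalize_address(kind, value))
                break
    return services, addresses


def referenced_members(root):
    """Collect every service/address name referenced by a rule or a shared group."""
    svc, addr = set(), set()
    for rules in root.iter("rules"):  # any rulebase: pre/post, security/nat
        for rule in rules.findall("entry"):
            svc.update(m.text for m in rule.findall("./service/member"))
            for field in ("source", "destination"):
                addr.update(m.text for m in rule.findall(f"./{field}/member"))
    svc.update(m.text for m in root.findall("./shared/service-group/entry/members/member"))
    addr.update(m.text for m in root.findall("./shared/address-group/entry/static/member"))
    return svc, addr


def unused(objects, referenced):
    return sorted(name for name in objects if name not in referenced)


def duplicates(objects):
    """Group object names by identical definition; keep only groups with more than one name."""
    by_definition = defaultdict(list)
    for name, definition in objects.items():
        by_definition[definition].append(name)
    return {d: sorted(names) for d, names in by_definition.items() if len(names) > 1}


def analyze(xml_text):
    root = ET.fromstring(xml_text)
    services, addresses = load_objects(root)
    used_svc, used_addr = referenced_members(root)
    return {
        "unused_services": unused(services, used_svc),
        "duplicate_services": duplicates(services),
        "unused_addresses": unused(addresses, used_addr),
        "duplicate_addresses": duplicates(addresses),
    }


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for key, value in analyze(text).items():
        print(f"{key}: {value}")
```

Run it with the path of an exported configuration as the only argument, or with no argument to analyze the constructed sample. It only looks at shared objects; device-group-scoped objects and template references live elsewhere in the tree, so a name this script reports as unused may still be referenced from a scope it does not inspect, which is why a validator pass should precede any deletion.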

Known Issues

The validators that check zones (ExtraZones, MissingZones, and ExtraRules) all need to look up the zone of each address object on the firewall. This takes many API requests and can run for a very long time. Palo Alto Networks recommends limiting concurrent API calls to five, and that limit is shared with the web UI, so these calls are not parallelized. For both reasons the default configuration skips those validators.

Other scripts

In addition to pan_analyzer, several other scripts are included in this package:

  • pan_categorization_lookup - Looks up categorization for either a single URL or a file with a list of URLs
  • pan_disable_rules - Takes a text file with a list of security rules and disables them (useful for disabling rules found with Policy Optimizer)
  • pan_dump_active_sessions - Dumps all active sessions from all firewalls
  • pan_run_command - Runs a single command on a single firewall
  • pan_zone_lookup - Looks up Zone for a single IP on all firewalls

License

This project is in the worldwide public domain.

This project is in the public domain within the United States, and copyright and related rights in the work worldwide are waived through the CC0 1.0 Universal public domain dedication.

All contributions to this project will be released under the CC0 dedication. By submitting a pull request, you are agreeing to comply with this waiver of copyright interest.

Download files


Source Distribution

pan_analyzer-0.0.3.11.tar.gz (62.0 kB)

Built Distribution

pan_analyzer-0.0.3.11-py3-none-any.whl (81.6 kB, Python 3)

File details

Details for the file pan_analyzer-0.0.3.11.tar.gz.

File metadata

  • Download URL: pan_analyzer-0.0.3.11.tar.gz
  • Upload date:
  • Size: 62.0 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/4.0.2 CPython/3.11.7

File hashes

Hashes for pan_analyzer-0.0.3.11.tar.gz
Algorithm Hash digest
SHA256 624622fbaa4647b84f66ba2df0e963b0e6c5df9cb465cc47d9111e23d5b16c53
MD5 0cf65c0b8ec619a6dd5dc238ba2a7064
BLAKE2b-256 0274bf49cae56d6a55bfc9a7dc68d25a062971e7ef398f88d785579a76970ffa


File details

Details for the file pan_analyzer-0.0.3.11-py3-none-any.whl.

File metadata

File hashes

Hashes for pan_analyzer-0.0.3.11-py3-none-any.whl
Algorithm Hash digest
SHA256 40751292d0be4df26af2ceb6fcae0f16b1d73f707008ab5bf7c1f8493b24a372
MD5 43bf6e0c265584c26c54ad83f9936227
BLAKE2b-256 c12b9e596ddfc6d5a7ddabacd742332942125c70d2e4c7cd95a93954a6bf8f23

