Palo Alto Networks Utilities
panw-utils
Free software: MIT license
Documentation: https://panw-utils.readthedocs.io.
Features
panw-utils
* Returns a list of available commands

get-panw-api-key
* Returns the current API key, suitable for piping to pbcopy (macOS) or clip.exe (Windows)
* Command line options
* Platform independent
* Save default user and firewall
* Update saved settings
* Receives pipeline input (stdin)
* Uses a default firewall if one is not provided
* Prompts for required parameters if none are provided
* Multi-threaded

get-panw-firewalls
* Returns a list of firewalls including management address and serial number
* Output can be pasted directly into Excel
* Terse output option for piping to other commands
* Command line options
* Platform independent
* Save API key and default Panorama host
* Update saved settings
* Override/supply API key on the command line

get-panw-interfaces
* Returns a list of firewall interfaces
* Output can be pasted directly into Excel
* Terse output option for piping to other commands
* Command line options
* Platform independent
* Save API key and default firewall
* Update saved settings
* Override/supply API key on the command line
* Filter on interface properties
* Multi-threaded

get-panw-config
* Returns the firewall configuration (set/XML format)
* Command line options
* Platform independent
* Save key-based auth preference, default user and default firewall
* Update saved settings
* Multi-threaded

run-panw-cmd
* Executes arbitrary CLI commands
* Command line options
* Platform independent
* Save key-based auth preference, default user and default firewall
* Update saved settings
* Multi-threaded

Usage
To return a list of firewalls use the get-panw-firewalls command:

    $ get-panw-firewalls
    Host                           MgmtIP          Serial       Model    Uptime               SwVersion
    ============================== =============== ============ ======== ==================== =========
    fw01.domain.com                1.1.1.1         013999999999 PA-5220  208 days, 6:49:53    8.0.9
    fw02.domain.com                1.1.1.2         013999999998 PA-5220  208 days, 7:27:28    8.0.9

To return only the firewall hostnames (suitable for piping to other commands), use the get-panw-firewalls command with the -t (terse) option:

    $ get-panw-firewalls -t
    fw01.domain.com
    fw02.domain.com

To return a list of firewall interfaces use the get-panw-interfaces command:

    $ get-panw-interfaces fw01.domain.com
    Firewall                  Interface            State IpAddress
    ========================= ==================== ===== ====================
    fw01.domain.com           ethernet1/1          up    N/A
    fw01.domain.com           ethernet1/12         up    N/A
    fw01.domain.com           ethernet1/2          up    172.17.111.251/24
    fw01.domain.com           ethernet1/21         up    N/A
    fw01.domain.com           ethernet1/22         up    N/A
    fw01.domain.com           ethernet1/5          up    172.19.222.206/28
    fw01.domain.com           ethernet1/7          up    N/A
    fw01.domain.com           ha1-a                up    1.1.1.1/30
    fw01.domain.com           ha1-b                up    1.1.1.9/30
    fw01.domain.com           hsci-a               up    1.1.1.5/30
    fw01.domain.com           hsci-b               up    N/A
    fw01.domain.com           tunnel               up    N/A
    fw01.domain.com           tunnel.1800          up    N/A
    fw01.domain.com           vlan                 up    N/A

    $ get-panw-firewalls -t | get-panw-interfaces
    Firewall                  Interface            State IpAddress
    ========================= ==================== ===== ====================
    fw01.domain.com           ethernet1/1          up    N/A
    fw01.domain.com           ethernet1/12         up    N/A
    fw01.domain.com           ethernet1/2          up    172.17.111.251/24
    fw01.domain.com           ethernet1/21         up    N/A
    fw01.domain.com           ethernet1/22         up    N/A
    fw01.domain.com           ethernet1/5          up    172.19.222.206/28
    fw01.domain.com           ethernet1/7          up    N/A
    fw02.domain.com           ethernet1/1          up    N/A
    fw02.domain.com           ethernet1/12         up    N/A
    fw02.domain.com           ethernet1/2          up    172.17.111.251/24
    fw02.domain.com           ethernet1/21         up    N/A
    fw02.domain.com           ethernet1/22         up    N/A
    fw02.domain.com           ethernet1/5          up    172.19.222.206/28
    fw02.domain.com           ethernet1/7          up    N/A

To return the firewall configuration use the get-panw-config command:

    $ get-panw-config
    ============================
    = fw01.domain.com =
    ============================
    <response status="success"><result><config version="8.0.0" urldb="paloaltonetworks">
      <mgt-config>
        <users>
          <entry name="admin">
            <phash>xxxxx</phash>
            <permissions>
              <role-based>
                <superuser>yes</superuser>
              </role-based>
            </permissions>
          </entry>
          <entry name="user1">
            <permissions>
              <role-based>
                <superuser>yes</superuser>
              </role-based>
            </permissions>
            <phash>xxxxx</phash>
          </entry>
    <--- Output truncated --->

To return the configuration of multiple firewalls pipe the output of get-panw-firewalls -t to the get-panw-config command:

    $ get-panw-firewalls -t | get-panw-config
    ============================
    = fw01.domain.com =
    ============================
    <response status="success"><result><config version="8.0.0" urldb="paloaltonetworks">
      <mgt-config>
        <users>
          <entry name="admin">
            <phash>xxxxx</phash>
            <permissions>
              <role-based>
                <superuser>yes</superuser>
              </role-based>
            </permissions>
          </entry>
          <entry name="user1">
            <permissions>
              <role-based>
                <superuser>yes</superuser>
              </role-based>
            </permissions>
            <phash>xxxxx</phash>
          </entry>
    <--- Output truncated --->
    ============================
    = fw02.domain.com =
    ============================
    <response status="success"><result><config version="8.0.0" urldb="paloaltonetworks">
      <mgt-config>
        <users>
          <entry name="admin">
            <phash>xxxxx</phash>
            <permissions>
              <role-based>
                <superuser>yes</superuser>
              </role-based>
            </permissions>
          </entry>
          <entry name="user1">
            <permissions>
              <role-based>
                <superuser>yes</superuser>
              </role-based>
            </permissions>
            <phash>xxxxx</phash>
          </entry>
    <--- Output truncated --->

To return a portion of the firewall configuration use the get-panw-config command with the --xpath option:

    $ get-panw-config --xpath "/config/mgt-config/users"
    ============================
    = fw01.domain.com =
    ============================
    <response status="success"><result><users>
      <entry name="admin">
        <phash>xxxxx</phash>
        <permissions>
          <role-based>
            <superuser>yes</superuser>
          </role-based>
        </permissions>
      </entry>
    </users></result></response>

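The following is an added example, not code from panw-utils: it reads output in the banner-plus-XML layout shown above for get-panw-config --xpath "/config/mgt-config/users" and reports which accounts hold the superuser role on each firewall, treating failed or truncated responses as unusable rather than as "no superusers". The sample input, the auditor account and the error response are constructed, and it assumes that multi-firewall output repeats the same banner layout.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in the layout shown above: a three-line "=" banner per
# firewall, then the XML API response. Hosts, users and the error are made up.
SAMPLE = """\
============================
= fw01.domain.com =
============================
<response status="success"><result><users>
  <entry name="admin">
    <phash>xxxxx</phash>
    <permissions><role-based><superuser>yes</superuser></role-based></permissions>
  </entry>
  <entry name="auditor">
    <permissions><role-based><superreader>yes</superreader></role-based></permissions>
  </entry>
</users></result></response>
============================
= fw02.domain.com =
============================
<response status="error"><msg>constructed failure</msg></response>
"""

BANNER = re.compile(r"^=+\n= *(\S+) *=\n=+\n", re.MULTILINE)


def superusers(text):
    """Map firewall -> sorted superuser names, or None if the output is unusable."""
    parts = BANNER.split(text)  # ['', host1, body1, host2, body2, ...]
    report = {}
    for host, body in zip(parts[1::2], parts[2::2]):
        try:
            root = ET.fromstring(body.strip())
        except ET.ParseError:  # truncated or non-XML output
            root = None
        if root is None or root.get("status") != "success":
            report[host] = None
            continue
        report[host] = sorted(
            e.get("name") for e in root.iter("entry")
            if e.findtext("permissions/role-based/superuser") == "yes")
    return report


if __name__ == "__main__":
    print(superusers(SAMPLE))
```

A None entry means the firewall's response could not be evaluated and should be re-collected before drawing any conclusion about its admin accounts.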
To return the set-format configuration of multiple firewalls, pipe the output of get-panw-firewalls -t to get-panw-config --format set (here filtered with egrep to the banner and virtual-router lines):

    $ get-panw-firewalls -t | get-panw-config --format set | egrep "^=|virtual-router"
    Collecting set configuration via ssh ...
    ============================
    = fw01.domain.com =
    ============================
    set network virtual-router default protocol bgp enable no
    set network virtual-router default protocol bgp dampening-profile default cutoff 1.25
    set network virtual-router default protocol bgp dampening-profile default reuse 0.5
    set network virtual-router default protocol bgp dampening-profile default max-hold-time 900
    set network virtual-router default protocol bgp dampening-profile default decay-half-life-reachable 300
    set network virtual-router default protocol bgp dampening-profile default decay-half-life-unreachable 900
    set network virtual-router default protocol bgp dampening-profile default enable yes
    set network virtual-router default interface [ ethernet1/1 ]
    set network virtual-router default routing-table ip static-route "Default Route" nexthop ip-address 192.168.197.254
    set network virtual-router default routing-table ip static-route "Default Route" path-monitor enable no
    set network virtual-router default routing-table ip static-route "Default Route" path-monitor failure-condition any
    set network virtual-router default routing-table ip static-route "Default Route" path-monitor hold-time 2
    set network virtual-router default routing-table ip static-route "Default Route" metric 10
    set network virtual-router default routing-table ip static-route "Default Route" destination 0.0.0.0/0
    set network virtual-router default routing-table ip static-route "Default Route" route-table unicast
    ============================
    = fw02.domain.com =
    ============================
    set network virtual-router default protocol bgp enable no
    set network virtual-router default protocol bgp dampening-profile default cutoff 1.25
    set network virtual-router default protocol bgp dampening-profile default reuse 0.5
    set network virtual-router default protocol bgp dampening-profile default max-hold-time 900
    set network virtual-router default protocol bgp dampening-profile default decay-half-life-reachable 300
    set network virtual-router default protocol bgp dampening-profile default decay-half-life-unreachable 900
    set network virtual-router default protocol bgp dampening-profile default enable yes
    set network virtual-router default interface [ ethernet1/1 ]
    set network virtual-router default routing-table ip static-route "Default Route" nexthop ip-address 10.69.26.62
    set network virtual-router default routing-table ip static-route "Default Route" path-monitor enable no
    set network virtual-router default routing-table ip static-route "Default Route" path-monitor failure-condition any
    set network virtual-router default routing-table ip static-route "Default Route" path-monitor hold-time 2
    set network virtual-router default routing-table ip static-route "Default Route" metric 10
    set network virtual-router default routing-table ip static-route "Default Route" destination 0.0.0.0/0
    set network virtual-router default routing-table ip static-route "Default Route" route-table unicast

To ping every interface in an "up" state on fw01.domain.com (count 1, 1 second timeout), filtering out the HA subnets:

    $ get-panw-firewalls -t | grep fw01.domain.com | get-panw-interfaces --if-state up -t | grep -v 1.1.1. | xargs -n1 ping -c 1 -t 1
    PING 10.170.196.241 (10.170.196.241): 56 data bytes
    64 bytes from 10.170.196.241: icmp_seq=0 ttl=57 time=63.845 ms
    --- 10.170.196.241 ping statistics ---
    1 packets transmitted, 1 packets received, 0.0% packet loss
    round-trip min/avg/max/stddev = 63.845/63.845/63.845/0.000 ms
    PING 10.170.118.254 (10.170.118.254): 56 data bytes
    64 bytes from 10.170.118.254: icmp_seq=0 ttl=57 time=63.471 ms
    --- 10.170.118.254 ping statistics ---
    1 packets transmitted, 1 packets received, 0.0% packet loss
    round-trip min/avg/max/stddev = 63.471/63.471/63.471/0.000 ms
    PING 10.171.119.254 (10.171.119.254): 56 data bytes
    64 bytes from 10.171.119.254: icmp_seq=0 ttl=57 time=63.862 ms
    --- 10.171.119.254 ping statistics ---
    1 packets transmitted, 1 packets received, 0.0% packet loss
    round-trip min/avg/max/stddev = 63.862/63.862/63.862/0.000 ms
    PING 10.170.111.254 (10.170.111.254): 56 data bytes
    64 bytes from 10.170.111.254: icmp_seq=0 ttl=57 time=63.931 ms
    --- 10.170.111.254 ping statistics ---
    1 packets transmitted, 1 packets received, 0.0% packet loss
    round-trip min/avg/max/stddev = 63.931/63.931/63.931/0.000 ms
    PING 10.170.92.126 (10.170.92.126): 56 data bytes
    64 bytes from 10.170.92.126: icmp_seq=0 ttl=57 time=63.768 ms
    --- 10.170.92.126 ping statistics ---
    1 packets transmitted, 1 packets received, 0.0% packet loss
    round-trip min/avg/max/stddev = 63.768/63.768/63.768/0.000 ms

History
0.0.1 (2019-02-16)
* First release on PyPI.

0.1.5 (2019-02-17)
* Update README.rst.
* Update descriptions.
* Implement helper command (panw-utils).

0.1.6 (2019-02-17)
* Fix bug in saved settings update

0.1.11 (2019-02-17)
* Configure Travis CI

0.2.0 (2019-03-07)
* Added get-panw-config

0.3.0 (2019-04-07)
* Implement concurrency
* Redirect headers to sys.stderr to make grep friendly
* Add model, uptime and software version to output

0.4.0 (2019-04-12)
* Migrate from multi-processing to multi-threading

0.5.0 (2019-04-13)
* Added run-panw-cmd

0.6.0 (2020-09-14)
* Added status, MAC address, zone, virtual router and comment to get-panw-interfaces output
* Bumped requirements versions

0.7.0 (2020-09-14)
* Convert get-panw-interfaces operational state to link state

Hashes for panw_utils-0.7.10-py2.py3-none-any.whl
Algorithm | Hash digest
---|---
SHA256 | ad05e3e302110cc1dab759c201dab5e4f0dd7fc74b9fdba3352ed49ad4a1b421
MD5 | 986ae3189a9d1912e250b536e9ffb5f1
BLAKE2b-256 | a488024a59cba05a6cf3c7a15d319183d22598c9067d8afb2e6a768d068b6279