Skip to main content

No project description provided

Project description

pins

Find out which firewall security policy is being shadowed and write your own custom checks.

logo.png

What pins really is?

It is a CLI tool to run a analysis of provided firewall security policies against a predefined series of checks called Scenarios.

It started as a tool to detect shadowing firewall rules. It evolved into a small framework that allows to define different scenario very easily.

[!NOTE] As of today, pins only supports security policies from Palo Alto Firewall (and Panorama).

Installation

You can install using:

# pip
pip install pins

# poetry
poetry add pins

# pipx
pipx install pins

Quick Start

To use pins with Palo Alto firewalls, you'll first need to export security rules. The simplest way to export security rules is using curl. First, get API key:

# Linux
API_KEY=$(curl -k -s "https://<FIREWALL-IP>/api/?type=keygen&user=<USERNAME>&password=<PASSWORD>" | grep -o "<key>.*</key>" | sed -e 's/<key>//g' -e 's/<\/key>//g')

# Windows
$API_KEY = (Invoke-RestMethod -SkipCertificateCheck -Uri "https://<FIREWALL-IP>/api/?type=keygen&user=<USERNAME>&password=<PASSWORD>").response.result.key

Then export security rules:

# Linux
curl -k -o policies.xml "https://<FIREWALL-IP>/api/?type=config&action=show&key=$API_KEY&xpath=/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/rulebase/security"

# Windows
Invoke-RestMethod -SkipCertificateCheck -Uri "https://<FIREWALL-IP>/api/?type=config&action=show&key=$API_KEY&xpath=/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/rulebase/security" -OutFile policies.xml

[!IMPORTANT] You may need to update the xpath to match your specific environment.

Once you have your security policies file, from the same directory, run:

pins run shadowing policies.xml

Usage

Once installed, you can run it using pins command:

pins

To list available scenarios:

pins list

To run scenario on your own firewall rules:

pins run shadowing policies.json

To see how it works for yourself, run scenario on example data:

pins run example shadowing
$ pins run example shadowing
Executing Shadowing scenario
Shadowed rules detection complete
Analyzing results...
[rule-example2] Rule is shadowed by: ['rule-example1']

Scenarios

List of currently available scenarios.

Shadowing

Identifies policies that will never be triggered because they're completely hidden behind earlier rules in the processing order.

It checks if all these elements are covered by a preceding rule:

  • Same action (allow/deny)
  • Same or broader source and destination zones
  • Same or broader source and destination addresses
  • Same or broader applications
  • Same or broader services (ports)

When all conditions match, the later rule is flagged as shadowed.

Shadowing by Value

Advanced version of Shadowing. It analyze the actual IP addresses behind Address Objects and Address Groups.

It identifies shadowing at the precise IP subnet level by resolving Address's name to actual IP address.

Requirements

This scenario needs three input files:

  • Security rules file
  • Address groups file
  • Address objects file

Details

How does it work?

It's pretty straightforward.

flowchart TD
    SelectScenario[Select Scenario]
    SelectScenario --> LoadRules[Load Security Rules]
    LoadRules --> FilterRules[Filter Security Rules]
    FilterRules --> RunChecks[Run Checks for each Rule]
    RunChecks --> Analyze[Analyze Results]
    Analyze --> Report[Create Report]

What Scenarios is?

A scenario is a set of checks that evaluate firewall rules against specific issues or configurations. Each scenario is designed to identify particular problem, such as shadowing rules, rules without logging, or other security policy issues.

What Check is?

A check is simply a function. It takes security policy or policies as an argument, assess whether the policies fulfill a check or not.

Contribution & Development

If you'd like to contribute, follow these steps:

git clone https://github.com/Kanguros/pins
cd pins
poetry install --with=dev
pre-commit install --install-hooks
pre-commit run --all-files

Feel free to open issues or submit pull requests!

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

policy_inspector-0.1.0.tar.gz (17.4 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

policy_inspector-0.1.0-py3-none-any.whl (21.2 kB view details)

Uploaded Python 3

File details

Details for the file policy_inspector-0.1.0.tar.gz.

File metadata

  • Download URL: policy_inspector-0.1.0.tar.gz
  • Upload date:
  • Size: 17.4 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: poetry/2.1.2 CPython/3.12.3 Linux/6.8.0-1021-azure

File hashes

Hashes for policy_inspector-0.1.0.tar.gz
Algorithm Hash digest
SHA256 1e65f494017de3b43f842d632073925e80e8be78731ede86a31159505f9a07a0
MD5 b425ad89e61908218e0d7fd486b8e694
BLAKE2b-256 022e1ad6e9954e0a5cbc9f390df58615e0d308f6436aa2ed2cead31b5ee7972d

See more details on using hashes here.

File details

Details for the file policy_inspector-0.1.0-py3-none-any.whl.

File metadata

  • Download URL: policy_inspector-0.1.0-py3-none-any.whl
  • Upload date:
  • Size: 21.2 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: poetry/2.1.2 CPython/3.12.3 Linux/6.8.0-1021-azure

File hashes

Hashes for policy_inspector-0.1.0-py3-none-any.whl
Algorithm Hash digest
SHA256 a9abc355e78e94443fae2700025c97821e0e2bbd8124c5ce093ff0510adf151c
MD5 718a9c3aa9f2c043067578c16dad4b53
BLAKE2b-256 92df93f30529d6f04cfc03233b5c74a86f2ca59b8b101f0b2be1c963a09ca378

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page