Skip to main content

No project description provided

Project description

pins

Find out which firewall security policy is being shadowed and write your own custom checks.

logo.png

What pins really is?

It is a CLI tool to run a analysis of provided firewall security policies against a predefined series of checks called Scenarios.

It started as a tool to detect shadowing firewall rules. It evolved into a small framework that allows to define different scenario very easily.

[!NOTE] As of today, pins only supports security policies from Palo Alto Firewall (and Panorama).

Installation

You can install using:

# pip
pip install pins

# poetry
poetry add pins

# pipx
pipx install pins

Quick Start

To use pins with Palo Alto firewalls, you'll first need to export security rules. The simplest way to export security rules is using curl. First, get API key:

# Linux
API_KEY=$(curl -k -s "https://<FIREWALL-IP>/api/?type=keygen&user=<USERNAME>&password=<PASSWORD>" | grep -o "<key>.*</key>" | sed -e 's/<key>//g' -e 's/<\/key>//g')

# Windows
$API_KEY = (Invoke-RestMethod -SkipCertificateCheck -Uri "https://<FIREWALL-IP>/api/?type=keygen&user=<USERNAME>&password=<PASSWORD>").response.result.key

Then export security rules:

# Linux
curl -k -o policies.xml "https://<FIREWALL-IP>/api/?type=config&action=show&key=$API_KEY&xpath=/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/rulebase/security"

# Windows
Invoke-RestMethod -SkipCertificateCheck -Uri "https://<FIREWALL-IP>/api/?type=config&action=show&key=$API_KEY&xpath=/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/rulebase/security" -OutFile policies.xml

[!IMPORTANT] You may need to update the xpath to match your specific environment.

Once you have your security policies file, from the same directory, run:

pins run shadowing policies.xml

Usage

Once installed, you can run it using pins command:

pins

To list available scenarios:

pins list

To run scenario on your own firewall rules:

pins run shadowing policies.json

To see how it works for yourself, run scenario on example data:

pins run example shadowing
$ pins run example shadowing
Executing Shadowing scenario
Shadowed rules detection complete
Analyzing results...
[rule-example2] Rule is shadowed by: ['rule-example1']

Scenarios

List of currently available scenarios.

Shadowing

Identifies policies that will never be triggered because they're completely hidden behind earlier rules in the processing order.

It checks if all these elements are covered by a preceding rule:

  • Same action (allow/deny)
  • Same or broader source and destination zones
  • Same or broader source and destination addresses
  • Same or broader applications
  • Same or broader services (ports)

When all conditions match, the later rule is flagged as shadowed.

Shadowing by Value

Advanced version of Shadowing. It analyze the actual IP addresses behind Address Objects and Address Groups.

It identifies shadowing at the precise IP subnet level by resolving Address's name to actual IP address.

Requirements

This scenario needs three input files:

  • Security rules file
  • Address groups file
  • Address objects file

Details

How does it work?

It's pretty straightforward.

flowchart TD
    SelectScenario[Select Scenario]
    SelectScenario --> LoadRules[Load Security Rules]
    LoadRules --> FilterRules[Filter Security Rules]
    FilterRules --> RunChecks[Run Checks for each Rule]
    RunChecks --> Analyze[Analyze Results]
    Analyze --> Report[Create Report]

What Scenarios is?

A scenario is a set of checks that evaluate firewall rules against specific issues or configurations. Each scenario is designed to identify particular problem, such as shadowing rules, rules without logging, or other security policy issues.

What Check is?

A check is simply a function. It takes security policy or policies as an argument, assess whether the policies fulfill a check or not.

Contribution & Development

If you'd like to contribute, follow these steps:

git clone https://github.com/Kanguros/pins
cd pins
poetry install --with=dev
pre-commit install --install-hooks
pre-commit run --all-files

Feel free to open issues or submit pull requests!

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

policy_inspector-0.1.1.tar.gz (17.6 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

policy_inspector-0.1.1-py3-none-any.whl (21.4 kB view details)

Uploaded Python 3

File details

Details for the file policy_inspector-0.1.1.tar.gz.

File metadata

  • Download URL: policy_inspector-0.1.1.tar.gz
  • Upload date:
  • Size: 17.6 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: poetry/2.1.2 CPython/3.12.3 Linux/6.8.0-1021-azure

File hashes

Hashes for policy_inspector-0.1.1.tar.gz
Algorithm Hash digest
SHA256 2583e729ce13e51472450b3fb95f1c32106aea2d2105ba215c65432e7aa738ec
MD5 a61475ef7da276a4ca00c51ab5f72beb
BLAKE2b-256 591862ede680b6e03892aaad13599642263937e57763f063d4ab681bc4113d91

See more details on using hashes here.

File details

Details for the file policy_inspector-0.1.1-py3-none-any.whl.

File metadata

  • Download URL: policy_inspector-0.1.1-py3-none-any.whl
  • Upload date:
  • Size: 21.4 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: poetry/2.1.2 CPython/3.12.3 Linux/6.8.0-1021-azure

File hashes

Hashes for policy_inspector-0.1.1-py3-none-any.whl
Algorithm Hash digest
SHA256 6260b4dadebe872304f8fe5568ffcd6cfe32450d74b9dc076b8001f47277322f
MD5 85971048c9f204f259f654715eb11b7b
BLAKE2b-256 901406d077376263155b7fb3ebc73a604d5ea45dbff6a8a4d9eed393a241ac93

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page