I posted this on Palo Alto’s support site a while ago, but here it is in the open.
I wrote a Perl script that I am using to display the ruleset from 4.1 through 6.x firewalls. It is as simple as I know how to make it, which probably isn’t that simple. I am not a developer, and if you look at my code it shows. I have seen several people ask for tag- and zone-based views, plus the ability to export to Excel, so this is an alternative method until PA supports that. You can look at the blurred screenshots to get an idea of what it does.
Some notes about installing it.
- As I said I am no developer, so you take all risks when installing
- I have not run this in many environments so it might not work in all cases; I can help troubleshoot if need be
- I have a few ideas for adding features, if there is interest I can look to add more such features
Known issues
- It requires you to leave your authkey in an unencrypted file on your server, which is not a good idea
- The menu is pretty weak, I don’t think it will work with IE, I tested with Chrome and Firefox
- Excel will warn you about format; if you ignore it, it should open up and you can re-save
- I don’t have the coloring down correct to show diff between Pan pushed configs and non-pushed, I do however bold the lines on regular
Install instructions
Prerequisite: Define a web and script root

You need a user/group that can run these scripts and whose files are readable by Apache. Apache reads the XML file (at least when using CGI); even if you are not using CGI, Apache still has to be able to read the images and CSS files you untarred.

Install CPAN modules:
    use REST::Client
    use XML::Simple
optional:
    use CGI <if you want dynamic pages>
    use Data::Dumper <for troubleshooting>

Step 1: Move the files into their respective web and script roots
e.g.
    cd /srv/www/htdocs/parules
    mv /tmp/parules /srv/www/htdocs/parules
    cd /scripts/pascripts/
    mv /tmp/pascripts /scripts/

Step 1a: If you did not untar or upload with the correct owner, you can change it as follows. Change owner:user for all files, using the user described in the prerequisite
e.g.
    chown -R scriptuser:apachegroup /srv/www/htdocs/parules
    chown -R scriptuser:apachegroup /scripts/pascripts

Step 2: Use your favorite editor to change the following to your respective environment variables:
    my $webroot = '/srv/www/htdocs/parules';
    my $scriptroot = '/scripts/pascripts';
in the following files:
    xmlformatter.pl
    runall.pl
    pa.pl
    checkxml.pl

Step 3: Make sure you have the modules. Run:
    sh checkmodule.sh
If anything responds, update that CPAN module, unless it is CGI and you are not using CGI.

Step 4 (optional): Update config.txt for any columns you don't want showing by default; simply change any 1 to a 0.

Step 5: Get keys by running the getkey.pl script
    ./getkey.pl <device> <username> <password>
e.g.
    ./getkey.pl test-fw01.example.com admin password

Step 6: With that information populate fw.txt, ensuring there are always 2 commas as depicted in the file. The first column is the name as it shows, the next is the device it will connect to (think IP) if different than the name in the first column.

Step 7: Run runall.pl
    ./runall.pl get
This goes through all the FWs listed in fw.txt and creates XML.

Step 8a: If you are running via CGI, go to your website at webroot/pa.pl
e.g.
    http://example.com/parules/pa.pl

Step 8b: If you are not using CGI, run:
    ./runall.pl push
then visit your website at webroot/index.htm
e.g.
    http://example.com/parules/index.htm
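
The known issue about the authkey sitting in an unencrypted file can at least be contained by checking where that file lives and who can read it. The check below is an added example, not part of the original scripts; it assumes fw.txt is kept in the script root and that its third comma-separated field holds the key returned by getkey.pl.

```shell
#!/usr/bin/env bash
# Added example: audit the key file populated in Step 6.
# Assumptions (not from the original scripts): fw.txt lives in the script
# root, and its third comma-separated field holds the API key.

# Prints one line per finding; the return status is the number of findings.
audit_fw_file() {
    local file="$1" webroot="$2"
    local findings=0 real_file real_web bad

    [ -f "$file" ] || { echo "missing: $file"; return 1; }

    # 1. Key material must not be readable or writable by "other".
    if [ -n "$(find "$file" -prune \( -perm -004 -o -perm -002 \))" ]; then
        echo "perms: $file is accessible to other users (try chmod 640)"
        findings=$((findings + 1))
    fi

    # 2. Anything under the web root can be served by Apache.
    real_file="$(cd "$(dirname "$file")" && pwd -P)/$(basename "$file")"
    real_web="$(cd "$webroot" 2>/dev/null && pwd -P)" || real_web=""
    if [ -n "$real_web" ]; then
        case "$real_file" in
            "$real_web"/*)
                echo "location: $file is inside the web root $webroot"
                findings=$((findings + 1)) ;;
        esac
    fi

    # 3. Step 6 requires exactly two commas (three fields) per entry.
    bad="$(awk -F, 'NF > 0 && NF != 3 { n++ } END { print n + 0 }' "$file")"
    if [ "$bad" -gt 0 ]; then
        echo "format: $bad line(s) in $file do not have exactly two commas"
        findings=$((findings + 1))
    fi

    return "$findings"
}
```

Run it as `audit_fw_file /scripts/pascripts/fw.txt /srv/www/htdocs/parules` after Step 6 and again after any change of ownership or permissions.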