Palo Alto to HTML Script (2 of 30)

 

I posted this on Palo Alto’s support site a while ago, but here it is in the open.

I wrote a Perl script that I am using to display the ruleset from 4.1 through 6.x firewalls. It is as simple as I know how to make it, which probably isn’t that simple. I am not a developer, and if you look at my code it shows. I have seen several people ask for tag- and zone-based views, plus the ability to export to Excel, so this is an alternative method until PA supports that. You can look at the blurred screenshots to get an idea of what it does.

GitHub Repository

[Screenshot: tag view]

[Screenshot: zone view]

Some notes about installing it.

  • As I said, I am no developer, so you take all risks when installing
  • I have not run this in many environments, so it might not work in all cases; I can help troubleshoot if need be
  • I have a few ideas for adding features; if there is interest I can look to add more such features

Known issues

  • It requires you to leave your authkey in an unencrypted file on your server, which is not a good idea
  • The menu is pretty weak; I don’t think it will work with IE. I tested with Chrome and Firefox
  • Excel will warn you about the format; if you ignore the warning, the file should open and you can re-save it
  • I don’t have the coloring down correctly to show the difference between Pan pushed configs and non-pushed; I do, however, bold the lines on regular

Install instructions

Prerequisite:

Define a web root and a script root.

You need a user/group that can run these scripts and whose files are readable
by Apache. Apache reads the XML file (at least when using CGI), and even without CGI
Apache still has to be able to read the images and CSS files you untarred.

Install CPAN modules:
use REST::Client
use XML::Simple

optional:
use CGI <if you want dynamic pages>
use Data::Dumper <for troubleshooting>

Step 1:

Move the files into their respective web and script roots
e.g.

cd /srv/www/htdocs/parules
mv /tmp/parules /srv/www/htdocs/parules
cd /scripts/pascripts/
mv /tmp/pascripts /scripts/

Step 1a:

If you did not untar or upload with the correct owner, you can change it as such:
Change owner:group for all files, using that magic user that is described above
e.g.
chown -R scriptuser:apachegroup /srv/www/htdocs/parules
chown -R scriptuser:apachegroup /scripts/pascripts

Step 2: 

Use your favorite editor to change the following variables to match your environment:
my $webroot = '/srv/www/htdocs/parules';
my $scriptroot = '/scripts/pascripts';

in the following files:
xmlformatter.pl
runall.pl
pa.pl
checkxml.pl


Step 3:

Make sure you have the modules installed.
Run:
sh checkmodule.sh
If it prints anything, update that CPAN module, unless it is CGI
and you are not using CGI

Step 4:

optional:
Update config.txt for any columns you don't want shown by default;
simply change any 1 to a 0

Step 5: 

Get keys by running getkey.pl script

./getkey.pl <device> <username> <password>
e.g.
./getkey.pl test-fw01.example.com admin password

Step 6:

With that information, populate fw.txt, ensuring there are always
2 commas as depicted in the file. The first column is the name as it shows,
the next is the device it will connect to (think IP) if different than the
name in the first column

Step 7:
Run runall.pl
./runall.pl get
This goes through all the FWs listed in fw.txt and creates the XML

Step 8a:

If you are running via CGI, go to your website at webroot/pa.pl
e.g. http://example.com/parules/pa.pl

Step 8b: 

If you are not using CGI

run:
./runall.pl push
visit your website at webroot/index.htm
e.g. http://example.com/parules/index.htm
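
Since fw.txt ends up holding the keys from Step 5 in clear text (the first known issue above), the following is an added example, not part of the original scripts, that checks the file's permissions and the two-comma layout from Step 6 before runall.pl is run. The name check_fwtxt.sh, the location of fw.txt in the script root, and the key being the third column are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original scripts.
# Assumed fw.txt layout (Step 6): name,device,key
#   - device may be empty when it equals the name
#   - the key in column 3 is an assumption based on Step 5

# check_fwtxt FILE: print one line per problem; return 0 if clean, 1 otherwise.
check_fwtxt() {
    file=$1
    problems=0

    if [ ! -f "$file" ]; then
        echo "$file: not found"
        return 1
    fi

    # The file holds API keys in clear text: flag it if "other" can read it.
    if [ -n "$(find "$file" -perm -004)" ]; then
        echo "$file: readable by every local user, consider chmod 640"
        problems=1
    fi

    # Every non-blank line needs exactly two commas (three fields),
    # with a name in column 1 and a key in column 3.
    bad=$(awk -F, '
        /^[ \t]*$/ { next }
        NF != 3    { print "line " NR ": expected 2 commas, found " (NF - 1); next }
        $1 == ""   { print "line " NR ": empty name column" }
        $3 == ""   { print "line " NR ": empty key column" }
    ' "$file")
    if [ -n "$bad" ]; then
        echo "$bad"    # reports line numbers only, never the key itself
        problems=1
    fi

    return "$problems"
}

# Usage: sh check_fwtxt.sh /scripts/pascripts/fw.txt
if [ "$#" -gt 0 ]; then
    check_fwtxt "$1"
fi
```

With the scriptuser:apachegroup ownership from Step 1a, mode 640 keeps the file readable by the script user and the Apache group only.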

 
