Giter Site home page Giter Site logo

cpainchaud / pan-configurator Goto Github PK

View Code? Open in Web Editor NEW
220.0 106.0 40.0 14.61 MB

Framework and utilities to easily manage and edit Palo Alto Network PANOS devices

License: Other

PHP 93.67% Shell 0.17% HTML 0.19% JavaScript 5.97%
paloaltonetworks firewall panorama panos api panw pan

pan-configurator's Introduction

IMPORTANT NOTICE

Since my departure, my friend and fantastic programmer Sven Waschkut from Palo Alto Networks has been actively supporting and updating this project. PAN has now officially added a repository on their official Github account. So latest features and cool things can be found (Docker CLI!) here

Anything below here will remain for the purpose of archiving!

PAN-Configurator

PAN-Configurator is a PHP library aimed at making PANOS config changes easy (and XML free ;), maintainable and allowing complex scenarios like rule merging, unused object tracking, conversion of checkpoint exclusion groups, massive rule editing, AppID conversion โ€ฆ to name the ones I do on a regular basis and which are not offered by our GUI. It will work seamlessly on local config file or API.

Homepage : download latest sources on GitHub. Windows package with PHP binaries here: dev.zip

Requirements : PHP 5.5 with curl module

Usage: include the file lib/panconfigurator.php in your own script to load the necessary classes.

File tree:

  • /lib/ contains library files source code
  • /utils/ contains ready to run scripts, more information in utils/readme.txt
  • /doc/index.html has all classes documentations
  • /example-xxx.php are examples about using this library

With less than 20 lines of code, you should be able to solve most of your needs. Brief overview:

Loading a config from a file :

    $pan = new PANConf();
    $pan->load_from_file('myconfig.xml');

Prefer to load it from API candidate config ?

    $connector = panAPIConnector::findOrCreateConnectorFromHost('fw1.mycompany.com');
    $pan = new PANConf();
    $pan->API_load_from_candidate($connector);

Delete unused objects from a config :

    foreach($pan->addressStore->addressObjects() as $object )
      if( $object->countReferences() == 0 )
        $pan->addressStore->remove($object);

Want to know where an object is used ?

    $object = $pan->addressStore->find('H-WebServer4');
    foreach( $object->getReferences() as $ref )
       print $ref->toString()."\n";

Replace that object by another one :

    $object->replaceMeGlobally($anotherObject);

Want to add security profile group 'Block-Forward-Critical-High' in rules which have destination zone 'External' and source zone 'DMZ'?

    foreach( $vsys1->securityRules->rules() as $rule )
       if( $rule->from->has('DMZ') && $rule->to->has('External') )
           $rule->setSecurityProfileGroup('Block-Forward-Critical-High');

Do you hate scripting ? Utility script 'rules-edit.php' is a swiss knife to edit rules and takes advantage of PAN Configurator library from a single CLI query, ie :

Do you want to enable log at start for rule going to DMZ zone and that has only object group 'Webfarms' as a destination ?

rules-edit.php in=api://fw1.mycompany.com actions=logStart-Enable 'filter=(to has dmz) and (dst has.only Webfarms)'

You are not sure about your filter and want to see rules before making changes ? Use action 'display' :

rules-edit.php  in=api://fw1.mycompany.com actions=display 'filter=(to has dmz) and (dst has.only Webfarms)'

Change all rules using Application + Any service to application default ?

rules-edit.php in=api://fw1.mycompany.com actions=service-Set-AppDefault 'filter=!(app is.any) and (service is.any)'

Move post-SecurityRules with source zone 'dmz' or source object 'Admin-networks' to pre-Security rule ?

rules-edit.php  in=api://panorama.mycompany.com actions=invertPreAndPost 'filter=((from has dmz) or (source has Admin-networks) and (rule is.postrule))'

Want to know what actions are supported ?

rules-edit.php  listActions
rules-edit.php listFilters

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.