Exporting Rulebases to CSV
Note: In this tutorial we will implement a tool to export Security and NAT Rulebases from a PAN-OS NGFW in CSV format, using the API (what else?). We will build the tool using Go.
Requirements
To follow this tutorial, it is recommended that you are familiar with the concepts of Palo Alto Networks Next-Generation Firewalls, Security Policies and APIs.
Make sure you have a Palo Alto Networks Next-Generation Firewall deployed and that you have administrative access to its Management interface via HTTPS. To avoid potential disruptions, it's recommended to run all the tests on a non-production environment.
We will use Go in this tutorial, but the same concepts can be reused in Python using PAN-OS-Python or pan-python.
Our tool: pan-export
Hello World! (pango version)
Let's start from the basics, with just enough code to open a connection to the PAN-OS API:
Change the values in the highlighted lines to adapt the code to your environment. Save the code in the panos-export.go file and run:
The output should look like:
Before moving forward
Let's remove those ugly, against-all-the-security-best-practices constants from the code and move them to the command line as arguments:
Note: We have added the -k flag to disable certificate verification. By default, certificate verification is enabled in this code. If your code was working before but the tool now fails with cannot validate certificate, you may want to add -k to your command line.
Let's try on the shell:
Get the candidate rulebase
Now that we have been able to connect to the PAN-OS API, we need to grab the security rulebase in order to export it. If we were using the XML API directly, we could do this with the get command of the config API, with the right XPath. The result is an XML dump of the security rulebase.
Sample shell session:
PAN Go makes our life a lot easier by wrapping all of this in some handy abstractions. We can just use the client.Policies.Security namespace to get access to the candidate Security Rulebase:
First we grab the list of policy names with client.Policies.Security.GetList, and then we iterate over it to retrieve the details of each single policy with client.Policies.Security.Get.
On the shell:
Checking for pending changes
With our code we are retrieving the candidate rulebase. It would be nice if the tool could also generate a warning when there are pending changes, to notify the user that the running config may be out of sync with the candidate config we are exporting.
We can perform this check using the op command show config list changes and then look for pending changes on the security rulebase. An easy way to check the response schema of the command is the API web UI available on PAN-OS at https://<firewall>/api:
Note: We use the following op command to select only pending changes affecting policies and objects: <show><config><list><changes><partial><device-and-network>excluded</device-and-network><shared-object>excluded</shared-object></partial></changes></list></config></show>
Result:
In PAN Go we can use the XML support built into Go's standard library (encoding/xml) to unmarshal the response. The PAN Go code to run the command and check the result looks like this:
When changes are detected the output looks like:
Dump to CSV
Going back to our rulebase, we now have all the rules; we just need to convert them into CSV format. This is easily done using the Go package csv. Final result:
On the shell:
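As an added example (not the tutorial's own code), here is how the CSV dump step can be written with Go's encoding/csv package: multi-valued rule attributes (zones, addresses, applications, services) are joined with ";" inside a single cell, and the writer quotes any cell that contains a comma, so a rule name like deny,all does not shift the columns. The SecurityRule type and its field names are assumptions of this example, not pango's types, and the sample rules are constructed.

```go
package main

import (
	"encoding/csv"
	"fmt"
	"strings"
)

// SecurityRule is this example's own view of a PAN-OS security rule (field names are assumptions, not pango's).
type SecurityRule struct {
	Name, Action                                        string
	From, To, Source, Destination, Application, Service []string
	Disabled                                            bool
}

var csvHeader = []string{"name", "from", "to", "source", "destination", "application", "service", "action", "disabled"}

// Multi-valued attributes are joined with ";" in one cell, so "," never has to mean both "member" and "column".
func joinList(v []string) string { return strings.Join(v, ";") }

// RulesToCSV renders the rulebase as CSV text, header first. encoding/csv quotes cells containing ',' or '"'.
func RulesToCSV(rules []SecurityRule) (string, error) {
	var sb strings.Builder
	w := csv.NewWriter(&sb)
	if err := w.Write(csvHeader); err != nil {
		return "", err
	}
	for _, r := range rules {
		row := []string{r.Name, joinList(r.From), joinList(r.To), joinList(r.Source), joinList(r.Destination),
			joinList(r.Application), joinList(r.Service), r.Action, fmt.Sprint(r.Disabled)}
		if err := w.Write(row); err != nil {
			return "", err
		}
	}
	w.Flush() // buffered write errors surface through w.Error()
	return sb.String(), w.Error()
}

// sampleRules is constructed data, not a dump from a real firewall. The second name contains a comma on purpose.
var sampleRules = []SecurityRule{
	{Name: "allow-web", From: []string{"trust"}, To: []string{"untrust"}, Source: []string{"any"}, Destination: []string{"any"},
		Application: []string{"web-browsing", "ssl"}, Service: []string{"application-default"}, Action: "allow"},
	{Name: "deny,all", From: []string{"any"}, To: []string{"any"}, Source: []string{"any"}, Destination: []string{"any"},
		Application: []string{"any"}, Service: []string{"any"}, Action: "deny", Disabled: true},
}

func main() {
	out, err := RulesToCSV(sampleRules)
	if err != nil {
		panic(err)
	}
	fmt.Print(out)
}
```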
Build it for multiple platforms
One amazing thing about Go is its support for multiple platforms with the same code and toolchain. You can build the tool for several platform/OS combinations on the same development environment without special tools. Just set the GOOS and GOARCH environment variables to what you need before running go build. For example, to build for Linux, Mac OS X, Raspberry Pi and Windows: