In this tutorial we will implement a tool to export Security and NAT rulebases from a PAN-OS NGFW in CSV format, using the XML API (what else?). We will build the tool in Go.
To follow this tutorial, it is recommended that you are familiar with the concepts of Palo Alto Networks Next-Generation Firewalls, Security Policies and APIs.
Make sure you have a Palo Alto Networks Next-Generation Firewall deployed and that you have administrative access to its Management interface via HTTPS. To avoid potential disruptions, it's recommended to run all the tests on a non-production environment.
Let's start from basics, just some code to start a connection to PAN-OS API:
Change the connection values (hostname, username and password) in the highlighted lines to adapt the code to your environment. Save the code as panos-export.go and run:
The output should look like:
Let's remove those ugly, against-all-security-best-practices hard-coded credentials from the code and take them from the command line as arguments instead:
Note that we have added the -k flag to disable certificate verification. By default certificate verification is enabled in this code, so if your code was working before but the tool now fails with "cannot validate certificate", you may want to add -k to your command line. Keep in mind that -k turns off TLS validation completely, which exposes the admin credentials to a man-in-the-middle: use it on lab firewalls only, and on production devices trust the CA that signed the management certificate instead.
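As an added example (not the tutorial's own code, which uses the PAN Go client), here is the same connection step written against the raw XML API with only the Go standard library: it reads the firewall, username and password from flags, honours a -k flag by setting InsecureSkipVerify on the TLS config, and requests an API key with type=keygen. The flag names, the PANOS_PASSWORD environment variable and the keygen helper are this example's own choices; the keygen request and its response layout are the PAN-OS XML API's.

```go
package main

import (
	"crypto/tls"
	"encoding/xml"
	"flag"
	"fmt"
	"io"
	"net/http"
	"net/url"
	"os"
	"time"
)

// keygenResponse mirrors the XML returned by the PAN-OS XML API for type=keygen:
// <response status="success"><result><key>...</key></result></response>
// On failure the status is "error" and a <msg> is returned under <result>.
type keygenResponse struct {
	Status string `xml:"status,attr"`
	Key    string `xml:"result>key"`
	Msg    string `xml:"result>msg"`
}

// newHTTPClient builds the HTTPS client used for every API call.
// insecure=true is what the -k flag selects: it disables certificate validation,
// so it belongs in a lab only; on production firewalls trust the management CA.
func newHTTPClient(insecure bool) *http.Client {
	return &http.Client{
		Timeout: 30 * time.Second,
		Transport: &http.Transport{
			TLSClientConfig: &tls.Config{InsecureSkipVerify: insecure},
		},
	}
}

// parseKeygen extracts the API key from a keygen response body.
func parseKeygen(body []byte) (string, error) {
	var r keygenResponse
	if err := xml.Unmarshal(body, &r); err != nil {
		return "", fmt.Errorf("keygen: malformed response: %w", err)
	}
	if r.Status != "success" || r.Key == "" {
		return "", fmt.Errorf("keygen failed: status=%q msg=%q", r.Status, r.Msg)
	}
	return r.Key, nil
}

// keygen asks the firewall for an API key. Credentials go in the POST body
// rather than the query string so they do not end up in URL or proxy logs.
func keygen(c *http.Client, host, user, pass string) (string, error) {
	form := url.Values{"type": {"keygen"}, "user": {user}, "password": {pass}}
	resp, err := c.PostForm("https://"+host+"/api/", form)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		return "", err
	}
	return parseKeygen(body)
}

func main() {
	host := flag.String("host", "", "firewall management hostname or IP")
	user := flag.String("user", "", "administrator username")
	pass := flag.String("password", "", "administrator password (or set PANOS_PASSWORD)")
	insecure := flag.Bool("k", false, "skip TLS certificate verification (lab only)")
	flag.Parse()
	if *pass == "" {
		*pass = os.Getenv("PANOS_PASSWORD") // keeps the secret out of shell history
	}
	if *host == "" || *user == "" || *pass == "" {
		fmt.Fprintln(os.Stderr, "usage: panos-export -host FW -user USER [-password PASS] [-k]")
		os.Exit(2)
	}
	key, err := keygen(newHTTPClient(*insecure), *host, *user, *pass)
	if err != nil {
		fmt.Fprintln(os.Stderr, "error:", err)
		os.Exit(1)
	}
	fmt.Printf("connected to %s, obtained API key (%d characters)\n", *host, len(key))
}
```

The API key is never printed: once obtained it is the only credential the rest of the tool needs, and it should be treated with the same care as the password.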
Let's try on the shell:
Now that we are able to connect to the PAN-OS API we need to grab the security rulebase in order to export it. If we were using the XML API directly we could do this with the get action of the config API (type=config&action=get) and the right XPath. The result is an XML dump of the security rulebase.
Sample shell session:
PAN Go makes our life a lot easier by wrapping all of this in some handy abstractions. We can just use the client.Policies.Security namespace to get access to the candidate security rulebase:
On the shell:
With our code we are retrieving the candidate rulebase. It would be nice if the tool could also generate a warning when there are pending (uncommitted) changes, to notify the user that the running config may be out of sync with the candidate config we are exporting.
We can perform this check using the op command show config list changes and then look for pending changes that touch the security rulebase. An easy way to check the response schema of the command is the API browser built into PAN-OS, available at
We use the following op command to select only pending changes affecting policies and objects:
Together with PAN Go we can use the encoding/xml package from the Go standard library to unmarshal the response. The PAN Go code to run the command and check the result looks like this:
When changes are detected the output looks like:
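As an added example (not the tutorial's PAN Go code), here is the pending-changes check done with encoding/xml over the raw op response, filtering the journal down to changes that touch the rulebase or the objects it references. The <journal>/<entry> element names (xpath, admin, action, time), the xpath-fragment filter and the sample response are assumptions constructed for this example: confirm the element names against the API browser on your own firewall before relying on the filter.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"os"
	"strings"
)

// opListChanges is the XML form of "show config list changes", sent as the
// cmd parameter of a type=op request.
const opListChanges = "<show><config><list><changes></changes></list></config></show>"

// changeEntry is one uncommitted change in the candidate configuration.
// ASSUMPTION: the element names follow the <journal><entry> layout this
// example was written against; verify them in your firewall's API browser.
type changeEntry struct {
	XPath  string `xml:"xpath"`
	Admin  string `xml:"admin"`
	Action string `xml:"action"`
	Time   string `xml:"time"`
}

// listChangesResponse is the envelope of the op command response.
type listChangesResponse struct {
	Status  string        `xml:"status,attr"`
	Entries []changeEntry `xml:"result>journal>entry"`
}

// policyPaths are XPath fragments that mark a change as affecting the security
// rulebase or the objects it references. This is a heuristic: tighten it to
// your vsys path if, for example, /service matches management settings too.
var policyPaths = []string{"/rulebase/", "/address", "/service", "/tag/"}

// affectsPolicy reports whether a change xpath touches policies or objects.
func affectsPolicy(xpath string) bool {
	for _, p := range policyPaths {
		if strings.Contains(xpath, p) {
			return true
		}
	}
	return false
}

// pendingPolicyChanges parses the op response and returns only the changes
// that would make the running rulebase differ from the candidate we export.
func pendingPolicyChanges(body []byte) ([]changeEntry, error) {
	var r listChangesResponse
	if err := xml.Unmarshal(body, &r); err != nil {
		return nil, fmt.Errorf("list changes: malformed response: %w", err)
	}
	if r.Status != "success" {
		return nil, fmt.Errorf("list changes: API returned status %q", r.Status)
	}
	var out []changeEntry
	for _, e := range r.Entries {
		if affectsPolicy(e.XPath) {
			out = append(out, e)
		}
	}
	return out, nil
}

// sampleChanges is a constructed response: a rule edit, a hostname change and
// a new address object. Only the first and the third concern the export.
const sampleChanges = `<response status="success"><result><journal>
<entry><xpath>/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/rulebase/security/rules/entry[@name='allow-web']</xpath><admin>admin</admin><action>edit</action><time>2019/05/01 10:00:00</time></entry>
<entry><xpath>/config/devices/entry[@name='localhost.localdomain']/deviceconfig/system/hostname</xpath><admin>admin</admin><action>edit</action><time>2019/05/01 10:01:00</time></entry>
<entry><xpath>/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/address/entry[@name='web-srv']</xpath><admin>ops</admin><action>add</action><time>2019/05/01 10:02:00</time></entry>
</journal></result></response>`

func main() {
	changes, err := pendingPolicyChanges([]byte(sampleChanges))
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	if len(changes) == 0 {
		return
	}
	fmt.Fprintf(os.Stderr, "WARNING: %d uncommitted change(s) affect policies/objects; running config may differ from this export:\n", len(changes))
	for _, c := range changes {
		fmt.Fprintf(os.Stderr, "  %s %s by %s at %s\n", c.Action, c.XPath, c.Admin, c.Time)
	}
}
```

The warning goes to stderr so that the CSV on stdout stays clean when the tool is used in a pipeline; the opListChanges constant is what a real run would send in the cmd parameter in place of the constructed sample.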
Going back to our rulebase, we now have all the rules; we just need to convert them into CSV format. This is easily done with the encoding/csv package from the Go standard library. Final result:
On the shell:
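As an added example covering both the rulebase retrieval and the CSV conversion (this is not the tutorial's PAN Go code), here is the path from the raw config get response to CSV with encoding/xml and encoding/csv. The XPath constant, the exported columns, the ";" separator for multi-valued fields and the sample rulebase are this example's own choices and constructed data; the <entry>/<member> layout of a security rule is the one PAN-OS uses.

```go
package main

import (
	"bytes"
	"encoding/csv"
	"encoding/xml"
	"fmt"
	"io"
	"os"
	"strings"
)

// securityRulesXPath is the vsys1 security rulebase, sent as the xpath
// parameter of a type=config&action=get request.
const securityRulesXPath = "/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/rulebase/security/rules"

// securityRule maps the fields of a security rule <entry> that we export.
// Multi-valued fields are <member> lists in the XML.
type securityRule struct {
	Name        string   `xml:"name,attr"`
	From        []string `xml:"from>member"`
	To          []string `xml:"to>member"`
	Source      []string `xml:"source>member"`
	Destination []string `xml:"destination>member"`
	Application []string `xml:"application>member"`
	Service     []string `xml:"service>member"`
	Action      string   `xml:"action"`
	Disabled    string   `xml:"disabled"` // absent when the rule is enabled
	Description string   `xml:"description"`
}

// rulebaseResponse is the envelope returned by the config get call.
type rulebaseResponse struct {
	Status string         `xml:"status,attr"`
	Rules  []securityRule `xml:"result>rules>entry"`
}

// parseRulebase unmarshals the XML returned for securityRulesXPath.
func parseRulebase(body []byte) ([]securityRule, error) {
	var r rulebaseResponse
	if err := xml.Unmarshal(body, &r); err != nil {
		return nil, fmt.Errorf("rulebase: malformed response: %w", err)
	}
	if r.Status != "success" {
		return nil, fmt.Errorf("rulebase: API returned status %q", r.Status)
	}
	return r.Rules, nil
}

var csvHeader = []string{"name", "from", "to", "source", "destination", "application", "service", "action", "disabled", "description"}

// writeCSV emits one row per rule. Member lists are joined with ";" so a rule
// with several zones or applications fits in one cell, while the csv package
// takes care of quoting commas and quotes that appear in descriptions.
func writeCSV(w io.Writer, rules []securityRule) error {
	cw := csv.NewWriter(w)
	if err := cw.Write(csvHeader); err != nil {
		return err
	}
	for _, r := range rules {
		disabled := r.Disabled
		if disabled == "" {
			disabled = "no" // a missing <disabled> element means the rule is enabled
		}
		row := []string{
			r.Name,
			strings.Join(r.From, ";"), strings.Join(r.To, ";"),
			strings.Join(r.Source, ";"), strings.Join(r.Destination, ";"),
			strings.Join(r.Application, ";"), strings.Join(r.Service, ";"),
			r.Action, disabled, r.Description,
		}
		if err := cw.Write(row); err != nil {
			return err
		}
	}
	cw.Flush()
	return cw.Error()
}

// rulesToCSV returns the CSV as a string (handy for tests and for callers that
// want to post-process the output).
func rulesToCSV(rules []securityRule) (string, error) {
	var buf bytes.Buffer
	if err := writeCSV(&buf, rules); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// sampleRulebase is a constructed get response with two rules, so the example
// runs offline; a real run would fetch it from the firewall with securityRulesXPath.
const sampleRulebase = `<response status="success" code="19"><result total-count="1" count="1"><rules>
<entry name="allow-web"><from><member>trust</member></from><to><member>untrust</member></to>
<source><member>any</member></source><destination><member>any</member></destination>
<application><member>web-browsing</member><member>ssl</member></application>
<service><member>application-default</member></service><action>allow</action>
<description>Web access, monitored</description></entry>
<entry name="deny-all"><from><member>any</member></from><to><member>any</member></to>
<source><member>any</member></source><destination><member>any</member></destination>
<application><member>any</member></application><service><member>any</member></service>
<action>deny</action><disabled>yes</disabled></entry>
</rules></result></response>`

func main() {
	rules, err := parseRulebase([]byte(sampleRulebase))
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	if err := writeCSV(os.Stdout, rules); err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
}
```

Because ";" is the member separator, a consumer of the CSV can split a cell back into its members without ambiguity, which a comma-separated list inside a comma-separated file would not allow.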
One amazing thing about Go is its support for multiple platforms with the same code and toolchain. You can build the tool for several OS/architecture combinations on the same development machine without any special tools: just set the GOOS and GOARCH environment variables to what you need before running go build. Example, building for Linux, Mac OS X, Raspberry Pi and Windows: