def setUp(self): logging.basicConfig(level=10) # Get current test (in string with format): # tests.test_pandevice.TestPandevice.test_refresh_interfaces_mock test_method = self.id() if test_method.endswith("_mock"): # This is a test with a mock firewall mock.patch.object(firewall.pan.xapi, 'PanXapi', mock.MagicMock()) self.d = firewall.Firewall(hostname="fake-hostname", api_username="******", api_password="******", ) self.d._retrieve_api_key = mock.Mock(return_value="fakekey") # Trigger attempt to populate API key by accessing xapi self.xapi = self.d.xapi else: # This is a test against a real firewall and panorama self.p = panorama.Panorama(hostname=TESTRAMA_HOSTNAME, api_username=TESTRAMA_USERNAME, api_password=TESTRAMA_PASSWORD, ) self.d = firewall.Firewall(hostname=TESTFW_HOSTNAME, api_username=TESTFW_USERNAME, api_password=TESTFW_PASSWORD, )
def getDevicePhash(device, password, module): if 'hostname' not in device or 'username' not in device or 'password' not in device: module.fail_json(msg='Device credentials not specified!') dev = firewall.Firewall(device['hostname'], device['username'], device['password']) phash = dev.request_password_hash(password) return phash
def configureDataLakeWithPSK(device, password, psk, module): # request logging-service-forwarding certificate fetch-noproxy pre-shared-key <value> try: if 'hostname' not in device or 'username' not in device or 'password' not in device: module.fail_json(msg='Device credentials not specified!') ngfw = firewall.Firewall(device['hostname'], device['username'], device['password']) #print("Configuring Data Lake on NGFW") cmd='<request><logging-service-forwarding><certificate><fetch-noproxy><pre-shared-key>{}</pre-shared-key></fetch-noproxy></certificate></logging-service-forwarding></request>'.format(psk) response = ngfw.op(cmd=cmd, cmd_xml=False) result = response.find('./result').text if result: reg = r'^Successfully scheduled logging service certificate fetch job with a job id of ([0-9]*)$' m = re.search(reg, result) if m and m.group(1): job_id = m.group(1) if job_id: res = syncjob(ngfw, job_id=job_id) if not res: raise pan.xapi.PanXapiError('Not success') else: raise pan.xapi.PanXapiError('Job ID not found') else: raise pan.xapi.PanXapiError('Unexpected response: {}'.format(result)) else: raise pan.xapi.PanXapiError('No result in response') #print("Configured Data Lake on NGFW") except Exception as e: module.fail_json(msg='Fail on Data Lake PSK configuration: {}'.format(e)) return False return True
def pano_connect(): # Instantiate a Firewall with serial fw = firewall.Firewall(serial=fw_serial) # Instantiate a Panorama with hostname and credentials pano = panorama.Panorama(pano_addr, pano_user, pano_pass) # Add the Firewall as a child of Panorama pano.add(fw) return fw, pano
def getDeviceSerial(fw): if 'hostname' not in fw or 'username' not in fw or 'password' not in fw: raise RuntimeError('Device credentials not specified!') device = firewall.Firewall(fw['hostname'], fw['username'], fw['password']) devInfo = device.refresh_system_info() devSerial = devInfo.serial print('Device Serial = {}'.format(devSerial)) return devSerial
def getDeviceSerial(fw, module): if 'hostname' not in fw or 'username' not in fw or 'password' not in fw: module.fail_json(msg='Device credentials not specified!') device = firewall.Firewall(fw['hostname'], fw['username'], fw['password']) devInfo = device.refresh_system_info() devSerial = devInfo.serial #print('Device Serial = {}'.format(devSerial)) return devSerial
def test2(fqdn, user, passwd): try: fw = firewall.Firewall(fqdn["fqdn"], user, passwd) xml = fw.op('show system info', xml=True) print('Test2 is success on...', fqdn["app"]) return True except: print('Error in test2') return False
def ngfwCommit(fw, devicegroup, module): try: ngfw = firewall.Firewall(fw['hostname'], fw['username'], fw['password']) #print("Committing on NGFW") ngfw.commit(sync=True) #print("Committed on NGFW") except Exception as e: module.fail_json(msg='Fail on commit: {}'.format(e)) return True
def pan_firewall(hostname='', api_key=''): try: fw = pan_fw.Firewall(hostname=hostname, api_key=api_key) version, platform, serial = parse( "SystemInfo(version='{}', platform='{}', serial='{}')", str(fw.refresh_system_info())).fixed logger.debug('FW version={}:FW platform={}: FW serial={}'.format( version, platform, serial)) return fw except Exception as e: logger.error('Cannot connect to PAN:{}'.format(str(e))) return None
def get_fw_connection(): """ Make firewall connection Returns ------- fw : Firewall A PanDevice for firewall """ key = config.paloalto['key'] fw_ip = config.paloalto['firewall_ip'] fw = firewall.Firewall(hostname=fw_ip, api_key=key) return fw
def test_vsys_xpath_unchanged(): expected = "/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys3']" c = firewall.Firewall('127.0.0.1', 'admin', 'admin') c.vsys = 'vsys3' assert expected == c.xpath_vsys() c.vsys = None vsys = device.Vsys('vsys3') c.add(vsys) assert expected == vsys.xpath_vsys() zone = network.Zone('myzone') vsys.add(zone) assert expected == zone.xpath_vsys()
def lambda_handler(event, context): print("[Lambda handler]Received event: " + json.dumps(event, indent=2)) fw_ip = os.environ['FWIP'] username = os.environ['USERNAME'] password = os.environ['PASSWORD'] untrust_zone_name = os.environ['UNTRUST_ZONE'] trust_zone_name = os.environ['TRUST_ZONE'] security_rule_name = os.environ['SECURITY_RULE_NAME'] rule_action = os.environ.get('RULE_ACTION', 'deny') guard_duty_dag_name = os.environ.get("GD_DAG_NAME", "default_gd_dag_name") tag_for_gd_ips = os.environ.get("FW_DAG_TAG", "AWS:GD") print("Establish a connection with the firewall") fw = firewall.Firewall(fw_ip, username, password) group_name='pan_gd_dag' print("Process threat intelligence.") returned_ips = handle_gd_threat_intel(event, context) all_address_groups, _ = get_all_address_group(fw) print ("The following is a list of exists DAGS on the FW: {}".format(all_address_groups)) if guard_duty_dag_name not in all_address_groups: print("DAG with name {} does not exist on the Firewall".format(group_name)) print("Process / handle the creation of the DAG with Tag: {}".format(tag_for_gd_ips)) handle_dags(fw, guard_duty_dag_name, tag_for_gd_ips) else: print("DAG with name {} already exists on the Firewall.".format(guard_duty_dag_name)) print("Process / handle the creation of ip to tag registrations") if type(returned_ips) == list: for ip in returned_ips: print("Register IP {}".format(ip)) handle_dag_ip(fw, ip, tag_for_gd_ips) else: print("Register First IP {}".format(returned_ips)) handle_dag_ip(fw, returned_ips, tag_for_gd_ips) print("Process / handle the creation of security rules.") handle_security_rule(fw, security_rule_name, 'Rules based on Guard Duty', untrust_zone_name, trust_zone_name, [guard_duty_dag_name], rule_action) fw.commit(sync=True) print("All operations done...")
def jobOneStatus(fqdn, user, passwd): try: fw = firewall.Firewall(fqdn["fqdn"], api_username=user, api_password=passwd) xml = fw.op("<show><jobs><id>1</id></jobs></show>", cmd_xml=False, xml=True) parsedDoc = xmltodict.parse(xml) status = parsedDoc['response']['result']['job']['status'] if status == 'FIN': print("Success on...", fqdn["app"]) return True else: return False except: print("Failed....!!") return False
def deploy_interface(): fw_deploy = request.form.get('firewall') for i in Creds.objects: fwip = i.fwip.encode('utf-8') username = i.username.encode('utf-8') password = i.password.encode('utf-8') if fwip == None: error = 'ERR2222-No creds in the Creds DB. Log out and login again' return render_template('main/dberror.html') ints = [] # get info from firewall...must have active interfaces fw = firewall.Firewall(fwip, username, password) interfaces = network.EthernetInterface.refreshall(fw, add=False) for eth in interfaces: ints.append(eth) return render_template('main/interface_chooser.html', interfaces=ints, fwip=fwip)
def lambda_handler(event, context): print("[Lambda handler]Received event: " + json.dumps(event, indent=2)) fw_ip = os.environ['FWIP'] username = os.environ['USERNAME'] password = os.environ['PASSWORD'] print("Establish a connection with the firewall") fw = firewall.Firewall(fw_ip, username, password) group_name = 'pan_gd_dag' print("Process threat intelligence.") ipAddressV4 = handle_gd_threat_intel(event, context) print("Process / handle the creation of DAGs") handle_dags(fw, group_name, 'Recon:IAMUser') print("Process / handle the creation of ip to tag registrations") handle_dag_tags(fw, ipAddressV4, 'Recon:IAMUser') print("Process / handle the creation of security rules.") handle_security_rule(fw, 'aws_gd_source_rules', 'Rules based on Guard Duty', 'external', 'web', [group_name], 'deny') fw.commit(sync=True) print("All operations done...")
def mainx(): ''' capture login info ''' # Get the credentials from the user username = request.form.get('username') password = request.form.get('password') fwip = request.form.get('fwip') # Clear creds for storing Creds.objects().delete() creds = Creds(fwip=fwip, username=username, password=password) try: creds.save() except: error = 'ERR002-Failed to save creds to the database' return render_template('main/dberror.html') # First, let's create the firewall object that we want to modify. fw = firewall.Firewall(fwip, username, password) banner = 'You authenticated using %s credentials' % (fwip) return render_template('main/mainx.html', banner=banner)
def get_7K_info(device_dict, collection): """ Checks Palo firewall to see if model and family are in the 7K family, sets variables, and then gets 7K info Parameters ---------- device_dict : dict A dictionary of Panorama connected devices collection : Collection A MongoDB database collection """ logger.info('Starting') key = config.paloalto['key'] for device in device_dict: fw_dict = device_dict.get(device) model = fw_dict.get('model') ip_addr = fw_dict.get('ip-address') if model == 'PA-7080': smc_slot = '6' lpc_slot = '7' ps_total = 8 slot_total = 12 elif model == 'PA-7050': smc_slot = '4' lpc_slot = '8' ps_total = 4 slot_total = 8 fw = firewall.Firewall(hostname=ip_addr, api_key=key) get_7K_chassis_info(fw, collection, ip_addr, slot_total) get_7K_power_info(fw, collection, ip_addr, smc_slot, ps_total) get_7K_fan_info(fw, collection, ip_addr, smc_slot) get_7K_amc_info(fw, collection, ip_addr, lpc_slot)
def __init__(self, username, password, ip, ike_profile, ipsec_profile, ike_gw, ipsec_tunnel, tunnel_interface): """ @param ike_gws @type dict @param ipsec_tunnels @type list @param tunnel_interfaces @type dict """ self.username = username self.password = password self.ip = ip self.fw_dev_hndl = firewall.Firewall(self.ip, self.username, self.password) self.ike_profile = ike_profile self.ipsec_profile = ipsec_profile self.ipsec_tunnels = ipsec_tunnel self.ike_gws = ike_gw self.tunnel_interfaces = tunnel_interface
def local_lambda_handler(fw_ip, username, password,ipaddress_list): """ This function is intended primarily for testing purposes and to be invoked directly from the shell. :param fw_ip: :param username: :param context: :return: """ fw = firewall.Firewall(fw_ip, username, password) group_name = 'local_pan_gd_dag' print("Process threat intelligence.") ipAddressV4 = ipaddress print("Process / handle the creation of DAGs") all_address_groups, _ = get_all_address_group(fw) print all_address_groups if group_name not in all_address_groups: print("DAG with name {} does not exist on the Firewall".format(group_name)) handle_dags(fw, group_name, 'Recon:IAMUser') else: print("DAG with name {} already exists on the Firewall.".format(group_name)) print("Process / handle the creation of ip to tag registrations") for ip in ipaddress_list: print("Register IP {}".format(ip)) handle_dag_ip(fw, ip, 'Recon:IAMUser') print("Process / handle the creation of security rules.") handle_security_rule(fw, 'local_aws_gd_source_rules', 'Rules based on Guard Duty', untrust_zone_name, trust_zone_name, [group_name], 'deny') fw.commit(sync=True) print("All operations done...")
def _check(obj, vsys, with_pano, chk_import=False): if chk_import: func = 'xpath_import_base' else: func = 'xpath' fw = firewall.Firewall('127.0.0.1', 'admin', 'admin', serial='01234567890') fw.vsys = vsys fw.add(obj) if with_pano: pano = panorama.Panorama('127.0.0.1', 'admin2', 'admin2') pano.add(fw) expected = getattr(obj, func)() fw.remove(obj) fw.vsys = None vsys = device.Vsys(vsys or 'vsys1') fw.add(vsys) vsys.add(obj) result = getattr(obj, func)() assert expected == result
def init(): ''' Environment variables: PD_USERNAME PD_PASSWORD PD_PANORAMAS PD_FIREWALLS ''' global live_devices global one_fw_per_version global one_device_per_version global one_panorama_per_version global ha_pairs global panorama_fw_combinations # Get os.environ stuff to set the live_devices global. try: username = os.environ['PD_USERNAME'] password = os.environ['PD_PASSWORD'] panos = os.environ['PD_PANORAMAS'].split() fws = os.environ['PD_FIREWALLS'].split() except KeyError as e: print('NOT RUNNING LIVE TESTS - missing "{0}"'.format(e)) return # Add each panorama to the live_devices. for hostname in panos: c = panorama.Panorama(hostname, username, password) try: c.refresh_system_info() except Exception as e: raise ValueError('Failed to connect to panorama {0}: {1}'.format( hostname, e)) # There should only be one panorama per version. version = c._version_info if version in live_devices: raise ValueError('Two panoramas, same version: {0} and {1}'.format( live_devices[version]['pano'].hostname, hostname)) live_devices.setdefault(version, {'fws': [], 'pano': None}) live_devices[version]['pano'] = c # Add each firewall to the live_devices. for hostname in fws: c = firewall.Firewall(hostname, username, password) try: c.refresh_system_info() except Exception as e: raise ValueError('Failed to connect to firewall {0}: {1}'.format( hostname, e)) # Multiple firewalls are allowed per version, but only ever the first # two will be used. version = c._version_info live_devices.setdefault(version, {'fws': [], 'pano': None}) live_devices[version]['fws'].append(c) # Set: # one_fw_per_version # one_device_type_per_version # one_panorama_per_version for version in live_devices: pano = live_devices[version]['pano'] fws = live_devices[version]['fws'] if fws: fw = random.choice(fws) one_device_type_per_version.append((fw, desc(fw=version))) one_fw_per_version.append((fw, desc(fw=version))) if pano is not None: one_panorama_per_version.append((pano, desc(pano=version))) one_device_type_per_version.append((pano, desc(pano=version))) # Set: ha_pairs for version in live_devices: fws = live_devices[version]['fws'] if len(fws) >= 2: ha_pairs.append((fws[:2], version)) # Set panorama_fw_combinations for pano_version in live_devices: pano = live_devices[pano_version]['pano'] if pano is None: continue for fw_version in live_devices: fws = live_devices[fw_version]['fws'] if not fws or pano_version < fw_version: continue fw = random.choice(fws) panorama_fw_combinations.append(( (pano, fw), desc(pano_version, fw_version), ))
def init_fw_handle(self): """ Initialize a handle to the firewall """ self.fw_hndl = firewall.Firewall(self.fw_ip, self.u_name, self.paswd) print self.fw_hndl.refresh_system_info()
def main(username, password, rg_name, azure_region): """ Main function :param username: :param password: :param rg_name: Resource group name prefix :param azure_region: Region :return: """ username = username password = password WebInBootstrap_vars = {'RG_Name': rg_name, 'Azure_Region': azure_region} WebInDeploy_vars = { 'Admin_Username': username, 'Admin_Password': password, 'Azure_Region': azure_region } WebInFWConf_vars = {'Admin_Username': username, 'Admin_Password': password} # Set run_plan to TRUE is you wish to run terraform plan before apply run_plan = False kwargs = {"auto-approve": True} # return_code, outputs = apply_tf('./WebInBootstrap', WebInBootstrap_vars, 'WebInBootstrap') if return_code == 0: share_prefix = 'jenkins-demo' resource_group = outputs['Resource_Group']['value'] bootstrap_bucket = outputs['Bootstrap_Bucket']['value'] storage_account_access_key = outputs['Storage_Account_Access_Key'][ 'value'] update_status('web_in_bootstrap_status', 'success') else: logger.info("WebInBootstrap failed") update_status('web_in_bootstap_status', 'error') print(json.dumps(status_output)) exit(1) share_name = create_azure_fileshare(share_prefix, bootstrap_bucket, storage_account_access_key) WebInDeploy_vars.update( {'Storage_Account_Access_Key': storage_account_access_key}) WebInDeploy_vars.update({'Bootstrap_Storage_Account': bootstrap_bucket}) WebInDeploy_vars.update({'RG_Name': resource_group}) WebInDeploy_vars.update({'Attack_RG_Name': resource_group}) WebInDeploy_vars.update({'Storage_Account_Fileshare': share_name}) # # Build Infrastructure # # return_code, web_in_deploy_output = apply_tf('./WebInDeploy', WebInDeploy_vars, 'WebInDeploy') logger.debug( 'Got Return code for deploy WebInDeploy {}'.format(return_code)) update_status('web_in_deploy_output', web_in_deploy_output) if return_code == 0: update_status('web_in_deploy_status', 'success') albDns = web_in_deploy_output['ALB-DNS']['value'] fwMgt = web_in_deploy_output['MGT-IP-FW-1']['value'] nlbDns = web_in_deploy_output['NLB-DNS']['value'] fwMgtIP = web_in_deploy_output['MGT-IP-FW-1']['value'] logger.info("Got these values from output of WebInDeploy \n\n") logger.info("AppGateway address is {}".format(albDns)) logger.info("Internal loadbalancer address is {}".format(nlbDns)) logger.info("Firewall Mgt address is {}".format(fwMgt)) else: logger.info("WebInDeploy failed") update_status('web_in_deploy_status', 'error') print(json.dumps(status_output)) exit(1) # # Check firewall is up and running # # api_key = getApiKey(fwMgtIP, username, password) while True: err = getFirewallStatus(fwMgtIP, api_key) if err == 'cmd_error': logger.info("Command error from fw ") elif err == 'no': logger.info("FW is not up...yet") # print("FW is not up...yet") time.sleep(60) continue elif err == 'almost': logger.info("MGT up waiting for dataplane") time.sleep(20) continue elif err == 'yes': logger.info("FW is up") break logger.debug( 'Giving the FW another 10 seconds to fully come up to avoid race conditions' ) time.sleep(10) fw = firewall.Firewall(hostname=fwMgtIP, api_username=username, api_password=password) logger.info("Updating firewall with latest content pack") update_fw(fwMgtIP, api_key) # # Configure Firewall # WebInFWConf_vars.update({'FW_Mgmt_IP': fwMgtIP}) logger.info("Applying addtional config to firewall") return_code, web_in_fw_conf_out = apply_tf('./WebInFWConf', WebInFWConf_vars, 'WebInFWConf') if return_code == 0: update_status('web_in_fw_conf', 'success') logger.info("WebInFWConf failed") else: logger.info("WebInFWConf failed") update_status('web_in_deploy_status', 'error') print(json.dumps(status_output)) exit(1) logger.info("Commit changes to firewall") fw.commit() logger.info("waiting for commit") time.sleep(60) logger.info("waiting for commit") # # Check Jenkins # logger.info('Checking if Jenkins Server is ready') res = getServerStatus(albDns) if res == 'server_up': logger.info('Jenkins Server is ready') logger.info('\n\n ### Deployment Complete ###') logger.info( '\n\n Connect to Jenkins Server at http://{}'.format(albDns)) else: logger.info('Jenkins Server is down') logger.info('\n\n ### Deployment Complete ###') # dump out status to stdout print(json.dumps(status_output))
def fw_connect(): return firewall.Firewall(pano_addr, pano_user, pano_pass)
def main(username, password, aws_access_key, aws_secret_key, aws_region, ec2_key_pair): username = username password = password aws_access_key = aws_access_key aws_secret_key = aws_secret_key aws_region = aws_region ec2_key_pair = ec2_key_pair albDns = '' nlbDns = '' fwMgtIP = '' WebInDeploy_vars = { 'aws_access_key': aws_access_key, 'aws_secret_key': aws_secret_key, 'aws_region': aws_region, 'ServerKeyName': ec2_key_pair, # 'bootstrap_s3bucket': bootstrap_bucket } waf_conf_vars = { 'aws_access_key': aws_access_key, 'aws_secret_key': aws_secret_key, 'aws_region': aws_region, 'ServerKeyName': ec2_key_pair, 'alb_arn': albDns, 'nlb-dns': nlbDns } WebInFWConf_vars = { 'aws_access_key': aws_access_key, 'aws_secret_key': aws_secret_key, 'aws_region': aws_region, 'ServerKeyName': ec2_key_pair, 'mgt-ipaddress-fw1': fwMgtIP, 'nlb-dns': nlbDns, 'username': username, 'password': password } # # Set run_plan to TRUE is you wish to run terraform plan before apply run_plan = False kwargs = {"auto-approve": True} # return_code, web_in_deploy_output = apply_tf('./WebInDeploy', WebInDeploy_vars, 'WebInDeploy') logger.debug( 'Got Return code for deploy WebInDeploy {}'.format(return_code)) # update_status('web_in_deploy_stdout', stdout) update_status('web_in_deploy_output', web_in_deploy_output) if return_code == 0: update_status('web_in_deploy_status', 'success') albDns = web_in_deploy_output['ALB-DNS']['value'] fwMgtIP = web_in_deploy_output['MGT-IP-FW-1']['value'] nlbDns = web_in_deploy_output['NLB-DNS']['value'] fwMgtIP = web_in_deploy_output['MGT-IP-FW-1']['value'] logger.info("Got these values from output of WebInDeploy \n\n") logger.info("AppGateway address is {}".format(albDns)) logger.info("Internal loadbalancer address is {}".format(nlbDns)) logger.info("Firewall Mgt address is {}".format(fwMgtIP)) else: logger.info("WebInDeploy failed") update_status('web_in_deploy_status', 'error') print(json.dumps(status_output)) exit(1) WebInFWConf_vars['mgt-ipaddress-fw1'] = fwMgtIP WebInFWConf_vars['nlb-dns'] = nlbDns WebInDeploy_vars['alb_dns'] = albDns WebInDeploy_vars['nlb-dns'] = nlbDns # # Apply WAF Rules # return_code, waf_conf_out = apply_tf('./waf_conf', waf_conf_vars, 'Waf_conf') logger.debug('Got Return code for deploy waf_conf {}'.format(return_code)) update_status('waf_conf_output', waf_conf_out) # update_status('waf_conf_stdout', stdout) # update_status('waf_conf_stderr', stderr logger.debug('Got Return code to deploy waf_conf {}'.format(return_code)) if return_code == 0: update_status('waf_conf_status', 'success') else: logger.info("waf_conf failed") update_status('waf_conf_status', 'error') print(json.dumps(status_output)) exit(1) # # Check firewall is up and running # # api_key = getApiKey(fwMgtIP, username, password) #FIXME Add timeout after 3 minutes while True: err = getFirewallStatus(fwMgtIP, api_key) if err == 'cmd_error': logger.info("Command error from fw ") elif err == 'no': logger.info("FW is not up...yet") # print("FW is not up...yet") time.sleep(60) continue elif err == 'almost': logger.info("MGT up waiting for dataplane") time.sleep(20) continue elif err == 'yes': logger.info("FW is up") break logger.debug( 'Giving the FW another 10 seconds to fully come up to avoid race conditions' ) time.sleep(10) fw = firewall.Firewall(hostname=fwMgtIP, api_username=username, api_password=password) logger.info("Updating firewall with latest content pack") update_fw(fwMgtIP, api_key) # # Configure Firewall # return_code, web_in_fw_conf_out = apply_tf('./WebInFWConf', WebInFWConf_vars, 'WebInFWConf') if return_code == 0: update_status('web_in_fw_conf', 'success') logger.info("WebInFWConf success") else: logger.info("WebInFWConf failed") update_status('web_in_deploy_status', 'error') print(json.dumps(status_output)) exit(1) logger.info("Commit changes to firewall") fw.commit() time.sleep(60) logger.info("waiting for commit") # # Check Jenkins # logger.info('Checking if Jenkins Server is ready') res = getServerStatus(albDns) if res == 'server_up': logger.info('Jenkins Server is ready') logger.info('\n\n ### Deployment Complete ###') logger.info( '\n\n Connect to Jenkins Server at http://{}'.format(albDns)) else: logger.info('Jenkins Server is down') logger.info('\n\n ### Deployment Complete ###')
def main(username, password, aws_access_key, aws_secret_key, aws_region, ec2_key_pair, bootstrap_bucket): username = username password = password aws_access_key = aws_access_key aws_secret_key = aws_secret_key aws_region = aws_region ec2_key_pair = ec2_key_pair albDns = '' nlbDns = '' fwMgt = '' default_vars = { 'aws_access_key': aws_access_key, 'aws_secret_key': aws_secret_key, 'aws_region': aws_region } WebInDeploy_vars = { 'aws_access_key': aws_access_key, 'aws_secret_key': aws_secret_key, 'aws_region': aws_region, 'ServerKeyName': ec2_key_pair, 'bootstrap_s3bucket': bootstrap_bucket } waf_conf_vars = { 'aws_access_key': aws_access_key, 'aws_secret_key': aws_secret_key, 'aws_region': aws_region, 'ServerKeyName': ec2_key_pair, 'alb_arn': albDns, 'nlb-dns': nlbDns } WebInFWConf_vars = { 'aws_access_key': aws_access_key, 'aws_secret_key': aws_secret_key, 'aws_region': aws_region, 'ServerKeyName': ec2_key_pair, 'mgt-ipaddress-fw1': fwMgt, 'nlb-dns': nlbDns, 'username': username, 'password': password } # Set run_plan to TRUE is you wish to run terraform plan before apply run_plan = False kwargs = {"auto-approve": True} # Class Terraform uses subprocess and setting capture_output to True will capture output capture_output = kwargs.pop('capture_output', False) if capture_output is True: stderr = subprocess.PIPE stdout = subprocess.PIPE else: # if capture output is False, then everything will essentially go to stdout and stderrf stderr = sys.stderr stdout = sys.stdout start_time = time.asctime() print(f'Starting Deployment at {start_time}\n') # Build Infrastructure tf = Terraform(working_dir='./WebInDeploy') tf.cmd('init') if run_plan: # print('Calling tf.plan') tf.plan(capture_output=False, var=WebInDeploy_vars) return_code1, stdout, stderr = tf.apply(var=WebInDeploy_vars, capture_output=capture_output, skip_plan=True, **kwargs) web_in_deploy_output = tf.output() logger.debug( 'Got Return code for deploy WebInDeploy {}'.format(return_code1)) # update_status('web_in_deploy_stdout', stdout) update_status('web_in_deploy_output', web_in_deploy_output) if return_code1 != 0: logger.info("WebInDeploy failed") update_status('web_in_deploy_status', 'error') update_status('web_in_deploy_stderr', stderr) print(json.dumps(status_output)) exit(1) else: update_status('web_in_deploy_status', 'success') albDns = tf.output('ALB-DNS') fwMgt = tf.output('MGT-IP-FW-1') nlbDns = tf.output('NLB-DNS') fwMgtIP = fwMgt WebInFWConf_vars['mgt-ipaddress-fw1'] = fwMgt WebInFWConf_vars['nlb-dns'] = nlbDns WebInDeploy_vars['alb_dns'] = albDns WebInDeploy_vars['nlb-dns'] = nlbDns # # Apply WAF Rules # tf = Terraform(working_dir='./waf_conf') tf.cmd('init') kwargs = {"auto-approve": True} logger.info("Applying WAF config to App LB") if run_plan: tf.plan(capture_output=capture_output, var=vars, **kwargs) return_code3, stdout, stderr = tf.apply(capture_output=capture_output, skip_plan=True, var=waf_conf_vars, **kwargs) waf_conf_out = tf.output() update_status('waf_conf_output', waf_conf_out) # update_status('waf_conf_stdout', stdout) # update_status('waf_conf_stderr', stderr) logger.debug('Got Return code to deploy waf_conf {}'.format(return_code3)) if return_code3 != 0: logger.info("waf_conf failed") update_status('waf_conf_status', 'error') update_status('waf_conf_stderr', stderr) print(json.dumps(status_output)) exit(1) else: update_status('waf_conf_status', 'success') logger.info("Got these values from output of first run\n\n") logger.info("ALB address is {}".format(albDns)) logger.info("nlb address is {}".format(nlbDns)) logger.info("Firewall Mgt address is {}".format(fwMgt)) # # Check firewall is up and running # # api_key = getApiKey(fwMgtIP, username, password) while True: err = getFirewallStatus(fwMgtIP, api_key) if err == 'cmd_error': logger.info("Command error from fw ") elif err == 'no': logger.info("FW is not up...yet") # print("FW is not up...yet") time.sleep(60) continue elif err == 'almost': logger.info("MGT up waiting for dataplane") time.sleep(20) continue elif err == 'yes': logger.info("FW is up") break logger.debug( 'Giving the FW another 10 seconds to fully come up to avoid race conditions' ) time.sleep(10) fw = firewall.Firewall(hostname=fwMgtIP, api_username=username, api_password=password) logger.info("Updating firewall with latest content pack") update_fw(fwMgtIP, api_key) updateHandle = updater.ContentUpdater(fw) # updateHandle.download(fw) # logger.info("Waiting 3 minutes for content update to download") # time.sleep(210) # updateHandle.install() # # Configure Firewall # tf = Terraform(working_dir='./WebInFWConf') tf.cmd('init') kwargs = {"auto-approve": True} logger.info("Applying addtional config to firewall") WebInFWConf_vars['mgt-ipaddress-fw1'] = fwMgt if run_plan: tf.plan(capture_output=capture_output, var=WebInFWConf_vars) # update initial vars with generated fwMgt ip return_code2, stdout, stderr = tf.apply(capture_output=capture_output, skip_plan=True, var=WebInFWConf_vars, **kwargs) web_in_fw_conf_out = tf.output() update_status('web_in_fw_conf_output', web_in_fw_conf_out) # update_status('web_in_fw_conf_stdout', stdout) logger.debug( 'Got Return code for deploy WebInFwConf {}'.format(return_code2)) if return_code2 != 0: logger.error("WebFWConfy failed") update_status('web_in_fw_conf_status', 'error') update_status('web_in_fw_conf_stderr', stderr) print(json.dumps(status_output)) exit(1) else: update_status('web_in_fw_conf_status', 'success') logger.info("Commit changes to firewall") fw.commit() logger.info("waiting for commit") time.sleep(60) logger.info("waiting for commit") # # Check Jenkins # logger.info('Checking if Jenkins Server is ready') # FIXME - add outputs for all 3 dirs res = getServerStatus(albDns) if res == 'server_up': logger.info('Jenkins Server is ready') logger.info('\n\n ### Deployment Complete ###') logger.info( '\n\n Connect to Jenkins Server at http://{}'.format(albDns)) else: logger.info('Jenkins Server is down') logger.info('\n\n ### Deployment Complete ###') # dump out status to stdout print(json.dumps(status_output))
def main(fwUsername, fwPasswd): albDns = '' nlbDns = '' fwMgt = '' # Set run_plan to TRUE is you wish to run terraform plan before apply run_plan = False deployment_status = {} kwargs = {"auto-approve": True} # Class Terraform uses subprocess and setting capture_output to True will capture output # capture_output = kwargs.pop('capture_output', True) # # if capture_output is True: # stderr = subprocess.PIPE # stdout = subprocess.PIPE # else: # stderr = sys.stderr # stdout = sys.stdout # # Build Infrastructure # tf = Terraform(working_dir='./WebInDeploy') tf.cmd('init') if run_plan: print('Calling tf.plan') tf.plan(capture_output=False) return_code1, stdout, stderr = tf.apply(capture_output=False, skip_plan=True, **kwargs) #return_code1 =0 print('Got return code {}'.format(return_code1)) if return_code1 != 0: logger.info("WebInDeploy failed") deployment_status = {'WebInDeploy': 'Fail'} write_status_file(deployment_status) exit() else: deployment_status = {'WebInDeploy': 'Success'} write_status_file(deployment_status) albDns = tf.output('ALB-DNS') fwMgt = tf.output('MGT-IP-FW-1') nlbDns = tf.output('NLB-DNS') # fwUsername = "******" # fwPasswd = "PaloAlt0!123!!" fw_trust_ip = fwMgt # # Apply WAF Rules # tf = Terraform(working_dir='./waf_conf') tf.cmd('init') kwargs = {"auto-approve": True} logger.info("Applying WAF config to App LB") if run_plan: tf.plan(capture_output=False, var={'alb_arn': nlbDns}, **kwargs) return_code3, stdout, stderr = tf.apply(capture_output=False, skip_plan=True, var={ 'alb_arn': nlbDns, 'int-nlb-fqdn': nlbDns }, **kwargs) if return_code3 != 0: logger.info("waf_conf failed") deployment_status.update({'waf_conf': 'Fail'}) write_status_file(deployment_status) exit() else: deployment_status.update({'waf_conf': 'Success'}) write_status_file(deployment_status) logger.info("Got these values from output of first run\n\n") logger.info("ALB address is {}".format(albDns)) logger.info("nlb address is {}".format(nlbDns)) logger.info("Firewall Mgt address is {}".format(fwMgt)) # # Check firewall is up and running # class FWNotUpException(Exception): pass err = 'no' api_key = '' api_key = getApiKey(fw_trust_ip, fwUsername, fwPasswd) while True: err = getFirewallStatus(fw_trust_ip, api_key) if err == 'cmd_error': logger.info("Command error from fw ") #raise FWNotUpException('FW is not up! Request Timeout') elif err == 'no': logger.info("FW is not up...yet") print("FW is not up...yet") time.sleep(60) continue #raise FWNotUpException('FW is not up!') elif err == 'almost': logger.info("MGT up waiting for dataplane") time.sleep(20) continue elif err == 'yes': logger.info("[INFO]: FW is up") break fw = firewall.Firewall(hostname=fw_trust_ip, api_username=fwUsername, api_password=fwPasswd) logger.info("Updating firewall with latest content pack") updateHandle = updater.ContentUpdater(fw) updateHandle.download() logger.info("Waiting 3 minutes for content update to download") time.sleep(210) updateHandle.install() # # Configure Firewall # tf = Terraform(working_dir='./WebInFWConf') tf.cmd('init') kwargs = {"auto-approve": True} logger.info("Applying addtional config to firewall") if run_plan: tf.plan(capture_output=False, var={ 'mgt-ipaddress-fw1': fwMgt, 'int-nlb-fqdn': nlbDns }) return_code2, stdout, stderr = tf.apply(capture_output=False, skip_plan=True, var={ 'mgt-ipaddress-fw1': fwMgt, 'nlb-dns': nlbDns, 'aws_access_key': aws_access_key, 'aws_secret_key': aws_secret_key }, **kwargs) #return_code2 = 0 if return_code2 != 0: logger.info("WebFWConfy failed") deployment_status.update({'WebFWConfy': 'Fail'}) write_status_file(deployment_status) exit() else: deployment_status.update({'WebFWConf': 'Success'}) write_status_file(deployment_status) logger.info("Commit changes to firewall") fw.commit() logger.info('Checking if Jenkins Server is ready') # tf = Terraform(working_dir='./WebInDeploy') # albDns = tf.output('ALB-DNS') count = 0 max_tries = 3 while True: if count < max_tries: res = getServerStatus(albDns) if res == 'server_down': count = count + 1 time.sleep(2) continue elif res == 'server_up': break else: break logger.info('Jenkins Server is ready') logger.info('\n\n ### Deployment Complete ###') logger.info('\n\n Connect to Jenkins Server at http://{}'.format(albDns))
for state in range(0,7): if (zones[state][3]) == "present": vlans.append(zones[state][1]) zones_names.append(zones[state][0]) routing_instance.append(zones[state][2]) addresses.append(zones[state][4]) # Before we begin, you'll need to use the pandevice documentation both # for this example and for any scripts you may write for yourself. The # docs can be found here: # # http://pandevice.readthedocs.io/en/latest/reference.html # # First, let's create the firewall object that we want to modify. fw = firewall.Firewall(HOSTNAME, USERNAME, PASSWORD) print('Firewall system info: {0}'.format(fw.refresh_system_info())) # Sanity Check #1: the intent here is that the interface we # specified above should not already be in use. If the interface is # already in use, then just quit out. #Creates Untrust Interface untrust_int = network.EthernetInterface("ethernet1/1", \ mode = "layer3", \ ip = untrust_cidr)
def main(username, password, GCP_region, Billing_Account): """ Main function :param username: :param password: :param rg_name: Resource group name prefix :param azure_region: Region :return: """ username = username password = password # TODO maybe use a zone lookup but for now use region-B GCP_Zone = GCP_region + '-b' WebInDeploy_vars = { 'GCP_Zone': GCP_Zone, 'GCP_Region': GCP_region, 'Billing_Account': Billing_Account, 'Admin_Username': username, 'Admin_Password': password } WebInFWConf_vars = {'Admin_Username': username, 'Admin_Password': password} # Set run_plan to TRUE is you wish to run terraform plan before apply run_plan = False kwargs = {"auto-approve": True} # # Build Infrastructure # # return_code, web_in_deploy_output = apply_tf('./WebInDeploy', WebInDeploy_vars, 'WebInDeploy') logger.debug( 'Got Return code for deploy WebInDeploy {}'.format(return_code)) update_status('web_in_deploy_output', web_in_deploy_output) if return_code == 0: update_status('web_in_deploy_status', 'success') albDns = web_in_deploy_output['ALB-DNS']['value'] nlbDns = web_in_deploy_output['NATIVE-DNS']['value'] fwMgtIP = web_in_deploy_output['FW_Mgmt_IP']['value'] logger.info("Got these values from output of WebInDeploy \n\n") logger.info("AppGateway address is {}".format(albDns)) logger.info("Firewall Mgt address is {}".format(fwMgtIP)) else: logger.info("WebInDeploy failed") update_status('web_in_deploy_status', 'error') print(json.dumps(status_output)) exit(1) # # Check firewall is up and running # # api_key = getApiKey(fwMgtIP, username, password) while True: err = getFirewallStatus(fwMgtIP, api_key) if err == 'cmd_error': logger.info("Command error from fw ") elif err == 'no': logger.info("FW is not up...yet") # print("FW is not up...yet") time.sleep(60) continue elif err == 'almost': logger.info("MGT up waiting for dataplane") time.sleep(20) continue elif err == 'yes': logger.info("FW is up") break logger.debug( 'Giving the FW another 10 seconds to fully come up to avoid race conditions' ) time.sleep(10) fw = firewall.Firewall(hostname=fwMgtIP, api_username=username, api_password=password) logger.info("Updating firewall with latest content pack") update_fw(fwMgtIP, api_key) # # Configure Firewall # WebInFWConf_vars.update({'FW_Mgmt_IP': fwMgtIP}) logger.info("Applying addtional config to firewall") return_code, web_in_fw_conf_out = apply_tf('./WebInFWConf', WebInFWConf_vars, 'WebInFWConf') logger.debug('Got return code {}'.format(return_code)) if return_code == 0: update_status('web_in_fw_conf', 'success') logger.info("WebInFWConf succeeded") else: logger.info("WebInFWConf failed") update_status('web_in_deploy_status', 'error') print(json.dumps(status_output)) exit(1) logger.info("Commit changes to firewall") fw.commit() logger.info("waiting for commit") time.sleep(60) logger.info("waiting for commit") # # Check Jenkins # logger.info('Checking if Jenkins Server is ready') res = getServerStatus(albDns) if res == 'server_up': logger.info('Jenkins Server is ready') logger.info('\n\n ### Deployment Complete ###') logger.info( '\n\n Connect to Jenkins Server at http://{}'.format(albDns)) else: logger.info('Jenkins Server is down') logger.info('\n\n ### Deployment Complete ###') # dump out status to stdout print(json.dumps(status_output))
def main(username, password, rg_name, azure_region): username = username password = password WebInBootstrap_vars = {'RG_Name': rg_name, 'Azure_Region': azure_region} WebInDeploy_vars = { 'Admin_Username': username, 'Admin_Password': password, 'Azure_Region': azure_region } WebInFWConf_vars = {'Admin_Username': username, 'Admin_Password': password} # Set run_plan to TRUE is you wish to run terraform plan before apply run_plan = False kwargs = {"auto-approve": True} # Class Terraform uses subprocess and setting capture_output to True will capture output capture_output = kwargs.pop('capture_output', False) if capture_output is True: stderr = subprocess.PIPE stdout = subprocess.PIPE else: # if capture output is False, then everything will essentially go to stdout and stderrf stderr = sys.stderr stdout = sys.stdout start_time = time.asctime() print(f'Starting Deployment at {start_time}\n') # Create Bootstrap tf = Terraform(working_dir='./WebInBootstrap') tf.cmd('init') if run_plan: # print('Calling tf.plan') tf.plan(capture_output=False) return_code1, stdout, stderr = tf.apply(vars=WebInBootstrap_vars, capture_output=capture_output, skip_plan=True, **kwargs) resource_group = tf.output('Resource_Group') bootstrap_bucket = tf.output('Bootstrap_Bucket') storage_account_access_key = tf.output('Storage_Account_Access_Key') web_in_bootstrap_output = tf.output() logger.debug( 'Got Return code for deploy WebInDeploy {}'.format(return_code1)) update_status('web_in_deploy_stdout', stdout) update_status('web_in_bootstrap_output', web_in_bootstrap_output) if return_code1 != 0: logger.info("WebInBootstrap failed") update_status('web_in_bootstap_status', 'error') update_status('web_in_bootstrap_stderr', stderr) print(json.dumps(status_output)) exit(1) else: update_status('web_in_bootstrap_status', 'success') share_prefix = 'jenkins-demo' share_name = create_azure_fileshare(share_prefix, bootstrap_bucket, storage_account_access_key) WebInDeploy_vars.update( {'Storage_Account_Access_Key': storage_account_access_key}) WebInDeploy_vars.update({'Bootstrap_Storage_Account': bootstrap_bucket}) WebInDeploy_vars.update({'RG_Name': resource_group}) WebInDeploy_vars.update({'Attack_RG_Name': resource_group}) WebInDeploy_vars.update({'Storage_Account_Fileshare': share_name}) # Build Infrastructure tf = Terraform(working_dir='./WebInDeploy') # print("vars {}".format(WebInDeploy_vars)) tf.cmd('init') if run_plan: # print('Calling tf.plan') tf.plan(capture_output=False, var=WebInDeploy_vars) return_code1, stdout, stderr = tf.apply(var=WebInDeploy_vars, capture_output=capture_output, skip_plan=True, **kwargs) web_in_deploy_output = tf.output() logger.debug( 'Got Return code for deploy WebInDeploy {}'.format(return_code1)) update_status('web_in_deploy_stdout', stdout) update_status('web_in_deploy_output', web_in_deploy_output) if return_code1 != 0: logger.info("WebInDeploy failed") update_status('web_in_deploy_status', 'error') update_status('web_in_deploy_stderr', stderr) print(json.dumps(status_output)) exit(1) else: update_status('web_in_deploy_status', 'success') albDns = tf.output('ALB-DNS') fwMgt = tf.output('MGT-IP-FW-1') nlbDns = tf.output('NLB-DNS') fwMgtIP = tf.output('MGT-IP-FW-1') logger.info("Got these values from output \n\n") logger.info("AppGateway address is {}".format(albDns)) logger.info("Internal loadbalancer address is {}".format(nlbDns)) logger.info("Firewall Mgt address is {}".format(fwMgt)) # # Check firewall is up and running # # api_key = getApiKey(fwMgtIP, username, password) while True: err = getFirewallStatus(fwMgtIP, api_key) if err == 'cmd_error': logger.info("Command error from fw ") elif err == 'no': logger.info("FW is not up...yet") # print("FW is not up...yet") time.sleep(60) continue elif err == 'almost': logger.info("MGT up waiting for dataplane") time.sleep(20) continue elif err == 'yes': logger.info("FW is up") break logger.debug( 'Giving the FW another 10 seconds to fully come up to avoid race conditions' ) time.sleep(10) fw = firewall.Firewall(hostname=fwMgtIP, api_username=username, api_password=password) logger.info("Updating firewall with latest content pack") update_fw(fwMgtIP, api_key) # # Configure Firewall # WebInFWConf_vars.update({'FW_Mgmt_IP': fwMgtIP}) tf = Terraform(working_dir='./WebInFWConf') tf.cmd('init') kwargs = {"auto-approve": True} logger.info("Applying addtional config to firewall") WebInFWConf_vars['mgt-ipaddress-fw1'] = fwMgt if run_plan: tf.plan(capture_output=capture_output, var=WebInFWConf_vars) # update initial vars with generated fwMgt ip return_code2, stdout, stderr = tf.apply(capture_output=capture_output, skip_plan=True, var=WebInFWConf_vars, **kwargs) web_in_fw_conf_out = tf.output() update_status('web_in_fw_conf_output', web_in_fw_conf_out) # update_status('web_in_fw_conf_stdout', stdout) logger.debug( 'Got Return code for deploy WebInFwConf {}'.format(return_code2)) if return_code2 != 0: logger.error("WebInFWConf failed") update_status('web_in_fw_conf_status', 'error') update_status('web_in_fw_conf_stderr', stderr) print(json.dumps(status_output)) exit(1) else: update_status('web_in_fw_conf_status', 'success') logger.info("Commit changes to firewall") fw.commit() logger.info("waiting for commit") time.sleep(60) logger.info("waiting for commit") # # Check Jenkins # logger.info('Checking if Jenkins Server is ready') # FIXME - add outputs for all 3 dirs res = getServerStatus(albDns) if res == 'server_up': logger.info('Jenkins Server is ready') logger.info('\n\n ### Deployment Complete ###') logger.info( '\n\n Connect to Jenkins Server at http://{}'.format(albDns)) else: logger.info('Jenkins Server is down') logger.info('\n\n ### Deployment Complete ###') # dump out status to stdout print(json.dumps(status_output))