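def main():
    """Write a CSV of master-key properties for every firewall connected to Panorama.

    The Panorama password is read with ``getpass`` (never from argv, so it
    does not land in shell history or ``ps`` output). The script lists the
    devices connected to Panorama, runs ``show system masterkey-properties``
    on each through Panorama's proxied API, and writes one CSV row per
    firewall. A firewall that cannot be queried still gets a row with an
    ``error`` column so the report never silently omits a device.

    Exits 1 on authentication/API failure or when no firewall is connected.

    NOTE(review): whether the API session verifies Panorama's TLS certificate
    is decided by the library defaults, not here — confirm before using this
    over an untrusted network, since the credentials ride on that session.
    """
    parser = argparse.ArgumentParser()
    parser.add_argument('--panorama',
                        help='hostname or ip of panorama',
                        required=True)
    parser.add_argument('--user',
                        help='username for auth to panorama',
                        required=True)
    parser.add_argument(
        '--out_file',
        help='filename for output csv e.g. mkey_status_prod.csv',
        required=True)
    args = parser.parse_args()

    try:
        panorama = Panorama(args.panorama, args.user, getpass())
    except PanDeviceError as e:
        # Must exit: falling through left `panorama` unbound and the script
        # died with a NameError on the next statement instead of a message.
        # `print(e)` rather than `e.message`: exceptions have no .message on
        # Python 3 (the newline='' below already requires Python 3).
        print(e)
        sys.exit(1)

    cmd = 'show devices connected'
    try:
        res = panorama.op(cmd, xml=True)
    except PanDeviceError as e:
        print(e)
        sys.exit(1)

    print('Authenticated to {}.'.format(args.panorama))
    print(
        'Generating master key status report on Panorama-connected firewalls...'
    )

    # xmltodict collapses a single <entry> into a dict instead of a
    # one-element list, and an empty <devices/> parses to None; normalise
    # both so the loop below always iterates over device dicts.
    devices = xmltodict.parse(res)['response']['result']['devices']
    devs_connected = (devices or {}).get('entry') or []
    if isinstance(devs_connected, dict):
        devs_connected = [devs_connected]
    if not devs_connected:
        print('No firewalls connected to {}.'.format(args.panorama))
        sys.exit(1)

    master_key_props_list = []

    for dev in devs_connected:
        firewall = Firewall(serial=dev['serial'])
        panorama.add(firewall)

        cmd = 'show system masterkey-properties'
        try:
            master_key_props = xmltodict.parse(firewall.op(
                cmd, xml=True))['response']['result']
        except PanDeviceError as e:
            # Keep the device in the report: a missing row would read as
            # "nothing to see" for exactly the firewall we could not check.
            print('Could not query {}: {}'.format(dev['hostname'], e))
            master_key_props = {'error': str(e)}
        master_key_props['hostname'] = dev['hostname']

        master_key_props_list.append(master_key_props)

    # Union of every row's keys (first row's order preserved) so a device
    # that reports an extra property does not make DictWriter raise.
    fieldnames = []
    for props in master_key_props_list:
        for key in props:
            if key not in fieldnames:
                fieldnames.append(key)

    # Values are written verbatim; hostnames come from Panorama-managed
    # devices, so treat the CSV as admin-trusted if opened in a spreadsheet.
    with open(args.out_file, 'w', newline='') as file_obj:
        writer_obj = csv.DictWriter(file_obj, fieldnames=fieldnames)

        writer_obj.writeheader()
        for dev_mkey_props in master_key_props_list:
            writer_obj.writerow(dev_mkey_props)

    print('Done.')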
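def main():
    """Report HA-enabled, Panorama-connected firewalls whose config is out of sync.

    Authenticates to Panorama (password via ``getpass``), lists connected
    devices, runs ``show high-availability state`` on each through Panorama,
    and prints the hostname of every HA-enabled firewall whose
    ``group/running-sync`` is not ``synchronized``. A firewall that cannot be
    queried is reported separately rather than dropped, and the "all in sync"
    message is only printed when every device was actually checked.

    Exits 1 on authentication/API failure or when any device was unreachable.
    """
    parser = argparse.ArgumentParser()
    parser.add_argument('--panorama',
                        help='hostname or ip of panorama',
                        required=True)
    parser.add_argument('--user',
                        help='username for auth to panorama',
                        required=True)
    args = parser.parse_args()

    try:
        panorama = Panorama(args.panorama, args.user, getpass())
    except PanDeviceError as e:
        # Exit instead of falling through to an unbound `panorama`;
        # `e.message` does not exist on Python 3, so print the exception.
        print(e)
        sys.exit(1)

    cmd = 'show devices connected'
    try:
        res = panorama.op(cmd, xml=True)
    except PanDeviceError as e:
        print(e)
        sys.exit(1)

    # xmltodict returns a dict (not a list) for a single <entry>, and None
    # for an empty <devices/>; normalise to a list of device dicts.
    devices = xmltodict.parse(res)['response']['result']['devices']
    devs_connected = (devices or {}).get('entry') or []
    if isinstance(devs_connected, dict):
        devs_connected = [devs_connected]

    ha_devices_out_of_sync = []
    unreachable = []

    for dev in devs_connected:
        firewall = Firewall(serial=dev['serial'])
        panorama.add(firewall)

        cmd = 'show high-availability state'
        try:
            ha_state = xmltodict.parse(firewall.op(cmd,
                                                   xml=True))['response']['result']
        except PanDeviceError as e:
            print('Could not query {}: {}'.format(dev['hostname'], e))
            unreachable.append(dev['hostname'])
            continue
        if ha_state.get('enabled') == 'yes':
            # Fail safe: a missing <group>/<running-sync> element counts as
            # not synchronized rather than being skipped.
            sync = (ha_state.get('group') or {}).get('running-sync')
            if sync != 'synchronized':
                ha_devices_out_of_sync.append(dev['hostname'])

    if ha_devices_out_of_sync:
        for dev in ha_devices_out_of_sync:
            print(dev)
    elif unreachable:
        print('{} device(s) could not be checked; sync state unknown.'.format(
            len(unreachable)))
    else:
        print('All HA devices configuration in sync!')

    if unreachable:
        sys.exit(1)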
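def main():
    """Check that every user-group referenced by user-based pre-rules in a device group is mapped.

    Flow: authenticate to Panorama (credentials prompted interactively),
    locate the "master" firewall by hostname or IP among Panorama-connected
    devices (falling back to a direct connection with its own credentials),
    pull ``show user group list`` from it, then compare each pre-rulebase
    security rule's ``source_user`` entries against the mapped groups. A
    rule naming a group the firewall has never mapped matches nobody, which
    silently removes that rule from the effective policy (an outage for an
    allow rule, a hole for a deny rule), so each such entry is printed as
    invalid.

    Exits 1 on authentication/API failure or when the device group does not
    exist (the original exited 0 on that abort, which hid the failure from
    any caller checking the status).

    NOTE(review): the credential-prompt lines of this listing were redacted
    in the corpus (``******``); the ``input``/``getpass`` calls and the
    exception handlers around them are reconstructed to match the pattern of
    the other examples and should be checked against the upstream source.
    """
    parser = argparse.ArgumentParser()
    parser.add_argument('--panorama',
                        help='hostname or ip of panorama',
                        required=True)
    parser.add_argument(
        '--master_device',
        help='hostname or ip of firewall to retrieve group-mappings',
        required=True)
    parser.add_argument(
        '--dg',
        help=
        'device group of the pre-rulebase that contain user-group-based policies',
        required=True)
    args = parser.parse_args()

    try:
        panorama = Panorama(args.panorama,
                            input('Panorama username: '),
                            getpass('Panorama password: '))
    except PanDeviceError as e:
        # `e.message` does not exist on Python 3; exit rather than continue
        # with `panorama` unbound.
        print(e)
        sys.exit(1)

    cmd = 'show devices connected'
    try:
        res = panorama.op(cmd, xml=True)
    except PanDeviceError as e:
        print(e)
        sys.exit(1)

    # xmltodict returns a dict for a single <entry> and None for an empty
    # <devices/>; normalise to a list of device dicts.
    devices = xmltodict.parse(res)['response']['result']['devices']
    devs_connected = (devices or {}).get('entry') or []
    if isinstance(devs_connected, dict):
        devs_connected = [devs_connected]

    firewall = None

    for dev in devs_connected:
        if args.master_device in (dev.get('hostname'), dev.get('ip-address')):
            firewall = Firewall(serial=dev['serial'])
            break

    if firewall is not None:
        try:
            panorama.add(firewall)
        except PanDeviceError as e:
            print(e)
            sys.exit(1)
    else:
        print(
            'Master device (firewall) is not managed by Panorama. Attempting direct connection to firewall...'
        )
        try:
            firewall = Firewall(args.master_device,
                                input('Firewall username: '),
                                getpass('Firewall password: '))
        except PanDeviceError as e:
            print(e)
            sys.exit(1)

    print('Retrieving user-group-mappings on master device: "{}"...'.format(
        args.master_device))

    cmd = 'show user group list'
    try:
        res = firewall.op(cmd, xml=True)
    except PanDeviceError as e:
        # Exit: the original fell through to parse an unbound `res`.
        print(e)
        sys.exit(1)

    user_group_data = xmltodict.parse(res)['response']['result']
    # NOTE: only DNs ending in `dc=com` are recognised. Groups under any other
    # suffix (dc=local, dc=net, ...) are invisible to this check and every
    # rule referencing them will be reported as invalid.
    user_group_list = re.findall(r'cn=.*?dc=com', user_group_data)
    # LDAP DNs compare case-insensitively and PAN-OS may print the mapped
    # list in a different case than the rule was configured with; compare
    # lower-cased to avoid false "invalid" hits. TODO confirm that the
    # running PAN-OS version matches source-user case-insensitively too.
    mapped_groups = {group.lower() for group in user_group_list}

    print('Number of mapped user-groups found: {}\n'.format(
        len(user_group_list)))
    print('Currently mapped user-groups: ')
    for user_group in user_group_list:
        print('"{}"'.format(user_group))
    print('\n')

    try:
        DeviceGroup.refreshall(panorama)
        target_dg = panorama.find(args.dg, DeviceGroup)

        if target_dg is None:
            print(
                'Device group "{}" not found on Panorama device. Aborting...'.
                format(args.dg))
            sys.exit(1)

        prb = PreRulebase()
        target_dg.add(prb)

        dg_pre_rules = SecurityRule.refreshall(prb)
    except PanDeviceError as e:
        # Exit: the original fell through to iterate an unbound `dg_pre_rules`.
        print(e)
        sys.exit(1)

    print('Retrieving user-based security policy from device-group: "{}"...'.
          format(args.dg))

    # A rule with no source_user at all is treated like 'any' (not user-based).
    user_based_rules = [
        rule for rule in dg_pre_rules
        if rule.source_user and 'any' not in rule.source_user
    ]

    print('Number of user-based security rules found: {}\n'.format(
        len(user_based_rules)))

    # PAN-OS keywords that are legal in source-user but are not group DNs;
    # flagging them would be noise. Individual user entries (domain\user)
    # are still reported as invalid because this check cannot tell a
    # username from a mis-typed group name.
    special_users = {'any', 'known-user', 'unknown', 'pre-logon'}

    for rule in user_based_rules:
        print('Validating user-based security rule: "{}"...'.format(rule.name))
        for user in rule.source_user:
            if user.lower() in special_users:
                continue
            if user.lower() not in mapped_groups:
                print('Invalid user-group: "{}"'.format(user))
        print('\n')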