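def main():
    """Write the master key status of every Panorama-connected firewall to CSV.

    Prompts for the Panorama password, asks Panorama for its connected
    devices, runs ``show system masterkey-properties`` on each one through
    Panorama and writes one row per firewall (with an added ``hostname``
    column) to ``--out_file``.

    Exits with status 1 when Panorama cannot be queried, when no data could
    be collected, or when at least one firewall is missing from the report.
    """
    parser = argparse.ArgumentParser()
    parser.add_argument('--panorama',
                        help='hostname or ip of panorama',
                        required=True)
    parser.add_argument('--user',
                        help='username for auth to panorama',
                        required=True)
    parser.add_argument(
        '--out_file',
        help='filename for output csv e.g. mkey_status_prod.csv',
        required=True)
    args = parser.parse_args()

    # The password is read interactively so it never shows up in argv,
    # shell history or the process list.
    try:
        panorama = Panorama(args.panorama, args.user, getpass())
    except PanDeviceError as e:
        print(e.message)
        # Nothing below can run without a Panorama object; the original fell
        # through here and failed later with a NameError.
        sys.exit(1)

    try:
        res = panorama.op('show devices connected', xml=True)
    except PanDeviceError as e:
        print(e.message)
        sys.exit(1)

    print('Authenticated to {}.'.format(args.panorama))
    print(
        'Generating master key status report on Panorama-connected firewalls...'
    )

    result = xmltodict.parse(res)['response']['result'] or {}
    devices = result.get('devices') or {}
    devs_connected = devices.get('entry') or []
    # xmltodict returns a single mapping instead of a list when the reply
    # holds exactly one <entry>; iterating that would walk its keys.
    if isinstance(devs_connected, dict):
        devs_connected = [devs_connected]

    master_key_props_list = []
    not_reported = []
    for dev in devs_connected:
        firewall = Firewall(serial=dev['serial'])
        panorama.add(firewall)
        try:
            reply = firewall.op('show system masterkey-properties', xml=True)
        except PanDeviceError as e:
            # One failing firewall must not abort the report, but it must
            # not vanish from it silently either.
            print('{}: {}'.format(dev['hostname'], e.message),
                  file=sys.stderr)
            not_reported.append(dev['hostname'])
            continue
        master_key_props = xmltodict.parse(reply)['response']['result']
        master_key_props['hostname'] = dev['hostname']
        master_key_props_list.append(master_key_props)

    if not master_key_props_list:
        print('No master key properties were collected; nothing written.',
              file=sys.stderr)
        sys.exit(1)

    # Use the union of all keys (first-seen order): DictWriter raises
    # ValueError on a row that carries a key missing from fieldnames.
    fieldnames = []
    for dev_mkey_props in master_key_props_list:
        for key in dev_mkey_props:
            if key not in fieldnames:
                fieldnames.append(key)

    with open(args.out_file, 'w', newline='') as file_obj:
        writer_obj = csv.DictWriter(file_obj, fieldnames=fieldnames)
        writer_obj.writeheader()
        writer_obj.writerows(master_key_props_list)

    if not_reported:
        print('Missing from report (query failed): {}'.format(
            ', '.join(not_reported)), file=sys.stderr)
        sys.exit(1)
    print('Done.')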
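def main():
    """List Panorama-connected firewalls whose HA configuration is not in sync.

    Prompts for the Panorama password, asks Panorama for its connected
    devices and runs ``show high-availability state`` on each one through
    Panorama. The hostname of every HA-enabled device whose ``running-sync``
    value is not ``synchronized`` is printed on stdout.

    Exits with status 1 when Panorama cannot be queried or when the HA state
    of at least one device could not be retrieved.
    """
    parser = argparse.ArgumentParser()
    parser.add_argument('--panorama',
                        help='hostname or ip of panorama',
                        required=True)
    parser.add_argument('--user',
                        help='username for auth to panorama',
                        required=True)
    args = parser.parse_args()

    # The password is read interactively so it never shows up in argv,
    # shell history or the process list.
    try:
        panorama = Panorama(args.panorama, args.user, getpass())
    except PanDeviceError as e:
        print(e.message)
        # Nothing below can run without a Panorama object; the original fell
        # through here and failed later with a NameError.
        sys.exit(1)

    try:
        res = panorama.op('show devices connected', xml=True)
    except PanDeviceError as e:
        print(e.message)
        sys.exit(1)

    result = xmltodict.parse(res)['response']['result'] or {}
    devices = result.get('devices') or {}
    devs_connected = devices.get('entry') or []
    # xmltodict returns a single mapping instead of a list when the reply
    # holds exactly one <entry>; iterating that would walk its keys.
    if isinstance(devs_connected, dict):
        devs_connected = [devs_connected]

    ha_devices_out_of_sync = []
    not_checked = []
    for dev in devs_connected:
        firewall = Firewall(serial=dev['serial'])
        panorama.add(firewall)
        try:
            reply = firewall.op('show high-availability state', xml=True)
        except PanDeviceError as e:
            # Keep going, but remember the device: an unchecked firewall
            # must not be counted as "in sync".
            print('{}: {}'.format(dev['hostname'], e.message),
                  file=sys.stderr)
            not_checked.append(dev['hostname'])
            continue
        ha_state = xmltodict.parse(reply)['response']['result']
        if (ha_state['enabled'] == 'yes'
                and ha_state['group']['running-sync'] != 'synchronized'):
            ha_devices_out_of_sync.append(dev['hostname'])

    for hostname in ha_devices_out_of_sync:
        print(hostname)

    if not_checked:
        print('HA state not retrieved for: {}'.format(', '.join(not_checked)),
              file=sys.stderr)
        sys.exit(1)
    if not ha_devices_out_of_sync:
        print('All HA devices configuration in sync!')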
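def main():
    """Validate the source users of a device group's pre-rules against mapped groups.

    Reads the user-group list from the master firewall (through Panorama when
    Panorama manages it, otherwise over a direct connection), loads the
    security pre-rules of device group ``--dg`` from Panorama, and prints
    every ``source_user`` entry of a user-based rule that is not in the
    mapped group list.

    Exits with status 1 when a device cannot be queried or the device group
    does not exist.
    """
    # Imported here because the password prompts below need it and the
    # module's import block is not part of this listing.
    from getpass import getpass

    parser = argparse.ArgumentParser()
    parser.add_argument('--panorama',
                        help='hostname or ip of panorama',
                        required=True)
    parser.add_argument(
        '--master_device',
        help='hostname or ip of firewall to retrieve group-mappings',
        required=True)
    parser.add_argument(
        '--dg',
        help=
        'device group of the pre-rulebase that contain user-group-based policies',
        required=True)
    args = parser.parse_args()

    # NOTE(review): both credential-prompt expressions were masked ('******')
    # in the listing this was taken from. They are reconstructed from the
    # surviving prompt strings, with the password read through getpass() so
    # it is not echoed to the terminal -- confirm against the original file.
    try:
        panorama = Panorama(args.panorama, input('Panorama username: '),
                            getpass('Panorama password: '))
    except PanDeviceError as e:
        print(e.message)
        sys.exit(1)

    try:
        res = panorama.op('show devices connected', xml=True)
    except PanDeviceError as e:
        print(e.message)
        sys.exit(1)

    result = xmltodict.parse(res)['response']['result'] or {}
    devices = result.get('devices') or {}
    devs_connected = devices.get('entry') or []
    # xmltodict returns a single mapping instead of a list when the reply
    # holds exactly one <entry>; iterating that would walk its keys.
    if isinstance(devs_connected, dict):
        devs_connected = [devs_connected]

    firewall = None
    for dev in devs_connected:
        if args.master_device in (dev['hostname'], dev['ip-address']):
            firewall = Firewall(serial=dev['serial'])
            break

    if firewall is not None:
        try:
            panorama.add(firewall)
        except PanDeviceError as e:
            print(e.message)
            sys.exit(1)
    else:
        print(
            'Master device (firewall) is not managed by Panorama. Attempting direct connection to firewall...'
        )
        try:
            firewall = Firewall(args.master_device,
                                input('Firewall username: '),
                                getpass('Firewall password: '))
        except PanDeviceError as e:
            print(e.message)
            sys.exit(1)

    print('Retrieving user-group-mappings on master device: "{}"...'.format(
        args.master_device))
    try:
        res = firewall.op('show user group list', xml=True)
    except PanDeviceError as e:
        print(e.message)
        # The original carried on and parsed the stale Panorama reply still
        # held in `res`, which would flag every rule as invalid.
        sys.exit(1)

    # An empty <result> parses to None, which re.findall would reject.
    user_group_data = xmltodict.parse(res)['response']['result'] or ''
    # NOTE(review): the pattern only collects DNs that end in "dc=com".
    # Groups under any other top-level domain component are never collected,
    # so rules that reference them are reported as invalid.
    user_group_list = re.findall(r'cn=.*?dc=com', user_group_data)
    print('Number of mapped user-groups found: {}\n'.format(
        len(user_group_list)))
    print('Currently mapped user-groups: ')
    for user_group in user_group_list:
        print('"{}"'.format(user_group))
    print('\n')

    try:
        DeviceGroup.refreshall(panorama)
        target_dg = panorama.find(args.dg, DeviceGroup)
        if target_dg is None:
            print(
                'Device group "{}" not found on Panorama device. Aborting...'.
                format(args.dg))
            # Non-zero so a wrapper script can tell the check did not run.
            sys.exit(1)
        prb = PreRulebase()
        target_dg.add(prb)
        dg_pre_rules = SecurityRule.refreshall(prb)
    except PanDeviceError as e:
        print(e.message)
        # dg_pre_rules would be unbound below.
        sys.exit(1)

    print('Retrieving user-based security policy from device-group: "{}"...'.
          format(args.dg))
    user_based_rules = [
        rule for rule in dg_pre_rules if 'any' not in rule.source_user
    ]
    print('Number of user-based security rules found: {}\n'.format(
        len(user_based_rules)))

    # NOTE(review): the match is an exact string comparison; confirm that the
    # rulebase and the group list use the same DN casing.
    known_groups = set(user_group_list)
    for rule in user_based_rules:
        print('Validating user-based security rule: "{}"...'.format(rule.name))
        for user in rule.source_user:
            if user not in known_groups:
                print('Invalid user-group: "{}"'.format(user))
        print('\n')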