def create_profilepackage(rules, addresses): device_groups = ['test_dg'] devicegroup_objects = {'test_dg': collections.defaultdict(list)} devicegroup_objects['test_dg']['Addresses'] = addresses devicegroup_objects['test_dg']['all_active_child_firewalls'] = [ "fake_firewall" ] devicegroup_exclusive_objects = { 'test_dg': collections.defaultdict(list) } devicegroup_exclusive_objects["test_dg"]['SecurityPreRules'] = rules profilepackage = ProfilePackage( api_key='', pan_config=PanConfig('<_/>'), settings=ConfigurationSettings().get_config(), device_group_hierarchy_children={}, device_group_hierarchy_parent={}, device_groups_and_firewalls={}, device_groups=device_groups, devicegroup_objects=devicegroup_objects, devicegroup_exclusive_objects=devicegroup_exclusive_objects, rule_limit_enabled=False, no_api=False) return profilepackage
def create_profilepackage(shared_addresses, shared_addressgroups, shared_securityprerules, shared_natprerules, dg_addresses, dg_securityprerules): device_groups = ["shared"] devicegroup_objects = { "shared": collections.defaultdict(list), "test_dg": collections.defaultdict(list) } devicegroup_objects['shared']['all_child_device_groups'] = [ "shared", "test_dg" ] devicegroup_objects["shared"]['Addresses'] = shared_addresses devicegroup_objects["shared"]['AddressGroups'] = shared_addressgroups devicegroup_objects["shared"][ 'SecurityPreRules'] = shared_securityprerules devicegroup_objects["shared"]['NATPreRules'] = shared_natprerules devicegroup_objects["test_dg"]['SecurityPreRules'] = dg_addresses devicegroup_objects["test_dg"]['NATPreRules'] = dg_securityprerules profilepackage = ProfilePackage( api_key='', pan_config=PanConfig('<_/>'), settings=ConfigurationSettings().get_config(), device_group_hierarchy_children={}, device_group_hierarchy_parent={}, device_groups_and_firewalls={}, device_groups=device_groups, devicegroup_objects=devicegroup_objects, devicegroup_exclusive_objects={}, rule_limit_enabled=False, no_api=False) return profilepackage
def create_profilepackage(allowed_group_profile, pan_config): device_groups = ['test_dg'] rules = pan_config.get_devicegroup_policy('SecurityPreRules', 'test_dg') devicegroup_exclusive_objects = { 'test_dg': { 'SecurityPreRules': rules, 'SecurityPostRules': [] } } settings = ConfigurationSettings().get_config() settings['Allowed Group Profiles'] = allowed_group_profile profilepackage = ProfilePackage( api_key='', pan_config=PanConfig('<_/>'), settings=settings, device_group_hierarchy_children={}, device_group_hierarchy_parent={}, device_groups_and_firewalls={}, device_groups=device_groups, devicegroup_objects={}, devicegroup_exclusive_objects=devicegroup_exclusive_objects, rule_limit_enabled=False, no_api=False) return profilepackage
def create_profilepackage(pan_config): device_groups = ["shared"] settings = ConfigurationSettings().get_config() profilepackage = ProfilePackage(api_key='', pan_config=pan_config, settings=settings, device_group_hierarchy_children={}, device_group_hierarchy_parent={}, device_groups_and_firewalls={}, device_groups=device_groups, devicegroup_objects={}, devicegroup_exclusive_objects={}, rule_limit_enabled=False, no_api=False) return profilepackage
def create_profilepackage(pan_config, mandated_log_profile): device_groups = ['test_dg'] settings = ConfigurationSettings().get_config() settings['Mandated Logging Profile'] = mandated_log_profile profilepackage = ProfilePackage(api_key='', pan_config=pan_config, settings=settings, device_group_hierarchy_children={}, device_group_hierarchy_parent={}, device_groups_and_firewalls={}, device_groups=device_groups, devicegroup_objects={}, devicegroup_exclusive_objects={}, rule_limit_enabled=False, no_api=False) return profilepackage
def create_profilepackage(services): device_groups = ["shared"] devicegroup_objects = {"shared": {}} devicegroup_objects["shared"]['Services'] = services profilepackage = ProfilePackage( api_key='', pan_config=PanConfig('<_/>'), settings=ConfigurationSettings().get_config(), device_group_hierarchy_children={}, device_group_hierarchy_parent={}, device_groups_and_firewalls={}, device_groups=device_groups, devicegroup_objects=devicegroup_objects, devicegroup_exclusive_objects=[], rule_limit_enabled=False, no_api=False) return profilepackage
def create_profilepackage(addresses, ignored_dns_prefixes): device_groups = ["shared"] devicegroup_objects = {"shared": {}} devicegroup_objects["shared"]['Addresses'] = addresses settings = ConfigurationSettings().get_config() settings['Ignored DNS Prefixes'] = ",".join(ignored_dns_prefixes) profilepackage = ProfilePackage( api_key='', pan_config=PanConfig('<_/>'), settings=settings, device_group_hierarchy_children={}, device_group_hierarchy_parent={}, device_groups_and_firewalls={}, device_groups=device_groups, devicegroup_objects=devicegroup_objects, devicegroup_exclusive_objects={}, rule_limit_enabled=False, no_api=False) return profilepackage
def create_profilepackage(pan_config): device_groups = ["shared"] devicegroup_objects = { "shared": collections.defaultdict(list), "test_dg": collections.defaultdict(list) } devicegroup_objects['shared']['all_child_device_groups'] = [ "shared", "test_dg" ] profilepackage = ProfilePackage( api_key='', pan_config=pan_config, settings=ConfigurationSettings().get_config(), device_group_hierarchy_children={}, device_group_hierarchy_parent={}, device_groups_and_firewalls={}, device_groups=device_groups, devicegroup_objects=devicegroup_objects, devicegroup_exclusive_objects={}, rule_limit_enabled=False, no_api=False) return profilepackage
def create_profilepackage(shared_addresses, dg_addresses, shared_address_groups, dg_address_groups): device_groups = ["shared", "test_dg"] device_group_hierarchy_parent = {"test_dg": "shared"} devicegroup_objects = {"shared": {}, "test_dg": {}} devicegroup_objects["shared"]['Addresses'] = shared_addresses devicegroup_objects["test_dg"]['Addresses'] = dg_addresses devicegroup_objects["shared"]['AddressGroups'] = shared_address_groups devicegroup_objects["test_dg"]['AddressGroups'] = dg_address_groups profilepackage = ProfilePackage( api_key='', pan_config=PanConfig('<_/>'), settings=ConfigurationSettings().get_config(), device_group_hierarchy_children={}, device_group_hierarchy_parent=device_group_hierarchy_parent, device_groups_and_firewalls={}, device_groups=device_groups, devicegroup_objects=devicegroup_objects, devicegroup_exclusive_objects={}, rule_limit_enabled=False, no_api=False) return profilepackage
def main(): description = """\ Retrieves PAN FW policy and checks it for various issues.""" validator_descriptions = '\n'.join( f"{readable_name} - {description}" for readable_name, description, f in sorted( get_policy_validators().values())) epilog = f"""Here is a detailed list of the {len(get_policy_validators().keys())} supported validators: {validator_descriptions} """ parser = argparse.ArgumentParser( description=description, epilog=epilog, formatter_class=argparse.RawDescriptionHelpFormatter) group = parser.add_mutually_exclusive_group(required=True) group.add_argument("--all", help="Run validators on all Device Groups", action='store_true') group.add_argument("--device-group", help="Device Group to run through validator") parser.add_argument( "--validator", help="Only run specified validators (repeat for multiple)", choices=sorted(get_policy_validators().keys()), action='append') parser.add_argument("--quiet", help="Silence output", action='store_true') parser.add_argument( "--config", help=f"Config file to read (default is {DEFAULT_CONFIGFILE})", default=DEFAULT_CONFIGFILE) parser.add_argument( "--api", help=f"File with API Key (default is {DEFAULT_API_KEYFILE})", default=DEFAULT_API_KEYFILE) parser.add_argument( "--no-api", help="Skip validators that require making API requests", action='store_true') parser.add_argument( "--xml", help= "Process an XML file from 'Export Panorama configuration version'. This does not use an API key and implies --no-api" ) parser.add_argument( "--debug", help="Write all debug output to pan_validator_debug_YYMMDD_HHMMSS.log", action='store_true') parser.add_argument( "--limit", help="Limit processing to the first N rules (useful for debugging)", type=int) parsed_args = parser.parse_args() configure_logging(parsed_args.debug, not parsed_args.quiet) logger.debug( f"Script launched with the following arguments {' '.join(sys.argv)}") if parsed_args.xml: api_key = '' parsed_args.no_api = True xml_string = "_xml" else: api_key = load_api_key(parsed_args.api) xml_string = '' if parsed_args.validator: validators = { validator: get_policy_validators()[validator] for validator in parsed_args.validator } else: validators = get_policy_validators() # Build the output string if parsed_args.device_group: devicegroup_string = "_" + parsed_args.device_group else: devicegroup_string = '' if parsed_args.validator: validators_string = "_" + "_".join(sorted(parsed_args.validator)) else: validators_string = '' if parsed_args.limit: limit_string = "_limit" + str(parsed_args.limit) else: limit_string = "" if parsed_args.no_api: no_api_string = "_noapi" else: no_api_string = "" output_fname = f'pan_analyzer_output_{EXECUTION_START_TIME}{devicegroup_string}{xml_string}{no_api_string}{validators_string}{limit_string}.txt' logger.debug(f"Writing output to {output_fname}") no_api = parsed_args.no_api if not os.path.isfile(parsed_args.config): if parsed_args.config == DEFAULT_CONFIGFILE: ConfigurationSettings().write_config(parsed_args.config) logger.error( f"Config file '{parsed_args.config}' did not exist! Please edit the newly-created config and re-run." ) sys.exit(1) else: raise Exception( f"Config file '{parsed_args.config}' does not exist! Exiting") configuration_settings = ConfigurationSettings( parsed_args.config).get_config() start_time = time.time() profilepackage = load_config_package(configuration_settings, api_key, parsed_args.device_group, parsed_args.limit, no_api, parsed_args.xml) problems, total_problems = run_policy_validators(validators, profilepackage, output_fname) write_validator_output(problems, output_fname, 'text') end_time = time.time() logger.info(f"Full run took {end_time - start_time} seconds") logger.info(f"Detected a total of {total_problems} problems") return
def main(): description = """\ Fixes issues in PAN FW policies.""" fixer_descriptions = '\n'.join(f"{readable_name} - {description}" for readable_name, description, f in sorted( get_policy_fixers().values())) epilog = f"""Here is a detailed list of the {len(get_policy_fixers().keys())} supported fixers: {fixer_descriptions} """ parser = argparse.ArgumentParser( description=description, epilog=epilog, formatter_class=argparse.RawDescriptionHelpFormatter) group = parser.add_mutually_exclusive_group(required=True) group.add_argument("--all", help="Run fixer on all Device Groups", action='store_true') group.add_argument("--device-group", help="Device Group to run through fixer") parser.add_argument("--fixer", help="Fixer to run", choices=sorted(get_policy_fixers().keys()), required=True) parser.add_argument("--quiet", help="Silence output", action='store_true') parser.add_argument( "--config", help=f"Config file to read (default is {DEFAULT_CONFIGFILE})", default=DEFAULT_CONFIGFILE) parser.add_argument( "--api", help=f"File with API Key (default is {DEFAULT_API_KEYFILE})", default=DEFAULT_API_KEYFILE) parser.add_argument( "--debug", help="Write all debug output to pan_fixer_debug_YYMMDD_HHMMSS.log", action='store_true') parser.add_argument( "--limit", help="Limit processing to the first N rules (useful for debugging)", type=int) parsed_args = parser.parse_args() configure_logging(parsed_args.debug, not parsed_args.quiet) logger.debug(f"Execution began at {EXECUTION_START_TIME}") if not os.path.isfile(parsed_args.config): if parsed_args.config == DEFAULT_CONFIGFILE: ConfigurationSettings().write_config(parsed_args.config) logger.info( f"Config file '{parsed_args.config}' did not exist! Please edit the newly-created config and re-run." ) sys.exit(1) else: raise Exception( f"Config file '{parsed_args.config}' does not exist! Exiting") configuration_settings = ConfigurationSettings( parsed_args.config).get_config() try: with open(parsed_args.api) as fh: API_KEY = fh.read().strip() except OSError: logger.info(f"Unable to open file with API key '{parsed_args.api}'") API_KEY = get_and_save_API_key(parsed_args.api) fixers = {parsed_args.fixer: get_policy_fixers()[parsed_args.fixer]} # Build the output string if parsed_args.device_group: devicegroup_string = "_" + parsed_args.device_group else: devicegroup_string = '' if parsed_args.fixer: fixers_string = "_" + parsed_args.fixer else: fixers_string = '' if parsed_args.limit: limit_string = "_limit" + str(parsed_args.limit) else: limit_string = "" output_fname = f'pan_fixer_output_{EXECUTION_START_TIME}{devicegroup_string}{fixers_string}{limit_string}.txt' start_time = time.time() profilepackage = load_config_package(configuration_settings, API_KEY, parsed_args.device_group, parsed_args.limit, True, False) problems, total_problems = run_policy_fixers(fixers, profilepackage, output_fname) write_validator_output(problems, output_fname, 'text') end_time = time.time() logger.info("*" * 80) logger.info(f"Full run took {end_time - start_time} seconds") logger.info(f"Attempted to fix a total of {total_problems} problems") logger.info(f"Detected problems have been written to {output_fname}") return