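def run_it(chosen_dg):
    """Render the post-rulebase security rules of one device group as HTML.

    The Panorama configuration is read from PAN_CFG_FILE, the device group
    named ``chosen_dg`` is selected, and every security rule in its
    post-rulebase becomes one row of the ``export.html`` template.

    Args:
        chosen_dg: Name of the device group (matched against ``@name``).

    Returns:
        The rendered ``export.html`` response.

    Raises:
        IndexError: If no device group is named ``chosen_dg``.
        KeyError: If the configuration lacks one of the expected sections.
    """
    # Initialize log file for exceptions
    logging.basicConfig(level=logging.INFO, filename='exceptions.log')

    with open(PAN_CFG_FILE, 'r') as f:
        pan_cfg = xmltodict.parse(f.read())['response']['result']

    device_groups = pan_cfg['config']['devices']['entry']['device-group'][
        'entry']
    # xmltodict yields a dict instead of a list when an element occurs only
    # once; normalise so a single device group is still matched by name.
    if isinstance(device_groups, dict):
        device_groups = [device_groups]
    # [0] raises IndexError when chosen_dg matches no device group.
    dg_tree = [a for a in device_groups if a['@name'] == chosen_dg][0]

    sec_tree = dg_tree['post-rulebase']['security']['rules']['entry']
    # Same normalisation: a rulebase holding exactly one rule parses to a dict.
    if isinstance(sec_tree, dict):
        sec_tree = [sec_tree]

    # BUILD LIST FOR DUMPING TO WEBPAGE
    rows = []
    for r in sec_tree:
        try:
            # resolve source address(es)
            src_ip = export.resolve_address(r['source'].get('member'),
                                            pan_cfg)
            # resolve destination address(es)
            dst_ip = export.resolve_address(r['destination'].get('member'),
                                            pan_cfg)
            # Resolve destination port object(s) to a list of ports
            if isinstance(r['service'], list):
                dport = r['service'][0].get('member')
            else:
                dport = r['service'].get('member')
            dst_port = export.resolve_service(dport, pan_cfg)
            # Fill out table row with all rule details
            row = (
                str(r['@name']),
                str(r['from'].get('member')),
                str(r['source'].get('member')),
                str(src_ip),
                str(r['to'].get('member')),
                str(r['destination'].get('member')),
                str(dst_ip),
                str(r['application'].get('member')),
                str(r['service'].get('member')),
                str(dst_port),
                str(r['category'].get('member')),
                str(r['action']),
                str(
                    r.get('profile-setting', {}).get('group',
                                                     {}).get('member',
                                                             'none')),
                str(r['log-setting']),
            )
            rows.append(row)
        except Exception as e:
            # Exception, not BaseException: KeyboardInterrupt and SystemExit
            # must propagate instead of being logged as a bad rule.
            # NOTE(review): the whole rule is written to exceptions.log, so
            # that file holds firewall policy detail and needs the same
            # access restrictions as the configuration export itself.
            logging.exception("UNABLE TO EXPORT RULE %s DUE TO %s", r, e)
    return render_template('export.html',
                           title='EXPORT RESULTS',
                           rows=rows,
                           chosen_dg=chosen_dg)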
def test_ip_range_address_object():
    """'fj_wan_011' must expand to every address from .100 through .200."""
    # The expected list is the contiguous run 21.162.177.100 - 21.162.177.200.
    expected = [
        '21.162.177.{}'.format(last_octet) for last_octet in range(100, 201)
    ]
    resolved = resolve_address('fj_wan_011', TEST_PAN_CFG)
    assert resolved == expected
def test_device_group_address_group_nested():
    """'gp_allservers_01' must flatten to its hosts plus six 'unknown' entries."""
    resolved_hosts = [
        '116.208.87.231/32',
        '64.166.244.218/32',
        '106.8.22.166/32',
        '108.66.169.73/32',
        '51.116.2.245/32',
        '139.19.119.218/32',
        '189.214.216.32/32',
        '188.233.51.195/32',
        '178.204.160.19/32',
        '61.141.109.68/32',
        '197.137.183.238/32',
        '176.83.170.151/32',
        '36.239.237.196/32',
        '131.126.184.9/32',
        '15.37.102.124/32',
        '33.164.192.33/32',
        '106.247.42.79/32',
        '79.27.169.172/32',
        '207.79.173.241/32',
        '23.81.253.60/32',
        '219.141.89.40/32',
        '206.207.137.44/32',
        '22.65.99.177/32',
        '153.237.234.168/32',
        '160.145.149.243/32',
        '143.21.213.101/32',
        '103.89.180.59/32',
        '102.184.55.93/32',
        '82.128.208.220/32',
        '20.248.75.95/32',
        '107.162.160.169/32',
        '24.248.51.219/32',
        '89.26.124.244/32',
        '32.110.196.94/32',
        '95.121.129.124/32',
        '29.43.251.64/32',
        '145.70.126.17/32',
        '85.18.216.189/32',
        '165.24.218.202/32',
        '85.152.0.234/32',
        '180.198.23.43/32',
        '19.88.145.209/32',
        '190.154.246.247/32',
        '172.0.158.11/32',
        '65.80.20.177/32',
        '90.142.108.132/32',
        '3.9.215.181/32',
        '170.180.8.64/32',
    ]
    # The expected result ends with six 'unknown' placeholders.
    expected = resolved_hosts + ['unknown'] * 6
    resolved = resolve_address('gp_allservers_01', TEST_PAN_CFG)
    assert resolved == expected
def test_external_dynamic_list():
    """'edl_sslabuse_ipv4_lab01' must be reported as ['dynamic']."""
    expected = ['dynamic']
    resolved = resolve_address('edl_sslabuse_ipv4_lab01', TEST_PAN_CFG)
    assert resolved == expected
def test_shared_address_group():
    """'gp_rfc1918_nets' must resolve to the three RFC 1918 networks."""
    expected = ['10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16']
    resolved = resolve_address('gp_rfc1918_nets', TEST_PAN_CFG)
    assert resolved == expected
def test_fqdn():
    """'es007.lab.local' must be reported as ['dynamic']."""
    expected = ['dynamic']
    resolved = resolve_address('es007.lab.local', TEST_PAN_CFG)
    assert resolved == expected
def test_subnet_address_object():
    """'n_10.2.2.0_24' must resolve to the single network 10.2.2.0/24."""
    expected = ['10.2.2.0/24']
    resolved = resolve_address('n_10.2.2.0_24', TEST_PAN_CFG)
    assert resolved == expected
def test_host_address_object():
    """'ae_file_071' must resolve to the single host 201.93.236.81/32."""
    expected = ['201.93.236.81/32']
    resolved = resolve_address('ae_file_071', TEST_PAN_CFG)
    assert resolved == expected
def test_unnamed_ip_address():
    """A literal address must come back unchanged, as a string, not a list."""
    literal = '10.1.1.1/32'
    resolved = resolve_address(literal, TEST_PAN_CFG)
    assert resolved == literal
def test_any():
    """The keyword 'any' must come back unchanged, as a string, not a list."""
    keyword = 'any'
    resolved = resolve_address(keyword, TEST_PAN_CFG)
    assert resolved == keyword
def test_nonexistent_object():
    """A name absent from the test configuration must resolve to ['unknown']."""
    expected = ['unknown']
    resolved = resolve_address('nobody_knows_me', TEST_PAN_CFG)
    assert resolved == expected
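def download():
    """Export the security rules of 'child_dg_lab01' as an xlsx download.

    The Panorama configuration is read from PAN_CFG_FILE and every security
    rule in the device group's post-rulebase becomes one spreadsheet row
    below a header row.

    Returns:
        The response built by ``flask_excel.make_response_from_array``.

    Raises:
        IndexError: If the configuration has no device group with that name.
        KeyError: If the configuration lacks one of the expected sections.
    """
    # The device group is hard-coded here rather than taken from the caller.
    chosen_dg = 'child_dg_lab01'

    # Initialize log file for exceptions
    logging.basicConfig(level=logging.INFO, filename='exceptions.log')

    with open(PAN_CFG_FILE, 'r') as f:
        pan_cfg = xmltodict.parse(f.read())['response']['result']

    device_groups = pan_cfg['config']['devices']['entry']['device-group'][
        'entry']
    # xmltodict yields a dict instead of a list when an element occurs only
    # once; normalise so a single device group is still matched by name.
    if isinstance(device_groups, dict):
        device_groups = [device_groups]
    # [0] raises IndexError when chosen_dg matches no device group.
    dg_tree = [a for a in device_groups if a['@name'] == chosen_dg][0]

    sec_tree = dg_tree['post-rulebase']['security']['rules']['entry']
    # Same normalisation: a rulebase holding exactly one rule parses to a dict.
    if isinstance(sec_tree, dict):
        sec_tree = [sec_tree]

    # BUILD LIST FOR DUMPING TO WEBPAGE
    rows = [[
        'NAME',
        'FROM',
        'SOURCE',
        'RESOLVED SRC',
        'TO',
        'DESTINATION',
        'RESOLVED DST',
        'APP',
        'SERVICE',
        'RESOLVED PT',
        'CATEGORY',
        'ACTION',
        'PROFILE-SETTING',
        'LOG-SETTING',
    ]]
    for r in sec_tree:
        try:
            # resolve source address(es)
            src_ip = export.resolve_address(r['source'].get('member'),
                                            pan_cfg)
            # resolve destination address(es)
            dst_ip = export.resolve_address(r['destination'].get('member'),
                                            pan_cfg)
            # Resolve destination port object(s) to a list of ports
            if isinstance(r['service'], list):
                dport = r['service'][0].get('member')
            else:
                dport = r['service'].get('member')
            dst_port = export.resolve_service(dport, pan_cfg)
            # Fill out table row with all rule details
            row = (
                str(r['@name']),
                str(r['from'].get('member')),
                str(r['source'].get('member')),
                str(src_ip),
                str(r['to'].get('member')),
                str(r['destination'].get('member')),
                str(dst_ip),
                str(r['application'].get('member')),
                str(r['service'].get('member')),
                str(dst_port),
                str(r['category'].get('member')),
                str(r['action']),
                str(
                    r.get('profile-setting', {}).get('group',
                                                     {}).get('member',
                                                             'none')),
                str(r['log-setting']),
            )
            rows.append(row)
        except Exception as e:
            # Exception, not BaseException: KeyboardInterrupt and SystemExit
            # must propagate instead of being logged as a bad rule.
            # NOTE(review): the whole rule is written to exceptions.log, so
            # that file holds firewall policy detail and needs the same
            # access restrictions as the configuration export itself.
            logging.exception("UNABLE TO EXPORT RULE %s DUE TO %s", r, e)
    return flask_excel.make_response_from_array(rows, "xlsx")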