def setUp(self):
logging.basicConfig(level=10)
# Get current test (in string with format):
# tests.test_pandevice.TestPandevice.test_refresh_interfaces_mock
test_method = self.id()
if test_method.endswith("_mock"):
# This is a test with a mock firewall
mock.patch.object(firewall.pan.xapi, 'PanXapi', mock.MagicMock())
self.d = firewall.Firewall(hostname="fake-hostname",
api_username="******",
api_password="******",
)
self.d._retrieve_api_key = mock.Mock(return_value="fakekey")
# Trigger attempt to populate API key by accessing xapi
self.xapi = self.d.xapi
else:
# This is a test against a real firewall and panorama
self.p = panorama.Panorama(hostname=TESTRAMA_HOSTNAME,
api_username=TESTRAMA_USERNAME,
api_password=TESTRAMA_PASSWORD,
)
self.d = firewall.Firewall(hostname=TESTFW_HOSTNAME,
api_username=TESTFW_USERNAME,
api_password=TESTFW_PASSWORD,
)
def getDevicePhash(device, password, module):
if 'hostname' not in device or 'username' not in device or 'password' not in device:
module.fail_json(msg='Device credentials not specified!')
dev = firewall.Firewall(device['hostname'], device['username'], device['password'])
phash = dev.request_password_hash(password)
return phash
def configureDataLakeWithPSK(device, password, psk, module):
# request logging-service-forwarding certificate fetch-noproxy pre-shared-key <value>
try:
if 'hostname' not in device or 'username' not in device or 'password' not in device:
module.fail_json(msg='Device credentials not specified!')
ngfw = firewall.Firewall(device['hostname'], device['username'], device['password'])
#print("Configuring Data Lake on NGFW")
cmd='<request><logging-service-forwarding><certificate><fetch-noproxy><pre-shared-key>{}</pre-shared-key></fetch-noproxy></certificate></logging-service-forwarding></request>'.format(psk)
response = ngfw.op(cmd=cmd, cmd_xml=False)
result = response.find('./result').text
if result:
reg = r'^Successfully scheduled logging service certificate fetch job with a job id of ([0-9]*)$'
m = re.search(reg, result)
if m and m.group(1):
job_id = m.group(1)
if job_id:
res = syncjob(ngfw, job_id=job_id)
if not res:
raise pan.xapi.PanXapiError('Not success')
else:
raise pan.xapi.PanXapiError('Job ID not found')
else:
raise pan.xapi.PanXapiError('Unexpected response: {}'.format(result))
else:
raise pan.xapi.PanXapiError('No result in response')
#print("Configured Data Lake on NGFW")
except Exception as e:
module.fail_json(msg='Fail on Data Lake PSK configuration: {}'.format(e))
return False
return True
def pano_connect():
# Instantiate a Firewall with serial
fw = firewall.Firewall(serial=fw_serial)
# Instantiate a Panorama with hostname and credentials
pano = panorama.Panorama(pano_addr, pano_user, pano_pass)
# Add the Firewall as a child of Panorama
pano.add(fw)
return fw, pano
def getDeviceSerial(fw):
if 'hostname' not in fw or 'username' not in fw or 'password' not in fw:
raise RuntimeError('Device credentials not specified!')
device = firewall.Firewall(fw['hostname'], fw['username'], fw['password'])
devInfo = device.refresh_system_info()
devSerial = devInfo.serial
print('Device Serial = {}'.format(devSerial))
return devSerial
def getDeviceSerial(fw, module):
if 'hostname' not in fw or 'username' not in fw or 'password' not in fw:
module.fail_json(msg='Device credentials not specified!')
device = firewall.Firewall(fw['hostname'], fw['username'], fw['password'])
devInfo = device.refresh_system_info()
devSerial = devInfo.serial
#print('Device Serial = {}'.format(devSerial))
return devSerial
def test2(fqdn, user, passwd):
try:
fw = firewall.Firewall(fqdn["fqdn"], user, passwd)
xml = fw.op('show system info', xml=True)
print('Test2 is success on...', fqdn["app"])
return True
except:
print('Error in test2')
return False
def ngfwCommit(fw, devicegroup, module):
try:
ngfw = firewall.Firewall(fw['hostname'], fw['username'], fw['password'])
#print("Committing on NGFW")
ngfw.commit(sync=True)
#print("Committed on NGFW")
except Exception as e:
module.fail_json(msg='Fail on commit: {}'.format(e))
return True
def pan_firewall(hostname='', api_key=''):
try:
fw = pan_fw.Firewall(hostname=hostname, api_key=api_key)
version, platform, serial = parse(
"SystemInfo(version='{}', platform='{}', serial='{}')",
str(fw.refresh_system_info())).fixed
logger.debug('FW version={}:FW platform={}: FW serial={}'.format(
version, platform, serial))
return fw
except Exception as e:
logger.error('Cannot connect to PAN:{}'.format(str(e)))
return None
def get_fw_connection():
"""
Make firewall connection
Returns
-------
fw : Firewall
A PanDevice for firewall
"""
key = config.paloalto['key']
fw_ip = config.paloalto['firewall_ip']
fw = firewall.Firewall(hostname=fw_ip, api_key=key)
return fw
def test_vsys_xpath_unchanged():
expected = "/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys3']"
c = firewall.Firewall('127.0.0.1', 'admin', 'admin')
c.vsys = 'vsys3'
assert expected == c.xpath_vsys()
c.vsys = None
vsys = device.Vsys('vsys3')
c.add(vsys)
assert expected == vsys.xpath_vsys()
zone = network.Zone('myzone')
vsys.add(zone)
assert expected == zone.xpath_vsys()
def lambda_handler(event, context):
print("[Lambda handler]Received event: " + json.dumps(event, indent=2))
fw_ip = os.environ['FWIP']
username = os.environ['USERNAME']
password = os.environ['PASSWORD']
untrust_zone_name = os.environ['UNTRUST_ZONE']
trust_zone_name = os.environ['TRUST_ZONE']
security_rule_name = os.environ['SECURITY_RULE_NAME']
rule_action = os.environ.get('RULE_ACTION', 'deny')
guard_duty_dag_name = os.environ.get("GD_DAG_NAME", "default_gd_dag_name")
tag_for_gd_ips = os.environ.get("FW_DAG_TAG", "AWS:GD")
print("Establish a connection with the firewall")
fw = firewall.Firewall(fw_ip, username, password)
group_name='pan_gd_dag'
print("Process threat intelligence.")
returned_ips = handle_gd_threat_intel(event, context)
all_address_groups, _ = get_all_address_group(fw)
print ("The following is a list of exists DAGS on the FW: {}".format(all_address_groups))
if guard_duty_dag_name not in all_address_groups:
print("DAG with name {} does not exist on the Firewall".format(group_name))
print("Process / handle the creation of the DAG with Tag: {}".format(tag_for_gd_ips))
handle_dags(fw, guard_duty_dag_name, tag_for_gd_ips)
else:
print("DAG with name {} already exists on the Firewall.".format(guard_duty_dag_name))
print("Process / handle the creation of ip to tag registrations")
if type(returned_ips) == list:
for ip in returned_ips:
print("Register IP {}".format(ip))
handle_dag_ip(fw, ip, tag_for_gd_ips)
else:
print("Register First IP {}".format(returned_ips))
handle_dag_ip(fw, returned_ips, tag_for_gd_ips)
print("Process / handle the creation of security rules.")
handle_security_rule(fw, security_rule_name,
'Rules based on Guard Duty',
untrust_zone_name, trust_zone_name,
[guard_duty_dag_name], rule_action)
fw.commit(sync=True)
print("All operations done...")
def jobOneStatus(fqdn, user, passwd):
try:
fw = firewall.Firewall(fqdn["fqdn"],
api_username=user,
api_password=passwd)
xml = fw.op("<show><jobs><id>1</id></jobs></show>",
cmd_xml=False,
xml=True)
parsedDoc = xmltodict.parse(xml)
status = parsedDoc['response']['result']['job']['status']
if status == 'FIN':
print("Success on...", fqdn["app"])
return True
else:
return False
except:
print("Failed....!!")
return False
def deploy_interface():
fw_deploy = request.form.get('firewall')
for i in Creds.objects:
fwip = i.fwip.encode('utf-8')
username = i.username.encode('utf-8')
password = i.password.encode('utf-8')
if fwip == None:
error = 'ERR2222-No creds in the Creds DB. Log out and login again'
return render_template('main/dberror.html')
ints = []
# get info from firewall...must have active interfaces
fw = firewall.Firewall(fwip, username, password)
interfaces = network.EthernetInterface.refreshall(fw, add=False)
for eth in interfaces:
ints.append(eth)
return render_template('main/interface_chooser.html',
interfaces=ints,
fwip=fwip)
def lambda_handler(event, context):
print("[Lambda handler]Received event: " + json.dumps(event, indent=2))
fw_ip = os.environ['FWIP']
username = os.environ['USERNAME']
password = os.environ['PASSWORD']
print("Establish a connection with the firewall")
fw = firewall.Firewall(fw_ip, username, password)
group_name = 'pan_gd_dag'
print("Process threat intelligence.")
ipAddressV4 = handle_gd_threat_intel(event, context)
print("Process / handle the creation of DAGs")
handle_dags(fw, group_name, 'Recon:IAMUser')
print("Process / handle the creation of ip to tag registrations")
handle_dag_tags(fw, ipAddressV4, 'Recon:IAMUser')
print("Process / handle the creation of security rules.")
handle_security_rule(fw, 'aws_gd_source_rules',
'Rules based on Guard Duty', 'external', 'web',
[group_name], 'deny')
fw.commit(sync=True)
print("All operations done...")
def mainx():
'''
capture login info
'''
# Get the credentials from the user
username = request.form.get('username')
password = request.form.get('password')
fwip = request.form.get('fwip')
# Clear creds for storing
Creds.objects().delete()
creds = Creds(fwip=fwip, username=username, password=password)
try:
creds.save()
except:
error = 'ERR002-Failed to save creds to the database'
return render_template('main/dberror.html')
# First, let's create the firewall object that we want to modify.
fw = firewall.Firewall(fwip, username, password)
banner = 'You authenticated using %s credentials' % (fwip)
return render_template('main/mainx.html', banner=banner)
def get_7K_info(device_dict, collection):
"""
Checks Palo firewall to see if model and family are in the 7K family,
sets variables, and then gets 7K info
Parameters
----------
device_dict : dict
A dictionary of Panorama connected devices
collection : Collection
A MongoDB database collection
"""
logger.info('Starting')
key = config.paloalto['key']
for device in device_dict:
fw_dict = device_dict.get(device)
model = fw_dict.get('model')
ip_addr = fw_dict.get('ip-address')
if model == 'PA-7080':
smc_slot = '6'
lpc_slot = '7'
ps_total = 8
slot_total = 12
elif model == 'PA-7050':
smc_slot = '4'
lpc_slot = '8'
ps_total = 4
slot_total = 8
fw = firewall.Firewall(hostname=ip_addr, api_key=key)
get_7K_chassis_info(fw, collection, ip_addr, slot_total)
get_7K_power_info(fw, collection, ip_addr, smc_slot, ps_total)
get_7K_fan_info(fw, collection, ip_addr, smc_slot)
get_7K_amc_info(fw, collection, ip_addr, lpc_slot)
def __init__(self, username, password, ip, ike_profile, ipsec_profile,
ike_gw, ipsec_tunnel, tunnel_interface):
"""
@param ike_gws
@type dict
@param ipsec_tunnels
@type list
@param tunnel_interfaces
@type dict
"""
self.username = username
self.password = password
self.ip = ip
self.fw_dev_hndl = firewall.Firewall(self.ip, self.username,
self.password)
self.ike_profile = ike_profile
self.ipsec_profile = ipsec_profile
self.ipsec_tunnels = ipsec_tunnel
self.ike_gws = ike_gw
self.tunnel_interfaces = tunnel_interface
def local_lambda_handler(fw_ip, username, password,ipaddress_list):
"""
This function is intended primarily for testing
purposes and to be invoked directly from the
shell.
:param fw_ip:
:param username:
:param context:
:return:
"""
fw = firewall.Firewall(fw_ip, username, password)
group_name = 'local_pan_gd_dag'
print("Process threat intelligence.")
ipAddressV4 = ipaddress
print("Process / handle the creation of DAGs")
all_address_groups, _ = get_all_address_group(fw)
print all_address_groups
if group_name not in all_address_groups:
print("DAG with name {} does not exist on the Firewall".format(group_name))
handle_dags(fw, group_name, 'Recon:IAMUser')
else:
print("DAG with name {} already exists on the Firewall.".format(group_name))
print("Process / handle the creation of ip to tag registrations")
for ip in ipaddress_list:
print("Register IP {}".format(ip))
handle_dag_ip(fw, ip, 'Recon:IAMUser')
print("Process / handle the creation of security rules.")
handle_security_rule(fw, 'local_aws_gd_source_rules',
'Rules based on Guard Duty',
untrust_zone_name, trust_zone_name,
[group_name], 'deny')
fw.commit(sync=True)
print("All operations done...")
def _check(obj, vsys, with_pano, chk_import=False):
if chk_import:
func = 'xpath_import_base'
else:
func = 'xpath'
fw = firewall.Firewall('127.0.0.1', 'admin', 'admin', serial='01234567890')
fw.vsys = vsys
fw.add(obj)
if with_pano:
pano = panorama.Panorama('127.0.0.1', 'admin2', 'admin2')
pano.add(fw)
expected = getattr(obj, func)()
fw.remove(obj)
fw.vsys = None
vsys = device.Vsys(vsys or 'vsys1')
fw.add(vsys)
vsys.add(obj)
result = getattr(obj, func)()
assert expected == result
def init():
'''
Environment variables:
PD_USERNAME
PD_PASSWORD
PD_PANORAMAS
PD_FIREWALLS
'''
global live_devices
global one_fw_per_version
global one_device_per_version
global one_panorama_per_version
global ha_pairs
global panorama_fw_combinations
# Get os.environ stuff to set the live_devices global.
try:
username = os.environ['PD_USERNAME']
password = os.environ['PD_PASSWORD']
panos = os.environ['PD_PANORAMAS'].split()
fws = os.environ['PD_FIREWALLS'].split()
except KeyError as e:
print('NOT RUNNING LIVE TESTS - missing "{0}"'.format(e))
return
# Add each panorama to the live_devices.
for hostname in panos:
c = panorama.Panorama(hostname, username, password)
try:
c.refresh_system_info()
except Exception as e:
raise ValueError('Failed to connect to panorama {0}: {1}'.format(
hostname, e))
# There should only be one panorama per version.
version = c._version_info
if version in live_devices:
raise ValueError('Two panoramas, same version: {0} and {1}'.format(
live_devices[version]['pano'].hostname, hostname))
live_devices.setdefault(version, {'fws': [], 'pano': None})
live_devices[version]['pano'] = c
# Add each firewall to the live_devices.
for hostname in fws:
c = firewall.Firewall(hostname, username, password)
try:
c.refresh_system_info()
except Exception as e:
raise ValueError('Failed to connect to firewall {0}: {1}'.format(
hostname, e))
# Multiple firewalls are allowed per version, but only ever the first
# two will be used.
version = c._version_info
live_devices.setdefault(version, {'fws': [], 'pano': None})
live_devices[version]['fws'].append(c)
# Set:
# one_fw_per_version
# one_device_type_per_version
# one_panorama_per_version
for version in live_devices:
pano = live_devices[version]['pano']
fws = live_devices[version]['fws']
if fws:
fw = random.choice(fws)
one_device_type_per_version.append((fw, desc(fw=version)))
one_fw_per_version.append((fw, desc(fw=version)))
if pano is not None:
one_panorama_per_version.append((pano, desc(pano=version)))
one_device_type_per_version.append((pano, desc(pano=version)))
# Set: ha_pairs
for version in live_devices:
fws = live_devices[version]['fws']
if len(fws) >= 2:
ha_pairs.append((fws[:2], version))
# Set panorama_fw_combinations
for pano_version in live_devices:
pano = live_devices[pano_version]['pano']
if pano is None:
continue
for fw_version in live_devices:
fws = live_devices[fw_version]['fws']
if not fws or pano_version < fw_version:
continue
fw = random.choice(fws)
panorama_fw_combinations.append((
(pano, fw),
desc(pano_version, fw_version),
))
def init_fw_handle(self):
"""
Initialize a handle to the firewall
"""
self.fw_hndl = firewall.Firewall(self.fw_ip, self.u_name, self.paswd)
print self.fw_hndl.refresh_system_info()
def main(username, password, rg_name, azure_region):
"""
Main function
:param username:
:param password:
:param rg_name: Resource group name prefix
:param azure_region: Region
:return:
"""
username = username
password = password
WebInBootstrap_vars = {'RG_Name': rg_name, 'Azure_Region': azure_region}
WebInDeploy_vars = {
'Admin_Username': username,
'Admin_Password': password,
'Azure_Region': azure_region
}
WebInFWConf_vars = {'Admin_Username': username, 'Admin_Password': password}
# Set run_plan to TRUE is you wish to run terraform plan before apply
run_plan = False
kwargs = {"auto-approve": True}
#
return_code, outputs = apply_tf('./WebInBootstrap', WebInBootstrap_vars,
'WebInBootstrap')
if return_code == 0:
share_prefix = 'jenkins-demo'
resource_group = outputs['Resource_Group']['value']
bootstrap_bucket = outputs['Bootstrap_Bucket']['value']
storage_account_access_key = outputs['Storage_Account_Access_Key'][
'value']
update_status('web_in_bootstrap_status', 'success')
else:
logger.info("WebInBootstrap failed")
update_status('web_in_bootstap_status', 'error')
print(json.dumps(status_output))
exit(1)
share_name = create_azure_fileshare(share_prefix, bootstrap_bucket,
storage_account_access_key)
WebInDeploy_vars.update(
{'Storage_Account_Access_Key': storage_account_access_key})
WebInDeploy_vars.update({'Bootstrap_Storage_Account': bootstrap_bucket})
WebInDeploy_vars.update({'RG_Name': resource_group})
WebInDeploy_vars.update({'Attack_RG_Name': resource_group})
WebInDeploy_vars.update({'Storage_Account_Fileshare': share_name})
#
# Build Infrastructure
#
#
return_code, web_in_deploy_output = apply_tf('./WebInDeploy',
WebInDeploy_vars,
'WebInDeploy')
logger.debug(
'Got Return code for deploy WebInDeploy {}'.format(return_code))
update_status('web_in_deploy_output', web_in_deploy_output)
if return_code == 0:
update_status('web_in_deploy_status', 'success')
albDns = web_in_deploy_output['ALB-DNS']['value']
fwMgt = web_in_deploy_output['MGT-IP-FW-1']['value']
nlbDns = web_in_deploy_output['NLB-DNS']['value']
fwMgtIP = web_in_deploy_output['MGT-IP-FW-1']['value']
logger.info("Got these values from output of WebInDeploy \n\n")
logger.info("AppGateway address is {}".format(albDns))
logger.info("Internal loadbalancer address is {}".format(nlbDns))
logger.info("Firewall Mgt address is {}".format(fwMgt))
else:
logger.info("WebInDeploy failed")
update_status('web_in_deploy_status', 'error')
print(json.dumps(status_output))
exit(1)
#
# Check firewall is up and running
#
#
api_key = getApiKey(fwMgtIP, username, password)
while True:
err = getFirewallStatus(fwMgtIP, api_key)
if err == 'cmd_error':
logger.info("Command error from fw ")
elif err == 'no':
logger.info("FW is not up...yet")
# print("FW is not up...yet")
time.sleep(60)
continue
elif err == 'almost':
logger.info("MGT up waiting for dataplane")
time.sleep(20)
continue
elif err == 'yes':
logger.info("FW is up")
break
logger.debug(
'Giving the FW another 10 seconds to fully come up to avoid race conditions'
)
time.sleep(10)
fw = firewall.Firewall(hostname=fwMgtIP,
api_username=username,
api_password=password)
logger.info("Updating firewall with latest content pack")
update_fw(fwMgtIP, api_key)
#
# Configure Firewall
#
WebInFWConf_vars.update({'FW_Mgmt_IP': fwMgtIP})
logger.info("Applying addtional config to firewall")
return_code, web_in_fw_conf_out = apply_tf('./WebInFWConf',
WebInFWConf_vars, 'WebInFWConf')
if return_code == 0:
update_status('web_in_fw_conf', 'success')
logger.info("WebInFWConf failed")
else:
logger.info("WebInFWConf failed")
update_status('web_in_deploy_status', 'error')
print(json.dumps(status_output))
exit(1)
logger.info("Commit changes to firewall")
fw.commit()
logger.info("waiting for commit")
time.sleep(60)
logger.info("waiting for commit")
#
# Check Jenkins
#
logger.info('Checking if Jenkins Server is ready')
res = getServerStatus(albDns)
if res == 'server_up':
logger.info('Jenkins Server is ready')
logger.info('\n\n ### Deployment Complete ###')
logger.info(
'\n\n Connect to Jenkins Server at http://{}'.format(albDns))
else:
logger.info('Jenkins Server is down')
logger.info('\n\n ### Deployment Complete ###')
# dump out status to stdout
print(json.dumps(status_output))
def fw_connect():
return firewall.Firewall(pano_addr, pano_user, pano_pass)
def main(username, password, aws_access_key, aws_secret_key, aws_region,
ec2_key_pair):
username = username
password = password
aws_access_key = aws_access_key
aws_secret_key = aws_secret_key
aws_region = aws_region
ec2_key_pair = ec2_key_pair
albDns = ''
nlbDns = ''
fwMgtIP = ''
WebInDeploy_vars = {
'aws_access_key': aws_access_key,
'aws_secret_key': aws_secret_key,
'aws_region': aws_region,
'ServerKeyName': ec2_key_pair,
# 'bootstrap_s3bucket': bootstrap_bucket
}
waf_conf_vars = {
'aws_access_key': aws_access_key,
'aws_secret_key': aws_secret_key,
'aws_region': aws_region,
'ServerKeyName': ec2_key_pair,
'alb_arn': albDns,
'nlb-dns': nlbDns
}
WebInFWConf_vars = {
'aws_access_key': aws_access_key,
'aws_secret_key': aws_secret_key,
'aws_region': aws_region,
'ServerKeyName': ec2_key_pair,
'mgt-ipaddress-fw1': fwMgtIP,
'nlb-dns': nlbDns,
'username': username,
'password': password
}
# # Set run_plan to TRUE is you wish to run terraform plan before apply
run_plan = False
kwargs = {"auto-approve": True}
#
return_code, web_in_deploy_output = apply_tf('./WebInDeploy',
WebInDeploy_vars,
'WebInDeploy')
logger.debug(
'Got Return code for deploy WebInDeploy {}'.format(return_code))
# update_status('web_in_deploy_stdout', stdout)
update_status('web_in_deploy_output', web_in_deploy_output)
if return_code == 0:
update_status('web_in_deploy_status', 'success')
albDns = web_in_deploy_output['ALB-DNS']['value']
fwMgtIP = web_in_deploy_output['MGT-IP-FW-1']['value']
nlbDns = web_in_deploy_output['NLB-DNS']['value']
fwMgtIP = web_in_deploy_output['MGT-IP-FW-1']['value']
logger.info("Got these values from output of WebInDeploy \n\n")
logger.info("AppGateway address is {}".format(albDns))
logger.info("Internal loadbalancer address is {}".format(nlbDns))
logger.info("Firewall Mgt address is {}".format(fwMgtIP))
else:
logger.info("WebInDeploy failed")
update_status('web_in_deploy_status', 'error')
print(json.dumps(status_output))
exit(1)
WebInFWConf_vars['mgt-ipaddress-fw1'] = fwMgtIP
WebInFWConf_vars['nlb-dns'] = nlbDns
WebInDeploy_vars['alb_dns'] = albDns
WebInDeploy_vars['nlb-dns'] = nlbDns
#
# Apply WAF Rules
#
return_code, waf_conf_out = apply_tf('./waf_conf', waf_conf_vars,
'Waf_conf')
logger.debug('Got Return code for deploy waf_conf {}'.format(return_code))
update_status('waf_conf_output', waf_conf_out)
# update_status('waf_conf_stdout', stdout)
# update_status('waf_conf_stderr', stderr
logger.debug('Got Return code to deploy waf_conf {}'.format(return_code))
if return_code == 0:
update_status('waf_conf_status', 'success')
else:
logger.info("waf_conf failed")
update_status('waf_conf_status', 'error')
print(json.dumps(status_output))
exit(1)
#
# Check firewall is up and running
# #
api_key = getApiKey(fwMgtIP, username, password)
#FIXME Add timeout after 3 minutes
while True:
err = getFirewallStatus(fwMgtIP, api_key)
if err == 'cmd_error':
logger.info("Command error from fw ")
elif err == 'no':
logger.info("FW is not up...yet")
# print("FW is not up...yet")
time.sleep(60)
continue
elif err == 'almost':
logger.info("MGT up waiting for dataplane")
time.sleep(20)
continue
elif err == 'yes':
logger.info("FW is up")
break
logger.debug(
'Giving the FW another 10 seconds to fully come up to avoid race conditions'
)
time.sleep(10)
fw = firewall.Firewall(hostname=fwMgtIP,
api_username=username,
api_password=password)
logger.info("Updating firewall with latest content pack")
update_fw(fwMgtIP, api_key)
#
# Configure Firewall
#
return_code, web_in_fw_conf_out = apply_tf('./WebInFWConf',
WebInFWConf_vars, 'WebInFWConf')
if return_code == 0:
update_status('web_in_fw_conf', 'success')
logger.info("WebInFWConf success")
else:
logger.info("WebInFWConf failed")
update_status('web_in_deploy_status', 'error')
print(json.dumps(status_output))
exit(1)
logger.info("Commit changes to firewall")
fw.commit()
time.sleep(60)
logger.info("waiting for commit")
#
# Check Jenkins
#
logger.info('Checking if Jenkins Server is ready')
res = getServerStatus(albDns)
if res == 'server_up':
logger.info('Jenkins Server is ready')
logger.info('\n\n ### Deployment Complete ###')
logger.info(
'\n\n Connect to Jenkins Server at http://{}'.format(albDns))
else:
logger.info('Jenkins Server is down')
logger.info('\n\n ### Deployment Complete ###')
def main(username, password, aws_access_key, aws_secret_key, aws_region,
ec2_key_pair, bootstrap_bucket):
username = username
password = password
aws_access_key = aws_access_key
aws_secret_key = aws_secret_key
aws_region = aws_region
ec2_key_pair = ec2_key_pair
albDns = ''
nlbDns = ''
fwMgt = ''
default_vars = {
'aws_access_key': aws_access_key,
'aws_secret_key': aws_secret_key,
'aws_region': aws_region
}
WebInDeploy_vars = {
'aws_access_key': aws_access_key,
'aws_secret_key': aws_secret_key,
'aws_region': aws_region,
'ServerKeyName': ec2_key_pair,
'bootstrap_s3bucket': bootstrap_bucket
}
waf_conf_vars = {
'aws_access_key': aws_access_key,
'aws_secret_key': aws_secret_key,
'aws_region': aws_region,
'ServerKeyName': ec2_key_pair,
'alb_arn': albDns,
'nlb-dns': nlbDns
}
WebInFWConf_vars = {
'aws_access_key': aws_access_key,
'aws_secret_key': aws_secret_key,
'aws_region': aws_region,
'ServerKeyName': ec2_key_pair,
'mgt-ipaddress-fw1': fwMgt,
'nlb-dns': nlbDns,
'username': username,
'password': password
}
# Set run_plan to TRUE is you wish to run terraform plan before apply
run_plan = False
kwargs = {"auto-approve": True}
# Class Terraform uses subprocess and setting capture_output to True will capture output
capture_output = kwargs.pop('capture_output', False)
if capture_output is True:
stderr = subprocess.PIPE
stdout = subprocess.PIPE
else:
# if capture output is False, then everything will essentially go to stdout and stderrf
stderr = sys.stderr
stdout = sys.stdout
start_time = time.asctime()
print(f'Starting Deployment at {start_time}\n')
# Build Infrastructure
tf = Terraform(working_dir='./WebInDeploy')
tf.cmd('init')
if run_plan:
# print('Calling tf.plan')
tf.plan(capture_output=False, var=WebInDeploy_vars)
return_code1, stdout, stderr = tf.apply(var=WebInDeploy_vars,
capture_output=capture_output,
skip_plan=True,
**kwargs)
web_in_deploy_output = tf.output()
logger.debug(
'Got Return code for deploy WebInDeploy {}'.format(return_code1))
# update_status('web_in_deploy_stdout', stdout)
update_status('web_in_deploy_output', web_in_deploy_output)
if return_code1 != 0:
logger.info("WebInDeploy failed")
update_status('web_in_deploy_status', 'error')
update_status('web_in_deploy_stderr', stderr)
print(json.dumps(status_output))
exit(1)
else:
update_status('web_in_deploy_status', 'success')
albDns = tf.output('ALB-DNS')
fwMgt = tf.output('MGT-IP-FW-1')
nlbDns = tf.output('NLB-DNS')
fwMgtIP = fwMgt
WebInFWConf_vars['mgt-ipaddress-fw1'] = fwMgt
WebInFWConf_vars['nlb-dns'] = nlbDns
WebInDeploy_vars['alb_dns'] = albDns
WebInDeploy_vars['nlb-dns'] = nlbDns
#
# Apply WAF Rules
#
tf = Terraform(working_dir='./waf_conf')
tf.cmd('init')
kwargs = {"auto-approve": True}
logger.info("Applying WAF config to App LB")
if run_plan:
tf.plan(capture_output=capture_output, var=vars, **kwargs)
return_code3, stdout, stderr = tf.apply(capture_output=capture_output,
skip_plan=True,
var=waf_conf_vars,
**kwargs)
waf_conf_out = tf.output()
update_status('waf_conf_output', waf_conf_out)
# update_status('waf_conf_stdout', stdout)
# update_status('waf_conf_stderr', stderr)
logger.debug('Got Return code to deploy waf_conf {}'.format(return_code3))
if return_code3 != 0:
logger.info("waf_conf failed")
update_status('waf_conf_status', 'error')
update_status('waf_conf_stderr', stderr)
print(json.dumps(status_output))
exit(1)
else:
update_status('waf_conf_status', 'success')
logger.info("Got these values from output of first run\n\n")
logger.info("ALB address is {}".format(albDns))
logger.info("nlb address is {}".format(nlbDns))
logger.info("Firewall Mgt address is {}".format(fwMgt))
#
# Check firewall is up and running
# #
api_key = getApiKey(fwMgtIP, username, password)
while True:
err = getFirewallStatus(fwMgtIP, api_key)
if err == 'cmd_error':
logger.info("Command error from fw ")
elif err == 'no':
logger.info("FW is not up...yet")
# print("FW is not up...yet")
time.sleep(60)
continue
elif err == 'almost':
logger.info("MGT up waiting for dataplane")
time.sleep(20)
continue
elif err == 'yes':
logger.info("FW is up")
break
logger.debug(
'Giving the FW another 10 seconds to fully come up to avoid race conditions'
)
time.sleep(10)
fw = firewall.Firewall(hostname=fwMgtIP,
api_username=username,
api_password=password)
logger.info("Updating firewall with latest content pack")
update_fw(fwMgtIP, api_key)
updateHandle = updater.ContentUpdater(fw)
# updateHandle.download(fw)
# logger.info("Waiting 3 minutes for content update to download")
# time.sleep(210)
# updateHandle.install()
#
# Configure Firewall
#
tf = Terraform(working_dir='./WebInFWConf')
tf.cmd('init')
kwargs = {"auto-approve": True}
logger.info("Applying addtional config to firewall")
WebInFWConf_vars['mgt-ipaddress-fw1'] = fwMgt
if run_plan:
tf.plan(capture_output=capture_output, var=WebInFWConf_vars)
# update initial vars with generated fwMgt ip
return_code2, stdout, stderr = tf.apply(capture_output=capture_output,
skip_plan=True,
var=WebInFWConf_vars,
**kwargs)
web_in_fw_conf_out = tf.output()
update_status('web_in_fw_conf_output', web_in_fw_conf_out)
# update_status('web_in_fw_conf_stdout', stdout)
logger.debug(
'Got Return code for deploy WebInFwConf {}'.format(return_code2))
if return_code2 != 0:
logger.error("WebFWConfy failed")
update_status('web_in_fw_conf_status', 'error')
update_status('web_in_fw_conf_stderr', stderr)
print(json.dumps(status_output))
exit(1)
else:
update_status('web_in_fw_conf_status', 'success')
logger.info("Commit changes to firewall")
fw.commit()
logger.info("waiting for commit")
time.sleep(60)
logger.info("waiting for commit")
#
# Check Jenkins
#
logger.info('Checking if Jenkins Server is ready')
# FIXME - add outputs for all 3 dirs
res = getServerStatus(albDns)
if res == 'server_up':
logger.info('Jenkins Server is ready')
logger.info('\n\n ### Deployment Complete ###')
logger.info(
'\n\n Connect to Jenkins Server at http://{}'.format(albDns))
else:
logger.info('Jenkins Server is down')
logger.info('\n\n ### Deployment Complete ###')
# dump out status to stdout
print(json.dumps(status_output))
def main(fwUsername, fwPasswd):
albDns = ''
nlbDns = ''
fwMgt = ''
# Set run_plan to TRUE is you wish to run terraform plan before apply
run_plan = False
deployment_status = {}
kwargs = {"auto-approve": True}
# Class Terraform uses subprocess and setting capture_output to True will capture output
# capture_output = kwargs.pop('capture_output', True)
#
# if capture_output is True:
# stderr = subprocess.PIPE
# stdout = subprocess.PIPE
# else:
# stderr = sys.stderr
# stdout = sys.stdout
#
# Build Infrastructure
#
tf = Terraform(working_dir='./WebInDeploy')
tf.cmd('init')
if run_plan:
print('Calling tf.plan')
tf.plan(capture_output=False)
return_code1, stdout, stderr = tf.apply(capture_output=False,
skip_plan=True,
**kwargs)
#return_code1 =0
print('Got return code {}'.format(return_code1))
if return_code1 != 0:
logger.info("WebInDeploy failed")
deployment_status = {'WebInDeploy': 'Fail'}
write_status_file(deployment_status)
exit()
else:
deployment_status = {'WebInDeploy': 'Success'}
write_status_file(deployment_status)
albDns = tf.output('ALB-DNS')
fwMgt = tf.output('MGT-IP-FW-1')
nlbDns = tf.output('NLB-DNS')
# fwUsername = "******"
# fwPasswd = "PaloAlt0!123!!"
fw_trust_ip = fwMgt
#
# Apply WAF Rules
#
tf = Terraform(working_dir='./waf_conf')
tf.cmd('init')
kwargs = {"auto-approve": True}
logger.info("Applying WAF config to App LB")
if run_plan:
tf.plan(capture_output=False, var={'alb_arn': nlbDns}, **kwargs)
return_code3, stdout, stderr = tf.apply(capture_output=False,
skip_plan=True,
var={
'alb_arn': nlbDns,
'int-nlb-fqdn': nlbDns
},
**kwargs)
if return_code3 != 0:
logger.info("waf_conf failed")
deployment_status.update({'waf_conf': 'Fail'})
write_status_file(deployment_status)
exit()
else:
deployment_status.update({'waf_conf': 'Success'})
write_status_file(deployment_status)
logger.info("Got these values from output of first run\n\n")
logger.info("ALB address is {}".format(albDns))
logger.info("nlb address is {}".format(nlbDns))
logger.info("Firewall Mgt address is {}".format(fwMgt))
#
# Check firewall is up and running
#
class FWNotUpException(Exception):
pass
err = 'no'
api_key = ''
api_key = getApiKey(fw_trust_ip, fwUsername, fwPasswd)
while True:
err = getFirewallStatus(fw_trust_ip, api_key)
if err == 'cmd_error':
logger.info("Command error from fw ")
#raise FWNotUpException('FW is not up! Request Timeout')
elif err == 'no':
logger.info("FW is not up...yet")
print("FW is not up...yet")
time.sleep(60)
continue
#raise FWNotUpException('FW is not up!')
elif err == 'almost':
logger.info("MGT up waiting for dataplane")
time.sleep(20)
continue
elif err == 'yes':
logger.info("[INFO]: FW is up")
break
fw = firewall.Firewall(hostname=fw_trust_ip,
api_username=fwUsername,
api_password=fwPasswd)
logger.info("Updating firewall with latest content pack")
updateHandle = updater.ContentUpdater(fw)
updateHandle.download()
logger.info("Waiting 3 minutes for content update to download")
time.sleep(210)
updateHandle.install()
#
# Configure Firewall
#
tf = Terraform(working_dir='./WebInFWConf')
tf.cmd('init')
kwargs = {"auto-approve": True}
logger.info("Applying addtional config to firewall")
if run_plan:
tf.plan(capture_output=False,
var={
'mgt-ipaddress-fw1': fwMgt,
'int-nlb-fqdn': nlbDns
})
return_code2, stdout, stderr = tf.apply(capture_output=False,
skip_plan=True,
var={
'mgt-ipaddress-fw1': fwMgt,
'nlb-dns': nlbDns,
'aws_access_key':
aws_access_key,
'aws_secret_key':
aws_secret_key
},
**kwargs)
#return_code2 = 0
if return_code2 != 0:
logger.info("WebFWConfy failed")
deployment_status.update({'WebFWConfy': 'Fail'})
write_status_file(deployment_status)
exit()
else:
deployment_status.update({'WebFWConf': 'Success'})
write_status_file(deployment_status)
logger.info("Commit changes to firewall")
fw.commit()
logger.info('Checking if Jenkins Server is ready')
# tf = Terraform(working_dir='./WebInDeploy')
# albDns = tf.output('ALB-DNS')
count = 0
max_tries = 3
while True:
if count < max_tries:
res = getServerStatus(albDns)
if res == 'server_down':
count = count + 1
time.sleep(2)
continue
elif res == 'server_up':
break
else:
break
logger.info('Jenkins Server is ready')
logger.info('\n\n ### Deployment Complete ###')
logger.info('\n\n Connect to Jenkins Server at http://{}'.format(albDns))
for state in range(0,7):
if (zones[state][3]) == "present":
vlans.append(zones[state][1])
zones_names.append(zones[state][0])
routing_instance.append(zones[state][2])
addresses.append(zones[state][4])
# Before we begin, you'll need to use the pandevice documentation both
# for this example and for any scripts you may write for yourself. The
# docs can be found here:
#
# http://pandevice.readthedocs.io/en/latest/reference.html
#
# First, let's create the firewall object that we want to modify.
fw = firewall.Firewall(HOSTNAME, USERNAME, PASSWORD)
print('Firewall system info: {0}'.format(fw.refresh_system_info()))
# Sanity Check #1: the intent here is that the interface we
# specified above should not already be in use. If the interface is
# already in use, then just quit out.
#Creates Untrust Interface
untrust_int = network.EthernetInterface("ethernet1/1", \
mode = "layer3", \
ip = untrust_cidr)
def main(username, password, GCP_region, Billing_Account):
"""
Main function
:param username:
:param password:
:param rg_name: Resource group name prefix
:param azure_region: Region
:return:
"""
username = username
password = password
# TODO maybe use a zone lookup but for now use region-B
GCP_Zone = GCP_region + '-b'
WebInDeploy_vars = {
'GCP_Zone': GCP_Zone,
'GCP_Region': GCP_region,
'Billing_Account': Billing_Account,
'Admin_Username': username,
'Admin_Password': password
}
WebInFWConf_vars = {'Admin_Username': username, 'Admin_Password': password}
# Set run_plan to TRUE is you wish to run terraform plan before apply
run_plan = False
kwargs = {"auto-approve": True}
#
# Build Infrastructure
#
#
return_code, web_in_deploy_output = apply_tf('./WebInDeploy',
WebInDeploy_vars,
'WebInDeploy')
logger.debug(
'Got Return code for deploy WebInDeploy {}'.format(return_code))
update_status('web_in_deploy_output', web_in_deploy_output)
if return_code == 0:
update_status('web_in_deploy_status', 'success')
albDns = web_in_deploy_output['ALB-DNS']['value']
nlbDns = web_in_deploy_output['NATIVE-DNS']['value']
fwMgtIP = web_in_deploy_output['FW_Mgmt_IP']['value']
logger.info("Got these values from output of WebInDeploy \n\n")
logger.info("AppGateway address is {}".format(albDns))
logger.info("Firewall Mgt address is {}".format(fwMgtIP))
else:
logger.info("WebInDeploy failed")
update_status('web_in_deploy_status', 'error')
print(json.dumps(status_output))
exit(1)
#
# Check firewall is up and running
#
#
api_key = getApiKey(fwMgtIP, username, password)
while True:
err = getFirewallStatus(fwMgtIP, api_key)
if err == 'cmd_error':
logger.info("Command error from fw ")
elif err == 'no':
logger.info("FW is not up...yet")
# print("FW is not up...yet")
time.sleep(60)
continue
elif err == 'almost':
logger.info("MGT up waiting for dataplane")
time.sleep(20)
continue
elif err == 'yes':
logger.info("FW is up")
break
logger.debug(
'Giving the FW another 10 seconds to fully come up to avoid race conditions'
)
time.sleep(10)
fw = firewall.Firewall(hostname=fwMgtIP,
api_username=username,
api_password=password)
logger.info("Updating firewall with latest content pack")
update_fw(fwMgtIP, api_key)
#
# Configure Firewall
#
WebInFWConf_vars.update({'FW_Mgmt_IP': fwMgtIP})
logger.info("Applying addtional config to firewall")
return_code, web_in_fw_conf_out = apply_tf('./WebInFWConf',
WebInFWConf_vars, 'WebInFWConf')
logger.debug('Got return code {}'.format(return_code))
if return_code == 0:
update_status('web_in_fw_conf', 'success')
logger.info("WebInFWConf succeeded")
else:
logger.info("WebInFWConf failed")
update_status('web_in_deploy_status', 'error')
print(json.dumps(status_output))
exit(1)
logger.info("Commit changes to firewall")
fw.commit()
logger.info("waiting for commit")
time.sleep(60)
logger.info("waiting for commit")
#
# Check Jenkins
#
logger.info('Checking if Jenkins Server is ready')
res = getServerStatus(albDns)
if res == 'server_up':
logger.info('Jenkins Server is ready')
logger.info('\n\n ### Deployment Complete ###')
logger.info(
'\n\n Connect to Jenkins Server at http://{}'.format(albDns))
else:
logger.info('Jenkins Server is down')
logger.info('\n\n ### Deployment Complete ###')
# dump out status to stdout
print(json.dumps(status_output))
def main(username, password, rg_name, azure_region):
username = username
password = password
WebInBootstrap_vars = {'RG_Name': rg_name, 'Azure_Region': azure_region}
WebInDeploy_vars = {
'Admin_Username': username,
'Admin_Password': password,
'Azure_Region': azure_region
}
WebInFWConf_vars = {'Admin_Username': username, 'Admin_Password': password}
# Set run_plan to TRUE is you wish to run terraform plan before apply
run_plan = False
kwargs = {"auto-approve": True}
# Class Terraform uses subprocess and setting capture_output to True will capture output
capture_output = kwargs.pop('capture_output', False)
if capture_output is True:
stderr = subprocess.PIPE
stdout = subprocess.PIPE
else:
# if capture output is False, then everything will essentially go to stdout and stderrf
stderr = sys.stderr
stdout = sys.stdout
start_time = time.asctime()
print(f'Starting Deployment at {start_time}\n')
# Create Bootstrap
tf = Terraform(working_dir='./WebInBootstrap')
tf.cmd('init')
if run_plan:
# print('Calling tf.plan')
tf.plan(capture_output=False)
return_code1, stdout, stderr = tf.apply(vars=WebInBootstrap_vars,
capture_output=capture_output,
skip_plan=True,
**kwargs)
resource_group = tf.output('Resource_Group')
bootstrap_bucket = tf.output('Bootstrap_Bucket')
storage_account_access_key = tf.output('Storage_Account_Access_Key')
web_in_bootstrap_output = tf.output()
logger.debug(
'Got Return code for deploy WebInDeploy {}'.format(return_code1))
update_status('web_in_deploy_stdout', stdout)
update_status('web_in_bootstrap_output', web_in_bootstrap_output)
if return_code1 != 0:
logger.info("WebInBootstrap failed")
update_status('web_in_bootstap_status', 'error')
update_status('web_in_bootstrap_stderr', stderr)
print(json.dumps(status_output))
exit(1)
else:
update_status('web_in_bootstrap_status', 'success')
share_prefix = 'jenkins-demo'
share_name = create_azure_fileshare(share_prefix, bootstrap_bucket,
storage_account_access_key)
WebInDeploy_vars.update(
{'Storage_Account_Access_Key': storage_account_access_key})
WebInDeploy_vars.update({'Bootstrap_Storage_Account': bootstrap_bucket})
WebInDeploy_vars.update({'RG_Name': resource_group})
WebInDeploy_vars.update({'Attack_RG_Name': resource_group})
WebInDeploy_vars.update({'Storage_Account_Fileshare': share_name})
# Build Infrastructure
tf = Terraform(working_dir='./WebInDeploy')
# print("vars {}".format(WebInDeploy_vars))
tf.cmd('init')
if run_plan:
# print('Calling tf.plan')
tf.plan(capture_output=False, var=WebInDeploy_vars)
return_code1, stdout, stderr = tf.apply(var=WebInDeploy_vars,
capture_output=capture_output,
skip_plan=True,
**kwargs)
web_in_deploy_output = tf.output()
logger.debug(
'Got Return code for deploy WebInDeploy {}'.format(return_code1))
update_status('web_in_deploy_stdout', stdout)
update_status('web_in_deploy_output', web_in_deploy_output)
if return_code1 != 0:
logger.info("WebInDeploy failed")
update_status('web_in_deploy_status', 'error')
update_status('web_in_deploy_stderr', stderr)
print(json.dumps(status_output))
exit(1)
else:
update_status('web_in_deploy_status', 'success')
albDns = tf.output('ALB-DNS')
fwMgt = tf.output('MGT-IP-FW-1')
nlbDns = tf.output('NLB-DNS')
fwMgtIP = tf.output('MGT-IP-FW-1')
logger.info("Got these values from output \n\n")
logger.info("AppGateway address is {}".format(albDns))
logger.info("Internal loadbalancer address is {}".format(nlbDns))
logger.info("Firewall Mgt address is {}".format(fwMgt))
#
# Check firewall is up and running
# #
api_key = getApiKey(fwMgtIP, username, password)
while True:
err = getFirewallStatus(fwMgtIP, api_key)
if err == 'cmd_error':
logger.info("Command error from fw ")
elif err == 'no':
logger.info("FW is not up...yet")
# print("FW is not up...yet")
time.sleep(60)
continue
elif err == 'almost':
logger.info("MGT up waiting for dataplane")
time.sleep(20)
continue
elif err == 'yes':
logger.info("FW is up")
break
logger.debug(
'Giving the FW another 10 seconds to fully come up to avoid race conditions'
)
time.sleep(10)
fw = firewall.Firewall(hostname=fwMgtIP,
api_username=username,
api_password=password)
logger.info("Updating firewall with latest content pack")
update_fw(fwMgtIP, api_key)
#
# Configure Firewall
#
WebInFWConf_vars.update({'FW_Mgmt_IP': fwMgtIP})
tf = Terraform(working_dir='./WebInFWConf')
tf.cmd('init')
kwargs = {"auto-approve": True}
logger.info("Applying addtional config to firewall")
WebInFWConf_vars['mgt-ipaddress-fw1'] = fwMgt
if run_plan:
tf.plan(capture_output=capture_output, var=WebInFWConf_vars)
# update initial vars with generated fwMgt ip
return_code2, stdout, stderr = tf.apply(capture_output=capture_output,
skip_plan=True,
var=WebInFWConf_vars,
**kwargs)
web_in_fw_conf_out = tf.output()
update_status('web_in_fw_conf_output', web_in_fw_conf_out)
# update_status('web_in_fw_conf_stdout', stdout)
logger.debug(
'Got Return code for deploy WebInFwConf {}'.format(return_code2))
if return_code2 != 0:
logger.error("WebInFWConf failed")
update_status('web_in_fw_conf_status', 'error')
update_status('web_in_fw_conf_stderr', stderr)
print(json.dumps(status_output))
exit(1)
else:
update_status('web_in_fw_conf_status', 'success')
logger.info("Commit changes to firewall")
fw.commit()
logger.info("waiting for commit")
time.sleep(60)
logger.info("waiting for commit")
#
# Check Jenkins
#
logger.info('Checking if Jenkins Server is ready')
# FIXME - add outputs for all 3 dirs
res = getServerStatus(albDns)
if res == 'server_up':
logger.info('Jenkins Server is ready')
logger.info('\n\n ### Deployment Complete ###')
logger.info(
'\n\n Connect to Jenkins Server at http://{}'.format(albDns))
else:
logger.info('Jenkins Server is down')
logger.info('\n\n ### Deployment Complete ###')
# dump out status to stdout
print(json.dumps(status_output))
