def run(self):
alertId = self.get_param('data.id')
response = self.api.get_alert(alertId)
ioc = None
ioc_clear = []
for i in list(response.json().get("artifacts")):
if 'url' in str(i):
ioc = i.get("data")
for i in ioc:
if i == "[" or i == "]":
continue
else:
ioc_clear.append(i)
ioc = "".join(ioc_clear)
fw = firewall.Firewall(self.hostname_PaloAltoNGFW,
api_username=self.User_PaloAltoNGFW,
api_password=self.Password_PaloAltoNGFW)
panos.objects.CustomUrlCategory.refreshall(fw)
block_list = fw.find(self.name_internal_URL_category,
panos.objects.CustomUrlCategory)
ioc_list = block_list.about().get('url_value')
if ioc not in ioc_list:
ioc_list.append(ioc)
temp1 = panos.objects.CustomUrlCategory(
self.name_internal_URL_category, url_value=ioc_list)
fw.add(temp1)
temp1.create()
self.report({'message': 'message sent'})
def run(self):
alertId = self.get_param('data.id')
response = self.api.get_alert(alertId)
ioc = None
ioc_clear = []
for i in list(response.json().get("artifacts")):
if 'ip' in str(i):
ioc = i.get("data")
for i in ioc:
if i == "[" or i == "]":
continue
else:
ioc_clear.append(i)
ioc = "".join(ioc_clear)
fw = firewall.Firewall(self.hostname_PaloAltoNGFW,
api_username=self.User_PaloAltoNGFW,
api_password=self.Password_PaloAltoNGFW)
panos.objects.AddressObject.refreshall(fw)
if ioc not in str(fw.find(ioc, panos.objects.AddressObject)):
new_ioc_object = panos.objects.AddressObject(
ioc, ioc, description="Blocked ip address")
fw.add(new_ioc_object)
new_ioc_object.create()
panos.objects.AddressGroup.refreshall(fw)
block_list = fw.find(self.name_external_Address_Group,
panos.objects.AddressGroup)
ioc_list = block_list.about().get('static_value')
if ioc not in ioc_list:
ioc_list.append(ioc)
temp1 = panos.objects.AddressGroup(
self.name_external_Address_Group, static_value=ioc_list)
fw.add(temp1)
temp1.apply()
self.report({'message': 'message sent'})
def run(self):
self.instance_type = self.get_param('data._type')
if self.instance_type == 'case_artifact':
user = self.get_param('data.data')
if self.instance_type == 'alert':
alertId = self.get_param('data.id')
response = self.api.get_alert(alertId)
user=None
user_list_alert=[]
for i in list(response.json().get("artifacts")):
if 'username' in str(i):
ioc = i.get("data")
for i in ioc:
if i == "[" or i == "]":
continue
else:
user_list_alert.append(i)
user="".join(user_list_alert)
if self.instance_type == 'case':
import requests
case_id = self.get_param('data._id')
payload = {
"query": { "_parent": { "_type": "case", "_query": { "_id": case_id } } },
"range": "all"
}
headers = { 'Content-Type': 'application/json', 'Authorization': 'Bearer {}'.format(self.TheHive_API_key) }
thehive_api_url_case_search = '{}/api/case/artifact/_search'.format(self.TheHive_instance)
r = requests.post(thehive_api_url_case_search, data=json.dumps(payload), headers=headers)
if r.status_code != requests.codes.ok:
self.error(json.dumps(r.text))
a=None
data = r.json()
for n in data:
if n.get('dataType') == 'username':
user=n.get('data')
fw = firewall.Firewall(self.hostname_PaloAltoNGFW, api_username=self.User_PaloAltoNGFW, api_password=self.Password_PaloAltoNGFW)
rulebase = panos.policies.Rulebase()
fw.add(rulebase)
current_security_rules =panos.policies.SecurityRule.refreshall(rulebase)
user_list=[]
for i in current_security_rules:
if i.about().get('name') == self.name_security_rule:
user_list=i.about().get("source_user")
if user not in user_list:
user_list.append(user)
if "any" in user_list:
user_list.remove("any")
desired_rule_params = None
for i in current_security_rules:
if self.name_security_rule == i.about().get("name"):
rule_atrib = i.about()
rule_atrib.update({"source_user": user_list})
desired_rule_params = rule_atrib
new_rule = panos.policies.SecurityRule(**desired_rule_params)
rulebase.add(new_rule)
new_rule.apply()
fw.commit()
self.report({'message': 'Responder successfully added %s to %s' % (user,self.name_security_rule)})
def run(self):
self.instance_type = self.get_param('data._type')
if self.instance_type == 'case_artifact':
ioc = self.get_param('data.data')
if self.instance_type == 'alert':
alertId = self.get_param('data.id')
response = self.api.get_alert(alertId)
ioc=None
ioc_clear=[]
for i in list(response.json().get("artifacts")):
if 'ip' in str(i):
ioc = i.get("data")
for i in ioc:
if i == "[" or i == "]":
continue
else:
ioc_clear.append(i)
ioc="".join(ioc_clear)
if self.instance_type == 'case':
import requests
case_id = self.get_param('data._id')
payload = {
"query": { "_parent": { "_type": "case", "_query": { "_id": case_id } } },
"range": "all"
}
headers = { 'Content-Type': 'application/json', 'Authorization': 'Bearer {}'.format(self.TheHive_API_key) }
thehive_api_url_case_search = '{}/api/case/artifact/_search'.format(self.TheHive_instance)
r = requests.post(thehive_api_url_case_search, data=json.dumps(payload), headers=headers)
if r.status_code != requests.codes.ok:
self.error(json.dumps(r.text))
a=None
data = r.json()
for n in data:
if n.get('dataType') == 'ip':
ioc=n.get('data')
fw = firewall.Firewall(self.hostname_PaloAltoNGFW, api_username=self.User_PaloAltoNGFW, api_password=self.Password_PaloAltoNGFW)
panos.objects.AddressGroup.refreshall(fw)
block_list = fw.find(self.name_external_Address_Group, panos.objects.AddressGroup)
ioc_list = block_list.about().get('static_value')
if f"thehive-{ioc}" in ioc_list:
ioc_list.remove(f"thehive-{ioc}")
temp1 = panos.objects.AddressGroup(self.name_external_Address_Group, static_value=ioc_list)
fw.add(temp1)
temp1.apply()
panos.objects.AddressObject.refreshall(fw)
if f"thehive-{ioc}" in str(fw.find(f"thehive-{ioc}", panos.objects.AddressObject)):
try:
deleted_ioc = fw.find(f"thehive-{ioc}", panos.objects.AddressObject)
deleted_ioc.delete()
except:
self.report({'message': 'Responder did not comlite. Warning in AddressObject'})
self.report({'message': 'Responder successfully deleted %s from %s' % (f"thehive-{ioc}",self.name_external_Address_Group)})
fw.commit()
def run(self):
alertId = self.get_param('data.id')
response = self.api.get_alert(alertId)
data_list = []
data = None
for i in response.json().get("artifacts"):
if "'port'," in str(i):
ioc = i.get("data")
data_list.append(i.get("data"))
elif "'protocol'," in str(i):
ioc = i.get("data")
data_list.append(i.get("data"))
data = " ".join(data_list)
protocol = re.findall(r'[a-z]+', str(data))
protocol = str("".join(protocol)).lower()
port = re.findall(r'[0-9]+', str(data))
port = "".join(port)
fw = firewall.Firewall(self.hostname_PaloAltoNGFW,
api_username=self.User_PaloAltoNGFW,
api_password=self.Password_PaloAltoNGFW)
panos.objects.ServiceGroup.refreshall(fw)
raise IOError("to")
block_list = fw.find(self.name_internal_Service_Group,
panos.objects.ServiceGroup)
port_list = block_list.about().get('value')
if port in port_list:
port_list.remove(port)
temp1 = panos.objects.ServiceGroup(
self.name_internal_Service_Group, value=port_list)
fw.add(temp1)
temp1.apply()
block_list = fw.find(self.name_external_Service_Group,
panos.objects.ServiceGroup)
port_list = block_list.about().get('value')
if port in port_list:
port_list.remove(port)
temp1 = panos.objects.ServiceGroup(
self.name_external_Service_Group, value=port_list)
fw.add(temp1)
temp1.apply()
panos.objects.ServiceObject.refreshall(fw)
if port in str(fw.find(port, panos.objects.ServiceObject)):
deleted_ioc = fw.find(port, panos.objects.ServiceObject)
deleted_ioc.delete()
self.report({'message': 'message sent'})
def test_vsys_xpath_unchanged():
expected = (
"/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys3']"
)
c = firewall.Firewall("127.0.0.1", "admin", "admin")
c.vsys = "vsys3"
assert expected == c.xpath_vsys()
c.vsys = None
vsys = device.Vsys("vsys3")
c.add(vsys)
assert expected == vsys.xpath_vsys()
zone = network.Zone("myzone")
vsys.add(zone)
assert expected == zone.xpath_vsys()
def _check(obj, vsys, with_pano, chk_import=False):
if chk_import:
func = "xpath_import_base"
else:
func = "xpath"
fw = firewall.Firewall("127.0.0.1", "admin", "admin", serial="01234567890")
fw.vsys = vsys
fw.add(obj)
if with_pano:
pano = panorama.Panorama("127.0.0.1", "admin2", "admin2")
pano.add(fw)
expected = getattr(obj, func)()
fw.remove(obj)
fw.vsys = None
vsys = device.Vsys(vsys or "vsys1")
fw.add(vsys)
vsys.add(obj)
result = getattr(obj, func)()
assert expected == result
def main():
# Before we begin, you'll need to use the pan-os-python documentation both
# for this example and for any scripts you may write for yourself. The
# docs can be found here:
#
# http://pan-os-python.readthedocs.io/en/latest/reference.html
#
# First, let's create the firewall object that we want to modify.
fw = firewall.Firewall(HOSTNAME, USERNAME, PASSWORD)
print("Firewall system info: {0}".format(fw.refresh_system_info()))
print("Desired interface: {0}".format(INTERFACE))
# Sanity Check #1: the intent here is that the interface we
# specified above should not already be in use. If the interface is
# already in use, then just quit out.
print("Making sure interface is not currently in use...")
interfaces = network.EthernetInterface.refreshall(fw, add=False)
for eth in interfaces:
if eth.name == INTERFACE:
print("Interface {0} already in use! Please choose another".format(
INTERFACE))
return
# Sanity Check #2: this has to be a multi-vsys system. So let's make
# sure that we have multiple vsys to work with. If there is only one
# vsys, quit out.
#
# Pulling the entire vsys config from each vsys is going to be large amount
# of XML, so we'll specify that we only need the names of the different
# vsys, not their entire subtrees.
vsys_list = device.Vsys.refreshall(fw, name_only=True)
print("Found the following vsys: {0}".format(vsys_list))
if len(vsys_list) < 2:
print("Only {0} vsys present, need 2 or more.".format(len(vsys_list)))
return
# Let's make our base interface that we're going to make subinterfaces
# out of.
print("Creating base interface {0} in layer2 mode".format(INTERFACE))
base = network.EthernetInterface(INTERFACE, "layer2")
# Like normal, after creating the object, we need to add it to the
# firewall, then finally invoke "create()" to create it.
fw.add(base)
base.create()
# Now let's go ahead and make all of our subinterfaces.
eth = None
for tag in range(1, 601):
name = "{0}.{1}".format(INTERFACE, tag)
eth = network.Layer2Subinterface(name, tag)
# Choose one of the vsys at random to put it into.
vsys = random.choice(vsys_list)
# Now add the subinterface to that randomly chosen vsys.
vsys.add(eth)
# You'll notice that we didn't invoke "create()" on the subinterfaces like
# you would expect. This is because we're going to use the bulk create
# function to create all of the subinterfaces in one shot, which has huge
# performance gains from doing "create()" on each subinterface one-by-one.
#
# The function we'll use is "create_similar()". Create similar is saying,
# "I want to create all objects similar to this one in my entire pan-os-python
# object tree." In this case, since we'd be invoking it on a subinterface
# of INTERFACE (our variable above), we are asking pan-os-python to create all
# subinterfaces of INTERFACE, no matter which vsys it exists in.
#
# We just need any subinterface to do this. Since our last subinterface
# was saved to the "eth" variable in the above loop, we can just use that
# to invoke "create_similar()".
print("Creating subinterfaces...")
start = datetime.datetime.now()
eth.create_similar()
print("Creating subinterfaces took: {0}".format(datetime.datetime.now() -
start))
# Now let's explore updating them. Let's say this is a completely
# different script, and we want to update all of the subinterfaces
# for INTERFACE. Since this is a completely new script, we don't have any
# information other than the firewall and the interface INTERFACE. So
# let's start from scratch at this point, and remake the firewall object
# and connect.
print("\n--------\n")
fw = firewall.Firewall(HOSTNAME, USERNAME, PASSWORD)
print("Firewall system info: {0}".format(fw.refresh_system_info()))
print("Desired interface: {0}".format(INTERFACE))
# Make the base interface object and connect it to our pan-os-python tree.
base = network.EthernetInterface(INTERFACE, "layer2")
fw.add(base)
# Now let's get all the subinterfaces for INTERFACE. Since our firewall's
# default vsys is "None", this will get all subinterfaces of INTERFACE,
# regardless of which vsys it exists in.
print("Refreshing subinterfaces...")
subinterfaces = network.Layer2Subinterface.refreshall(base)
print("Found {0} subinterfaces".format(len(subinterfaces)))
# Now let's go ahead and update all of them.
for eth in subinterfaces:
eth.comment = "Tagged {0} and in vsys {1}".format(eth.tag, eth.vsys)
# Now that we have updated all of the subinterfaces, we need to save
# the changes to the firewall. But hold on a second, the vsys for these
# subinterfaces is currently "None". We first need to organize these
# subinterfaces into the vsys they actually exist in before we can
# apply these changes to the firewall.
#
# This is where you can use the function "organize_into_vsys()". This
# takes all objects currently attached to your pan-os-python object tree
# and organizes them into the vsys they belong to.
#
# We haven't gotten the current vsys yet (this is a new script, remember),
# but the function can take care of that for us. So let's just invoke it
# to organize our pan-os-python object tree into vsys.
print("Organizing subinterfaces into vsys...")
fw.organize_into_vsys()
# Now we're ready to save our changes. We'll use "apply_similar()",
# and it behaves similarly to "create_similar()" in that you can invoke
# it from any subinterface of INTERFACE and it will apply all of the
# changes to subinterfaces of INTERFACE only.
#
# We just need one subinterface to invoke this function. Again, we'll
# simply use the subinterface currently saved in the "eth" variable
# from our update loop we did just above.
#
# NOTE: As an "apply()" function, apply does a replace of config, not
# a simple update. So you must be careful that all other objects are
# currently attached to your pan-os-python object tree when using apply
# functions. In our case, we have already refreshed all layer2
# subinterfaces, and we are the only ones working with INTERFACE, so we
# are safe to use this function.
print("Updating all subinterfaces...")
start = datetime.datetime.now()
eth.apply_similar()
print("Updating subinterfaces took: {0}".format(datetime.datetime.now() -
start))
# Finally, all that's left is to delete all of the subinterfaces. This
# is just like you think: we first need to refresh all of the
# subinterfaces of INTERFACE, organize them into their appropriate vsys,
# then invoke "delete_similar()" to delete everything.
print("Deleting all subinterfaces...")
start = datetime.datetime.now()
eth.delete_similar()
print("Deleting subinterfaces took: {0}".format(datetime.datetime.now() -
start))
# Lastly, let's just delete the base interface INTERFACE.
print("Deleting base interface...")
base.delete()
# And now we're done! If performance is a bottleneck in your automation,
# or dealing with vsys is troublesome, consider using the vsys organizing
# and/or bulk functions!
print("Done!")
def run(self):
self.instance_type = self.get_param('data._type')
if self.instance_type == 'case_artifact':
ioc = self.get_param('data.data')
if self.instance_type == 'alert':
alertId = self.get_param('data.id')
response = self.api.get_alert(alertId)
ioc = None
ioc_clear = []
for i in list(response.json().get("artifacts")):
if 'ip' in str(i):
ioc = i.get("data")
for i in ioc:
if i == "[" or i == "]":
continue
else:
ioc_clear.append(i)
ioc = "".join(ioc_clear)
if self.instance_type == 'case':
import requests
case_id = self.get_param('data._id')
payload = {
"query": {
"_parent": {
"_type": "case",
"_query": {
"_id": case_id
}
}
},
"range": "all"
}
headers = {
'Content-Type': 'application/json',
'Authorization': 'Bearer {}'.format(self.TheHive_API_key)
}
thehive_api_url_case_search = '{}/api/case/artifact/_search'.format(
self.TheHive_instance)
r = requests.post(thehive_api_url_case_search,
data=json.dumps(payload),
headers=headers)
if r.status_code != requests.codes.ok:
self.error(json.dumps(r.text))
a = None
data = r.json()
for n in data:
if n.get('dataType') == 'ip':
ioc = n.get('data')
fw = firewall.Firewall(self.hostname_PaloAltoNGFW,
api_username=self.User_PaloAltoNGFW,
api_password=self.Password_PaloAltoNGFW)
panos.objects.AddressObject.refreshall(fw)
rulebase = panos.policies.Rulebase()
fw.add(rulebase)
current_security_rules = panos.policies.SecurityRule.refreshall(
rulebase)
if f"thehive-{ioc}" not in str(
fw.find(f"thehive-{ioc}", panos.objects.AddressObject)):
new_ioc_object = panos.objects.AddressObject(
f"thehive-{ioc}",
ioc,
description="TheHive Blocked ip address")
fw.add(new_ioc_object)
new_ioc_object.create()
panos.objects.AddressGroup.refreshall(fw)
block_list = fw.find("TheHive Block list external IP address",
panos.objects.AddressGroup)
if block_list != None:
ioc_list = block_list.about().get('static_value')
if f"thehive-{ioc}" not in ioc_list:
ioc_list.append(f"thehive-{ioc}")
temp1 = panos.objects.AddressGroup(
"TheHive Block list external IP address",
static_value=ioc_list)
fw.add(temp1)
temp1.apply()
elif block_list == None:
temp1 = panos.objects.AddressGroup(
"TheHive Block list external IP address",
static_value=f"thehive-{ioc}")
fw.add(temp1)
temp1.apply()
desired_rule_params = None
for i in current_security_rules:
if self.name_security_rule == i.about().get("name"):
rule_atrib = i.about()
temp_rule_atrib = rule_atrib.get("destination")
if "TheHive Block list external IP address" not in temp_rule_atrib:
temp_rule_atrib.append(
"TheHive Block list external IP address")
if "any" in temp_rule_atrib:
temp_rule_atrib.remove("any")
rule_atrib.update({"destination": temp_rule_atrib})
desired_rule_params = rule_atrib
else:
desired_rule_params = rule_atrib
new_rule = panos.policies.SecurityRule(**desired_rule_params)
rulebase.add(new_rule)
new_rule.apply()
fw.commit()
self.report({
'message':
'Responder successfully added %s into TheHive Block list external IP address from %s'
% (ioc, self.name_security_rule)
})
# Use config.toml for the settings. No commit command is sent the firewall. Commits will need to be
# ran manually from the GUI to verify the correct config.
#
########################################################################################################################
from panos import firewall, objects, network, policies
import toml
import csv
# load settings
settings = toml.load('config.toml')
# connect to firewalls
print("Connecting to Firewalls")
fw = firewall.Firewall(settings['firewalls']['fw'], api_key=settings['api_key']['key'])
fw.set_ha_peers(firewall.Firewall(settings['firewalls']['fw_ha'], api_key=settings['api_key']['key']))
# Check HA pair first #########################
print("Checking HA configuration")
fw.refresh_ha_active()
if not fw.config_synced():
print("I need to sync the configs first.")
fw.synchronize_config()
###############################################
# Open endpoints csv
cradle_reader = csv.DictReader(open('endpoints.csv', 'rt', encoding='utf8'))
#######################################################################################################################
def run(self):
self.instance_type = self.get_param('data._type')
if self.instance_type == 'case_artifact':
data = self.get_param('data.data')
port=str(data).split('-')[0]
protocol=str(data).split('-')[1]
protocol=re.findall(r'[a-z]+',str(protocol)); protocol=str("".join(protocol)).lower()
port=re.findall(r'[0-9]+',str(port)); port="".join(port)
if self.instance_type == 'alert':
alertId = self.get_param('data.id')
response = self.api.get_alert(alertId)
data_list=[]
data=None
for i in response.json().get("artifacts"):
if "'port-protocol'," in str(i):
data_list.append(i.get("data"))
port=str(data_list).split('-')[0]
protocol=str(data_list).split('-')[1]
protocol=re.findall(r'[a-z]+',str(protocol)); protocol=str("".join(protocol)).lower()
port=re.findall(r'[0-9]+',str(port)); port="".join(port)
if self.instance_type == 'case':
import requests
case_id = self.get_param('data._id')
payload = {
"query": { "_parent": { "_type": "case", "_query": { "_id": case_id } } },
"range": "all"
}
headers = { 'Content-Type': 'application/json', 'Authorization': 'Bearer {}'.format(self.TheHive_API_key) }
thehive_api_url_case_search = '{}/api/case/artifact/_search'.format(self.TheHive_instance)
r = requests.post(thehive_api_url_case_search, data=json.dumps(payload), headers=headers)
if r.status_code != requests.codes.ok:
self.error(json.dumps(r.text))
a=None
data = r.json()
data_list = []
for n in data:
if "'port-protocol'," in str(n):
data_list.append(n.get("data"))
port=str(data_list).split('-')[0]
protocol=str(data_list).split('-')[1]
protocol=re.findall(r'[a-z]+',str(protocol)); protocol=str("".join(protocol)).lower()
port=re.findall(r'[0-9]+',str(port)); port="".join(port)
fw = firewall.Firewall(self.hostname_PaloAltoNGFW, api_username=self.User_PaloAltoNGFW, api_password=self.Password_PaloAltoNGFW)
panos.objects.ServiceObject.refreshall(fw)
rulebase = panos.policies.Rulebase()
fw.add(rulebase)
current_security_rules =panos.policies.SecurityRule.refreshall(rulebase)
if f"thehive-{port}-{protocol}" not in str(fw.find(f"thehive-{port}-{protocol}", panos.objects.ServiceObject)):
new_port_object = panos.objects.ServiceObject(f"thehive-{port}-{protocol}", protocol, description="TheHive Blocked port",destination_port=port)
fw.add(new_port_object)
new_port_object.create()
panos.objects.ServiceGroup.refreshall(fw)
block_list = fw.find("TheHive Block list for external port communication", panos.objects.ServiceGroup)
if block_list != None:
port_list = block_list.about().get('value')
if f"thehive-{port}-{protocol}" not in port_list:
port_list.append(f"thehive-{port}-{protocol}")
temp1 = panos.objects.ServiceGroup("TheHive Block list for external port communication", value=port_list)
fw.add(temp1)
temp1.apply()
elif block_list == None:
temp1 = panos.objects.ServiceGroup("TheHive Block list for external port communication", value=f"thehive-{port}-{protocol}")
fw.add(temp1)
temp1.apply()
desired_rule_params = None
for i in current_security_rules:
if self.name_security_rule == str(i.about().get("name")):
rule_atrib = i.about()
temp_rule_atrib = rule_atrib.get("service")
if "TheHive Block list for external port communication" not in temp_rule_atrib:
temp_rule_atrib.append("TheHive Block list for external port communication")
if "application-default" in temp_rule_atrib:
temp_rule_atrib.remove("application-default")
rule_atrib.update({"service": temp_rule_atrib})
desired_rule_params = rule_atrib
else:
desired_rule_params = rule_atrib
new_rule = panos.policies.SecurityRule(**desired_rule_params)
rulebase.add(new_rule)
new_rule.apply()
fw.commit()
self.report({'message': 'Responder successfully added %s into TheHive Block list for external port communication to %s' % (port,self.name_security_rule)})
def init():
"""
Environment variables:
PD_USERNAME
PD_PASSWORD
PD_PANORAMAS
PD_FIREWALLS
"""
global live_devices
global one_fw_per_version
global one_device_per_version
global one_panorama_per_version
global ha_pairs
global panorama_fw_combinations
# Get os.environ stuff to set the live_devices global.
try:
username = os.environ["PD_USERNAME"]
password = os.environ["PD_PASSWORD"]
panos = os.environ["PD_PANORAMAS"].split()
fws = os.environ["PD_FIREWALLS"].split()
except KeyError as e:
print('NOT RUNNING LIVE TESTS - missing "{0}"'.format(e))
return
# Add each panorama to the live_devices.
for hostname in panos:
c = panorama.Panorama(hostname, username, password)
try:
c.refresh_system_info()
except Exception as e:
raise ValueError("Failed to connect to panorama {0}: {1}".format(
hostname, e))
# There should only be one panorama per version.
version = c._version_info
if version in live_devices:
raise ValueError("Two panoramas, same version: {0} and {1}".format(
live_devices[version]["pano"].hostname, hostname))
live_devices.setdefault(version, {"fws": [], "pano": None})
live_devices[version]["pano"] = c
# Add each firewall to the live_devices.
for hostname in fws:
c = firewall.Firewall(hostname, username, password)
try:
c.refresh_system_info()
except Exception as e:
raise ValueError("Failed to connect to firewall {0}: {1}".format(
hostname, e))
# Multiple firewalls are allowed per version, but only ever the first
# two will be used.
version = c._version_info
live_devices.setdefault(version, {"fws": [], "pano": None})
live_devices[version]["fws"].append(c)
# Set:
# one_fw_per_version
# one_device_type_per_version
# one_panorama_per_version
for version in live_devices:
pano = live_devices[version]["pano"]
fws = live_devices[version]["fws"]
if fws:
fw = random.choice(fws)
one_device_type_per_version.append((fw, desc(fw=version)))
one_fw_per_version.append((fw, desc(fw=version)))
if pano is not None:
one_panorama_per_version.append((pano, desc(pano=version)))
one_device_type_per_version.append((pano, desc(pano=version)))
# Set: ha_pairs
for version in live_devices:
fws = live_devices[version]["fws"]
if len(fws) >= 2:
ha_pairs.append((fws[:2], version))
# Set panorama_fw_combinations
for pano_version in live_devices:
pano = live_devices[pano_version]["pano"]
if pano is None:
continue
for fw_version in live_devices:
fws = live_devices[fw_version]["fws"]
if not fws or pano_version < fw_version:
continue
fw = random.choice(fws)
panorama_fw_combinations.append((
(pano, fw),
desc(pano_version, fw_version),
))
def run(self):
self.instance_type = self.get_param('data._type')
if self.instance_type == 'case_artifact':
data = self.get_param('data.data')
port = str(data).split('-')[0]
protocol = str(data).split('-')[1]
protocol = re.findall(r'[a-z]+', str(protocol))
protocol = str("".join(protocol)).lower()
port = re.findall(r'[0-9]+', str(port))
port = "".join(port)
if self.instance_type == 'alert':
alertId = self.get_param('data.id')
response = self.api.get_alert(alertId)
data_list = []
data = None
for i in response.json().get("artifacts"):
if "'port-protocol'," in str(i):
data_list.append(i.get("data"))
port = str(data_list).split('-')[0]
protocol = str(data_list).split('-')[1]
protocol = re.findall(r'[a-z]+', str(protocol))
protocol = str("".join(protocol)).lower()
port = re.findall(r'[0-9]+', str(port))
port = "".join(port)
if self.instance_type == 'case':
import requests
case_id = self.get_param('data._id')
payload = {
"query": {
"_parent": {
"_type": "case",
"_query": {
"_id": case_id
}
}
},
"range": "all"
}
headers = {
'Content-Type': 'application/json',
'Authorization': 'Bearer {}'.format(self.TheHive_API_key)
}
thehive_api_url_case_search = '{}/api/case/artifact/_search'.format(
self.TheHive_instance)
r = requests.post(thehive_api_url_case_search,
data=json.dumps(payload),
headers=headers)
if r.status_code != requests.codes.ok:
self.error(json.dumps(r.text))
a = None
data = r.json()
data_list = []
for n in data:
if "'port-protocol'," in str(n):
data_list.append(n.get("data"))
port = str(data_list).split('-')[0]
protocol = str(data_list).split('-')[1]
protocol = re.findall(r'[a-z]+', str(protocol))
protocol = str("".join(protocol)).lower()
port = re.findall(r'[0-9]+', str(port))
port = "".join(port)
fw = firewall.Firewall(self.hostname_PaloAltoNGFW,
api_username=self.User_PaloAltoNGFW,
api_password=self.Password_PaloAltoNGFW)
panos.objects.ServiceGroup.refreshall(fw)
block_list = fw.find(self.name_internal_Service_Group,
panos.objects.ServiceGroup)
port_list = block_list.about().get('value')
if f"thehive-{port}-{protocol}" in port_list:
port_list.remove(f"thehive-{port}-{protocol}")
temp1 = panos.objects.ServiceGroup(
self.name_internal_Service_Group, value=port_list)
fw.add(temp1)
temp1.apply()
panos.objects.ServiceObject.refreshall(fw)
self.report({
'message':
'Responder successfully deleted %s from %s' %
(port, self.name_internal_Service_Group)
})
fw.commit()
def eastwesthelper(pa_ip, username, password, pa_type, filename=None):
"""
Main point of entry.
Connect to PA/Panorama.
Grab security rules from pa/pan.
Modify them for intra-zone migration.
"""
for subnet in settings.EXISTING_TRUST_SUBNET:
if subnet.endswith("/32"):
mem.singleip = True
if pa_type == "panorama":
# Grab 'start' time
start = time.perf_counter()
panfw = panorama.Panorama(pa_ip, username, password)
# Grab the Device Groups and Template Names, we don't need Template names.
pa = pa_api.api_lib_pa(pa_ip, username, password, pa_type)
device_group = get_device_group(pa)
pre_rulebase = policies.PreRulebase()
post_rulebase = policies.PostRulebase()
dg = panorama.DeviceGroup(device_group)
dg.add(pre_rulebase)
dg.add(post_rulebase)
panfw.add(dg)
# Grab Objects and Rules
mem.address_object_entries = objects.AddressObject.refreshall(dg, add=False)#,add=False)
mem.address_group_entries = objects.AddressGroup.refreshall(dg, add=False)#,add=False)
#Grabbing the Shared address objects and groups..
shared = panorama.DeviceGroup('shared')
panfw.add(shared)
shared_objects = objects.AddressObject.refreshall(shared, add=False)
mem.address_object_entries += shared_objects
shared_groups = objects.AddressGroup.refreshall(shared, add=False)
mem.address_group_entries += shared_groups
# Add parent DG (like Shared), if used. Ask Chris Evans or me for details.
if settings.OBJ_PARENT_DEVICE_GROUP:
parent_dg = panorama.DeviceGroup(settings.OBJ_PARENT_DEVICE_GROUP)
panfw.add(parent_dg)
parent_objects = objects.AddressObject.refreshall(parent_dg, add=False)
mem.address_object_entries += parent_objects
parent_groups = objects.AddressGroup.refreshall(parent_dg, add=False)
mem.address_group_entries += parent_groups
# GRAB PRE/POST RULES
pre_security_rules = policies.SecurityRule.refreshall(pre_rulebase)#, add=False)
post_security_rules = policies.SecurityRule.refreshall(post_rulebase)#, add=False)
# Modify the rules, Pre & Post
if pre_security_rules:
eastwest_addnew_zone(pre_security_rules, panfw, pre_rulebase)
if post_security_rules:
eastwest_addnew_zone(post_security_rules, panfw, post_rulebase)
elif pa_type == "pa":
# Grab 'start' time
start = time.perf_counter()
panfw = firewall.Firewall(pa_ip, username, password)
# Grab Rules
mem.address_object_entries = objects.AddressObject.refreshall(panfw,add=False)
mem.address_group_entries = objects.AddressGroup.refreshall(panfw,add=False)
rulebase = policies.Rulebase()
panfw.add(rulebase)
security_rules = policies.SecurityRule.refreshall(rulebase)
# Modify the rules
if security_rules:
modified_rules = eastwest_addnew_zone(security_rules, panfw, rulebase)
# Finished
end = time.perf_counter()
runtime = end - start
print(f"Took {runtime} Seconds.\n")
#parser.add_argument("-x", "--xml", help="Optional XML Filename", type=str)
parser.add_argument("-u", "--username", help="Username", type=str)#, required=argrequired)
parser.add_argument("-i", "--ipaddress", help="IP or FQDN of PA/Panorama", type=str)#, required=argrequired)
args = parser.parse_args()
# IF XML, do not connect to PA/Pan
# if args.xml:
# print("NO LONGER IMPLEMENTED")
# sys.exit(0)
# Gather input
pa_ip = args.ipaddress
username = args.username
password = getpass("Enter Password: "******"Error connecting to: {pa_ip}\nCheck username/password and network connectivity.")
print()
print(e)
sys.exit(0)
# PA or Panorama?
pa_type = pa_api.get_pa_type()
# Run program
print("\nThank you...connecting..\n")
eastwesthelper(pa_ip, username, password, pa_type)
