updated: 2023-04-17
Palo Alto API
Working with the Palo Alto firewall and the official SDK, I found it difficult in some cases to get the information I wanted in the format I needed. So I began writing code that would handle that work for me.
Github project
How to Use
Install the package, which has been tested mostly on Python 3.8+:
python -m pip install paloaltoapi
Configuration Variables
Use environment variables for configurations:
sample:
export CERT='<path/to/cert>'
export DOMAIN='example.com'
Default values are:
CERT values can be True, False, or a certificate path. It is used as the value if one is not passed when connecting to Panorama or a firewall. Defaults to no SSL verification if not set.
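The CERT variable above is security-relevant: when it is unset the SDK falls back to unverified TLS, so an API key can be sent to whatever answers on the Panorama hostname. The following helper is an added example, not part of the paloaltoapi package; it maps the CERT string to the value you would pass as certstore= and, in strict mode, refuses the silent fallback instead of returning False. The accepted spellings of true/false and the strict flag are this example's own choices.

```python
import os
import warnings

# Added example, not code from the paloaltoapi package. It turns the CERT
# environment variable described above into the value handed to the SDK's
# certstore= parameter. The page documents that an unset CERT means no SSL
# verification; strict=True (this example's own flag) refuses that fallback.

TRUE_WORDS = {"true", "1", "yes"}
FALSE_WORDS = {"false", "0", "no"}


def resolve_cert_verify(raw, *, strict=True):
    """Return True, False or a CA bundle path for certstore=.

    raw    -- the string from os.getenv("CERT"), or None when unset
    strict -- when True, an unset CERT or a missing bundle file raises
              instead of quietly disabling verification
    """
    if raw is None or not raw.strip():
        if strict:
            raise ValueError("CERT is not set; refusing to default to unverified TLS")
        return False  # legacy default described on the page

    value = raw.strip()
    if value.lower() in TRUE_WORDS:
        return True  # verify against the system CA store
    if value.lower() in FALSE_WORDS:
        # Explicit opt-out is honoured but made visible in the logs.
        warnings.warn("CERT=False disables TLS verification for Panorama/firewall calls")
        return False

    # Anything else is treated as a path to a CA bundle or pinned certificate.
    path = os.path.expanduser(value)
    if strict and not os.path.isfile(path):
        raise FileNotFoundError(f"CERT points at {path!r} but no such file exists")
    return path


def cert_from_environment(strict=True):
    """Convenience wrapper reading CERT from the process environment."""
    return resolve_cert_verify(os.getenv("CERT"), strict=strict)


if __name__ == "__main__":
    # With strict=False this reproduces the page's default of False when unset.
    print(cert_from_environment(strict=False))
```

Pass the return value as certstore= in the class constructors shown in the samples below; with strict=True a missing or mistyped bundle path fails at startup rather than degrading to an unverified connection.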
Sample Usage
Sample usage of the different classes and how to use them.
URL Class
The URL class gives the ability to search for custom URL categories and to add or remove items from a category's list.
Here is a sample of just being able to retrieve the information.
import os
from paloaltoapi.device_groups.objects.urlcategory.url_categories import UrlCategories
CERT = os.getenv("CERT", None)
if not CERT:
CERT = False
url = UrlCategories(device='panorama.com', api_key="<api-token>", certstore=CERT) # you can also specify username and password instead to auto populate the token
category_list = url.list_url_category(name='custom-category-name', device_groups='Internet')
"""
returns formatted list in JSON format
[{'@name': 'custom-category-name', '@location': 'device-group', '@device-group': 'Internet', '@loc': 'Internet', 'list': {'member': ['google.com', '^.google.com', 'ec2.^.amazonaws.com]}, 'type': 'URL List'}]
With this list you can extract the members and add remove or manipulate the members in the URL Custom Category
"""
Address Group Class
This class allows us to look up, search, and edit an address group and the location it is in within Panorama. Similar work can be done with the Address class, which allows you to adjust, add, or remove addresses.
import os
from paloaltoapi.device_groups.objects.address_groups import AddressGroups
CERT = os.getenv("CERT", None)
if not CERT:
CERT = False
addr_grp = AddressGroups(device='panorama.com', api_key="<api-token>", certstore=CERT)
address_group_list = addr_grp.list_address_group(address_grp='grp-ext-crl-microsoft', location='Internet')
print(address_group_list)
"""
Returns a list of the address group name specified like:
['ext-hst-crl.microsoft.com-1', 'ext-hst-crl.microsoft.com-2', 'ext-hst-crl.microsoft.com-3']
"""
list_address_groups = addr_grp.get_address_group_by_name(address_groups=['grp-ext-crl-microsoft','grp-ext-ms-updates'])
print(list_address_groups)
"""
Searches for the address groups and lists all the values associated with each in a dictionary. It does not specify the location; that needs to be adjusted.
{
'grp-ext-crl-microsoft': [
'ext-hst-crl.microsoft.com-1', 'ext-hst-crl.microsoft.com-2', 'ext-hst-crl.microsoft.com-3'
],
'grp-ext-ms-updates': [
'ext-net-akam', 'ext-net-ms2'
]
}
"""
Sample URL Update
In some cases you need to add a URL to an existing URL category. Here is sample code that adds it using this module and commits the updated domain.
NOTE: It would be better to use the EDL functionality or the tagging functionality instead; this is more of a legacy approach.
from paloaltoapi.device_groups.objects.urlcategory import url_categories
urls = url_categories.UrlCategories(device="panorama.com", api_key="12345")
# edit an existing URL Category
response = urls.edit_url_category(name='url_category_name', member=['new.com', 'another-url.com'], device_group="Shared")
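The retrieval sample in the URL Class section and the update sample above are two halves of one workflow: read the current members, decide what is missing, then push only the additions. The block below is an added example and not code from the paloaltoapi package. It parses the record format shown in the URL Class section, validates candidate entries, and hands the additions to any function with the edit_url_category(name=, member=, device_group=) signature from the page. Two assumptions are this example's own: a category with a single member may come back with 'member' as a bare string rather than a list (common in XML-to-dict conversions), and edit_url_category() appends the members it is given.

```python
import re

# Added example, not code from the paloaltoapi package. It takes the record
# list returned by list_url_category() (format shown in the URL Class
# section), works out which members still need adding, validates them, and
# passes the additions to an edit function with the edit_url_category()
# signature from the page. Assumed: a single member may arrive as a bare
# string rather than a list, and edit_url_category() appends members.

# Conservative shape check for a URL-category entry: hostname characters,
# the * and ^ wildcard tokens seen in the page's sample, and an optional
# path. This pattern is an assumption of the example, not vendor guidance.
ENTRY_RE = re.compile(r"^[A-Za-z0-9.\-*^]+(/[^\s]*)?$")


def normalise_members(record):
    """Return the member list of one list_url_category() record as a set."""
    members = record.get("list", {}).get("member", [])
    if isinstance(members, str):      # single member collapses to a string
        members = [members]
    return {m.strip().lower() for m in members if m and m.strip()}


def validate_entry(entry):
    """Reject entries that are not plausible URL-category members."""
    entry = entry.strip().lower()
    if "://" in entry or " " in entry or not ENTRY_RE.match(entry):
        raise ValueError(f"invalid URL category entry: {entry!r}")
    return entry


def plan_url_category_update(records, name, desired):
    """Compute (to_add, to_remove) for category `name` against `desired`.

    If the same name exists in several device groups, the first record
    returned is used; filter `records` by '@device-group' first if needed.
    """
    matching = [r for r in records if r.get("@name") == name]
    if not matching:
        raise LookupError(f"URL category {name!r} not found")
    current = normalise_members(matching[0])
    wanted = {validate_entry(e) for e in desired}
    return sorted(wanted - current), sorted(current - wanted)


def apply_additions(edit_fn, name, device_group, to_add):
    """Call an edit_url_category-style function only when there is work."""
    if not to_add:
        return None
    return edit_fn(name=name, member=to_add, device_group=device_group)


# Constructed sample matching the output shown in the URL Class section.
SAMPLE_RECORDS = [{
    "@name": "custom-category-name", "@location": "device-group",
    "@device-group": "Internet", "@loc": "Internet",
    "list": {"member": ["google.com", "^.google.com", "ec2.^.amazonaws.com"]},
    "type": "URL List",
}]

if __name__ == "__main__":
    add, remove = plan_url_category_update(
        SAMPLE_RECORDS, "custom-category-name",
        ["google.com", "new.com", "another-url.com"])
    print("add:", add, "remove:", remove)
    # Against a live Panorama you would pass urls.edit_url_category as edit_fn.
```

In production, edit_fn is the bound method urls.edit_url_category from the sample above; the plan step keeps the change idempotent, so re-running the script after a successful edit makes no further API calls.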
Dynamic Tagging
Dynamic tagging is used to ensure that an IP is associated with a specific tag. If a DAG (Dynamic Address Group) has a regular expression that matches that tag, or the list of tags, registering the tag automatically adds those IP addresses to the DAGs that are associated with specific rules. This will auto-permit or auto-remove access to a rule without making an actual commit to the rule. This is great for NAC-style quarantine of a possibly malicious IP based on logging, for creating dynamic rules around containers that are created and destroyed on demand, and for many other ways of orchestrating existing policies and rules without waiting for a full commit.
from paloaltoapi.tags.dynamic_tags import AutoTags
# is_panorama sets whether to tag at Panorama and sync, or on the firewall itself
auto_tag = AutoTags(device="panorama.com", api_key="12345", is_panorama=False)
# Get a list of the registered IPs
response = auto_tag.get_registered_ip(tag="AutoTag")
# response will hold the list of all IPs registered with that tag name
response = auto_tag.delete_registered_ip(tag="AutoTag", ip_list=['1.1.1.1', '2.2.2.2'])
# removes all listed IPs that are registered with that tag
response = auto_tag.add_registered_ip(tag="AutoTag", ip_list=['10.0.0.1', '10.0.0.2'])
# adds the listed IPs to the tag, which automatically registers them as registered IPs
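The quarantine use case above is where the get/delete/add calls come together: the set of IPs registered under the tag should track what the detection pipeline currently says, no more and no less. The block below is an added example, not code from the paloaltoapi package. It validates candidate addresses so a malformed log field cannot register a whole CIDR range by mistake, computes the difference against what is already registered, and drives the three AutoTags methods through an injected client so it runs offline with an in-memory stand-in. Assumed, not taken from the page: get_registered_ip(tag=...) returns an iterable of IP strings, and the add/delete methods accept the tag= and ip_list= keywords exactly as shown in the sample.

```python
import ipaddress

# Added example, not part of the paloaltoapi package: reconcile the IPs
# registered under a quarantine tag with a target list from your detection
# pipeline, using the AutoTags methods shown above through an injected
# client object. Assumptions: get_registered_ip(tag=...) returns an iterable
# of IP strings; add/delete_registered_ip accept tag= and ip_list=.


def _ip_key(text):
    """Sort key that keeps IPv4 before IPv6 and orders numerically within each."""
    addr = ipaddress.ip_address(text)
    return (addr.version, int(addr))


def validate_ips(candidates):
    """Return a sorted, de-duplicated list of well-formed host addresses.

    Anything that is not a single host address (CIDR ranges, hostnames,
    empty strings) raises ValueError, so a bad log field cannot quarantine
    a whole network by accident.
    """
    clean = set()
    for raw in candidates:
        raw = (raw or "").strip()
        if not raw:
            continue
        clean.add(str(ipaddress.ip_address(raw)))  # raises ValueError on junk
    return sorted(clean, key=_ip_key)


def plan_tag_changes(current, target):
    """Work out which IPs to register and which to release for a tag."""
    current_set = set(validate_ips(current))
    target_set = set(validate_ips(target))
    return (sorted(target_set - current_set, key=_ip_key),
            sorted(current_set - target_set, key=_ip_key))


def reconcile_tag(client, tag, target):
    """Make the registered IPs for `tag` equal `target`; returns (added, removed)."""
    to_add, to_remove = plan_tag_changes(client.get_registered_ip(tag=tag), target)
    if to_remove:
        client.delete_registered_ip(tag=tag, ip_list=to_remove)
    if to_add:
        client.add_registered_ip(tag=tag, ip_list=to_add)
    return to_add, to_remove


class FakeAutoTags:
    """Constructed in-memory stand-in for AutoTags so the example runs offline."""

    def __init__(self, registered=None):
        self.registered = {tag: set(ips) for tag, ips in (registered or {}).items()}

    def get_registered_ip(self, tag):
        return sorted(self.registered.get(tag, set()), key=_ip_key)

    def add_registered_ip(self, tag, ip_list):
        self.registered.setdefault(tag, set()).update(ip_list)
        return {"added": list(ip_list)}

    def delete_registered_ip(self, tag, ip_list):
        self.registered.get(tag, set()).difference_update(ip_list)
        return {"deleted": list(ip_list)}


if __name__ == "__main__":
    # Constructed starting state and target list.
    fake = FakeAutoTags({"Quarantine": ["10.0.0.1", "10.0.0.2"]})
    print(reconcile_tag(fake, "Quarantine", ["10.0.0.2", "10.0.0.9"]))
    print(fake.get_registered_ip(tag="Quarantine"))
    # Against a live device, pass an AutoTags(...) instance as `client`.
```

Because the plan is computed from the device's own answer each run, the script is safe to schedule: a host that has dropped out of the detection output is released from the tag, and one already registered is not re-added.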