Python script which adds a security rule to Palo Alto firewalls using the REST API.
#!/usr/bin/python
import getpass
import re
import xml.etree.ElementTree as ET

import requests
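## list of firewalls (management addresses)
firewalls_ip = [
    '192.168.0.201',
    '192.168.0.202',
    '192.168.0.203',
]

## TLS certificate validation for every API call.  True uses the system trust
## store; set it to the path of the CA bundle that signed the firewalls'
## management certificates when those are not publicly trusted.  The original
## script used verify=False, which lets anyone on the network path read the
## admin password and the API key in transit.
tls_verify = True

## Prompt shim: the script was written for Python 2 (raw_input); fall back to
## input() on Python 3 so the same file runs on both.
try:
    _prompt = raw_input  # noqa: F821 - Python 2 only
except NameError:
    _prompt = input

## xpath of the security rulebase the rule is written to
rule_path = "/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/rulebase/security/rules"
rule_name = "permit_any"
## NOTE(review): the rule is named and described as "permit" but its <action>
## is deny.  The element is kept exactly as the author wrote it; confirm which
## behaviour is intended before pushing it to production devices.
rule = """
<entry name="{}">
<to>
<member>any</member>
</to>
<from>
<member>any</member>
</from>
<source>
<member>any</member>
</source>
<destination>
<member>any</member>
</destination>
<source-user>
<member>any</member>
</source-user>
<category>
<member>any</member>
</category>
<application>
<member>any</member>
</application>
<service>
<member>any</member>
</service>
<hip-profiles>
<member>any</member>
</hip-profiles>
<action>deny</action>
<log-start>no</log-start>
<description>permit any any rule</description>
<disabled>no</disabled>
</entry>
"""


def api_url(ip):
    """Return the XML API endpoint of firewall *ip*."""
    return "https://" + ip + "/api/"


def extract_api_key(xml_text):
    """Return the key carried by a keygen response body.

    Args:
        xml_text: the response text of a ``type=keygen`` call.

    Raises:
        ValueError: when the body has no non-empty ``<key>`` element (the
            original ``findall(...)[0]`` raised a bare IndexError here).
        xml.etree.ElementTree.ParseError: when the body is not well-formed XML.
    """
    root = ET.fromstring(xml_text)
    node = root.find(".//key")
    if node is None or not node.text:
        raise ValueError("keygen response contains no <key> element")
    return node.text


def build_rule_element(name):
    """Return the ``<entry>`` XML for a security rule called *name*."""
    return rule.format(name)


def generate_api_key(ip, username, password):
    """Obtain an API key from firewall *ip* for *username*/*password*.

    The credentials are sent in the POST body instead of the URL query
    string, so they do not end up in proxy, web-server or shell history logs.
    Raises requests.HTTPError on a non-2xx reply (e.g. wrong credentials).
    """
    response = requests.post(
        api_url(ip),
        data={"type": "keygen", "user": username, "password": password},
        verify=tls_verify,
    )
    response.raise_for_status()
    return extract_api_key(response.text)


def add_rule(ip, key, name):
    """Create security rule *name* on firewall *ip* and return the reply text.

    ``element`` and ``key`` go in the POST body so the XML is form-encoded by
    requests and the key stays out of the URL.
    """
    response = requests.post(
        api_url(ip),
        data={
            "type": "config",
            "action": "set",
            "key": key,
            "xpath": rule_path,
            "element": build_rule_element(name),
        },
        verify=tls_verify,
    )
    response.raise_for_status()
    return response.text


def move_rule(ip, key, name, after_rule):
    """Place rule *name* directly after *after_rule* and return the reply text."""
    response = requests.post(
        api_url(ip),
        data={
            "type": "config",
            "action": "move",
            "key": key,
            "xpath": "%s/entry[@name='%s']" % (rule_path, name),
            "where": "after",
            "dst": after_rule,
        },
        verify=tls_verify,
    )
    response.raise_for_status()
    return response.text


def commit_changes(ip, key):
    """Commit the candidate configuration of firewall *ip*; return the reply text."""
    response = requests.post(
        api_url(ip),
        data={"type": "commit", "key": key, "cmd": "<commit></commit>"},
        verify=tls_verify,
    )
    response.raise_for_status()
    return response.text


def main():
    """Interactive driver: add, optionally move, and optionally commit the rule
    on every firewall in ``firewalls_ip``."""
    ## login and password for firewall
    username = _prompt("Please enter your username: ")
    password = getpass.getpass("Please enter your password: ")
    for ip in firewalls_ip:
        print("Adding security rule to: %s\n" % ip)
        # A key is minted per device: the original minted one key on
        # 192.168.0.201 and reused it, which presumably only works when all
        # devices share a master key.  The key itself is no longer echoed to
        # the terminal (it is a reusable admin credential).
        key = generate_api_key(ip, username, password)
        print("API key obtained for %s (not displayed)\n" % ip)
        print(add_rule(ip, key, rule_name))
        print("Moving security rule ...\n")
        move = _prompt("Do you want to move security rule ? (y/n) ")
        if move.strip().lower() == "y":
            rule_pos = _prompt("Insert rule name after which you want to place new rule: ")
            print(move_rule(ip, key, rule_name, rule_pos))
        print("Commiting changes ...\n")
        commit = _prompt("Are you sure you want to commit ? (y/n) ")
        if commit.strip().lower() == "y":
            # The original printed the *set* reply here instead of the
            # commit reply, hiding commit errors and job ids.
            print(commit_changes(ip, key))
        else:
            print("Commit cancelled !\n")


if __name__ == "__main__":
    main()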