Python script which adds a security rule on Palo Alto firewalls using the REST API.
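#!/usr/bin/python
"""Add a security rule to one or more Palo Alto firewalls via the PAN-OS XML API.

For every firewall in ``firewalls_ip`` the script obtains an API key for the
interactively supplied credentials, pushes the rule in the ``rule`` template,
optionally moves it after an existing rule and optionally commits.

Differences from the plain one-shot version of this script:

* the password is sent in the keygen POST body, never in the URL query
  string, so it does not land in proxy / web-server / shell-history logs;
* the API key (a bearer credential equivalent to the password) is not echoed
  to the terminal;
* a key is generated on each firewall instead of reusing the key of the
  first one for all of them;
* every request is passed as ``params=`` so the XML element and rule names
  are URL-encoded by ``requests`` rather than pasted into the URL;
* a reply with ``<response status="error">`` aborts the run, so a failed set
  or move is never followed by a commit;
* the commit step prints the commit reply (the original printed the reply of
  the previous request).
"""
from __future__ import print_function

import getpass
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

import requests

try:  # Python 2 compatibility: raw_input() never evaluates the typed text
    input = raw_input  # noqa: F821
except NameError:
    pass

## list of firewalls
firewalls_ip = [
    '192.168.0.201',
    '192.168.0.202',
    '192.168.0.203',
]

# TLS verification for the firewall management interfaces. The original
# script disabled it (verify=False, typically because of self-signed
# certificates); put the path of the CA bundle that signed the management
# certificates here so the connection that carries the password and the API
# key is actually authenticated.
VERIFY_TLS = False

rule_path = "/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/rulebase/security/rules"
rule_name = "permit_any"

# NOTE(review): the rule name and <description> say "permit" while <action>
# is "deny". Kept exactly as in the original -- confirm which one is intended
# before pushing this to a production rulebase.
rule = """
<entry name="{}">
<to>
<member>any</member>
</to>
<from>
<member>any</member>
</from>
<source>
<member>any</member>
</source>
<destination>
<member>any</member>
</destination>
<source-user>
<member>any</member>
</source-user>
<category>
<member>any</member>
</category>
<application>
<member>any</member>
</application>
<service>
<member>any</member>
</service>
<hip-profiles>
<member>any</member>
</hip-profiles>
<action>deny</action>
<log-start>no</log-start>
<description>permit any any rule</description>
<disabled>no</disabled>
</entry>
"""

# Characters PAN-OS accepts in a security-rule name (letters, digits, space,
# hyphen, underscore, period). Length limits differ between PAN-OS versions
# and are left to the firewall. Rejecting anything else also keeps quotes
# and brackets out of the XPath built in move_rule().
_RULE_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9 ._-]*$")


def _validate_name(name):
    """Raise ValueError if *name* is not a plausible PAN-OS rule name."""
    if not _RULE_NAME_RE.match(name):
        raise ValueError("invalid rule name: %r" % (name,))


def _check_status(body, ip):
    """Parse a PAN-OS XML reply and raise RuntimeError unless status="success".

    Args:
        body: raw reply bytes from the firewall.
        ip: firewall address, for the error message only.

    Returns:
        The parsed ``<response>`` element.
    """
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        raise RuntimeError("non-XML reply from %s: %r" % (ip, body[:200]))
    if root.get("status") != "success":
        raise RuntimeError("%s reported an error: %s" % (ip, body.strip()))
    return root


def _api_call(ip, method, params, data=None):
    """Send one XML-API request to firewall *ip* and return its reply.

    Args:
        ip: firewall management address.
        method: HTTP method name (``"get"`` or ``"post"``).
        params: query-string parameters; ``requests`` URL-encodes them.
        data: optional form body (used only for keygen, to keep the password
            out of the URL).

    Returns:
        ``(parsed_response_element, reply_text)``.

    Raises:
        requests.HTTPError: on an HTTP error status.
        RuntimeError: when the firewall answers with ``status="error"``.
    """
    response = requests.request(
        method,
        "https://%s/api/" % ip,
        params=params,
        data=data,
        verify=VERIFY_TLS,
    )
    response.raise_for_status()
    root = _check_status(response.content, ip)
    return root, response.text


def generate_api_key(ip, username, password):
    """Return an API key for *username* on firewall *ip*.

    Credentials travel in the POST body; only ``type=keygen`` is in the URL.

    Raises:
        RuntimeError: if the reply carries no ``<key>`` element.
    """
    root, _ = _api_call(
        ip,
        "post",
        {"type": "keygen"},
        data={"user": username, "password": password},
    )
    key = root.findtext(".//key")
    if not key:
        raise RuntimeError("no <key> in keygen reply from %s" % ip)
    return key


def add_rule(ip, key, name):
    """Create security rule *name* from the ``rule`` template on *ip*.

    Returns the firewall's reply text for display.
    """
    _validate_name(name)
    params = {
        "type": "config",
        "action": "set",
        "key": key,
        "xpath": rule_path,
        # name is validated above; escaping is belt-and-braces for the attribute value
        "element": rule.format(escape(name, {'"': "&quot;"})),
    }
    _, text = _api_call(ip, "post", params)
    return text


def move_rule(ip, key, name, after):
    """Move rule *name* directly after rule *after* on *ip*; return the reply text."""
    _validate_name(name)
    _validate_name(after)
    params = {
        "type": "config",
        "action": "move",
        "key": key,
        "xpath": "{}/entry[@name='{}']".format(rule_path, name),
        "where": "after",
        "dst": after,
    }
    _, text = _api_call(ip, "get", params)
    return text


def commit_changes(ip, key):
    """Commit the candidate configuration on *ip*; return the reply text."""
    params = {"type": "commit", "key": key, "cmd": "<commit></commit>"}
    _, text = _api_call(ip, "post", params)
    return text


def main():
    """Interactive driver: one add / optional move / optional commit per firewall."""
    ## login and password for firewall
    username = input("Please enter your username: ")
    password = getpass.getpass("Please enter your password: ")

    for ip in firewalls_ip:
        ## generate api key -- per device, in case master keys differ
        key = generate_api_key(ip, username, password)
        # The key is deliberately not printed: it grants the same access as
        # the password and would otherwise end up in scrollback and logs.
        print("\nAPI key obtained for %s (not shown)\n" % ip)

        print("Adding security rule to: %s\n" % ip)
        print(add_rule(ip, key, rule_name))

        print("Moving security rule ...\n")
        move = input("Do you want to move security rule ? (y/n) ")
        if move == "y":
            rule_pos = input("Insert rule name after which you want to place new rule: ")
            print(move_rule(ip, key, rule_name, rule_pos))

        print("Commiting changes ...\n")
        commit = input("Are you sure you want to commit ? (y/n) ")
        if commit == "y":
            print(commit_changes(ip, key))
        else:
            print("Commit cancelled !\n")


if __name__ == "__main__":
    main()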