🧱 Palo Alto Networks Python Automation

DISCLAIMER! NOT AN EXPERT!

Python is a widely-used programming language known for its ease of use and readability. It is also known for its robust library of modules that make it a powerful tool for automation. This blog post will explore how to automate Palo Alto Networks Next-Generation Firewalls using Python.

I will start with an introduction to Palo Alto Networks. I will then briefly overview the Python scripting language and its benefits. This post is not a python training course but rather to inspire learning it and using it to make firewall management more effortless.

In the end, I will show you how to create two simple scripts. The first one is for gathering system information from your firewalls. The second one is for creating bulk rule sets for the security policy. This script is handy if you are building a firewall from scratch.

What is Palo Alto Networks?

Palo Alto Networks is a leading provider of network security solutions, including firewalls, intrusion detection systems (IDS), and network security appliances. Organizations of all sizes use their products to protect their networks from cyberattacks. They have developed something called the Palo Alto Networks Device Framework (pandevice), which is a python library for interacting with their Next-generation Firewalls. This makes it easy for developers to create custom scripts and tools to automate the tasks of network security monitoring and management.

What Is Python?

Python is a widely-used interpreted, general-purpose, high-level programming language with a design philosophy of “there’s only one way to do it, and that’s why it works.” It has a simple syntax and is easy to learn, making it a popular choice for scripting and automation. Some basics are below:

Python Variable

A Python variable is a name for a container for a value.
Typically assigned initially, the value remains valid until changed or deleted.
When you declare a Python variable, you give it a name and a value.
- Ex.
```
IP = "10.50.0.1"
```

Python List

A Python list is a collection of items, where each item is an object.
- Ex.
```
IP = ["10.50.0.1","10.50.0.2","10.50.0.3"]
```
A more complex list is called a two-dimensional array, which allows you to store multiple items in memory at once.
- Ex.
```
IP = [["HOSTNAME01", "10.50.0.1"],
      ["HOSTNAME02", "10.50.0.1"],
      ["HOSTNAME03", "10.50.0.3"]]
```

Python Loop

A Python loop is a block of code executed a certain number of times.
- Ex.
```
for IP in IPs:
	print(IP)
```

Python Condition

A Python condition is a boolean expression that determines if a code block will be executed.
- Ex.
```
if IP == 10.50.0.1
	print(IP)
else
	print("Wrong IP")
```

What Are The Benefits Of Using Python For Network Security Automation?

One of the benefits of using Python for network security automation is cross-platform. This means that you can use Python to automate Windows, Mac, and Linux systems tasks. Additionally, Python is available on many different platforms, so you can even automate tasks on mobile devices.

Python also has a rich set of libraries and tools that make network security automation easy. This includes libraries for network monitoring, data analysis, and machine learning. With these tools, you can easily detect and respond to security threats. Overall, Python is a versatile language that is easy to learn and use. It has a large community of developers who constantly create new tools and libraries to make network security automation easier. These benefits make Python a popular choice for any automation.

Automating PAN-OS Using Python

Python is known for its ability to be automated using various tools. This makes it an ideal language for automating tasks in Palo Alto Networks.

This section will show you how to use Python to automate various tasks in Palo Alto Firewalls. I will show you how to gather system information from multiple firewalls. I will then show you how to create security policy rules in bulk from a CSV file.

You only need a text editor (such as Notepad, Notepad++, or Vim) for right now. If you want to dive deeper into the syntax, I recommend giving the Palo Alto Networks Device Framework Docs a read. I will go over each line of code and briefly explain the function and then post the entire code at the end.

Show System Info

Open your text editor.

The first block of code is for importing python modules to use in the script.

# Importing the firewall module from PAN-OS-Python Framework.
from pandevice import firewall

# Importing the sys module. 
import sys

# Importing the regular expression operations module.
import re

We then go into a conditional statement and start defining the variables in a try block to test for errors such as wrong username, password, or IP.

if __name__ == '__main__':

  try:

    # Setting the user account made explicitly for API requests and identifying firewalls.
    USERNAME      = "USERNAME_HERE"
    PASSWORD      = "PASSWORD_HERE"
    FIREWALLS     = [["FW01_HOSTNAME","FW01_IP"], 
                     ["FW02_HOSTNAME","FW02_IP"]]

    # Operational Command
    command             = "show system info"

    # Defining filters to apply to the results.
    model_filter        = "<model>(.*)</model>"
    version_filter      = "<sw-version>(.*)</sw-version>"

After the variables are defined, we create a for loop for each firewall we are trying to get information from.

    # Creating PAN-OS-Python Framework firewall object and then executing command on object. 
    for FIREWALL_NAME, FIREWALL_IP in FIREWALLS:
      pan_fw_connect   = firewall.Firewall(hostname=FIREWALL_IP, api_username=USERNAME, api_password=PASSWORD)
      system_info      = pan_fw_connect.op(cmd=command, xml=True)

      #un-comment the line below to ignore filters and to see the full 'Show System Info' ouput
      #print(system_info)

      #Applying filters defined above to the results.
      model            = re.search(model_filter,str(system_info))
      system_version   = re.search(version_filter,str(system_info))

      #Displaying results.
      print(FIREWALL_NAME+" - model: "+model.group(1)+" - version: "+system_version.group(1))

We end it with an error handling if we can’t connect to the device and exit from the program.

  except:
    #If unable to connect to firewall device, deplay error with IP address.
    print("ERROR  : Unable to connect to "+FIREWALL_IP+". Check the Firewall IP address and API User Credentials.")
    sys.exit(0)

Full script

#!/usr/bin/env python
#
# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

# Importing the firewall module from the PAN Device Framwork.
from pandevice import firewall
import sys
import re

if __name__ == '__main__':

  try:

    # Setting the user account made explicitly for API requests and identifying firewalls.
    USERNAME      = "USERNAME_HERE"
    PASSWORD      = "PASSWORD_HERE"
    FIREWALLS     = [["FW01_HOSTNAME","FW01_IP"], 
                     ["FW02_HOSTNAME","FW02_IP"]]

    # Operational Command
    command             = "show system info"

    # Defining filters to apply to results.
    model_filter        = "<model>(.*)</model>"
    version_filter      = "<sw-version>(.*)</sw-version>"

    # Creating PAN-OS-Python Framework firewall object and then executing command on object. 
    for FIREWALL_NAME, FIREWALL_IP in FIREWALLS:
      pan_fw_connect   = firewall.Firewall(hostname=FIREWALL_IP, api_username=USERNAME, api_password=PASSWORD)
      system_info      = pan_fw_connect.op(cmd=command, xml=True)

      #un-comment the line below to ignore filters and to see the full 'Show System Info' ouput
      #print(system_info)

      #Applying filters defined above to the results.
      model            = re.search(model_filter,str(system_info))
      system_version   = re.search(version_filter,str(system_info))

      #Displaying results.
      print(FIREWALL_NAME+" - model: "+model.group(1)+" - version: "+system_version.group(1))

  except:
    #If unable to connect to firewall device, deplay error with IP address.
    print("ERROR  : Unable to connect to "+FIREWALL_IP+". Check the Firewall IP address and API User Credentials.")
    sys.exit(0)

Creating Security Policies from a CSV file

Like before, we start with importing the python modules.

# Importing the firewall, objects, and policy modules from PAN-OS-Python Framework.
from pandevice import firewall
from pandevice import objects
from pandevice import policies

# Importing a module to time the code execution. Its good to know the commit time.
import timeit

# Importing CSV module to read the CSV file.
import csv
import sys

The conditional statement and variables.

if __name__ == '__main__':

  try: 

    # Setting the user account made explicitly for API requests, identifying the firewall, and CSV filepath.
    USERNAME       = "USERNAME_HERE"
    PASSWORD       = "PASSWORD_HERE"
    FIREWALL_IP    = "PAN_FW_IP_HERE"
    RULE_CSV       = "CSV_FILEPATH_HERE"

Creating the PAN-OS-Python Framework Firewall object.

    firewall = firewall.Firewall(hostname=FIREWALL_IP, api_username=USERNAME, api_password=PASSWORD)

To modify the security policies, we have to create the configuration tree (Firewall -> Rulebase -> SecurityPolicy) and add them to the Firewall object. More information here.

    # Create the rulebase container. 
    rulebase = panos.policies.Rulebase()
    # Add the rulebase container to the firewall object. 
    firewall.add(rulebase)

We can now start opening up the CSV file, reading its contents, and start creating a list of security rules.

    # Opens the csv file for reading
    file_      = open(RULE_CSV, 'r')
    # Using the reader object from the csv module to read the file.
    csv_reader = csv.reader(file_)
    # Using list comprehension to create a new list based on the upcoming 'for' statement.
    security_rules = []

    for row in csv_reader:
      # row[0] is the value of rule name
      # row[1] is the value of the source zone ( any )
      # row[2] is the value of the source IP
      # row[3] is the value of destination zone ( any )
      # row[4] is the value of the destination IP
      # row[5] is the value of the application
      # row[6] is the value of the service 
      # row[7] is the value of the action

        rule_name         = row[0]
        source_zone       = row[1].split(" ")
        source_ip         = row[2].split(" ")   
        destination_zone  = row[3].split(" ")    
        destination_ip    = row[4].split(" ")    
        application       = row[5].split(" ")    
        service           = row[6].split(" ")   
        action            = row[7] 

      # Creating a security policy rule for each entry in the CSV file.
        security_rules.append(policies.SecurityRule(name=rule_name, fromzone=source_zone, source=source_ip, tozone=destination_zone,  destination=destination_ip, application=application, service=service, action=action))

We add the security rules list to the Rulebase container. Using the find class, we look for one of the security rules objects in the configuration tree by name and tell python its location. Once python finds that object, we use the create_similar class to bulk create all objects (rules) similar to it.
```
    # Add the security_rules list to the Rulebase container. 
    # Firewall -> Rule Base -> Security Rule  
    rulebase.extend(security_rules)

    # Find every object similar and create it.
    rulebase.find('NAME_OF_RULE').create_similar()
    firewall.commit()
```

We end it with an error handling if we can’t connect to the device and exit from the program.

  except:
    print("ERROR   :  Check the IP address and credentials. Make sure the PATH of the CSV file is correct.")
    sys.exit(0)

full code

#!/usr/bin/env python
#
# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

# Importing the firewall, objects, and policy modules from PAN-OS-Python Framework.
from pandevice import firewall
from pandevice import objects
from pandevice import policies

# Importing the module to time the code execution. Its good to know the commit time.
import timeit

# Importing CSV module to read the CSV file.
import csv
import sys

if __name__ == '__main__':

  try: 

    # Setting the user account made explicitly for API requests, identifying the firewall, and CSV filepath.
    USERNAME       = "USERNAME_HERE"
    PASSWORD       = "PASSWORD_HERE"
    FIREWALL_IP    = "PAN_FW_IP_HERE"
    RULE_CSV       = "CSV_FILEPATH_HERE"

    firewall = firewall.Firewall(hostname=FIREWALL_IP, api_username=USERNAME, api_password=PASSWORD)

    # Create the rulebase container. 
    rulebase = panos.policies.Rulebase()
    # Add the rulebase container to the firewall object. 
    firewall.add(rulebase)
        # Opens the csv file for reading
    file_      = open(RULE_CSV, 'r')
    # Using the reader object from the csv module to read the file.
    csv_reader = csv.reader(file_)
    # Using list comprehension to create a new list based on the upcoming 'for' statement.
    security_rules = []

    for row in csv_reader:
      # row[0] is the value of rule name
      # row[1] is the value of the source zone ( any )
      # row[2] is the value of the source IP
      # row[3] is the value of destination zone ( any )
      # row[4] is the value of the destination IP
      # row[5] is the value of the application
      # row[6] is the value of the service 
      # row[7] is the value of the action

        rule_name         = row[0]
        source_zone       = row[1].split(" ")
        source_ip         = row[2].split(" ")   
        destination_zone  = row[3].split(" ")    
        destination_ip    = row[4].split(" ")    
        application       = row[5].split(" ")    
        service           = row[6].split(" ")   
        action            = row[7] 

      # Creating a security policy rule for each entry in the CSV file.
        security_rules.append(policies.SecurityRule(name=rule_name, fromzone=source_zone, source=source_ip, tozone=destination_zone,  destination=destination_ip, application=application, service=service, action=action))
        # Add the security_rules list to the Rulebase container. 
    # Firewall -> Rule Base -> Security Rule  
    rulebase.extend(security_rules)

    # Find every object similar and create it.
    rulebase.find('NAME_OF_RULE').create_similar()
    firewall.commit()

  except:
    print("ERROR   :  Check the IP address and credentials. Make sure the PATH of the CSV file is correct.")
    sys.exit(0)

Well, that’s the end of it. Automating Palo Alto Network Firewalls with Python is a great way to save time and effort. It also helps to ensure that tasks are completed consistently and reliably. It’s never too late to start learning python, and with the way IT is headed, it’ll be a valuable tool in the future.

John Tai

🧱 Palo Alto Networks Python Automation – Coding The Future