
Untitled

a guest
Sep 25th, 2018
  1. import requests, json, xmltodict, xlsxwriter, socket
  2.  
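def return_error_string(error_msg, status_code, response_text):
    """
    Formats a failed API call as a multi-line, human-readable message

    Arguments: String (description of the failed operation),
               Integer (HTTP status code), String (response body)
    Returns: String (four lines: header, message, status, response body)
    """
    # Format the arguments that were passed in. The earlier body read
    # ``response.status_code`` and ``response.text``, but no ``response`` name
    # exists in this scope, so every error path ended in a NameError that hid
    # the real API failure.
    template = "\n".join([
        "Error:",
        "(msg) {error_message}",
        "(response status) {response_status}",
        "(response msg) {response_message}",
    ])
    # response_text comes from the device; it is passed as a format argument,
    # so braces inside it are not interpreted as replacement fields.
    return template.format(error_message=error_msg,
                           response_status=status_code,
                           response_message=response_text)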
  10.  
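def retrieve_paloalto_token(url, username, password, verify=False):
    """
    Requests an API key from the Palo-Alto XML API (type=keygen)

    Arguments: String (API base URL), String (Username), String (Password),
               verify (handed to requests: False, True, or a CA bundle path)
    Returns: String (Token)
    Raises: Exception when the device answers with a non-2xx status

    Example (placeholder host and credentials):
        token = retrieve_paloalto_token('https://<firewall>/api', 'test_user', 'xxxxx')
        assert token != ''
    """
    # NOTE(security): verify=False remains the default only so existing callers
    # keep working. With certificate validation off, the credentials and the
    # returned key are exposed to anyone who can intercept the connection.
    # Pass verify=True, or the path of the CA bundle that signed the device
    # certificate, wherever possible.
    #
    # The credentials travel in the form-encoded POST body instead of the
    # query string: URLs are routinely written to proxy and web-server logs,
    # and string concatenation left characters such as '&' or '#' in a password
    # unescaped, which corrupted the request.
    response = requests.post(url + '/',
                             params={'type': 'keygen'},
                             data={'user': username, 'password': password},
                             verify=verify)

    if not 200 <= response.status_code < 300:
        error_string = return_error_string("Exception was raised while retireving a Palo-Alto Token.",
                                           response.status_code, response.text)
        raise Exception(error_string)

    return xmltodict.parse(response.text)['response']['result']['key']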
  31.  
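def audit_rules(url, pa_token, verify=False):
    """
    Retrieves the security rules from the PaloAlto device

    Arguments: String (API base URL), String (Token),
               verify (handed to requests: False, True, or a CA bundle path)
    Returns: List of dictionaries, one per security rule
    Raises: Exception when the device answers with a non-2xx status

    Example (placeholder host and credentials):
        token = retrieve_paloalto_token('https://<firewall>/api', 'test_user', 'xxxxx')
        rules = audit_rules('https://<firewall>/api', token)
        assert len(rules) > 0
    """
    # NOTE(security): verify=False is kept as the default for compatibility;
    # it disables certificate validation, so the API key and the rulebase can
    # be read or altered in transit. Prefer verify=True or a CA bundle path.
    #
    # The API key is sent in the POST body rather than the query string so it
    # does not end up in URL logs along the path.
    response = requests.post(url + '/',
                             params={'type': 'config',
                                     'action': 'show',
                                     'xpath': '/config/devices/entry/vsys/entry/rulebase/security'},
                             data={'key': pa_token},
                             verify=verify)

    if not 200 <= response.status_code < 300:
        error_string = return_error_string("Exception was raised while querying for rules",
                                           response.status_code, response.text)
        raise Exception(error_string)

    rules = xmltodict.parse(response.text)['response']['result']['security']['rules']['entry']
    # xmltodict yields a bare dict when there is exactly one <entry>; wrap it so
    # callers can always iterate over rule dictionaries.
    return rules if isinstance(rules, list) else [rules]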
  53.  
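def get_groups(url, token, verify=False):
    """
    Retrieves the address groups

    Arguments: String (URL), String (Token),
               verify (handed to requests: False, True, or a CA bundle path)
    Returns: groups (List)
    Raises: Exception when the device answers with a non-2xx status

    Example (placeholder host and credentials):
        token = retrieve_paloalto_token('https://<firewall>/api', 'test_user', 'xxxxx')
        groups = get_groups('https://<firewall>/api', token)
        assert len(groups) > 0
    """
    # NOTE(security): verify=False is kept as the default for compatibility;
    # it disables certificate validation, so the API key can be captured in
    # transit. Prefer verify=True or a CA bundle path.
    #
    # The API key goes in the POST body so it is not recorded in URL logs.
    response = requests.post(url + '/',
                             params={'type': 'config',
                                     'action': 'get',
                                     'xpath': '/config/devices/entry/vsys/entry/address-group'},
                             data={'key': token},
                             verify=verify)

    if not 200 <= response.status_code < 300:
        # The message used to say "named addresses" (copied from
        # get_named_address), which pointed at the wrong query.
        error_string = return_error_string("Exception was raised while getting address groups",
                                           response.status_code, response.text)
        raise Exception(error_string)

    address_groups = xmltodict.parse(response.text)['response']['result']['address-group']['entry']
    # A single <entry> is parsed as a dict, not a list; normalise so the
    # documented list return type always holds.
    return address_groups if isinstance(address_groups, list) else [address_groups]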
  75.  
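def get_named_address(url, token, verify=False):
    """
    Retrieves the named addresses

    Arguments: String (URL), String (Token),
               verify (handed to requests: False, True, or a CA bundle path)
    Returns: named_addresses (List)
    Raises: Exception when the device answers with a non-2xx status

    Example (placeholder host and credentials):
        token = retrieve_paloalto_token('https://<firewall>/api', 'test_user', 'xxxxx')
        addresses = get_named_address('https://<firewall>/api', token)
        assert len(addresses) > 0
    """
    # NOTE(security): verify=False is kept as the default for compatibility;
    # it disables certificate validation, so the API key can be captured in
    # transit. Prefer verify=True or a CA bundle path.
    #
    # The API key goes in the POST body so it is not recorded in URL logs.
    response = requests.post(url + '/',
                             params={'type': 'config',
                                     'action': 'get',
                                     'xpath': '/config/devices/entry/vsys/entry/address'},
                             data={'key': token},
                             verify=verify)

    if not 200 <= response.status_code < 300:
        error_string = return_error_string("Exception was raised while getting named addresses",
                                           response.status_code, response.text)
        raise Exception(error_string)

    named_addresses = xmltodict.parse(response.text)['response']['result']['address']['entry']
    # A single <entry> is parsed as a dict, not a list; normalise so the
    # documented list return type always holds.
    return named_addresses if isinstance(named_addresses, list) else [named_addresses]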
  97.  
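def main(url, username, password):
    """
    Pulls the rulebase, named addresses and address groups, then resolves
    every rule's source members down to addresses

    Arguments: String (API base URL), String (Username), String (Password)
    Returns: None
    """
    def as_list(value):
        # xmltodict gives a bare value for a single child and a list for several.
        return value if isinstance(value, list) else [value]

    pa_token = retrieve_paloalto_token(url, username, password)

    rules = audit_rules(url, pa_token)
    named_addresses = get_named_address(url, pa_token)
    groups = get_groups(url, pa_token)

    for rule in as_list(rules):
        source_members = as_list(rule['source']['member'])
        # Destination and service members are collected for the report step
        # below, which is not written yet.
        destination_members = as_list(rule['destination']['member'])
        service_members = as_list(rule['service']['member'])

        ip_addresses = resolve_firewall_containers(source_members, named_addresses, groups)

    # TODO: spreadsheet export. The original stopped mid-statement
    # (``worksheet =``), a syntax error that kept the whole module from
    # loading, and called ``xlsxwriter.workbook()`` although the constructor is
    # ``xlsxwriter.Workbook(<output path>)``. Which columns the report should
    # hold is not recoverable from this file, so nothing is written here.
    return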
  118.  
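def resolve_firewall_containers(containers, named_address_list, containers_list):
    """
    Recursively unravel address groups and named addresses into addresses

    Arguments: containers (list or single name), named_address_list (list),
               containers_list (list)
    Returns: ip_addresses (list)

    Each name is resolved in this order:
      1. a group in containers_list with static members -> its members are
         resolved recursively;
      2. an entry in named_address_list with an 'ip-netmask' -> that value;
      3. anything else (literal address, 'any', a group without static
         members, an address object without 'ip-netmask') -> the name itself.

    TODO:
        Add doctesting for this module
    """
    resolved = []

    if not isinstance(containers, list):
        containers = [containers]

    for container in containers:
        # The group lookup is redone from scratch for every name. The earlier
        # version kept the previous iteration's result whenever its bare
        # ``except: pass`` fired, so a group without 'static' members was
        # silently replaced by the prior group's members (or dropped).
        group = next((item for item in containers_list
                      if isinstance(item, dict) and item.get('@name') == container),
                     None)
        members = None
        if group is not None and isinstance(group.get('static'), dict):
            members = group['static'].get('member')

        if members is not None:
            resolved += resolve_firewall_containers(members, named_address_list, containers_list)
            continue

        address = next((item for item in named_address_list
                        if isinstance(item, dict) and item.get('@name') == container),
                       None)
        if address is not None and 'ip-netmask' in address:
            resolved.append(address['ip-netmask'])
        else:
            # Keep the name when nothing matches. The earlier version appended
            # None here, which erased literal addresses and 'any' from the
            # result and made permissive rules look empty.
            resolved.append(container)

    return resolved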
  148.  
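if __name__ == "__main__":
    import getpass
    import os

    # Credentials are supplied at run time instead of being stored in the
    # script: a password committed to source (or pasted publicly along with
    # it) has to be treated as disclosed. The environment variable names below
    # are this script's own convention; when they are unset the operator is
    # prompted, and getpass keeps the password off the terminal echo.
    palo_alto_url = os.environ.get('PALO_ALTO_URL', 'https://xxxxxxxxxx/api')
    username = os.environ.get('PALO_ALTO_USER') or input('Palo-Alto username: ')
    password = os.environ.get('PALO_ALTO_PASSWORD') or getpass.getpass('Palo-Alto password: ')

    main(palo_alto_url, username, password)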