import getpass
import os
import requests, json, xmltodict, xlsxwriter, socket
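def return_error_string(error_msg, status_code, response_text):
    """Format a multi-line error message describing a failed API call.

    Arguments:
        error_msg: what the caller was doing when the call failed.
        status_code: HTTP status code of the failed response.
        response_text: body of the failed response, echoed verbatim.
    Returns:
        str laid out as ``Error:`` / ``(msg) …`` / ``(response status) …`` /
        ``(response msg) …``.
    """
    # The original body referenced an undefined name `response` instead of the
    # parameters, so every call raised NameError before the real error surfaced.
    return """Error:
(msg) {error_message}
(response status) {response_status}
(response msg) {response_message}""".format(
        error_message=error_msg,
        response_status=status_code,
        response_message=response_text,
    )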
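def retrieve_paloalto_token(url, username, password, *, verify=False):
    """Generate an API key via the Palo Alto XML API (``type=keygen``).

    Arguments:
        url: base API URL, e.g. ``https://<firewall>/api`` (no trailing slash).
        username, password: credentials the key is generated for.
        verify: forwarded to ``requests``. Defaults to ``False`` to match the
            original behaviour, which disables TLS certificate verification;
            pass ``True`` or a CA-bundle path outside of lab use.
    Returns:
        str: the API key found at ``response/result/key``.
    Raises:
        RuntimeError: when the device answers with a non-2xx status.
        KeyError: when the XML reply has no ``response/result/key``.
    """
    # Let requests URL-encode the credentials rather than concatenating them
    # into the query string: a password containing '&', '#' or '%' would
    # otherwise corrupt the request. They still travel in the URL as in the
    # original; sending them as form data (data=...) would keep them out of
    # URL logs if the device accepts that — confirm before switching.
    params = {'type': 'keygen', 'user': username, 'password': password}
    response = requests.post(url + '/', params=params, verify=verify)
    if not 200 <= response.status_code < 300:
        raise RuntimeError(return_error_string(
            "Exception was raised while retireving a Palo-Alto Token.",
            response.status_code, response.text))
    return xmltodict.parse(response.text)['response']['result']['key']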
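def audit_rules(url, pa_token, *, verify=False):
    """Fetch the vsys security rulebase from the device.

    Arguments:
        url: base API URL, e.g. ``https://<firewall>/api``.
        pa_token: API key from ``retrieve_paloalto_token``.
        verify: forwarded to ``requests``; ``False`` (the original default)
            disables TLS certificate verification.
    Returns:
        list of rule entries as parsed by xmltodict. Always a list: xmltodict
        yields a single dict when the rulebase has exactly one rule, and the
        element is absent when it has none.
    Raises:
        RuntimeError: on a non-2xx status, or on a reply whose
            ``<response status="...">`` is not ``success``.
    """
    params = {
        'type': 'config',
        'action': 'show',
        'key': pa_token,
        'xpath': '/config/devices/entry/vsys/entry/rulebase/security',
    }
    # The API key is sent in the query string as in the original, so keep
    # request URLs out of logs.
    response = requests.post(url + '/', params=params, verify=verify)
    if not 200 <= response.status_code < 300:
        raise RuntimeError(return_error_string(
            "Exception was raised while querying for rules",
            response.status_code, response.text))
    reply = xmltodict.parse(response.text)['response']
    # A 2xx reply can still carry an API-level error; do not report it as
    # "no rules".
    if reply.get('@status', 'success') != 'success':
        raise RuntimeError(return_error_string(
            "Exception was raised while querying for rules",
            response.status_code, response.text))
    node = reply
    for key in ('result', 'security', 'rules', 'entry'):
        node = (node or {}).get(key)  # empty elements parse to None
    if node is None:
        return []
    return node if isinstance(node, list) else [node]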
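def get_groups(url, token, *, verify=False):
    """Fetch the vsys ``address-group`` objects from the device.

    Arguments:
        url: base API URL, e.g. ``https://<firewall>/api``.
        token: API key from ``retrieve_paloalto_token``.
        verify: forwarded to ``requests``; ``False`` (the original default)
            disables TLS certificate verification.
    Returns:
        list of ``address-group`` entries as parsed by xmltodict. Always a
        list, even when the device has a single group or none.
    Raises:
        RuntimeError: on a non-2xx status, or on a reply whose
            ``<response status="...">`` is not ``success``.
    """
    params = {
        'type': 'config',
        'action': 'get',
        'key': token,
        'xpath': '/config/devices/entry/vsys/entry/address-group',
    }
    # The API key is sent in the query string as in the original, so keep
    # request URLs out of logs.
    response = requests.post(url + '/', params=params, verify=verify)
    # The original reported "named addresses" here, which points the reader
    # at the wrong call when debugging.
    if not 200 <= response.status_code < 300:
        raise RuntimeError(return_error_string(
            "Exception was raised while getting address groups",
            response.status_code, response.text))
    reply = xmltodict.parse(response.text)['response']
    if reply.get('@status', 'success') != 'success':
        raise RuntimeError(return_error_string(
            "Exception was raised while getting address groups",
            response.status_code, response.text))
    node = reply
    for key in ('result', 'address-group', 'entry'):
        node = (node or {}).get(key)  # empty elements parse to None
    if node is None:
        return []
    return node if isinstance(node, list) else [node]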
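def get_named_address(url, token, *, verify=False):
    """Fetch the vsys ``address`` objects (named addresses) from the device.

    Arguments:
        url: base API URL, e.g. ``https://<firewall>/api``.
        token: API key from ``retrieve_paloalto_token``.
        verify: forwarded to ``requests``; ``False`` (the original default)
            disables TLS certificate verification.
    Returns:
        list of ``address`` entries as parsed by xmltodict. Always a list,
        even when the device has a single address object or none.
    Raises:
        RuntimeError: on a non-2xx status, or on a reply whose
            ``<response status="...">`` is not ``success``.
    """
    params = {
        'type': 'config',
        'action': 'get',
        'key': token,
        'xpath': '/config/devices/entry/vsys/entry/address',
    }
    # The API key is sent in the query string as in the original, so keep
    # request URLs out of logs.
    response = requests.post(url + '/', params=params, verify=verify)
    if not 200 <= response.status_code < 300:
        raise RuntimeError(return_error_string(
            "Exception was raised while getting named addresses",
            response.status_code, response.text))
    reply = xmltodict.parse(response.text)['response']
    if reply.get('@status', 'success') != 'success':
        raise RuntimeError(return_error_string(
            "Exception was raised while getting named addresses",
            response.status_code, response.text))
    node = reply
    for key in ('result', 'address', 'entry'):
        node = (node or {}).get(key)  # empty elements parse to None
    if node is None:
        return []
    return node if isinstance(node, list) else [node]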
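def main(url, username, password):
    """Pull the security rulebase and resolve each rule's members to addresses.

    Arguments:
        url: base API URL, e.g. ``https://<firewall>/api``.
        username, password: credentials used to generate the API key.
    Returns:
        list of dicts, one per rule, with the rule ``name`` and its resolved
        ``source`` and ``destination`` address lists plus the raw ``service``
        members. The original returned ``None`` and never reached its
        half-written spreadsheet export.
    """
    pa_token = retrieve_paloalto_token(url, username, password)
    rules = audit_rules(url, pa_token)
    named_addresses = get_named_address(url, pa_token)
    groups = get_groups(url, pa_token)
    # xmltodict yields a single dict (not a list) when the rulebase has
    # exactly one rule.
    if isinstance(rules, dict):
        rules = [rules]

    def members(rule, section):
        # Likewise a lone <member> parses to a str, several to a list.
        value = rule[section]['member']
        return value if isinstance(value, list) else [value]

    report = []
    for rule in rules:
        report.append({
            'name': rule.get('@name'),
            'source': resolve_firewall_containers(
                members(rule, 'source'), named_addresses, groups),
            'destination': resolve_firewall_containers(
                members(rule, 'destination'), named_addresses, groups),
            'service': members(rule, 'service'),
        })
    # TODO: the original ended with an unfinished xlsxwriter export
    # (`xlsxwriter.workbook()` / `worksheet =`, a syntax error). Write
    # `report` out with xlsxwriter.Workbook(<filename>) once the layout of
    # the sheet is decided.
    return report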
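def resolve_firewall_containers(containers, named_address_list, containers_list,
                                _seen=frozenset()):
    """Recursively unravel address groups and named addresses into values.

    Arguments:
        containers: one member name or a list of them, as found in a rule's
            ``source``/``destination`` or a static group's ``member`` list.
        named_address_list: ``address`` entries (dicts with ``@name`` and,
            for plain addresses, ``ip-netmask``).
        containers_list: ``address-group`` entries (dicts with ``@name`` and,
            for static groups, ``static``/``member``).
        _seen: names on the current recursion path; internal, used only to
            stop on a group that (directly or indirectly) contains itself.
    Returns:
        list of resolved values in member order: the ``ip-netmask`` of each
        named address, or the member string itself when it is neither a known
        group nor a named address with an ``ip-netmask`` (``any``, FQDN or
        range objects). The original appended ``None`` for unknown names and
        could resolve the wrong group after a lookup error, because its
        bare ``except: pass`` left ``g_address`` set from the previous member.
    """
    if not isinstance(containers, list):
        containers = [containers]
    resolved = []
    for name in containers:
        if name in _seen:
            continue  # cycle: this group is already being expanded
        group_members = None
        for group in containers_list:
            if group.get('@name') == name:
                # <static/> with no members parses to None, not a dict.
                group_members = (group.get('static') or {}).get('member')
                break
        if group_members is not None:
            resolved += resolve_firewall_containers(
                group_members, named_address_list, containers_list,
                _seen | {name})
            continue
        value = name
        for address in named_address_list:
            if address.get('@name') == name:
                value = address.get('ip-netmask', name)
                break
        resolved.append(value)
    return resolved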
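if __name__ == "__main__":
    # Connection details come from the environment (password alternatively
    # from an interactive prompt) instead of being hard-coded in the script,
    # where they end up in version control and pastes. The variable names are
    # this script's own choice.
    palo_alto_url = os.environ.get('PALO_ALTO_URL')
    username = os.environ.get('PALO_ALTO_USERNAME')
    if not palo_alto_url or not username:
        raise SystemExit('Set PALO_ALTO_URL and PALO_ALTO_USERNAME in the environment.')
    password = os.environ.get('PALO_ALTO_PASSWORD') or getpass.getpass('Palo Alto password: ')
    main(palo_alto_url, username, password)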