import getpass
import json
import os
import socket

import requests
import xlsxwriter
import xmltodict
  2.  
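def return_error_string(error_msg, status_code, response_text):
    """
    Builds the text of the exception raised when the device answers with a non-2xx status

    Arguments: error_msg (String), status_code (int), response_text (String)
    Returns:   String (multi-line description of the failure)
    """
    # Format from the parameters: the original referenced a module-level
    # ``response`` that does not exist, so every call raised NameError
    # instead of producing the message.
    return """Error:
               (msg)             {error_message}
               (response status) {response_status}
               (response msg)    {response_message}""".format(error_message=error_msg,
                                                              response_status=status_code,
                                                              response_message=response_text)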
  10.  
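def retrieve_paloalto_token(url, username, password, *, verify=True):
    """
    Creates an API key for leveraging the Palo-Alto XML API

    Arguments: url (String, base API URL such as https://firewall/api),
               username (String), password (String),
               verify (bool or CA-bundle path, keyword-only; TLS certificate
               verification of the device, pass a CA bundle path for a
               private CA rather than disabling verification)
    Returns:   String (API key)
    Raises:    Exception carrying the status and body when the device does
               not answer with a 2xx status

    >>>token = retrieve_paloalto_token('https://firewall/api', 'test_user', 'xxxxx')
    >>>assert token
    """
    # The credentials go in the POST body, not the query string, so they do
    # not land in proxy, web-server or access logs; requests also URL-encodes
    # them, which the previous string concatenation did not (a password with
    # '&' or '#' silently broke the request).
    response = requests.post(url + '/',
                             params={'type': 'keygen'},
                             data={'user': username, 'password': password},
                             verify=verify)
    if not 200 <= response.status_code < 300:
        error_string = return_error_string("Exception was raised while retrieving a Palo-Alto Token.",
                                           response.status_code, response.text)
        raise Exception(error_string)
    return xmltodict.parse(response.text)['response']['result']['key']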
  31.  
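def audit_rules(url, pa_token, *, verify=True):
    """
    Retrieves the security rules from the Palo Alto device

    Arguments: url (String), pa_token (String, API key),
               verify (bool or CA-bundle path, keyword-only; TLS verification)
    Returns:   List of rule entries (each a dictionary parsed from the XML)
    Raises:    Exception carrying the status and body when the device does
               not answer with a 2xx status

    >>>token = retrieve_paloalto_token('https://firewall/api', 'test_user', 'xxxxx')
    >>>rules = audit_rules('https://firewall/api', token)
    >>>assert len(rules) > 0
    """
    # Parameters are passed to requests so they are URL-encoded; the xpath
    # contains characters that broke the old string concatenation.
    # NOTE(review): the key is sent as a query parameter here; PAN-OS 9.0+
    # also accepts it in the X-PAN-KEY header, which keeps it out of URL logs.
    response = requests.post(url + '/',
                             params={'type': 'config',
                                     'action': 'show',
                                     'key': pa_token,
                                     'xpath': '/config/devices/entry/vsys/entry/rulebase/security'},
                             verify=verify)
    if not 200 <= response.status_code < 300:
        error_string = return_error_string("Exception was raised while querying for rules",
                                           response.status_code, response.text)
        raise Exception(error_string)
    rules = xmltodict.parse(response.text)['response']['result']['security']['rules']['entry']
    # xmltodict returns a bare dict for a single <entry>; callers iterate the
    # result, so always hand back a list.
    if rules is None:
        return []
    return rules if isinstance(rules, list) else [rules]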
  53.  
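def get_groups(url, token, *, verify=True):
    """
    Retrieves the address groups

    Arguments: url (String), token (String, API key),
               verify (bool or CA-bundle path, keyword-only; TLS verification)
    Returns:   address_groups (List of group entries parsed from the XML)
    Raises:    Exception carrying the status and body when the device does
               not answer with a 2xx status

    >>>token  = retrieve_paloalto_token('https://firewall/api', 'test_user', 'xxxxx')
    >>>groups = get_groups('https://firewall/api', token)
    >>>assert len(groups) > 0
    """
    # Parameters are passed to requests so they are URL-encoded.
    response = requests.post(url + '/',
                             params={'type': 'config',
                                     'action': 'get',
                                     'key': token,
                                     'xpath': '/config/devices/entry/vsys/entry/address-group'},
                             verify=verify)
    if not 200 <= response.status_code < 300:
        # The previous message said "named addresses", which misattributed
        # failures to the wrong request.
        error_string = return_error_string("Exception was raised while getting address groups",
                                           response.status_code, response.text)
        raise Exception(error_string)
    address_groups = xmltodict.parse(response.text)['response']['result']['address-group']['entry']
    # xmltodict returns a bare dict for a single <entry>; always hand back a list.
    if address_groups is None:
        return []
    return address_groups if isinstance(address_groups, list) else [address_groups]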
  75.  
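def get_named_address(url, token, *, verify=True):
    """
    Retrieves the named address objects

    Arguments: url (String), token (String, API key),
               verify (bool or CA-bundle path, keyword-only; TLS verification)
    Returns:   named_addresses (List of address entries parsed from the XML)
    Raises:    Exception carrying the status and body when the device does
               not answer with a 2xx status

    >>>token     = retrieve_paloalto_token('https://firewall/api', 'test_user', 'xxxxx')
    >>>addresses = get_named_address('https://firewall/api', token)
    >>>assert len(addresses) > 0
    """
    # Parameters are passed to requests so they are URL-encoded.
    response = requests.post(url + '/',
                             params={'type': 'config',
                                     'action': 'get',
                                     'key': token,
                                     'xpath': '/config/devices/entry/vsys/entry/address'},
                             verify=verify)
    if not 200 <= response.status_code < 300:
        error_string = return_error_string("Exception was raised while getting named addresses",
                                           response.status_code, response.text)
        raise Exception(error_string)
    named_addresses = xmltodict.parse(response.text)['response']['result']['address']['entry']
    # xmltodict returns a bare dict for a single <entry>; always hand back a list.
    if named_addresses is None:
        return []
    return named_addresses if isinstance(named_addresses, list) else [named_addresses]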
  97.  
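def main(url, username, password, *, output_path='paloalto_rules.xlsx'):
    """
    Pulls the security rulebase from the device, resolves every source and
    destination object down to addresses and writes one row per rule to a workbook

    Arguments: url (String), username (String), password (String),
               output_path (String, keyword-only; path of the .xlsx file to create)
    Returns:   None
    """
    pa_token        = retrieve_paloalto_token(url, username, password)

    rules           = audit_rules(url, pa_token)
    named_addresses = get_named_address(url, pa_token)
    groups          = get_groups(url, pa_token)

    # A single rule comes back from xmltodict as a bare dict, not a list.
    if isinstance(rules, dict):
        rules = [rules]

    def members(rule, field):
        # <member> appears once or many times, so xmltodict yields a str or a
        # list; an absent section yields no members.
        section = rule.get(field) or {}
        value   = section.get('member') if isinstance(section, dict) else None
        if value is None:
            return []
        return value if isinstance(value, list) else [value]

    # The original left the workbook half-written (``xlsxwriter.workbook()``
    # does not exist and ``worksheet =`` had no value); close it in ``finally``
    # so a failure mid-way still flushes what was written.
    workbook = xlsxwriter.Workbook(output_path)
    try:
        worksheet = workbook.add_worksheet()
        worksheet.write_row(0, 0, ('rule', 'source', 'destination', 'service'))
        for row, rule in enumerate(rules, start=1):
            source_addresses      = resolve_firewall_containers(members(rule, 'source'), named_addresses, groups)
            destination_addresses = resolve_firewall_containers(members(rule, 'destination'), named_addresses, groups)
            service_members       = members(rule, 'service')
            worksheet.write_row(row, 0, (rule.get('@name', ''),
                                         ', '.join(map(str, source_addresses)),
                                         ', '.join(map(str, destination_addresses)),
                                         ', '.join(map(str, service_members))))
    finally:
        workbook.close()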
  118.  
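def resolve_firewall_containers(containers, named_address_list, containers_list, _seen=frozenset()):
    """
    Recursively unravel address groups and named addresses into their addresses

    Arguments: containers (list of member names, or a single name),
               named_address_list (list of address entries),
               containers_list (list of address-group entries),
               _seen (internal; names of the groups already expanded on the
               current path, used to stop on self-referencing groups)
    Returns:   ip_addresses (list) -- one item per leaf member: the address
               object's ip-netmask / ip-range / fqdn value, or the member
               text itself when it is not a known object (e.g. "any" or a
               literal address)

    >>>named  = [{'@name': 'web1', 'ip-netmask': '10.0.0.1/32'}]
    >>>groups = [{'@name': 'web', 'static': {'member': 'web1'}}]
    >>>resolve_firewall_containers('web', named, groups)
    ['10.0.0.1/32']
    """

    def as_list(value):
        # xmltodict returns a dict for a single <entry> and a str for a single
        # <member>; None stands for an absent section.
        if value is None:
            return []
        return value if isinstance(value, list) else [value]

    address_entries = as_list(named_address_list)
    group_entries   = as_list(containers_list)

    i_address = []
    for container in as_list(containers):
        group  = next((item for item in group_entries
                       if isinstance(item, dict) and item.get('@name') == container), None)
        static = group.get('static') if group is not None else None
        if isinstance(static, dict) and 'member' in static:
            # A group that (directly or indirectly) lists itself would recurse
            # forever; the path of expanded names stops that. Dynamic groups
            # (no <static>) fall through and are kept by name.
            if container in _seen:
                continue
            i_address += resolve_firewall_containers(static['member'], address_entries,
                                                     group_entries, _seen | {container})
            continue

        entry = next((item for item in address_entries
                      if isinstance(item, dict) and item.get('@name') == container), None)
        if entry is None:
            # Not an object we know: keep the literal rather than the None the
            # old ``next(..., None)`` appended.
            i_address.append(container)
            continue
        # An address object carries one of these value fields.
        value = next((entry[key] for key in ('ip-netmask', 'ip-range', 'fqdn') if key in entry), None)
        i_address.append(value if value is not None else container)

    return i_address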
  148.        
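if __name__ == "__main__":
    # Credentials never belong in source: take them from the environment and
    # prompt for the password when it is not set, so the secret is not
    # committed or left in a paste. (Variable names below are this script's own.)
    palo_alto_url = os.environ.get("PALO_ALTO_URL", 'https://xxxxxxxxxx/api')
    username      = os.environ.get("PALO_ALTO_USER", 'mhansen')
    password      = os.environ.get("PALO_ALTO_PASSWORD") or getpass.getpass("Palo Alto password: ")

    main(palo_alto_url, username, password)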