Metadata-Version: 2.1
Name: panw-utils
Version: 0.4.1
Summary: Palo Alto Networks Utilities
Home-page: https://github.com/dapacruz/panw-utils
Author: David Paul Cruz
Author-email: davidcruz72@gmail.com
License: MIT license
Keywords: panw_utils
Platform: UNKNOWN
Classifier: Development Status :: 2 - Pre-Alpha
Classifier: Intended Audience :: System Administrators
Classifier: License :: OSI Approved :: MIT License
Classifier: Natural Language :: English
Classifier: Programming Language :: Python :: 3.6
Classifier: Programming Language :: Python :: 3.7
Requires-Dist: cryptography (==2.4.2)
Requires-Dist: netmiko

==========
panw-utils
==========


.. image:: https://img.shields.io/pypi/v/panw_utils.svg
        :target: https://pypi.python.org/pypi/panw_utils

.. image:: https://img.shields.io/travis/dapacruz/panw_utils.svg
        :target: https://travis-ci.org/dapacruz/panw_utils

.. image:: https://readthedocs.org/projects/panw-utils/badge/?version=latest
        :target: https://panw-utils.readthedocs.io/en/latest/?badge=latest
        :alt: Documentation Status




Palo Alto Networks Utilities


* Free software: MIT license
* Documentation: https://panw-utils.readthedocs.io.


Features
--------

panw-utils

* Returns a list of available commands

get-panw-api-key

* Returns the current API key, suitable for piping to pbcopy (macOS) or clip.exe (Windows)
* Command line options
* Platform independent
* Save default user and firewall
* Update saved settings
* Receives pipeline input (stdin)
* Uses a default firewall if one is not provided
* Prompts for required parameters if none provided
* Multi-threaded

get-panw-firewalls

* Returns a list of firewalls including management address and serial number
* Output can be pasted directly into Excel
* Terse output option for piping to other commands
* Command line options
* Platform independent
* Save API key and default Panorama host
* Update saved settings
* Override/supply API key on the command line

get-panw-interfaces

* Returns a list of firewall interfaces
* Output can be pasted directly into Excel
* Terse output option for piping to other commands
* Command line options
* Platform independent
* Save API key and default firewall
* Update saved settings
* Override/supply API key on the command line
* Filter on interface properties
* Multi-threaded

get-panw-config

* Returns the firewall configuration (set/XML format)
* Command line options
* Platform independent
* Save key-based auth preference, default user and default firewall
* Update saved settings
* Multi-threaded


Usage
=====

To return a list of firewalls use the ``get-panw-firewalls`` command::

    $ get-panw-firewalls
    Host                          	MgmtIP         	Serial      	Model   	Uptime              	SwVersion
    ==============================	===============	============	========	====================	=========
    fw01.domain.com                     1.1.1.1  	013999999999	PA-5220 	208 days, 6:49:53   	8.0.9
    fw01.domain.com                     1.1.1.2  	013999999998	PA-5220 	208 days, 7:27:28   	8.0.9

To return a list of firewall hostnames use the ``get-panw-firewalls`` command (suitable for piping to other commands)::

    $ get-panw-firewalls -t
    fw01.domain.com
    fw01.domain.com

To return a list of firewall interfaces use the ``get-panw-interfaces`` command::

    $ get-panw-interfaces fw01.domain.com
    Firewall                 	Interface           	State	IpAddress
    =========================	====================	=====	====================
    fw01.domain.com      	ethernet1/1         	up   	N/A
    fw01.domain.com      	ethernet1/12        	up   	N/A
    fw01.domain.com      	ethernet1/2         	up   	172.17.111.251/24
    fw01.domain.com      	ethernet1/21        	up   	N/A
    fw01.domain.com      	ethernet1/22        	up   	N/A
    fw01.domain.com      	ethernet1/5         	up   	172.19.222.206/28
    fw01.domain.com      	ethernet1/7         	up   	N/A
    fw01.domain.com      	ha1-a               	up   	1.1.1.1/30
    fw01.domain.com      	ha1-b               	up   	1.1.1.9/30
    fw01.domain.com      	hsci-a              	up   	1.1.1.5/30
    fw01.domain.com      	hsci-b              	up   	N/A
    fw01.domain.com      	tunnel              	up   	N/A
    fw01.domain.com      	tunnel.1800         	up   	N/A
    fw01.domain.com      	vlan                	up   	N/A

    $ get-panw-firewalls -t | get-panw-interfaces
    Firewall                 	Interface           	State	IpAddress
    =========================	====================	=====	====================
    fw01.domain.com      	ethernet1/1         	up   	N/A
    fw01.domain.com      	ethernet1/12        	up   	N/A
    fw01.domain.com      	ethernet1/2         	up   	172.17.111.251/24
    fw01.domain.com      	ethernet1/21        	up   	N/A
    fw01.domain.com      	ethernet1/22        	up   	N/A
    fw01.domain.com      	ethernet1/5         	up   	172.19.222.206/28
    fw01.domain.com      	ethernet1/7         	up   	N/A
    fw02.domain.com      	ethernet1/1         	up   	N/A
    fw02.domain.com      	ethernet1/12        	up   	N/A
    fw02.domain.com      	ethernet1/2         	up   	172.17.111.251/24
    fw02.domain.com      	ethernet1/21        	up   	N/A
    fw02.domain.com      	ethernet1/22        	up   	N/A
    fw02.domain.com      	ethernet1/5         	up   	172.19.222.206/28
    fw02.domain.com      	ethernet1/7         	up   	N/A

To return the firewall configuration use the ``get-panw-config`` command::

    $ get-panw-config
    ============================
    = fw01.domain.com =
    ============================
    <response status="success"><result><config version="8.0.0" urldb="paloaltonetworks">
      <mgt-config>
        <users>
          <entry name="admin">
            <phash>xxxxx</phash>
            <permissions>
              <role-based>
                <superuser>yes</superuser>
              </role-based>
            </permissions>
          </entry>
          <entry name="user1">
            <permissions>
              <role-based>
                <superuser>yes</superuser>
              </role-based>
            </permissions>
            <phash>xxxxx</phash>
          </entry>
    <--- Output truncated --->

To return the configuration of multiple firewalls pipe the output of ``get-panw-firewalls -t`` to the ``get-panw-config`` command::

    $ get-panw-firewalls -t | get-panw-config
    ============================
    = fw01.domain.com =
    ============================
    <response status="success"><result><config version="8.0.0" urldb="paloaltonetworks">
      <mgt-config>
        <users>
          <entry name="admin">
            <phash>xxxxx</phash>
            <permissions>
              <role-based>
                <superuser>yes</superuser>
              </role-based>
            </permissions>
          </entry>
          <entry name="user1">
            <permissions>
              <role-based>
                <superuser>yes</superuser>
              </role-based>
            </permissions>
            <phash>xxxxx</phash>
          </entry>
    <--- Output truncated --->

    ============================
    = fw02.domain.com =
    ============================
    <response status="success"><result><config version="8.0.0" urldb="paloaltonetworks">
      <mgt-config>
        <users>
          <entry name="admin">
            <phash>xxxxx</phash>
            <permissions>
              <role-based>
                <superuser>yes</superuser>
              </role-based>
            </permissions>
          </entry>
          <entry name="user1">
            <permissions>
              <role-based>
                <superuser>yes</superuser>
              </role-based>
            </permissions>
            <phash>xxxxx</phash>
          </entry>
    <--- Output truncated --->

To return a portion of the firewall configuration use the ``get-panw-config`` command with the ``--xpath`` option::

    $ get-panw-config --xpath "/config/mgt-config/users"
    ============================
    = fw01.domain.com =
    ============================
    <response status="success"><result><users>
      <entry name="admin">
        <phash>xxxxx</phash>
        <permissions>
          <role-based>
            <superuser>yes</superuser>
          </role-based>
        </permissions>
      </entry>
    </users></result></response>
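
The ``--xpath`` output above carries both the administrator roles and the ``<phash>`` password hashes, so it is worth auditing and redacting before it is stored or shared. The following is an added example, not part of panw-utils: it assumes the banner-plus-XML layout shown above, and the sample data, the ``auditor`` account and the function names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample, shaped like the --xpath output shown above (banner + XML).
SAMPLE = """\
============================
= fw01.domain.com =
============================
<response status="success"><result><users>
  <entry name="admin">
    <phash>xxxxx</phash>
    <permissions><role-based><superuser>yes</superuser></role-based></permissions>
  </entry>
  <entry name="auditor">
    <phash>yyyyy</phash>
    <permissions><role-based><superreader>yes</superreader></role-based></permissions>
  </entry>
</users></result></response>
"""

BANNER = re.compile(r"^=+\n= (\S+) =\n=+\n", re.M)

def split_by_firewall(text):
    """Return [(hostname, xml_text), ...], one pair per banner-delimited block."""
    parts = BANNER.split(text)  # ['', host1, xml1, host2, xml2, ...]
    return list(zip(parts[1::2], parts[2::2]))

def audit_users(text):
    """Return ({host: [superuser names]}, {host: XML with every phash redacted})."""
    superusers, redacted = {}, {}
    for host, xml_text in split_by_firewall(text):
        root = ET.fromstring(xml_text.strip())
        if root.get("status") != "success":
            raise ValueError(f"{host}: API returned status {root.get('status')!r}")
        superusers[host] = [
            e.get("name") for e in root.findall(".//users/entry")
            if e.findtext("permissions/role-based/superuser") == "yes"
        ]
        for ph in root.iter("phash"):
            ph.text = "REDACTED"  # never keep hashes in reports or tickets
        redacted[host] = ET.tostring(root, encoding="unicode")
    return superusers, redacted
```

Because the headers are written to ``sys.stderr`` since 0.3.0, capture both streams (``2>&1``) if the per-firewall banners are needed for splitting.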

To return the set-format configuration of multiple firewalls, pipe the output of ``get-panw-firewalls -t`` to ``get-panw-config --format set`` (filtered here with ``egrep`` to the banner and virtual-router lines)::

    $ get-panw-firewalls -t | get-panw-config --format set | egrep "^=|virtual-router"
    Collecting set configuration via ssh ...
    ============================
    = fw01.domain.com =
    ============================
    set network virtual-router default protocol bgp enable no
    set network virtual-router default protocol bgp dampening-profile default cutoff 1.25
    set network virtual-router default protocol bgp dampening-profile default reuse 0.5
    set network virtual-router default protocol bgp dampening-profile default max-hold-time 900
    set network virtual-router default protocol bgp dampening-profile default decay-half-life-reachable 300
    set network virtual-router default protocol bgp dampening-profile default decay-half-life-unreachable 900
    set network virtual-router default protocol bgp dampening-profile default enable yes
    set network virtual-router default interface [ ethernet1/1 ]
    set network virtual-router default routing-table ip static-route "Default Route" nexthop ip-address 192.168.197.254
    set network virtual-router default routing-table ip static-route "Default Route" path-monitor enable no
    set network virtual-router default routing-table ip static-route "Default Route" path-monitor failure-condition any
    set network virtual-router default routing-table ip static-route "Default Route" path-monitor hold-time 2
    set network virtual-router default routing-table ip static-route "Default Route" metric 10
    set network virtual-router default routing-table ip static-route "Default Route" destination 0.0.0.0/0
    set network virtual-router default routing-table ip static-route "Default Route" route-table unicast
    ============================
    = fw02.domain.com =
    ============================
    set network virtual-router default protocol bgp enable no
    set network virtual-router default protocol bgp dampening-profile default cutoff 1.25
    set network virtual-router default protocol bgp dampening-profile default reuse 0.5
    set network virtual-router default protocol bgp dampening-profile default max-hold-time 900
    set network virtual-router default protocol bgp dampening-profile default decay-half-life-reachable 300
    set network virtual-router default protocol bgp dampening-profile default decay-half-life-unreachable 900
    set network virtual-router default protocol bgp dampening-profile default enable yes
    set network virtual-router default interface [ ethernet1/1 ]
    set network virtual-router default routing-table ip static-route "Default Route" nexthop ip-address 10.69.26.62
    set network virtual-router default routing-table ip static-route "Default Route" path-monitor enable no
    set network virtual-router default routing-table ip static-route "Default Route" path-monitor failure-condition any
    set network virtual-router default routing-table ip static-route "Default Route" path-monitor hold-time 2
    set network virtual-router default routing-table ip static-route "Default Route" metric 10
    set network virtual-router default routing-table ip static-route "Default Route" destination 0.0.0.0/0
    set network virtual-router default routing-table ip static-route "Default Route" route-table unicast

To ping every interface in an "up" state (count 1, 1 second timeout), filtering out the HA subnets::

    $ get-panw-firewalls -t | grep fw01.domain.com | get-panw-interfaces --if-state up -t | grep -v 1.1.1. | xargs -n1 ping -c 1 -t 1
    PING 10.170.196.241 (10.170.196.241): 56 data bytes
    64 bytes from 10.170.196.241: icmp_seq=0 ttl=57 time=63.845 ms

    --- 10.170.196.241 ping statistics ---
    1 packets transmitted, 1 packets received, 0.0% packet loss
    round-trip min/avg/max/stddev = 63.845/63.845/63.845/0.000 ms
    PING 10.170.118.254 (10.170.118.254): 56 data bytes
    64 bytes from 10.170.118.254: icmp_seq=0 ttl=57 time=63.471 ms

    --- 10.170.118.254 ping statistics ---
    1 packets transmitted, 1 packets received, 0.0% packet loss
    round-trip min/avg/max/stddev = 63.471/63.471/63.471/0.000 ms
    PING 10.171.119.254 (10.171.119.254): 56 data bytes
    64 bytes from 10.171.119.254: icmp_seq=0 ttl=57 time=63.862 ms

    --- 10.171.119.254 ping statistics ---
    1 packets transmitted, 1 packets received, 0.0% packet loss
    round-trip min/avg/max/stddev = 63.862/63.862/63.862/0.000 ms
    PING 10.170.111.254 (10.170.111.254): 56 data bytes
    64 bytes from 10.170.111.254: icmp_seq=0 ttl=57 time=63.931 ms

    --- 10.170.111.254 ping statistics ---
    1 packets transmitted, 1 packets received, 0.0% packet loss
    round-trip min/avg/max/stddev = 63.931/63.931/63.931/0.000 ms
    PING 10.170.92.126 (10.170.92.126): 56 data bytes
    64 bytes from 10.170.92.126: icmp_seq=0 ttl=57 time=63.768 ms

    --- 10.170.92.126 ping statistics ---
    1 packets transmitted, 1 packets received, 0.0% packet loss
    round-trip min/avg/max/stddev = 63.768/63.768/63.768/0.000 ms


=======
History
=======

0.0.1 (2019-02-16)
------------------

* First release on PyPI.

0.1.5 (2019-02-17)
-------------------

* Update README.rst.
* Update descriptions.
* Implement helper command (panw-utils).

0.1.6 (2019-02-17)
-------------------

* Fix bug in saved settings update

0.1.11 (2019-02-17)
-------------------

* Configure Travis CI

0.2.0 (2019-03-07)
-------------------

* Added get-panw-config

0.3.0 (2019-04-07)
-------------------

* Implement concurrency
* Redirect headers to sys.stderr to make grep friendly
* Add model, uptime and software version to output

0.4.0 (2019-04-12)
-------------------

* Migrate from multi-processing to multi-threading


