The Palo Alto Networks firewall operating system, PAN-OS, includes an XML-based management API that allows you to run operational commands and retrieve device-level information. Palo Alto Networks also provides the free ‘Palo Alto Networks Device Framework’ (called pandevice, currently in alpha) for interacting with firewalls (as well as with the Panorama management server) in a way conceptually similar to working with the device through the GUI or CLI. In this article I show how to schedule commands on Palo Alto firewalls using pandevice and Jenkins, a continuous integration and delivery (CI/CD) application that is also capable of scheduling jobs (see my post ‘Jenkins as system job scheduler’).
The first obvious firewall operation to automate is scheduling policy installation, since the best practice is to make changes after working hours. In Jenkins I have two jobs scheduled:
- Firewall commit – commits pending changes on the active firewall (pandevice.fw.commit_all.py)
- Panorama commit – commits pending changes on the management server (pandevice.pano.commit_all.py)
Both jobs can be pictured in Jenkins using graphviz, see below. The Panorama commit job is triggered by the Firewall commit job, so the second job runs only after the first one has completed. A Panorama commit alone is not always enough: for example, when the firewall is connected to Active Directory servers, the ‘Group Mapping Settings’ are configured locally on the firewall and must be committed there.
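To make the two jobs concrete, here is an added example of what such a scheduled commit script can do; it is not the pandevice.fw.commit_all.py or pandevice.pano.commit_all.py script from this post and it deliberately uses only the Python standard library against the PAN-OS XML API (type=keygen to obtain an API key, type=commit for a firewall or Panorama commit, type=commit with action=all for a Panorama push to a device group, and type=op to poll the job). pandevice wraps these same calls. The host name, device-group name, environment variable names and credentials are placeholders.

```python
"""Commit-and-wait against the PAN-OS XML API with only the standard library.

Added example, not the pandevice.fw.commit_all.py / pandevice.pano.commit_all.py
scripts from the post. Assumes the documented PAN-OS XML API endpoints:
type=keygen, type=commit (action=all for a Panorama push) and type=op.
Host names, device-group names and credentials are placeholders.
"""
import os
import ssl
import sys
import time
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET
from xml.sax.saxutils import quoteattr


def api_url(host, params):
    """Build https://<host>/api/?... with every parameter value URL-encoded."""
    return "https://%s/api/?%s" % (host, urllib.parse.urlencode(params))


def commit_params(kind, key, devicegroup=None):
    """XML API parameters for the commit types behind the two Jenkins jobs."""
    if kind in ("firewall", "panorama"):
        # local commit on a firewall, or commit of Panorama's own configuration
        return {"type": "commit", "cmd": "<commit></commit>", "key": key}
    if kind == "commit-all":
        # Panorama push of a device group's shared policy to its managed firewalls;
        # quoteattr() keeps an odd device-group name from breaking the XML
        cmd = ("<commit-all><shared-policy><device-group><entry name=%s/>"
               "</device-group></shared-policy></commit-all>" % quoteattr(devicegroup))
        return {"type": "commit", "action": "all", "cmd": cmd, "key": key}
    raise ValueError("unknown commit kind: %s" % kind)


def _ok(root):
    """Raise on any response whose status attribute is not 'success'."""
    if root.get("status") != "success":
        raise RuntimeError("API error: " + ET.tostring(root, encoding="unicode"))
    return root


def parse_api_key(xml_text):
    return _ok(ET.fromstring(xml_text)).findtext("./result/key")


def parse_commit_job(xml_text):
    """Job id of an enqueued commit, or None when PAN-OS reports nothing to commit."""
    root = _ok(ET.fromstring(xml_text))
    job = root.findtext("./result/job")
    return int(job) if job else None


def parse_job_status(xml_text):
    """(finished, succeeded) from a <show><jobs><id>N</id></jobs></show> response."""
    job = _ok(ET.fromstring(xml_text)).find("./result/job")
    if job is None:
        raise RuntimeError("no job element in response")
    return job.findtext("status") == "FIN", job.findtext("result") == "OK"


def http_get(url, verify_tls=True):
    ctx = ssl.create_default_context()
    if not verify_tls:  # self-signed management certs are common; opt out explicitly
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(url, context=ctx, timeout=60) as resp:
        return resp.read().decode("utf-8")


def commit_and_wait(host, user, password, kind, devicegroup=None, verify_tls=True, poll=10):
    """Obtain an API key, enqueue the commit and block until its job finishes."""
    key = parse_api_key(http_get(api_url(host, {"type": "keygen", "user": user,
                                                 "password": password}), verify_tls))
    job = parse_commit_job(http_get(api_url(host, commit_params(kind, key, devicegroup)),
                                    verify_tls))
    if job is None:
        return True  # nothing to commit is not a failure
    query = {"type": "op", "cmd": "<show><jobs><id>%d</id></jobs></show>" % job, "key": key}
    while True:
        done, ok = parse_job_status(http_get(api_url(host, query), verify_tls))
        if done:
            return ok
        time.sleep(poll)


if __name__ == "__main__":
    # usage: commit.py <host> <firewall|panorama|commit-all> [device-group]
    # credentials come from the environment so Jenkins can inject them as secrets
    host, kind = sys.argv[1], sys.argv[2]
    dg = sys.argv[3] if len(sys.argv) > 3 else None
    succeeded = commit_and_wait(host, os.environ["PAN_USER"], os.environ["PAN_PASS"], kind, dg)
    # a non-zero exit fails the Jenkins job and keeps the downstream job from running
    sys.exit(0 if succeeded else 1)
```

The exit code is what makes the job chaining safe: the Firewall commit job only triggers the Panorama commit job when the commit job actually finished with result OK, not merely when it was enqueued. Keep TLS verification on by importing the management certificate into the Jenkins host's trust store rather than disabling it, and keep the credentials in Jenkins credential bindings rather than in the job definition.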
Posted March 9, 2016
I’ve been using a Gigabyte Brix mini-PC in my home lab since the middle of 2014. It’s the size of a palm. I’m using it with a 250GB SSD and 16GB of memory. I started with vSphere 5.1 installed but recently reinstalled it with Ubuntu 14.04. I found that VMware is more ‘resource demanding’, especially the newer versions 5.5 and 6. I also had difficulty obtaining all the evals I wanted to play with. Not to mention that it was almost impossible to use my 1TB USB disk other than by assigning it to one of the VMs.
On Ubuntu I am using KVM and VirtualBox for virtualization and can do pretty much the same as I did on vSphere. Plus, connecting and sharing an external USB disk is very straightforward. The only disadvantage is that I do everything from the command line. Recently I learned that I can do even better with the free Proxmox VE. It’s based on KVM and gives a very intuitive web GUI.
I’ve not posted anything in the last 3 years. I can see a few drafts from June 2015 which I never published. In December I posted my article about developing software for firewall, or rather Linux-based network device, monitoring at Indeni. I will be posting at packetpushers.net soon, and have added ‘Automation’ to the post categories here.
I did a lot of programming in 2015, mainly Python, JS and Node.js. I’m in the middle of my moderndeveloper.com full-stack journey. I hope to improve my blog visually with what I’ve learned in the area of JS front-end development.
Recently I found in a Polish newspaper (also here) that because of their association with this odd behavior, lemming “suicide” is a frequently used metaphor in reference to people who go along unquestioningly with popular opinion, with potentially dangerous or fatal consequences, like gay marriage supporters
Last year I saw news about IOU – Cisco IOS running on Unix. I was using GNS3 in the past and had no time to try IOU until last weekend. I created an Amazon EC2 Ubuntu instance with half a GB of memory and ran 3 routers connected through their LAN interfaces. It worked great, see below