
Pulling complete rule-base from palo alto firewall

Open Gopiprashanthraju opened this issue 9 months ago • 1 comments

Is your feature request related to a problem?

I have around 100s of firewalls running. I'm looking to automate rule addition on them, but logging into Panorama and fetching all of them is draining Panorama resources. It would be great if we could fetch all rules from PAN-OS on each Palo Alto firewall itself, similar to the output we get when executing the rule-base command.

Describe the solution you'd like

Describe alternatives you've considered

Additional context

Gopiprashanthraju avatar Feb 20 '25 12:02 Gopiprashanthraju

I am curious what prevents you from fetching all rules via Panorama? (I suppose you manage all your firewalls via Panorama)

All you need to do is instantiate a Panorama() instance, then instantiate the target DeviceGroup() (that contains the firewalls of interest), then associate it with the Panorama instance, then create PreRulebase() and PostRulebase() and associate them to the device group. After that you can pull any rules you want (for example, current_security_rules_pre = SecurityRule.refreshall(rulebase_pre))

nikolay-matveev-kkr avatar Apr 17 '25 11:04 nikolay-matveev-kkr

Is the issue that you are pulling policies from local firewalls as well as Panorama? If all policies are in Panorama, then:

```python
from panos.panorama import *
from panos.policies import *

# Positional arguments are (hostname, api_username, api_password)
pano = Panorama(hn, un, ip)
# Retrieve Shared policies
PreRulebase.refreshall(pano)
PostRulebase.refreshall(pano)
# Retrieve DeviceGroups, which includes their Pre/PostRulebases as children
DeviceGroup.refreshall(pano)
```

The trick is in finding the inherited policies. My current method is somewhat specific to my policy, but I have been working on a way to use dg_hierarchy to automate it.

You could build on this by pulling the firewall policies and appending them to dg_hierarchy to see a complete list of rules that apply to the firewall.

Otherwise, you could retrieve the XML for the 'show config merged' operational command. You could pull a list of firewalls and send the request to each firewall rather than Panorama.

```python
# Returns the merged (Panorama-pushed + local) configuration as an XML string
merged_config = fw.op("show config merged", xml=True)
```

rebelfish avatar Aug 06 '25 18:08 rebelfish
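The inheritance problem discussed in this thread, as an added example that is not part of the issue or of pan-os-python: it computes the order in which PAN-OS evaluates rules for a firewall in a given device group (shared pre-rules down to the device group's pre-rules, the firewall's local rules, then post-rules from the device group back up to shared). The parent map and rule lists are constructed sample data standing in for what one would assemble from Panorama's `show dg-hierarchy` output and `SecurityRule.refreshall()` on each rulebase.

```python
from typing import Dict, List, Optional


def dg_chain(dg: str, parents: Dict[str, Optional[str]]) -> List[str]:
    """Return the device-group ancestry from the root ('shared') down to `dg`."""
    chain: List[str] = []
    seen = set()
    node: Optional[str] = dg
    while node is not None:
        if node in seen:
            raise ValueError(f"cycle in device-group hierarchy at {node!r}")
        seen.add(node)
        chain.append(node)
        node = parents[node]  # KeyError if the device group is unknown
    return list(reversed(chain))


def effective_rulebase(dg: str,
                       parents: Dict[str, Optional[str]],
                       pre_rules: Dict[str, List[str]],
                       post_rules: Dict[str, List[str]],
                       local_rules: List[str]) -> List[str]:
    """PAN-OS evaluation order for a firewall in device group `dg`:
    pre-rules shared -> ... -> dg, then local rules, then post-rules dg -> ... -> shared."""
    chain = dg_chain(dg, parents)
    ordered: List[str] = []
    for name in chain:                 # shared first, most specific DG last
        ordered.extend(pre_rules.get(name, []))
    ordered.extend(local_rules)        # the firewall's own Rulebase
    for name in reversed(chain):       # most specific DG first, shared last
        ordered.extend(post_rules.get(name, []))
    return ordered


# Constructed sample hierarchy: shared -> corp -> branch (not real Panorama data)
PARENTS = {"shared": None, "corp": "shared", "branch": "corp"}
PRE = {"shared": ["block-known-bad"], "corp": ["allow-dns"], "branch": ["allow-web"]}
POST = {"shared": ["deny-all-log"], "corp": ["deny-corp-cleanup"]}
LOCAL = ["fw-local-mgmt"]

if __name__ == "__main__":
    for pos, rule in enumerate(effective_rulebase("branch", PARENTS, PRE, POST, LOCAL), 1):
        print(pos, rule)
```

A rule with no match anywhere in this list falls through to the firewall's default intrazone/interzone rules, which are not modelled here.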