Thursday, August 25, 2011

Creating Palo Alto Reports at the Command Line

I have been working on creating custom reports on Palo Alto firewalls from the command line rather than the web UI.
For this scenario I have two security policy rules, inbound_allow and outbound_allow, and I want a weekly emailed report showing the top 50 applications (by bytes) that are flowing in each direction.

Connect to the firewall either via the console port or over ssh, then change to configuration mode:
configure

To define a custom report, use the following syntax. The rule name is the only quoted value: it goes in single quotes inside the double-quoted query string.
set shared reports {name_of_report} period last-7-calendar-days topn 50 topm 10 query "rule eq '{rule_name}'" type traffic aggregate-by [ app from to ] values bytes sortby bytes

The text for the two custom reports would be:
set shared reports Inbound period last-7-calendar-days topn 50 topm 10 query "rule eq 'inbound_allow'" type traffic aggregate-by [ app from to ] values bytes sortby bytes
set shared reports Outbound period last-7-calendar-days topn 50 topm 10 query "rule eq 'outbound_allow'" type traffic aggregate-by [ app from to ] values bytes sortby bytes

Next create the report group that bundles the custom reports so they can be assigned to a schedule:
set shared report-group {report_name} title-page no

The text for the custom report group:
set shared report-group Weekly title-page no

Next add the custom reports to the report group, one numbered widget slot per report:
set shared report-group {report_name} custom-widget 1 custom-report {name_of_report}

The text for assigning the two custom reports to the report group:
set shared report-group Weekly custom-widget 1 custom-report Inbound
set shared report-group Weekly custom-widget 2 custom-report Outbound

Next create the email scheduler for the report group. The email profile it references must already exist on the firewall; the scheduler only names it.
set shared email-scheduler {schedule_name} email-profile {email_profile} report-group {report_name} recurring weekly {day_of_week}

The text for creating the custom schedule:
set shared email-scheduler Weekly email-profile mail.example.com report-group Weekly recurring weekly monday

Don't forget to commit the configuration; none of the above takes effect until you do:
commit
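The four steps above (reports, report group, widget assignments, scheduler) have to be emitted in that order and the only quoting pitfall is the query string. As an added example, not code from the original post, here is a small Python generator that produces the same command set for any list of report/rule pairs, numbers the widget slots, and refuses object names that would break an unquoted CLI argument. The name rule it enforces is a conservative assumption of mine (letters, digits, dot, underscore, hyphen), not a documented PAN-OS limit.

```python
"""Generate PAN-OS CLI 'set shared ...' lines for weekly top-application reports.

Added example (not from the original post). Builds the report, report-group,
widget and email-scheduler commands for any list of (report_name, rule_name)
pairs, in dependency order. Object names are assumed to be plain tokens
because they appear unquoted on the CLI; only the query string is quoted,
with the rule name in single quotes inside it.
"""
import re

# Conservative assumption, not a documented PAN-OS rule: names that are safe
# to place unquoted on the command line.
_NAME_RE = re.compile(r"^[A-Za-z0-9._-]+$")


def _check_name(name):
    """Reject names containing spaces or quotes, which would be mis-parsed unquoted."""
    if not _NAME_RE.match(name):
        raise ValueError("unsafe object name for unquoted CLI use: %r" % name)
    return name


def report_line(report, rule, topn=50, topm=10, period="last-7-calendar-days"):
    """One 'set shared reports' command: top applications by bytes for a single rule."""
    _check_name(report)
    if "'" in rule or '"' in rule:
        raise ValueError("rule name cannot contain quotes: %r" % rule)
    return ('set shared reports %s period %s topn %d topm %d '
            'query "rule eq \'%s\'" type traffic aggregate-by [ app from to ] '
            'values bytes sortby bytes' % (report, period, topn, topm, rule))


def build_config(group, scheduler, email_profile, reports, day="monday"):
    """Return the complete ordered command list.

    `reports` is a list of (report_name, rule_name) pairs; each report gets the
    next custom-widget slot in the group, starting at 1.
    """
    for n in (group, scheduler, email_profile):
        _check_name(n)
    lines = [report_line(r, rule) for r, rule in reports]
    lines.append("set shared report-group %s title-page no" % group)
    for slot, (r, _rule) in enumerate(reports, start=1):
        lines.append("set shared report-group %s custom-widget %d custom-report %s"
                     % (group, slot, r))
    lines.append("set shared email-scheduler %s email-profile %s report-group %s "
                 "recurring weekly %s" % (scheduler, email_profile, group, day))
    return lines


if __name__ == "__main__":
    # Reproduces the two-rule scenario from the post; email profile name is the
    # one used in the post and must already exist on the firewall.
    for line in build_config("Weekly", "Weekly", "mail.example.com",
                             [("Inbound", "inbound_allow"),
                              ("Outbound", "outbound_allow")]):
        print(line)
```

Paste the output into configuration mode, review it with the usual configure-mode `show` on the shared reports path if you want to double-check the candidate config, then `commit`. Adding a third direction or rule is a matter of appending another pair; the widget numbering and ordering take care of themselves.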

This process generates a report that is delivered on Monday mornings to the recipients configured in the mail.example.com email profile, showing the top 50 inbound and top 50 outbound applications by bytes. The report can then be used to narrow down which applications should actually be allowed inbound and outbound. The same reporting features can be used to see which applications are being carried over a particular service port, so that a security rule can be tightened from "any" application to the specific applications observed.

Be safe out there.
James