Wednesday, November 18, 2015

PHP configuration for use with Palo Alto Networks Configurator

Palo Alto Networks has a tool that allows you to gather configuration information from firewalls and Panorama systems.
The PHP scripts can be found here:
https://github.com/PaloAltoNetworks-BD/pan-configurator/

Download and extract the files to your system. I chose to extract them to c:\pan-configurator-master

Example scripts showing how to use the tool can be found at the links below (they do require a Palo Alto Networks customer account):
https://live.paloaltonetworks.com/t5/SDK-API-Articles/rules-edit-php-to-manage-edit-export-rules-from-CLI/ta-p/53321
https://live.paloaltonetworks.com/t5/SDK-API-Articles/Simple-export-of-rules-as-Excel-or-HTML/ta-p/65082
https://live.paloaltonetworks.com/t5/SDK-API-Articles/PAN-Configurator-scripting-library-and-utilities/ta-p/52163

If you don't have PHP already installed on your Windows system, here is how I configured my system.
Download and install PHP to your machine from http://www.php.net. I used version 5.5.3.0 and installed to c:\php
Once PHP has been installed, copy php.ini-production to php.ini, and edit the following lines by removing the semicolons:
include_path = ".;c:\php\includes"
; On windows:
extension_dir = "ext"
;  Enable cURL extension in PHP
extension=php_curl.dll


Copy the following DLLs to the c:\windows\system32 directory:
ssleay32.dll
libeay32.dll
libssh2.dll
php_curl.dll

If you want to be able to run the scripts from directories other than c:\php, update your path at the command line with the following command: set path=%path%;"c:\php"

When you connect to a device for the first time, it will ask for either a username and password or an API key.
You can generate an API key via your browser - https://<firewall>/api/?type=keygen&user=<username>&password=<password>
Replace the data in between < > with the appropriate data for your system.
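
The same keygen call can be made from PHP with the cURL extension enabled above. This is an added example, not code from the original post or from pan-configurator: it sends the credentials in a POST body so they stay out of browser history and URL logs, and it verifies the firewall's certificate. It assumes the device accepts the keygen parameters by POST and answers with the usual response/result/key XML; the PAN_* environment variable names and both function names are hypothetical.

```php
<?php
// Added example, not part of pan-configurator. Assumed names: the PAN_HOST,
// PAN_USER, PAN_PASS and PAN_CA environment variables and both functions.

// Parse a keygen reply; return the key or throw with the device's message.
function parse_keygen_response($xml)
{
    $doc = simplexml_load_string($xml);
    if ($doc === false) {
        throw new RuntimeException('reply is not well-formed XML');
    }
    if ((string) $doc['status'] !== 'success' || !isset($doc->result->key)) {
        $msg = isset($doc->result->msg) ? (string) $doc->result->msg : 'no key in reply';
        throw new RuntimeException('keygen failed: ' . $msg);
    }
    return (string) $doc->result->key;
}

// POST the credentials (never placed in the URL) and verify the certificate.
function request_api_key($host, $user, $pass, $caFile)
{
    $ch = curl_init('https://' . $host . '/api/?type=keygen');
    curl_setopt_array($ch, array(
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query(
            array('user' => $user, 'password' => $pass), '', '&'),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_CAINFO         => $caFile, // PEM file: CA or exported device cert
        CURLOPT_TIMEOUT        => 15,
    ));
    $body = curl_exec($ch);
    $err  = curl_error($ch);
    curl_close($ch);
    if ($body === false) {
        throw new RuntimeException('request failed: ' . $err);
    }
    return parse_keygen_response($body);
}

// Constructed sample reply (not a real key) so the parser can be tried offline.
$sample = "<response status='success'><result><key>EXAMPLEKEY000</key></result></response>";
echo 'parsed sample key: ', parse_keygen_response($sample), PHP_EOL;

// Only contact a device when PAN_HOST is set; print the key length, not the key.
if (getenv('PAN_HOST') !== false) {
    $key = request_api_key(getenv('PAN_HOST'), getenv('PAN_USER'), getenv('PAN_PASS'), getenv('PAN_CA'));
    echo 'API key length: ', strlen($key), PHP_EOL;
}
```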

I used php C:\pan-configurator-master\utils\rules-edit.php in=api://10.200.132.43 actions=exportToExcel:my-home-rules.xls location=vsys1 ruletype=all to pull the security, decryption and NAT policies from my home firewalls.
Take your time with this tool and test all of your commands in a lab before using them in production.