
Auto provisioning PAN-OS

Tech Note
PAN-OS 4.1

Revision A
2011, Palo Alto Networks, Inc.

Contents
- Overview (page 3)
- Why Auto Provisioning (page 3)
- Terms and Concepts (page 3)
  - XML (page 3)
  - XPATH (page 4)
- Platforms and Software Versions (page 4)
- PAN-Perl Package (page 4)
  - Installation (page 4)
  - Modules (page 4)
    - pancli (page 5)
    - Panxapi (page 5)
    - Panamount (page 6)
  - Configure a Customer Firewall Tenant using panamount (page 6)
  - Template Customizations (page 9)


Overview
The intent of this tech note is to showcase how PAN-OS can be auto provisioned using the PAN-Perl package. The PAN-Perl package includes Perl convenience libraries and functions which interact with the XML API running on PAN-OS to provision the firewall automatically.

Why Auto Provisioning


Through auto provisioning, PAN-OS empowers network security administrators to scale by wrapping complex configurations into a simple boilerplate template, which can be used repeatedly to develop large-scale security configurations and multiple firewall tenants within the PAN-OS security gateway. Auto provisioning helps minimize operator errors while maximizing operational efficiency.

Terms and Concepts


- XML
- XPATH

XML
Extensible Markup Language (XML) is a standard for representing structured information. It is a meta-language for defining customized tags that are applied to a data set. In the context of PAN-OS the data set is the configuration, and the customized tags are the individual elements within the configuration, for example security zones, policies and interfaces. PAN-OS natively supports XML for the operation and configuration of Palo Alto Networks firewalls.
Here is a simple example of security policy configuration in XML format.

The XML API provides an XML representation of PAN-OS configuration statements and operational mode commands. Both the PAN-OS command-line interface (CLI) and the Web-UI communicate with the PAN-OS infrastructure using XML. The commands that the PAN-OS user issues via the CLI or Web-UI are converted into XML format for processing. After processing, PAN-OS returns the output in the form of an XML document, which is converted back into readable format by both the CLI and the Web-UI.


XPATH
XPATH is a language for addressing parts of XML document. In the context of PAN-OS, xpath supplies the
position/location where a particular configuration needs to be added, deleted or retrieved. Essentially xpath supplies
the context for the XML operation.
The xpath to retrieve the security polices in vsys1 would be as follows-
xpath=/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/rulebase/security

Platforms and Software Versions


This document is applicable to all Palo Alto Networks firewalls running PAN-OS 4.1. However, the configuration shown in this document was tested using the following platform and software version.
- PA-5060 device running PAN-OS 4.1
- PAN-Perl package at https://live.paloaltonetworks.com/docs/DOC-2485

PAN-Perl Package
Installation
This document assumes that you have a working PAN-Perl environment. Please refer to the following document if you need help with installation and the prerequisite modules for the package to work.
https://live.paloaltonetworks.com/docs/DOC-1910
Once you have a working PAN-Perl package installed, you must create a .panrc file under the bin directory of the PAN-Perl home directory. In the examples listed below the home directory is PAN-perl-20111226 and we have created .panrc in PAN-perl-20111226/bin.
The following is an example of a .panrc file for accessing a PAN-OS firewall with management IP 10.2.133.5, username admin and password admin. The API requests to the firewall can be made using api_key instead of username/password. We describe the key generation process in the panxapi section.
username=admin
password=admin
hostname=10.2.133.15
export TEMPLATE_HOME=/home/ksomu/pan/PAN-perl-20111226/templates/
api_key=mFKUs6WY6oYwxKbJUmiXciJ7I3qfiyKcl888I/XOlhA=
Once the file is created you have to source it (as shown below) so that the Perl commands will start using the environment variables listed in .panrc.
ksomu@ksomu-VirtualBox:~/pan/PAN-perl-20111226/bin$ source .panrc

Modules
The package comes with the following Perl modules.
- pancli
- panxapi
- panamount
- expthreat


pancli
pancli executes operational mode commands. It is used to remotely execute a command on a PAN-OS device and display the command output.
Show system information:
ksomu@ksomu-VirtualBox:~/pan/PAN-perl-20111226/bin$ pancli 'show system info'
hostname: PA-5060-1
ip-address: 10.2.133.15
netmask: 255.255.0.0
default-gateway: 10.2.0.1
mac-address: 00:90:0b:17:f6:32
time: Mon Jan 23 15:35:19 2012
uptime: 39 days, 0:19:46
family: 5000
model: PA-5060
serial: 0008C100105
sw-version: 4.1.1
multi-vsys: on
Show the system multi-vsys flag:
ksomu@ksomu-VirtualBox:~/pan/PAN-perl-20111226/bin$ pancli 'show system info | match vsys'
multi-vsys: on

Panxapi
Panxapi is a command line program for accessing the PAN-OS XML API. It is used to perform the following requests:
1) edit/set/delete/retrieve the configuration of the device
2) edit/set/delete/retrieve the device configuration at a given xpath
3) commit the configuration
4) generate an API key
The following is an example of configuring security policies on a multi-vsys device. In this example we configure a security policy in vsys4 using panxapi. You first have to create a file that contains the security policy configuration in XML format. In this example we created a file called output-rule under the PAN-perl-20111226 (home) directory. Once this file is created, you can use the panxapi command to create the security policy at the given xpath as shown below.
panxapi -l admin:admin -S output-rule "/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys4']/rulebase/security/rules"
The XML content of the file output-rule is shown below.
<entry name="default">
  <from><member>trust</member></from>
  <to><member>untrust</member></to>
  <source><member>4.1.1.0/24</member></source>
  <destination><member>any</member></destination>
  <service><member>any</member></service>
  <application><member>dns</member><member>web-browsing</member></application>
  <action>allow</action>
  <log-end>yes</log-end>
</entry>
The following is an example of deleting the security policies in vsys4 using panxapi.



panxapi -d "/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys4']/rulebase/security/rules"
If you do not intend to use a username and password to connect to the device, you have the option to use an API key. List the API key in the .panrc file. The following is an example of creating an API key.
ksomu@ksomu-VirtualBox:~/pan/PAN-perl-20111226/$ panxapi -l admin:admin -h 10.2.133.15 -k

keygen: success
API key: "0RgWc42Oi0vDx2WRUIUM6A=="
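As an added example (not part of the tech note or the PAN-Perl package), the following Python builds the same kind of requests that panxapi sends to the XML API (type=config with a set, edit or delete action at an xpath), generates the output-rule entry shown above, and parses the API's XML reply, including the keygen response. The function names are my own and everything runs offline; the response strings in the comments are constructed to match the documented response format.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

DEVICE_XPATH = "/config/devices/entry[@name='localhost.localdomain']"

def vsys_xpath(vsys, suffix=""):
    """Xpath of a vsys node, e.g. the security rulebase of vsys4."""
    base = f"{DEVICE_XPATH}/vsys/entry[@name='{vsys}']"
    return f"{base}/{suffix}" if suffix else base

def rule_element(name, src_zone, dst_zone, source, apps, action="allow"):
    """Build a security rule <entry> like the output-rule file in the note."""
    entry = ET.Element("entry", name=name)
    for tag, members in (("from", [src_zone]), ("to", [dst_zone]),
                         ("source", [source]), ("destination", ["any"]),
                         ("service", ["any"]), ("application", apps)):
        node = ET.SubElement(entry, tag)
        for m in members:
            ET.SubElement(node, "member").text = m
    ET.SubElement(entry, "action").text = action
    ET.SubElement(entry, "log-end").text = "yes"
    return ET.tostring(entry, encoding="unicode")

def config_request(action, xpath, element=None, key=None):
    """Query string for /api/?type=config (hypothetical helper).
    set and edit carry the XML in 'element'; delete/get/show do not."""
    if action not in ("set", "edit", "delete", "get", "show"):
        raise ValueError(f"unsupported action {action!r}")
    params = {"type": "config", "action": action, "xpath": xpath}
    if action in ("set", "edit"):
        if element is None:
            raise ValueError(f"{action} requires an element")
        params["element"] = element
    if key:                      # api_key from .panrc instead of user/password
        params["key"] = key
    return urlencode(params)

def parse_response(text):
    """Return the <result> element, or raise if status is not success.
    Constructed error shape: <response status="error"><result><msg>..."""
    root = ET.fromstring(text)
    if root.get("status") != "success":
        msg = root.findtext(".//msg") or text
        raise RuntimeError(f"XML API error: {msg.strip()}")
    return root.find("result")

def api_key_from_keygen(text):
    """Extract <key> from a type=keygen reply, as shown by 'panxapi -k'."""
    return parse_response(text).findtext("key")
```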

Panamount
Panamount is used to add, delete and show template-defined configurations on a PAN-OS device. It uses the PAN-OS XML API to perform the configuration operations.
Templates are available in the templates directory of the package. As you see below, there are two predefined templates.
ksomu@ksomu-VirtualBox:~/pan/PAN-perl-20111226/templates$ ls
l3tag1 l3vsystag1
The template l3tag1 implements a trust and untrust zone VLAN-tagged interface configuration within the default virtual system (vsys1). However, if you plan to create multiple customer tenants within your environment you need to use l3vsystag1. The following example describes how to use the l3vsystag1 template.
The l3vsystag1 template implements a trust and untrust zone with a VLAN-tagged interface configuration within a private virtual system. The template creates the following configuration:
- A Virtual System (Vsys) is created
- A Virtual Router (VR) is configured
- The following security zones are created, and each security zone is configured with an interface:
  - trust
  - untrust
- The interfaces in the security zones are configured under the VR
- The VR and interfaces are imported into the Vsys. The security zones are assigned to the Vsys as well
- A management profile is created and applied on the interface in the trust zone
- A Security and a NAT policy are created
- A Vsys admin user is created for managing the Vsys

Configure a Customer Firewall Tenant using panamount


The following topology is used to configure and test a firewall tenant provisioned using panamount.


Provide the necessary parameters to panamount. Specify the name of the template you would like to use and its location; in the .panrc file we have set the path in TEMPLATE_HOME. The intent of the pan-id is to provide a pre-defined identifier for the template instance. The best practice is to provide a unique pan-id for each customer Vsys.
ksomu@ksomu-VirtualBox:~/pan/PAN-perl-20111226/bin$ panamount --debug --set --template-dir $TEMPLATE_HOME --template l3vsystag1 --pan-id custA_1234 --trust-int ethernet1/14.30 --trust-ip 4.1.1.10/24 --untrust-int ethernet1/14.10 --untrust-ip 192.168.2.10/24 --route 0.0.0.0/0 192.168.2.20 --route 5.1.1.0/24 4.1.1.1 commit

commit: Commit job enqueued with jobid 10
As you notice from the above example, we have specified the default route and also a route to reach the 5.1.1.0/24 network. The debug flag is optional; it is used to display the debug output as the firewall is configured. The pan-id, which is the customer name, and the template name, which is l3vsystag1, are combined to form the name of the Vsys.
Confirmation of the configuration deployment
When the above command is issued, the following configuration is committed on the device.
- A Virtual System is created.
[Figure: VR Configuration (Device > Virtual Systems)]


- A Virtual Router is created. The pan-id is used to name the Virtual Router.
[Figure: Virtual Systems Configuration (Network > Virtual Routers)]
- Security zones are created within the Vsys. Interfaces are assigned addresses and are placed within the Virtual Router. A management profile is assigned to the trust interface.
[Figure: Security Zone Configuration (Network > Interfaces)]
- A Security policy and a NAT policy are created by default by the template.
[Figure: Security policy Configuration (Policies > Security)]
[Figure: NAT policy Configuration (Policies > NAT)]

The following command is used to check the active template instances running on your device.
ksomu@ksomu-VirtualBox:~/pan/PAN-perl-20111226/bin$ panamount --show --template-dir $TEMPLATE_HOME --template l3vsystag1

template      pan-id       vsys
----------------------------------------------------------
l3vsystag1    custA_1234   vsys4
l3vsystag1    custB_5678   vsys5
When this template is deployed for multiple customers, multiple instances of this template could be running on your
PAN-OS device. It is important to assign a unique Pan-id for every customer.
The following command is used to delete an active template instance running on your device.
ksomu@ksomu-VirtualBox:~/pan/PAN-perl-20111226/bin$ panamount --debug --delete --template-dir $TEMPLATE_HOME --template l3vsystag1 --pan-id custA_1234 --trust-int ethernet1/14.30 --trust-ip 4.1.1.10/24 --untrust-int ethernet1/14.10 --untrust-ip 192.168.2.10/24 --route 0.0.0.0/0 192.168.2.20 --route 4.1.1.0/24 4.1.1.1 commit

commit: Commit job enqueued with jobid 12
The active template instances after deleting custA_1234 are as follows:




ksomu@ksomu-VirtualBox:~/pan/PAN-perl-20111226/bin$ panamount --show --template-dir $TEMPLATE_HOME --template l3vsystag1

template      pan-id       vsys
----------------------------------------------------------
l3vsystag1    custB_5678   vsys5

Template Customizations
The security policy installed by the template has just web-browsing as the allowed application. However, with just web-browsing, DNS traffic will be dropped. We can use the panxapi module to apply XML configuration with additional members in the allowed applications of the security policy; in this case the additional application member is dns. We then apply the configuration at the appropriate xpath (the application node of rule1, shown below) and finally commit the configuration.
The following commands are used to modify the existing security policy.
ksomu@ksomu-VirtualBox:~/pan/PAN-perl-20111226/bin$ echo '<application><member>dns</member><member>web-browsing</member></application>' > dns.xml

ksomu@ksomu-VirtualBox:~/pan/PAN-perl-20111226/bin$ panxapi -e ./dns.xml "/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys4']/rulebase/security/rules/entry[@name='rule1']/application"

edit: success: command succeeded

ksomu@ksomu-VirtualBox:~/pan/PAN-perl-20111226/bin$ panxapi -C

commit: success: Commit job enqueued with jobid 17
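The edit above replaces the entire application node at the xpath, which is why dns.xml lists web-browsing as well as dns: an edit containing only dns would silently remove web-browsing from the rule. As an added example (not from the tech note), this Python builds the replacement node from the rule's current application node plus the new members, so nothing already allowed is dropped and repeated runs do not duplicate members. The input node is constructed and the function names are mine.

```python
import xml.etree.ElementTree as ET

# Constructed: the application node the l3vsystag1 template leaves on rule1.
CURRENT_APPLICATION = "<application><member>web-browsing</member></application>"

def members_of(node_xml):
    """List the <member> values of an application (or similar) node."""
    return [m.text for m in ET.fromstring(node_xml).findall("member")]

def merge_members(node_xml, new_members):
    """Return node XML suitable for 'panxapi -e': existing members are kept,
    new ones appended once, so an edit never narrows what is already allowed."""
    node = ET.fromstring(node_xml)
    present = members_of(node_xml)
    for m in new_members:
        if m not in present:
            ET.SubElement(node, "member").text = m
            present.append(m)
    return ET.tostring(node, encoding="unicode")

def write_edit_file(path, node_xml, new_members):
    """Write the merged node to a file (like dns.xml) and return its members."""
    merged = merge_members(node_xml, new_members)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(merged)
    return members_of(merged)
```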
