Metadata-Version: 2.1
Name: pan-analyzer
Version: 0.0.3.2
Summary: Detect and remediate configuration issues in Palo Alto Networks firewalls
Author-email: Moshe Kaplan <me@moshekaplan.com>
License: CC0 1.0 Universal
        
        Statement of Purpose
        
        The laws of most jurisdictions throughout the world automatically confer
        exclusive Copyright and Related Rights (defined below) upon the creator and
        subsequent owner(s) (each and all, an "owner") of an original work of
        authorship and/or a database (each, a "Work").
        
        Certain owners wish to permanently relinquish those rights to a Work for the
        purpose of contributing to a commons of creative, cultural and scientific
        works ("Commons") that the public can reliably and without fear of later
        claims of infringement build upon, modify, incorporate in other works, reuse
        and redistribute as freely as possible in any form whatsoever and for any
        purposes, including without limitation commercial purposes. These owners may
        contribute to the Commons to promote the ideal of a free culture and the
        further production of creative, cultural and scientific works, or to gain
        reputation or greater distribution for their Work in part through the use and
        efforts of others.
        
        For these and/or other purposes and motivations, and without any expectation
        of additional consideration or compensation, the person associating CC0 with a
        Work (the "Affirmer"), to the extent that he or she is an owner of Copyright
        and Related Rights in the Work, voluntarily elects to apply CC0 to the Work
        and publicly distribute the Work under its terms, with knowledge of his or her
        Copyright and Related Rights in the Work and the meaning and intended legal
        effect of CC0 on those rights.
        
        1. Copyright and Related Rights. A Work made available under CC0 may be
        protected by copyright and related or neighboring rights ("Copyright and
        Related Rights"). Copyright and Related Rights include, but are not limited
        to, the following:
        
          i. the right to reproduce, adapt, distribute, perform, display, communicate,
          and translate a Work;
        
          ii. moral rights retained by the original author(s) and/or performer(s);
        
          iii. publicity and privacy rights pertaining to a person's image or likeness
          depicted in a Work;
        
          iv. rights protecting against unfair competition in regards to a Work,
          subject to the limitations in paragraph 4(a), below;
        
          v. rights protecting the extraction, dissemination, use and reuse of data in
          a Work;
        
          vi. database rights (such as those arising under Directive 96/9/EC of the
          European Parliament and of the Council of 11 March 1996 on the legal
          protection of databases, and under any national implementation thereof,
          including any amended or successor version of such directive); and
        
          vii. other similar, equivalent or corresponding rights throughout the world
          based on applicable law or treaty, and any national implementations thereof.
        
        2. Waiver. To the greatest extent permitted by, but not in contravention of,
        applicable law, Affirmer hereby overtly, fully, permanently, irrevocably and
        unconditionally waives, abandons, and surrenders all of Affirmer's Copyright
        and Related Rights and associated claims and causes of action, whether now
        known or unknown (including existing as well as future claims and causes of
        action), in the Work (i) in all territories worldwide, (ii) for the maximum
        duration provided by applicable law or treaty (including future time
        extensions), (iii) in any current or future medium and for any number of
        copies, and (iv) for any purpose whatsoever, including without limitation
        commercial, advertising or promotional purposes (the "Waiver"). Affirmer makes
        the Waiver for the benefit of each member of the public at large and to the
        detriment of Affirmer's heirs and successors, fully intending that such Waiver
        shall not be subject to revocation, rescission, cancellation, termination, or
        any other legal or equitable action to disrupt the quiet enjoyment of the Work
        by the public as contemplated by Affirmer's express Statement of Purpose.
        
        3. Public License Fallback. Should any part of the Waiver for any reason be
        judged legally invalid or ineffective under applicable law, then the Waiver
        shall be preserved to the maximum extent permitted taking into account
        Affirmer's express Statement of Purpose. In addition, to the extent the Waiver
        is so judged Affirmer hereby grants to each affected person a royalty-free,
        non transferable, non sublicensable, non exclusive, irrevocable and
        unconditional license to exercise Affirmer's Copyright and Related Rights in
        the Work (i) in all territories worldwide, (ii) for the maximum duration
        provided by applicable law or treaty (including future time extensions), (iii)
        in any current or future medium and for any number of copies, and (iv) for any
        purpose whatsoever, including without limitation commercial, advertising or
        promotional purposes (the "License"). The License shall be deemed effective as
        of the date CC0 was applied by Affirmer to the Work. Should any part of the
        License for any reason be judged legally invalid or ineffective under
        applicable law, such partial invalidity or ineffectiveness shall not
        invalidate the remainder of the License, and in such case Affirmer hereby
        affirms that he or she will not (i) exercise any of his or her remaining
        Copyright and Related Rights in the Work or (ii) assert any associated claims
        and causes of action with respect to the Work, in either case contrary to
        Affirmer's express Statement of Purpose.
        
        4. Limitations and Disclaimers.
        
          a. No trademark or patent rights held by Affirmer are waived, abandoned,
          surrendered, licensed or otherwise affected by this document.
        
          b. Affirmer offers the Work as-is and makes no representations or warranties
          of any kind concerning the Work, express, implied, statutory or otherwise,
          including without limitation warranties of title, merchantability, fitness
          for a particular purpose, non infringement, or the absence of latent or
          other defects, accuracy, or the present or absence of errors, whether or not
          discoverable, all to the greatest extent permissible under applicable law.
        
          c. Affirmer disclaims responsibility for clearing rights of other persons
          that may apply to the Work or any use thereof, including without limitation
          any person's Copyright and Related Rights in the Work. Further, Affirmer
          disclaims responsibility for obtaining any necessary consents, permissions
          or other rights required for any use of the Work.
        
          d. Affirmer understands and acknowledges that Creative Commons is not a
          party to this document and has no duty or obligation with respect to this
          CC0 or use of the Work.
        
        For more information, please see
        <http://creativecommons.org/publicdomain/zero/1.0/>
        
Project-URL: Homepage, https://github.com/moshekaplan/palo_alto_firewall_analyzer
Project-URL: Bug Tracker, https://github.com/moshekaplan/palo_alto_firewall_analyzer/issues
Classifier: Programming Language :: Python :: 3
Classifier: License :: CC0 1.0 Universal (CC0 1.0) Public Domain Dedication
Classifier: Operating System :: OS Independent
Classifier: Development Status :: 3 - Alpha
Classifier: Topic :: System :: Networking :: Firewalls
Requires-Python: >=3.7
Description-Content-Type: text/markdown
Provides-Extra: test
License-File: LICENSE

# Palo Alto Firewall Analyzer

![Build](https://github.com/moshekaplan/palo_alto_firewall_analyzer/actions/workflows/test.yml/badge.svg)

Python3 scripts for reviewing and fixing Palo Alto Firewall configurations

This repository contains the script `pan_analyzer`, which can detect and fix Palo Alto Networks firewall configuration issues, as well as several other helper scripts.

The validators are designed to have as few false positives as possible. If there is a false positive, please [report an issue](https://github.com/moshekaplan/palo_alto_firewall_analyzer/issues/new)!

## pan_analyzer Quickstart

1. Install the package with `pip install pan_analyzer`
2. Run all validators on an XML configuration file downloaded with Panorama -> Setup -> Operations -> "Export Panorama configuration version":
`pan_analyzer --xml 12345.xml`

## Using pan_analyzer

The first time you launch pan_analyzer, it will create a `PAN_CONFIG.cfg` file
in `~\.pan_policy_analyzer\` and instruct you to edit it.
The second time you launch the analyzer, it will detect that `API_KEY.txt` is not present,
prompt you for credentials, and save the retrieved API key to `API_KEY.txt`.

* Run all validators on all device groups:
`pan_analyzer`

* Run a single validator on all device groups:
`pan_analyzer --validator UnusedServices`

* Run a single validator on a single device group:
`pan_analyzer --device-group my_device_group --validator UnusedServices`

* Run all validators on an XML configuration file downloaded with "Export Panorama configuration version":
`pan_analyzer --xml 12345.xml`


If you're not sure where to start, I recommend downloading an XML file from:
`Panorama -> Setup -> Operations -> Export Panorama configuration version` and running: `pan_analyzer.py --xml 12345.xml`

## Common Workflows
There are a few common workflows to clean the firewall configuration:

### Consolidate Service Objects
Consolidate Service objects so there is only one object for each Service:
* Delete unused Service objects: `python pan_analyzer --fixer DeleteUnusedServices`
* Check if any Service objects have misleading names: `python pan_analyzer --validator MisleadingServices`
* Consolidate service objects in use: `python pan_analyzer --fixer ConsolidateServices`
* Delete the now-unused Service objects: `python pan_analyzer --fixer DeleteUnusedServices`
* Define a convention in the config file, then rename to fit the naming convention: `python pan_analyzer --fixer RenameUnconventionallyNamedServices`

### Consolidate Address Objects
Consolidate Address objects so there is only one object for each target:
* Delete unused Address objects: `python pan_analyzer --fixer DeleteUnusedAddresses`
* Delete Address objects with FQDNs that don't resolve: `python pan_analyzer --validator BadHostname`
* Check if any Address objects have IPs in FQDNs: `python pan_analyzer --validator FQDNContainsIP`
* Check if any Address objects have misleading names: `python pan_analyzer --validator MisleadingAddresses`
* Replace Address objects using IPs with FQDNs: `python pan_analyzer --fixer FixIPWithResolvingFQDN`
* Consolidate Address objects in use: `python pan_analyzer --fixer ConsolidateAddresses`
* Delete the now-unused Address objects: `python pan_analyzer --fixer DeleteUnusedAddresses`
* Make all FQDN objects use FQDNs: `python pan_analyzer --fixer FixUnqualifiedFQDN`
* Define a convention in the config file, then rename objects to fit a naming convention: `python pan_analyzer --fixer RenameUnconventionallyNamedAddresses`
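To show the kind of check the Service and Address workflows above rely on, here is an added, stand-alone example (not the project's own code) that parses a constructed, simplified Panorama-style XML export and reports unused Service objects and FQDN-type Address objects whose value is really an IP, roughly what the `UnusedServices` and `FQDNContainsIP` validators look for. The element layout of the sample export and the device-group name are assumptions; it does not handle service groups, shared objects or the post-rulebase.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed, simplified Panorama-style export (an assumption modeled on
# the device-group layout of a real export, not an actual export file):
# one unused Service object and one "FQDN" Address object that is really an IP.
SAMPLE_CONFIG = """<config><devices><entry name="localhost.localdomain"><device-group>
<entry name="my_device_group">
  <address>
    <entry name="web-server"><fqdn>web.example.com</fqdn></entry>
    <entry name="db-server"><fqdn>10.1.2.3</fqdn></entry>
  </address>
  <service>
    <entry name="tcp-443"><protocol><tcp><port>443</port></tcp></protocol></entry>
    <entry name="tcp-8443"><protocol><tcp><port>8443</port></tcp></protocol></entry>
  </service>
  <pre-rulebase><security><rules>
    <entry name="allow-web">
      <source><member>any</member></source>
      <destination><member>web-server</member></destination>
      <service><member>tcp-443</member></service>
    </entry>
  </rules></security></pre-rulebase>
</entry></device-group></entry></devices></config>"""


def unused_services(dg):
    """Service objects in the device group not referenced by any security rule."""
    defined = {e.get("name") for e in dg.findall("service/entry")}
    used = {m.text for m in dg.findall(".//security/rules/entry/service/member")}
    return sorted(defined - used)


def fqdn_contains_ip(dg):
    """FQDN-type Address objects whose 'hostname' actually parses as an IP address."""
    hits = []
    for entry in dg.findall("address/entry"):
        try:
            ipaddress.ip_address(entry.findtext("fqdn") or "")
        except ValueError:
            continue  # a real hostname (or no fqdn element at all); not a finding
        hits.append(entry.get("name"))
    return hits


def run_checks(xml_text, device_group):
    """Parse an export and run both checks against one device group."""
    root = ET.fromstring(xml_text)
    dg = root.find(f".//device-group/entry[@name='{device_group}']")
    return {"UnusedServices": unused_services(dg), "FQDNContainsIP": fqdn_contains_ip(dg)}
```

Running `run_checks(SAMPLE_CONFIG, "my_device_group")` flags `tcp-8443` as unused and `db-server` as an FQDN object holding an IP.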


## Known Issues

The validators for checking zones (ExtraZones, MissingZones, and ExtraRules) all
require looking up the zones for address objects on the firewall. This requires many API
requests and can take a very long time. Because Palo Alto Networks recommends limiting the number of
concurrent API calls to five, and that limit is shared with the web UI, these calls are not
parallelized. For these reasons, the default configuration skips those validators.

## Other scripts
In addition to **pan_analyzer**, several other scripts are included in this package:
* **pan_categorization_lookup** - Looks up categorization for either a single URL or a file with a list of URLs
* **pan_disable_rules** - Takes a text file with a list of security rules and disables them (useful for disabling rules found with PolicyOptimizer)
* **pan_dump_active_sessions** - Dumps all active sessions from all firewalls
* **pan_run_command** - Runs a single command on a single firewall
* **pan_zone_lookup** - Looks up Zone for a single IP on all firewalls

## License

This project is in the worldwide [public domain](LICENSE).

This project is in the public domain within the United States, and
copyright and related rights in the work worldwide are waived through
the [CC0 1.0 Universal public domain
dedication](https://creativecommons.org/publicdomain/zero/1.0/).

All contributions to this project will be released under the CC0
dedication. By submitting a pull request, you are agreeing to comply
with this waiver of copyright interest.
