NAME
App::PaloAlto::PolicyVerify - Test firewall rules using log files.
VERSION
version 0.0.2
SYNOPSIS
This is the supporting module for the pa_policy_verify application.
DESCRIPTION
This module contains the methods used by the pa_policy_verify application. It takes in the information needed to connect to a Palo Alto firewall, plus a logfile containing flows (source and destination IP addresses and ports, and a protocol).
It then runs each flow in the log against the security rulebase currently installed on the Palo Alto firewall and returns a result. The result contains:
The main use case is when migrating from a different firewall to the Palo Alto. It allows for the qualification of the migrated rulebase prior to the cutover of production flows.
METHODS
new
    my $fw_tester = App::PaloAlto::PolicyVerify->new(
        username => 'admin',
        password => 'redacted',
        insecure => 0,
        vr       => 'default',
        vsys     => 1,
        logfile  => '/home/user/logs.csv',
        sepchar  => ',',
        fields   => '0,1,2,3,4'
    );
Constructs the object. Each argument maps to a command line switch in pa_policy_verify; refer to its documentation for details and default values.
The only argument without a default is logfile.
sepchar
    $fw_tester->sepchar(';');
Sets the separating character between the fields in the logfile.
logfile
    $fw_tester->logfile('/home/user/logfile.csv');
Sets the logfile containing flow information that will be run against the firewall.
fields
    $fw_tester->fields(
        src_ip   => 3,
        dst_ip   => 4,
        src_port => 8,
        dst_port => 9,
        protocol => 20
    );
Sets the column number in the logfile at which each element of the 5-tuple (source IP, destination IP, source port, destination port, protocol) resides.
run
    $fw_tester->run();
Runs the flows contained in the logfile against the firewall.
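The following is an added example, not code from App::PaloAlto::PolicyVerify, showing the preparation step the module's description and the fields method imply: reading a flow log with a configurable separator and a column map, normalising each row into a validated 5-tuple, dropping malformed and duplicate rows, and replaying each flow through a rulebase check. The rulebase check here is a constructed first-match stand-in for the firewall's own policy evaluation, and the log lines, field map and rules are all constructed sample data; the module itself queries the live Palo Alto firewall instead.

```python
"""Flow-log replay helper (added example; not part of App::PaloAlto::PolicyVerify).

Mirrors the module's inputs: a log, a separator character and a mapping of
5-tuple field names to column numbers. The rulebase check is a constructed
stand-in for the firewall's own policy evaluation (first match wins, default deny).
"""
import csv
import io
import ipaddress
from collections import Counter

# Protocol names as they commonly appear in flow logs, mapped to IANA numbers.
PROTO_NUMBERS = {"tcp": 6, "udp": 17, "icmp": 1}


def parse_flows(log_text, sepchar, fields):
    """Yield unique (src_ip, dst_ip, src_port, dst_port, proto) tuples.

    Rows that are short, have an unparsable address, port or protocol, or
    repeat an already-seen flow are skipped: a header line falls out here,
    and replaying an identical flow twice tells us nothing new.
    """
    reader = csv.reader(io.StringIO(log_text), delimiter=sepchar)
    seen = set()
    for row in reader:
        try:
            src = ipaddress.ip_address(row[fields["src_ip"]].strip())
            dst = ipaddress.ip_address(row[fields["dst_ip"]].strip())
            sport = int(row[fields["src_port"]])
            dport = int(row[fields["dst_port"]])
            proto_raw = row[fields["protocol"]].strip().lower()
            proto = PROTO_NUMBERS.get(proto_raw)
            if proto is None:
                proto = int(proto_raw)  # numeric protocol column
        except (IndexError, ValueError):
            continue
        if not (0 <= sport <= 65535 and 0 <= dport <= 65535):
            continue
        flow = (str(src), str(dst), sport, dport, proto)
        if flow in seen:
            continue
        seen.add(flow)
        yield flow


def match_rule(rulebase, flow):
    """Ordered first-match evaluation (constructed stand-in for the firewall).

    A rule is a dict with "name", "action" and optional "src"/"dst" networks,
    "dports" set and "proto" number; None means "any". Returns (rule name, action).
    """
    src, dst, _sport, dport, proto = flow
    src_addr, dst_addr = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rulebase:
        if rule.get("src") is not None and src_addr not in rule["src"]:
            continue
        if rule.get("dst") is not None and dst_addr not in rule["dst"]:
            continue
        if rule.get("dports") is not None and dport not in rule["dports"]:
            continue
        if rule.get("proto") is not None and proto != rule["proto"]:
            continue
        return rule["name"], rule["action"]
    return None, "deny"  # nothing matched: implicit deny


def verify(log_text, sepchar, fields, rulebase):
    """Run every flow in the log against the rulebase; return (flow, rule, action) triples."""
    return [(flow,) + match_rule(rulebase, flow)
            for flow in parse_flows(log_text, sepchar, fields)]


def summarize(results):
    """Count outcomes so a migration gap (unexpected denies) is visible at a glance."""
    return Counter(action for _flow, _rule, action in results)


# Constructed sample log: a leading timestamp column, so the 5-tuple sits in columns 1..5.
SAMPLE_LOG = """timestamp,src,dst,sport,dport,proto
2019-01-01T10:00:00,10.1.1.5,192.0.2.10,51000,443,tcp
2019-01-01T10:00:00,10.1.1.5,192.0.2.10,51000,443,tcp
2019-01-01T10:00:01,10.1.1.5,192.0.2.10,51001,443,tcp
2019-01-01T10:00:02,10.1.1.7,192.0.2.20,40000,53,udp
2019-01-01T10:00:03,10.1.2.9,192.0.2.10,41000,22,tcp
2019-01-01T10:00:04,not-an-ip,192.0.2.10,1,80,tcp
"""
SAMPLE_FIELDS = {"src_ip": 1, "dst_ip": 2, "src_port": 3, "dst_port": 4, "protocol": 5}
SAMPLE_RULEBASE = [  # constructed rules, top-down order
    {"name": "web-out", "src": ipaddress.ip_network("10.1.1.0/24"), "dst": None,
     "dports": {80, 443}, "proto": 6, "action": "allow"},
    {"name": "dns", "src": None, "dst": ipaddress.ip_network("192.0.2.20/32"),
     "dports": {53}, "proto": 17, "action": "allow"},
]

if __name__ == "__main__":
    for flow, rule, action in verify(SAMPLE_LOG, ",", SAMPLE_FIELDS, SAMPLE_RULEBASE):
        print(f"{flow} -> {rule or '<no match>'} ({action})")
    print(summarize(verify(SAMPLE_LOG, ",", SAMPLE_FIELDS, SAMPLE_RULEBASE)))
```

The denied flow in the sample (10.1.2.9 to port 22 with no matching rule) is the kind of finding this replay exists to surface before cutover: a flow that the old firewall was passing but the migrated rulebase does not cover.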
AUTHOR
Greg Foletta <greg@foletta.org>
COPYRIGHT AND LICENSE
This software is copyright (c) 2019 by Greg Foletta.
This is free software; you can redistribute it and/or modify it under the same terms as the Perl 5 programming language system itself.