NAME
Device::Firewall::PaloAlto::Test - Test module for Palo Alto firewalls
VERSION
version 0.1.9
SYNOPSIS
    use Test::More;
    my $test = Device::Firewall::PaloAlto->new(username => 'admin', password => 'admin')->auth->test;
    ok( $test->interfaces(['ethernet1/1', 'ethernet1/2']), 'Interfaces are up' );
    # Test whether a flow would pass through the firewall
    my $result = $fw->test->rulebase(
        from => 'Trust',
        to => 'Untrust',
        source => '192.0.2.1',
        to => '203.0.113.0',
        destination-p
DESCRIPTION
This module holds methods that perform tests on the current state of the firewall.
METHODS
new
The new() method can be used, but in general it's easier to call the test() method from the Device::Firewall::PaloAlto module.
    use Carp;    # provides croak

    # Can use it in this manner
    my $fw = Device::Firewall::PaloAlto->new(username => 'admin', password => 'admin');
    $fw->auth or croak "Could not authenticate to the firewall";
    my $test = Device::Firewall::PaloAlto::Test->new($fw);
    # Generally better to use it in this manner
    my $test = Device::Firewall::PaloAlto->new(username => 'admin', password => 'admin')->auth->test or croak "Could not create test module";
interfaces
Takes a list of interface names and returns true if all interfaces are up, or false if any interfaces are down.
Returns false if the operation to retrieve the interfaces fails.
    ok( $fw->test->interfaces('ethernet1/1'), 'Internet interface' );
arp
Takes a list of IP addresses and returns true if all of them have entries in the ARP table. Returns false if any IP does not have an entry.
ARP entries are considered valid if their state is 'static' or 'complete'.
sec_policy
This function takes arguments related to a traffic flow through the firewall and determines the action the security rulebase would have taken on the flow.
It returns a Device::Firewall::PaloAlto::Test::SecPolicy object.
The function will attempt to use a protocol specified as a case-insensitive string. Valid examples include 'tcp', 'udp', 'esp', and 'pim'. It will warn if it cannot determine the protocol. When in doubt, use the protocol's decimal value rather than a string.
    my $result = $fw->test->sec_policy(
        from => 'Trust',
        to => 'Untrust',
        src_ip => '192.0.2.1',
        dst_ip => '203.0.113.1',
        protocol => 6,
        dst_port => 443,
        app => 'any',
        category => 'any',
        user => 'test\test_user'
    );
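The advice above to prefer the protocol's decimal value can be enforced before sec_policy is called. The following is an added example, not code from this module or its author: proto_number is a hypothetical helper that resolves names through the local protocols database and dies on an unknown protocol instead of warning, and the sample flows are constructed.

```perl
use strict;
use warnings;
use Carp;

# Hypothetical helper (not part of Device::Firewall::PaloAlto): turn a
# protocol given as a name or a number into its decimal value, and die
# when it cannot be resolved.
sub proto_number {
    my ($proto) = @_;
    croak 'No protocol given' unless defined $proto && length $proto;

    # Already numeric: accept only the valid IP protocol range 0-255.
    if ($proto =~ /\A[0-9]+\z/) {
        croak "Protocol number $proto out of range" if $proto > 255;
        return $proto + 0;
    }

    # Names are looked up in the local protocols database (/etc/protocols
    # on most Unix systems), which lists them in lower case.
    my $number = (getprotobyname(lc $proto))[2];
    croak "Cannot resolve protocol '$proto'" unless defined $number;
    return $number;
}

# Constructed sample flows, using documentation address ranges.
my @flows = (
    { src_ip => '192.0.2.1', dst_ip => '203.0.113.1', protocol => 'TCP', dst_port => 443 },
    { src_ip => '192.0.2.1', dst_ip => '203.0.113.1', protocol => 'udp', dst_port => 53  },
    { src_ip => '192.0.2.1', dst_ip => '203.0.113.1', protocol => 6,     dst_port => 22  },
);

for my $flow (@flows) {
    my %args = (
        from => 'Trust', to => 'Untrust', app => 'any', category => 'any',
        %$flow,
        protocol => proto_number($flow->{protocol}),   # always a decimal value
    );
    # With an authenticated $fw, the normalized arguments would be passed as:
    #   my $result = $fw->test->sec_policy(%args);
    print join(', ', map { "$_=$args{$_}" } sort keys %args), "\n";
}
```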
nat_policy
This function takes arguments related to a traffic flow through the firewall and determines the action the NAT rulebase would have taken on the flow.
It returns a Device::Firewall::PaloAlto::Test::NATPolicy object.
    my $result = $fw->test->nat_policy(
        from => 'Trust',
        to => 'Untrust',
        src_ip => '192.0.2.1',
        dst_ip => '203.0.113.1',
        src_port => 40514,
        dst_port => 443,
        protocol => 6,
        egress_interface => 'ethernet1/1'
    );
fib_lookup
    my $route = $fw->test->fib_lookup(
        ip => '192.0.2.24',
        virtual_router => 'default'
    );
Takes an IP address and a virtual router and returns a Device::Firewall::PaloAlto::Test::FIB object.
AUTHOR
Greg Foletta <greg@foletta.org>
COPYRIGHT AND LICENSE
This software is copyright (c) 2019 by Greg Foletta.
This is free software; you can redistribute it and/or modify it under the same terms as the Perl 5 programming language system itself.