NAME
Device::PaloAlto::Firewall::Test- Run a suite of tests against Palo Alto firewalls.
VERSION
version 0.06
SYNOPSIS
This module contains a set of methods that run tests against an Palo Alto firewall. The functions take arguments and return 1 or 0 depending on the current runtime state of the firewall.
These methods should be used in conjunction with the ok() function provided by Test::More. Multiple '.t' files can be created with tests for each firewall and run using the prove test harness.
use Device::PaloAlto::Firewall;
use Test::More qw{ no_plan };
my $tester = Device::PaloAlto::Firewall->new(uri => 'https://test_firewall.int', username => 'ro_account', password => 'complex_password)->tester();
ok( $tester->environmentals(), "No alarms on the firewall" );
ok( $tester->interfaces_up(interfaces => ['ethernet1/1']), "WAN interface is up"); SUBROUTINES
System Tests
These methods test system related aspects of the firewalls.
environmentals
Returns 1 if there are no environmental alarms. These are platform dependent, but generally consist of fantray and fans, power supplies and power, and temperature. If there are any alarms, returns 0.
VMs don't have any environmental information. In this instance the test will succeed, but a warning is generated.
ok( $test->environmentals(), "No environmental alarms" );Network Tests
These methods test network related functions of the firewalls.
interfaces_up
interfaces_up takes an ARRAYREF that contains interface match criteria. Returns 0 if any of the interfaces matched are down. Internally the sub uses a case insensitive regex to create an array of interfaces that match all of the match criteria. Consider the following values of the 'interfaces' parameter:
ok( $fw_test->interfaces_up(interfaces => ['ethernet1/1', 'ethernet./(2|3)']), "Interfaces are up" );[ ] - will warn that the ARRAYREF is empty, however the sub will return 1 as no interfaces matches are 'down'.
['ethrnt1/1'] - a typo or any criteria that causes no interfaces to be matched will warn, however the sub will return 1 as no interfaces matched are 'down'.
['ethrnt1/1', 'ethernet1/2'] - if 'ethrnt1/1' matches no interfaces, and 'ethernet1/2' does, the return value will depend on whether 'ethernet1/2' is 'up' or 'down'.
interfaces_duplex
interfaces_duplex takes an ARRAYREF of interface match criteria. The match criteria can contain regex. See interfaces_up for some of the nuances around the matching.
It returns 1 if all of the interfaces are in a full duplex state. If any are not, it returns 0. If the device is a VM, physical interface state cannot be determined. The function will emit a warning, however it will still return a successful test.
ok(
$fw_test->interfaces_duplex(
interfaces => ['ethernet1/1', 'ethernet./(2|3)']
), "Interfaces are running full duplex"
);interface_errors_logical
Takes a percent argument between (0, 100], returns 0 if, for any interface:
The number of input errors divided by the number of input packets is greater than or equal to
percent, ORThe number of output errors dividied by the number of output packets is greater than or equal to
percent.
Otherwise it returns 1. If no percent argument is supplied, it is assumed to be 1%.
routes_exist
Takes an ARRAYREF of routes and searches for these routes in the virtual router specified by vrouter. If all of the exact routes are present in the routing table it returns 1. If any exact routes are not present, it returns 0.
routes is mandatory. vrouter is optional, and is set to 'default' if not specified. An empty ARRAYREF will emit a warning but will still return 1.
ok(
$fw_test->routes_exist(
vrouter => 'virt_router_a',
routes => ['192.0.2.0/30', '192.0.2.128/25']
), "All expected routes are present in 'virt_router_a'"
);bgp_peers_up
Returns 1 if all of the BGP peers specified in the peer_ips are established. Returns 0 if any of the peers are not in the established state.
vrouter specifies the virtual router that the BGP peers are configured under. If not supplied, the vrouter 'default' will be used.
ok(
$fw_test->bgp_peers_ip(
vrouter => 'virt_router_a',
peer_ips => ['192.0.2.1', '192.0.2.20']
), "BGP peerings for 'virt_router-a' are up"
);bfd_peers_up
Takes an ARRAYREF of interface names and returns 1 if:
All of the interfaces have BFD sessions associated with them, and
All of the BFD sessions are up.
Otherwise it returns 0. If no interfaces are specified, all BFD sessions are checked.
ntp_synchronised
Returns 0 if the firewall is not synchronised with an NTP peer. Returns 1 if the firewall is synchronised with at least one NTP peer.
ok( $fw_test->ntp_synchronised(), "Firewall is synchronised with at least one NTP server" );ntp_reachable
Returns 1 if all of the configured NTP servers are reachable. Returns 0 if any of the configured NTP servers are not reachable.
ok ( $fw_test->ntp_reachable(), "Firewall can reach all of its NTP servers" );High Availability Tests
These methods test aspects of the high availability function of the firewalls.
ha_enabled
Returns 1 if HA is enabled on the devices. Returns if HA is not enabled.
ok( $test->ha_enabled(), "HA is enabled on the firewall" );ha_state
Returns 1 if the firewall is in the same state as the state parameter passed to the function. Returns 0 if it is not, or if HA is not enabled on the device.
ok( $test->ha_state(state => 'active'), "Firewall is in the active HA state" );The SCALAR string passed must be either 'active' or 'passive', however it is case insensitive.
ha_version
Returns 1 if the app, threat, antivirus, PAN-OS and GlobalProtect versions match between the HA peers. Returns 0 if any one of these do not match, or HA is not enabled on the device.
ok( $test->ha_version(), "HA peers have matching versions" );ha_peer_up
Returns 1 if the peer firewall is considerd 'up', and that the HA1, heartbeat backup and HA2 connections are 'up'. Returns 0 if any one of these conditions is not 'up'.
ok( $test->ha_peer_up(), "HA peer is up" );ha_config_sync
Returns 1 if the configuration has been successfully synchronised between the devices. Returns 0 if the configuration has not been synchronised, if config synchronisation is not enabled, or if HA is not enabled.
Firewall Tests
ip_user_mapping
Takes a domain and an ARRAYREF of users as arguments. Returns 1 if there is a valid IP mapping for all of these users within that domain.
If no domain is specified then the users are matched for any domain. If no domain or users are specified then it returns 1 if there is any user to IP mapping, and 0 if there are none.
userid_server_monitor
Takes an ARRAYREF of servers returns 1 if all of the servers are connnected. Returns 0 if any of the servers are not connected. Each server must be specified as their fully qualified domain name, e.g. 'ad01.domain.int'.
If no servers argument is given, returns 1 if all of the servers configured are connected, and returns 0 of any of the servers are not connected.
AUTHOR
Greg Foletta, <greg at foletta.org>
BUGS
Please report any bugs or feature requests to bug-device-firewall-paloaltoat rt.cpan.org, or through the web interface at http://rt.cpan.org/NoAuth/ReportBug.html?Queue=Device-PaloAlto-Firewall. I will be notified, and then you'll automatically be notified of progress on your bug as I make changes.
SUPPORT
You can find documentation for this module with the perldoc command.
perldoc Device::PaloAlto::Firewall::TestYou can also look for information at:
RT: CPAN's request tracker (report bugs here)
http://rt.cpan.org/NoAuth/Bugs.html?Dist=Device-PaloAlto-Firewall
AnnoCPAN: Annotated CPAN documentation
CPAN Ratings
Search CPAN
ACKNOWLEDGEMENTS
LICENSE AND COPYRIGHT
Copyright 2016 Greg Foletta.
This program is free software; you can redistribute it and/or modify it under the terms of the the Artistic License (2.0). You may obtain a copy of the full license at:
http://www.perlfoundation.org/artistic_license_2_0
Any use, modification, and distribution of the Standard or Modified Versions is governed by this Artistic License. By using, modifying or distributing the Package, you accept this license. Do not use, modify, or distribute the Package, if you do not accept this license.
If your Modified Version has been derived from a Modified Version made by someone other than you, you are nevertheless required to ensure that your Modified Version complies with the requirements of this license.
This license does not grant you the right to use any trademark, service mark, tradename, or logo of the Copyright Holder.
This license includes the non-exclusive, worldwide, free-of-charge patent license to make, have made, use, offer to sell, sell, import and otherwise transfer the Package with respect to any patent claims licensable by the Copyright Holder that are necessarily infringed by the Package. If you institute patent litigation (including a cross-claim or counterclaim) against any party alleging that the Package constitutes direct or contributory patent infringement, then this Artistic License to you shall terminate on the date that such litigation is filed.
Disclaimer of Warranty: THE PACKAGE IS PROVIDED BY THE COPYRIGHT HOLDER AND CONTRIBUTORS "AS IS' AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES. THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT ARE DISCLAIMED TO THE EXTENT PERMITTED BY YOUR LOCAL LAW. UNLESS REQUIRED BY LAW, NO COPYRIGHT HOLDER OR CONTRIBUTOR WILL BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, OR CONSEQUENTIAL DAMAGES ARISING IN ANY WAY OUT OF THE USE OF THE PACKAGE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.