NAME

Device::PaloAlto::Firewall - Interact with the Palo Alto firewall API

VERSION

version 0.091

SYNOPSIS

Device::PaloAlto::Firewall provides interfaces to retrieve information from a Palo Alto firewall.

my $firewall = Device::PaloAlto::Firewall->new(uri => 'http://localhost.localdomain', username => 'admin', password => 'complex_password')

my $environ = $firewall->environmentals();
my $interfaces = $firewall->interfaces();

A key point is that that methods only retrieve information. There are no methods within this module to modify or commit configuration.

RETURN VALUES

If the methods succeed they generally return either an ARRAYREF or a HASHREF. This includes an empty ARRAYREF or HASHREF if something is not configured or there are no entries (e.g. no OSPF neighbours).

If the method fails - either because the device is unreachable, there's an authentication issue, or the device has thrown an error - it will croak a message and return undef.

What type (ARRAYREF, HASHREF, etc) a method returns will be in each method's section, however the full data structures is not documented. They don't adhere to a strict schema, but examples for each method are provided on the Device::PaloAlto:Firewall::Return page.

CONSTRUCTOR

The new() constructor takes the following arguments:

  • uri - A HTTP or HTTPS URI to the firewall.

  • username - a username to authenticate to the device.

  • password - a password for the username.

METHODS

META

These methods affect the way requests are made to the firewalls.

authenticate

Manually authenticates to the firewall and retrieves an API key which is stored internally in the object. If the authentication succeeds, returns 1. If the authentication fails or the device is not accessible, returns undef.

If this isn't called explicitly, the first method to make a request to the firewall will see there is no API key and call authenticate(). This is presented to the user as it useful to test for connectivity and authentication before making other requests.

verify_hostname

Enables/disables the verification of the peer certificate and hostname if 'https' is used for API calls. By default TLS peer verification is enabled.

$fw->verify_hostname(1); Enable TLS peer verification
$fw->verify_hostname(0); Disable TLS verification

optimise

Enables/disables the local caching of requests and responses to the firewall. This is disabled by default.

$fw->optimise(1);                           # Enable optimisation
my $system_info = $fw->system_info();       # API call to retrieve interface information
$system_info = $fw->system_info();          # Information retrieved from local cache

The first call to system_info() will make an API call to the firewall and cache the result. The second request will retrieve the response from the local cache without making an API call. Under the covers it uses Memoize to cache the API request call. This means that each function & arguments receive their own cache. For example:

$fw->optimise(1); 
my $default_vr bgp_peers = $fw->bgp_peers(vrouter => 'default');
my $other_vr_bgp_peers = $fw->bgp_peers(vrouter => 'other');

Both of these methods would make an API call to the firewall as the arguments differ.

trace

Enables/disables tracing of the requests and responses to/from the firewall. If trace is set to 1, a file named <uri>_<datetime>.trace is created in the current working directory (e.g. 192.168.1.1_10-09-11_03:22:31.trace). This file is has the string representations of the HTTP requests and responses written to it.i If trace is set to 2, a stacktrace is written as well.

As the trace represents requests/responses to/from the firewall, if the optimise() method is set to 1 only non-cached requests and responses are written to the file.

If the trace file cannot be opened, a warning is printed and trace reset back to 0;

tester

Retrieves a Device::PaloAlto::Firewall::Test object for this firewall.

use Test::More;
my $test = Device::PaloAlto::Firewall->new(uri => 'http://remote_pa.domain', username => 'test', password => 'test')->tester();

ok( $test->interfaces_up(interfaces => ['ethernet1/1']) );

For more information, see the Device::PaloAlto::Firewall::Test documentation.

PLATFORM

These methods retrieve information on the firewall platform.

system_info

Returns system information from the firewall.

my $system_info = $fw->system_info();
say "Current Time on Firewall: $system_info->{time}";

environmentals

Returns information on the system environmentals. This includes the fantray and fans, power supplies and power, temperature. Note: virtual machines don't have any environmental information and won't return any information.

high_availability

Retrieves information on the high availability status of the firewall.

software_check

Asks the firewall to make a request to the Palo Alto update server to get a list of the available PAN-OS software. Returns an ARRAYREF of all of the software available. If it cannot reach the server, an empty ARRAYREF is returned.

content_check

Asks the firewall to make a request to the Palo Alto update server to get a list of the available content. Returns an ARRAYREF of all of the content available. If it cannot reach the server, an empty ARRAYREF is returned.

antivirus_check

Asks the firewall to make a request to the Palo Alto update server to get a list of the available antivirus signatures. Returns an ARRAYREF of all of the signatures available. If it cannot reach the server, an empty ARRAYREF is returned.

gp_client_check

Asks the firewall to make a request to the Palo Alto update server to get a list of the GlobalProtect clients available. Returns an ARRAYREF of all of the clients available. If it cannot reach the server, an empty ARRAYREF is returned.

licenses

Returns an ARRAYREF with information on the licenses installed on the firewall. Includes active and expired licenses. If there are no licenses installed on the firewall, an empty ARRAYREF is returned.

NETWORK

These methods retrieve network information from the firewall.

interfaces

Retrieves interface information.

interface_counters_logical

Retrieves information on the logical interface counters.

routing_table

Retrives information on the routing table for a particular virtual router. If no vrouter argument is specified it retrieves the 'default' vrouter's routing table.

my $default_vr_table = $fw->routing_table();
my $corp_vr_table = $fw->routing_table(vrouter => 'corp');

bgp_peers

Retrieves information on the configured BGP peers for a particular virtual router. If no vrouter argument is specified it retrieves the 'default' vrouter's BGP peers.

my $default_vr_bgp_peers = $fw->bgp_peers();
my $corp_vr_bgp_peers = $fw->bgp_peers(vrouter => 'corp');

bgp_rib

Retrieves information the local routing information base (RIB) for a specific virtual router. If no vrouter argument is specified, the 'default' vrouter's loc RIB is returned.

my $default_vr_rib = $fw->bgp_rib();
my $corp_vr_rib = $fw->bgp_rib(vrouter => 'corp');

If BGP is not configured, or there are no prefixes in the local RIB, an empty ARRAYREF is returned. Otherwise an ARRAYREF is returned containing the prefixes in the local RIB.

ospf_neighbours

Returns and ARRAYREF containing information on the current OSPF neighbours for a specific virtual router. If no vrouter argument is specified, the 'default' vrouter's neighbours are returned.

If OSPF is not configured, or there are no OSPF neighbours up, an empty ARRAYREF

Neighbours are returned who have not completed a full OSPF handshake - for example they may be in EXSTART if there is an MTU mismatch on the interface.

pim_neighbours

Retrieves information on the PIM neighbours for a specific virtual router. If no vrouter argument is specified, the neighbours for the 'default' vrouter are returned.

my $pim_neighbours = $fw->pim_neighbours(vrouter => 'corp');

If PIM is not configured, or there are currently no neighbours, an empty ARRAYREF is returned.

bfd_peers

Returns information on BFD peers.

MANAGEMENT

These methods retrieve information on the management / operational status of the firewall.

ntp

Retrieves information on the current synchronisation and reachability of configured NTP peers.

panorama_status

Returns information on the current Panorama runtime status.

SECURITY

These methods retrieve information on the security functions of the firewall.

ip_user_mapping

Returns the ip to user mapping table.

userid_server_monitor

Returns the state of the servers used to monitor User-ID IP-to-user mappings.

ike_peers

Returns information on active IKE (Phase 1) VPN peers.

ipsec_peers

Returns information on the active IPSEC (Phase 2) VPN peers.

vpn_tunnels

Returns dataplane IPSEC VPN tunnel information.

AUTHOR

Greg Foletta, <greg at foletta.org>

BUGS

Please report any bugs or feature requests to bug-device-paloalto-firewall at rt.cpan.org, or through the web interface at http://rt.cpan.org/NoAuth/ReportBug.html?Queue=Device-PaloAlto-Firewall. I will be notified, and then you'll automatically be notified of progress on your bug as I make changes.

SUPPORT

You can find documentation for this module with the perldoc command.

perldoc Device::PaloAlto::Firewall

You can also look for information at:

ACKNOWLEDGEMENTS

LICENSE AND COPYRIGHT

Copyright 2017 Greg Foletta.

This program is free software; you can redistribute it and/or modify it under the terms of the the Artistic License (2.0). You may obtain a copy of the full license at:

http://www.perlfoundation.org/artistic_license_2_0

Any use, modification, and distribution of the Standard or Modified Versions is governed by this Artistic License. By using, modifying or distributing the Package, you accept this license. Do not use, modify, or distribute the Package, if you do not accept this license.

If your Modified Version has been derived from a Modified Version made by someone other than you, you are nevertheless required to ensure that your Modified Version complies with the requirements of this license.

This license does not grant you the right to use any trademark, service mark, tradename, or logo of the Copyright Holder.

This license includes the non-exclusive, worldwide, free-of-charge patent license to make, have made, use, offer to sell, sell, import and otherwise transfer the Package with respect to any patent claims licensable by the Copyright Holder that are necessarily infringed by the Package. If you institute patent litigation (including a cross-claim or counterclaim) against any party alleging that the Package constitutes direct or contributory patent infringement, then this Artistic License to you shall terminate on the date that such litigation is filed.

Disclaimer of Warranty: THE PACKAGE IS PROVIDED BY THE COPYRIGHT HOLDER AND CONTRIBUTORS "AS IS' AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES. THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT ARE DISCLAIMED TO THE EXTENT PERMITTED BY YOUR LOCAL LAW. UNLESS REQUIRED BY LAW, NO COPYRIGHT HOLDER OR CONTRIBUTOR WILL BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, OR CONSEQUENTIAL DAMAGES ARISING IN ANY WAY OUT OF THE USE OF THE PACKAGE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.