| Next revision | Previous revision |
| paloaltonetworks:tools:pan_configurator [2020/05/19 09:43] – created bstafford | paloaltonetworks:tools:pan_configurator [2022/11/23 12:49] (current) – external edit 127.0.0.1 |
|---|
| ====== PAN Configurator ====== | ====== PAN Configurator ====== |
| In these examples, '''10.1.1.1''' is a Panorama appliance. | ===== Overview ===== |
| | [[https://github.com/cpainchaud/pan-configurator|PAN-Configurator]] is a PHP library for running actions on PAN-OS. |
| | |
| | There is a [[https://github.com/cpainchaud/pan-configurator-windows-package|Windows package]] for making it easy to run commands on Windows. |
| | |
| | Assuming you have plaged everything in "C:\Program Files\PAN Configurator" (Make sure your user has read/write access to this folder and sub-folders) |
| | |
| | Update the PATH variable with the following three entries |
| | * C:\Program Files\PAN Configurator\php; |
| | * C:\Program Files\PAN Configurator\Console2; |
| | * C:\Program Files\PAN Configurator\git\bin |
| | |
| | Create the following variables and values |
| | * PS1=\w> |
| | * PANCDIR=C:\Program Files\PAN Configurator\pan-configurator |
| | * HOME=C:\Program Files\PAN Configurator |
| | |
| | ===== Examples ===== |
| | In these examples, ''10.1.1.1'' is a Panorama appliance. |
| |
| Set all security policies to have 'default' as the log forwarding profile. | Set all security policies to have 'default' as the log forwarding profile. |
| <code>pa_rule-edit in=api://10.1.1.1 ruleType=security location=DeviceGroupName actions=logSetting-set:default</code> | <code>pa_rule-edit in=api://10.1.1.1 ruleType=security location=DeviceGroupName actions=logSetting-set:default</code> |
| | <code>pa_rule-edit in=api://10.1.1.1 ruleType=security location=DeviceGroupName actions=logSetting-set:default 'filter=!( logprof is.set )'</code> |
| Set all security policies to have 'default' as the security profile group. | Set all security policies to have 'default' as the security profile group. |
| <code>pa_rule-edit in=api://10.1.1.1 ruleType=security location=DeviceGroupName actions=securityProfile-Group-Set:default</code> | <code>pa_rule-edit in=api://10.1.1.1 ruleType=security location=DeviceGroupName actions=securityProfile-Group-Set:default</code> |
| | <code>pa_rule-edit in=api://10.1.1.1 ruleType=security location=DeviceGroupName actions=securityProfile-Group-set:default 'filter=!( secprof is.set )'</code> |
| Set security policies to have 'SPG_Outbound' as the security profile group. Only set it on policies that have the tag 'outbound'. | Set security policies to have 'SPG_Outbound' as the security profile group. Only set it on policies that have the tag 'outbound'. |
| <code>pa_rule-edit in=api://10.1.1.1 ruleType=security location=DeviceGroupName actions=securityProfile-Group-Set:SPG_Outbound 'filter=(tag has outbound)'</code> | <code>pa_rule-edit in=api://10.1.1.1 ruleType=security location=DeviceGroupName actions=securityProfile-Group-Set:SPG_Outbound 'filter=(tag has outbound)'</code> |
| Set all rules that deny traffic to have no security profile group | Set all rules that deny traffic to have no security profile group |
| <code>pa_rule-edit in=api://10.1.1.1 ruleType=security location=DeviceGroupName actions=securityProfile-Remove 'filter=(action is.deny)'</code> | <code>pa_rule-edit in=api://10.1.1.1 ruleType=security location=DeviceGroupName actions=securityProfile-Remove 'filter=(action is.deny)'</code> |
| Set security policies to be targeted to a specific serial number <code>011122211122</code>. Only set it on policies that are targeted on firewall serial number <code>099887766554</code>. This is usefull when adding new firewalls to Panorama to replace an old firewall already in Panorama. | Set security policies to be targeted to a specific serial number ''011122211122''. Only set it on policies that are targeted on firewall serial number ''099887766554''. This is usefull when adding new firewalls to Panorama to replace an old firewall already in Panorama. |
| <code>pa_rule-edit in=api://10.1.1.1 ruleType=nat location=DeviceGroupName actions=target-Add-Device:011122211122 'filter=(target has 099988899988)'</code> | <code>pa_rule-edit in=api://10.1.1.1 ruleType=nat location=DeviceGroupName actions=target-Add-Device:011122211122 'filter=(target has 099988899988)'</code> |
| Update all security policies that have security profile group set to default and set it to security profile group spg-internal. | Update all security policies that have security profile group set to default and set it to security profile group spg-internal. |
| <code>pa_rule-edit in=api://10.1.1.1. ruleType=security location=DeviceGroupName actions=securityProfile-Group-Set:spg-internal 'filter=(secprof group.is default)'</code> | <code>pa_rule-edit in=api://10.1.1.1 ruleType=security location=DeviceGroupName actions=securityProfile-Group-Set:spg-internal 'filter=(secprof group.is default)'</code> |
| To replace destination zone | To replace destination zone |
| <code>pa_rule-edit in=api://10.1.1.1 ruleType=security location=DGName actions=to-Replace:OldZone,NewZone | <code>pa_rule-edit in=api://10.1.1.1 ruleType=security location=DGName actions=to-Replace:OldZone,NewZone |
| * nat | * nat |
| * decryption | * decryption |
| | * pbf |
| | |
| | ===== Replace one app with another ===== |
| | <code>pa_rule-edit in=api://10.1.1.1 ruleType=security location=DeviceGroupName actions=app-Add:app-grp-icmp 'filter=( app has icmp )'</code> |
| | <code>pa_rule-edit in=api://10.1.1.1 ruleType=security location=DeviceGroupName actions=app-Remove:icmp 'filter=( app has app-grp-icmp )'</code> |
| | |
