Device::PaloAlto::Firewall - Interact with the Palo Alto firewall API
version 0.091
Device::PaloAlto::Firewall provides interfaces to retrieve information from a Palo Alto firewall.
my $firewall = Device::PaloAlto::Firewall->new(uri => 'http://localhost.localdomain', username => 'admin', password => 'complex_password') my $environ = $firewall->environmentals(); my $interfaces = $firewall->interfaces();
A key point is that that methods only retrieve information. There are no methods within this module to modify or commit configuration.
If the methods succeed they generally return either an ARRAYREF or a HASHREF. This includes an empty ARRAYREF or HASHREF if something is not configured or there are no entries (e.g. no OSPF neighbours).
If the method fails - either because the device is unreachable, there's an authentication issue, or the device has thrown an error - it will croak a message and return undef.
What type (ARRAYREF, HASHREF, etc) a method returns will be in each method's section, however the full data structures is not documented. They don't adhere to a strict schema, but examples for each method are provided on the Device::PaloAlto:Firewall::Return page.
The new() constructor takes the following arguments:
new()
uri - A HTTP or HTTPS URI to the firewall.
uri
username - a username to authenticate to the device.
username
password - a password for the username.
password
These methods affect the way requests are made to the firewalls.
Manually authenticates to the firewall and retrieves an API key which is stored internally in the object. If the authentication succeeds, returns 1. If the authentication fails or the device is not accessible, returns undef.
If this isn't called explicitly, the first method to make a request to the firewall will see there is no API key and call authenticate(). This is presented to the user as it useful to test for connectivity and authentication before making other requests.
authenticate()
Enables/disables the verification of the peer certificate and hostname if 'https' is used for API calls. By default TLS peer verification is enabled.
$fw->verify_hostname(1); Enable TLS peer verification $fw->verify_hostname(0); Disable TLS verification
Enables/disables the local caching of requests and responses to the firewall. This is disabled by default.
$fw->optimise(1); # Enable optimisation my $system_info = $fw->system_info(); # API call to retrieve interface information $system_info = $fw->system_info(); # Information retrieved from local cache
The first call to system_info() will make an API call to the firewall and cache the result. The second request will retrieve the response from the local cache without making an API call. Under the covers it uses Memoize to cache the API request call. This means that each function & arguments receive their own cache. For example:
system_info()
Memoize
$fw->optimise(1); my $default_vr bgp_peers = $fw->bgp_peers(vrouter => 'default'); my $other_vr_bgp_peers = $fw->bgp_peers(vrouter => 'other');
Both of these methods would make an API call to the firewall as the arguments differ.
Enables/disables tracing of the requests and responses to/from the firewall. If trace is set to 1, a file named <uri>_<datetime>.trace is created in the current working directory (e.g. 192.168.1.1_10-09-11_03:22:31.trace). This file is has the string representations of the HTTP requests and responses written to it.i If trace is set to 2, a stacktrace is written as well.
As the trace represents requests/responses to/from the firewall, if the optimise() method is set to 1 only non-cached requests and responses are written to the file.
optimise()
If the trace file cannot be opened, a warning is printed and trace reset back to 0;
Retrieves a Device::PaloAlto::Firewall::Test object for this firewall.
Device::PaloAlto::Firewall::Test
use Test::More; my $test = Device::PaloAlto::Firewall->new(uri => 'http://remote_pa.domain', username => 'test', password => 'test')->tester(); ok( $test->interfaces_up(interfaces => ['ethernet1/1']) );
For more information, see the Device::PaloAlto::Firewall::Test documentation.
These methods retrieve information on the firewall platform.
Returns system information from the firewall.
my $system_info = $fw->system_info(); say "Current Time on Firewall: $system_info->{time}";
Returns information on the system environmentals. This includes the fantray and fans, power supplies and power, temperature. Note: virtual machines don't have any environmental information and won't return any information.
Retrieves information on the high availability status of the firewall.
Asks the firewall to make a request to the Palo Alto update server to get a list of the available PAN-OS software. Returns an ARRAYREF of all of the software available. If it cannot reach the server, an empty ARRAYREF is returned.
Asks the firewall to make a request to the Palo Alto update server to get a list of the available content. Returns an ARRAYREF of all of the content available. If it cannot reach the server, an empty ARRAYREF is returned.
Asks the firewall to make a request to the Palo Alto update server to get a list of the available antivirus signatures. Returns an ARRAYREF of all of the signatures available. If it cannot reach the server, an empty ARRAYREF is returned.
Asks the firewall to make a request to the Palo Alto update server to get a list of the GlobalProtect clients available. Returns an ARRAYREF of all of the clients available. If it cannot reach the server, an empty ARRAYREF is returned.
Returns an ARRAYREF with information on the licenses installed on the firewall. Includes active and expired licenses. If there are no licenses installed on the firewall, an empty ARRAYREF is returned.
These methods retrieve network information from the firewall.
Retrieves interface information.
Retrieves information on the logical interface counters.
Retrives information on the routing table for a particular virtual router. If no vrouter argument is specified it retrieves the 'default' vrouter's routing table.
vrouter
my $default_vr_table = $fw->routing_table(); my $corp_vr_table = $fw->routing_table(vrouter => 'corp');
Retrieves information on the configured BGP peers for a particular virtual router. If no vrouter argument is specified it retrieves the 'default' vrouter's BGP peers.
my $default_vr_bgp_peers = $fw->bgp_peers(); my $corp_vr_bgp_peers = $fw->bgp_peers(vrouter => 'corp');
Retrieves information the local routing information base (RIB) for a specific virtual router. If no vrouter argument is specified, the 'default' vrouter's loc RIB is returned.
my $default_vr_rib = $fw->bgp_rib(); my $corp_vr_rib = $fw->bgp_rib(vrouter => 'corp');
If BGP is not configured, or there are no prefixes in the local RIB, an empty ARRAYREF is returned. Otherwise an ARRAYREF is returned containing the prefixes in the local RIB.
Returns and ARRAYREF containing information on the current OSPF neighbours for a specific virtual router. If no vrouter argument is specified, the 'default' vrouter's neighbours are returned.
If OSPF is not configured, or there are no OSPF neighbours up, an empty ARRAYREF
Neighbours are returned who have not completed a full OSPF handshake - for example they may be in EXSTART if there is an MTU mismatch on the interface.
Retrieves information on the PIM neighbours for a specific virtual router. If no vrouter argument is specified, the neighbours for the 'default' vrouter are returned.
my $pim_neighbours = $fw->pim_neighbours(vrouter => 'corp');
If PIM is not configured, or there are currently no neighbours, an empty ARRAYREF is returned.
Returns information on BFD peers.
These methods retrieve information on the management / operational status of the firewall.
Retrieves information on the current synchronisation and reachability of configured NTP peers.
Returns information on the current Panorama runtime status.
These methods retrieve information on the security functions of the firewall.
Returns the ip to user mapping table.
Returns the state of the servers used to monitor User-ID IP-to-user mappings.
Returns information on active IKE (Phase 1) VPN peers.
Returns information on the active IPSEC (Phase 2) VPN peers.
Returns dataplane IPSEC VPN tunnel information.
Greg Foletta, <greg at foletta.org>
<greg at foletta.org>
Please report any bugs or feature requests to bug-device-paloalto-firewall at rt.cpan.org, or through the web interface at http://rt.cpan.org/NoAuth/ReportBug.html?Queue=Device-PaloAlto-Firewall. I will be notified, and then you'll automatically be notified of progress on your bug as I make changes.
bug-device-paloalto-firewall at rt.cpan.org
You can find documentation for this module with the perldoc command.
perldoc Device::PaloAlto::Firewall
You can also look for information at:
RT: CPAN's request tracker (report bugs here)
http://rt.cpan.org/NoAuth/Bugs.html?Dist=Device-PaloAlto-Firewall
AnnoCPAN: Annotated CPAN documentation
http://annocpan.org/dist/Device-PaloAlto-Firewall
CPAN Ratings
http://cpanratings.perl.org/d/Device-PaloAlto-Firewall
Search CPAN
http://search.cpan.org/dist/Device-PaloAlto-Firewall/
Copyright 2017 Greg Foletta.
This program is free software; you can redistribute it and/or modify it under the terms of the the Artistic License (2.0). You may obtain a copy of the full license at:
http://www.perlfoundation.org/artistic_license_2_0
Any use, modification, and distribution of the Standard or Modified Versions is governed by this Artistic License. By using, modifying or distributing the Package, you accept this license. Do not use, modify, or distribute the Package, if you do not accept this license.
If your Modified Version has been derived from a Modified Version made by someone other than you, you are nevertheless required to ensure that your Modified Version complies with the requirements of this license.
This license does not grant you the right to use any trademark, service mark, tradename, or logo of the Copyright Holder.
This license includes the non-exclusive, worldwide, free-of-charge patent license to make, have made, use, offer to sell, sell, import and otherwise transfer the Package with respect to any patent claims licensable by the Copyright Holder that are necessarily infringed by the Package. If you institute patent litigation (including a cross-claim or counterclaim) against any party alleging that the Package constitutes direct or contributory patent infringement, then this Artistic License to you shall terminate on the date that such litigation is filed.
Disclaimer of Warranty: THE PACKAGE IS PROVIDED BY THE COPYRIGHT HOLDER AND CONTRIBUTORS "AS IS' AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES. THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT ARE DISCLAIMED TO THE EXTENT PERMITTED BY YOUR LOCAL LAW. UNLESS REQUIRED BY LAW, NO COPYRIGHT HOLDER OR CONTRIBUTOR WILL BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, OR CONSEQUENTIAL DAMAGES ARISING IN ANY WAY OUT OF THE USE OF THE PACKAGE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
To install Device::PaloAlto::Firewall, copy and paste the appropriate command in to your terminal.
cpanm
cpanm Device::PaloAlto::Firewall
CPAN shell
perl -MCPAN -e shell install Device::PaloAlto::Firewall
For more information on module installation, please visit the detailed CPAN module installation guide.