Parsing Palo Alto Config XML into PowerShell Objects
One of my customers is converting to an NSX-based network design. In order to facilitate this conversion, they need to understand the rules that exist on their Palo Alto firewall and then recreate those desired behaviors in the NSX microsegmentation. Their challenge was that their Palo Alto had a fairly complex ruleset, one that no one wanted to try to recreate by hand in NSX. I'm sure that you can see where this is going.
Before we could create anything in NSX (via the ever-evolving PowerNSX module), we had to understand the configuration of the existing firewall. When I asked about exporting the configuration, the networking team told me that they had two options: JSON or XML. Not knowing what I was likely to get working, I asked for them both, then tried convertfrom-JSON and import-clixml on the provided files. Neither worked, so I had to do some digging.
After banging my head into a wall for a while, one of my coworkers gave me a copy of a script that he got from Palo Alto, built to do exactly this. Unfortunately, that script failed to import the XML file that I had (my XML tree was slightly different from the tree that his script was expecting; I tried to write my version to be as generic as possible), but it revealed a technique for parsing the config that I had not seen before: simply cast the contents of the XML file as XML, like this: [xml](get-content config.xml)
Once I had an XML object, I was able to dig through the contents of the config file without too much difficulty, eventually generating an array of firewall rules that could then be recreated in the NSX environment.
The script has two parameters: -vsys and -panConfigXML. -vsys is used to specify which vsys on the Palo Alto firewall should be analyzed, in case the environment is subdivided (as a service provider might do) and only one section is desired. If no -vsys is specified, the script will examine the whole config file for firewall rules. -panConfigXML is the PowerShell XML object built from the PAN config, so you can use that trick from before and call the script like this: $rules = ./Parse-PANConfig.ps1 -panConfigXML ([xml](get-content config.xml)). That command parses the config.xml file and stores all of the discovered firewall rules in the $rules variable. The output is designed to be exported to CSV easily, so fields that hold lists are joined with "," and may need to be split on "," if that output is going to be used as input for another script.
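As an added illustration of the [xml] cast and the -vsys / -panConfigXML behavior described above (this is example code, not the Parse-PANConfig.ps1 script from the post), the snippet below parses a constructed, minimal PAN-OS-style config and emits one CSV-friendly object per security rule. The element layout (devices/entry/vsys/entry/rulebase/security/rules/entry with <member> lists) and the function names are assumptions, not taken from the post.

```powershell
# Added example, not the post's Parse-PANConfig.ps1. The config below is constructed and
# minimal; the element layout is an assumption about the PAN-OS export format.
[xml]$panConfigXML = @'
<config><devices><entry name="localhost.localdomain"><vsys>
  <entry name="vsys1"><rulebase><security><rules>
    <entry name="allow-web">
      <from><member>trust</member></from><to><member>untrust</member></to>
      <source><member>10.0.1.0/24</member><member>10.0.2.0/24</member></source>
      <destination><member>any</member></destination>
      <application><member>web-browsing</member><member>ssl</member></application>
      <service><member>application-default</member></service>
      <action>allow</action>
    </entry>
    <entry name="deny-all">
      <from><member>any</member></from><to><member>any</member></to>
      <source><member>any</member></source><destination><member>any</member></destination>
      <application><member>any</member></application><service><member>any</member></service>
      <action>deny</action><disabled>yes</disabled>
    </entry>
  </rules></security></rulebase></entry>
  <entry name="vsys2"><rulebase><security><rules/></security></rulebase></entry>
</vsys></entry></devices></config>
'@

function Join-Member($node) {
    # <member> children collapse to one "," separated field, so Export-Csv gets a flat row.
    if ($null -eq $node) { return '' }
    @($node.member) -join ','
}
function Get-PanSecurityRule {
    param([Parameter(Mandatory)][xml]$panConfigXML, [string]$vsys)
    # Restrict to one vsys when -vsys is given, otherwise walk every vsys in the file.
    $filter = if ($vsys) { "[@name='$vsys']" } else { '' }
    foreach ($rule in $panConfigXML.SelectNodes("//vsys/entry$filter/rulebase/security/rules/entry")) {
        [pscustomobject]@{
            Vsys        = $rule.SelectSingleNode('ancestor::entry[parent::vsys]').GetAttribute('name')
            Name        = $rule.GetAttribute('name')
            From        = Join-Member $rule.from
            To          = Join-Member $rule.to
            Source      = Join-Member $rule.source
            Destination = Join-Member $rule.destination
            Application = Join-Member $rule.application
            Service     = Join-Member $rule.service
            Action      = [string]$rule.action
            Disabled    = if ($rule.disabled -eq 'yes') { 'yes' } else { 'no' }  # disabled rules still show up
        }
    }
}
Get-PanSecurityRule -panConfigXML $panConfigXML -vsys vsys1 | ConvertTo-Csv -NoTypeInformation
```

Drop -vsys to get rules from every vsys in the file; the Disabled column is there because a disabled rule in the export should not be recreated as an active NSX rule.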
And, there you have it! I hope that this script proves useful for someone, at least as a tool that helps you to write your own script in the same way that my coworker's script helped me to put this together. As always: this script worked for me but that's no guarantee that it'll work for you... be careful about running scripts that you find on the internet... don't drink and drive... you know the drill.