This blog will showcase 4 Palo Alto Networks’ tools that will make your daily life easier.
PAN-Configurator is a PHP library aimed at making PANOS config changes easy. It may seem a little complex compared to the GUI based approach of the Palo Alto platform, but the commands are straightforward and the documentation provides some examples to get you started.
The tool can be used to manage large rulebases, execute complex rule merges, track unused objects and other actions which are not directly offered by the standard GUI.
The PAN configurator allows you to:
The tool comes as a free download at GitHub.
More information can be found on the Palo Alto Networks Live platform.
The Best Practice Assessment (BPA) tool, created by Palo Alto Networks, evaluates a device’s configuration by measuring the adoption of capabilities, validating whether the policies adhere to best practices, and providing recommendations and instructions for how to remediate failed best practice checks. The tool performs more than 200 security checks on a firewall or Panorama configuration and provides a pass/fail score for each check.
The BPA tool is easy to use and provides an instant report.
Please note that best practices always depend on a customer’s environment. The results should always be interpreted by an experienced engineer. The tool is fast, easy to use and provides an excellent starting point for a more secure and above all consistent configuration.
Upload config files to the BPA tool at the Palo Alto Customer Success portal.
MineMeld is an open-source application that streamlines the aggregation, enforcement and sharing of threat intelligence. The tool consists of 3 components.
MineMeld is a great tool for SOC-based operations and can help with automating some daily (NOC) tasks.
Technically it is not really a tool, “load config partial” is a command that can be used via the CLI. It provides a quick and safe way for copying or merging different firewall configuration. The XML export of a Palo Alto Networks firewall or Panorama appliance can be edited using any text editor, but blindly copying and pasting xml parts can and will lead to mistakes. Using the CLI you can merge configurations with ease. Upload the xml configuration of any firewall: this includes other device models or a Panorama config. You can then choose to merge all the address objects, interfaces, global protect config, … into your current candidate config. After a review using the GUI you can commit your changes. The load config partial command provides validation of the configuration to make sure the xml remains valid. Another practical use case is moving objects between device groups or templates in a Panorama environment.
More information about the command and its parameters can be found here.