Sunday, November 8, 2020

Palo Alto firewall - How to import Address Objects in CSV to Firewall or Panorama


You have been asked by the InfoSec team to block 300 malicious IP addresses. How do you do this?

It takes all day to manually enter IP addresses into objects and put them into a group in Panorama or firewall. Fortunately, when I faced this problem, I was able to find an excellent tool to automate this task.

This tool, created by Irek Romaniuk, makes it easy to push a CSV file with IP address objects into Panorama. I'm a Mac user, so I had to run it in a Windows VM, but it saved me a lot of time so I didn't complain.

The following step-by-step guide explains how to push multiple IP addresses to Panorama. It also works with a firewall.

* If you want to see a step-by-step tutorial, please check out this YouTube video.
https://youtu.be/WzFQpk1EuSQ


Step 1. Download pan-cli.exe from the following GitHub repository.

https://github.com/IrekRomaniuk/pan-cli

If the above URL is not available, you may download the file at this link:

https://github.com/analysisman/pan-cli


Step 2. Create or modify the CSV file.

Create a CSV file with the following format or modify the file you received from the InfoSec team.

Here is a sample CSV file you can download and modify: address-sample.csv


Step 3. Run the command as shown below.

C:\NETools\PAN-Automation>pan-cli.exe

Copyright 2017 @IrekRomaniuk. Package using github.com/scottdware/go-panos by Scott Ware to interact with Palo Alto and Panorama devices using the XML API.


* Usage:
  pan-cli [command]

Available Commands:
  create      Create objects on the device
  load        Loads address object from csv file
  tag         Tag firewall object
  version     Print the version number of pan-cli

Flags:
      --config string        Yaml config file
  -d, --device string        Device to connect
  -g, --devicegroup string   Panorama devicegroup
  -u, --login string         Login name (default "admin")
  -p, --password string      Password
  -s, --shared               True for shared objects

Use "pan-cli [command] --help" for more information about a command.




▶ Usage with Device Group


pan-cli.exe load -f "sample.csv" -u admin -p "password" -d "10.10.10.1" -g device-group-name


▶ Usage with Shared Object


pan-cli.exe load -f "blocklist.csv" -u admin -p "password" -d "10.10.10.1" -s



* Example of Success:

C:\NETools\PAN-Automation>pan-cli.exe load -f "ipblock_list_11112020.csv" -u admin -p "adminpassword" -d "10.10.10.100" -s

C:\NETools\PAN-Automation>



* Example of Failure:

If there is a trailing space after the IP address, you may get the following error.

C:\NETools\PAN-Automation>pan-cli.exe load -f "ipblock_list_11112020.csv" -u admin -p "adminpassword" -d "10.10.10.100" -s

2020/11/11 13:15:43 error code 12: Invalid object - Xpath or element values provided are not complete


Step 4. Verify the objects and group on Panorama or Firewall.


※ Excel Tip

If you want to add a specific prefix such as ransomware, cnc, etc. before the IP address in column A, you can use this function: =CONCATENATE("cnc_",C1)

This function prepends 'cnc_' to the value in cell C1. Then drag the formula from A1 down to the bottom of the list.
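
The cleanup can also be scripted before running Step 3. The following is an added example, not part of pan-cli or the original post: it strips the stray spaces that cause the failure shown above, rejects invalid and duplicate addresses, and builds the prefixed name as the Excel tip does. The column layout (name in A, address in C), the "ip" type value and the sample rows are assumptions.

```python
import csv
import io
import ipaddress

NAME_COL, ADDR_COL = 0, 2  # assumed layout: name in column A, address in column C

# Constructed sample input (documentation address ranges; "ip" type value is assumed)
SAMPLE = (
    "obj1,ip,203.0.113.7 \n"     # trailing space, the failure case shown above
    "obj2,ip,198.51.100.23\n"
    "obj3,ip,203.0.113.7\n"      # duplicate of line 1
    "obj4,ip,198.51.100.300\n"   # not a valid address
)

def clean_csv(text, prefix=None):
    """Return (cleaned_rows, problems) for CSV text meant for 'pan-cli load'."""
    cleaned, problems, seen = [], [], set()
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        row = [field.strip() for field in row]  # remove stray spaces around values
        if not any(row):
            continue  # skip blank lines
        if len(row) <= ADDR_COL:
            problems.append((lineno, "too few columns"))
            continue
        try:
            # accepts a host address or address/prefix-length
            addr = ipaddress.ip_interface(row[ADDR_COL])
        except ValueError:
            problems.append((lineno, f"not an IP address: {row[ADDR_COL]!r}"))
            continue
        if addr in seen:
            problems.append((lineno, f"duplicate entry: {row[ADDR_COL]}"))
            continue
        seen.add(addr)
        if prefix:
            row[NAME_COL] = prefix + row[ADDR_COL]  # like =CONCATENATE("cnc_",C1)
        cleaned.append(row)
    return cleaned, problems

def to_csv(rows):
    """Serialise cleaned rows back to CSV text with Windows line endings."""
    out = io.StringIO()
    csv.writer(out, lineterminator="\r\n").writerows(rows)
    return out.getvalue()

if __name__ == "__main__":
    rows, problems = clean_csv(SAMPLE, prefix="cnc_")
    print(to_csv(rows), end="")
    for lineno, reason in problems:
        print(f"line {lineno}: {reason}")
```

Review the reported problem lines with the InfoSec team before loading, since a rejected row means an address from the block list will not be created.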



* Reference URL:
- Package using go-panos using the XML API


4 comments:

  1. Download file Pan-cli.exe is not available?

  2. The URL is showing a 404 error and there is no download of the pan-cli.exe

  3. Script working fine but description field not working after creating the object. If you will check for description it's empty, can you wi that one also
