NAME

Device::PaloAlto::Firewall - Interact with the Palo Alto firewall API

VERSION

version 0.08

SYNOPSIS

Device::PaloAlto::Firewall provides interfaces to retrieve information from a Palo Alto firewall.

my $firewall = Device::PaloAlto::Firewall->new(uri => 'http://localhost.localdomain', username => 'admin', password => 'complex_password')

my $environ = $firewall->environmentals();
my $interfaces = $firewall->interfaces();

A key point is that that methods only retrieve information. There are no methods within this module to modify or commit configuration.

The methods return either an ARRAYREF or HASHREF, and the data structure returned is largely unchanged from what the firewall returns. Some general cleaning may be have done, and some changes occur when the XML from the firewall is parsed and turned into a Perl structure.

For brevity, examples of the return values aren't documented within this document but in a separate Device::PaloAlto:Firewall::Return page.

CONSTRUCTOR

The new() constructor takes the following arguments:

  • uri - A HTTP or HTTPS URI to the firewall.

  • username - a username to authenticate to the device.

  • password - a password for the username.

METHODS

META

These methods affect the way requests are made to the firewalls.

authenticate

Manually authenticates to the firewall.

verify_hostname

Enables/disables the verification of the peer certificate and hostname if 'https' is used for API calls. By default TLS peer verification is enabled.

$fw->verify_hostname(1); Enable TLS peer verification
$fw->verify_hostname(0); Disable TLS verification

optimise

Enables/disables the local caching of requests and responses to the firewall. This is disabled by default.

$fw->optimise(1);                           # Enable optimisation
my $system_info = $fw->system_info();       # API call to retrieve interface information
$system_info = $fw->system_info();          # Information retrieved from local cache

The first call to system_info() will make an API call to the firewall and cache the result. The second request will retrieve the response from the local cache without making an API call. Under the covers it uses Memoize to cache the API request call. This means that each function & arguments receive their own cache. For example:

$fw->optimise(1); 
my $default_vr bgp_peers = $fw->bgp_peers(vrouter => 'default');
my $other_vr_bgp_peers = $fw->bgp_peers(vrouter => 'other');

Both of these methods would make an API call to the firewall as the arguments differ.

tester

Retrieves a Device::PaloAlto::Firewall::Test object for this firewall.

use Test::More;
my $test = Device::PaloAlto::Firewall->new(uri => 'http://remote_pa.domain', username => 'test', password => 'test')->tester();

ok( $test->interfaces_up(interfaces => ['ethernet1/1']) );

For more information, see the Device::PaloAlto::Firewall::Test documentation.

PLATFORM

These methods retrieve information on the firewall platform.

system_info

Returns system information from the firewall.

my $system_info = $fw->system_info();
say "Current Time on Firewall: $system_info->{time}";

environmentals

Returns information on the system environmentals. This includes the fantray and fans, power supplies and power, temperature. Note: virtual machines don't have any environmental information and won't return any information.

high_availability

Retrieves information on the high availability status of the firewall.

NETWORK

These methods retrieve network information from the firewall.

interfaces

Retrieves interface information.

interface_counters_logical

Retrieves information on the logical interface counters.

routing_table

Retrives information on the routing table for a particular virtual router. If no vrouter argument is specified it retrieves the 'default' vrouter's routing table.

my $default_vr_table = $fw->routing_table();
my $corp_vr_table = $fw->routing_table(vrouter => 'corp');

bgp_peers

Retrieves information on the configured BGP peers for a particular virtual router. If no vrouter argument is specified it retrieves the 'default' vrouter's BGP peers.

my $default_vr_bgp_peers = $fw->bgp_peers();
my $corp_vr_bgp_peers = $fw->bgp_peers(vrouter => 'corp');

bgp_rib

Retrieves information the local routing information base (RIB) for a specific virtual router. If no vrouter argument is specified, the 'default' vrouter's loc RIB is returned.

my $default_vr_rib = $fw->bgp_rib();
my $corp_vr_rib = $fw->bgp_rib(vrouter => 'corp');

If BGP is not configured, or there are no prefixes in the local RIB, an empty ARRAYREF is returned. Otherwise an ARRAYREF is returned containing the prefixes in the local RIB.

ospf_neighbours

Returns and ARRAYREF containing information on the current OSPF neighbours for a specific virtual router. If no vrouter argument is specified, the 'default' vrouter's neighbours are returned.

If OSPF is not configured, or there are no OSPF neighbours up, an empty ARRAYREF

Neighbours are returned who have not completed a full OSPF handshake - for example they may be in EXSTART if there is an MTU mismatch on the interface.

pim_neighbours

Retrieves information on the PIM neighbours for a specific virtual router. If no vrouter argument is specified, the neighbours for the 'default' vrouter are returned.

my $pim_neighbours = $fw->pim_neighbours(vrouter => 'corp');

If PIM is not configured, or there are currently no neighbours, an empty ARRAYREF is returned.

bfd_peers

Returns information on BFD peers.

MANAGEMENT

These methods retrieve information on the management / operational status of the firewall.

ntp

Retrieves information on the current synchronisation and reachability of configured NTP peers.

panorama_status

Returns information on the current Panorama runtime status.

SECURITY

These methods retrieve information on the security functions of the firewall.

ip_user_mapping

Returns the ip to user mapping table.

userid_server_monitor

Returns the state of the servers used to monitor User-ID IP-to-user mappings.

ike_peers

Returns information on active IKE (Phase 1) VPN peers.

ipsec_peers

Returns information on the active IPSEC (Phase 2) VPN peers.

vpn_tunnels

Returns dataplane IPSEC VPN tunnel information.

AUTHOR

Greg Foletta, <greg at foletta.org>

BUGS

Please report any bugs or feature requests to bug-device-paloalto-firewall at rt.cpan.org, or through the web interface at http://rt.cpan.org/NoAuth/ReportBug.html?Queue=Device-PaloAlto-Firewall. I will be notified, and then you'll automatically be notified of progress on your bug as I make changes.

SUPPORT

You can find documentation for this module with the perldoc command.

perldoc Device::PaloAlto::Firewall

You can also look for information at:

ACKNOWLEDGEMENTS

LICENSE AND COPYRIGHT

Copyright 2017 Greg Foletta.

This program is free software; you can redistribute it and/or modify it under the terms of the the Artistic License (2.0). You may obtain a copy of the full license at:

http://www.perlfoundation.org/artistic_license_2_0

Any use, modification, and distribution of the Standard or Modified Versions is governed by this Artistic License. By using, modifying or distributing the Package, you accept this license. Do not use, modify, or distribute the Package, if you do not accept this license.

If your Modified Version has been derived from a Modified Version made by someone other than you, you are nevertheless required to ensure that your Modified Version complies with the requirements of this license.

This license does not grant you the right to use any trademark, service mark, tradename, or logo of the Copyright Holder.

This license includes the non-exclusive, worldwide, free-of-charge patent license to make, have made, use, offer to sell, sell, import and otherwise transfer the Package with respect to any patent claims licensable by the Copyright Holder that are necessarily infringed by the Package. If you institute patent litigation (including a cross-claim or counterclaim) against any party alleging that the Package constitutes direct or contributory patent infringement, then this Artistic License to you shall terminate on the date that such litigation is filed.

Disclaimer of Warranty: THE PACKAGE IS PROVIDED BY THE COPYRIGHT HOLDER AND CONTRIBUTORS "AS IS' AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES. THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT ARE DISCLAIMED TO THE EXTENT PERMITTED BY YOUR LOCAL LAW. UNLESS REQUIRED BY LAW, NO COPYRIGHT HOLDER OR CONTRIBUTOR WILL BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, OR CONSEQUENTIAL DAMAGES ARISING IN ANY WAY OUT OF THE USE OF THE PACKAGE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.