NAME

Device::PaloAlto::Firewall::Test- Run a suite of tests against Palo Alto firewalls.

VERSION

version 0.08

SYNOPSIS

This module contains a set of methods that run tests against an Palo Alto firewall. The functions take arguments and return 1 or 0 depending on the current runtime state of the firewall.

These methods should be used in conjunction with the ok() function provided by Test::More. Multiple '.t' files can be created with tests for each firewall and run using the prove test harness.

use Device::PaloAlto::Firewall;
use Test::More qw{ no_plan };

my $tester = Device::PaloAlto::Firewall->new(uri => 'https://test_firewall.int', username => 'ro_account', password => 'complex_password)->tester();

ok( $tester->environmentals(), "No alarms on the firewall" ); 
ok( $tester->interfaces_up(interfaces => ['ethernet1/1']), "WAN interface is up"); 

SUBROUTINES

System Tests

These methods test system related aspects of the firewalls.

version

Takes a version (as a string) and returns 1 if the firewall is running that version of PAN-OS. Returns 0 if it is running a different version.

ok( $fw_test->version(version => '7.1.2'), "Firewall running PAN-OS 7.1.2");

Hotfixes (version suffixed with '-h1', '-h2', etc) are considered equivalent to their base versions.

environmentals

Returns 1 if there are no environmental alarms. These are platform dependent, but generally consist of fantray and fans, power supplies and power, and temperature. If there are any alarms, returns 0.

VMs don't have any environmental information. In this instance the test will succeed, but a warning is generated.

ok( $test->environmentals(), "No environmental alarms" );

Network Tests

These methods test network related functions of the firewalls.

interfaces_up

interfaces_up takes an ARRAYREF of interfaces are returns 1 if all of the interfaces are up. Returns 0 if any of the interfaces are down.

Interfaces are matched in case insensitive manner.

ok( 
    $fw_test->interfaces_up(
        interfaces => ['ethernet1/1', 'ethernet1/2']), "Interfaces are up"
    )
);

interfaces_duplex

interfaces_duplex takes an ARRAYREF of interfaces and returns 1 if all the interfaces are in a full duplex state. Returns 0 if any of the interfaces are not in a full dupex state. Returns 0 and warns if it detects a virtual machine as it cannot report on the duplex state.

The names of the interfaces are matched in a case-insensitive manner.

ok( 
    $fw_test->interfaces_duplex(
        interfaces => ['ethernet1/1', 'ethernet./(2|3)']
    ), "Interfaces are running full duplex"
 );

interface_errors_logical

Takes a percent argument between (0, 100] and returns 0 if, for any interface:

  • The number of input errors divided by the number of input packets is greater than or equal to percent, OR

  • The number of output errors divided by the number of output packets is greater than or equal to percent.

Otherwise it returns 1. If no percent argument is supplied, it defaults to 1%.

ok( 
    $fw_test->interface_errors_logical(percent => 2), "No interfaces with more than 2% errors"
 );

routes_exist

Takes an ARRAYREF of routes and searches for these routes in the virtual router specified by vrouter. If all of the exact routes are present in the routing table it returns 1. If any exact routes are not present, it returns 0.

routes is mandatory. vrouter is optional, and is set to 'default' if not specified. An empty ARRAYREF will emit a warning but will still return 1.

ok( 
    $fw_test->routes_exist(
        vrouter => 'virt_router_a',
        routes => ['192.0.2.0/30', '192.0.2.128/25']
    ), "All expected routes are present in 'virt_router_a'"
);

bgp_peers_up

Returns 1 if all of the BGP peers specified in the peer_ips are established. Returns 0 if any of the peers are not in the established state.

vrouter specifies the virtual router that the BGP peers are configured under. If not supplied, the vrouter 'default' will be used.

ok( 
    $fw_test->bgp_peers_ip(
        vrouter => 'virt_router_a',
        peer_ips => ['192.0.2.1', '192.0.2.20']
    ), "BGP peerings for 'virt_router-a' are up"
);

bgp_prefixes_in_rib

Returns 1 if all of the prefixes specified in the prefixes are present in the local routing information base (RIB) for a specific vrouter. Returns 0 if any of the prefixes are not present.

If vrouter is not specified, the vrouter 'default' will be used.

Note that this only determines whether a prefix is present within the RIB. It doesn't take into account how many times the prefix is present or what peer it received it from. The prefix could also have been locally originated and this would still return 1.

ok( 
    $fw_test->bgp_prefixes_in_rib(
        vrouter => 'virt_router_a',
        prefixes => ['192.168.0.0/24', '0.0.0.0/0']
    ), "Default and local private range prefixes in RIB"
);

ospf_neighbours_up

Returns 1 if all of the OSPF neighbours specified in the neighbours argument are up for a specific vrouter. Neighbours are specified by their IP address, NOT by their router ID. Returns 0 if any of the neighbours are not in a 'full' state (i.e. in init/2-way/extart/exchange state), or the neighbour was not returned at all and is therefore down.

If a vrouter is not specified, the vrouter 'default' will be used.

ok(
    $fw_test->ospf_neighbours_up(
        vrouter => 'virt_router_a',
        neighbours => ['192.168.1.1', '172.16.2.1']
    ), "Expected OSPF neighbours are up"
);

pim_neighbours_up

Returns 1 if all of the PIM neighbours specified in the neighbours argument are up for a specific vrouter. Neighbours are specified by their IP address. are up within a specific vrouter. Returns 0 if any of the neighbours are not up.

If vrouter is not specified, the vrouter 'default' will be used.

ok(
    $fw_test->pim_neighbours_up(
        vrouter => 'virt_router_a',
        neighbours => ['192.168.1.1', '172.16.2.1']
    ), "Expected PIM adjacencies are up"
);

bfd_peers_up

Takes an ARRAYREF of interface names and returns 1 if:

  • All of the interfaces have BFD sessions associated with them, and

  • All of the BFD sessions are up.

Otherwise it returns 0. If no interfaces are specified (and empty ARRAYREF), all BFD sessions are checked.

ok(
    $fw_test->bfd_peers_up(
        interfaces => ['ethernet1/1', 'ethernet1/2']
    ), "All BFD sessions are up"
);

ntp_synchronised

Returns 0 if the firewall is not synchronised with an NTP peer. Returns 1 if the firewall is synchronised with at least one NTP peer.

ok( $fw_test->ntp_synchronised(), "Firewall is synchronised with at least one NTP server" );

ntp_reachable

Returns 1 if all of the configured NTP servers are reachable. Returns 0 if any of the configured NTP servers are not reachable.

ok ( $fw_test->ntp_reachable(), "Firewall can reach all of its NTP servers" );

panorama_connected

Returns 1 if the firewall is connectedt to all of the configured Panorama management servers, otherwise it returns 0. Also returns 0 if no Panorama servers are configured.

ok( $fw_test->panorama_connected(), "Firewall is connected to Panorama" );

High Availability Tests

These methods test aspects of the high availability function of the firewalls.

ha_enabled

Returns 1 if HA is enabled on the devices. Returns if HA is not enabled.

ok( $test->ha_enabled(), "HA is enabled on the firewall" );

ha_state

Returns 1 if the firewall is in the same state as the state parameter passed to the function. Returns 0 if it is not, or if HA is not enabled on the device.

ok( $test->ha_state(state => 'active'), "Firewall is in the active HA state" );
ok( $test->ha_state(state => 'passive'), "Firewall is in the passive HA state" );

The SCALAR string passed must be either 'active' or 'passive', however it is case insensitive.

ha_version

Returns 1 if the app, threat, antivirus, PAN-OS and GlobalProtect versions match between the HA peers. Returns 0 if any one of these do not match, or HA is not enabled on the device.

ok( $test->ha_version(), "HA peers have matching versions" );

ha_peer_up

Returns 1 if the peer firewall is considerd 'up', and that the HA1, heartbeat backup and HA2 connections are 'up'. Returns 0 if any one of these conditions is not 'up'.

ok( $test->ha_peer_up(), "HA peer is up" );

ha_config_sync

Returns 1 if the configuration has been successfully synchronised between the devices. Returns 0 if the configuration has not been synchronised, if config synchronisation is not enabled, or if HA is not enabled.

ok( $test->ha_config_sync(), "Config is sync'ed between HA peers" );

Firewall Tests

ip_user_mapping

Takes a domain and an ARRAYREF of users as arguments. Returns 1 if there is a valid IP mapping for all of the users within the specified domain.

If no domain is specified then the users are matched for any domain. If no domain or users are specified then it returns 1 if there is any user to IP mapping, and 0 if there are none.

ok(
    $fw_test->ip_user_mapping(
        domain => 'internal.local',
        users => ['user_a', 'user_b']
    ), "Valid User/IP mappings for user_a & user_b"
);

userid_server_monitor

Takes an ARRAYREF of servers returns 1 if all of the servers are connnected. Returns 0 if any of the servers are not connected. Each server must be specified as their fully qualified domain name, e.g. 'ad01.domain.int'.

If no servers argument is given, returns 1 if all of the servers configured are connected, and returns 0 of any of the servers are not connected.

ok(
    $fw_test->userid_server_monitor(
        servers => ['ad01.int', 'ad02.int']
    ), "AD servers reachable for UserID"
);

vpn_tunnels_up

Takes an ARRAYREF of peer_ips and returns 1 if all of the VPN tunnels are up. A VPN tunnel is considered up if its phase 1 (IKE) security association up, and all of its phase 2 (IPSEC) security associations are up.

If any of the VPN tunnels are not up - including not being configured at all, then it it returns 0.

ok(
    $fw_test->vpn_tunnels_up(
        peer_ips => ['192.168.1.1', '172.16.2.1']
    ), "3rd party VPN tunnels are up"
);

AUTHOR

Greg Foletta, <greg at foletta.org>

BUGS

Please report any bugs or feature requests to bug-device-firewall-paloaltoat rt.cpan.org, or through the web interface at http://rt.cpan.org/NoAuth/ReportBug.html?Queue=Device-PaloAlto-Firewall. I will be notified, and then you'll automatically be notified of progress on your bug as I make changes.

SUPPORT

You can find documentation for this module with the perldoc command.

perldoc Device::PaloAlto::Firewall::Test

You can also look for information at:

ACKNOWLEDGEMENTS

LICENSE AND COPYRIGHT

Copyright 2016 Greg Foletta.

This program is free software; you can redistribute it and/or modify it under the terms of the the Artistic License (2.0). You may obtain a copy of the full license at:

http://www.perlfoundation.org/artistic_license_2_0

Any use, modification, and distribution of the Standard or Modified Versions is governed by this Artistic License. By using, modifying or distributing the Package, you accept this license. Do not use, modify, or distribute the Package, if you do not accept this license.

If your Modified Version has been derived from a Modified Version made by someone other than you, you are nevertheless required to ensure that your Modified Version complies with the requirements of this license.

This license does not grant you the right to use any trademark, service mark, tradename, or logo of the Copyright Holder.

This license includes the non-exclusive, worldwide, free-of-charge patent license to make, have made, use, offer to sell, sell, import and otherwise transfer the Package with respect to any patent claims licensable by the Copyright Holder that are necessarily infringed by the Package. If you institute patent litigation (including a cross-claim or counterclaim) against any party alleging that the Package constitutes direct or contributory patent infringement, then this Artistic License to you shall terminate on the date that such litigation is filed.

Disclaimer of Warranty: THE PACKAGE IS PROVIDED BY THE COPYRIGHT HOLDER AND CONTRIBUTORS "AS IS' AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES. THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT ARE DISCLAIMED TO THE EXTENT PERMITTED BY YOUR LOCAL LAW. UNLESS REQUIRED BY LAW, NO COPYRIGHT HOLDER OR CONTRIBUTOR WILL BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, OR CONSEQUENTIAL DAMAGES ARISING IN ANY WAY OUT OF THE USE OF THE PACKAGE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.