salt.modules.panos

Module to provide Palo Alto compatibility to Salt

codeauthor: Spencer Ervin <spencer_ervin@hotmail.com>

maturity: new

depends: none

platform: unix

New in version 2018.3.0.

Configuration

This module accepts connection configuration details either as parameters, or as configuration settings in pillar as a Salt proxy. Options passed into opts will be ignored if options are passed into pillar.

About

This execution module was designed to handle connections to a Palo Alto based firewall. This module adds support to send connections directly to the device through the XML API or through a brokered connection to Panorama.

salt.modules.panos.add_config_lock()

Prevent other users from changing configuration until the lock is released.

CLI Example:

salt '*' panos.add_config_lock
salt.modules.panos.check_antivirus()

Get anti-virus information from PaloAlto Networks server

CLI Example:

salt '*' panos.check_antivirus
salt.modules.panos.check_software()

Get software information from PaloAlto Networks server.

CLI Example:

salt '*' panos.check_software
salt.modules.panos.clear_commit_tasks()

Clear all commit tasks.

CLI Example:

salt '*' panos.clear_commit_tasks
salt.modules.panos.commit()

Commits the candidate configuration to the running configuration.

CLI Example:

salt '*' panos.commit
salt.modules.panos.deactivate_license(key_name=None)

Deactivates an installed license. Requires version 7.0.0 or greater.

key_name(str): The file name of the license key installed.

CLI Example:

salt '*' panos.deactivate_license key_name=License_File_Name.key
salt.modules.panos.delete_license(key_name=None)

Remove license keys on disk.

key_name(str): The file name of the license key to be deleted.

CLI Example:

salt '*' panos.delete_license key_name=License_File_Name.key
salt.modules.panos.download_antivirus()

Download the most recent anti-virus package.

CLI Example:

salt '*' panos.download_antivirus
salt.modules.panos.download_software_file(filename=None, synch=False)

Download software packages by filename.

Parameters:
  • filename (str) -- The filename of the PANOS file to download.

  • synch (bool) -- If true then the file will synch to the peer unit.

CLI Example:

salt '*' panos.download_software_file PanOS_5000-8.0.0
salt '*' panos.download_software_file PanOS_5000-8.0.0 True
salt.modules.panos.download_software_version(version=None, synch=False)

Download software packages by version number.

Parameters:
  • version (str) -- The version of the PANOS file to download.

  • synch (bool) -- If true then the file will synch to the peer unit.

CLI Example:

salt '*' panos.download_software_version 8.0.0
salt '*' panos.download_software_version 8.0.0 True
salt.modules.panos.fetch_license(auth_code=None)

Get new license(s) from the Palo Alto Network Server.

auth_code

The license authorization code.

CLI Example:

salt '*' panos.fetch_license
salt '*' panos.fetch_license auth_code=foobar
salt.modules.panos.get_address(address=None, vsys='1')

Get the candidate configuration for the specified address object. This will not return address objects that are marked as pre-defined objects.

address(str): The name of the address object.

vsys(str): The string representation of the VSYS ID.

CLI Example:

salt '*' panos.get_address myhost
salt '*' panos.get_address myhost 3
salt.modules.panos.get_address_group(addressgroup=None, vsys='1')

Get the candidate configuration for the specified address group. This will not return address groups that are marked as pre-defined objects.

addressgroup(str): The name of the address group.

vsys(str): The string representation of the VSYS ID.

CLI Example:

salt '*' panos.get_address_group foobar
salt '*' panos.get_address_group foobar 3
salt.modules.panos.get_admins_active()

Show active administrators.

CLI Example:

salt '*' panos.get_admins_active
salt.modules.panos.get_admins_all()

Show all administrators.

CLI Example:

salt '*' panos.get_admins_all
salt.modules.panos.get_antivirus_info()

Show information about available anti-virus packages.

CLI Example:

salt '*' panos.get_antivirus_info
salt.modules.panos.get_arp()

Show ARP information.

CLI Example:

salt '*' panos.get_arp
salt.modules.panos.get_cli_idle_timeout()

Show timeout information for this administrative session.

CLI Example:

salt '*' panos.get_cli_idle_timeout
salt.modules.panos.get_cli_permissions()

Show cli administrative permissions.

CLI Example:

salt '*' panos.get_cli_permissions
salt.modules.panos.get_disk_usage()

Report filesystem disk space usage.

CLI Example:

salt '*' panos.get_disk_usage
salt.modules.panos.get_dns_server_config()

Get the DNS server configuration from the candidate configuration.

CLI Example:

salt '*' panos.get_dns_server_config
salt.modules.panos.get_domain_config()

Get the domain name configuration from the candidate configuration.

CLI Example:

salt '*' panos.get_domain_config
salt.modules.panos.get_dos_blocks()

Show the DoS block-ip table.

CLI Example:

salt '*' panos.get_dos_blocks
salt.modules.panos.get_fqdn_cache()

Print FQDNs used in rules and their IPs.

CLI Example:

salt '*' panos.get_fqdn_cache
salt.modules.panos.get_ha_config()

Get the high availability configuration.

CLI Example:

salt '*' panos.get_ha_config

salt.modules.panos.get_ha_link()

Show high-availability link-monitoring state.

CLI Example:

salt '*' panos.get_ha_link
salt.modules.panos.get_ha_path()

Show high-availability path-monitoring state.

CLI Example:

salt '*' panos.get_ha_path
salt.modules.panos.get_ha_state()

Show high-availability state information.

CLI Example:

salt '*' panos.get_ha_state
salt.modules.panos.get_ha_transitions()

Show high-availability transition statistic information.

CLI Example:

salt '*' panos.get_ha_transitions
salt.modules.panos.get_hostname()

Get the hostname of the device.

CLI Example:

salt '*' panos.get_hostname
salt.modules.panos.get_interface_counters(name='all')

Get the counter statistics for interfaces.

Parameters:

name (str) -- The name of the interface to view. By default, all interface statistics are viewed.

CLI Example:

salt '*' panos.get_interface_counters
salt '*' panos.get_interface_counters ethernet1/1
salt.modules.panos.get_interfaces(name='all')

Show interface information.

Parameters:

name (str) -- The name of the interface to view. By default, all interface statistics are viewed.

CLI Example:

salt '*' panos.get_interfaces
salt '*' panos.get_interfaces ethernet1/1
salt.modules.panos.get_job(jid=None)

List a single job by ID.

jid

The ID of the job to retrieve.

CLI Example:

salt '*' panos.get_job jid=15
salt.modules.panos.get_jobs(state='all')

List all jobs on the device.

state

The state of the jobs to display. Valid options are all, pending, or processed. Pending jobs are jobs that are currently in a running or waiting state. Processed jobs are jobs that have completed execution.

CLI Example:

salt '*' panos.get_jobs
salt '*' panos.get_jobs state=pending
salt.modules.panos.get_lacp()

Show LACP state.

CLI Example:

salt '*' panos.get_lacp
salt.modules.panos.get_license_info()

Show information about owned license(s).

CLI Example:

salt '*' panos.get_license_info
salt.modules.panos.get_license_tokens()

Show license token files for manual license deactivation.

CLI Example:

salt '*' panos.get_license_tokens
salt.modules.panos.get_lldp_config()

Show lldp config for interfaces.

CLI Example:

salt '*' panos.get_lldp_config
salt.modules.panos.get_lldp_counters()

Show lldp counters for interfaces.

CLI Example:

salt '*' panos.get_lldp_counters
salt.modules.panos.get_lldp_local()

Show lldp local info for interfaces.

CLI Example:

salt '*' panos.get_lldp_local
salt.modules.panos.get_lldp_neighbors()

Show lldp neighbors info for interfaces.

CLI Example:

salt '*' panos.get_lldp_neighbors
salt.modules.panos.get_local_admins()

Show all local administrator accounts.

CLI Example:

salt '*' panos.get_local_admins
salt.modules.panos.get_logdb_quota()

Report the logdb quotas.

CLI Example:

salt '*' panos.get_logdb_quota
salt.modules.panos.get_master_key()

Get the master key properties.

CLI Example:

salt '*' panos.get_master_key
salt.modules.panos.get_ntp_config()

Get the NTP configuration from the candidate configuration.

CLI Example:

salt '*' panos.get_ntp_config
salt.modules.panos.get_ntp_servers()

Get list of configured NTP servers.

CLI Example:

salt '*' panos.get_ntp_servers
salt.modules.panos.get_operational_mode()

Show device operational mode setting.

CLI Example:

salt '*' panos.get_operational_mode
salt.modules.panos.get_panorama_status()

Show panorama connection status.

CLI Example:

salt '*' panos.get_panorama_status
salt.modules.panos.get_permitted_ips()

Get the IP addresses that are permitted to establish management connections to the device.

CLI Example:

salt '*' panos.get_permitted_ips
salt.modules.panos.get_platform()

Get the platform model information and limitations.

CLI Example:

salt '*' panos.get_platform
salt.modules.panos.get_predefined_application(application=None)

Get the configuration for the specified pre-defined application object. This will only return pre-defined application objects.

application(str): The name of the pre-defined application object.

CLI Example:

salt '*' panos.get_predefined_application saltstack
salt.modules.panos.get_security_rule(rulename=None, vsys='1')

Get the candidate configuration for the specified security rule.

rulename(str): The name of the security rule.

vsys(str): The string representation of the VSYS ID.

CLI Example:

salt '*' panos.get_security_rule rule01
salt '*' panos.get_security_rule rule01 3
salt.modules.panos.get_service(service=None, vsys='1')

Get the candidate configuration for the specified service object. This will not return services that are marked as pre-defined objects.

service(str): The name of the service object.

vsys(str): The string representation of the VSYS ID.

CLI Example:

salt '*' panos.get_service tcp-443
salt '*' panos.get_service tcp-443 3
salt.modules.panos.get_service_group(servicegroup=None, vsys='1')

Get the candidate configuration for the specified service group. This will not return service groups that are marked as pre-defined objects.

servicegroup(str): The name of the service group.

vsys(str): The string representation of the VSYS ID.

CLI Example:

salt '*' panos.get_service_group foobar
salt '*' panos.get_service_group foobar 3
salt.modules.panos.get_session_info()

Show device session statistics.

CLI Example:

salt '*' panos.get_session_info
salt.modules.panos.get_snmp_config()

Get the SNMP configuration from the device.

CLI Example:

salt '*' panos.get_snmp_config
salt.modules.panos.get_software_info()

Show information about available software packages.

CLI Example:

salt '*' panos.get_software_info
salt.modules.panos.get_system_date_time()

Get the system date/time.

CLI Example:

salt '*' panos.get_system_date_time
salt.modules.panos.get_system_files()

List important files in the system.

CLI Example:

salt '*' panos.get_system_files
salt.modules.panos.get_system_info()

Get the system information.

CLI Example:

salt '*' panos.get_system_info
salt.modules.panos.get_system_services()

Show system services.

CLI Example:

salt '*' panos.get_system_services
salt.modules.panos.get_system_state(mask=None)

Show the system state variables.

mask

Filters by a subtree or a wildcard.

CLI Example:

salt '*' panos.get_system_state
salt '*' panos.get_system_state mask=cfg.ha.config.enabled
salt '*' panos.get_system_state mask=cfg.ha.*
salt.modules.panos.get_uncommitted_changes()

Retrieve a list of all uncommitted changes on the device. Requires PANOS version 8.0.0 or greater.

CLI Example:

salt '*' panos.get_uncommitted_changes
salt.modules.panos.get_users_config()

Get the local administrative user account configuration.

CLI Example:

salt '*' panos.get_users_config
salt.modules.panos.get_vlans()

Show all VLAN information.

CLI Example:

salt '*' panos.get_vlans
salt.modules.panos.get_xpath(xpath='')

Retrieve a specified xpath from the candidate configuration.

xpath(str): The specified xpath in the candidate configuration.

CLI Example:

salt '*' panos.get_xpath /config/shared/service
salt.modules.panos.get_zone(zone='', vsys='1')

Get the candidate configuration for the specified zone.

zone(str): The name of the zone.

vsys(str): The string representation of the VSYS ID.

CLI Example:

salt '*' panos.get_zone trust
salt '*' panos.get_zone trust 2
salt.modules.panos.get_zones(vsys='1')

Get all the zones in the candidate configuration.

vsys(str): The string representation of the VSYS ID.

CLI Example:

salt '*' panos.get_zones
salt '*' panos.get_zones 2
salt.modules.panos.install_antivirus(version=None, latest=False, synch=False, skip_commit=False)

Install anti-virus packages.

Parameters:
  • version (str) -- The version of the PANOS file to install.

  • latest (bool) -- If true, the latest anti-virus file will be installed. The specified version option will be ignored.

  • synch (bool) -- If true, the anti-virus will synch to the peer unit.

  • skip_commit (bool) -- If true, the install will skip committing to the device.

CLI Example:

salt '*' panos.install_antivirus 8.0.0
salt.modules.panos.install_license()

Install the license key(s).

CLI Example:

salt '*' panos.install_license
salt.modules.panos.install_software(version=None)

Upgrade to a software package by version.

Parameters:

version (str) -- The version of the PANOS file to install.

CLI Example:

salt '*' panos.install_software 8.0.0
salt.modules.panos.reboot()

Reboot a running system.

CLI Example:

salt '*' panos.reboot
salt.modules.panos.refresh_fqdn_cache(force=False)

Force refreshes all FQDNs used in rules.

force

Forces all fqdn refresh

CLI Example:

salt '*' panos.refresh_fqdn_cache
salt '*' panos.refresh_fqdn_cache force=True
salt.modules.panos.remove_config_lock()

Release config lock previously held.

CLI Example:

salt '*' panos.remove_config_lock
salt.modules.panos.resolve_address(address=None, vsys=None)

Resolve address to IP address. Requires version 7.0.0 or greater.

address

Address name you want to resolve.

vsys

The vsys name.

CLI Example:

salt '*' panos.resolve_address foo.bar.com
salt '*' panos.resolve_address foo.bar.com vsys=2
salt.modules.panos.save_device_config(filename=None)

Save device configuration to a named file.

filename

The filename to save the configuration to.

CLI Example:

salt '*' panos.save_device_config foo.xml
salt.modules.panos.save_device_state()

Save files needed to restore device to local disk.

CLI Example:

salt '*' panos.save_device_state
salt.modules.panos.set_authentication_profile(profile=None, deploy=False)

Set the authentication profile of the Palo Alto proxy minion. A commit will be required before this is processed.

Parameters:
  • profile (str) -- The name of the authentication profile to set.

  • deploy (bool) -- If true then commit the full candidate configuration, if false only set pending change.

CLI Example:

salt '*' panos.set_authentication_profile foo
salt '*' panos.set_authentication_profile foo deploy=True
salt.modules.panos.set_hostname(hostname=None, deploy=False)

Set the hostname of the Palo Alto proxy minion. A commit will be required before this is processed.

Parameters:
  • hostname (str) -- The hostname to set

  • deploy (bool) -- If true then commit the full candidate configuration, if false only set pending change.

CLI Example:

salt '*' panos.set_hostname newhostname
salt '*' panos.set_hostname newhostname deploy=True
salt.modules.panos.set_management_http(enabled=True, deploy=False)

Enables or disables the HTTP management service on the device.

Parameters:
  • enabled (bool) -- If true the service will be enabled. If false the service will be disabled.

  • deploy (bool) -- If true then commit the full candidate configuration, if false only set pending change.

CLI Example:

salt '*' panos.set_management_http
salt '*' panos.set_management_http enabled=False deploy=True
salt.modules.panos.set_management_https(enabled=True, deploy=False)

Enables or disables the HTTPS management service on the device.

Parameters:
  • enabled (bool) -- If true the service will be enabled. If false the service will be disabled.

  • deploy (bool) -- If true then commit the full candidate configuration, if false only set pending change.

CLI Example:

salt '*' panos.set_management_https
salt '*' panos.set_management_https enabled=False deploy=True
salt.modules.panos.set_management_icmp(enabled=True, deploy=False)

Enables or disables the ICMP management service on the device.

Parameters:
  • enabled (bool) -- If true the service will be enabled. If false the service will be disabled.

  • deploy (bool) -- If true then commit the full candidate configuration, if false only set pending change.

CLI Example:

salt '*' panos.set_management_icmp
salt '*' panos.set_management_icmp enabled=False deploy=True
salt.modules.panos.set_management_ocsp(enabled=True, deploy=False)

Enables or disables the HTTP OCSP management service on the device.

Parameters:
  • enabled (bool) -- If true the service will be enabled. If false the service will be disabled.

  • deploy (bool) -- If true then commit the full candidate configuration, if false only set pending change.

CLI Example:

salt '*' panos.set_management_ocsp
salt '*' panos.set_management_ocsp enabled=False deploy=True
salt.modules.panos.set_management_snmp(enabled=True, deploy=False)

Enables or disables the SNMP management service on the device.

Parameters:
  • enabled (bool) -- If true the service will be enabled. If false the service will be disabled.

  • deploy (bool) -- If true then commit the full candidate configuration, if false only set pending change.

CLI Example:

salt '*' panos.set_management_snmp
salt '*' panos.set_management_snmp enabled=False deploy=True
salt.modules.panos.set_management_ssh(enabled=True, deploy=False)

Enables or disables the SSH management service on the device.

Parameters:
  • enabled (bool) -- If true the service will be enabled. If false the service will be disabled.

  • deploy (bool) -- If true then commit the full candidate configuration, if false only set pending change.

CLI Example:

salt '*' panos.set_management_ssh
salt '*' panos.set_management_ssh enabled=False deploy=True
salt.modules.panos.set_management_telnet(enabled=True, deploy=False)

Enables or disables the Telnet management service on the device.

Parameters:
  • enabled (bool) -- If true the service will be enabled. If false the service will be disabled.

  • deploy (bool) -- If true then commit the full candidate configuration, if false only set pending change.

CLI Example:

salt '*' panos.set_management_telnet
salt '*' panos.set_management_telnet enabled=False deploy=True
salt.modules.panos.set_ntp_authentication(target=None, authentication_type=None, key_id=None, authentication_key=None, algorithm=None, deploy=False)

Set the NTP authentication of the Palo Alto proxy minion. A commit will be required before this is processed.

Parameters:
  • target (str) -- Determines the target of the authentication. Valid options are primary, secondary, or both.

  • authentication_type (str) -- The authentication type to be used. Valid options are symmetric, autokey, and none.

  • key_id (int) -- The NTP authentication key ID.

  • authentication_key (str) -- The authentication key.

  • algorithm (str) -- The algorithm type to be used for a symmetric key. Valid options are md5 and sha1.

  • deploy (bool) -- If true then commit the full candidate configuration, if false only set pending change.

CLI Example:

salt '*' panos.set_ntp_authentication target=both authentication_type=autokey
salt '*' panos.set_ntp_authentication target=primary authentication_type=none
salt '*' panos.set_ntp_authentication target=both authentication_type=symmetric key_id=15 authentication_key=mykey algorithm=md5
salt '*' panos.set_ntp_authentication target=both authentication_type=symmetric key_id=15 authentication_key=mykey algorithm=md5 deploy=True
salt.modules.panos.set_ntp_servers(primary_server=None, secondary_server=None, deploy=False)

Set the NTP servers of the Palo Alto proxy minion. A commit will be required before this is processed.

Parameters:
  • primary_server (str) -- The primary NTP server IP address or FQDN.

  • secondary_server (str) -- The secondary NTP server IP address or FQDN.

  • deploy (bool) -- If true then commit the full candidate configuration, if false only set pending change.

CLI Example:

salt '*' panos.set_ntp_servers 0.pool.ntp.org 1.pool.ntp.org
salt '*' panos.set_ntp_servers primary_server=0.pool.ntp.org secondary_server=1.pool.ntp.org
salt '*' panos.set_ntp_servers 0.pool.ntp.org 1.pool.ntp.org deploy=True
salt.modules.panos.set_permitted_ip(address=None, deploy=False)

Add an IPv4 address or network to the permitted IP list.

Parameters:
  • address (str) -- The IPv4 address or network to add to the permitted IP list of the Palo Alto device.

  • deploy (bool) -- If true then commit the full candidate configuration, if false only set pending change.

CLI Example:

salt '*' panos.set_permitted_ip 10.0.0.1
salt '*' panos.set_permitted_ip 10.0.0.0/24
salt '*' panos.set_permitted_ip 10.0.0.1 deploy=True
salt.modules.panos.set_timezone(tz=None, deploy=False)

Set the timezone of the Palo Alto proxy minion. A commit will be required before this is processed.

Parameters:
  • tz (str) -- The name of the timezone to set.

  • deploy (bool) -- If true then commit the full candidate configuration, if false only set pending change.

CLI Example:

salt '*' panos.set_timezone UTC
salt '*' panos.set_timezone UTC deploy=True
salt.modules.panos.shutdown()

Shutdown a running system.

CLI Example:

salt '*' panos.shutdown
salt.modules.panos.test_fib_route(ip=None, vr='vr1')

Perform a route lookup within active route table (fib).

ip (str): The destination IP address to test.

vr (str): The name of the virtual router to test.

CLI Example:

salt '*' panos.test_fib_route 4.2.2.2
salt '*' panos.test_fib_route 4.2.2.2 my-vr
salt.modules.panos.test_security_policy(sourcezone=None, destinationzone=None, source=None, destination=None, protocol=None, port=None, application=None, category=None, vsys='1', allrules=False)

Checks which security policy a connection will match on the device.

sourcezone (str): The source zone matched against the connection.

destinationzone (str): The destination zone matched against the connection.

source (str): The source address. This must be a single IP address.

destination (str): The destination address. This must be a single IP address.

protocol (int): The protocol number for the connection. This is the numerical representation of the protocol.

port (int): The port number for the connection.

application (str): The application that should be matched.

category (str): The category that should be matched.

vsys (int): The numerical representation of the VSYS ID.

allrules (bool): Show all potential match rules until first allow rule.

CLI Example:

salt '*' panos.test_security_policy sourcezone=trust destinationzone=untrust protocol=6 port=22
salt '*' panos.test_security_policy sourcezone=trust destinationzone=untrust protocol=6 port=22 vsys=2
salt.modules.panos.unlock_admin(username=None)

Unlocks a locked administrator account.

username

Username of the administrator.

CLI Example:

salt '*' panos.unlock_admin username=bob
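
Staged-change workflow (added example, not part of the Salt documentation): the deploy flag on the set_* functions combines with add_config_lock, get_uncommitted_changes, commit and remove_config_lock so that several management-plane changes are staged under one lock and committed once. SALT_BIN, run_panos and harden_management are hypothetical names, and the script assumes the exit status of the salt command reflects a failed step.

```bash
#!/usr/bin/env bash
# Added example: stage management-service changes under a config lock,
# review them, commit once, and always release the lock.
# SALT_BIN is an assumption of this example; set SALT_BIN=echo for a dry run.

SALT_BIN="${SALT_BIN:-salt}"

run_panos() {
    # $1 = target minion; remaining arguments = panos function and its arguments
    local target
    target="$1"
    shift
    "$SALT_BIN" "$target" "$@"
}

harden_management() {
    local target
    local rc
    target="$1"
    rc=0

    # Without the lock another administrator could change the candidate
    # configuration between staging and commit; stop if it cannot be taken.
    run_panos "$target" panos.add_config_lock || return 1

    # deploy=False only sets a pending change, so nothing is committed piecemeal.
    # get_uncommitted_changes requires PANOS 8.0.0 or greater (per the page).
    run_panos "$target" panos.set_management_telnet enabled=False deploy=False &&
    run_panos "$target" panos.set_management_http enabled=False deploy=False &&
    run_panos "$target" panos.set_management_https enabled=True deploy=False &&
    run_panos "$target" panos.set_management_ssh enabled=True deploy=False &&
    run_panos "$target" panos.get_uncommitted_changes &&
    run_panos "$target" panos.commit || rc=1

    # Release the lock even when a step failed, so the device is not left locked.
    run_panos "$target" panos.remove_config_lock || rc=1
    return "$rc"
}

# Usage (after sourcing this file): harden_management 'fw01'
```

When a staging step fails the commit is skipped, so the pending changes stay in the candidate configuration until they are reviewed.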