Export policies from Palo Alto firewall

One or two years ago I had to migrate and document the policies of an firewall appliance from Palo Alto Networks, but there was no way to export the information in a human-readable format. So wrote a small Python script to export the policies as HTML file.

To run the script the following requirements have to be met.

The script has been tested with PAN-OS 6.1.x. It uses a file called running-config.xml as input and creates a file called output.html to export the policies as HTML.

#!/usr/bin/env python
import sys

from lxml import etree

def write_td(fp, elements):
    fp.write("<td>")
    if not isinstance(elements, list):
        elements = [elements]
    fp.write("<ul>")
    for elem in elements:
        fp.write("<li>%s</li>" % elem)
    fp.write("</ul>")
    fp.write("</td>")

filename_input = "running-config.xml"
filename_output = "output.html"

if len(sys.argv) > 1:
    filename_input = sys.argv[1]
if len(sys.argv) > 2:
    filename_output = sys.argv[1]

root = etree.parse(filename_input)

fp = open(filename_output, "w")

fp.write("<html><head></head><body>\n")
fp.write("<table border=1>\n")

value_names = ["from", "to", "source", "destination", "source-user", "category", "application", "service", "hip-profiles", "tag"]
fp.write("<thead><tr>")
fp.write("<th>Name</th>")
for n in value_names:
    fp.write("<th>%s</th>" % n)
fp.write("</tr></thead>")

fp.write("<tbody>")
for elem in root.xpath("//rulebase/security/rules/entry"):
    fp.write("<tr>")
    write_td(fp, elem.get("name"))
    for n in value_names:
        write_td(fp, [tmp.strip() for tmp in elem.xpath("%s/member/text()" % n)])
    fp.write("</tr>\n")

fp.write("</tbody>")
fp.write("</table>\n")
fp.write("</body></html>")

You can download the file as tohtml.py.

Related articles