One or two years ago I had to migrate and document the policies of a firewall appliance from Palo Alto Networks, but there was no way to export the information in a human-readable format. So I wrote a small Python script to export the policies as an HTML file.
To run the script the following requirements have to be met.
The script has been tested with PAN-OS 6.1.x. It uses a file called running-config.xml as input and creates a file called output.html to export the policies as HTML.

#!/usr/bin/env python
import sys
from xml.sax.saxutils import escape

from lxml import etree


def write_td(fp, elements):
    # Write one table cell; every value becomes an item of a bullet list.
    fp.write("<td>")
    if not isinstance(elements, list):
        elements = [elements]
    fp.write("<ul>")
    for elem in elements:
        # Escape &, < and > so that configuration values cannot break
        # or inject markup into the generated report.
        fp.write("<li>%s</li>" % escape("%s" % elem))
    fp.write("</ul>")
    fp.write("</td>")


filename_input = "running-config.xml"
filename_output = "output.html"
# Optional arguments: first the input file, then the output file.
if len(sys.argv) > 1:
    filename_input = sys.argv[1]
if len(sys.argv) > 2:
    filename_output = sys.argv[2]

root = etree.parse(filename_input)

# Rule fields that are stored as <member> lists inside each rule entry.
value_names = ["from", "to", "source", "destination", "source-user",
               "category", "application", "service", "hip-profiles", "tag"]

# The with statement closes the output file even if an error occurs.
with open(filename_output, "w") as fp:
    fp.write("<html><head></head><body>\n")
    fp.write("<table border=1>\n")

    # Table header: rule name followed by one column per field.
    fp.write("<thead><tr>")
    fp.write("<th>Name</th>")
    for n in value_names:
        fp.write("<th>%s</th>" % n)
    fp.write("</tr></thead>")

    # One table row per security rule, in configuration order.
    fp.write("<tbody>")
    for elem in root.xpath("//rulebase/security/rules/entry"):
        fp.write("<tr>")
        write_td(fp, elem.get("name"))
        for n in value_names:
            write_td(fp, [tmp.strip() for tmp in elem.xpath("%s/member/text()" % n)])
        fp.write("</tr>\n")
    fp.write("</tbody>")

    fp.write("</table>\n")
    fp.write("</body></html>")

You can download the file as tohtml.py.
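
The script above only reads fields stored as member lists, so a rule's action never reaches the table. The following added example (not part of the original script) uses Python 3 and the standard-library ElementTree instead of lxml to extract both kinds of field and render escaped table rows. It assumes that action and disabled are plain-text children of each rule entry; the sample configuration and the names extract_rules and rule_to_row are constructed for illustration.

```python
import html
import xml.etree.ElementTree as ET

# Constructed sample in the running-config layout (not a real export).
SAMPLE_CONFIG = """<config><devices><entry name="localhost.localdomain"><vsys>
<entry name="vsys1"><rulebase><security><rules>
  <entry name="web-out">
    <from><member>trust</member></from>
    <to><member>untrust</member></to>
    <source><member>any</member></source>
    <destination><member>any</member></destination>
    <application><member>web-browsing</member><member>ssl</member></application>
    <service><member>application-default</member></service>
    <action>allow</action>
  </entry>
  <entry name="old &amp; &lt;legacy&gt;">
    <from><member>any</member></from>
    <to><member>any</member></to>
    <action>deny</action>
    <disabled>yes</disabled>
  </entry>
</rules></security></rulebase></entry>
</vsys></entry></devices></config>"""

LIST_FIELDS = ["from", "to", "source", "destination", "application", "service"]
SCALAR_FIELDS = ["action", "disabled"]  # assumed: plain text, no <member>

def extract_rules(xml_text):
    """Return one dict per security rule, in configuration order."""
    root = ET.fromstring(xml_text)
    rules = []
    for entry in root.findall(".//rulebase/security/rules/entry"):
        rule = {"name": entry.get("name")}
        for field in LIST_FIELDS:
            members = entry.findall(field + "/member")
            rule[field] = [m.text.strip() for m in members if m.text]
        for field in SCALAR_FIELDS:
            # A missing element (e.g. no <disabled>) becomes an empty string.
            rule[field] = (entry.findtext(field) or "").strip()
        rules.append(rule)
    return rules

def rule_to_row(rule):
    """Render one rule as an HTML table row with every value escaped."""
    cells = [html.escape(rule["name"])]
    cells += ["<br>".join(html.escape(v) for v in rule[f]) for f in LIST_FIELDS]
    cells += [html.escape(rule[f]) for f in SCALAR_FIELDS]
    return "<tr>" + "".join("<td>%s</td>" % c for c in cells) + "</tr>"

if __name__ == "__main__":
    for r in extract_rules(SAMPLE_CONFIG):
        print(rule_to_row(r))
```
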
Links
- Website: Python (English)
- Website: Python module lxml (English)
- Website: Palo Alto Networks (English)