This plugin enables you to list firewall rules defined on your Palo Alto Networks firewall or Panorama management server directly in NetBox. The URL <NETBOX>/plugins/paloalto/<object> will list all firewall rules associated with object (see limitations further down).
NetBox 2.8 and higher.
Tested on Panorama PAN-OS 9.1 and PA-220 PAN-OS 9.1.
Add netbox-paloalto to your local_requirements.txt.
Add netbox_paloalto to configuration.py like this:
PLUGINS = ['netbox_paloalto']
Run ./upgrade.sh which will download the package and run the necessary database migrations.
Add you firewall/Panorama (can have multiple) through the Admin GUI of NetBox.
Assume a NetBox object with name Server01 and IP 1.2.3.4.
Available settings in PLUGINS_CONFIG is:
transform: True/False - Netbox object is transformed before the search in Panorama/firewall.
Additional search term will be Server01.3.4. Default: False
nesting: <int> - The number of levels of nesting within address groups to perform. Default: 1
See Palo Alto Networks documentation on generating your API key. As this plugin is only reading the configuration a read-only user is recommended.
- Limited nesting for address groups as default
- Does not include "any" rules based on zones (can't tell the zone from the object name)
- Does not match with subnet rules (you can have a rule saying 10.0.0.0/8 is allowed, but your object with the address 10.1.1.1 is not listed)
- Does currently not support other rule types than security rules (no NAT/Decryption/etc)