See the unseen, data structures in Panorama

Posted on October 29, 2023

I worked with Palo Alto Panorama at many enterprise companies, and one of the struggles I had to face was the missing documentation, or some kind of topology, of the device-group hierarchy and the template stacks with their parent and child relationships. Where to put new config items in the hierarchy of templates, identity provider settings for example, was always challenging since no one knew the right place.
Do you remember the cocktail with the mixer guy that Palo Alto used to explain how to build up a template stack? :-) There was a funny picture I just put in here:

Or the old one with these pictures about stacking from the official documentation guide:

and the device-group hierarchy, again from the official documentation guide; it was used to make clear how inheritance works on device-groups:

The visual representation of such data structures helps a lot; these 2-3 pictures above are good to understand the general concept for the exam about Panorama.
But we don't need this visual effect only to understand the idea Palo Alto presents; we have to understand the idea behind those data structures in the enterprise where we have to work.

We can achieve the same visualisation with just 2 easy tools from the internet, for free :-)
1. Python
2. Graphviz

I created a Python script that visually represents the device-group hierarchy and the template stacks, so you see the descendants and the ancestors in a clear topology.
And the second feature: I can add new configuration items to find out where they are located in the XML tree. I will come back to this later with a simple LDAP example.

So these are the templates, template stacks and device-groups I configured in my lab:

This is just 11 device-groups and 13 templates in stacks; it is only for demonstration purposes, I could have created more, I know :-)
Enterprises can have hundreds of device-groups and even more templates in stacks, and in such an environment you simply lose visibility on the web UI. I worked in large configurations and I ran into exactly that case; that's why I wanted to see the topology of DGs and stacks with a mouse click in 2 seconds. I could have drawn it for myself in Visio, but I hate drawing things that can be done with a little program.

The script basically needs as input the running config from Panorama in XML format, and this is the result I get if I run the script:

The script has an additional JSON input. This contains the configuration items and, for each item, the XPath with which the script searches the running configuration XML file. The default configuration items defined in the JSON file, with their XPaths, are the following:

xml_elements1 = {
    'template': [{
        'xpath': './devices/entry/template/entry',
        'vsys': {
             'xpath': './config/devices/entry/vsys/entry',
             'zone': './zone/entry'
        }
    }],
    'template-stack': [{
        'xpath': './devices/entry/template-stack/entry',
        'templates': './templates/member',
        'devices': './devices/entry'
    }],
    'device-group': [{
        'xpath': './devices/entry/device-group/entry',
        'devices': {
            'xpath':  './devices/entry',
            'vsys': './vsys/entry'
        },
    }],
    'device-group-p': [{
        'xpath': './readonly/devices/entry/device-group/entry',
        'parent-dg': './parent-dg'
    }]
}

Let's add, for example, the LDAP configuration item to the templates to see where it is implemented in the tree (see the new item under ldap):

xml_elements2 = {
    'template': [{
        'xpath': './devices/entry/template/entry',
        'vsys': {
             'xpath': './config/devices/entry/vsys/entry',
             'zone': './zone/entry'
        },
        'ldap': './config/shared/server-profile/ldap/entry'
    }],
    'template-stack': [{
        'xpath': './devices/entry/template-stack/entry',
        'templates': './templates/member',
        'devices': './devices/entry'
    }],
    'device-group': [{
        'xpath': './devices/entry/device-group/entry',
        'devices': {
            'xpath':  './devices/entry',
            'vsys': './vsys/entry'
        },
    }],
    'device-group-p': [{
        'xpath': './readonly/devices/entry/device-group/entry',
        'parent-dg': './parent-dg'
    }]
}

And the result of the script looks like this:

As you see, the LDAP settings are actually doubled for no clear reason: they are on branchoffice_ny_t for New York and on branchoffice_wa_t for Washington. They should be in the amer_t template (the parent of the ny and wa templates) if the LDAP content really is the same.

And one more thing: the template datacenter_t on the right side of the screenshot is nobody's child. That is something to investigate, whether its existence is really important or it can be safely deleted… This is what you don't see on the web UI, or at least it is not so easy to find such things there.
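To show the mechanics behind the two findings above, here is a small added example (my own illustration, not the author's gist): it walks a Panorama running config with the same kind of xpath dictionary as xml_elements2 (flattened to one level, so the nested vsys/zone part is left out), emits Graphviz DOT text for the device-group hierarchy and the template stacks, and flags the two things the post points at: a same-named item (here the ldap profile) defined in more than one template, and a template that is a member of no stack. The XML, the serial numbers and the names like corp-ldap are constructed to mirror the lab, not taken from a real Panorama.

```python
"""Added example: Panorama config -> DOT topology plus two sanity checks.
SAMPLE_XML and all names in it are constructed for illustration."""
import xml.etree.ElementTree as ET

# Same shape as the post's dictionary: a root xpath per object type and
# relative xpaths for the children to collect (flat version, no nested vsys).
XML_ELEMENTS = {
    'template': [{'xpath': './devices/entry/template/entry',
                  'ldap': './config/shared/server-profile/ldap/entry'}],
    'template-stack': [{'xpath': './devices/entry/template-stack/entry',
                        'templates': './templates/member',
                        'devices': './devices/entry'}],
    'device-group': [{'xpath': './devices/entry/device-group/entry',
                      'devices': './devices/entry'}],
    'device-group-p': [{'xpath': './readonly/devices/entry/device-group/entry',
                        'parent-dg': './parent-dg'}],
}

# Constructed sample: 4 templates, 2 stacks, 3 device-groups.
SAMPLE_XML = """<config>
 <devices><entry name="localhost.localdomain">
  <template>
   <entry name="amer_t"/>
   <entry name="branchoffice_ny_t"><config><shared><server-profile><ldap>
     <entry name="corp-ldap"/></ldap></server-profile></shared></config></entry>
   <entry name="branchoffice_wa_t"><config><shared><server-profile><ldap>
     <entry name="corp-ldap"/></ldap></server-profile></shared></config></entry>
   <entry name="datacenter_t"/>
  </template>
  <template-stack>
   <entry name="ny_stack"><templates><member>branchoffice_ny_t</member>
     <member>amer_t</member></templates><devices><entry name="001234567890"/></devices></entry>
   <entry name="wa_stack"><templates><member>branchoffice_wa_t</member>
     <member>amer_t</member></templates><devices><entry name="001234567891"/></devices></entry>
  </template-stack>
  <device-group>
   <entry name="amer_dg"/>
   <entry name="ny_dg"><devices><entry name="001234567890"/></devices></entry>
   <entry name="wa_dg"><devices><entry name="001234567891"/></devices></entry>
  </device-group>
 </entry></devices>
 <readonly><devices><entry name="localhost.localdomain"><device-group>
  <entry name="amer_dg"/>
  <entry name="ny_dg"><parent-dg>amer_dg</parent-dg></entry>
  <entry name="wa_dg"><parent-dg>amer_dg</parent-dg></entry>
 </device-group></entry></devices></readonly>
</config>"""


def parse_config(xml_text, elements=XML_ELEMENTS):
    """Return {object_type: {name: {child_key: [values]}}} using the xpath dict."""
    root = ET.fromstring(xml_text)
    result = {}
    for obj_type, specs in elements.items():
        result[obj_type] = {}
        for spec in specs:
            for entry in root.findall(spec['xpath']):
                item = {}
                for key, rel in spec.items():
                    if key == 'xpath':
                        continue
                    # <entry> carries its value in name=, <member>/<parent-dg> in text
                    item[key] = [e.get('name') or (e.text or '').strip()
                                 for e in entry.findall(rel)]
                result[obj_type][entry.get('name')] = item
    return result


def device_group_edges(cfg):
    """(parent, child) pairs; a DG without parent-dg hangs directly under shared."""
    return sorted((i['parent-dg'][0] if i['parent-dg'] else 'shared', dg)
                  for dg, i in cfg['device-group-p'].items())


def template_stack_edges(cfg):
    """(stack, template, position) in stack order; position 0 has priority."""
    return [(s, t, p) for s, i in cfg['template-stack'].items()
            for p, t in enumerate(i['templates'])]


def orphan_templates(cfg):
    """Templates referenced by no stack: the datacenter_t case from the post."""
    used = {t for i in cfg['template-stack'].values() for t in i['templates']}
    return sorted(set(cfg['template']) - used)


def duplicated_items(cfg, key='ldap'):
    """Same-named item defined in several templates: the doubled-LDAP case."""
    seen = {}
    for tmpl, i in cfg['template'].items():
        for name in i.get(key, []):
            seen.setdefault(name, []).append(tmpl)
    return {n: sorted(t) for n, t in seen.items() if len(t) > 1}


def to_dot(cfg):
    """Graphviz DOT text; render with: dot -Tpng topology.dot -o topology.png"""
    lines = ['digraph panorama {', '  node [shape=box];']
    lines += [f'  "{p}" -> "{c}";' for p, c in device_group_edges(cfg)]
    lines += [f'  "{s}" -> "{t}" [label="{p}"];' for s, t, p in template_stack_edges(cfg)]
    lines += [f'  "{dg}" -> "{sn}" [style=dotted];'
              for dg, i in cfg['device-group'].items() for sn in i['devices']]
    for name, tmpls in duplicated_items(cfg).items():
        lines += [f'  "{t}" [style=filled, fillcolor=yellow, tooltip="duplicate {name}"];'
                  for t in tmpls]
    lines += [f'  "{t}" [style=dashed, color=red];' for t in orphan_templates(cfg)]
    return '\n'.join(lines + ['}'])


if __name__ == '__main__':
    print(to_dot(parse_config(SAMPLE_XML)))
```

Running it prints DOT text you can feed to the dot binary; the duplicated ldap profile paints both branch office templates yellow and the stack-less datacenter_t is drawn dashed in red, which is exactly the kind of thing the web UI hides. Swapping SAMPLE_XML for an exported running-config.xml and extending XML_ELEMENTS with further xpaths (as the post does for ldap) is all that is needed to apply the same checks to a real hierarchy.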

The code that does this can be found on my GitHub site in the gists:
https://gist.github.com/itsecworks/35cef668b6fb2a3cd4b614f549b13004

Dear PS engineers at Palo Alto, let me know if you need help with this! I promised in Cracow almost one year ago to share it with you guys, and now I did it. :-)
