Device::PaloAlto::Firewall::Test- Run a suite of tests against Palo Alto firewalls.
version 0.091
This module contains a set of methods that run tests against an Palo Alto firewall. The functions take arguments and return 1 or 0 depending on the current runtime state of the firewall.
These methods should be used in conjunction with the ok() function provided by Test::More. Multiple '.t' files can be created with tests for each firewall and run using the prove test harness.
ok()
Test::More
prove
use Device::PaloAlto::Firewall; use Test::More qw{ no_plan }; my $tester = Device::PaloAlto::Firewall->new(uri => 'https://test_firewall.int', username => 'ro_account', password => 'complex_password)->tester(); ok( $tester->environmentals(), "No alarms on the firewall" ); ok( $tester->interfaces_up(interfaces => ['ethernet1/1']), "WAN interface is up");
These methods test platform related aspects of the firewalls.
Takes a version (as a string) and returns 1 if the firewall is running that version of PAN-OS. Returns 0 if it is running a different version.
version
ok( $fw_test->version(version => '7.1.2'), "Firewall running PAN-OS 7.1.2");
Hotfixes (version suffixed with '-h1', '-h2', etc) are considered equivalent to their base versions.
Returns 1 if there are no environmental alarms. These are platform dependent, but generally consist of fantray and fans, power supplies and power, and temperature. If there are any alarms, returns 0.
VMs don't have any environmental information. In this instance the test will succeed, but a warning is generated.
ok( $test->environmentals(), "No environmental alarms" );
Returns 1 if all of the licenses on the firewall are active. Returns 0 if any of the licenses have expired, or if there are no licenses installed.
These methods test network related functions of the firewalls.
interfaces_up takes an ARRAYREF of interfaces are returns 1 if all of the interfaces are up. Returns 0 if any of the interfaces are down.
interfaces_up
Interfaces are matched in case insensitive manner.
ok( $fw_test->interfaces_up( interfaces => ['ethernet1/1', 'ethernet1/2']), "Interfaces are up" ) );
interfaces_duplex takes an ARRAYREF of interfaces and returns 1 if all the interfaces are in a full duplex state. Returns 0 if any of the interfaces are not in a full dupex state. Returns 0 and warns if it detects a virtual machine as it cannot report on the duplex state.
interfaces_duplex
The names of the interfaces are matched in a case-insensitive manner.
ok( $fw_test->interfaces_duplex( interfaces => ['ethernet1/1', 'ethernet./(2|3)'] ), "Interfaces are running full duplex" );
Takes a percent argument between (0, 100] and returns 0 if, for any interface:
percent
The number of input errors divided by the number of input packets is greater than or equal to percent, OR
The number of output errors divided by the number of output packets is greater than or equal to percent.
Otherwise it returns 1. If no percent argument is supplied, it defaults to 1%.
ok( $fw_test->interface_errors_logical(percent => 2), "No interfaces with more than 2% errors" );
Takes an ARRAYREF of routes and searches for these routes in the virtual router specified by vrouter. If all of the exact routes are present in the routing table it returns 1. If any exact routes are not present, it returns 0.
vrouter
routes is mandatory. vrouter is optional, and is set to 'default' if not specified. An empty ARRAYREF will emit a warning but will still return 1.
routes
ok( $fw_test->routes_exist( vrouter => 'virt_router_a', routes => ['192.0.2.0/30', '192.0.2.128/25'] ), "All expected routes are present in 'virt_router_a'" );
Returns 1 if all of the BGP peers specified in the peer_ips are established. Returns 0 if any of the peers are not in the established state.
peer_ips
vrouter specifies the virtual router that the BGP peers are configured under. If not supplied, the vrouter 'default' will be used.
ok( $fw_test->bgp_peers_ip( vrouter => 'virt_router_a', peer_ips => ['192.0.2.1', '192.0.2.20'] ), "BGP peerings for 'virt_router-a' are up" );
Returns 1 if all of the prefixes specified in the prefixes are present in the local routing information base (RIB) for a specific vrouter. Returns 0 if any of the prefixes are not present.
prefixes
If vrouter is not specified, the vrouter 'default' will be used.
Note that this only determines whether a prefix is present within the RIB. It doesn't take into account how many times the prefix is present or what peer it received it from. The prefix could also have been locally originated and this would still return 1.
ok( $fw_test->bgp_prefixes_in_rib( vrouter => 'virt_router_a', prefixes => ['192.168.0.0/24', '0.0.0.0/0'] ), "Default and local private range prefixes in RIB" );
Returns 1 if all of the OSPF neighbours specified in the neighbours argument are up for a specific vrouter. Neighbours are specified by their IP address, NOT by their router ID. Returns 0 if any of the neighbours are not in a 'full' state (i.e. in init/2-way/extart/exchange state), or the neighbour was not returned at all and is therefore down.
neighbours
If a vrouter is not specified, the vrouter 'default' will be used.
ok( $fw_test->ospf_neighbours_up( vrouter => 'virt_router_a', neighbours => ['192.168.1.1', '172.16.2.1'] ), "Expected OSPF neighbours are up" );
Returns 1 if all of the PIM neighbours specified in the neighbours argument are up for a specific vrouter. Neighbours are specified by their IP address. are up within a specific vrouter. Returns 0 if any of the neighbours are not up.
ok( $fw_test->pim_neighbours_up( vrouter => 'virt_router_a', neighbours => ['192.168.1.1', '172.16.2.1'] ), "Expected PIM adjacencies are up" );
Takes an ARRAYREF of interface names and returns 1 if:
All of the interfaces have BFD sessions associated with them, and
All of the BFD sessions are up.
Otherwise it returns 0. If no interfaces are specified (and empty ARRAYREF), all BFD sessions are checked.
ok( $fw_test->bfd_peers_up( interfaces => ['ethernet1/1', 'ethernet1/2'] ), "All BFD sessions are up" );
Returns 0 if the firewall is not synchronised with an NTP peer. Returns 1 if the firewall is synchronised with at least one NTP peer.
ok( $fw_test->ntp_synchronised(), "Firewall is synchronised with at least one NTP server" );
Returns 1 if all of the configured NTP servers are reachable. Returns 0 if any of the configured NTP servers are not reachable.
ok ( $fw_test->ntp_reachable(), "Firewall can reach all of its NTP servers" );
Returns 1 if the firewall is connectedt to all of the configured Panorama management servers, otherwise it returns 0. Also returns 0 if no Panorama servers are configured.
ok( $fw_test->panorama_connected(), "Firewall is connected to Panorama" );
These methods test aspects of the high availability function of the firewalls.
Returns 1 if HA is enabled on the devices. Returns if HA is not enabled.
ok( $test->ha_enabled(), "HA is enabled on the firewall" );
Returns 1 if the firewall is in the same state as the state parameter passed to the function. Returns 0 if it is not, or if HA is not enabled on the device.
state
ok( $test->ha_state(state => 'active'), "Firewall is in the active HA state" ); ok( $test->ha_state(state => 'passive'), "Firewall is in the passive HA state" );
The SCALAR string passed must be either 'active' or 'passive', however it is case insensitive.
Returns 1 if the app, threat, antivirus, PAN-OS and GlobalProtect versions match between the HA peers. Returns 0 if any one of these do not match, or HA is not enabled on the device.
ok( $test->ha_version(), "HA peers have matching versions" );
Returns 1 if the peer firewall is considerd 'up', and that the HA1, heartbeat backup and HA2 connections are 'up'. Returns 0 if any one of these conditions is not 'up'.
ok( $test->ha_peer_up(), "HA peer is up" );
Returns 1 if the configuration has been successfully synchronised between the devices. Returns 0 if the configuration has not been synchronised, if config synchronisation is not enabled, or if HA is not enabled.
ok( $test->ha_config_sync(), "Config is sync'ed between HA peers" );
These methods test the firewall/security functionality of the firewall.
Takes a domain and an ARRAYREF of users as arguments. Returns 1 if there is a valid IP mapping for all of the users within the specified domain.
domain
users
If no domain is specified then the users are matched for any domain. If no domain or users are specified then it returns 1 if there is any user to IP mapping, and 0 if there are none.
ok( $fw_test->ip_user_mapping( domain => 'internal.local', users => ['user_a', 'user_b'] ), "Valid User/IP mappings for user_a & user_b" );
Takes an ARRAYREF of servers returns 1 if all of the servers are connnected. Returns 0 if any of the servers are not connected. Each server must be specified as their fully qualified domain name, e.g. 'ad01.domain.int'.
servers
If no servers argument is given, returns 1 if all of the servers configured are connected, and returns 0 of any of the servers are not connected.
ok( $fw_test->userid_server_monitor( servers => ['ad01.int', 'ad02.int'] ), "AD servers reachable for UserID" );
Takes an ARRAYREF of peer_ips and returns 1 if all of the VPN tunnels are up. A VPN tunnel is considered up if its phase 1 (IKE) security association up, and all of its phase 2 (IPSEC) security associations are up.
If any of the VPN tunnels are not up - including not being configured at all, then it it returns 0.
ok( $fw_test->vpn_tunnels_up( peer_ips => ['192.168.1.1', '172.16.2.1'] ), "3rd party VPN tunnels are up" );
Greg Foletta, <greg at foletta.org>
<greg at foletta.org>
Please report any bugs or feature requests to bug-device-firewall-paloaltoat rt.cpan.org, or through the web interface at http://rt.cpan.org/NoAuth/ReportBug.html?Queue=Device-PaloAlto-Firewall. I will be notified, and then you'll automatically be notified of progress on your bug as I make changes.
bug-device-firewall-paloaltoat rt.cpan.org
You can find documentation for this module with the perldoc command.
perldoc Device::PaloAlto::Firewall::Test
You can also look for information at:
RT: CPAN's request tracker (report bugs here)
http://rt.cpan.org/NoAuth/Bugs.html?Dist=Device-PaloAlto-Firewall
AnnoCPAN: Annotated CPAN documentation
http://annocpan.org/dist/Device-PaloAlto-Firewall
CPAN Ratings
http://cpanratings.perl.org/d/Device-PaloAlto-Firewall
Search CPAN
http://search.cpan.org/dist/Device-PaloAlto-Firewall/
Copyright 2016 Greg Foletta.
This program is free software; you can redistribute it and/or modify it under the terms of the the Artistic License (2.0). You may obtain a copy of the full license at:
http://www.perlfoundation.org/artistic_license_2_0
Any use, modification, and distribution of the Standard or Modified Versions is governed by this Artistic License. By using, modifying or distributing the Package, you accept this license. Do not use, modify, or distribute the Package, if you do not accept this license.
If your Modified Version has been derived from a Modified Version made by someone other than you, you are nevertheless required to ensure that your Modified Version complies with the requirements of this license.
This license does not grant you the right to use any trademark, service mark, tradename, or logo of the Copyright Holder.
This license includes the non-exclusive, worldwide, free-of-charge patent license to make, have made, use, offer to sell, sell, import and otherwise transfer the Package with respect to any patent claims licensable by the Copyright Holder that are necessarily infringed by the Package. If you institute patent litigation (including a cross-claim or counterclaim) against any party alleging that the Package constitutes direct or contributory patent infringement, then this Artistic License to you shall terminate on the date that such litigation is filed.
Disclaimer of Warranty: THE PACKAGE IS PROVIDED BY THE COPYRIGHT HOLDER AND CONTRIBUTORS "AS IS' AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES. THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT ARE DISCLAIMED TO THE EXTENT PERMITTED BY YOUR LOCAL LAW. UNLESS REQUIRED BY LAW, NO COPYRIGHT HOLDER OR CONTRIBUTOR WILL BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, OR CONSEQUENTIAL DAMAGES ARISING IN ANY WAY OUT OF THE USE OF THE PACKAGE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
To install Device::PaloAlto::Firewall, copy and paste the appropriate command in to your terminal.
cpanm
cpanm Device::PaloAlto::Firewall
CPAN shell
perl -MCPAN -e shell install Device::PaloAlto::Firewall
For more information on module installation, please visit the detailed CPAN module installation guide.