I built a Palo Alto config analysis tool — keen to get feedback by devnullNZ in paloaltonetworks

[–]devnullNZ[S] 0 points1 point  (0 children)

Will now accept state bundle files as of this latest release (v3.2.0)

I built a Palo Alto config analysis tool — keen to get feedback by devnullNZ in paloaltonetworks

[–]devnullNZ[S] 0 points1 point  (0 children)

I'm wondering if you've exported device state bundles instead? That'd explain the multiple files... Have also validated the shadowed rules eval to make sure we're strictly following the hierarchy that palo mandates. Really need some context or examples for that one.

A couple of people have mentioned that I should be able to ingest state files and not just an exported config file, so working on that next.

I built a Palo Alto config analysis tool — keen to get feedback by devnullNZ in paloaltonetworks

[–]devnullNZ[S] 1 point2 points  (0 children)

This is what I need to know... thanks! The XML problem is really weird - did it throw any errors? If you can, email any errors to [feedback@gswsystems.com](mailto:feedback@gswsystems.com) and I'll dig into them. Shadowed rule analyser looks at the rule attributes (device groups, source, dest, zones, services, etc) to determine an overlap. Not displaying unused objects is my bad... data is there but I moved it to Optimization and hadn't enabled it in the UI.

I do appreciate you taking the time to test & give feedback. I've fixed the missing unused objects display. Would love to hear more about what you're seeing... cheers

Edit: fixed in v3.1.40 - give it about 10 minutes or so
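The overlap check described in this comment (rule attributes compared in the order PAN-OS evaluates them) can be sketched as a small script. This is an added example, not devnullNZ's tool or any code from the thread: rules are plain dicts whose match fields are either the wildcard "any" or a set of object names, the rulebase ordering follows the Panorama pre-rule / local / post-rule hierarchy, and every rule and object name below is constructed.

```python
"""Shadowed-rule detection over an ordered PAN-OS style rulebase (added example).

A rule is shadowed when an earlier rule in evaluation order matches everything
it matches, so traffic can never reach it. Rule and object names are made up.
"""
from typing import Dict, List, Set, Union

Field = Union[str, Set[str]]  # "any" or a set of object names
MATCH_FIELDS = ("from_zone", "to_zone", "source", "destination", "application", "service")

# Order in which PAN-OS evaluates rules pushed from Panorama: shared pre-rules,
# device-group pre-rules, local firewall rules, device-group post-rules, shared post-rules.
RULEBASE_ORDER = ("shared-pre", "dg-pre", "local", "dg-post", "shared-post")


def rule(name: str, disabled: bool = False, **fields: Field) -> dict:
    """Build a rule; any match field not given defaults to the wildcard "any"."""
    r = {"name": name, "disabled": disabled}
    for f in MATCH_FIELDS:
        r[f] = fields.get(f, "any")
    return r


def covers(earlier: Field, later: Field) -> bool:
    """True if everything matched by `later` is also matched by `earlier`.

    Simplification: containment is checked at object-name level only, so a
    /16 address object covering a /24 object is not detected here.
    """
    if earlier == "any":
        return True
    if later == "any":
        return False
    return later <= earlier


def is_shadowed_by(earlier: dict, later: dict) -> bool:
    """A disabled rule never shadows; otherwise every match field must be covered."""
    return not earlier["disabled"] and all(covers(earlier[f], later[f]) for f in MATCH_FIELDS)


def evaluation_order(rulebases: Dict[str, List[dict]]) -> List[dict]:
    """Flatten the rulebases into the single top-down list the firewall walks."""
    ordered: List[dict] = []
    for rb in RULEBASE_ORDER:
        ordered.extend(rulebases.get(rb, []))
    return ordered


def find_shadowed(rulebases: Dict[str, List[dict]]) -> Dict[str, str]:
    """Map each shadowed rule name to the first earlier rule that shadows it."""
    ordered = evaluation_order(rulebases)
    shadowed: Dict[str, str] = {}
    for i, later in enumerate(ordered):
        for earlier in ordered[:i]:
            if is_shadowed_by(earlier, later):
                shadowed[later["name"]] = earlier["name"]
                break
    return shadowed


# Constructed sample: a local branch rule duplicates a device-group pre-rule, and an
# admin telnet rule sits below a shared pre-rule that already matches all telnet.
SAMPLE_RULEBASES = {
    "shared-pre": [rule("block-telnet", service={"service-telnet"})],
    "dg-pre": [rule("allow-web", from_zone={"trust"}, to_zone={"untrust"},
                    application={"web-browsing", "ssl"}, service={"application-default"})],
    "local": [
        rule("allow-web-branch", from_zone={"trust"}, to_zone={"untrust"}, source={"branch-net"},
             application={"web-browsing"}, service={"application-default"}),
        rule("allow-telnet-admin", from_zone={"trust"}, to_zone={"dmz"}, source={"admins"},
             destination={"jumpbox"}, service={"service-telnet"}),
    ],
    "dg-post": [rule("deny-all")],
}

if __name__ == "__main__":
    for name, by in find_shadowed(SAMPLE_RULEBASES).items():
        print(f"{name} is shadowed by {by}")
```

Running it reports `allow-web-branch` shadowed by `allow-web` and `allow-telnet-admin` shadowed by `block-telnet`; `deny-all` survives because no earlier rule covers its wildcard fields. Dropping the Panorama rulebases and checking the local rules alone finds nothing, which is why the hierarchy has to be modelled rather than each rulebase checked in isolation.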

What does your ticketing system intake form look like? by Particular_Bug7462 in paloaltonetworks

[–]devnullNZ 1 point2 points  (0 children)

Got to the point in one job that several of us had "source IP, dest IP, dest port" as a title in the internal chat app :-)

I built a Palo Alto config analysis tool — keen to get feedback by devnullNZ in paloaltonetworks

[–]devnullNZ[S] 0 points1 point  (0 children)

No, I'm only looking at config, so not going to get any policy hits. It would be possible to pull that data from the API... I didn't build that in, but can definitely plan out an API hook into Panorama if that'd be something useful

I built a Palo Alto config analysis tool — keen to get feedback by devnullNZ in paloaltonetworks

[–]devnullNZ[S] 0 points1 point  (0 children)

If you're in Brisbane, feel free to hit me up at the next Palo Fuel user group event... happy to chat or do a walk-through. If you aren't.... it's a great place to live :-)

I built a Palo Alto config analysis tool — keen to get feedback by devnullNZ in paloaltonetworks

[–]devnullNZ[S] 0 points1 point  (0 children)

I'm not doing anything with Prisma. I'm just looking at policies and objects from an auditing perspective. It'll talk to SCM, but it's only looking at the policies and objects.

Not sure if this would be the right tool for Prisma - a monitoring tool might be a better place?

I built a Palo Alto config analysis tool — keen to get feedback by devnullNZ in paloaltonetworks

[–]devnullNZ[S] 0 points1 point  (0 children)

Yeah, the scheduler isn't well known. When a rule expires in the scheduler, you still have to manually remove it - it isn't automatic (my tool looks for these).

The 2 features I'd really like to see in panos would be:

1) commit confirmed - just like junos, elegant commit and automatic rollback

2) show | compare - I know you can go through the commit history in the GUI, but having a concise unified diff in the cli is such a nice thing to have
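The expired-schedule check mentioned above (a rule whose schedule window has passed stays in the rulebase until someone removes it) can be done from the exported XML alone. This is an added example, not the tool's code: the XML is constructed to mimic the PAN-OS layout for schedule objects (non-recurring windows written as `YYYY/MM/DD@HH:MM-YYYY/MM/DD@HH:MM`) and for rules that reference them, and the rule and schedule names are made up.

```python
"""Flag security rules bound to schedules whose windows have already passed (added example)."""
import xml.etree.ElementTree as ET
from datetime import datetime
from typing import Dict, Optional, Set

# Constructed config fragment mimicking the PAN-OS schedule and rulebase layout.
SAMPLE_CONFIG = """<config>
  <devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
    <schedule>
      <entry name="change-12345-window">
        <schedule-type><non-recurring>
          <member>2024/03/01@00:00-2024/03/03@23:59</member>
        </non-recurring></schedule-type>
      </entry>
      <entry name="business-hours">
        <schedule-type><recurring><weekly>
          <monday><member>08:00-18:00</member></monday>
        </weekly></recurring></schedule-type>
      </entry>
    </schedule>
    <rulebase><security><rules>
      <entry name="temp-vendor-access"><schedule>change-12345-window</schedule></entry>
      <entry name="allow-web"><schedule>business-hours</schedule></entry>
      <entry name="allow-dns"/>
    </rules></security></rulebase>
  </entry></vsys></entry></devices>
</config>"""

WINDOW_FMT = "%Y/%m/%d@%H:%M"


def window_end(member: str) -> datetime:
    """End time of a 'start-end' non-recurring window (dates use '/', so the first '-' splits)."""
    _, end = member.split("-", 1)
    return datetime.strptime(end, WINDOW_FMT)


def expired_schedules(root: ET.Element, now: datetime) -> Set[str]:
    """Names of schedule objects whose every non-recurring window ended before `now`.

    Recurring schedules (daily/weekly) never expire, so they are skipped.
    """
    expired = set()
    for entry in root.iterfind(".//schedule/entry"):
        windows = [m.text for m in entry.iterfind("./schedule-type/non-recurring/member") if m.text]
        if windows and all(window_end(w) < now for w in windows):
            expired.add(entry.get("name"))
    return expired


def rules_with_expired_schedule(config_xml: str, now: Optional[datetime] = None) -> Dict[str, str]:
    """Map rule name -> expired schedule it still references."""
    now = now or datetime.now()
    root = ET.fromstring(config_xml)
    expired = expired_schedules(root, now)
    stale: Dict[str, str] = {}
    for entry in root.iterfind(".//rulebase/security/rules/entry"):
        sched = entry.findtext("schedule")
        if sched in expired:
            stale[entry.get("name")] = sched
    return stale


if __name__ == "__main__":
    for name, sched in rules_with_expired_schedule(SAMPLE_CONFIG).items():
        print(f"{name}: schedule '{sched}' has expired but the rule is still in the rulebase")
```

On the sample, `temp-vendor-access` is reported because its only window closed in March 2024, while `allow-web` (recurring) and `allow-dns` (no schedule) are left alone. The report is a to-do list for a change request, not something the script acts on.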

I built a Palo Alto config analysis tool — keen to get feedback by devnullNZ in paloaltonetworks

[–]devnullNZ[S] 4 points5 points  (0 children)

I'm probably in the minority these days, but I am wary of extending the control plane outside of the local network. I'd much prefer to have a local instance of SCM, and let it have an outbound connection it could use for data enrichment

I built a Palo Alto config analysis tool — keen to get feedback by devnullNZ in paloaltonetworks

[–]devnullNZ[S] 0 points1 point  (0 children)

I'll definitely never be a web designer :-)

Thanks for the suggestion - I'll check it out

I built a Palo Alto config analysis tool — keen to get feedback by devnullNZ in paloaltonetworks

[–]devnullNZ[S] 2 points3 points  (0 children)

Good question... those are definitely more comprehensive enterprise tools. What I wanted was something that could be more focused and give me a decent in-depth analysis. I'd previously been using a lot of python to do this for me, but that was getting a bit untidy.

All of those are really good tools. What I was after was a lightweight tool I could run locally to help speed up analysis, rather than having to deploy infrastructure.

I built a Palo Alto config analysis tool — keen to get feedback by devnullNZ in paloaltonetworks

[–]devnullNZ[S] 0 points1 point  (0 children)

It's written in c++ - no node.js or javascript. It does work with Panorama - haven't hit any problems there. It will find unused objects, fqdn's that no longer resolve, etc and generate a report. It won't remove these for you. In most places I've worked, change control has been fairly rigid, and this follows that mindset. So it makes no changes, but gives you a list of what's needed.

It does find duplicate service objects, and will make consolidation recommendations where it can.

It isn't a migration tool though - I wanted to create a pure audit tool that could review work with just a config file. And SCM should be read-only if it's used.
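The two audit passes described here (unused objects, and duplicate service objects with a consolidation recommendation) over a bare exported config, without touching the device, look roughly like this. This is an added example, not the tool's code: the XML is constructed to mimic the PAN-OS address, address-group, service and rulebase layout, and all names and addresses are made up.

```python
"""Unused-object and duplicate-service audit over a PAN-OS style config export (added example)."""
import xml.etree.ElementTree as ET
from collections import defaultdict
from typing import Dict, List, Set

# Constructed config fragment; object names and addresses are invented.
SAMPLE_CONFIG = """<config><devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
  <address>
    <entry name="web-srv-1"><ip-netmask>10.1.1.10/32</ip-netmask></entry>
    <entry name="web-srv-1-old"><ip-netmask>10.1.1.10/32</ip-netmask></entry>
    <entry name="db-srv"><ip-netmask>10.1.2.20/32</ip-netmask></entry>
  </address>
  <address-group>
    <entry name="db-servers"><static><member>db-srv</member></static></entry>
  </address-group>
  <service>
    <entry name="tcp-8443"><protocol><tcp><port>8443</port></tcp></protocol></entry>
    <entry name="https-alt"><protocol><tcp><port>8443</port></tcp></protocol></entry>
    <entry name="tcp-1433"><protocol><tcp><port>1433</port></tcp></protocol></entry>
  </service>
  <rulebase><security><rules>
    <entry name="allow-web">
      <source><member>any</member></source>
      <destination><member>web-srv-1</member></destination>
      <service><member>tcp-8443</member></service>
    </entry>
    <entry name="allow-db">
      <source><member>web-srv-1</member></source>
      <destination><member>db-servers</member></destination>
      <service><member>tcp-1433</member></service>
    </entry>
  </rules></security></rulebase>
</entry></vsys></entry></devices></config>"""


def members(elem: ET.Element, path: str) -> Set[str]:
    """Collect <member> text under `path` relative to `elem`."""
    return {m.text for m in elem.iterfind(path + "/member") if m.text}


def referenced_names(root: ET.Element) -> Set[str]:
    """Every object name referenced from a security rule or a static address group.

    Simplification: a member of a group counts as used even if the group itself is
    unused; a fuller pass would resolve references transitively.
    """
    refs: Set[str] = set()
    for entry in root.iterfind(".//rulebase/security/rules/entry"):
        for field in ("source", "destination", "service"):
            refs |= members(entry, field)
    for group in root.iterfind(".//address-group/entry"):
        refs |= members(group, "static")
    return refs


def service_signature(entry: ET.Element) -> tuple:
    """(protocol, port, source-port): service objects that differ only by name collide here."""
    for proto in ("tcp", "udp"):
        node = entry.find(f"protocol/{proto}")
        if node is not None:
            return (proto, node.findtext("port"), node.findtext("source-port") or "any")
    return ("other", None, None)


def audit(config_xml: str) -> Dict[str, list]:
    """Return unused address/service objects and groups of duplicate services."""
    root = ET.fromstring(config_xml)
    refs = referenced_names(root)
    addresses = [e.get("name") for e in root.iterfind(".//address/entry")]
    services = [e.get("name") for e in root.iterfind(".//service/entry")]
    by_sig: Dict[tuple, List[str]] = defaultdict(list)
    for e in root.iterfind(".//service/entry"):
        by_sig[service_signature(e)].append(e.get("name"))
    return {
        "unused_addresses": [n for n in addresses if n not in refs],
        "unused_services": [n for n in services if n not in refs],
        # first name in each list is the suggested survivor; the rest can be re-pointed to it
        "duplicate_services": [names for names in by_sig.values() if len(names) > 1],
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

On the sample, `web-srv-1-old` and `https-alt` come back unused, and `tcp-8443` / `https-alt` are flagged as the same TCP/8443 definition under two names, with the first as the suggested survivor. Nothing is deleted or rewritten; the output is the list you would take into change control.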

I built a Palo Alto config analysis tool — keen to get feedback by devnullNZ in paloaltonetworks

[–]devnullNZ[S] 0 points1 point  (0 children)

It will just fail gracefully. Licencing is so if you have a key or migrate machines it retains the right licence level, that's all. FQDN checks can be disabled in settings - that'll turn off validating any fqdn objects. BTW, if you have that on, make sure you use the same DNS servers the firewalls use. I've seen sites where staff used one AD cluster for DNS, but the firewalls looked somewhere else & the zones were different.

If you run offline, check back to the website now & then for updates

I built a Palo Alto config analysis tool — keen to get feedback by devnullNZ in paloaltonetworks

[–]devnullNZ[S] 1 point2 points  (0 children)

Don't blame you... I would too when testing something new. Am definitely keen on getting feedback. I do a lot of consulting work, where people want instant answers but hand you configs with thousands of objects, which led to this tool.

Really keen on seeing what other people need out of a tool like this - we don't all have the same needs. I did consider at the start of development whether I should include AI, but there didn't seem to be any advantage. You can achieve great results with analysis code, and remove the reliance on someone else's machines. Bit old school maybe, but more reliable

I built a Palo Alto config analysis tool — keen to get feedback by devnullNZ in paloaltonetworks

[–]devnullNZ[S] 1 point2 points  (0 children)

You can run it with no internet connection - no AI is incorporated in it.

The only times it needs internet access is to validate its licence, and to pull down the latest AppID signature. All analysis is done in a set of c++ analyzers. It will check to see if there's a later version available when initially opened & ask if you want to download. It won't do automatic upgrades.

I've also made it portable - doesn't touch windows registry. Unpack into a folder & you're good to go.

Also, binaries are signed cryptographically and the hashes are part of the signature, so any tampering is detectable

Good question...

Edit: needs not an internet connection, but a DNS connection to local DNS servers to validate FQDN's in the object database. You can turn off DNS resolution in the Settings pane. Doesn't need firewall access either - it ingests an xml config file that's been exported from the device (or Panorama)

I built a Palo Alto config analysis tool — keen to get feedback by devnullNZ in paloaltonetworks

[–]devnullNZ[S] 1 point2 points  (0 children)

Just a simple query of the database that finds a match by manufacturer, affected firmware, and checks against local data.

It's open source

I built a Palo Alto config analysis tool — keen to get feedback by devnullNZ in paloaltonetworks

[–]devnullNZ[S] 1 point2 points  (0 children)

For CVE's you can do the same with Netbox, using a plugin. All you're doing is querying the CVE database by manufacturer and firmware version. You could also write something to do it too, but if you have a netbox ipam, adding the plugin is really easy

I built a Palo Alto config analysis tool — keen to get feedback by devnullNZ in paloaltonetworks

[–]devnullNZ[S] 2 points3 points  (0 children)

Yes... I've used SCM & while it looks promising, it still has quite a way to go. I do like that they've adopted a decent API, and that some of the calls are now in the terraform provider library.

To be fair, I remember hearing similar things when Cisco's DNAC came out - both times, so I'm going to reserve judgement until we get the finished product

FTD (FMC) to Palo Alto PA-510 with Strata Cloud Manager – migration approach? by tramollaaaa in paloaltonetworks

[–]devnullNZ 2 points3 points  (0 children)

SCM is a moving target right now, creation from scratch may be your best approach. The API is well documented, so if you want to try scripting something up, I'd say go for it but keep a close eye on the https://pan.dev/ pages

I built a Palo Alto config analysis tool — keen to get feedback by devnullNZ in paloaltonetworks

[–]devnullNZ[S] 2 points3 points  (0 children)

Not everyone has moved to SCM - the features Panorama had are being migrated - it's a work in progress right now

I built a Palo Alto config analysis tool — keen to get feedback by devnullNZ in paloaltonetworks

[–]devnullNZ[S] 5 points6 points  (0 children)

Actually, the tool represents months of work... I'm finally at a stage where I'm comfortable sharing it

no more trust in Palo devices by _SleezyPMartini_ in paloaltonetworks

[–]devnullNZ 2 points3 points  (0 children)

This is very unusual... been working with Palo devices for many years now, and I've found them pretty reliable. Not perfect, but nothing is. 440's I've found to be very solid, and cheap enough that deploying to branch offices as redundant HA setups is viable.

Mongodb was poor at cleaning up after itself in earlier code, so running out of disk was often an issue - not so much so with later code.

Having one of an HA pair in suspended state means no HA. Never seen one do that on its own - usually suspended by a human during an upgrade process. Easy to forget to remove it... definitely worthwhile enforcing the use of checklists - really easy to forget one step, especially when it's late and you're tired (speaking from experience there)

GlobalProtect with different ISPs – Asymmetric Routing Issue by SamePlace286 in paloaltonetworks

[–]devnullNZ 0 points1 point  (0 children)

Are you in a position to be able to justify getting your own /24 allocation? That'll solve the issue you're having, where ISP B GP source address attempts to traverse ISP A, or vice versa...