Security Readme Updates and test tool mods
bhillkeyfactor committed Dec 11, 2024
1 parent b0b34a2 commit 90fadcb
Showing 4 changed files with 106 additions and 17 deletions.
2 changes: 1 addition & 1 deletion PaloAltoTestConsole/KeyfactorClient.cs
@@ -29,7 +29,7 @@ public async Task<KeyfactorEnrollmentResult> EnrollCertificate(string commonName
var request = new RestRequest("/KeyfactorAPI/Enrollment/PFX", Method.Post);
request.AddHeader("X-Keyfactor-Requested-With", "APIClient");
request.AddHeader("x-certificateformat", "PFX");
request.AddHeader("Authorization", "Basic Authtoken");
request.AddHeader("Authorization", "Basic Y29t");
request.AddHeader("Content-Type", "application/json");
var enrollRequest = new KeyfactorEnrollmentRequest
{
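Review bot: The `Authorization` header in EnrollCertificate is still a string literal, and the new value `Basic Y29t` is a base64 fragment rather than a neutral placeholder, so the source no longer shows whether it was cut from a real credential. It decodes to three characters with no `:` separator, so as committed it is not a usable user:password pair and the enrollment call would presumably be rejected. Read the value from configuration or the environment instead, e.g. `request.AddHeader("Authorization", "Basic " + Environment.GetEnvironmentVariable("KEYFACTOR_BASIC_AUTH"));` (variable name is illustrative), and fail with a clear message when it is unset. If the literal was derived from a live account, rotate that credential, since it is now in history. EnrollCertificate starts and ends outside this hunk.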
6 changes: 3 additions & 3 deletions PaloAltoTestConsole/Program.cs
@@ -201,7 +201,7 @@ public static InventoryJobConfiguration GetInventoryJobConfiguration()

var fileContent = File.ReadAllText("FirewallInventory.json").Replace("UserNameGoesHere", UserName)
.Replace("PasswordGoesHere", Password).Replace("ClientMachineGoesHere", ClientMachine)
.Replace("\"InventoryTrustedCerts\": false", intentoryTrustedReplaceString);
.Replace("\"InventoryTrustedCerts\": false", intentoryTrustedReplaceString).Replace("TemplateStackGoesHere", TemplateStackName);
var jsonObject = JObject.Parse(fileContent);

// Navigate to the InventoryTrustedCerts property and set it to true
@@ -225,7 +225,7 @@ public static InventoryJobConfiguration GetPanoramaInventoryJobConfiguration()
var fileContent = File.ReadAllText("PanoramaInventory.json").Replace("UserNameGoesHere", UserName)
.Replace("PasswordGoesHere", Password).Replace("TemplateNameGoesHere", StorePath)
.Replace("ClientMachineGoesHere", ClientMachine)
.Replace("DeviceGroupGoesHere", DeviceGroup);
.Replace("DeviceGroupGoesHere", DeviceGroup).Replace("TemplateStackGoesHere", TemplateStackName);


var jsonObject = JObject.Parse(fileContent);
@@ -278,7 +278,7 @@ public static ManagementJobConfiguration GetRemoveJobConfiguration()
var fileContent = File.ReadAllText("ManagementRemove.json").Replace("UserNameGoesHere", UserName)
.Replace("PasswordGoesHere", Password).Replace("TemplateNameGoesHere", StorePath)
.Replace("DeviceGroupGoesHere", DeviceGroup).Replace("AliasGoesHere", CertAlias)
.Replace("ClientMachineGoesHere", ClientMachine);
.Replace("ClientMachineGoesHere", ClientMachine).Replace("TemplateStackGoesHere", TemplateStackName);
var result =
JsonConvert.DeserializeObject<ManagementJobConfiguration>(fileContent);
return result;
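Review bot: The added `.Replace("TemplateStackGoesHere", TemplateStackName)` calls in GetInventoryJobConfiguration, GetPanoramaInventoryJobConfiguration and GetRemoveJobConfiguration splice a raw value into the JSON text before `JObject.Parse` or `JsonConvert.DeserializeObject` runs, the same way the existing UserName and Password substitutions do. A value containing `"` or `\` would make the document invalid or change its structure, and a password with such characters is plausible. Escape at the substitution, e.g. `.Replace("TemplateStackGoesHere", JsonConvert.ToString(TemplateStackName ?? "")[1..^1])`, or parse the template first and assign the fields on the parsed object. All three method bodies start and end outside their hunks.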
18 changes: 11 additions & 7 deletions PaloAltoTestConsole/RunTest.bat
@@ -1,12 +1,13 @@
@echo off

cd C:\Users\asdf\source\repos\paloalto-firewall-orchestrator\PaloAltoTestConsole\bin\Debug\netcoreapp3.1
set FWMachine=asfd
set FWApiUser=asfd
set FWApiPassword=asfdsdfa
set PAMachine=afsd
set PAApiUser=bhisadfll
set PAApiPassword=adfssadf
set FWMachine=21.22.23.24
set FWApiUser=adf

set FWApiPassword=asdfasd
set PAMachine=20.172.0.1
set PAApiUser=sdfa
set PAApiPassword=ds!


echo ***********************************
@@ -31,7 +32,7 @@ set overwrite=false
set inventorytrusted=false
set templatestackname=""

REM goto :PANTemplates
#REM goto :PANTemplates

echo ************************************************************************************************************************
echo TC1 %mgt%. Should do the %mgt% and add anything in the chain
@@ -125,6 +126,7 @@ echo Starting Inventory Test Cases
echo ***********************************
set storepath=/config/shared
set casename=Inventory
set templatestackname=""

echo:
echo *************************************************************************************************
@@ -546,6 +548,8 @@ echo cert name: %cert%

PaloAltoTestConsole.exe -clientmachine=%clientmachine% -casename=%casename% -user=%user% -password=%password% -storepath=%storepath% -devicegroup=%devicegroup% -managementtype=%mgt% -certalias=%cert% -overwrite=%overwrite% -inventorytrusted=%inventorytrusted% -templatestackname=%templatestackname%


:paloinventory
echo:
echo:
echo ***********************************
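Review bot: The `set FWApiPassword=`, `set PAApiPassword=`, user and machine lines at the top of the script are edited in place in a tracked file, so any run against a real Panorama or firewall leaves its address and API credentials one commit away from history. The new values look like placeholders, but that cannot be confirmed from the diff. Take them from the caller's environment instead, for example `if not defined FWApiPassword set /p FWApiPassword=Firewall API password: `, and keep no literal in the file. Separately, `#REM goto :PANTemplates` is not a comment in cmd, which will try to run `#REM` as a command and print an error on every run; use `REM goto :PANTemplates`.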
97 changes: 91 additions & 6 deletions readme_source.md
@@ -172,13 +172,98 @@ __________________________________
</details>

<details>
<summary>API User Setup Permissions in Panorama or Firewall Required</summary>
<summary>API User Setup Permissions in Panorama Required</summary>

# API Access Configuration for KeyfactorAPI Profile

| **Category** | **Feature/Permission** | **Access Level** |
|------------------------|-------------------------------------------|------------------|
| **Web UI** | Dashboard | Disabled |
| | ACC | Disabled |
| | Monitor | Disabled |
| | Policies | Disabled |
| | Objects | Disabled |
| | Network | Disabled |
| | Device | Disabled |
| | Panorama | Disabled |
| | Privacy | Disabled |
| | Validate | Disabled |
| | Save | Disabled |
| | Push All Changes | Disabled |
| | Commit | Disabled |
| | Tasks | Disabled |
| | Global | Disabled |
| **XML API** | Report | Disabled |
| | Log | Disabled |
| | Configuration | read/write |
| | Operational Requests | Disabled |
| | Commit | read/write |
| | User-ID Agent | Disabled |
| | IoT Agent | Disabled |
| | Export | read/write |
| | Import | read/write |
| **REST API** | Objects | Disabled |
| | Policies | Disabled |
| | Network | Disabled |
| | Log Interface Setting | Disabled |
| | SNMP Trap Server Profiles | Disabled |
| | Syslog Server Profiles | Disabled |
| | Email Server Profiles | Disabled |
| | HTTP Server Profiles | Disabled |
| | LDAP Server Profiles | Disabled |
| | Virtual Systems | read/write |
| | Setup Log Setting | read/write |
| | Scheduled Config Push Profiles | read/write |
| | Templates | read/write |
| | Template Stacks | read/write |
| | Device Groups | read/write |
| | Device Registration Auth Keys | Disabled |
| | Configuration | read/write |
| **Plugins** | Plugins | Disabled |

</details>

<details>
<summary>API User Setup Permissions in Firewall Required</summary>

# API Access Configuration for KeyfactorAPI Profile

# Firewall Permissions for APIUser

| **Category** | **Feature/Permission** | **Access Level** |
|------------------------|-------------------------------------------|------------------|
| **Web UI** | Dashboard | Disabled |
| | ACC | Disabled |
| | Monitor | Disabled |
| | Policies | Disabled |
| | Objects | Disabled |
| | Network | Disabled |
| | Device | Disabled |
| | Operations | Disabled |
| | Privacy | Disabled |
| | Validate | Disabled |
| | Save | Disabled |
| | Commit | Disabled |
| | Tasks | Disabled |
| | Global | Disabled |
| **XML API** | Report | Disabled |
| | Log | Disabled |
| | Configuration | read/write |
| | Operational Requests | Disabled |
| | Commit | read/write |
| | User-ID Agent | Disabled |
| | IoT Agent | Disabled |
| | Export | read/write |
| | Import | read/write |
| **Command Line** | None | Disabled |
| **REST API** | Objects | Disabled |
| | Policies | Disabled |
| | Network | Disabled |
| | Log Interface Setting (Device) | Disabled |
| | Virtual Systems (Device) | read/write |
| | Configuration (System) | read/write |


Tab | Security Items
--------------|--------------------------
Xml Api |Report,Log,Configuration,Operational Requests,Commit,Export,Import
Rest Api |Objects/Devices,Panorama/Scheduled Config Push,Panorama/Templates,Panorama/Template Stacks,Panorama/Device Groups,System/Configuration,Plugins/Plugins
***

</details>

