Find out which firewall security policies are being shadowed, and write your own custom checks.

pins is a CLI tool that runs an analysis of the provided firewall security policies against a predefined series of checks called Scenarios.

It started as a tool to detect shadowing firewall rules and evolved into a small framework that makes it easy to define new scenarios.
> **Note**
> As of today, pins only supports security policies from Palo Alto firewalls (and Panorama).
You can install it using:

```sh
# pip
pip install pins
# poetry
poetry add pins
# pipx
pipx install pins
```
To use pins with Palo Alto firewalls, you first need to export the security rules. The simplest way to export them is with curl (or Invoke-RestMethod on Windows). First, get an API key:

```sh
# Linux
API_KEY=$(curl -k -s "https://<FIREWALL-IP>/api/?type=keygen&user=<USERNAME>&password=<PASSWORD>" | grep -o "<key>.*</key>" | sed -e 's/<key>//g' -e 's/<\/key>//g')
```

```powershell
# Windows
$API_KEY = (Invoke-RestMethod -SkipCertificateCheck -Uri "https://<FIREWALL-IP>/api/?type=keygen&user=<USERNAME>&password=<PASSWORD>").response.result.key
```
Then export the security rules:

```sh
# Linux
curl -k -o policies.xml "https://<FIREWALL-IP>/api/?type=config&action=show&key=$API_KEY&xpath=/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/rulebase/security"
```

```powershell
# Windows
Invoke-RestMethod -SkipCertificateCheck -Uri "https://<FIREWALL-IP>/api/?type=config&action=show&key=$API_KEY&xpath=/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/rulebase/security" -OutFile policies.xml
```
> **Important**
> You may need to update the xpath to match your specific environment.
Once you have your security policies file, run the following from the same directory:

```sh
pins run shadowing policies.xml
```
Once installed, you can run it using the pins command:

```sh
pins
```

To list the available scenarios:

```sh
pins list
```

To run a scenario on your own firewall rules:

```sh
pins run shadowing policies.json
```

To see how it works for yourself, run a scenario on the bundled example data:

```sh
pins run example shadowing
```
```text
$ pins run example shadowing
Executing Shadowing scenario
Shadowed rules detection complete
Analyzing results...
[rule-example2] Rule is shadowed by: ['rule-example1']
```
Currently available scenarios:

The Shadowing scenario identifies policies that will never be triggered because they are completely hidden behind earlier rules in the processing order.

For each rule, it checks whether all of the following elements are covered by a preceding rule:

- Same action (allow/deny)
- Same or broader source and destination zones
- Same or broader source and destination addresses
- Same or broader applications
- Same or broader services (ports)

When all conditions match, the later rule is flagged as shadowed.
An advanced version of Shadowing that analyses the actual IP addresses behind address objects and address groups. It identifies shadowing at the precise IP subnet level by resolving each address name to its actual IP address or subnet, so a rule can be detected as shadowed even when the earlier rule references differently named (but broader) objects.

This scenario needs three input files:

- Security rules file
- Address groups file
- Address objects file
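The following is an added example, not code from pins itself, that implements both scenarios described above on a constructed rulebase: first the name-level Shadowing check (same action, every field covered by a preceding rule, `any` as wildcard), then the subnet-level variant that resolves address objects and nested address groups to networks. The `Rule` fields, the address object/group dictionaries and the sample rule names are assumptions for the example. It goes one step beyond the text by collapsing adjacent earlier networks before the containment test, so that, for instance, two /25 objects in an earlier rule are recognised as covering a /24 in a later one.

```python
"""Added example (not pins' own code): name-level and subnet-level shadow
detection. Rule fields, address objects and address groups are constructed."""
from dataclasses import dataclass
import ipaddress

# Constructed address objects (name -> CIDR) and address groups (name -> members).
ADDRESS_OBJECTS = {
    "web-srv-1": "10.0.1.10/32",
    "web-srv-2": "10.0.1.11/32",
    "web-net": "10.0.1.0/24",
    "corp-lan": "10.10.0.0/16",
    "corp-host": "10.10.5.5/32",
}
ADDRESS_GROUPS = {
    "web-servers": ["web-srv-1", "web-srv-2"],
    "all-web": ["web-net", "web-servers"],  # groups may nest other groups
}


@dataclass
class Rule:
    """Simplified security rule; each field is a set of names, 'any' is a wildcard."""
    name: str
    action: str
    from_zones: set
    to_zones: set
    sources: set
    destinations: set
    applications: set
    services: set


def covers(earlier, later):
    """Name-level check: 'any' covers everything, otherwise later must be a subset."""
    return "any" in earlier or later <= earlier


def resolve(name, objects, groups, seen=frozenset()):
    """Expand an address object or (nested) group name into ip_network objects."""
    if name == "any":
        return [ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")]
    if name in seen:
        raise ValueError(f"circular group reference: {name}")
    if name in groups:
        nets = []
        for member in groups[name]:
            nets.extend(resolve(member, objects, groups, seen | {name}))
        return nets
    if name in objects:
        return [ipaddress.ip_network(objects[name], strict=False)]
    raise KeyError(f"unknown address name: {name}")


def networks_covered(earlier_names, later_names, objects, groups):
    """Subnet-level check: every later network lies inside some earlier network.
    Earlier networks are collapsed first, so two adjacent /25s cover a /24."""
    earlier = [n for name in earlier_names for n in resolve(name, objects, groups)]
    later = [n for name in later_names for n in resolve(name, objects, groups)]
    for net in later:
        same_version = [e for e in earlier if e.version == net.version]
        if not any(net.subnet_of(e) for e in ipaddress.collapse_addresses(same_version)):
            return False
    return True


def shadows(earlier, later, objects=None, groups=None):
    """True if `earlier` completely hides `later` (same action, every field covered).
    Addresses are compared by name unless objects/groups are supplied."""
    if earlier.action != later.action:
        return False
    for attr in ("from_zones", "to_zones", "applications", "services"):
        if not covers(getattr(earlier, attr), getattr(later, attr)):
            return False
    for attr in ("sources", "destinations"):
        if objects is None:
            if not covers(getattr(earlier, attr), getattr(later, attr)):
                return False
        elif not networks_covered(getattr(earlier, attr), getattr(later, attr), objects, groups):
            return False
    return True


def find_shadowed(rules, objects=None, groups=None):
    """Walk the rulebase in processing order; map each shadowed rule to its shadowers."""
    report = {}
    for i, later in enumerate(rules):
        shadowers = [e.name for e in rules[:i] if shadows(e, later, objects, groups)]
        if shadowers:
            report[later.name] = shadowers
    return report


# Constructed rulebase, in processing order.
RULES = [
    Rule("rule-example1", "allow", {"trust"}, {"dmz"}, {"corp-lan"}, {"all-web"},
         {"web-browsing", "ssl"}, {"application-default"}),
    # Hidden only once addresses are resolved: corp-host lies inside corp-lan and
    # web-servers inside all-web, but the names themselves differ.
    Rule("rule-example2", "allow", {"trust"}, {"dmz"}, {"corp-host"}, {"web-servers"},
         {"web-browsing"}, {"application-default"}),
    # Hidden already at name level: a strict subset of rule-example1.
    Rule("rule-example3", "allow", {"trust"}, {"dmz"}, {"corp-lan"}, {"all-web"},
         {"ssl"}, {"application-default"}),
    # Different action and broader match: never shadowed.
    Rule("rule-example4", "deny", {"trust"}, {"dmz"}, {"corp-host"}, {"web-servers"},
         {"any"}, {"any"}),
]

if __name__ == "__main__":
    for rule, by in find_shadowed(RULES).items():
        print(f"[{rule}] Rule is shadowed by: {by}")
    for rule, by in find_shadowed(RULES, ADDRESS_OBJECTS, ADDRESS_GROUPS).items():
        print(f"[{rule}] Rule is shadowed at subnet level by: {by}")
```

Run without address files, only `rule-example3` is reported; with the objects and groups resolved, `rule-example2` is reported as well, which is exactly the class of dead rule the name-level scenario cannot see. The model deliberately ignores negated address fields, users, URL categories and disabled flags; a real rulebase needs those handled before a rule can be declared dead.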
The workflow is straightforward:

```mermaid
flowchart TD
SelectScenario[Select Scenario]
SelectScenario --> LoadRules[Load Security Rules]
LoadRules --> FilterRules[Filter Security Rules]
FilterRules --> RunChecks[Run Checks for each Rule]
RunChecks --> Analyze[Analyze Results]
Analyze --> Report[Create Report]
```
A scenario is a set of checks that evaluate firewall rules against specific issues or configurations. Each scenario is designed to identify a particular problem, such as shadowed rules, rules without logging, or other security policy issues.

A check is simply a function. It takes a security policy (or several policies) as an argument and assesses whether the policies satisfy the check or not.
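To make the scenario/check idea concrete, here is an added example of a minimal framework in the shape of the flowchart above (select scenario, load and filter rules, run checks per rule, analyze, report). It is not pins' own API: the rule dictionary keys (`log_end`, `disabled`, `source`, ...), the check names and the sample rules are all constructed for this illustration. The two checks shown flag rules that do not log at session end and allow rules that match any source, any destination and any application.

```python
"""Added example (not pins' own API): a minimal scenario/check framework.
Rule fields, check names and the sample rulebase are hypothetical."""
from typing import Callable, Dict, List, Optional

# A check is a plain function: it receives the rule under test plus the rules
# that precede it in processing order, and returns a finding or None on pass.
Check = Callable[[dict, list], Optional[str]]


def check_logging_enabled(rule: dict, _preceding: list) -> Optional[str]:
    """Flag rules whose traffic is never logged (hypothetical 'log_end' field)."""
    if not rule.get("log_end", False):
        return "Rule does not log at session end"
    return None


def check_not_any_any_allow(rule: dict, _preceding: list) -> Optional[str]:
    """Flag allow rules matching any source, any destination and any application."""
    if rule["action"] == "allow" and all(
        rule[key] == ["any"] for key in ("source", "destination", "application")
    ):
        return "Rule allows any source, any destination and any application"
    return None


# A scenario is a named set of checks; adding a scenario is one dict entry.
SCENARIOS: Dict[str, List[Check]] = {
    "logging": [check_logging_enabled],
    "permissive": [check_not_any_any_allow],
}


def list_scenarios() -> List[str]:
    """Names of the registered scenarios, as a `pins list` equivalent would show."""
    return sorted(SCENARIOS)


def run_scenario(name, rules, rule_filter=lambda r: not r.get("disabled", False)):
    """Run every check of scenario `name` over each rule that passes `rule_filter`
    (disabled rules are skipped by default); returns {rule name: [findings]}."""
    checks = SCENARIOS[name]
    active = [r for r in rules if rule_filter(r)]
    results = {}
    for i, rule in enumerate(active):
        findings = [f for check in checks if (f := check(rule, active[:i])) is not None]
        if findings:
            results[rule["name"]] = findings
    return results


def report(results) -> str:
    """Render findings one per line, in the style of the example run above."""
    return "\n".join(f"[{name}] {f}" for name, fs in results.items() for f in fs)


# Constructed rulebase in processing order.
RULES = [
    {"name": "allow-web", "action": "allow", "source": ["corp-lan"],
     "destination": ["web-servers"], "application": ["web-browsing"], "log_end": True},
    {"name": "allow-all", "action": "allow", "source": ["any"],
     "destination": ["any"], "application": ["any"], "log_end": False},
    {"name": "deny-rest", "action": "deny", "source": ["any"],
     "destination": ["any"], "application": ["any"], "log_end": False},
    {"name": "old-rule", "action": "allow", "source": ["any"],
     "destination": ["any"], "application": ["any"], "log_end": False, "disabled": True},
]

if __name__ == "__main__":
    for scenario in list_scenarios():
        print(f"Executing {scenario} scenario")
        print(report(run_scenario(scenario, RULES)))
```

Each check receives the preceding rules as well as the rule under test, so an order-aware check such as shadowing fits the same signature as a per-rule check like the logging one. The filter step is what keeps disabled rules out of the findings; pass `rule_filter=lambda r: True` to audit them too.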
If you'd like to contribute, follow these steps:

```sh
git clone https://github.com/Kanguros/pins
cd pins
poetry install --with=dev
pre-commit install --install-hooks
pre-commit run --all-files
```

Feel free to open issues or submit pull requests!