Recently I came across a scenario where the requirement was to have an XML API for debug commands in Palo Alto firewalls. Unfortunately, the REST API does not work for debug commands, so as an alternative I wrote a script to log in (i.e., SSH) to the firewall and issue the debug commands.
I have written a very basic Python script (for reference) to SSH into the firewall and trigger the command.
```python
#|*********************************************************************
# Project : SSH into the PA firewall and execute commands.
#
# Program name : PADebugCmd.py
#
# Author : Anil Kumar | Palo Alto Networks
#
# Date created : 26th Jan 2017
#
# Purpose : Workaround for a case.
#
#|*********************************************************************
import time

import paramiko

HOSTNAME = '10.10.10.1'  # Firewall's IP
PORT = 22


def ssh_command(username, password, cmd, hostname=HOSTNAME, port=PORT):
    ssh_client = paramiko.SSHClient()
    ssh_client.load_system_host_keys()
    # AutoAddPolicy accepts any unknown host key on first connect; switch to
    # paramiko.RejectPolicy() once the firewall's key is in known_hosts.
    ssh_client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
    ssh_client.connect(hostname, port, username=username, password=password)
    try:
        # Interactive shell channel; exec_command() is not used (see NOTE).
        remote_conn = ssh_client.invoke_shell()
        print("Interactive SSH session established")
        remote_conn.send("set cli pager off\n")
        remote_conn.send(cmd + "\n")
        time.sleep(8)  # give the firewall time to produce the output
        buff = ''
        # Read until the buffer ends with the CLI prompt character '>'
        # (trailing whitespace after the prompt is ignored).
        while not buff.rstrip().endswith('>'):
            resp = remote_conn.recv(15000).decode('utf-8', errors='replace')
            if not resp:  # empty read: the channel was closed
                break
            buff += resp
            print(resp)
        return buff
    finally:
        ssh_client.close()


if __name__ == '__main__':
    username = input("Enter username: ")
    password = input("Enter password: ")
    cmd = 'debug log-receiver statistics'
    ssh_command(username, password, cmd)
```
NOTE :
- You may tweak the script as per your requirements.
- I tried using exec_command(), but the SSH client gets stuck at the execute command. I think I hit a bug in Python paramiko. As a workaround I used the send() and recv() methods of the paramiko Channel class. This worked absolutely fine for me.
- You may disable echo for password using getpass().
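
The send()/recv() loop in the script relies on a fixed sleep and a bare '>' check, so it can stop on a '>' that appears inside the output, and recv() blocks indefinitely if the prompt never arrives. The following is an added example, not part of the original script: it reads from the channel returned by invoke_shell() until a full prompt is seen or a timeout expires. The prompt pattern, the function names, FakeChannel and the transcript are assumptions constructed for illustration.

```python
import re
import time
from collections import deque

# Assumption: the CLI prompt looks like "user@host>" or "user@host(active)>".
PROMPT_RE = re.compile(r"[\w.-]+@[\w.-]+(\([\w-]+\))?>\s*$")

def read_until_prompt(chan, timeout=30.0, poll=0.05):
    """Collect output until the buffer ends with a prompt, or fail loudly."""
    buf, deadline = "", time.monotonic() + timeout
    while not PROMPT_RE.search(buf):
        if time.monotonic() > deadline:
            raise TimeoutError("no prompt in %.1fs, tail=%r" % (timeout, buf[-60:]))
        if not chan.recv_ready():
            time.sleep(poll)
            continue
        data = chan.recv(4096)
        if not data:  # an empty read means the channel was closed
            raise ConnectionError("channel closed before prompt")
        buf += data.decode("utf-8", errors="replace")
    return buf

def run_commands(chan, cmds, timeout=30.0):
    """Send each command only after the previous prompt; map cmd -> output."""
    read_until_prompt(chan, timeout)  # consume login banner and first prompt
    results = {}
    for cmd in cmds:
        chan.send(cmd + "\n")
        lines = read_until_prompt(chan, timeout).replace("\r", "").split("\n")
        results[cmd] = "\n".join(lines[1:-1]).strip()  # drop echo and prompt
    return results

class FakeChannel:
    """Constructed stand-in for the shell channel: replays canned chunks."""
    def __init__(self, banner, replies):
        self.pending, self.replies = deque(banner), deque(replies)
    def recv_ready(self):
        return bool(self.pending)
    def recv(self, nbytes):
        return self.pending.popleft()
    def send(self, text):
        self.pending.extend(self.replies.popleft())  # one chunk list per command

def demo():
    p = b"admin@fw-lab> "  # constructed transcript; one chunk ends in a bare '>'
    cmds = ["set cli pager off", "debug log-receiver statistics"]
    replies = [[b"set cli pager off\r\n", p],
               [b"debug log-receiver statistics\r\nconstructed: a >", b" b\r\ndone\r\n", p]]
    return run_commands(FakeChannel([b"Welcome (constructed)\r\n", p], replies), cmds)
```

With a real connection, pass the channel from ssh_client.invoke_shell() to run_commands() in place of FakeChannel.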