XML API for Palo Alto Firewall’s debug commands.

Recently I came across a scenario where the requirement was to have an XML API for debug commands in Palo Alto firewalls. Unfortunately, the Rest API does not work for debug command, so alternatively, I wrote a script to login i.e ssh into the firewall and issue the debug commands.

I have written a very basic python script (for reference to SSH into the firewall and trigger the command.

#|*********************************************************************
# Project : SSH into the PA firewall and execute commands.
#
# Program name : PADebugCmd.py
#
# Author : Anil Kumar | Palo Alto Networks
#
# Date created : 26th Jan 2017
#
# Purpose : Workaround for a case.
#
#|*********************************************************************

import paramiko
import time

HOSTNAME = '10.10.10.1'  #Firewalls IP
PORT = 22 

def ssh_command(username, password, cmd, hostname=HOSTNAME, port=PORT):
    ssh_client = paramiko.SSHClient()
    ssh_client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
    ssh_client.load_system_host_keys()
    ssh_client.connect(hostname, port, username=username, password=password)
    remote_conn = ssh_client.invoke_shell()
    print "Interactive SSH session established"
    remote_conn.send("set cli pager off\n")
    remote_conn.send(""+cmd+"\n")
    time.sleep(8)
    buff = ''
    while not buff.endswith('>'):
        resp = remote_conn.recv(15000)
        buff += resp
        print(resp)

if __name__ == '__main__':
    username = input("Enter username: ")
    password = input("Enter password: ")  
    cmd = 'debug log-receiver statistics'
    ssh_command(username, password, cmd)

NOTE :

1. You may tweak the script as per your requirements.
2. I tried using exec_command(), but the SSH client gets stuck at execute command. I think I did hit a bug with python paramiko. As a work around I used send() and recv() methods of the paramiko channel class. This worked absolutely fine for me.
3. You may disable echo for password using getpass().