Please note that orangengine is still considered pre alpha and has not made a public release yet. Soon...
Firewall Policy Automation Engine
Orangengine is a netmiko/napalm like library for working with network firewall policy.
Currently we support these platforms:
- Juniper SRX
- Palo Alto Networks - Panorama Device Groups
- VMware NSX DFW (road map)
Orangengine works by connecting to a device and parsing its policy into a common data model. This allows us to interact with the policy in an abstracted, vendor neutral manner. Here is a simple example of a policy representation in orangengine:
my_policy = {
'source_addresses': ['10.0.0.1/32', '10.20.0.2/32'],
'destination_addresses': ['10.50.0.1/32'],
'services': [('tcp', '443'), ('tcp', '22')],
'action': 'permit'
}
First we will need to define the parameters needed to make a device connection.
device_params = {
'device_type': 'juniper_srx',
'ip': '192.168.188.2',
'username': 'admin',
'password': 'admin',
}
device_type
defines what kind of device we are connecting to so we use the
appropriate driver. Generally there is a common set of params among the device drivers
such as username
, password
, etc. Some drivers have support for other parameters,
for example you can connect to a Palo Alto Networks device using an api_key
.
Now we can dispatch our device connection using our parameter dictionary.
device = orangengine.dispatch(**device_params)
This will return us an instance of our device object using the given driver and by default will open a connection to the device and parse the entire policy base.
At this point with a fully parsed policy, we can do a number things like search the policy base or request a candidate for a new policy or policy addition. Let's look at a simple policy search (called a policy match) example.
Using the policy model described above, lets find all policies that have 10.0.0.1/32
as a destination with an action of permit.
match_criteria = {
'destination_addresses': ['10.0.0.1/32'],
'action': 'permit',
}
Now we use the most basic matching function to search the policy base and return a list of matched policies.
matched_policies = device.policy_match(match_criteria, match_containing_networks=False)
As you can see, by default policy_match()
will search contianing networks. Meaning in this example,
we would have gotten result for polciies containing 10.0.0.0/24
if match_containing_networks
was true.
Finally, we can simply print the matched policy names.
for p in matched_policies:
print p.name