Identifying which zone a subnet is in on a Palo Alto firewall – Script

One of the challenges with managing any zone-based firewall at scale is knowing which zone everything is in. We all know that the network should be well documented, but we also know that routing tables get unwieldy, and it’s not uncommon, when adding a firewall rule, to be left wondering exactly which zone that source or destination is in.

There are three ways to find the zone:

The GUI Way

Logging in to the web interface of the gateway – either by changing contexts from Panorama or going direct, you can navigate to Network -> Virtual Routers. From this page select the relevant virtual router and click “More Runtime Stats”. Find a route matching the destination, and look up what the egress interface is. Close this window, and navigate to Network -> Interfaces. Find the egress interface you just noted down, and view what zone it is in.

The CLI Way

It can be slightly quicker (if you remember the commands) to SSH to the gateway and run a test against the routing table. This can be easier because in the GUI you have to find the matching route yourself, whereas the test tells you which route it matched.

The commands are:

test routing fib-lookup virtual-router <virtualrouter> ip <IP>

This will give you an output like this:

admin@PA-VM> test routing fib-lookup virtual-router default ip 1.2.3.4
--------------------------------------------------------------------------------
runtime route lookup
--------------------------------------------------------------------------------
virtual-router: default
destination: 1.2.3.4
result: 
via 10.152.1.5 interface ethernet1/24.20, source 10.152.1.6, metric 65434
--------------------------------------------------------------------------------

This clearly tells you the exit interface for the route – you then run a show interface command to see the zone for that interface:

admin@PA-VM> show interface ethernet1/24.20 | match Zone
Zone: outside, virtual system: vsys1

So now I know the correct zone for that rule is “outside”. And it doesn’t matter whether that’s source or destination – as long as your routing is symmetric it’s the same procedure for identifying a source zone; you just look at how you’d get back to the source to figure out where it comes from.

Using the API

Following exactly the same procedure as the CLI, the same result can be achieved using the XML API.

You have to send these two requests:

https://paloIP/api/?type=op&cmd=<test><routing><fib-lookup><virtual-router>default</virtual-router><ip>1.2.3.4</ip></fib-lookup></routing></test>&key=YOURAPIKEY
https://paloIP/api/?type=op&cmd=<show><interface>ethernet1/24.20</interface></show>&key=YOURAPIKEY

And… who wants to remember all that?

But using the API means we can script it – so here it is.

Take a look at findzone.py here: https://gitlab.com/geekynick/palo-alto-scripts/tree/master/api

This little script runs on Python and takes 3 inputs:

  1. virtualrouter – the name of the virtual router you want to do the routing lookup in
  2. ipaddr – the IP address you want to look up
  3. credentialfile – the credential file.

The credential file is simply a text file with the device name or IP on line 1, and the API key on line 2. There’s another script in the same repo called “creds.py” which will create that for you interactively.
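As an added example (not the findzone.py from the repo), the same two API calls with the response handling written so it can be tested offline. The XML reply layouts (`<result><interface>` for the fib-lookup, `<ifnet><zone>` for show interface) are assumptions modelled on the CLI output above, and the replies themselves are constructed.

```python
import urllib.parse
import xml.etree.ElementTree as ET

def fib_lookup_url(host, vr, ip):
    # Same op command as the post. Send the key in an X-PAN-KEY header rather than
    # as key=... in the URL so it does not end up in proxy or web-server logs.
    cmd = (f"<test><routing><fib-lookup><virtual-router>{vr}</virtual-router>"
           f"<ip>{ip}</ip></fib-lookup></routing></test>")
    return f"https://{host}/api/?" + urllib.parse.urlencode({"type": "op", "cmd": cmd})

def show_interface_url(host, iface):
    cmd = f"<show><interface>{iface}</interface></show>"
    return f"https://{host}/api/?" + urllib.parse.urlencode({"type": "op", "cmd": cmd})

def egress_interface(fib_xml):
    """Egress interface named in a fib-lookup reply, or None when there is no route."""
    root = ET.fromstring(fib_xml)
    if root.get("status") != "success":
        return None
    node = root.find("./result/interface")
    return node.text if node is not None and node.text else None

def interface_zone(show_xml):
    """Zone reported for an interface by show interface (assumed <ifnet><zone> layout)."""
    node = ET.fromstring(show_xml).find(".//zone")
    return node.text if node is not None else None

def find_zone(host, vr, ip, fetch):
    """fetch(url) -> body text; injected so the lookup runs without a firewall."""
    iface = egress_interface(fetch(fib_lookup_url(host, vr, ip)))
    if iface is None:
        return None            # no matching route: nothing to look up a zone for
    return iface, interface_zone(fetch(show_interface_url(host, iface)))

# Constructed replies mirroring the post: 1.2.3.4 -> ethernet1/24.20 -> zone "outside".
CONSTRUCTED = {
    "1.2.3.4": ('<response status="success"><result><nh>ip</nh><src>10.152.1.6</src>'
                '<ip>10.152.1.5</ip><metric>65434</metric>'
                '<interface>ethernet1/24.20</interface></result></response>'),
    "ethernet1/24.20": ('<response status="success"><result><ifnet>'
                        '<name>ethernet1/24.20</name><zone>outside</zone></ifnet>'
                        '</result></response>'),
}

def fake_fetch(url):
    """Stand-in for the HTTPS GET: answers from the constructed replies above."""
    cmd = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)["cmd"][0]
    for key, body in CONSTRUCTED.items():
        if key in cmd:
            return body
    return '<response status="error"><msg>no route</msg></response>'

if __name__ == "__main__":
    print(find_zone("paloIP", "default", "1.2.3.4", fake_fetch))  # ('ethernet1/24.20', 'outside')
```

Against a real gateway, replace `fake_fetch` with a function that performs the GET with the API key from the credential file; the parsing and the no-route handling stay the same.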

I often put handy little scripts like this on a central VM somewhere that the whole team can use, to make their lives just that little bit simpler.
