Karthik Mani
Published in Oracle Developers
7 min read, Apr 20, 2023

How To: Automate conversion of firewall rules from PaloAlto to OCI Network Firewall

Oracle Cloud Infrastructure Network Firewall is a next-generation managed network firewall and intrusion detection and prevention service for Oracle Cloud Infrastructure (OCI) virtual cloud network (VCN), powered by Palo Alto Networks.

If you have been using Palo Alto firewalls and are planning to migrate to Oracle Cloud Infrastructure (OCI) Network Firewall, you will need to convert your existing firewall rules into OCI Network Firewall policies. In this article, I explain how to use my automation tool, which converts the rules from a Palo Alto firewall into an OCI Network Firewall policy.

Prerequisites to use this tool:

1. Python: You should have Python 3 installed on your system.

Refer to this link for installing Python on your workstation.

2. Required packages: The code needs a few Python packages. pandas handles the Excel sheet and needs openpyxl to read and write .xlsx files; xml and ipaddress are part of the Python standard library and need no installation. Install the third-party packages by running the following command in your terminal:

pip install pandas openpyxl

3. Palo Alto configuration file: The script expects a Palo Alto configuration file named config.xml in the same directory as the script. Make sure the file is in the correct location.

Refer to this link to export a running-config.xml from the firewall.

4. Access to the OCI Network Firewall service: You should have access to the service and the IAM permissions to create and update network firewall policies, including their IP address lists and application lists.

Refer to this link for the IAM policies required to access OCI Network Firewall.

(Optional, needed only if you want the script to install the policy for you)

5. OCI API key: You will need an OCI API key pair to call the OCI API. You can generate one from the OCI console.

6. OCI configuration file: You will need an OCI configuration file (~/.oci/config) containing your tenancy OCID, user OCID, region, and the location of your private key. You can create it by following the instructions in the OCI documentation.

7. OCI CLI: The install step drives the OCI CLI (the oci command), so the CLI must be installed and on your PATH. Note that pip install oci installs only the Python SDK, not the command-line tool; the CLI package is oci-cli:

pip install oci-cli

For detailed instructions on installing the OCI CLI on different operating systems, please watch the following videos:

Note: If the OCI CLI is not installed locally, copy the JSON files the tool creates into OCI Cloud Shell (the browser-based terminal in the OCI console, which has the CLI preinstalled) and run the CLI commands there to update the firewall policy.

Below are the commands to update the IP address lists, then the application lists, then the security rules. Run them in that order, because the security rules reference the lists by name. Each update replaces the whole list on the policy with the contents of the file, so point these at a new or empty policy rather than one that already carries rules you want to keep:

oci network-firewall network-firewall-policy update --network-firewall-policy-id <ocid1.networkfirewallpolicy.oc1.ap-mumbai-1.xxxx> --ip-address-lists file://IP-Address-List.json
oci network-firewall network-firewall-policy update --network-firewall-policy-id <ocid1.networkfirewallpolicy.oc1.ap-mumbai-1.xxxx> --application-lists file://Application-List.json
oci network-firewall network-firewall-policy update --network-firewall-policy-id <ocid1.networkfirewallpolicy.oc1.ap-mumbai-1.xxxx> --security-rules file://Security_Rules_v2.json

Usage:

To convert Palo Alto firewall policies using the PaloAlto-Migration.py script, follow the steps below:

1. Open a terminal or command prompt on your Mac or Windows computer.
2. Copy the Palo Alto firewall backup (running-config.xml) into the same folder as the PaloAlto-Migration.py script and rename it to config.xml.
3. In the terminal, navigate to that folder using the cd command.
4. Run the script:

python3 PaloAlto-Migration.py

5. The script offers options to convert the rules, install the rules on the OCI firewall, or exit.

Choose the appropriate option to convert the PaloAlto Firewall policies.

Please use this tool to convert - Palo Alto Firewall rules to OCI Network Firewall rules

Select an option:
1. Convert rules
2. Install rules to OCI Firewall
3. Exit

When the script is executed for the first time, choose option 1. The output should look like this:

Enter option number: 1
Executing Python script A to convert rules...
Coversion Done!! Review the missing_items.xlsx , update the IP-Address or Service columns without fail!

a) Palo Alto firewalls allow administrators to enter IP addresses directly in security rules without creating an address object first. OCI Network Firewall requires these objects to exist (as IP address lists) before a security rule can reference them.

b) Palo Alto security rules can also match on App-ID. App-IDs carry no port/protocol definition in the configuration, so rules that use them will not get a corresponding entry in Application-List.json automatically.

Therefore, the script generates an Excel sheet called missing_items.xlsx in which the administrator must fill in the details of the missing objects.

Refer to the demo video below to understand how to run this tool!

Once missing_items.xlsx has been validated and the required details entered, proceed with option 2. The output will look like the example below:

Enter option number: 2
Executing Python script B to install rules to OCI Firewall...
Enter compartment OCID: ocid1.compartment.oc1..aaaaaaaa5nmydshoioxvnbqobahkt5yu7dz4hynywmea74ag4qeecydaiq6a
Enter display name: PaloAlto-demo
Enter profile name: DEFAULT
Wait while your new firewall policy is getting created :
{
"opc-work-request-id": "ocid1.networkfirewallworkrequest.oc1.ap-hyderabad-1.amaaaaaadrm45caaxmzpl6fh6pr4n5cc3rh4zr23vwiio7f2q4thdphimi3q"
}
Wait while your IP-Address-List is getting updated..
{
"opc-work-request-id": "ocid1.networkfirewallworkrequest.oc1.ap-hyderabad-1.amaaaaaadrm45caanq73khkk6sfk6zbf3ynisgx725cs5uthdhqly4j4hxqq"
}
Wait while your Application-List is getting updated..
{
"opc-work-request-id": "ocid1.networkfirewallworkrequest.oc1.ap-hyderabad-1.amaaaaaadrm45caayphi6lii7dxdbn5k36bitxciauurzpdsjs5xuqsw7nuq"
}
Wait while your Security-rules are getting updated..

Select an option:
1. Convert rules
2. Install rules to OCI Firewall
3. Exit
Enter option number: 3
Exiting...

After the script completes, you should see three JSON files (IP-Address-List.json, Application-List.json, and Security_Rules_v2.json) in the directory where the script was run, and the script will have attempted to install the policy in your OCI Network Firewall.

You can download the script from here.

IMPORTANT NOTE:

At the time of writing, the OCI Network Firewall console (GUI) restricts users from creating more than 25 objects such as IP address lists, application lists, and URL lists. The OCI Network Firewall product team is working to remove this restriction. This script gets around the console limit by creating the additional objects through the API. I have successfully migrated rule bases of up to 300 security rules and 600 objects (IP addresses and applications). Larger rule bases should convert without problems, but you may hit errors when installing them on the OCI firewall.

In such cases, raise a support SR with the OCI Network Firewall team.

KNOWN ISSUES:

1. This tool takes the Palo Alto firewall's XML export as input. If Palo Alto changes the XML schema, the corresponding parsing code has to change.
2. This version of the code handles only firewall security (access) rules. Policy-based routing (PBR) rules are not exported.
3. Review which features your Palo Alto firewall uses against what OCI Network Firewall offers. The OCI native firewall is deliberately lean and is not meant to act as a NAT device, VPN terminator, proxy, or router. When you move to OCI Network Firewall, those functions have to be migrated to other OCI native services, so the corresponding rules are not part of this migration.
4. missing_items.xlsx lists the IP address object names and service object names that are referenced in security rules but missing from the IP address and application lists. You must fill in these details manually in the spreadsheet. The code does no format checking of what you enter: a malformed IP address or service definition will make the policy install fail, and a mistyped but syntactically valid entry (for example a wrong prefix length) will install a rule that does not match what you intended, so double-check the entries before choosing option 2.

CODE DESIGN:

PaloAlto-Migration.py:

1. Presents three options (1. convert the rules, 2. install the rules, 3. exit).
2. Option 1 runs PA-Convert.py.
3. Option 2 runs PA-Install.py.
4. Option 3 exits.

PA-Convert.py:

1. A function sanitizes object names into the form OCI Network Firewall accepts.
2. The Palo Alto config.xml file is loaded.
3. IP address objects, address groups, and IP ranges from config.xml are converted into IP-Address.json.
4. Service objects and service groups that carry port/protocol information are converted into Apps-List.json.
5. security_rules.json is created with the source, destination, and applications extracted from the security rules section of config.xml.
6. IP-Address.json and Apps-List.json are compared against security_rules.json. Any IP address or application referenced in a security rule but absent from the other two files is exported to an Excel sheet called missing_items.xlsx.
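The PA-Convert.py steps above, worked through on a small constructed PAN-OS export. This is an added example and not the author's code: it parses address objects, a static address group, service objects and two security rules out of the XML, builds OCI-style IP address lists and application lists, and reports the rule members that no object defines (a literal IP in a destination and the App-ID "ssl"), which is what the tool writes to missing_items.xlsx. The OCI JSON field names, the name-sanitizing rule (letters, digits, '-' and '_' only), the action mapping and the convention that an empty sources/destinations list means "any" are assumptions, not taken from the page.

```python
"""Added example, not the author's PA-Convert.py. Assumptions not taken from the
page: OCI field names approximate the policy schema; sanitize() keeps only
[A-Za-z0-9_-]; an empty sources/destinations list means 'any'; ACTION_MAP."""
import ipaddress
import re
import xml.etree.ElementTree as ET

# Constructed sample, not a real export, in the PAN-OS running-config layout.
SAMPLE_CONFIG = """<config><devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
 <address>
  <entry name="web srv 1"><ip-netmask>10.0.1.10/32</ip-netmask></entry>
  <entry name="db-range"><ip-range>10.0.2.10-10.0.2.12</ip-range></entry>
 </address>
 <address-group><entry name="app-tier"><static>
  <member>web srv 1</member><member>db-range</member></static></entry></address-group>
 <service>
  <entry name="svc-https"><protocol><tcp><port>443</port></tcp></protocol></entry>
  <entry name="svc-dns"><protocol><udp><port>53</port></udp></protocol></entry>
 </service>
 <rulebase><security><rules>
  <entry name="allow web"><source><member>app-tier</member></source>
   <destination><member>198.51.100.7</member></destination>
   <application><member>any</member></application>
   <service><member>svc-https</member><member>svc-dns</member></service>
   <action>allow</action></entry>
  <entry name="ssl only"><source><member>any</member></source>
   <destination><member>web srv 1</member></destination>
   <application><member>ssl</member></application>
   <service><member>application-default</member></service>
   <action>deny</action></entry>
 </rules></security></rulebase>
</entry></vsys></entry></devices></config>"""

# Assumed mapping of PAN-OS actions onto OCI rule actions; unknown ones fall closed.
ACTION_MAP = {"allow": "ALLOW", "deny": "DROP", "drop": "DROP", "reset-client": "REJECT"}


def sanitize(name):
    """Assumed OCI naming rule: keep letters, digits, '-' and '_', replace the rest."""
    return re.sub(r"[^A-Za-z0-9_-]", "_", name.strip())


def range_to_cidrs(spec):
    """PAN-OS ip-range 'a-b' -> the minimal list of CIDR blocks covering it."""
    first, last = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
    return [str(n) for n in ipaddress.summarize_address_range(first, last)]


def as_cidr(text):
    """CIDR string if the text is a literal IP or prefix, otherwise None."""
    try:
        return str(ipaddress.ip_network(text, strict=False))
    except ValueError:
        return None


def parse_config(xml_text):
    """Return (ip_lists, app_lists, rules, missing) from a PAN-OS config export."""
    vsys = ET.fromstring(xml_text).find("./devices/entry/vsys/entry")

    ip_lists = {}
    for e in vsys.findall("./address/entry"):
        if e.find("ip-netmask") is not None:
            ip_lists[sanitize(e.get("name"))] = [as_cidr(e.findtext("ip-netmask"))]
        elif e.find("ip-range") is not None:
            ip_lists[sanitize(e.get("name"))] = range_to_cidrs(e.findtext("ip-range"))
    # A static address group flattens to the union of its members' prefixes.
    for g in vsys.findall("./address-group/entry"):
        members = [sanitize(m.text) for m in g.findall("./static/member")]
        ip_lists[sanitize(g.get("name"))] = sorted({p for m in members for p in ip_lists.get(m, [])})

    app_lists = {}
    for s in vsys.findall("./service/entry"):
        for proto in ("tcp", "udp"):
            port = s.findtext(f"./protocol/{proto}/port")
            if port:  # "443" or "1024-65535"
                lo, _, hi = port.partition("-")
                app_lists[sanitize(s.get("name"))] = [
                    {"type": proto.upper(), "minimum-port": int(lo), "maximum-port": int(hi or lo)}]

    rules, missing = [], []
    # (rule field, PAN-OS element, the lists that must already define the member)
    fields = (("sources", "source", ip_lists), ("destinations", "destination", ip_lists),
              ("applications", "service", app_lists), ("applications", "application", app_lists))
    for r in vsys.findall("./rulebase/security/rules/entry"):
        rule = {"name": sanitize(r.get("name")), "sources": [], "destinations": [],
                "applications": [], "action": ACTION_MAP.get(r.findtext("action"), "DROP")}
        for field, element, known in fields:
            for m in r.findall(f"./{element}/member"):
                if m.text in ("any", "application-default"):
                    continue  # "any" is expressed by leaving the list empty
                rule[field].append(sanitize(m.text))
                if sanitize(m.text) not in known:
                    # Literal IPs in rules and App-IDs have no object yet: report them.
                    missing.append({"rule": rule["name"], "field": field,
                                    "member": m.text, "suggested_cidr": as_cidr(m.text)})
        rules.append(rule)
    return ip_lists, app_lists, rules, missing


if __name__ == "__main__":
    import json
    ip_lists, app_lists, rules, missing = parse_config(SAMPLE_CONFIG)
    # In the tool these become IP-Address.json, Apps-List.json and security_rules.json.
    print(json.dumps({"ip_lists": ip_lists, "app_lists": app_lists, "rules": rules}, indent=1))
    for item in missing:
        print("MISSING:", item)
```

The missing-items report carries a suggested CIDR when the member is a literal address, which is the value the administrator would otherwise type into the spreadsheet by hand; for an App-ID such as "ssl" there is nothing to suggest, because the port/protocol has to come from the administrator.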

PA-Install.py:

1. Reads missing_items.xlsx, applies the corrections to Apps-List.json, and writes Application-List.json.
2. Reads missing_items.xlsx, applies the corrections to IP-Address.json, and writes IP-Address-List.json.
3. Identifies security rules that mix ICMP and TCP/UDP applications and splits each into separate rules, because OCI Network Firewall will not accept an access rule that combines ICMP and non-ICMP applications. Then writes Security_Rules_v2.json.
4. Finally, creates a firewall policy in OCI and pushes the JSON files through the OCI CLI (if it is available).
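The two install-side checks that the PA-Install.py steps and Known Issue 4 call for, as an added example that is not the author's code: validate_missing_rows() gives the entries typed into missing_items.xlsx the format check the tool currently lacks (rejecting bad prefixes and port ranges before anything is pushed to OCI), and split_mixed_rules() separates ICMP from TCP/UDP application lists, which OCI Network Firewall will not accept together in one rule. The spreadsheet columns (type, name, value), the value formats (comma-separated CIDRs for ip rows, tcp/443 or udp/1024-65535 for service rows), the application-list entry shape and the ICMP/ICMP6 type names are assumptions, not taken from the page.

```python
"""Added example, not the author's PA-Install.py. Assumptions not taken from the
page: rows have 'type', 'name', 'value' columns; 'ip' values are comma-separated
CIDRs, 'service' values are proto/port or proto/lo-hi; OCI list entry shape."""
import ipaddress

ICMP_TYPES = {"ICMP", "ICMP6"}


def validate_missing_rows(rows):
    """Return (objects, errors) for rows shaped like pandas' df.to_dict("records").
    Nothing should be pushed to OCI while errors is non-empty."""
    objects, errors = [], []
    for rownum, row in enumerate(rows, start=2):  # spreadsheet row; header is row 1
        try:
            kind, name, value = row["type"], row["name"], str(row["value"])
            if kind == "ip":
                # strict=True: "10.0.0.1/24" is rejected instead of being silently
                # widened to 10.0.0.0/24, which would allow more than intended.
                cidrs = [str(ipaddress.ip_network(p.strip())) for p in value.split(",")]
                objects.append({"type": "ip", "name": name, "addresses": cidrs})
            elif kind == "service":
                proto, _, ports = value.partition("/")
                if proto.upper() not in ("TCP", "UDP"):
                    raise ValueError(f"protocol must be tcp or udp, got {proto!r}")
                lo, _, hi = ports.partition("-")
                lo, hi = int(lo), int(hi or lo)
                if not 1 <= lo <= hi <= 65535:
                    raise ValueError(f"port range {ports!r} out of order or outside 1-65535")
                objects.append({"type": "service", "name": name, "app": {
                    "type": proto.upper(), "minimum-port": lo, "maximum-port": hi}})
            else:
                raise ValueError(f"type must be 'ip' or 'service', got {kind!r}")
        except (KeyError, ValueError) as exc:
            errors.append(f"row {rownum}: {exc}")
    return objects, errors


def split_mixed_rules(rules, app_lists):
    """Split every rule that references both ICMP and non-ICMP application lists
    into an '_l4' rule and an '_icmp' rule that share sources, destinations and
    action. Rules that are all-ICMP or all-L4 pass through unchanged."""
    out = []
    for rule in rules:
        icmp, other = [], []
        for app in rule["applications"]:
            types = {entry["type"] for entry in app_lists[app]}
            if types <= ICMP_TYPES:
                icmp.append(app)
            elif types & ICMP_TYPES:
                # A single list that mixes ICMP and TCP/UDP entries cannot be split
                # at rule level; the list itself has to be divided first.
                raise ValueError(f"application list {app!r} mixes ICMP and L4 entries")
            else:
                other.append(app)
        if icmp and other:
            out.append({**rule, "name": rule["name"] + "_l4", "applications": other})
            out.append({**rule, "name": rule["name"] + "_icmp", "applications": icmp})
        else:
            out.append(rule)
    return out


# Constructed sample rows, as if read back from missing_items.xlsx.
SAMPLE_ROWS = [
    {"type": "ip", "name": "mgmt_host", "value": "198.51.100.7/32"},
    {"type": "ip", "name": "bad_mask", "value": "10.0.0.1/24"},       # host bits set
    {"type": "service", "name": "svc-rdp", "value": "tcp/3389"},
    {"type": "service", "name": "svc-bad", "value": "tcp/70000"},      # port out of range
]
# Constructed application lists and rules in the shape the converter emits.
SAMPLE_APPS = {
    "svc-https": [{"type": "TCP", "minimum-port": 443, "maximum-port": 443}],
    "icmp-echo": [{"type": "ICMP", "icmp-type": 8, "icmp-code": 0}],
}
SAMPLE_RULES = [
    {"name": "ping_and_web", "sources": ["app-tier"], "destinations": ["mgmt_host"],
     "applications": ["svc-https", "icmp-echo"], "action": "ALLOW"},
    {"name": "web_only", "sources": [], "destinations": ["mgmt_host"],
     "applications": ["svc-https"], "action": "ALLOW"},
]

if __name__ == "__main__":
    objects, errors = validate_missing_rows(SAMPLE_ROWS)
    print(len(objects), "objects accepted")
    print("\n".join(errors))
    for rule in split_mixed_rules(SAMPLE_RULES, SAMPLE_APPS):
        print(rule["name"], rule["applications"])
```

Running the validation before option 2 turns "the policy will fail to get installed" into a row-numbered error list the administrator can fix in the spreadsheet, and the strict prefix check is the one that matters most for a firewall: a typed host address with a wrong mask should be refused rather than quietly turned into a whole subnet.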

Migrating the firewall rules is usually the most time-consuming step when replacing an existing firewall. This tool is intended to fast-track that phase.

Still, a firewall migration on a production network must be planned carefully. I have covered a high-level approach in this blog!

Join our Oracle Developers Slack to discuss more!


Experienced Principal Cloud Security - Solution Architect with strong skills in information security, risk management, and scalable cloud infrastructure.