In this article we will explore the various methods used for authenticating against Palo Alto's PAN-OS API, which allows administrators to programmatically interface with Palo Alto firewalls and Panorama appliances. The methods discussed cover both the XML and REST APIs. There are a few considerations to make when deciding how to configure your appliances to authenticate API requests, as well as how to handle API authentication in code.
After using SNMP to query a remote device for a particular ObjectType and getting the response ObjectType (which includes the MIB identity and the corresponding value), it is useful to be able to programmatically parse the PySNMP ObjectIdentity. This allows you to read the OID hierarchy and get a list of human-readable MIB variable names for each node in the list.
The information obtained with SNMP from network devices ranges from simple time-series data, like interface metrics, to complex and sensitive status information about the features and protocols that the device is running. It is critical to protect this information in transit between an SNMP agent and manager by utilizing SNMPv3. Sensitive data from network devices sent in SNMP responses can be used by malicious parties to perform reconnaissance of your environment, learn which protocols and features you utilize, and prepare a more specific attack based on what is learned.
Up until now my articles (PySNMP HLAPI, Compiling MIB's for PySNMP) have focused on using simple SNMP GET requests with PySNMP's getCmd. This works great for simple SNMP queries where you only need one piece of information. When gathering larger data sets with SNMP, issuing a single SNMP GET request for each data point can be very inefficient. Often you are limited by the latency that exists between the SNMP manager (your script/code) and the SNMP agent running on a network device. In this article we will explore PySNMP's implementation of SNMP GET NEXT and GET BULK using the nextCmd and bulkCmd command generators, and how to retrieve the ifTable table of data from an SNMP agent.
The ability to refer to an SNMP MIB variable by name is an important aspect of increasing the readability and understanding of your Python scripts. PySNMP comes with several common pre-compiled MIBs in a format that it's capable of using, but if you need to query a MIB variable it doesn't ship with, you're left referring to the variable as an SNMP OID. Having to remember what a particular OID is for, or creating a mapping table between a MIB variable name and its OID (such as a Python dictionary), can become tedious. Additionally, parsing a PySNMP ObjectType class instance that isn't fully translated to the MIB variable name can make things more complicated.
I've previously written about PySNMP's simpler SNMP query using the one-liner command generators as a method to send SNMP queries using an OID. That method allows you to avoid having to compile MIBs that do not come by default in the PySNMP library. In the next few posts I want to outline how to use PySNMP's high-level API (hlapi) and how to compile any MIBs that may be missing. This will help you use PySNMP in its intended fashion, referring to the OID by name, which provides better readability.
Within this article I will explore PySNMP's hlapi by breaking down its own quick-start 'fetch SNMP variable' example. The hlapi was designed to be an easy-to-use API for as close to a 'one-liner' SNMP query as you can get. The examples in this guide will focus on the synchronous implementation (performing one SNMP task at a time), but there is the capability to use PySNMP asynchronously if you are looking for increased speed and scalability.
December 9th, 2021 rocked the world for a significant number of IT professionals responsible for building and protecting the applications their organizations create and deploy. Apache announced CVE-2021-44228, commonly referred to as Log4Shell, a zero-day vulnerability affecting their log4j logging software. Due to the severity of the vulnerability and the relative ease with which it can be exploited, it is critical to ensure that affected assets are protected. This article aims to highlight how the network plays a critical role in the protection of assets and the detection of vulnerabilities like Log4Shell.
If you have ever read through the Cisco ISE 3.0 Upgrade Guide, you know that it involves a lot of decision points and having to reference many other Cisco documents just to build a complete implementation plan for upgrading Cisco ISE from 2.x to 3.x. It is a complicated process if you have never been through it before, and often you're left with more questions than answers when researching how to proceed. This usually involves engaging Cisco TAC to help clarify points that aren't necessarily obvious in their documentation. Having gone through this upgrade path this past year, I thought that documenting the procedures I followed may help others succeed in their own upgrades. Understand that all implementations are different, so use this as another piece of information as you research how to perform this upgrade.
Ansible can be a very powerful automation tool, allowing you to interact with hundreds or thousands of network devices at once. The automation is defined through a combination of inventory files, variable files, and playbooks (with optional task files and roles). The combination of these features makes a very powerful automation tool, but with that comes a high level of risk. In this guide I highlight a few best practices to follow when executing Ansible playbooks. By following these best practices you will have increased confidence that you are implementing the correct tasks against the correct set of devices, and avoid any surprises!