Example Complex Validation Skillet

This is a more complex example showing how to validate a portion of a PAN-OS configuration. Often times, you need to check for specific values or apply some simple logic to a portion of the config to determine if it is considered compliant or not. Skillets of type pan_validation allow you to do just that.

By default, Panhandler will always supply a variable called ‘config’ that contains the NGFW running config. The parse cmd can be used to pull out and capture specific parts of that config. In this example, we use an advanced xpath query to return a variable containing a list of all file-blocking profiles that have either the desired ‘file type’ or ‘any’ in the member list. We then use the ‘filter_items’ attribute to further filter the list to only include those items that have an ‘action’ of block. In this way, you can find objects in the configuration without knowing the full XPATH.

The snippets with a cmd type of validate is where the actual compliance checks are performed. The test attribute will be evaluated as a jinja boolean expression. True values are considered to have ‘passed’ this test.

name: complex_validation_323E38BD-D5E0-4ED2-8F39-3AE283B899AD

label: Complex Validation Example - File Blocking Profiles

description: |
  This skillet checks the running config to ensure at least one file-blocking profile exists with the desired
  file type and has an action of 'block'.

type: pan_validation

labels:
  collection:
    - Example Skillets

variables:
  - name: file_type
    description: File Type to Check
    default: torrent
    type_hint: text
    help_text: Which type of file to check to ensure it is being blocked correctly

snippets:
  - name: profile_objects
    cmd: parse
    variable: config
    outputs:
      # This example uses a complex XPATH query to find a list of all file-blocking profile entries that have
      # either the desired file-type as a member or 'any'
      - name: fb_profiles
        capture_list: |
          /config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/profiles/file-blocking//
          entry/rules/entry/file-type/member[text()="{{ file_type }}" or text()="any"]/../..
        # This further filters the list to *only* include those items that have an action of 'block'
        filter_items: item | element_value('entry.action') == 'block'

  - name: file_blocking_check
    label: Ensure at least one file blocking profile is blocking {{ file_type }}
    test: |
      (
      fb_profiles | length
      )
    documentation_link: https://ironscotch.readthedocs.io/en/docs_dev/viz_guide_panos.html#object-security-profiles-antivirus-blocking