Enterasys | RBTSA-AA | PANOS APIs

PANOS APIs
April 2011
Marc Benoit
• What is an API?
API, an abbreviation of Application Programming Interface, is a set of routines, protocols and tools for building software applications.
Good APIs should provide all the building blocks required for a programmer to assemble them into useful applications (including documentation!).
Page 2
|
© 2011 Palo Alto Networks. Proprietary and Confidential.
• Why should I care?
SEs face a myriad of technical sales objections during the sales cycle
APIs can be leveraged to solve complex integration questions
Be aware of what is available and what is coming…
Don’t be afraid to demonstrate APIs
  ● You DON’T need to be a programmer or an expert
  ● You DO need to be able to leverage tools and be familiar with concepts
APIs can help you close deals
  ● Sell around objections
    – Usually just demonstrating our APIs puts prospects at ease regarding integration
    – Other vendors have been promising flexible APIs for years and haven’t delivered
  ● Clear differentiator
  ● Don’t paint yourself into a corner
    – Don’t volunteer to write scripts or solve all of a prospect’s problems!
• PANOS provides 2 APIs for external systems
REST API
  ● External system can manage the device remotely
  ● Can show/set/edit/delete the device config
  ● Can poll ACC/pre-defined/custom reports from the device
User-ID API
  ● User-ID integration with an external system
  ● Can add/delete IP-username mapping info against the User-ID Agent (UIA)
• REST API details
External system connects to the device management interface over SSL
External system can use the REST API to see/change device config AND/OR get report data in XML format
API communication requires a key generated with admin ID and password info
SSL connection from the external system is treated as general admin web access, so the same source address restriction and timeout setting apply
[Diagram: External System, REST API over SSL, Device Config and ACC/Report data]
• REST API samples
Step 1: generate key for API communication
Key generation request example:
https://hostname/esp/restapi.esp?type=keygen&user=username&password=password
Key generation response example:
<response status="success">
  <result>
    <key>k7J335J6hI7nBxIqyfa62sZugWx7ot%2BgzEA9UOnlZRg=</key>
  </result>
</response>
Step 2: specify the type [config | report]
• REST API samples – cont.
type = config (NOTE: REQUIRES SU ACCESS!)
  ● Specify the action [show | set | edit | delete]
  ● Set each config item in xpath
Xpath example:
xpath=devices/entry/vsys/entry/rulebase/security
Example: Get security rulebase info from device config
https://hostname/esp/restapi.esp?type=config&action=show&key=keyvalue&xpath=devices/entry/vsys/entry/rulebase/security
Example: Add config to device
https://hostname/esp/restapi.esp?type=config&action=set&key=keyvalue&xpath=xpathvalue&element=element-value
• REST API samples – cont.
type = report
  ● Specify the reporttype [dynamic | predefined | custom]
  ● Specify reportname
  ● Can specify the period OR starttime & endtime (optional)
Example: Get Application Top 5 data from ACC
https://hostname/esp/restapi.esp?type=report&reporttype=dynamic&reportname=top-app-summary&period=last-hour&topn=5&key=keyvalue
Example: Get the “top-attackers-summary” data from a pre-defined report
https://hostname/esp/restapi.esp?type=report&reporttype=predefined&reportname=top-attackers-summary&key=keyvalue
• REST API samples – cont.
How can I demonstrate the API?
Leverage simple examples in a web browser
Get a key:
https://10.xx.10.50/esp/restapi.esp?type=keygen&user=admin&password=admin
Backup your config:
https://10.xx.10.50/esp/restapi.esp?type=config&action=show&key=0RgWc42Oi0vDx2WRUIUM6A=
Generate a report:
https://10.xx.10.50/esp/restapi.esp?type=report&reporttype=dynamic&reportname=top-app-summary&period=last-hour&topn=5&key=0RgWc42Oi0vDx2WRUIUM6A=
Don’t sell past the close…
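The keygen, config and report requests from the preceding slides, assembled and parsed in Python as an added example (this is not code from the deck or from Palo Alto Networks). The host name "hostname", the xpath, the report parameters and the keygen response are the slides' own values; the function names, the use of Python's urllib and the fetch() helper are assumptions of this example.

```python
"""Added example: build PAN-OS REST API request URLs and extract the API key
from a keygen response. Function names and the urllib-based transport are
this example's assumptions; the URL parameters are the ones the slides show."""
import xml.etree.ElementTree as ET
from urllib.parse import unquote, urlencode, urlunsplit

# Both base paths appear in the deck: the original one, which 4.1 keeps for
# backward compatibility, and the 4.1 form.
OLD_BASE = "/esp/restapi.esp"
NEW_BASE = "/api/"


def api_url(host, params, base=OLD_BASE):
    """Assemble https://<host><base>?<query>, percent-encoding each value.
    '/' is left alone so xpath values read the way the slides show them."""
    return urlunsplit(("https", host, base, urlencode(params, safe="/"), ""))


def keygen_url(host, user, password, base=OLD_BASE):
    """Step 1: the admin credentials travel in the query string."""
    return api_url(host, {"type": "keygen", "user": user, "password": password}, base)


def parse_keygen_response(xml_text):
    """Extract the key from a keygen response. The deck's sample key already
    contains '%2B', i.e. the device returns it percent-encoded; decode it once
    here so urlencode() in api_url() does not encode it a second time."""
    root = ET.fromstring(xml_text)
    if root.tag != "response" or root.get("status") != "success":
        raise ValueError("keygen failed, status=%r" % root.get("status"))
    key = root.findtext("./result/key")
    if not key:
        raise ValueError("keygen response carries no <key>")
    return unquote(key)


def config_show_url(host, key, xpath, base=OLD_BASE):
    """type=config&action=show (the deck notes this needs SU access)."""
    return api_url(host, {"type": "config", "action": "show",
                          "key": key, "xpath": xpath}, base)


def config_set_url(host, key, xpath, element, base=OLD_BASE):
    """type=config&action=set with the XML fragment to add in 'element'."""
    return api_url(host, {"type": "config", "action": "set", "key": key,
                          "xpath": xpath, "element": element}, base)


def dynamic_report_url(host, key, reportname, period, topn, base=OLD_BASE):
    """type=report&reporttype=dynamic, as in the ACC top-N example."""
    return api_url(host, {"type": "report", "reporttype": "dynamic",
                          "reportname": reportname, "period": period,
                          "topn": topn, "key": key}, base)


def fetch(url, timeout=10):
    """Send the request over HTTPS; the certificate is checked against the
    platform CA store. Not exercised offline, shown for completeness."""
    import urllib.request
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


# The keygen response from the slides, kept verbatim as sample input.
SAMPLE_KEYGEN_RESPONSE = """<response status="success">
  <result>
    <key>k7J335J6hI7nBxIqyfa62sZugWx7ot%2BgzEA9UOnlZRg=</key>
  </result>
</response>"""

if __name__ == "__main__":
    key = parse_keygen_response(SAMPLE_KEYGEN_RESPONSE)
    print(keygen_url("hostname", "username", "password"))
    print(config_show_url("hostname", key, "devices/entry/vsys/entry/rulebase/security"))
    print(dynamic_report_url("hostname", key, "top-app-summary", "last-hour", 5, base=NEW_BASE))
```

Two points worth keeping in mind when demonstrating this: the key, and on keygen the admin password, sit in the query string, so they end up in browser history and in any proxy or web-server log along the path, and the slide's own observation applies that an API session is treated like admin web access, so the same source-address restriction should stay in force. Second, the sample key contains "%2B", so it is already percent-encoded when it comes back; decoding it once before re-encoding avoids the double-encoding that turns "+" into "%252B".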
• User-ID API details
External system uses SSL/TLS to connect to the User-ID Agent
External system can send user login/logout event info to the Agent in XML
Agent sends a response back in XML
External system can keep the connection up to send continuous data OR close the connection as necessary
Each User-ID Agent can have up to 100 simultaneous connections
If there is no traffic for 10 min, the Agent closes the connection automatically
To keep the connection up, the external system can send a keepalive packet
[Diagram: External system, User-ID API over SSL/TLS, User-ID Agent holding User & Group Info and User-to-IP Mapping]
• User-ID API samples - XML Request
<uid-message>
  <version>1.0</version>
  <type>update</type>
  <payload>
    <login>
      <entry name="domain\uid1" ip="10.1.1.1"/>
      <entry name="domain\uid2" ip="10.1.1.2"/>
      <entry name="domain\uid3" ip="10.1.1.3"/>
    </login>
    <logout>
      <entry name="domain\uid4" ip="10.1.1.4"/>
    </logout>
  </payload>
</uid-message>
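The request above, built from Python data and parsed back, as an added example that is not code from the deck, the logon script pack or Palo Alto Networks. The user names and addresses are the slide's sample values; the function names and the xml.etree-based serialisation are this example's assumptions.

```python
"""Added example: serialise and parse the User-ID API <uid-message> update.
Function names are assumptions of this example; the element layout is the
one the slide shows."""
import ipaddress
import xml.etree.ElementTree as ET

# The slide's request with self-closing entries, kept as sample input.
SAMPLE_UID_MESSAGE = """<uid-message>
  <version>1.0</version>
  <type>update</type>
  <payload>
    <login>
      <entry name="domain\\uid1" ip="10.1.1.1"/>
      <entry name="domain\\uid2" ip="10.1.1.2"/>
      <entry name="domain\\uid3" ip="10.1.1.3"/>
    </login>
    <logout>
      <entry name="domain\\uid4" ip="10.1.1.4"/>
    </logout>
  </payload>
</uid-message>"""


def build_uid_message(logins, logouts, version="1.0"):
    """Serialise login/logout lists of (name, ip) into a <uid-message>.
    Malformed IPs and empty names are rejected before anything reaches the
    Agent; an empty <login> or <logout> block is omitted altogether."""
    msg = ET.Element("uid-message")
    ET.SubElement(msg, "version").text = version
    ET.SubElement(msg, "type").text = "update"
    payload = ET.SubElement(msg, "payload")
    for section, entries in (("login", logins), ("logout", logouts)):
        if not entries:
            continue
        block = ET.SubElement(payload, section)
        for name, ip in entries:
            ipaddress.ip_address(ip)          # raises ValueError if bogus
            if not name:
                raise ValueError("empty user name for ip %s" % ip)
            ET.SubElement(block, "entry", name=name, ip=ip)
    return ET.tostring(msg, encoding="unicode")


def parse_uid_message(xml_text):
    """Parse an update message into {'login': [(name, ip)], 'logout': [...]}."""
    root = ET.fromstring(xml_text)
    if root.tag != "uid-message":
        raise ValueError("not a uid-message")
    if root.findtext("type") != "update":
        raise ValueError("unsupported message type %r" % root.findtext("type"))
    result = {"login": [], "logout": []}
    for section in result:
        for entry in root.iterfind("./payload/%s/entry" % section):
            name, ip = entry.get("name"), entry.get("ip")
            if not name or not ip:
                raise ValueError("<%s> entry without name/ip" % section)
            result[section].append((name, ip))
    return result


if __name__ == "__main__":
    print(parse_uid_message(SAMPLE_UID_MESSAGE))
    print(build_uid_message([("domain\\uid1", "10.1.1.1")],
                            [("domain\\uid4", "10.1.1.4")]))
```

Validating the address before serialising matters because whatever an external system pushes through this API becomes policy input on the firewall; a mapping built from an unparseable or empty field should fail loudly at the sender rather than be silently accepted or dropped.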
• User-ID API samples
Leverage what already exists
MAC logon script pack
  ● Contains PAN::API.pm
  ● New version on the way with error checking etc. from Martin
  ● Great example program for how to interact with the User-ID API
Some additional samples…
  ● VB scripts for Windows logon script can be leveraged (Nick P)
  ● VMware integration for visibility
• User-ID XML API use case: Virtualization Security Visibility
• The Situation Today: Islands of Management
[Diagram: VM Management (Workloads), Network Management (Networks) and Security Management (Policies) as separate islands with a gap between them]
  ● No data synchronization
  ● No visibility across functions
  ● Manual, error-prone
• Palo Alto Networks Eliminates the Gap
[Diagram: Palo Alto Networks VM-ID links VM Management (Workloads), Network Management (Networks) and Security Management (Policies)]
  ● Cross-functional visibility & control
  ● Real-time
  ● Fully automated
• VM-ID vSphere Polling
[Diagram: User-ID Agent polling vSphere / vCenter]
1. User-ID Agent polls vCenter or ESX(i)
2. Agent publishes VM mapping
3. VM visibility in ACC
4. Dynamic VM adds/moves auto-sync
  ● Binds VM->IP
  ● Report on VM and User->VM activity
• User-ID XML API use case: Palo Alto Networks/Enterasys
• Use Case: User-IP Mapping at Point of Entry
User-ID requires directory data for User->Group mapping
User->IP obtained via passive and active mechanisms
  ● Windows Security Logs
  ● NTLM auth/Captive Portal
  ● WMI Scanning/Open Server Sessions
Point of Entry
  ● Must register devices when entering/exiting the network
  ● XML UID-API available
Mobility (Wired/Wireless)
  ● Must trigger re-map of the user to the new network
  ● Must automatically de-associate the user with prior IPs
Simplify Design – no complex MS integration required
• Use Case: User-IP Mapping at Point of Entry
User->IP mapping is critical for dynamic security policy
Mapping mechanisms need to be extended to the actual point of entry on the network
  ● Wired and wireless network join/authentication
  ● If not forcing users to auth, capture unique data (like MAC)
    – Users today have many devices: laptops/iPhones/tablets
    – Leading to the consumerization of IT
  ● Trend is becoming difficult to ignore
  ● Users expect to use their own devices
  ● Users expect little disruption to their usability/experience
  ● Corporate security policy still needs to be maintained
Joint solution offers granular, accurate mapping of user entry and egress from the network
Creates higher accuracy for dynamic policy enforcement and reporting
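The point-of-entry behaviour described on the two slides above (register devices on entry and exit, re-map a user who moves to a new network, de-associate prior IPs, identify devices by MAC when users are not forced to authenticate), worked through as an added example that is not code from the deck, Enterasys or Palo Alto Networks. The table is keyed by device MAC so one user with several devices keeps one mapping per device; the class and method names, and every MAC, user and address below, are constructed for this example. The login/logout lists it returns are in the (name, ip) shape the uid-message payload carries.

```python
"""Added example: a point-of-entry mapping table that turns edge join/leave
events into the login/logout entries a NAC would push over the User-ID API.
Names, MACs and addresses are constructed sample values."""
import ipaddress


class PointOfEntryMapper:
    """Tracks the (user, ip) each device currently holds, keyed by MAC.

    join():  a device authenticates at the edge; any prior IP the same device
             held is withdrawn (logout) before the new one is published
             (login), and any stale holder of the same IP is withdrawn too.
    leave(): the device left the network; its mapping is withdrawn.
    """

    def __init__(self):
        self._by_mac = {}   # mac -> (user, ip)

    def join(self, mac, user, ip):
        ipaddress.ip_address(ip)          # reject malformed addresses early
        mac = mac.lower()
        if self._by_mac.get(mac) == (user, ip):
            return {"login": [], "logout": []}   # duplicate event, nothing to do
        logouts = []
        prev = self._by_mac.pop(mac, None)
        if prev is not None:
            logouts.append(prev)          # device roamed: de-associate prior IP
        # DHCP handed this IP to a different device: withdraw the stale mapping
        # so traffic from the new device is not attributed to the old user.
        for other_mac, (other_user, other_ip) in list(self._by_mac.items()):
            if other_ip == ip:
                logouts.append((other_user, other_ip))
                del self._by_mac[other_mac]
        self._by_mac[mac] = (user, ip)
        return {"login": [(user, ip)], "logout": logouts}

    def leave(self, mac):
        prev = self._by_mac.pop(mac.lower(), None)
        return {"login": [], "logout": [prev] if prev is not None else []}

    def mappings(self):
        """Current (user, ip) pairs, sorted for stable comparison."""
        return sorted(self._by_mac.values())


if __name__ == "__main__":
    m = PointOfEntryMapper()
    print(m.join("AA:BB:CC:00:00:01", "corp\\alice", "10.1.1.1"))   # laptop
    print(m.join("AA:BB:CC:00:00:02", "corp\\alice", "10.1.1.2"))   # phone
    print(m.join("AA:BB:CC:00:00:01", "corp\\alice", "10.1.2.7"))   # laptop roams
    print(m.join("AA:BB:CC:00:00:03", "corp\\bob", "10.1.1.2"))     # IP reused
    print(m.leave("AA:BB:CC:00:00:01"))
    print(m.mappings())
```

The roaming and IP-reuse cases are where accuracy is won or lost: a mapping left behind after a device moves attributes someone else's traffic to the old user, which is exactly the stale state the slides' "automatically de-associate" requirement is meant to remove.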
• Use Case: User-Application Data feed
• XML API use case: Palo Alto Networks/Enterasys
• Use Case: User-Application Data feed
Leverages the XML API to extract application data per user
Publishes additional metadata to the Enterasys NAC appliance
They obtain context regarding application usage to leverage when making internal network access decisions
Integration issue: their unique identifier is the MAC address
• Use Case: User-Application Data feed
User->App mapping is critical for posture assessment and security compliance
Palo Alto Networks rich application data adds depth to Enterasys NAC reporting
Critical for Endpoint Compliance/Posture Assessment
Additional usage data for endpoint policy/access control
Apply heuristics to determine suspicious endpoints
  ● Earlier detection of malicious worms, botnet activity
Joint solution offers unprecedented visibility and control of all enterprise managed and unmanaged assets
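The integration issue the previous two slides name (application data comes out keyed by user and IP, while the NAC identifies endpoints by MAC) worked through as an added example that is not code from the deck, Enterasys or Palo Alto Networks. The report rows and the IP-to-MAC table are constructed sample data in an assumed shape, not the device's actual report schema; the function names are this example's assumptions.

```python
"""Added example: re-key per-user application usage by endpoint MAC so a
MAC-keyed NAC can consume it. All rows and the IP->MAC table are constructed
sample data; the (user, ip, app, bytes) row shape is an assumption."""
from collections import defaultdict

# Constructed application rows as they might be extracted per user.
APP_ROWS = [
    ("corp\\alice", "10.1.1.2", "web-browsing", 120000),
    ("corp\\alice", "10.1.1.2", "bittorrent", 850000),
    ("corp\\alice", "10.1.1.2", "web-browsing", 30000),
    ("corp\\bob",   "10.1.1.5", "web-browsing", 40000),
    ("corp\\bob",   "10.1.1.5", "ssl", 60000),
    ("corp\\dave",  "10.1.1.5", "ssl", 1000),      # second user seen on bob's IP
    ("corp\\carol", "10.1.1.9", "dns", 500),       # no MAC known for this IP
]
# Constructed endpoint table as the NAC would hold it (IP -> MAC).
IP_TO_MAC = {"10.1.1.2": "aa:bb:cc:00:00:01", "10.1.1.5": "aa:bb:cc:00:00:02"}


def rekey_by_mac(rows, ip_to_mac):
    """Return (per_mac, unresolved).

    per_mac:    {mac: {"user": first user seen, "apps": {app: bytes},
                       "conflicts": {other users seen on the same MAC}}}
    unresolved: rows whose IP has no MAC; kept aside rather than silently
                dropped so the gap in the endpoint table stays visible.
    A second user on the same MAC usually means a stale User->IP mapping
    or a shared device, so it is flagged instead of overwritten."""
    per_mac = {}
    unresolved = []
    for user, ip, app, nbytes in rows:
        mac = ip_to_mac.get(ip)
        if mac is None:
            unresolved.append((user, ip, app, nbytes))
            continue
        rec = per_mac.setdefault(
            mac, {"user": user, "apps": defaultdict(int), "conflicts": set()})
        if rec["user"] != user:
            rec["conflicts"].add(user)
        rec["apps"][app] += nbytes
    return per_mac, unresolved


def nac_records(per_mac):
    """Flatten into (mac, user, app, bytes) rows, largest consumers first,
    which is the shape a MAC-keyed NAC feed would carry."""
    out = []
    for mac, rec in per_mac.items():
        for app, nbytes in rec["apps"].items():
            out.append((mac, rec["user"], app, nbytes))
    out.sort(key=lambda r: (-r[3], r[0], r[2]))
    return out


if __name__ == "__main__":
    per_mac, unresolved = rekey_by_mac(APP_ROWS, IP_TO_MAC)
    for row in nac_records(per_mac):
        print(row)
    print("unresolved:", unresolved)
    print("conflicts:", {m: r["conflicts"] for m, r in per_mac.items() if r["conflicts"]})
```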
• Use Case: User-Application Data feed
• Community Supported Tools
Business Development
• Background
Palo Alto Networks offers a rich XML API
Limited documentation and low adoption
Tremendous potential!
Emerging markets like Service Providers often have custom data management requirements
  ● For example, allow customers to have a branded, customized and limited interface integrated within their existing customer portal
  ● Automated provisioning of new customers
Current interfaces offer little customization
• Community Supported Tools
Provide reference implementations
Simplify XML-API use through convenience libraries
  ● Like a CLI for the XML API
Scripts and examples of actual integrations
Supported by a responsive online community
Distributed under the CC License
  ● The software is provided “as is”
  ● Permission to use, copy, modify, and/or distribute the software free of charge
Partners, resellers & SP/SIs can modify the existing reference implementation and/or build their own from scratch
Allows partners and customers to easily extend Palo Alto Networks solutions by developing custom tools
Increases Professional Services $$$ and possible support contracts for integration partners
• WebService SDK
SDK consists of a VM and a source code package
Includes a reference implementation of an MSSP custom portal
Utilizes a standard LAMP stack (Linux, Apache, MySQL, PHP)
Ext.js GUI framework for the example presentation layer
PHP scripts for XML API interaction
• WebService SDK
[Diagram: Client side: Ext.js widgets rendered as HTML, exchanging JSON with the server. Server side: Web Server (Apache) running sample PHP scripts, cron-driven sample PHP scripts, and a MySQL DB; the PHP scripts talk to the firewall over the XML API]
• WebService SDK
What it’s not…
  ● A replacement for Panorama
  ● A replacement for the device GUI
  ● An alternative GUI to address a FR
What does it address?
  ● Environments where significant customization is required
  ● Existing portals that need access/interface to rich data from Palo Alto Networks firewalls
• PAN-Perl Package
Package consists of a Perl XML-API wrapper
Simplifies interactions with the XML-API (command line)
Provides utility and convenience libraries for common functions
  ● PCAP export, templating, remote commit operations etc.
Template for fully automated provisioning (SP customers)
  ● Layer 3 vsys templates for single-command automation
Many utility functions
  ● Backup FWs/Panorama using XML API or CLI Expect
  ● Threat PCAP path identification (EPOCH time converter) and export tools
    – Perl daemon for exporting/archiving all pcaps
  ● Use to migrate objects/policies from Device to Panorama
  ● Simple way to demonstrate XML API functionality and flexibility
Ongoing development to add functions and capabilities
• DevCenter Community
An online community of Palo Alto Networks Next Generation Firewall users
  ● Customers
  ● Resellers and partners
  ● Palo Alto Networks System Engineers and Professional Services
  ● Palo Alto Networks Tech Support
  ● Other technical experts within the company
Exchange of ideas on how to develop, deploy and support customized, web-based applications
  ● Forum
  ● File sharing
  ● Documentation
• DevCenter Community
Online community for customers, partners and employees to share and discuss custom content at:
https://live.paloaltonetworks.com/community/devcenter
What custom content?
  ● Custom App-IDs; Custom Threats; CLI Scripts; API integration; More…
Need support?
  ● Use discussion threads to ask questions and discuss
  ● Members (SE, Customer, Partner, PM) offer & receive help from others
  ● PM team offers documentation, guidelines, samples, etc.
  ● Support team will focus on software features but not specific signatures/scripts made available on DevCenter
• DevCenter Community
• SDK/Tools Support Process
[Flowchart]
Customer reports problem via Tech Support → Open ticket (as usual) → XML API issue?
  ● YES: Resolve as usual
  ● NO: Redirect customer to DevCenter
Customer reports problem via DevCenter → Community diagnoses issue → XML API issue?
  ● YES: Engage Tech Support
  ● NO: Resolve problem (best effort)
The DevCenter Community is the official SDK/tools support infrastructure
Customers are entitled to Palo Alto Networks technical support for the XML API
  ● XML API is part of the product
Best-effort level of support
  ● Goal of community is to be very responsive – SLA?
• Community Supported Tools as a Differentiator
Other vendors provide an API too
  - CheckPoint (OPSEC)
  - Juniper (XML)
  - Fortinet (XML)
Only Palo Alto Networks provides integration examples
  - Automated Provisioning (PAN-Perl)
  - Customizable Interface (WebService SDK)
  - Examples provide high-level API abstraction and error handling
  - Advanced JavaScript toolkit (web 2.0) for front-end features
  - Free, online community support
• XML API Enhancements (4.1)
Support for operational commands
  ● Setting, showing, clearing runtime parameters
  ● Saving and loading configuration to/from disk
  ● Requesting system-level operations, e.g. content upgrade
  ● Schedule jobs
Support for additional configuration commands
  ● GET, RENAME, MOVE, etc.
Support for Commit
Support for Packet Capture (PCAP) exports
URI change
  ● NEW: https://hostname/api/?query
  ● OLD: https://hostname/esp/restapi.esp?query (backward compatible)
  ● API Browser: https://hostname/api
• XML API Browser (4.1)
• Demo