One of the challenges with managing any zone based firewall on a large scale is knowing which zone everything is in. We all know that the network should be well documented, but we also know that routing tables get unwieldy, and it’s not uncommon when adding a firewall rule to be wondering exactly which zone that source or destination is in.

There are three ways to find the zone:

The GUI Way

Log in to the web interface of the gateway, either by changing context from Panorama or by going to it directly, and navigate to Network -> Virtual Routers. From this page select the relevant virtual router and click “More Runtime Stats”. Find the route matching the destination and note its egress interface. Close this window and navigate to Network -> Interfaces. Find the egress interface you just noted down and read off the zone it is in.

The CLI Way

It can be slightly quicker (if you remember the commands) to SSH to the gateway and run a test against the routing table. This is easier than the GUI because you do not have to find the matching route yourself; the test tells you which route the address matches.

The commands are:

`test routing fib-lookup virtual-router <virtualrouter> ip <IP>`

This will give you an output like this:

    admin@PA-VM> test routing fib-lookup virtual-router default ip 1.2.3.4
    --------------------------------------------------------------------------------
    runtime route lookup
    --------------------------------------------------------------------------------
    virtual-router: default
    destination: 1.2.3.4
    result: 
    via 10.152.1.5 interface ethernet1/24.20, source 10.152.1.6, metric 65434
    --------------------------------------------------------------------------------

This clearly tells you the egress interface for the route. You then run a show interface command to see the zone that interface belongs to:

    admin@PA-VM> show interface ethernet1/24.20 | match Zone
    Zone: outside, virtual system: vsys1

So now I know the correct zone for that rule is “outside”. It doesn’t matter whether that’s the source or the destination: as long as your routing is symmetric, identifying a source zone is the same procedure, you just look at how you’d route back to the source to figure out where it comes from.

Using the API

The XML API follows exactly the same two-step procedure as the CLI and gives the same result.

You have to send these two requests:

`https://paloIP/api/?type=op&cmd=<test><routing><fib-lookup><virtual-router>default</virtual-router><ip>1.2.3.4</ip></fib-lookup></routing></test>&key=YOURAPIKEY`
`https://paloIP/api/?type=op&cmd=<show><interface>ethernet1/24.20</interface></show>&key=YOURAPIKEY`

And… who wants to remember all that?

But using the API means we can script it, so here it is.

Take a look at findzone.py here: https://gitlab.com/geekynick/palo-alto-scripts/tree/master/api

This little script is written in Python and takes three inputs:

  1. virtualrouter – the name of the virtual router you want to do the routing lookup in
  2. ipaddr – the IP address you want to look up
  3. credentialfile – the path to the credential file.

The credential file is simply a text file with the device name or IP on line 1, and the API key on line 2. There’s another script in the same repo called “creds.py” which will create that for you interactively.
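The two API requests above, as an added example in Python (this is not the repo’s findzone.py): it builds the op commands, checks each response for status="success" before reading it, and chains the egress interface from the fib-lookup into the show interface call. The response layouts (`result/interface` and `result/ifnet/zone`) are assumptions based on PAN-OS op-command output; the sample responses are constructed to match the CLI output shown earlier.

```python
import xml.etree.ElementTree as ET
from typing import Callable
from xml.sax.saxutils import escape

def fib_lookup_cmd(vrouter: str, ip: str) -> str:
    # The first request from the page; escape() stops input from breaking out of the XML.
    return (f"<test><routing><fib-lookup><virtual-router>{escape(vrouter)}</virtual-router>"
            f"<ip>{escape(ip)}</ip></fib-lookup></routing></test>")

def show_interface_cmd(ifname: str) -> str:
    return f"<show><interface>{escape(ifname)}</interface></show>"   # the second request

def checked(xml_text: str) -> ET.Element:
    # A status="error" reply must never be read as a zone answer.
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        raise RuntimeError(root.findtext(".//line") or root.findtext(".//msg") or "API error")
    return root

def parse_egress_interface(xml_text: str) -> str:
    # Assumed layout: <response><result><interface>ethernet1/24.20</interface>...</result>
    iface = checked(xml_text).findtext("./result/interface")
    if not iface:
        raise LookupError("fib-lookup returned no egress interface (no route, or a drop)")
    return iface

def parse_zone(xml_text: str) -> str:
    # Assumed layout: <response><result><ifnet><zone>outside</zone>...</ifnet></result>
    zone = checked(xml_text).findtext("./result/ifnet/zone")
    if not zone:
        raise LookupError("interface is not assigned to a zone")
    return zone

def find_zone(vrouter: str, ip: str, run_op: Callable[[str], str]) -> tuple:
    # run_op maps an op-command XML string to the response XML; returns (interface, zone).
    iface = parse_egress_interface(run_op(fib_lookup_cmd(vrouter, ip)))
    return iface, parse_zone(run_op(show_interface_cmd(iface)))

# Constructed sample responses mirroring the CLI output shown on the page.
SAMPLE = {
    fib_lookup_cmd("default", "1.2.3.4"):
        '<response status="success"><result><nh>ip</nh><ip>10.152.1.5</ip>'
        '<interface>ethernet1/24.20</interface><src>10.152.1.6</src><metric>65434</metric></result></response>',
    show_interface_cmd("ethernet1/24.20"):
        '<response status="success"><result><ifnet><name>ethernet1/24.20</name>'
        '<zone>outside</zone><vsys>vsys1</vsys></ifnet></result></response>',
}

# Offline run against the samples; swap in a real HTTPS op-command runner for a gateway.
EXAMPLE = find_zone("default", "1.2.3.4", SAMPLE.__getitem__)  # ('ethernet1/24.20', 'outside')
```

When wiring `run_op` to a real gateway, newer PAN-OS releases accept the key in an `X-PAN-KEY` request header, which keeps it out of URL query strings and the logs that record them. The credential file holds that same key, so restrict its permissions to the accounts that run the script.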

I often put handy little scripts like this on a central VM, somewhere the whole team can use them to make their lives just that little bit simpler.
