Can LM Config Monitor and Alert on Palo Firewall Rules Changes ?
Hi ! My customer wants to be able to generatea weekly report on any changes made in the rules of their Palo Alto firewalls (hundreds) whether this is done as part of a template push or a one-off. Is this something that LM Config can provide ? Cheers, Scott H
Traceroute ConfigSources
Update: A ConfigSource, for use with LM Config, to monitor and alert on changes of route from the collector to any of a list of destinations.This isnow combined a single ConfigSource that will run for both Windows and Linux collectors: v1.1.0: JGZ7GK If you really want to have a different ConfigSource per OS, the original two OS-specificConfigSources are at:EK4HEG (Windows v1.5.0);HCPCXA (Linux v1.2.0). To use, you'll need to add a property 'traceroute.list' to the Windows or Linux collector device* you want to use to check the route from, with the value being a comma separated list of destinations, e.g. '8.8.8.8,www.logicmonitor.com' *You can modify the AppliesTo such that this datasource could apply to any device, however it will always be the collector running the script and doing the traceroute / tracert. The ConfigSource will run the trace and print a summary of the results in a way that can easily be alerted on (if you really want to) in the event of a route change, plus a full dump of the route information including hop timings for information, in a way that is excluded from alerting. Credit to @Jake Cohenfor the basis of the script these are built from. :)/emoticons/smile@2x.png 2x" title=":)" width="20">
ConfigSource to compare to a known template (PoC)
LM Config is awesome - but until now you've not been able to compare a config to a "known good" template. Now you can... Edit for v1.4.0+: Now gives a MUCH cleaner output (in my humble opinion) - see comments below for details.v1.4.0:2GTW7W If you really want the earlier version with its more expansive output,v1.3.0 as detailed in this first post is atXHDDP4 Edit for v1.3.0+: The groovy check that picks up on the change-from-template flags is now more flexible, in that it looks at each line in turn (rather than the entire config object) so you can more carefully identify matches to be alerted on. This is very much only a proof-of-concept, which will show the method to use. As written it will do nothing in your account as it looks for a couple of test files I created specifically for this in my account. Suppose you have this template file (configTestTemplate.txt) for a config: # Config test file:# Here's a config test fileSetting1=1Setting2=2Setting3=3# The above must never be changed Now, suppose the actual config (in configTestConfig.txt)is like this: # Config test file:# Here's a config test fileSetting1=1Setting2=2Setting3=4# The above must never be changed If you can't see it, 'Setting3' has been changed... This ConfigSource will read in both the config (from file in this example, but it could be from SSH, etc) and the template from file, then run through the template and compare each line to the equivalent line in the config. Where it finds a discrepancy between the two, these are listed in the output after the actual config, marked with 'DISCREPANCY', as in the screenshot below. The template used for comparison is also returned: Config Checks then pick up on changes as you'd normally expect, and also if the output contains 'DISCREPANCY'. Notes: You must have LM Config to use this The template file must contain the EXACT same text in the EXACT same format as the config will be produced, because this PoC only checks line 1 against line 1, line 2 against line 2, etc. If your template contains'DISCREPANCY' you'll have to come up with some other keyword to print and alert on, obviously.
