v1.0 for Steampipe, Powerpipe, Flowpipe, 116 plugins, and 44 mods →

turbot/panos

Overview

4Tables

Versions

GitHub

steampipe plugin install panossteampipe plugin install panos

panos_address_object panos_administrative_tag panos_nat_rule panos_security_rule

Table: panos_nat_rule - Query Palo Alto Networks NAT Rules using SQL

A Network Address Translation (NAT) Rule in Palo Alto Networks is a policy that specifies how to translate the source and destination IP addresses of packets as they traverse through a device. These rules are essential for directing traffic correctly through firewalls and other network devices. They provide a means of modifying network address information in packet headers while in transit across a traffic routing device.

Table Usage Guide

The panos_nat_rule table provides insights into NAT rules within Palo Alto Networks. As a network administrator, explore rule-specific details through this table, including source and destination interfaces, translation types, and associated metadata. Utilize it to gain a comprehensive understanding of your network's traffic routing and to ensure the correct configuration of your NAT rules.

Examples

List disabled NAT rules

Discover the segments that consist of disabled NAT rules. This can help you identify potential security loopholes in your network, thereby enhancing its safety and efficiency.

select
  name,
  uuid,
  type
from
  panos_nat_rule
where
  disabled;

select
  name,
  uuid,
  type
from
  panos_nat_rule
where
  disabled = 1;

List NAT rules for a specific `vsys`

Explore the configuration of Network Address Translation (NAT) rules for a specific virtual system. This would be particularly useful for network administrators seeking to understand and manage the routing of network traffic within their system.

select
  name,
  uuid,
  type,
  disabled,
  tags
from
  panos_nat_rule
where
  vsys = 'vsys1';

select
  name,
  uuid,
  type,
  disabled,
  tags
from
  panos_nat_rule
where
  vsys = 'vsys1';

List NAT rules for a Panorama device group

Explore which NAT rules are active for a particular device group in a Panorama setup. This can help in identifying potential security risks or troubleshooting network issues.

select
  name,
  uuid,
  type,
  disabled,
  tags
from
  panos_nat_rule
where
  device_group = 'group1';

select
  name,
  uuid,
  type,
  disabled,
  tags
from
  panos_nat_rule
where
  device_group = 'group1';

Get count of NAT rules by distinct `group tag`

Identify the number of Network Address Translation (NAT) rules associated with each unique group tag. This can be useful for monitoring and managing network traffic routing configurations.

select
  case
    when group_tag is null then 'none'
    else group_tag
  end as group_tag,
  count(*) as count
from
  panos_nat_rule
group by
  group_tag;

select
  case
    when group_tag is null then 'none'
    else group_tag
  end as group_tag,
  count(*) as count
from
  panos_nat_rule
group by
  group_tag;

List NAT rules which contain any administrative tag with color yellow

Explore which NAT rules are tagged with an administrative marker of yellow color. This is useful for identifying specific configurations that may require attention or follow a certain administrative pattern.

with yellow_tags as (
  select
    name
  from
    panos_administrative_tag
  where
    color = 'color4' -- color4 :: Yellow
)
select
  panos_nat_rule.name,
  panos_nat_rule.type,
  panos_nat_rule.description
from
  panos_nat_rule
  join yellow_tags on panos_nat_rule.tags ? yellow_tags.name;

select
  panos_nat_rule.name,
  panos_nat_rule.type,
  panos_nat_rule.description
from
  panos_nat_rule
  join (
    select
      name
    from
      panos_administrative_tag
    where
      color = 'color4' -- color4 :: Yellow
  ) as yellow_tags on json_extract(panos_nat_rule.tags, yellow_tags.name) is not null;

List NAT rules which move packets between different zones

Uncover the details of NAT rules that facilitate packet transitions between distinct zones. This is useful in network management to identify potential areas of data flow and troubleshoot connectivity issues.

select
  name,
  source_zones,
  destination_zone
from
  panos_nat_rule
where
  not (source_zones ? destination_zone);

Error: SQLite does not support the '?'' operator used in PostgreSQL for checking if a value exists in an array.

List NAT rules which translate to unknown addresses

Determine the areas in which Network Address Translation (NAT) rules are translating to unidentified addresses. This is useful for identifying potential misconfigurations or security risks within your network infrastructure.

select
  name,
  dat_address
from
  panos_nat_rule
where
  dat_address not in (
    select
      name
    from
      panos_address_object
  );

select
  name,
  dat_address
from
  panos_nat_rule
where
  dat_address not in (
    select
      name
    from
      panos_address_object
  );

Schema for panos_nat_rule

Name	Type	Operators	Description
_ctx	jsonb		Steampipe context in JSON form.
dat_address	text		Specifies destination address translation's address. Possible values are: static or dynamic.
dat_dynamic_distribution	text		Specifies the distribution algorithm for destination address pool.
dat_port	bigint		Specifies the destination address port.
dat_type	text		Specifies the destination address translation type. Values can be either static or dynamic. The dynamic option is only available on PAN-OS 8.1+.
description	text		The NAT rule's description.
destination_addresses	jsonb		A list of destination address.
destination_zone	text		The NAT rule's destination zone.
device_group	text	=	[Panorama] The device group location (default: shared).
disabled	boolean		Indicates if a rule is disabled, or not.
group_tag	text		The NAT rule's group tag.
name	text	=	The NAT rule's name.
negate_target	boolean		Indicates if instead of applying the rule for the given serial numbers, it is applied to everything except them.
rule_base	text	=	[Panorama] The rulebase. For firewalls, there is only the rulebase value (default), but on Panorama, there is also pre-rulebase and post-rulebase.
sat_address_type	text		Source address translation address type. Possible values are: interface-address or translated-address.
sat_fallback_interface	text		Specifies source address translation interface.
sat_fallback_ip_address	text		Specifies the source address translation fallback IP address.
sat_fallback_ip_type	text		Specifies source address translation IP type. Possible values are: ip or floating.
sat_fallback_translated_addresses	jsonb		A list of source address translation fallback translated address.
sat_fallback_type	text		Specifies source address translation fallback type. Possible values are: none, interface-address, or translated-address.
sat_interface	text		Describes the source address translation interface.
sat_ip_address	text		Describes source address translation IP address.
sat_static_bi_directional	boolean		Indicates whether bi-directional source address translation is enabled, or not.
sat_static_translated_address	text		Specifies the statically translated source address.
sat_translated_addresses	jsonb		A list of translated address.
sat_type	text		Specifies the type of source address translation. Possible values are: none (default), dynamic-ip-and-port, dynamic-ip, or static-ip.
service	text		Specifies the service (default: any).
source_addresses	jsonb		A list of source addresses.
source_zones	jsonb		A list of source zone(s).
sp_connection_name	text	=, !=, ~~, ~~, !~~, !~~	Steampipe connection name.
sp_ctx	jsonb		Steampipe context in JSON form.
tags	jsonb		A list of administrative tags assigned to the rule.
targets	jsonb		A dictionary of target definitions.
to_interface	text		Egress interface from route lookup (default: any).
type	text		The type of NAT rule. Possible values are: ipv4 (default), nat64, or nptv6.
uuid	text		The PAN-OS UUID.
vsys	text	=	[NGFW] The vsys to put the NAT rule into (default: vsys1).

Export

This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.

You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- panos

You can pass the configuration to the command with the --config argument:

steampipe_export_panos --config '<your_config>' panos_nat_rule