How to use the Nipper Panorama Plugin for auditing Palo Alto Firewalls
Nipper Panorama Plugin - User Guide
Overview
With the Panorama plugin, you can remotely connect to a Panorama system to automatically collect and audit configurations from all managed firewalls.
The plugin uses the Panorama API to retrieve the configurations, meaning you no longer need to manually export configuration files from each device. Once retrieved, Nipper generates a bespoke configuration file tailored for analysis, which cannot be created manually; this file is only produced through a successful Panorama connection.
Key Features
- Remotely connect to Panorama to retrieve managed firewall configurations.
- Automatically audit all collected configurations with Nipper.
- Nipper only audits configurations from managed firewalls, not Panorama itself.
- Simplifies large-scale PAN-OS audits across multiple devices.
- Ensures consistency and accuracy by using live configuration data.
Prerequisites
Panorama Requirements
Ensure your Panorama device is running a supported version of PAN-OS. Please contact support@titania.com for the latest compatibility information.
API Access
The plugin uses Panorama's API to collect configuration data. This requires an account on the Panorama device with specific permissions.
- The user account must have XML API Access enabled.
- Ideally, the account should have Superuser privileges to ensure full access to all managed firewalls and configurations.
- Alternatively, a Device Admin account may work, but be aware this could limit access to certain configurations and result in incomplete data.
Important: It is strongly recommended to create a dedicated API user account for Nipper, with appropriate permissions based on your organization's security policies.
Networking
- Ensure Nipper can reach Panorama over the network on the required API port (default: 443).
- Firewall rules must allow outbound HTTPS traffic from the machine running Nipper to Panorama.
Using the Panorama Plugin
Step 1: Creating a New Report
- Launch Nipper.
- Select New Report.
- Select Remote Device.
- Select Palo Alto Firewall via Panorama as the Device Type.
Step 2: Enter Connection Details
- Panorama Network Address
- Port (if different from default 443)
- API User Credentials (Username and Password)
Step 3: Retrieve Configurations
- Click "Connect".
- Nipper will authenticate via the Panorama API.
- Nipper will automatically:
  - Retrieve the Panorama configuration.
  - Identify all managed firewalls.
  - Collect the configuration from each managed firewall.
Step 4: Audit
Once the collection is complete:
- Nipper will audit the entire set of configurations against the report type(s) selected.
- The resultant report will include findings across all managed firewalls, but will not audit Panorama itself.
Device Selection:
- By default, Nipper will audit all managed firewalls.
- You can enable a setting in Tools -> Settings -> Advanced View -> Palo Alto Firewall via Panorama -> Prompt for Device Selection. When enabled, this will show a popup during the audit, allowing you to select which firewalls to audit.
Troubleshooting
- Authentication Failed: Verify the API user's credentials and permissions. Ensure XML API access is enabled.
- Cannot Connect: Check network connectivity, firewalls, and Panorama API availability.
- Incomplete Configurations: Ensure the API user has sufficient privileges to access all devices.
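The prerequisites above (an API user with XML API access, HTTPS reachability on port 443) and the three troubleshooting items can be checked before a collection run without opening Nipper. The script below is an added example, not Nipper's own code or part of Titania's documentation. It uses two standard Panorama XML API calls (type=keygen to validate the credentials, and the operational command "show devices connected" to list managed firewalls, which is the same "identify all managed firewalls" step Nipper performs in Step 3). The hostname, username and password are placeholders read from environment variables; the embedded XML replies are constructed samples modelled on the API's response format so the parsing can be exercised offline.

```python
"""Pre-flight checks for Panorama XML API access (added example, not Nipper code).

Mirrors the troubleshooting list: is Panorama reachable on the API port, do the
API user's credentials work, and which managed firewalls are actually connected?
Host and credentials are placeholders read from the environment.
"""
import os
import socket
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

API_PATH = "/api/"


def tcp_reachable(host: str, port: int = 443, timeout: float = 5.0) -> bool:
    """Return True if a TCP connection to host:port succeeds within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def classify_keygen_response(xml_text: str) -> tuple:
    """Interpret a Panorama keygen reply.

    Returns ("ok", api_key) on success, or ("error", "<code> <message>") when
    Panorama rejects the login (bad password, or no XML API access on the role).
    """
    root = ET.fromstring(xml_text)
    if root.get("status") == "success":
        key = root.findtext("./result/key")
        if key:
            return ("ok", key.strip())
        return ("error", "success status but no <key> element in reply")
    msg = root.findtext("./result/msg") or root.findtext("./msg") or "unknown error"
    return ("error", f"{root.get('code', '')} {msg}".strip())


def parse_connected_devices(xml_text: str) -> list:
    """Extract (serial, hostname, connected) from 'show devices connected' output.

    Entries with connected != "yes" are kept so the auditor can see why a
    firewall's configuration may be missing from a collection run.
    """
    root = ET.fromstring(xml_text)
    devices = []
    for entry in root.iterfind("./result/devices/entry"):
        serial = entry.findtext("serial") or entry.get("name", "")
        hostname = entry.findtext("hostname") or ""
        connected = (entry.findtext("connected") or "no").lower() == "yes"
        devices.append((serial, hostname, connected))
    return devices


def _api_post(host: str, port: int, params: dict) -> str:
    """POST form parameters to the XML API (keeps credentials out of URLs);
    TLS certificate verification stays enabled."""
    url = f"https://{host}:{port}{API_PATH}"
    req = urllib.request.Request(url, data=urllib.parse.urlencode(params).encode(),
                                 method="POST")
    with urllib.request.urlopen(req, context=ssl.create_default_context(),
                                timeout=15) as resp:
        return resp.read().decode("utf-8", errors="replace")


def preflight(host: str, port: int, user: str, password: str) -> dict:
    """Run the checks in order and stop at the first failure."""
    result = {"reachable": tcp_reachable(host, port), "auth": None, "devices": []}
    if not result["reachable"]:
        return result
    status, detail = classify_keygen_response(
        _api_post(host, port, {"type": "keygen", "user": user, "password": password}))
    result["auth"] = status
    if status != "ok":
        result["auth_detail"] = detail  # the API key itself is never stored or printed
        return result
    cmd = "<show><devices><connected></connected></devices></show>"
    result["devices"] = parse_connected_devices(
        _api_post(host, port, {"type": "op", "cmd": cmd, "key": detail}))
    return result


# Constructed sample replies, modelled on the Panorama XML API response format.
SAMPLE_KEYGEN_OK = ('<response status="success"><result><key>PLACEHOLDER-API-KEY'
                    '</key></result></response>')
SAMPLE_KEYGEN_DENIED = ('<response status="error" code="403"><result>'
                        '<msg>Invalid Credentials.</msg></result></response>')
SAMPLE_DEVICES = ('<response status="success"><result><devices>'
                  '<entry name="001901000001"><serial>001901000001</serial>'
                  '<connected>yes</connected><hostname>fw-edge-01</hostname></entry>'
                  '<entry name="001901000002"><serial>001901000002</serial>'
                  '<connected>no</connected><hostname>fw-branch-07</hostname></entry>'
                  '</devices></result></response>')

if __name__ == "__main__":
    host = os.environ.get("PANORAMA_HOST", "panorama.example.internal")  # placeholder
    port = int(os.environ.get("PANORAMA_PORT", "443"))
    summary = preflight(host, port, os.environ.get("PANORAMA_USER", "nipper-api"),
                        os.environ.get("PANORAMA_PASSWORD", ""))  # placeholders
    print(f"reachable={summary['reachable']} auth={summary['auth']} "
          f"{summary.get('auth_detail', '')}")
    for serial, name, up in summary["devices"]:
        print(f"  {serial} {name} connected={'yes' if up else 'no'}")
```

Run it from the machine that will host Nipper, with PANORAMA_HOST, PANORAMA_USER and PANORAMA_PASSWORD set for the dedicated API account. A False reachable result points at the Networking prerequisite, an "error 403" from keygen at the account's credentials or missing XML API access, and a firewall listed with connected=no explains an incomplete set of configurations in the resulting report.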
Notes
- The bespoke configuration format produced from Panorama collection is unique to Nipper and cannot be created manually.
- Configuration snapshots are point-in-time; re-run the collection process to update the audit with the latest configurations.