Architecture

This section gives a high-level overview of the project architecture: how the components work together to generate a firewall policy and deploy it either through Panorama or directly to a standalone firewall.

Component Diagram

The project consists of several key components:

  1. Static Policy Rules - Hand-maintained rules kept under `ngfw/policies/` that do not change between deployments. Static security rules are placed at the beginning of the rulebase (in Panorama-based deployments this is the PRE section of the target device group); static decryption rules can be defined for both the PRE and the POST section.

  2. Dynamic Policy Rules - Generated from CSV files (`requirements/categories_app.csv` and `requirements/categories_url.csv`) that prescribe the action for the standard App-ID and URL categories. These rules are placed at the bottom of the rulebase (in Panorama-based deployments this is the POST section of the target device group), so they act as category-based defaults that only see traffic no earlier rule has matched.

  3. Policy Targets - JSON file (`requirements/policy_targets.json`) that defines the possible targets for policy deployment. A target is either:

    • a combination of a standalone firewall address, VSYS name, and a deployment type OR

    • a combination of a Panorama address, device group, template, and a deployment type

  4. Object Definitions - CSV/JSON/YAML/XML files under `ngfw/objects/` that define every object the policy rules reference (address objects and groups, service objects and groups, EDLs, tags, security and decryption profiles, custom signatures, data patterns, custom URL categories, etc.)

  5. Deployment Engine - Handles the communication with the Palo Alto Networks devices (Panorama or standalone firewalls), using the connection parameters and API credentials from `settings.py`

  6. Auxiliary Functions - Helper functions for various tasks

```dot
digraph G {
    rankdir=LR;
    node [shape=Mrecord, fontname="Segoe UI Emoji", style=filled, fillcolor=lightgrey, fontsize=14];

    // Node definitions with custom tooltips
    fw1 [label="🧱\nPanorama-managed\nfirewall(s)", tooltip="Next-generation firewalls managed centrally through Panorama platform for unified policy deployment and monitoring"];
    fw2 [label="🧱\nStandalone\nfirewall(s)", tooltip="Individual standalone firewalls configured directly without central management - require separate policy deployment"];
    panorama [label="📡\nPanorama", tooltip="Palo Alto Networks centralized management platform for firewall orchestration, policy distribution, and monitoring"];
    targets [label=<🎯Deployment targets:<BR/><B><FONT FACE="Courier New">requirements/policy_targets.json</FONT></B>>, tooltip="JSON configuration file defining which firewalls and device groups should receive policy deployments"];
    script [label=<🤖<BR/>Deployment<BR/>script:<BR/><B><FONT FACE="Courier New">main.py</FONT></B>>, tooltip="Main Python automation script that orchestrates the entire policy deployment process across all firewall targets"];
    csv [label=<<TABLE BORDER="0" CELLBORDER="0" CELLSPACING="0"><TR><TD ALIGN="CENTER">📊 Dynamic policy rules for</TD></TR><TR><TD ALIGN="CENTER">generic URL/App-ID categories</TD></TR><TR><TD ALIGN="LEFT"><B><FONT FACE="Courier New">requirements/categories_app.csv</FONT></B></TD></TR><TR><TD ALIGN="LEFT"><B><FONT FACE="Courier New">requirements/categories_url.csv</FONT></B></TD></TR></TABLE>>, tooltip="CSV files containing application and URL category definitions used to dynamically generate firewall security policies"];
    config [label=<🛠️<BR/>Configuration<BR/>module:<BR/><B><FONT FACE="Courier New">settings.py</FONT></B>>, tooltip="Python configuration module containing API credentials, server URLs, deployment settings, and operational parameters"];
    objects [label=<🧾Profiles, addresses,<BR/>services, tags, and<BR/>other objects:<BR/><B><FONT FACE="Courier New">ngfw/objects/</FONT></B>>, tooltip="Directory containing firewall object definitions including security profiles, addresses and address groups, service objects and groups, EDLs, tags, custom signatures, data patterns, URL categories, decryption profiles etc."];
    static_policies [label=<🧾Static policy rules:<BR/><B><FONT FACE="Courier New">ngfw/policies/</FONT></B>>, tooltip="Directory containing predefined static firewall policy rules that remain constant across deployments"];

    // Diagram flows
    static_policies -> script;
    csv -> script -> panorama -> fw1;
    targets -> script;
    script -> fw2;
    config -> script;
    objects -> script;
}
```

Policy formation

The resulting security policy is formed as follows:

```dot
digraph G {
    rankdir=LR;
    node [shape=Mrecord, fontname="Segoe UI Emoji", style=filled, fillcolor=lightgrey, fontsize=14];

    // Node definitions with custom tooltips
    static_policies [label=<🛡️<BR/>Static policies<BR/><B><FONT FACE="Courier New">ngfw/policies/security/pre</FONT></B>>, tooltip="Static security policy rules"];
    dg_pre [label="📋\nPanorama\nDevice Group\nPRE section", tooltip="Device Group PRE rulebase section in Panorama for policy deployment before local rules"];
    dg_post [label="📋\nPanorama\nDevice Group\nPOST section", tooltip="Device Group POST rulebase section in Panorama for policy deployment after local rules"];
    requirements [label=<<TABLE BORDER="0" CELLBORDER="0" CELLSPACING="0"><TR><TD ALIGN="CENTER">📊 Dynamic policy rules for</TD></TR><TR><TD ALIGN="CENTER">generic URL/App-ID categories</TD></TR><TR><TD ALIGN="LEFT"><B><FONT FACE="Courier New">requirements/categories_app.csv</FONT></B></TD></TR><TR><TD ALIGN="LEFT"><B><FONT FACE="Courier New">requirements/categories_url.csv</FONT></B></TD></TR></TABLE>>, tooltip="CSV files containing application and URL category definitions used to dynamically generate firewall security policies"];
    firewall [label="🧱\nPanorama-managed\nfirewall", tooltip="Next-generation firewall managed centrally through Panorama"];

    // Diagram flows
    static_policies -> dg_pre -> firewall;
    requirements -> dg_post -> firewall;
}
```

The resulting decryption policy is formed as follows:

```dot
digraph G {
    rankdir=LR;
    node [shape=Mrecord, fontname="Segoe UI Emoji", style=filled, fillcolor=lightgrey, fontsize=14];

    // Node definitions with custom tooltips
    static_policies_pre [label=<🛡️<BR/>Static policies<BR/><B><FONT FACE="Courier New">ngfw/policies/decryption/pre</FONT></B>>, tooltip="Static decryption policy rules for the pre-rulebase section"];
    static_policies_post [label=<🛡️<BR/>Static policies<BR/><B><FONT FACE="Courier New">ngfw/policies/decryption/post</FONT></B>>, tooltip="Static decryption policy rules for the post-rulebase section"];
    dg_pre [label="📋\nPanorama\nDevice Group\nPRE section", tooltip="Device Group PRE rulebase section in Panorama for policy deployment before local rules"];
    dg_post [label="📋\nPanorama\nDevice Group\nPOST section", tooltip="Device Group POST rulebase section in Panorama for policy deployment after local rules"];
    firewall [label="🧱\nPanorama-managed\nfirewall", tooltip="Next-generation firewall managed centrally through Panorama"];

    // Diagram flows
    static_policies_pre -> dg_pre -> firewall;
    static_policies_post -> dg_post -> firewall;
}
```

Note

When the policy is deployed directly to a standalone firewall, the rulebase mirrors the Panorama layout: rules that would go into the `PRE` section of a device group are placed at the top of the firewall's rulebase and rules that would go into the `POST` section at the bottom. Because rules are evaluated top-down and the first match wins, precedence is the same in both deployment types: the static `PRE` rules override everything below them, and the CSV-driven `POST` rules only apply to traffic that nothing above them matched. On a Panorama-managed firewall, any rules configured locally on the device are evaluated between the two sections, so a local rule can shadow a `POST` rule but never a `PRE` rule.
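The following is an added example, not code from the project, showing how the pre/post assembly described above behaves under first-match evaluation. The project's file names are real; everything else is assumed for illustration: the rule dictionary shape, the CSV columns `category` and `action`, and the use of a `panorama` or `firewall` key to tell the two target kinds apart. The PRE, then local, then POST evaluation order is PAN-OS behaviour; the default rules that apply when nothing matches are not modelled.

```python
"""Added example (not the project's code): assemble the pre/post rulebase
from static rules and CSV-driven category rules, then show what first-match
evaluation does with it.

Assumptions (not from the project): rule dict shape, CSV column names
'category' and 'action', target keys 'panorama' vs 'firewall'.
"""
import csv
import io

# Constructed stand-in for requirements/categories_url.csv (column names assumed).
CATEGORIES_URL_CSV = """category,action
malware,deny
phishing,deny
social-networking,allow
"""

# Constructed stand-in for the static rules under ngfw/policies/security/pre.
STATIC_SECURITY_PRE = [
    {"name": "allow-dns", "match": {"application": "dns"}, "action": "allow"},
    {"name": "block-known-bad", "match": {"address_group": "known-bad"}, "action": "deny"},
]


def dynamic_rules_from_csv(text, kind):
    """One rule per CSV row, keyed on the category.

    kind is the match field the category applies to ('url_category' or
    'application'), so the same loader serves both CSV files.
    """
    rules = []
    for row in csv.DictReader(io.StringIO(text)):
        category = row["category"].strip()
        action = row["action"].strip().lower()
        if action not in ("allow", "deny"):
            raise ValueError(f"unsupported action {row['action']!r} for {category}")
        rules.append({"name": f"{kind}-{category}",
                      "match": {kind: category},
                      "action": action})
    return rules


def build_rulebase(static_pre, static_post, dynamic, target):
    """Static rules first, CSV-driven rules last.

    Panorama target: the halves go to the device-group PRE and POST sections.
    Standalone target: they are concatenated, PRE on top, mirroring Panorama.
    """
    pre = list(static_pre)
    post = list(static_post) + list(dynamic)
    if "panorama" in target:   # assumed key for a Panorama target
        return {"pre": pre, "post": post}
    if "firewall" in target:   # assumed key for a standalone target
        return {"rules": pre + post}
    raise ValueError("target must name either a Panorama or a standalone firewall")


def _matches(rule, session):
    return all(session.get(field) == value for field, value in rule["match"].items())


def first_match(pre, local, post, session):
    """Evaluate in PAN-OS order: PRE, then the firewall's local rules, then
    POST; the first matching rule decides. Returns (section, name, action),
    or None when nothing matched (the default rules would then apply)."""
    for section, rules in (("pre", pre), ("local", local), ("post", post)):
        for rule in rules:
            if _matches(rule, session):
                return section, rule["name"], rule["action"]
    return None


def demo():
    """Run the pieces together and return the observations."""
    dynamic = dynamic_rules_from_csv(CATEGORIES_URL_CSV, "url_category")
    pano = build_rulebase(STATIC_SECURITY_PRE, [], dynamic,
                          {"panorama": "panorama.example", "device_group": "dg-branch",
                           "template": "tpl-branch", "deployment_type": "security"})
    fw = build_rulebase(STATIC_SECURITY_PRE, [], dynamic,
                        {"firewall": "fw.example", "vsys": "vsys1", "deployment_type": "security"})
    # Rules an administrator added locally on the managed firewall.
    local_allow_phishing = [{"name": "local-allow-phishing",
                             "match": {"url_category": "phishing"}, "action": "allow"}]
    local_allow_bad = [{"name": "local-allow-bad",
                        "match": {"address_group": "known-bad"}, "action": "allow"}]
    return {
        "standalone_order": [r["name"] for r in fw["rules"]],
        # The POST deny holds while nothing above it matches ...
        "post_deny": first_match(pano["pre"], [], pano["post"], {"url_category": "phishing"}),
        # ... but a local rule sits above POST and shadows it.
        "local_overrides_post": first_match(pano["pre"], local_allow_phishing, pano["post"],
                                            {"url_category": "phishing"}),
        # A PRE rule cannot be undone by a local rule.
        "pre_beats_local": first_match(pano["pre"], local_allow_bad, pano["post"],
                                       {"address_group": "known-bad"}),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The practical consequence: anything that must hold regardless of what an operator configures on the device (the known-bad block above) belongs in the static PRE rules, while the CSV-driven category rules are a safety net for traffic that no more specific rule claims.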