Comparing PyATS and Nornir for Firewall Security Validation and Compliance

When it comes to network automation and security validation, two powerful Python-based tools stand out: PyATS and Nornir. Both have their strengths, but each takes a different approach to firewall security and compliance checks. In this article, we'll compare the two in terms of usability, flexibility, and effectiveness for firewall security validation, specifically on FortiGate and Palo Alto firewalls, and we'll show a worked code example for each.


PyATS: Focused on Testing and Validation

PyATS is a network testing tool developed by Cisco that is built for validating network configurations and security compliance. It’s widely used for automated testing, ensuring that your devices meet security standards without requiring you to write extensive code for every task.

Real Case Example: Checking for “Any-Any” Rules on a FortiGate Firewall

One critical security validation task is ensuring there are no open "any-any" firewall rules, which allow unrestricted traffic between any source and destination. With PyATS, this check is simple to automate.

Step 1: Install PyATS

pip install "pyats[full]"

Step 2: Set up the Testbed

This file tells PyATS how to connect to your firewall. Here's an example testbed.yaml file:

devices:
  fortigate:
    os: fortigate
    type: firewall
    connections:
      defaults:
        class: unicon.Unicon
      cli:
        protocol: ssh
        ip: 192.168.1.100
    credentials:
      default:
        username: admin
        password: fortigate_password

Step 3: Write a Script to Check Security Rules

from genie.testbed import load

# Load the testbed
testbed = load('testbed.yaml')

# Connect to the FortiGate firewall
device = testbed.devices['fortigate']
device.connect()

# Parse the firewall policy configuration into a dictionary
output = device.parse('show firewall policy')

# Check for "any-any" rules: a policy that accepts traffic from any
# source to any destination is flagged, everything else passes
for policy in output['policy']:
    src = policy['srcaddr']
    dst = policy['dstaddr']
    action = policy['action']
    if src == 'any' and dst == 'any' and action == 'accept':
        print(f"Warning: Open 'any-any' rule found in policy {policy['policyid']}")
    else:
        print(f"Policy {policy['policyid']} is secure.")

# Close the SSH session when the check is done
device.disconnect()

Why Use PyATS?

  • Ease of use: PyATS makes it straightforward to validate security policies without writing a lot of custom code.
  • Built-in parsers: PyATS has built-in parsers for network commands, which means you don’t need to manually process the output.
  • Security testing: It’s perfect for running security checks on configurations, making sure firewalls meet compliance requirements.


Nornir: A Flexible Network Automation Framework

On the other hand, Nornir is more of a general-purpose network automation tool. While PyATS focuses on testing and validation, Nornir lets you automate network tasks with more flexibility. However, this flexibility means you need to write more custom scripts for specific tasks like security validation.

Real Case Example: Custom Firewall Rule Validation on a Palo Alto Firewall

Here’s an example of how you can use Nornir to check for unwanted open ports or weak firewall rules on a Palo Alto firewall.

Step 1: Install Nornir

pip install nornir nornir_netmiko nornir_utils

Step 2: Set up the Configuration Files

Define the Nornir configuration in config.yaml:

inventory:
  plugin: SimpleInventory
  options:
    host_file: "hosts.yaml"
    group_file: "groups.yaml"
    defaults_file: "defaults.yaml"

And your hosts.yaml file might look like this:

palo_alto:
  hostname: 192.168.2.1
  platform: paloalto_panos
  username: admin
  password: palo_password
  groups:
    - firewalls

Step 3: Write a Nornir Task to Validate Firewall Rules

from nornir import InitNornir
from nornir.core.task import Result
from nornir_netmiko import netmiko_send_command
from nornir_utils.plugins.functions import print_result

def check_firewall_rules(task):
    # Fetch the running security policy from the device
    result = task.run(task=netmiko_send_command, command_string="show running security-policy")
    policies = result.result
    # Look for unwanted open ports or any-any rules. This is a coarse substring
    # match on the raw CLI text; tighten it to the rule fields you care about
    # (for example "source any" and "destination any" on a permit rule)
    if "any" in policies:
        return Result(host=task.host, result=f"Security Issue: Unrestricted rule found on {task.host}")
    return Result(host=task.host, result=f"All rules on {task.host} are secure.")

# Initialize Nornir from config.yaml
nr = InitNornir(config_file="config.yaml")

# Run the task against every host in the inventory and print the per-host results
print_result(nr.run(task=check_firewall_rules))
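Both scripts above decide "any-any" from a single token, which flags almost every PAN-OS policy (the word "any" appears in nearly all of them) and misses FortiGate's catch-all object. The following is an added example, not code from the article: it parses the PAN-OS text the Nornir task retrieves into per-rule fields and applies one check to both that output and the dictionary shape the PyATS script iterates over. The sample CLI output is constructed and its block layout is an assumption; the check also accepts FortiGate's "all" token, which goes beyond the article's 'any' comparison.

```python
import re

# Constructed sample of PAN-OS "show running security-policy" output;
# the block layout is an assumption for this example, not captured device output.
SAMPLE_PANOS = '''
"Allow-Web; index: 1" {
        source 10.0.0.0/8;
        destination any;
        application/service web-browsing/tcp/any/80;
        action allow;
}
"Permit-All; index: 2" {
        source any;
        destination any;
        application/service any/any/any/any;
        action allow;
}
"Deny-All; index: 3" {
        source any;
        destination any;
        action deny;
}
'''

# One block per rule:  "name" { ... }  (non-greedy body, spans lines)
RULE_RE = re.compile(r'"(?P<name>[^"]+)"\s*\{(?P<body>.*?)\}', re.S)
# Only the fields the check needs; "source-region" does not match because \s+ needs whitespace
FIELD_RE = re.compile(r'^\s*(source|destination|action)\s+(\[[^\]]*\]|[^;\s]+);', re.M)

def parse_panos_rules(text):
    # Turn the CLI text into a list of dicts with name/source/destination/action
    rules = []
    for m in RULE_RE.finditer(text):
        rule = {'name': m.group('name').split(';')[0]}
        rule.update(FIELD_RE.findall(m.group('body')))
        rules.append(rule)
    return rules

ANY_TOKENS = {'any', 'all'}  # catch-all address tokens: PAN-OS "any", FortiGate "all"

def is_unrestricted(rule):
    # True when a permit rule matches every source and every destination.
    # Accepts PAN-OS strings ("source": "any") and FortiGate lists ("srcaddr": ["all"]).
    def wide_open(value):
        values = value if isinstance(value, list) else [value]
        return any(str(v).strip('[] ').lower() in ANY_TOKENS for v in values)
    return (wide_open(rule.get('srcaddr', rule.get('source', ''))) and
            wide_open(rule.get('dstaddr', rule.get('destination', ''))) and
            rule.get('action', '').lower() in {'accept', 'allow'})

def find_unrestricted(rules):
    # Names (PAN-OS) or policy ids (FortiGate) of rules that are open any-any
    return [r.get('name', r.get('policyid')) for r in rules if is_unrestricted(r)]
```

In the Nornir task, replace the substring test with `find_unrestricted(parse_panos_rules(policies))`; for PyATS, pass `output['policy']` straight to `find_unrestricted`.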

Why Use Nornir?

  • Flexibility: You can build custom automation workflows to match your exact needs.
  • Multi-vendor support: Nornir works with a variety of devices, making it a good choice for complex networks.
  • Full control: Nornir offers more granular control, allowing you to specify exactly what needs to be done for security validation.


Comparison Between PyATS and Nornir

PyATS is best for:

  • Security validation: If your primary goal is to check that firewall rules are secure and meet compliance, PyATS makes this easier with pre-built parsers and automated checks.
  • Minimal coding: You don’t need to write as much code to get started with PyATS since it has built-in functionality for most common network tasks.

Nornir is ideal for:

  • Custom workflows: If you need more flexibility in terms of network automation and want to build workflows from scratch, Nornir gives you that power.
  • Advanced automation: Nornir is perfect if your goals go beyond validation and you need to automate more complex tasks.


Final Thoughts

Both PyATS and Nornir are effective tools for firewall security validation. If you’re looking for a tool that lets you quickly test and validate configurations, PyATS is the right choice. But if you need to build custom automation workflows and integrate security validation into a broader network automation strategy, then Nornir is the tool for you.

Regardless of which tool you choose, automating these checks can save you time and help prevent potential security risks from creeping into your firewall configurations. These examples are just a starting point, and both PyATS and Nornir offer a lot more flexibility as you dig deeper into automating your network tasks.

Saitej Dunavar Thakur

Network Engineer at Crestron Electronics

1mo

Ahmed Aboelnas, great article on network automation tools. This article will help the network community decide between PyATS and Nornir.

Shady Magdy

Network Automation Solution Architect, Vodafone DE

1mo

Great comparison! PyATS and Nornir both offer powerful capabilities, and it’s awesome to see how they can be leveraged for firewall security validation. This will definitely help many in choosing the right tool for their needs. Keep up the good work!

Suresh Vina

Network Engineer & Blogger at packetswitch.co.uk

1mo

Interesting, I didn't know PyATS could be used with other vendors. Does PyATS know how to connect to the device and interpret the output? Of course, I don't expect it to handle everything, but the ability to run commands and get the output is more than enough.
