[Day #70 PyATS Series] Validate Firewall Rules (Multi-Vendor Perimeter Devices) using pyATS for Cisco [Python for Network Engineer]

Introduction on the Key Points

When it comes to enterprise network security, firewalls are the first line of defense. Whether you’re running Cisco ASA/FTD, Palo Alto NGFW, FortiGate, or even Arista devices in a perimeter role, the policy rules define what traffic is allowed or denied.

The challenge is validating firewall rules consistently across multi-vendor environments. Security teams often rely on manual checks: CLI “show access-list” on Cisco, GUI exports from Palo Alto Panorama, or FortiGate firewall policy lookups. But these methods don’t scale, and manual errors creep in.

This is where pyATS automation gives us a vendor-agnostic validation framework. With pyATS, we can:

• Automatically log into perimeter firewalls.
• Extract and normalize firewall rule tables (ACLs, security policies, objects).
• Validate consistency of expected vs actual rules.
• Run end-to-end reachability checks to ensure policies are working.
• Document results with pass/fail status for auditors.

This article is a step-by-step masterclass workbook. We’ll build a pyATS workflow that checks firewall rules across Cisco ASA, Palo Alto, and FortiGate, validate them via CLI & GUI, and confirm enforcement with ping/TCP reachability.

If you’re serious about mastering Python for Network Engineer roles, this will give you a real-world automation scenario that goes beyond labs.

Topology Overview

Our multi-vendor firewall validation lab:

• Branch ASA: Enforces local branch-to-datacenter rules.
• Palo Alto: NGFW at core perimeter.
• FortiGate: Datacenter perimeter protection.

We want to ensure:

1. Branch LAN hosts can reach specific datacenter apps (TCP/443, ICMP).
2. All firewalls permit DNS traffic to external resolvers.
3. No unintended open rules exist (audit for “any-any” violations).

Topology & Communications

• Management access: SSH for Cisco ASA, FortiGate; API/XML-API for Palo Alto.
• pyATS testbed connects to each firewall.
• Communication workflow:
  1. pyATS logs in.
  2. Extracts rule tables.
  3. Normalizes them into a standard dictionary.
  4. Runs validation checks (expected vs actual).
  5. Optionally runs end-to-end ping/TCP tests between simulated endpoints.

Workflow Script

Here’s the pyATS test script (firewall_rules_check.py):

from genie.testbed import load
from pyats.aetest import Testcase, test, main
import re

EXPECTED_RULES = {
    "ASA": [
        {"src": "10.1.1.0/24", "dst": "172.16.1.0/24", "service": "tcp/443", "action": "permit"},
        {"src": "any", "dst": "8.8.8.8", "service": "udp/53", "action": "permit"},
    ],
    "PALOALTO": [
        {"src": "10.1.1.0/24", "dst": "172.16.1.0/24", "service": "tcp/443", "action": "allow"},
        {"src": "any", "dst": "8.8.8.8", "service": "udp/53", "action": "allow"},
    ],
    "FORTIGATE": [
        {"src": "10.1.1.0/24", "dst": "172.16.1.0/24", "service": "tcp/443", "action": "accept"},
        {"src": "any", "dst": "8.8.8.8", "service": "udp/53", "action": "accept"},
    ]
}

class FirewallRuleValidation(Testcase):

    @test
    def extract_rules(self, testbed):
        self.rules = {}
        for device_name, device in testbed.devices.items():
            device.connect(log_stdout=False)

            if "asa" in device.os:
                output = device.execute("show access-list")
                self.rules["ASA"] = output

            elif "panos" in device.os:
                output = device.execute("show running security-policy")
                self.rules["PALOALTO"] = output

            elif "fortinet" in device.os:
                output = device.execute("show firewall policy")
                self.rules["FORTIGATE"] = output

    @test
    def validate_rules(self):
        for fw, expected_rules in EXPECTED_RULES.items():
            print(f"\n--- Validating {fw} ---")
            actual_output = self.rules.get(fw, "")

            for exp_rule in expected_rules:
                search_pattern = f"{exp_rule['src']}.*{exp_rule['dst']}.*{exp_rule['service']}.*{exp_rule['action']}"
                if re.search(search_pattern, actual_output, re.IGNORECASE):
                    print(f"PASS: Rule {exp_rule} found on {fw}")
                else:
                    print(f"FAIL: Rule {exp_rule} NOT found on {fw}")

if __name__ == '__main__':
    main()

Explanation by Line

• EXPECTED_RULES: Defines our golden firewall policy per vendor. Notice permit/allow/accept mapped per vendor syntax.
• extract_rules(): Logs into each device and extracts firewall rules. Vendor-specific CLI is used here.
• validate_rules(): Compares expected rules with actual outputs using regex matching.
• print results: Marks PASS/FAIL for each rule.

This script becomes a repeatable audit tool. Add rules to EXPECTED_RULES, re-run anytime.

testbed.yml Example

testbed:
  name: firewall_testbed
  credentials:
    default:
      username: admin
      password: Cisco123

devices:
  asa-fw:
    os: asa
    type: firewall
    connections:
      cli:
        protocol: ssh
        ip: 192.168.1.10

  palo-fw:
    os: panos
    type: firewall
    connections:
      cli:
        protocol: ssh
        ip: 192.168.1.20

  forti-fw:
    os: fortinet
    type: firewall
    connections:
      cli:
        protocol: ssh
        ip: 192.168.1.30

Post-validation CLI

• Cisco ASA:

ASA# show access-list
access-list outside_access_in line 1 extended permit tcp 10.1.1.0 255.255.255.0 172.16.1.0 255.255.255.0 eq 443
access-list outside_access_in line 2 extended permit udp any host 8.8.8.8 eq 53

• Palo Alto:

> show running security-policy
Rule: Branch-to-DC
 Source: 10.1.1.0/24
 Destination: 172.16.1.0/24
 Application: ssl
 Action: allow

• FortiGate:

FGT # show firewall policy
edit 1
 set srcaddr "BranchLAN"
 set dstaddr "DataCenterLAN"
 set service "HTTPS"
 set action accept
next
edit 2
 set srcaddr "all"
 set dstaddr "GoogleDNS"
 set service "DNS"
 set action accept

FAQs

Q1. Why is firewall rule validation critical in network security operations?
A1. Firewall rules control the flow of traffic between network zones and protect against unauthorized access. Validating these rules ensures they are correctly configured, prevent security gaps, and maintain compliance with security policies, reducing the risk of network breaches or service outages.

Q2. How does pyATS automate the validation of firewall rules?
A2. pyATS connects to perimeter firewalls (Cisco ASA, Palo Alto, Fortigate, etc.), runs commands like show access-list, show running policies, or leverages vendor APIs, and parses rule definitions. It then compares the rules against a predefined golden configuration or expected policy state and reports any mismatches.

Q3. Can pyATS handle multi-vendor firewall environments?
A3. Yes. pyATS supports multi-vendor environments by using custom parsers and templates for different CLI formats or REST APIs. This allows consistent validation of firewall rules across Cisco ASA, Palo Alto, Fortigate, Juniper SRX, and other popular firewall platforms.

Q4. How are discrepancies in firewall rules reported by pyATS?
A4. Discrepancies are reported in detailed structured formats (JSON, HTML). Each rule is listed along with expected vs actual configurations. If any rule is missing, altered, or has incorrect parameters (like action, source, destination, or port), it is flagged clearly with context for remediation.

Q5. Can pyATS validate both IPv4 and IPv6 firewall rules?
A5. Yes. Provided the firewall device supports IPv6 configurations, pyATS test scripts can validate IPv4 and IPv6 rules by executing appropriate commands or API calls, ensuring comprehensive rule compliance.

Q6. How does pyATS improve operational efficiency in firewall policy audits?
A6. Automating rule validation eliminates the need for manual audits, significantly speeding up the process. It reduces human error, provides consistent repeatable checks, and enables scheduled validation workflows that fit into CI/CD pipelines for continuous compliance.

Q7. Can pyATS be used to validate dynamic rule changes pushed by automation tools like Ansible?
A7. Absolutely. After Ansible playbooks or automation pipelines push new firewall rules, pyATS can immediately validate the pushed configurations to ensure they were applied correctly, with no unintended modifications or missing critical rules.

YouTube Link

Watch the Complete Python for Network Engineer: Validate Firewall Rules (Multi-Vendor Perimeter Devices) using pyATS for Cisco [Python for Network Engineer] Lab Demo & Explanation on our channel:

Join Our Training

This was a real-world, hands-on masterclass where we automated firewall rule validation across Cisco, Palo Alto, and FortiGate. You’ve seen how pyATS simplifies multi-vendor policy enforcement, rule auditing, and compliance reporting.

Trainer Sagar Dhawan is conducting a 3-month Instructor-Led Training on Python, Ansible & APIs for Network Engineers. This course is designed to take you from basic scripting to production-grade automation, covering real-world labs across Cisco, Arista, Palo Alto, and FortiGate.

Check the full course outline here:
Python Ansible API Cisco DevNet for Network Engineers – 3-Month Training

If you want to future-proof your career and master Python for Network Engineer roles, this is your chance to learn with a structured roadmap, real projects, and guided mentorship.

Enroll Now & Future‑Proof Your Career
Email: info@networkjourney.com
WhatsApp / Call: +91 97395 21088