Policy Inspector Documentation¶
Policy Inspector for Palo Alto Networks - Analyze firewall security policies and detect shadowed rules.
Policy Inspector is a command-line tool that connects directly to your Palo Alto Panorama to analyze firewall security policies in real-time. It identifies shadowed rules, validates configurations, and provides comprehensive security policy insights.
Key Features¶
🔍 Shadowing Detection: Identifies rules that will never trigger due to preceding rules
🌐 Direct API Integration: Connects to Panorama via REST API - no manual exports needed
🔧 Multi-Device Group Support: Analyze multiple device groups simultaneously
📊 Advanced Analysis: Resolves IP addresses for precise shadowing detection
📈 Multiple Output Formats: Text, HTML, JSON, and CSV reporting
🔌 Extensible Framework: Easy to add custom scenarios and checks
Documentation Contents¶
User Guide
API Reference
Development
Quick Start¶
Install Policy Inspector using pip:
pip install policy-inspector
Basic usage:
# List available scenarios
pins list
# Try the demo with sample data
pins run example shadowing-basic
# Analyze a device group for shadowed rules
pins run shadowing --panorama-hostname your-panorama.company.com \
--panorama-username admin \
--device-groups "Production"
# Export results to HTML report
pins run shadowing --panorama-hostname your-panorama.company.com \
--panorama-username admin \
--device-groups "Production" \
--export html --export-dir ./reports