Palo Alto Firewall Keywords

The following keywords are supported in Palo Alto audits:

Keyword

Description

type

This must always be set to AUDIT_XML or AUDIT_REPORTS.

description

This keyword provides the ability to add a brief description of the check that is being performed. It is strongly recommended that the description be unique, with no two distinct checks sharing the same description, because Tenable uses this field to automatically generate a unique plugin ID number for the check.

info

This keyword allows users to add a more detailed description to the check that is being performed. Multiple info fields are allowed with no preset limit. The info content should be enclosed in double-quotes.

api_request_type

This keyword describes the type of API request. The PAN-OS XML API supports several request types, including keygen, op, commit, report, export, and config. For the purposes of this plugin, only request type op is exposed.

request

This keyword specifies the request to run on the firewall. The result of each request is cached, so a later check that issues the same request reuses the cached result instead of querying the firewall again. In addition, for AUDIT_REPORTS checks, the default Tenable audit includes only 9 checks. To cover more reports, create new checks and set the request keyword to the report's XML API URL, in which the parameters following type=report select the report. For example:

/api/?type=report&reporttype=predefined&reportname=hruser-top-url-categories

regex

This keyword allows searching for items that match a particular regular expression. If a check has the regex keyword set but neither expect nor not_expect, the check simply reports all lines matching the regex.

The compliance of a check is determined by comparing the output of the check against either the expect or the not_expect keyword. A check cannot contain more than one compliance-testing tag: either expect or not_expect may be present, but not both.

Keyword

Description

expect

This keyword audits the config item matched by the regex keyword; if regex is not used, it looks for the expect string in the entire config. The check passes as long as the config line found by regex matches the expect string or, where regex is not set, as long as the expect string is found anywhere in the config.

not_expect

This keyword searches for configuration items that should not be present in the configuration; it acts as the opposite of expect. The check passes as long as the config line found by regex does not match the not_expect string or, where regex is not set, as long as the not_expect string is not found anywhere in the config.
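The following Python program is an added example, not part of Tenable's audit engine or of any shipped Palo Alto audit. It shows how the keywords above fit together: it parses three constructed checks written with only the keywords documented on this page (the custom_item wrapper and the keyword: "value" line syntax are assumed from the general Tenable .audit format, which this page does not describe), runs them against a constructed in-memory stand-in for the firewall (the op request body and the report URL are the lookup keys; the responses are modelled as lines of text and are not real device output), and applies the expect / not_expect rules described above. Several details are assumptions and are marked as such in the code: the request cache and its call counter model the caching the page mentions; expect and not_expect are treated as regular expressions; and when regex selects several lines, every selected line must match expect, while a regex that selects no line fails an expect check and passes a not_expect check.

```python
import re
from typing import Dict, List, Tuple

KEYWORD_RE = re.compile(r'^(\w+)\s*:\s*"?(.*?)"?$')


def parse_custom_item(text: str) -> Dict[str, object]:
    """Parse the keyword: "value" lines of one custom_item block into a dict.
    Repeated keywords (several info fields are allowed) become a list. Enforces
    the rules the page states: type is AUDIT_XML or AUDIT_REPORTS, and expect
    and not_expect are mutually exclusive."""
    item: Dict[str, object] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line in ("<custom_item>", "</custom_item>"):
            continue
        m = KEYWORD_RE.match(line)
        if not m:
            raise ValueError(f"unparseable line: {line!r}")
        key, value = m.group(1), m.group(2)
        prev = item.get(key)
        item[key] = value if prev is None else (prev if isinstance(prev, list) else [prev]) + [value]
    if item.get("type") not in ("AUDIT_XML", "AUDIT_REPORTS"):
        raise ValueError("type must be AUDIT_XML or AUDIT_REPORTS")
    if "expect" in item and "not_expect" in item:
        raise ValueError("expect and not_expect cannot both be set in one check")
    return item


# Constructed stand-in for the firewall (not real device output). Keys are the op
# request body (AUDIT_XML) or the report URL (AUDIT_REPORTS); responses are lines.
FAKE_FIREWALL: Dict[str, List[str]] = {
    "<show><system><info></info></system></show>": [
        "<hostname>fw-edge-01</hostname>", "<sw-version>10.2.4</sw-version>",
        "<multi-vsys>off</multi-vsys>", "<operational-mode>normal</operational-mode>",
    ],
    "/api/?type=report&reporttype=predefined&reportname=hruser-top-url-categories": [
        "<category>business-and-economy</category>", "<category>computer-and-internet-info</category>",
    ],
}


class Auditor:
    """Runs parsed checks against one firewall; caches each request (assumed model of the page's cache)."""

    def __init__(self, firewall: Dict[str, List[str]]) -> None:
        self.firewall, self.cache, self.api_calls = firewall, {}, 0

    def fetch(self, request: str) -> List[str]:
        if request not in self.cache:  # only an unseen request reaches the API
            self.api_calls += 1
            self.cache[request] = self.firewall[request]
        return self.cache[request]

    def run(self, item: Dict[str, object]) -> Tuple[str, List[str]]:
        """Return (PASSED | FAILED | INFO, lines selected by regex)."""
        lines = self.fetch(str(item["request"]))
        regex = item.get("regex")
        found = [l for l in lines if re.search(str(regex), l)] if regex else list(lines)
        if "expect" in item:  # expect/not_expect treated as regexes (assumption)
            pat = str(item["expect"])
            if regex:
                # Assumption: every regex-selected line must match; no selected line fails.
                passed = bool(found) and all(re.search(pat, l) for l in found)
            else:
                passed = any(re.search(pat, l) for l in lines)
        elif "not_expect" in item:
            # Selected lines (whole output without regex) must not match; nothing selected passes.
            passed = not any(re.search(str(item["not_expect"]), l) for l in found)
        else:
            return "INFO", found  # regex alone: just report the matching lines
        return ("PASSED" if passed else "FAILED"), found


# Constructed checks using only the keywords documented above (not Tenable's own).
CHECKS = [
    r'''<custom_item>
  type: AUDIT_XML
  description: "PAN-OS software version must be a 10.2 release"
  api_request_type: "op"
  request: "<show><system><info></info></system></show>"
  regex: "<sw-version>"
  expect: "<sw-version>10\.2\."
</custom_item>''',
    r'''<custom_item>
  type: AUDIT_XML
  description: "Multi-vsys must not be enabled"
  api_request_type: "op"
  request: "<show><system><info></info></system></show>"
  not_expect: "<multi-vsys>on</multi-vsys>"
</custom_item>''',
    r'''<custom_item>
  type: AUDIT_REPORTS
  description: "Top URL categories (informational)"
  api_request_type: "op"
  request: "/api/?type=report&reporttype=predefined&reportname=hruser-top-url-categories"
  regex: "<category>"
</custom_item>''',
]


def run_all(checks: List[str] = CHECKS) -> Tuple[List[Tuple[str, str]], int]:
    """Run every check; return [(description, result), ...] and the count of API requests."""
    auditor = Auditor(FAKE_FIREWALL)
    results = [(str(i["description"]), auditor.run(i)[0]) for i in map(parse_custom_item, checks)]
    return results, auditor.api_calls
```

Running run_all() on the constructed data gives PASSED, PASSED, INFO and an API call count of 2: the first two checks share one op request, so the second is served from the cache, which is the behaviour the request keyword's description relies on.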