Automating Multi-Vendor Firewall Audits with Python Netmiko & Paramiko
How we replaced manual SSH login sessions across 200+ multi-vendor firewalls with custom Python Netmiko scripts to audit stale rules and enforce compliance.
βLogging into 200 individual firewall CLI sessions manually to check for un-used permit rules is not engineering β itβs manual labor that invites human error.β
The Setup
In February 2017 at Wipro, we managed a sprawling multi-vendor security perimeter for a global healthcare client. The firewall estate comprised 200+ Cisco ASA, Checkpoint, and Palo Alto appliances.
During a strict ISO-27001 compliance audit, auditors required a comprehensive list of all active permit ANY rules, un-used ACL stanzas, and outdated NAT objects across every firewall.
The Mess
Manually logging into 200 devices over SSH, running vendor-specific CLI commands (show run access-list, show config), and pasting text files into spreadsheets was estimated to take 160 engineering hours.
During early manual checks, an engineer accidentally executed clear ip access-list on a live core Cisco ASA, causing a 12-minute outage:
[CRITICAL] 2017-02-10 14:15:02 IST - Cisco ASA 5550 Console Log
ciscoasa# clear ip access-list OUTSIDE_ACL_IN
Result: Access-List OUTSIDE_ACL_IN Cleared (0 rules remaining).
System Impact: 100% of inbound internet traffic dropped on interface outside.
Audit Failure: 45 firewalls audited manually, 155 firewalls remaining.
Manual auditing was slow, risky, and incapable of detecting real-time configuration drift.
The Solution
I wrote a modular Python Netmiko & Paramiko Automation Framework that executed read-only CLI commands across multi-vendor firewalls in parallel threads:
- Multi-Threaded SSH Execution: Utilized Python
concurrent.futuresto query 50 firewalls simultaneously using Netmiko drivers. - Regex Parsing & Normalization: Standardized vendor-specific rule formats into a unified JSON compliance report.
- Read-Only SSH Credentials: Enforced read-only TACACS+ accounts to prevent accidental CLI state changes.
# audit_firewalls.py - Python Netmiko Multi-Vendor Audit Engine
import concurrent.futures
from netmiko import ConnectHandler
import json
devices = [
{"device_type": "cisco_asa", "host": "192.168.1.10", "username": "audit_user", "password": "SecretPassword123"},
{"device_type": "paloalto_panos", "host": "192.168.1.20", "username": "audit_user", "password": "SecretPassword123"},
]
def audit_device(device):
try:
net_connect = ConnectHandler(**device)
if device['device_type'] == 'cisco_asa':
output = net_connect.send_command("show access-list | include permit")
elif device['device_type'] == 'paloalto_panos':
output = net_connect.send_command("show config running rulebase security")
net_connect.disconnect()
return {"host": device['host'], "status": "SUCCESS", "rules": output.splitlines()}
except Exception as e:
return {"host": device['host'], "status": "FAILED", "error": str(e)}
with concurrent.futures.ThreadPoolExecutor(max_workers=20) as executor:
results = list(executor.map(audit_device, devices))
print(json.dumps(results, indent=2))
# Python Netmiko Audit Summary Output
[NETMIKO AUDIT SUMMARY] 2017-02-18 10:00:00 IST
Total Devices Audited: 200 / 200 (100% COMPLETE)
Execution Time: 3 minutes 12 seconds (vs 160 hours manual)
Stale Rules Flagged (>90 days inactive): 1,420 ACL stanzas
Compliance Violations (Any/Any Ingress): 12 rules flagged for immediate cleanup
The Results
The Python Netmiko audit script completely transformed our security operations:
- Audit Runtime: Reduced from 160 manual hours to 3 minutes 12 seconds.
- Human Errors: 0 outages during automated read-only scans.
- Security Stance: Identified and pruned 1,420 stale ACL rules across 200 firewalls.
Key Takeaway
Never audit network infrastructure manually. Building lightweight Python Netmiko automation scripts with read-only credentials guarantees fast, non-disruptive, and 100% accurate compliance reporting.
Architecture and decisions: mine. Python code and CLI automation: mine. AI assistance: structure, syntax, first draft. β Sachin
Sachin Kumar Sharma
Associate Director (Infrastructure & Cloud Architecture Strategy) | 20+ Yrs Exp
Architecting resilient multi-cloud enterprise landing zones, SDN overlay fabrics, DevSecFinOps automation pipelines, and autonomous Agentic AI platforms.
π‘ Related Engineering Articles
Day-0 Firewall Rules: Automating Security Baseline Insertion
How we eliminated the manual ticket bottleneck by injecting security baselines directly into the provisioning pipeline of NSX-T logical segments.
The Pivot: Transitioning from Manual CLI Engineer to Python Automation
The moment I realized typing 'configure terminal' on 50 switches manually was data entry, and how learning Python Netmiko transformed my engineering career.
Zero-Trust Polyglot Firewall Management: Unifying Palo Alto, Checkpoint & Cisco Rules
How we normalized multi-vendor security rules across Palo Alto App-ID, Checkpoint SmartConsole, and Cisco Firepower FTD into a single Zero-Trust policy model.
π¬ Stay Updated on Tech Releases
Sign up to get notified when I publish new production war stories, agentic AI architecture blueprints, or open-source infrastructure tools.