How to automate and schedule periodic Cloud Discovery Scans in Windows 7 (e.g. Palo Alto Firewall logs)?


Running Cloud Discovery scans interactively using the GUI is very easy. In many enterprises, this process needs to be scripted and automated so that it runs periodically and generates Cloud Discovery reports. This can be achieved by running the tool on the command line and writing a small wrapper around it. Please note that the option of running the tool on the command line is available only in Cloud Discovery Enterprise Edition, not in the Free version.

There are three major steps to automate and schedule periodic Cloud Discovery Scans. This article uses Palo Alto Firewall logs as an example. Helpful scripts/files (cloudcli.bat and LF) are attached for quicker reference.

  1. Schedule export of logs from proxy or firewalls
  2. Configure the tool to run in command line
  3. Schedule run of the tool using Task Scheduler in Windows

1. Schedule export of logs from proxy/firewalls/SIEM

Please contact your system/network administrator to export logs periodically and store them on a Windows server or on storage accessible to the Cloud Discovery Tool.

The Cloud Discovery tool can read a single file, multiple files, or all files within a folder in one scan, so logs from proxies, firewalls or a SIEM can be pushed to a folder, to a single rotating file, or to one file a day stored in a folder.

Here are step by step instructions to schedule export of logs from Palo Alto firewall.

    • Please log in to Panorama or the local firewall.
    • Click on the “Device” tab at the top right corner.
    • Click on the “Scheduled Log Export” on the left bottom corner
    • Click on “add” on the left bottom corner 
    • Fill in the needed details 
    • Commit the change to the firewalls/panorama.

2. Configure the tool to run in command line

    • Create and configure a scan definition file

A .scan XML file is used by the Cloud Discovery Tool to determine the type of log and its location on the hard drive.

The XML should be in the following format:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<lastOutputPathname> </lastOutputPathname>
<logFormatName>Palo Alto Networks</logFormatName>
<pathname>C:\MyPath\MyLog.csv</pathname>

lastOutputPathname: Specifies the path of the tool’s last run. Should remain empty when using the CLI.
name: Specify the name of your scan.
logFormatName: Specify the type of log to be scanned. Note: The name should correspond with one of the available log types as they appear in the Cloud Discovery Tool UI.

pathname: Specify the path to the file or directory in which the log files reside.
NOTE: Make sure there are no spaces between the XML tags and the value. For example, instead of
<pathname> C:\MyPath\MyLog.csv </pathname>
use
<pathname>C:\MyPath\MyLog.csv</pathname>
    • You can also use a scan file created by running the tool interactively in the GUI. By default, .scan files are stored in the user's My Documents folder, e.g. "C:\Users\abc\Documents"
    • Open/Run Command Prompt (All programs -> Accessories -> Command Prompt -> Right Click -> Run as Administrator)
    • Change directory to <Cloud Discovery Installation Path>
    • Run cloudDiscoveryCLI.bat -s "[Path to .scan file]" -d "[Path where output results are saved]", for example:

"C:\Program Files (x86)\CloudDiscovery\cloudDiscoveryCLI.bat" -s "C:\Users\abc\Documents\websense.scan" -d "C:\Users\abc\Documents\CloudDiscovery\results"

For more details about the Cloud Discovery command line options, including how to install a license, please read the article "What are available CLI options for Cloud Discovery?"
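A pre-flight check for the scan definition rules described above, so that an unattended run stops on a padded or missing log path instead of producing an empty report. This is an added example, not part of the Cloud Discovery tool; the function name lint_scan_definition and the regex-based reading of the file are assumptions made here, and the sample definitions are constructed from the article's example.

```python
import os
import re

# Leaf elements of the form <tag>value</tag>; [^<]* skips any wrapper element.
LEAF = re.compile(r"<(?P<tag>[A-Za-z]+)>(?P<val>[^<]*)</(?P=tag)>")

def lint_scan_definition(text, path_exists=os.path.exists):
    """Return a list of problems in a .scan definition; empty list means OK."""
    found = {m.group("tag"): m.group("val") for m in LEAF.finditer(text)}
    problems = []
    for tag in ("logFormatName", "pathname"):
        val = found.get(tag)
        if val is None:
            problems.append(f"{tag}: element missing")
        elif not val.strip():
            problems.append(f"{tag}: empty")
        elif val != val.strip():
            problems.append(f"{tag}: whitespace between tag and value")
    # The article says this element stays empty when the CLI is used.
    if found.get("lastOutputPathname", "").strip():
        problems.append("lastOutputPathname: must be empty for CLI runs")
    # A missing log file or folder means the scheduled export did not land.
    path = found.get("pathname", "").strip()
    if path and not path_exists(path):
        problems.append(f"pathname: {path} not found")
    return problems

# Constructed samples based on the article's example definition.
PADDED = r"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<lastOutputPathname> </lastOutputPathname>
<logFormatName>Palo Alto Networks</logFormatName>
<pathname> C:\MyPath\MyLog.csv </pathname>
"""
CLEAN = PADDED.replace("> C:", ">C:").replace(".csv <", ".csv<")

if __name__ == "__main__":
    for name, text in (("padded", PADDED), ("clean", CLEAN)):
        # path_exists is stubbed so the demo runs on any machine.
        print(name, lint_scan_definition(text, path_exists=lambda p: True))
```
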

3. Schedule run of Cloud Discovery CLI tool using Task Scheduler in Windows

    • Create a small batch file with contents like those shown here and save it. A sample batch file is attached.
cd c:\Program Files (x86)\CloudDiscovery
"c:\Program Files (x86)\CloudDiscovery\cloudDiscoveryCLI.bat" -s "C:\Users\nattu\Documents\websense.scan" -d "C:\Users\nattu\Documents\CloudDiscovery\results" < "c:\Program Files (x86)\CloudDiscovery\LF"

"c:\Program Files (x86)\CloudDiscovery\LF" is a file containing a single line feed character. It is redirected as input to the batch file to get past the prompt issued by the Cloud Discovery CLI tool's Java program. This will be corrected in future versions, after which the file may no longer be needed.

    • Run batch file in a command prompt to make sure it runs and creates results.  Sample output shown below.
C:\Windows\system32>"C:\Program Files (x86)\CloudDiscovery\cloudcli.bat"

C:\Windows\system32>cd C:\Program Files (x86)\CloudDiscovery

C:\Program Files (x86)\CloudDiscovery>"c:\Program Files (x86)\CloudDiscovery\cloudDiscoveryCLI.bat"
-s "C:\Users\nattu\Documents\websense.scan"
-d "C:\Users\nattu\Documents\CloudDiscovery\results" 0 <
"c:\Program Files (x86)\CloudDiscovery\LF"

C:\Program Files (x86)\CloudDiscovery>"C:\Program Files (x86)\Java\jre7\bin\java" -cp *
-Xverify:none com.skyfence.skyware.CloudDiscoveryToolCLI
-s "C:\Users\nattu\Documents\websense.scan"
-d "C:\Users\nattu\Documents\CloudDiscovery\results"
Scan started
[100%] 0 records analyzed
Scan done
Time: 37ms.
Sending scan results to your Skyfence Cloud Gateway
.......Upload done
Cloud Discovery tool finished analyzing your scan, websense
The reports can be found under: C:\Users\nattu\Documents\CloudDiscovery\results\
2014-09-13 websense (15)
Analysis summary
Total number of services found: 1
Total number of users: 1
Total number activities analyzed: 1
Press [Enter] key to exit...

C:\Program Files (x86)\CloudDiscovery>

    • Create a scheduled task using Task Scheduler to run it with a desired schedule
      • You can use the AT command from Command Prompt to create a scheduled task.

For example, to run it every day at 12:35 PM:

C:\Program Files (x86)\CloudDiscovery>at 12:35 /every:M,T,W,Th,F,S,Su cmd /c "c:\Program Files (x86)\CloudDiscovery\cloudcli.bat"

Make sure the task that was just created is configured in Task Scheduler to run as the current user.

      • Go to Control Panel -> Administrative Tools -> Task Scheduler -> Double Click desired Task from Task Scheduler Library -> Edit the job as below to run it with current user -> Choose "Configure for Windows Vista, Windows Server 2008"