SCM BPA Report Tool for PAN-OS TSF Uploads

Version 2.5.5 Deployed 2026-06-15 17:35:49 UTC+8
Ready

Notice

This is a personal work project written by Eric Chuang, Solutions Consultant at Palo Alto Networks.

Do not upload any customer TSF, customer document, or tenant data without explicit customer authorization. Follow company policy at all times, including the rule that customer files must not be uploaded to AI platforms.

TSG IDs and API authorization must come from legitimate approved channels. This interface only provides a UI wrapper for engineering convenience. It does not persist Client ID or Client Secret, and it does not guarantee transmission security.

Revoke or rotate Client ID and Client Secret after use to reduce security risk.

Upload

Automatic token flow

Where To Get These

Go to Palo Alto Networks Hub or Strata Cloud Manager, then open Common Services, Identity & Access, Service Accounts.

TSG ID
The 10 digit tenant ID in the service account identity email.
Client ID
Copy it from the service account client credentials.
Client Secret
Shown once when created; reset the service account secret if it was lost.

Job Status

No ID (UUID) yet
Idle 0% -
ID (UUID) -
Current Status Waiting
Uploaded -
report_url -

Log

    Response JSON

    {}

    Version History

    Newest first
    1. 2.5.3

      Hardening: HSTS + cross-origin isolation headers, download proxy no longer follows redirects, SCM upload URL is allowlist-checked, report filenames are RFC 5987 encoded, and rate limiting trusts only Cloudflare's connecting IP.

    2. 2.5.2

      Token security: upload and download tokens now use a dedicated signing key (no R2 secret reuse) and distinct HMAC context prefixes, so a token for one purpose cannot be reused for the other.

    3. 2.5.1

      Security controls now fail closed: if the rate-limit / download-token Durable Object binding is missing, the Worker returns 503 instead of silently skipping rate limiting and single-use token enforcement.

    4. 2.5.0

      Security hardening: the public Worker no longer falls back to server-side PANW credentials (closes an open-proxy risk), and the local Node dev server was removed so development and production share one code path (worker.js, run locally via wrangler dev).

    5. 2.4.2

      TSF config XML picker moved to an English modal shown after the archive scan, with found-file details in the dialog.

    6. 2.4.1

      TSF uploads: choose .merged-running-config.xml (Panorama-managed) or running-config.xml (standalone / Panorama) with guidance in the upload form.

    7. 2.4.0

      Removed browser direct upload to SCM GCS (not supported — no CORS). Production flow is browser → R2 → Worker → SCM only, avoiding orphan SCM jobs that consumed the 5 concurrent slots per TSG.

    8. 2.3.2

      SCM concurrency guidance updated: 5 active jobs per TSG, ~30 minute stuck-job timeout, required upload headers, and no cancel API.

    9. 2.3.1

      SCM active upload job limits (HTTP 429) now show a clear alert with plain-language status and log guidance.

    10. 2.3.0

      Production uploads now go browser → SCM directly (no R2 hop). If CORS or network blocks the direct PUT, the tool falls back to extracting config XML from TSF and using the R2 path.

    11. 2.2.4

      TSF uploads to SCM now stream reliably: the archive is sent with gzip transit encoding, chunked, and without re-compression.

    12. 2.2.3

      Fixed large TSF uploads dropping mid-transfer by streaming the archive to SCM without re-compressing it, which previously exhausted the worker's memory limit.

    13. 2.2.2

      Fixed TSF uploads to SCM by sending the archive with the same gzip transit encoding the direct-XML path uses, which the signed upload URL requires.

    14. 2.2.1

      Fixed large TSF uploads failing with "Network connection lost" by sending the archive to SCM with a fixed Content-Length instead of chunked streaming.

    15. 2.2.0

      TSF archives are now passed straight to SCM, which decompresses them and auto-selects the correct config (merged-running-config for Panorama-managed firewalls, running-config for standalone). This is the most accurate path and removes browser-side config guessing. Uploading a config XML directly still works.

    16. 2.1.3

      Added cache-busting for frontend assets so browsers load the latest TSF config selection fix instead of a stale cached app.js.

    17. 2.1.2

      Fixed a bug where some TSF archives uploaded the wrong config XML (for example, a small HA remote stub instead of the full merged running config). BPA jobs could complete but return incomplete report JSON. The tool now scores all XML candidates and selects the best match.

    18. 2.1.1

      Security hardening: local server binds to loopback by default, download proxy host allowlist, decompression size limits, and stronger upload-session token signing. Removed unused legacy upload code. CI now runs syntax checks before deploy.

    19. 2.1.0

      Adopted semantic versioning, added GitHub Actions deployment, and rewrote project documentation. Browser extracts config XML from TSF and uploads directly to R2 so Worker memory is not used for large archives.

    20. 2.0.x

      Introduced in-browser TSF streaming extraction, R2 direct upload, signed report download proxy, rate limiting, and automatic Bearer token flow for SCM Posture BPA.