PaloAltoNetworks / pan-os-python

The PAN-OS SDK for Python is a package to help interact with Palo Alto Networks devices (including physical and virtualized Next-generation Firewalls and Panorama). The pan-os-python SDK is object oriented and mimics the traditional interaction with the device via the GUI or CLI/API.
https://pan-os-python.readthedocs.io
ISC License

Clone() #124

Open meandus opened 6 years ago

meandus commented 6 years ago

Hi

Is it possible to add clone() to base.PanObject, like move(), as defined in pan.xapi:

clone(xpath=None, xpath_from=None, newname=None)

The clone() method performs the action=clone device configuration API request with the xpath, from (xpath_from function argument) and newname arguments.

This clones (copies) an existing node in the configuration specified by xpath. xpath_from is used to specify the source XPath and newname is used to specify the new name for the cloned node.

https://github.com/kevinsteves/pan-python/blob/master/doc/pan.xapi.rst#movexpathnone-wherenone-dstnone

Thanks in advance,

btorresgil commented 5 years ago

Thanks for opening this issue, happy to help. This has been a point of discussion and I'm interested in thoughts from the community.

Currently there are 2 options available to move or clone objects with pandevice:

Option 1: Use the PAN-OS API directly

clone and move are parts of the actual PAN-OS API. They are intentionally not directly represented in pandevice, but they are still accessible because every Firewall or Panorama instance has an 'xapi' attribute which can be used to issue direct raw API commands. For example:

from pandevice.firewall import Firewall

fw = Firewall('10.0.0.1', 'admin', 'password')
# Raw API call: moves the rule on the device but does not touch the in-memory tree
fw.xapi.move('/config/devices/entry/vsys/entry/rulebase/security/rules/entry[@name="MyRule"]', where='top')

It's a bit of a pain to craft an XPath, but any PanObject can craft its own XPath for you, making this easier. For example:

from pandevice.policies import Rulebase, SecurityRule

rulebase = fw.add(Rulebase())
rule1 = rulebase.add(SecurityRule('rule1'))
fw.xapi.move(rule1.xpath(), where='top')  # the object builds its own XPath

One problem with using the PAN-OS API calls directly is it can put things out of sync with your pandevice configuration tree, i.e. if you refresh all the rules from a firewall in pandevice into memory, then call fw.xapi.move() on one rule, then the live device and your pandevice in-memory representation are out of sync.

Option 1 advantage: Can only affect the one object specified, other objects left alone
Option 1 disadvantage: pandevice and the live device get out of sync, you'll need to refreshall to get back in-sync

Option 2: Use pandevice objects

Represent a move or clone in python using pandevice itself. For example, to clone a policy rule, you could do this:

from copy import deepcopy

rule1 = rulebase.add(SecurityRule('rule1'))
rule1.refresh()  # pull rule1's current settings from the device into the object
rule2 = rulebase.add(deepcopy(rule1))  # copy of rule1, attached to the same rulebase
rule2.name = 'rule2'
rule2.create()  # push only rule2 to the device

Now, 'rule1' is cloned as 'rule2', and the pandevice in-memory representation is perfectly in-sync with the firewall.

A 'move' would look something like this:

SecurityRule.refreshall(rulebase)  # load every security rule from the device
rule1 = rulebase.find('rule1')
rule1.delete()  # remove it from the device and from the in-memory tree
rulebase.insert(0, rule1)  # Move the rule to the top (position 0) of the in-memory tree
rule1.apply_similar()  # push all security rules back to the device in the new order

One thing to consider with this approach is the apply_similar() method which applies all security rules, thus overwriting all the security rules with what is currently in pandevice, applying them in the new order. So, with this option, any configuration on the firewall not yet supported by pandevice is removed from the live device. There is nothing to fear if done in a script that supports specific PAN-OS versions and is tested on those versions, or when pandevice owns the configuration, but this can cause problems when a human admin configures something that pandevice doesn't recognize, because it would be removed from the live device.

Option 2 advantage: pandevice and the live device stay in sync
Option 2 disadvantage: Configuration not yet supported by pandevice gets removed from live device

Conclusion

If the community has suggestions on another way to handle 'move' and 'clone' please add a comment below. We are very open to your ideas.

Let me know if you have any questions.
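The Option 2 disadvantage above (apply_similar() silently dropping settings the SDK does not model) is the part a practitioner most wants a check for. The following is an added example, not code from pan-os-python or from the commenter: it works on a constructed rulebase XML fragment with the standard library only, flags rule settings that a hard-coded, assumed set of modelled fields (MODELLED_RULE_FIELDS, which you would derive from the SecurityRule params of the SDK version you actually run) would not re-serialise, and shows the clone and move-to-top operations from Options 1 and 2 carried out on that XML. The <group-tag> element in the sample is only a stand-in for any setting a given SDK release does not know.

```python
# Added example: pre-flight check before a script overwrites a whole
# rulebase, plus clone/move performed on the rulebase XML itself.
# Not part of pan-os-python; the field set and sample XML are assumptions.
import copy
import xml.etree.ElementTree as ET

# Security-rule fields this example's model would write back.
# Assumption for the example: check it against the SecurityRule params
# of the SDK version you run before relying on it.
MODELLED_RULE_FIELDS = {
    "from", "to", "source", "destination", "source-user", "category",
    "application", "service", "hip-profiles", "action", "description",
    "tag", "log-start", "log-end", "log-setting", "disabled",
    "profile-setting", "negate-source", "negate-destination",
}

# Constructed sample rulebase; <group-tag> stands in for an unmodelled setting.
LIVE_RULEBASE_XML = """
<rules>
  <entry name="rule1">
    <from><member>trust</member></from>
    <to><member>untrust</member></to>
    <source><member>any</member></source>
    <destination><member>any</member></destination>
    <application><member>web-browsing</member></application>
    <service><member>application-default</member></service>
    <action>allow</action>
    <group-tag>change-ticket-42</group-tag>
  </entry>
  <entry name="rule2">
    <from><member>any</member></from>
    <to><member>any</member></to>
    <source><member>any</member></source>
    <destination><member>any</member></destination>
    <application><member>any</member></application>
    <service><member>any</member></service>
    <action>deny</action>
  </entry>
</rules>
"""


def rule_names(rulebase_xml):
    """Rule names in device order."""
    return [e.get("name") for e in ET.fromstring(rulebase_xml).findall("entry")]


def unmodelled_settings(rulebase_xml, modelled=MODELLED_RULE_FIELDS):
    """Map rule name -> sorted child tags that a full re-apply would drop."""
    findings = {}
    for entry in ET.fromstring(rulebase_xml).findall("entry"):
        extra = sorted(child.tag for child in entry if child.tag not in modelled)
        if extra:
            findings[entry.get("name")] = extra
    return findings


def safe_to_apply_similar(rulebase_xml, modelled=MODELLED_RULE_FIELDS):
    """True only when re-serialising the model loses nothing on the device."""
    return not unmodelled_settings(rulebase_xml, modelled)


def _find_entry(root, name):
    entry = next((e for e in root.findall("entry") if e.get("name") == name), None)
    if entry is None:
        raise KeyError(f"no rule named {name!r}")
    return entry


def clone_rule(rulebase_xml, src_name, new_name):
    """Copy one rule under a new name; the copy is appended at the bottom,
    which is where rulebase.add() in Option 2 puts it. Names must be unique."""
    root = ET.fromstring(rulebase_xml)
    if new_name in (e.get("name") for e in root.findall("entry")):
        raise ValueError(f"rule {new_name!r} already exists")
    dup = copy.deepcopy(_find_entry(root, src_name))
    dup.set("name", new_name)
    root.append(dup)
    return ET.tostring(root, encoding="unicode")


def move_rule_to_top(rulebase_xml, name):
    """Reorder like where='top': detach the rule and reinsert at position 0."""
    root = ET.fromstring(rulebase_xml)
    target = _find_entry(root, name)
    root.remove(target)
    root.insert(0, target)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    if not safe_to_apply_similar(LIVE_RULEBASE_XML):
        print("refusing full re-apply; unmodelled settings:", unmodelled_settings(LIVE_RULEBASE_XML))
    print(rule_names(move_rule_to_top(clone_rule(LIVE_RULEBASE_XML, "rule1", "rule1-copy"), "rule1-copy")))
```

In a real script the XML passed to unmodelled_settings() would come from the device (for example the response to a `show` or `get` on the rulebase XPath, which fw.xapi can fetch), and a non-empty result is the cue to fall back to Option 1 for that change rather than call apply_similar().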