search

PaloAltoNetworks / pan-os-python

The PAN-OS SDK for Python is a package to help interact with Palo Alto Networks devices (including physical and virtualized Next-generation Firewalls and Panorama). The pan-os-python SDK is object oriented and mimics the traditional interaction with the device via the GUI or CLI/API.
https://pan-os-python.readthedocs.io
ISC License
345 stars 170 forks source link

Response Code Not Returned #281

Closed rebelfish closed 4 years ago

rebelfish commented 4 years ago

Describe the bug

When pulling the rule hit count, the response attribute 'code' is not returned. Using 'op' with cmd=''

Expected behavior

cURL response is as follows:

<response status="success" code="19">
    <result total-count="0" count="0"/>
        <...>
</response>

Assuming my response is held in respRHC: respRHC.attrib should return { 'status': 'success', 'code': '19'} respRHC.keys() should return ['status', 'code'] respRHC.attrib['code'] should return '19' pan_obj.xapi.status_code should return '19'

Current behavior

Only 'status' is returned and in my use case, the status is always 'success' even if I provide a rule name that does not exist. However, the code does change to indicate the rule does not exist.

Possible solution

It appears that xapi is setup to capture the code but for some reason, it is not in my use case. I'm no code ninja so I can't figure out why. Hence the bug.

Steps to reproduce

cURL (and same for GUI):

> curl -k -X GET "https://<panorama>>/api/?type=config&action=get&xpath=/config/devices/entry\[@name='localhost.localdomain'\]/device-group/entry\[@name='MyDeviceGroup'\]/pre-rulebase/security/rules/entry\[@name='MyRuleName'\]&key=<api_key>>"
<response status="success" code="19"><result total-count="0" count="0"/></response>

IDLE (Python 3.8.3 Shell):

>>> pandev = base.PanDevice.create_from_device(<panorama>, api_username=<username>, api_password=<password>)
>>> dg = 'MyDeviceGroup'
>>> rule = 'MyRuleName'
>>> cmdRHC = '<show><rule-hit-count><device-group><entry name="{0}"><pre-rulebase><entry name="security"><rules><rule-name><entry name="{1}"/></rule-name></rules></entry></pre-rulebase></entry></device-group></rule-hit-count></show>'.format(dg, rule)
>>> respRHC = pandev.op(cmd=cmdRHC, cmd_xml=False)
>>> respRHC.attrib
{'status': 'success'}
>>> respRHC.keys()
['status']
>>> pandev.xapi.status
'success'
>>> pandev.xapi.status_code
>>>
>>> ET.tostring(respRHC)
b'<response status="success"><result><rule-hit-count>...</rule-hit-count></result></response>'

Screenshots

Context

I was intending to look at the code to determine if a non-existent rule name was used which returns a 'code': '7' rather than '19'. In both cases, the 'status' returns 'success' so it is of no use.

Your Environment