search

PaloAltoNetworks / pan-os-python

The PAN-OS SDK for Python is a package to help interact with Palo Alto Networks devices (including physical and virtualized Next-generation Firewalls and Panorama). The pan-os-python SDK is object oriented and mimics the traditional interaction with the device via the GUI or CLI/API.
https://pan-os-python.readthedocs.io
ISC License
341 stars 170 forks source link

Unexpected source-hip here error -> While creating a security Policy on Panorama - 9.1.x #364

Open sikulkar opened 3 years ago

sikulkar commented 3 years ago

Describe the bug

While creating security policy on Panorama Panos 9.1.10, we are getting this error message :

SecurityPolicyName -> source-hip unexpected here Traceback (most recent call last): File "/home/site/wwwroot/.python_packages/lib/site-packages/panos/base.py", line 3661, in method super_method(self, *args, **kwargs) File "/home/site/wwwroot/.python_packages/lib/site-packages/pan/xapi.py", line 741, in set self.__type_config('set', query, extra_qs) File "/home/site/wwwroot/.python_packages/lib/site-packages/pan/xapi.py", line 805, in __type_config raise PanXapiError(self.status_detail) pan.xapi.PanXapiError: SecurityPolicyName-> source-hip unexpected here

During handling of the above exception, another exception occurred:

Traceback (most recent call last): File "/home/site/wwwroot/implementation/init.py", line 77, in main new_pano = create_security_policies(preCheckInput,pano) File "/home/site/wwwroot/implementation/init.py", line 240, in create_security_policies raise err File "/home/site/wwwroot/implementation/init.py", line 235, in create_security_policies policy.create() File "/home/site/wwwroot/.python_packages/lib/site-packages/panos/base.py", line 641, in create device.active().xapi.set( File "/home/site/wwwroot/.python_packages/lib/site-packages/panos/base.py", line 3682, in method raise the_exception panos.errors.PanDeviceXapiError: SecurityPolicyName-> source-hip unexpected here

Expected behavior

The security policy should be created without any errors

Current behavior

The security policy doesn't get created and throws the above error

Possible solution

Steps to reproduce

1. 2. 3. 4.

Screenshots

Context

We are unable to proceed ahead building our service to automate creating customer policy requests/tickets

Your Environment

Using Azure Durable Functions - Python 3.9 Panorama & NGFW Version - 9.1.10

welcome-to-palo-alto-networks[bot] commented 3 years ago

:tada: Thanks for opening your first issue here! Welcome to the community!

sikulkar commented 3 years ago

@shinmog : Just wondering if you have any thoughts on this ?

Thought this was similar to this issue - https://github.com/PaloAltoNetworks/pan-os-python/issues/345

Thanks in advance !

sikulkar commented 3 years ago

I did some tests, the issue doesn't seem to happen in the previous version -> pan-os-python version 1.3.0

shinmog commented 3 years ago

I just did a quick test against a 9.1.3 firewall, and pan-os-python is not trying to add source-hip to the XML sent to PAN-OS. It seems to be doing the right thing for me. Here is my repro:

from panos.firewall import Firewall
from panos.policies import Rulebase, SecurityRule

fw = Firewall(.......)
fw.refresh_system_info()

rb = Rulebase()
fw.add(rb)

hip_value = 'foo'
o = SecurityRule('a')
o.source_devices = [hip_value, ]
rb.add(o)

print("{0}".format(hip_value in o.element_str().decode('utf-8')))

This prints False for me.

F1p commented 1 year ago

Performed the same test, returns True for me

Running 1.8.1 and Pan 9.1.10