PaloAltoNetworks / pan-os-python

The PAN-OS SDK for Python is a package to help interact with Palo Alto Networks devices (including physical and virtualized Next-generation Firewalls and Panorama). The pan-os-python SDK is object oriented and mimics the traditional interaction with the device via the GUI or CLI/API.
https://pan-os-python.readthedocs.io
ISC License

add support for hit count in Panorama Object #388

Closed devbollinger closed 2 years ago

devbollinger commented 2 years ago

Is your feature request related to a problem?

I would like to gather hit_count for security rules from Panorama. I've seen this feature implemented with the Firewall object and I was wondering if we could do the same for the Panorama object. Unless I missed something, it seems that there is nothing similar for Panorama.

Describe the solution you'd like

Something similar to this commit: https://github.com/PaloAltoNetworks/pan-os-python/commit/7a2e95b3746faeb386c58dedbb40b71d81a5cff0

Describe alternatives you've considered

I could pass an XML to Panorama.op but I would rather work with objects.

I see a panos.policies.RulebaseOpState nested in the SecurityRule response and I am trying to leverage this with no success. I want to be able to retrieve security rules and their associated hit_count. If a process already exists, please let me know how to do it.

welcome-to-palo-alto-networks[bot] commented 2 years ago

:tada: Thanks for opening your first issue here! Welcome to the community!

shinmog commented 2 years ago

This is present already, docs need to be clarified about opstate stuff. Say you want hit count info for all pre-rulebase security rules in device group "myDg":

```python
from panos.panorama import Panorama, DeviceGroup
from panos.policies import PreRulebase, SecurityRule

pano = Panorama(....)

dg = DeviceGroup("myDg")
pano.add(dg)

base = PreRulebase()
dg.add(base)

info = dg.opstate.hit_count.refresh("security", all_rules=True)
```

If you just want hit count info for a specific rule, then use the opstate.hit_count on the object of that specific rule.

devbollinger commented 2 years ago

Hello @shinmog
So I tried your code and I got an exception:

```
  File "api.py", line 19, in <module>
    info = device_group.opstate.hit_count.refresh("security", all_rules=True)
AttributeError: 'DeviceGroupOpState' object has no attribute 'hit_count'
```

Here is my full code:

```python
from panos.panorama import Panorama, DeviceGroup
from panos.policies import PostRulebase

pan = Panorama("hostname", "username", "pwd")

device_group = DeviceGroup("device group")
pan.add(device_group)

post_rule = PostRulebase()
device_group.add(post_rule)

# Raises AttributeError: DeviceGroupOpState has no hit_count attribute
info = device_group.opstate.hit_count.refresh("security", all_rules=True)
```

using pan-os-python==1.6.0

shinmog commented 2 years ago

My bad. Looks like device groups don't have a hit count op state; individual rules do, and the rulebases do (policies.PreRulebase, policies.Rulebase, policies.PostRulebase).

AnthoBalitrand commented 2 years ago

Same here, would really help to be able to get hit counts for rules from Panorama. Actually only managed to do that by grabbing it from each Firewall individually (with direct connection, not working when connecting via Panorama)

rebelfish commented 2 years ago

I tried the following and received an error:

```python
from panos.panorama import Panorama, DeviceGroup
from panos.policies import PreRulebase

# hn, un, pw: hostname, username and password of the Panorama
pano = Panorama(hn, un, pw)
dg = pano.add(DeviceGroup('myDG'))
rb = dg.add(PreRulebase())
hc = rb.opstate.hit_count.refresh("security", all_rules=True)
```

```
Traceback (most recent call last):
  File "...\Python\Python39\site-packages\panos\base.py", line 3661, in method
    super_method(self, *args, **kwargs)
  File "...\Python\Python39\site-packages\pan\xapi.py", line 951, in op
    self.__type_op(cmd, vsys, extra_qs)
  File "...\Python\Python39\site-packages\pan\xapi.py", line 974, in __type_op
    raise PanXapiError(self.status_detail)
pan.xapi.PanXapiError:  show -> rule-hit-count -> vsys unexpected here
 show -> rule-hit-count  is unexpected 
 show  is unexpected 

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "<pyshell#14>", line 1, in <module>
    hc = rb.opstate.hit_count.refresh("security", all_rules=True)
  File "...\Python\Python39\site-packages\panos\policies.py", line 1020, in refresh
    res = dev.op(ET.tostring(cmd, encoding="utf-8"), cmd_xml=False)
  File "...\Python\Python39\site-packages\panos\panorama.py", line 441, in op
    return super(Panorama, self).op(
  File "...\Python\Python39\site-packages\panos\base.py", line 3822, in op
    element = self.xapi.op(
  File "...\Python\Python39\site-packages\panos\base.py", line 3682, in method
    raise the_exception
panos.errors.PanDeviceXapiError:  show -> rule-hit-count -> vsys unexpected here
 show -> rule-hit-count  is unexpected 
 show  is unexpected 
```

github-actions[bot] commented 2 years ago

:tada: This issue has been resolved in version 1.7.0 :tada:

The release is available on PyPI and GitHub release

Posted by semantic-release bot

ajmartins commented 2 years ago

Hi @shinmog, just following up on this. It appears I'm unable to get the hitcounts (updated version to 1.7.2).

I tried the following but it returns an empty dictionary:

```python
from panos.panorama import Panorama, DeviceGroup
from panos.policies import PostRulebase, SecurityRule

us = "xxx"
pw = "xxx"
hn = "xxx"
pano = Panorama(hostname=hn, api_username=us, api_password=pw)

dg = DeviceGroup("my-DG")
pano.add(dg)

rb = PostRulebase()
pano.add(rb)

hc = rb.opstate.hit_count.refresh("security", all_rules=True)
print(hc.items())
```

AnthoBalitrand commented 2 years ago

@ajmartins replace the following:

```python
pano.add(rb)
```

by

```python
dg.add(rb)
```

And it should help.

However, please note that you'll get the "rule_creation_timestamp" and "rule_modification_timestamp", but not the "hit_count", "last_hit_timestamp", or "last_reset_timestamp", as those are not tracked by Panorama. You need to connect directly to the appliance (using a Firewall() instance) to get it.
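
Added example (not part of the thread and not pan-os-python project code): the per-firewall approach described in the comment above, with hit counts merged across firewalls to list security rules that never matched, which are the usual candidates for policy cleanup. The helper names and the sample data are hypothetical; a `hit_count` of `None` (what the comment reports for results fetched through Panorama) is treated as unknown rather than zero.

```python
from collections import defaultdict
from types import SimpleNamespace


def fetch_hit_counts(hostname, username, password):
    """Connect directly to one firewall; return {rule_name: HitCount}."""
    # Imported lazily so unused_rules() works without pan-os-python installed.
    from panos.firewall import Firewall
    from panos.policies import Rulebase

    fw = Firewall(hostname, username, password)
    rulebase = fw.add(Rulebase())
    return rulebase.opstate.hit_count.refresh("security", all_rules=True)


def unused_rules(per_firewall):
    """Return sorted names of rules with zero hits on every firewall.

    per_firewall maps a firewall label to the dict returned by refresh().
    A rule whose hit_count is None on any firewall is unknown, not unused.
    """
    totals = defaultdict(int)
    unknown = set()
    for counts in per_firewall.values():
        for name, hc in counts.items():
            if hc.hit_count is None:
                unknown.add(name)
            else:
                totals[name] += int(hc.hit_count)
    return sorted(n for n, t in totals.items() if t == 0 and n not in unknown)


# Constructed sample standing in for refresh() results from two firewalls.
SAMPLE = {
    "fw-a": {
        "allow-dns": SimpleNamespace(hit_count=1200),
        "legacy-ftp": SimpleNamespace(hit_count=0),
        "temp-vendor": SimpleNamespace(hit_count=0),
    },
    "fw-b": {
        "allow-dns": SimpleNamespace(hit_count=0),
        "legacy-ftp": SimpleNamespace(hit_count=0),
        "temp-vendor": SimpleNamespace(hit_count=None),  # counter not reported
    },
}

if __name__ == "__main__":
    print(unused_rules(SAMPLE))
```

In real use, build `per_firewall` by calling `fetch_hit_counts()` once per managed firewall.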

kevinhuy commented 1 year ago

hello @AnthoBalitrand

The hit count seems to be tracked in rule usage in Panorama.
When you click on "used", it will show the hit count by firewall.


Wyko commented 12 months ago

Any update on this? It's clearly possible to see hit counts via Panorama. If you log into it via CLI, and run this command, you can see the same data: `show rule-hit-count device-group eagn.... post-rulebase security rules rule-name "MD..."`

But there isn't an obvious way to get this data via the API.