PaloAltoNetworks / pan-os-python

The PAN-OS SDK for Python is a package to help interact with Palo Alto Networks devices (including physical and virtualized Next-generation Firewalls and Panorama). The pan-os-python SDK is object oriented and mimics the traditional interaction with the device via the GUI or CLI/API.
https://pan-os-python.readthedocs.io
ISC License

support for hip-profiles has been removed in 10.1.5 and 10.2.x, but panos still tries to put the `hip-profiles` in security rules #441

Closed 2ps closed 2 years ago

2ps commented 2 years ago

Describe the bug

When using ansible or the panos python sdk to create security rules, the panos python sdk will add a default element of hip-profiles with the value of Any into the request xml. Such requests will fail on 10.1.5 and 10.2.x because support for the hip-profiles element in security policies has been removed. This breaks all ansible playbooks that manage security policies on newer versions of panos. Yuck!

Expected behavior

Security policies creation or updates should succeed without failure.

Current behavior

Security policy creation and commits fail because of extraneous hip-profiles elements in the request XML.

Possible solution

Modify versioning so that on version 10.1.5 and 10.2.x, hip-profiles elements are not submitted.

Steps to reproduce

  1. Start with a firewall running panos 10.1.5
  2. Try to create any security policy using the panos python sdk
  3. Cry as you realize that you can no longer do so, and find a dark quiet corner in which to be alone with your thoughts.
  4. Grab kleenex to wipe away the tears as you realize that your automation stacks no longer work.

Your Environment

AWS vm-series firewall running PanOS 10.1.5 (we were afraid to upgrade to 10.2.0 because of the whole "you might lose your ip addresses from time-to-time" issue).
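The version gate proposed under "Possible solution" above, sketched as an added example that is not part of the original thread and is not pan-os-python's own code. It uses only the Python standard library; the function names, the sample rule and the single 10.1.5 cutoff are assumptions taken from the report, so releases named only in later comments (such as 10.0.9) are not covered by it.

```python
import re
import xml.etree.ElementTree as ET

# Assumption from the report above: <hip-profiles> is rejected from 10.1.5 on.
HIP_PROFILES_REMOVED_IN = (10, 1, 5)

# Constructed sample rule entry, shaped like the request XML the report describes.
SAMPLE_RULE = (
    '<entry name="allow-web">'
    "<from><member>trust</member></from>"
    "<to><member>untrust</member></to>"
    "<source><member>any</member></source>"
    "<destination><member>any</member></destination>"
    "<hip-profiles><member>any</member></hip-profiles>"
    "<application><member>web-browsing</member></application>"
    "<service><member>application-default</member></service>"
    "<action>allow</action>"
    "</entry>"
)


def parse_panos_version(text):
    """Turn '10.1.5-h1' into (10, 1, 5); the hotfix suffix is ignored."""
    match = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-\w+)?", text.strip())
    if match is None:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    return tuple(int(part) for part in match.groups())


def accepts_hip_profiles(version_text):
    """True when the target release still accepts <hip-profiles> in a rule."""
    return parse_panos_version(version_text) < HIP_PROFILES_REMOVED_IN


def rule_xml_for(version_text, rule_xml):
    """Return the rule XML with <hip-profiles> dropped for releases that reject it."""
    entry = ET.fromstring(rule_xml)
    if not accepts_hip_profiles(version_text):
        for element in entry.findall("hip-profiles"):
            entry.remove(element)
    return ET.tostring(entry, encoding="unicode")


if __name__ == "__main__":
    for version in ("10.1.4", "10.1.5-h1", "10.2.0"):
        kept = "hip-profiles" in rule_xml_for(version, SAMPLE_RULE)
        print(f"{version}: hip-profiles {'kept' if kept else 'omitted'}")
```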

welcome-to-palo-alto-networks[bot] commented 2 years ago

:tada: Thanks for opening your first issue here! Welcome to the community!

chasingmonkeys commented 2 years ago

PAN-OS 10.1.5-h1 pan-os-python 1.7.1

Expected: source-hip or destination-hip

Observed: hip-profiles

Msg: hip-profiles unexpected here

shinmog commented 2 years ago

This is fixed in 1.7.2

mvfcva commented 2 years ago

Patch in SDK 1.7.2 fixes the issue for PAN-OS 10.1.5+. Same issue is also affecting PAN-OS 10.0.9, can you please also apply the same patch to that release?

niket-shah-zocdoc commented 1 year ago

Hi, the above issue was also observed on 11.0.2. How can we go ahead for resolution?

pengw00 commented 7 months ago

> Patch in SDK 1.7.2 fixes the issue for PAN-OS 10.1.5+. Same issue is also affecting PAN-OS 10.0.9, can you please also apply the same patch to that release?

How can I do a patch in SDK 1.7.2? Do I have to replace the SDK version?