PaloAltoNetworks / pan-os-python

The PAN-OS SDK for Python is a package to help interact with Palo Alto Networks devices (including physical and virtualized Next-generation Firewalls and Panorama). The pan-os-python SDK is object oriented and mimics the traditional interaction with the device via the GUI or CLI/API.
https://pan-os-python.readthedocs.io
ISC License

Search Pano/Palo for specific existing FQDN #457

Open erniedavisAA opened 2 years ago

erniedavisAA commented 2 years ago

Is your feature request related to a problem?

Currently have to retrieve the entire scope of AddressObjects on each device (Pano/Palo FW) which costs time for an inline API request to validate DNS Host record deletion through automation.

Describe the solution you'd like

Extend the current AddressObject API to retrieve a specific object / object type (FQDN specifically).

Pass the device/DG connection to the API call with address object type FQDN and value (not name).

Describe alternatives you've considered

The cost of the entire pull is the issue, as we have to traverse several devices for absolute confirmation... causing an undesired user experience. That we know of, there are no alternatives.

We do have a working model; however, it pulls the entire AddressObject list to search for a specific value.

Additional context

When a user tries to delete a DNS record from our DNS control system, we need to verify that the record is not used in an existing firewall rule... this would cause the rule to break (not function).

welcome-to-palo-alto-networks[bot] commented 2 years ago

:tada: Thanks for opening your first issue here! Welcome to the community!

shinmog commented 2 years ago

Let me confirm I have the details of the ask correct:

You want to figure out if a specific address object already exists or not. However, your match criteria are type=FQDN and value=(VALUE_HERE), not the address object's name, is that right..?

erniedavisAA commented 2 years ago

That is correct.

shinmog commented 2 years ago

If you just want to see if something exists or not, you'll have to use raw XPath to get that answer, but it should be clear that doing it this way you are leaving the safety area that pan-os-python creates for you to protect against versioning changes with PAN-OS itself:

```python
from panos.firewall import Firewall

fw = Firewall(........)  # connection details elided in the original

# Just check vsys1 for FQDN address objects where the value is example.com
fw.xapi.get("/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/address/entry/fqdn[text()='example.com']")

# Check all vsys for a FQDN address object where the value is foobar.net
# (XPath must be absolute, so it starts with a leading slash)
fw.xapi.get("/config/devices/entry[@name='localhost.localdomain']/vsys/entry/address/entry/fqdn[text()='foobar.net']")
```

You'll note that doing it the above way, you get an answer as to whether something exists or not, but you don't know the name of the address object or its location.

If you do not want to leave the guard-railed area of pan-os-python to get the answer, then I think adopting a naming convention where the FQDN translates to the object name could work; then you could look for the existence of a single address object and not have to pull down every single address object to get the answer:

```python
from panos.firewall import Firewall
from panos.objects import AddressObject
from panos.errors import PanObjectMissing

fw = Firewall(........)  # connection details elided in the original

# Check FQDN_example.com
obj = AddressObject("FQDN_example.com")
fw.add(obj)

try:
    # refresh() pulls this one object from the device and raises if it is absent
    obj.refresh()
except PanObjectMissing:
    print("Object doesn't exist")
else:
    # No error, so can create it and other stuff here
    pass
```

But depending on your specific situation, doing a full scan might be necessary and/or the safest thing to do. But I also don't know how much time is spent iterating over address objects pulled down. I also don't know the optimization that you need. Is it the API call to PAN-OS itself that is taking the longest? Or is it iterating over the results? Something else...? Carefully profiling the execution of your system overall will be key in understanding what needs attention / improvement.
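As an added example (not code from the thread or from pan-os-python), the raw-XPath route above can be adjusted to select the whole address `entry` instead of its `fqdn` child, so the response also carries the object name; and because the FQDN originates from a user-driven DNS deletion request, it is syntax-checked before being interpolated into the XPath literal, since XPath 1.0 offers no escaping inside quoted strings. The response-parsing helper assumes the `<result>` body returned by `fw.xapi.get(xpath)` is read back with `fw.xapi.xml_result()` (pan-python's `PanXapi`); the sample response is constructed.

```python
import re
import xml.etree.ElementTree as ET
from typing import List, Optional

# RFC 1123 hostname labels; rejects quotes, spaces and anything else that
# could alter the XPath predicate when the value comes from user input.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_FQDN_RE = re.compile(rf"^(?:{_LABEL}\.)*{_LABEL}\.?$")

FW_BASE = "/config/devices/entry[@name='localhost.localdomain']"


def fqdn_address_xpath(fqdn: str, vsys: Optional[str] = "vsys1") -> str:
    """XPath selecting address-object entries whose <fqdn> equals `fqdn`.

    Selecting <entry> rather than <entry>/<fqdn> means each match in the
    response keeps its name attribute. vsys=None searches every vsys.
    """
    if len(fqdn) > 253 or not _FQDN_RE.match(fqdn):
        raise ValueError(f"not a valid FQDN: {fqdn!r}")
    vsys_step = "vsys/entry" if vsys is None else f"vsys/entry[@name='{vsys}']"
    return f"{FW_BASE}/{vsys_step}/address/entry[fqdn/text()='{fqdn}']"


def matching_object_names(result_xml: str) -> List[str]:
    """Names of the address objects in a config-get <result> body.

    `result_xml` is the string inside <result>, which may hold several
    sibling <entry> elements, so it is wrapped before parsing.
    (Assumed call sequence: fw.xapi.get(xpath); fw.xapi.xml_result())
    """
    root = ET.fromstring(f"<result>{result_xml}</result>")
    return [e.get("name") for e in root.findall("entry")]


# Constructed sample <result> body: two objects both pointing at example.com.
SAMPLE_RESULT = (
    "<entry name='FQDN_example.com'><fqdn>example.com</fqdn></entry>"
    "<entry name='web-ext'><fqdn>example.com</fqdn>"
    "<description>external web</description></entry>"
)

if __name__ == "__main__":
    print(fqdn_address_xpath("example.com"))
    print(matching_object_names(SAMPLE_RESULT))
```

Running the same XPath per vsys (or per Panorama device group, with the appropriate base path) keeps the location known without pulling every address object.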