PaloAltoNetworks / pan-os-python

The PAN-OS SDK for Python is a package to help interact with Palo Alto Networks devices (including physical and virtualized Next-generation Firewalls and Panorama). The pan-os-python SDK is object oriented and mimics the traditional interaction with the device via the GUI or CLI/API.
https://pan-os-python.readthedocs.io
ISC License
340 stars 168 forks

Pulling device group security rules while taking into account inheritance from parent device groups #462

Open vladola opened 2 years ago

vladola commented 2 years ago

Hello!

I have the following use case: I need to pull ALL the rules for a specific device group in Panorama. When I say "all" I mean also the rules inherited by the parents of this device group (the shared dg & all the rest). At the moment it seems that the SDK allows me to pull either the shared rules or a specific device group rules, but there is no way to pull ALL the rules (both of that device group and inherited) with an API call.

What I am doing at the moment is very tiresome and time-consuming:

  1. Pull all shared rules and all device group rules
  2. Pull inheritance data of each device group by checking the hierarchy_info attribute, so I know where this device group stands in the hierarchy
  3. For every single rule, pull the target firewalls in case it's not any
  4. Combine all the above into a tree that I can traverse
  5. Implement the rule matching & inheritance mechanism to determine which rules will be inherited by each device group and in what order

The above is even harder since I don't see a way to get a rule's index (the number to the left you see in the Panorama GUI), so I have to hope that the order in the list that the SDK gets back is also the order in which the rules will be applied.

Maybe there's an easy way to do this but I haven't found it, and yet this functionality seems to be very core to what the SDK should do, as I'm not sure who would only want to know about firewall rules defined ONLY in a specific device group. One usually needs to know ALL rules that will apply to a device group, inherited or native.

I'm basically looking for a way to replicate what I already see in the Panorama GUI. Whenever I check out a device group, I see in background-yellow all the inherited rules and where they come from. It would be great to be able to get this with a method call.

Thanks!
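The five-step procedure described in the issue (collect shared and device group rules, walk the hierarchy, honour per-rule targets, merge into one ordered view) can be implemented on top of whatever the SDK returns. The following is an added example, not code from pan-os-python or from the issue author: it runs on constructed data, and the `Rule` shape, the `PARENTS` map, and the assumption that these would be populated from `DeviceGroup`/`SecurityRule` objects fetched via the SDK are all assumptions. The ordering it applies is the one Panorama documents for evaluation: pre-rules from shared first, then each ancestor top-down, then the device group's own pre-rules; post-rules in the reverse direction with shared last. Numbering the combined list 1..n mirrors the index column in the GUI, which the SDK does not expose (assumption that the combined order matches the GUI view).

```python
"""Resolve the effective security rules of a Panorama device group,
including rules inherited from ancestor device groups and 'shared'.

Added example; not part of pan-os-python. All data below is constructed
inline. In real use you would fill PARENTS and RULES from the SDK
(assumption about how the objects would be mapped)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

SHARED = "shared"


@dataclass(frozen=True)
class Rule:
    name: str
    rulebase: str                          # "pre" or "post"
    origin: str                            # device group (or "shared") defining the rule
    target: FrozenSet[str] = frozenset()   # firewall serials; empty means "any"


# Constructed hierarchy: child -> parent. 'shared' is the root and has no parent.
PARENTS: Dict[str, Optional[str]] = {SHARED: None, "europe": SHARED, "branch": "europe"}

# Constructed rules, listed in the order each rulebase holds them.
RULES: List[Rule] = [
    Rule("block-malware", "pre", SHARED),
    Rule("default-deny", "post", SHARED),
    Rule("allow-dns", "pre", "europe"),
    Rule("log-all", "post", "europe"),
    Rule("allow-web", "pre", "branch", frozenset({"001"})),   # targeted at one firewall
    Rule("deny-all-branch", "post", "branch"),
]


def ancestry(dg: str, parents: Dict[str, Optional[str]]) -> List[str]:
    """Chain from the root ('shared') down to dg; raises on a hierarchy loop."""
    chain: List[str] = []
    node: Optional[str] = dg
    while node is not None:
        if node in chain:
            raise ValueError(f"device group hierarchy loop at {node!r}")
        chain.append(node)
        node = parents.get(node)       # unknown device group: treated as a root
    if chain[-1] != SHARED:
        chain.append(SHARED)           # every device group inherits from shared
    chain.reverse()
    return chain


def effective_rules(dg: str, parents: Dict[str, Optional[str]],
                    rules: List[Rule], serial: Optional[str] = None) -> List[dict]:
    """Return the ordered, effective rule view for dg, like the Panorama GUI.

    If serial is given, rules targeted at other firewalls are dropped.
    Each row carries its 1-based index and whether it is inherited."""
    chain = ancestry(dg, parents)

    # Group rules by (origin, rulebase), preserving their listed order.
    by_origin: Dict[tuple, List[Rule]] = {}
    for r in rules:
        by_origin.setdefault((r.origin, r.rulebase), []).append(r)

    ordered: List[Rule] = []
    # Pre-rules: shared first, then each ancestor top-down, then dg itself.
    for origin in chain:
        ordered.extend(by_origin.get((origin, "pre"), []))
    # Post-rules: dg first, then ancestors bottom-up, shared last.
    for origin in reversed(chain):
        ordered.extend(by_origin.get((origin, "post"), []))

    rows: List[dict] = []
    for r in ordered:
        if r.target and serial is not None and serial not in r.target:
            continue                   # targeted at other firewalls only
        rows.append({
            "index": len(rows) + 1,
            "name": r.name,
            "rulebase": r.rulebase,
            "origin": r.origin,
            "inherited": r.origin != dg,   # what the GUI shades yellow
        })
    return rows


if __name__ == "__main__":
    for row in effective_rules("branch", PARENTS, RULES):
        flag = "inherited from " + row["origin"] if row["inherited"] else "local"
        print(f'{row["index"]:>2} {row["rulebase"]:<4} {row["name"]:<16} {flag}')
```

Passing a firewall serial reproduces the per-device view: a rule whose target list names other firewalls is skipped, while rules with an empty target (any) always apply. The loop guard in `ancestry` matters when the hierarchy comes from an untrusted or partially refreshed source, since a malformed parent map would otherwise hang the resolver.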

welcome-to-palo-alto-networks[bot] commented 2 years ago

:tada: Thanks for opening your first issue here! Welcome to the community!

Hanyang-Luo commented 1 week ago

I am facing the same issue and would love to get some help on this