PaloAltoNetworks / pan-os-python

The PAN-OS SDK for Python is a package to help interact with Palo Alto Networks devices (including physical and virtualized Next-generation Firewalls and Panorama). The pan-os-python SDK is object oriented and mimics the traditional interaction with the device via the GUI or CLI/API.
https://pan-os-python.readthedocs.io
ISC License

vsys attribute returns Device Group #484

Open cdot65 opened 1 year ago

cdot65 commented 1 year ago

Describe the bug

Unable to receive the vsys of a SecurityRule, device group is being returned.

Expected behavior

rules = SecurityRule.refreshall(rb)
rule = rules[0]
rule.vsys
'policy-targetted-vsys-name-here'

Current behavior

rules = SecurityRule.refreshall(rb)
rule = rules[0]
rule.vsys
'policy-targetted-device-group-name-here'

It does not look like vsys is a captured value.

pprint.pprint(vars(rule))
{'_params': (<VersionedParamPath fromzone=['any'] default=['any'] 0x7ff31e8d66a0>,
             <VersionedParamPath tozone=['any'] default=['any'] 0x7ff31e8d6430>,
             <VersionedParamPath source=['TEST_DMZ'] default=['any'] 0x7ff31e8d6640>,
             <VersionedParamPath source_user=['any'] default=['any'] 0x7ff31e8d67f0>,
             <VersionedParamPath hip_profiles=None default=['any'] 0x7ff31e8d66d0>,
             <VersionedParamPath destination=['TEST_K8S'] default=['any'] 0x7ff31e8d65b0>,
             <VersionedParamPath application=['any'] default=['any'] 0x7ff31e8d6220>,
             <VersionedParamPath service=['K8S_OVERLAY'] default=application-default 0x7ff31e8d63a0>,
             <VersionedParamPath category=['any'] default=['any'] 0x7ff31e8d6d00>,
             <VersionedParamPath action=allow default=None 0x7ff31e8d6d60>,
             <VersionedParamPath log_setting=None default=None 0x7ff31e8d62e0>,
             <VersionedParamPath log_start=None default=None 0x7ff31e8d6820>,
             <VersionedParamPath log_end=None default=None 0x7ff31e8d6880>,
             <VersionedParamPath description=Test rule to allow traffic towards k8s cluster default=None 0x7ff31e8d6280>,
             <VersionedParamPath type=universal default=universal 0x7ff31e8d6970>,
             <VersionedParamPath tag=None default=None 0x7ff31e8d6dc0>,
             <VersionedParamPath negate_source=None default=None 0x7ff31e8d6550>,
             <VersionedParamPath negate_destination=None default=None 0x7ff31e8d61f0>,
             <VersionedParamPath disabled=None default=None 0x7ff31e8d6ca0>,
             <VersionedParamPath schedule=None default=None 0x7ff31e8d60d0>,
             <VersionedParamPath icmp_unreachable=None default=None 0x7ff31e8d65e0>,
             <VersionedParamPath disable_server_response_inspection=None default=None 0x7ff31e8d6760>,
             <VersionedParamPath group=None default=None 0x7ff31e8d6070>,
             <VersionedParamPath negate_target=False default=None 0x7ff31e8d6100>,
             <VersionedParamPath target=['123456789011', '123456789012'] default=None 0x7ff31e8d68e0>,
             <VersionedParamPath virus=None default=None 0x7ff31e8d6400>,
             <VersionedParamPath spyware=None default=None 0x7ff31e8d6460>,
             <VersionedParamPath vulnerability=None default=None 0x7ff31e8d68b0>,
             <VersionedParamPath url_filtering=None default=None 0x7ff31e8d6c40>,
             <VersionedParamPath file_blocking=None default=None 0x7ff31e8d6a60>,
             <VersionedParamPath wildfire_analysis=None default=None 0x7ff31e8d6b80>,
             <VersionedParamPath data_filtering=None default=None 0x7ff31e8d6b20>,
             <VersionedParamPath uuid=12345678-1234-1234-1234-123456789011 default=None 0x7ff31e8d6a00>,
             <VersionedParamPath source_devices=['any'] default=['any'] 0x7ff31e8c4df0>,
             <VersionedParamPath destination_devices=['any'] default=['any'] 0x7ff31e8c44c0>,
             <VersionedParamPath group_tag=None default=None 0x7ff31e8c4730>),
'_stubs': <panos.base.VersionedStubs object at 0x7ff31e8d62b0>,
'_xpaths': <panos.base.ParentAwareXpath object at 0x7ff31e8d6df0>,
'children': [],
'name': 'Test rule to allow traffic towards k8s cluster',
'opstate': <panos.base.OpStateContainer object at 0x7ff31e8c4550>,

Possible solution

Targeting a vsys is a common need for customers with multi-vsys systems, so there is an expectation that the vsys attribute will return the appropriate value.

vsys information is presented within the REST API for the SecurityPostRules, but it requires an additional query.

/restapi/v10.1/Policies/SecurityPostRules?location=device-group&device-group=production&name=Test%20rule%20to%20allow%20traffic%20towards%20k8s%20cluster

{
  "@status": "success",
  "@code": "19",
  "result": {
    "@total-count": "1",
    "@count": "1",
    "entry": [
      {
        "@name": "Test rule to allow traffic towards k8s cluster",
...
        "target": {
          "devices": {
            "entry": [
              {
                "@name": "123456789011",
                "vsys": {
                  "entry": [
                    {
                      "@name": "vsys5"
                    }
                  ]
                }
              },
              {
                "@name": "123456789012",
                "vsys": {
                  "entry": [
                    {
                      "@name": "vsys5"
                    }
                  ]
                }
              }
            ]
          },
          "negate": "no"
        }
      }
    ]
  }
}

This requires making an API call to "/restapi/v10.1/Device/VirtualSystems?location=template&template=Production" and capturing the indexed fifth entry to reveal the assigned vsys.

This gives hope that the data can be captured from the XML API and could be presented through asking for the vsys attribute of a policy rule object.

Steps to reproduce

  1. run the following within the repl
from panos.panorama import Panorama, DeviceGroup
from panos.policies import PostRulebase, SecurityRule

pano = Panorama("panorama", "username", "password")
dg = DeviceGroup("production")
rb = PostRulebase()
pano.add(dg)
dg.add(rb)

rules = SecurityRule.refreshall(rb)
rules[0].name
rule = rules[0]
rule.vsys

Screenshots


Context

Using diffsync library with Nautobot, this enables a workflow where security policies are defined within Nautobot's database and synced to Panorama through the pan-os-python SDK.

Your Environment

welcome-to-palo-alto-networks[bot] commented 1 year ago

:tada: Thanks for opening your first issue here! Welcome to the community!
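
As an added example (not code from the issue or from pan-os-python), the SecurityPostRules REST response quoted in the issue can be reduced to a per-rule map of targeted device serials and their vsys names, which is the value the reporter expected from `rule.vsys`. The names `rule_targets`, `_entries` and the second, untargeted rule in the sample are hypothetical; treating `"yes"` as the negated value and tolerating a single-object `entry` are assumptions.

```python
import json

# Constructed sample: the REST response quoted in the issue, with the
# elided rule fields left out and one untargeted rule added for contrast.
SAMPLE_RESPONSE = json.loads("""
{"@status": "success", "result": {"entry": [
  {"@name": "Test rule to allow traffic towards k8s cluster",
   "target": {
     "devices": {"entry": [
       {"@name": "123456789011", "vsys": {"entry": [{"@name": "vsys5"}]}},
       {"@name": "123456789012", "vsys": {"entry": [{"@name": "vsys5"}]}}]},
     "negate": "no"}},
  {"@name": "constructed-untargeted-rule"}
]}}
""")


def _entries(node):
    """Return node["entry"] as a list; tolerate a missing node or a single dict."""
    entry = (node or {}).get("entry", [])
    return entry if isinstance(entry, list) else [entry]


def rule_targets(response):
    """Map rule name -> {"negate": bool, "devices": {serial: [vsys, ...]}}.

    An empty vsys list means the device entry has no vsys element;
    an empty devices dict means the rule carries no target at all.
    """
    if response.get("@status") != "success":
        raise ValueError("REST call did not succeed: %r" % response.get("@status"))
    out = {}
    for rule in _entries(response.get("result")):
        target = rule.get("target") or {}
        devices = {
            dev["@name"]: [v["@name"] for v in _entries(dev.get("vsys"))]
            for dev in _entries(target.get("devices"))
        }
        # Assumption: the API reports a negated target as the string "yes".
        out[rule["@name"]] = {"negate": target.get("negate") == "yes", "devices": devices}
    return out


if __name__ == "__main__":
    for name, info in rule_targets(SAMPLE_RESPONSE).items():
        print(name, info)
```
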