PaloAltoNetworks / pan-os-python

The PAN-OS SDK for Python is a package to help interact with Palo Alto Networks devices (including physical and virtualized Next-generation Firewalls and Panorama). The pan-os-python SDK is object oriented and mimics the traditional interaction with the device via the GUI or CLI/API.
https://pan-os-python.readthedocs.io
ISC License

Implement the "exclude" parameter in the panos.objects.ApplicationFilter class #491

Open nikolay-matveev-kkr opened 1 year ago

nikolay-matveev-kkr commented 1 year ago

Is your feature request related to a problem?

When creating Application Filter objects with the "panos.objects.ApplicationFilter" class, it's currently impossible to exclude individual applications from the filter. At the same time, the XML API does have support for this feature (see the path "/config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='<device_group_name>']/application-filter/entry[@name='<application_filter_name>']/exclude" on Panorama).

The feature is handy when there is a need to exclude an application from a filter which is otherwise impossible to do by just modifying filter selection criteria.

Describe the solution you'd like

Implement the "exclude" parameter that would take a list of application names that need to be excluded from the filter being created.

Describe alternatives you've considered

The only alternative I can think of is to modify the created filter with a direct XML API call.

Additional context

Say you create a filter for the subcategory "internet-utility": you may want to allow pretty much all of the apps in there, but you want to exclude "web-browsing" because you'd normally want to treat it differently. Or, say, you want to block all apps from the "encrypted-tunnel" subcategory with an application filter, and yet you want to make an exception for "ssh" and "SSL" further below in the security policy - after the App Filter-based deny rule. The class in the SDK does not make this possible, unfortunately.
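A sketch of the direct XML API workaround mentioned in the issue, added here as an example; it is not code from the issue author or from pan-os-python. It builds the XPath quoted above and an `<exclude>` payload. The `<member>` list layout, the name check, and the device group and filter names are assumptions of this example.

```python
import re
import xml.etree.ElementTree as ET

# Conservative name check (an assumption of this example, not the PAN-OS rule):
# rejecting quotes and brackets keeps a name from changing the XPath.
_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9 ._-]{0,62}")


def _checked(name):
    if not _NAME.fullmatch(name):
        raise ValueError(f"unsafe object name: {name!r}")
    return name


def exclude_xpath(device_group, app_filter):
    """XPath of the filter's exclude node on Panorama, as quoted in the issue."""
    return (
        "/config/devices/entry[@name='localhost.localdomain']"
        f"/device-group/entry[@name='{_checked(device_group)}']"
        f"/application-filter/entry[@name='{_checked(app_filter)}']/exclude"
    )


def exclude_element(apps):
    """<exclude> payload; the <member> list layout is assumed."""
    if not apps:
        raise ValueError("no applications to exclude")
    root = ET.Element("exclude")
    for app in sorted(set(apps)):
        ET.SubElement(root, "member").text = _checked(app)
    return ET.tostring(root, encoding="unicode")


def build_exclude_request(device_group, app_filter, apps):
    """(xpath, element) pair for a config 'edit' call."""
    return exclude_xpath(device_group, app_filter), exclude_element(apps)


if __name__ == "__main__":
    # Constructed names; "ssh" and "ssl" follow the issue's encrypted-tunnel case.
    xpath, element = build_exclude_request("dg-branch", "block-tunnels", ["ssh", "ssl"])
    print(xpath)
    print(element)
    # With a connected panos.panorama.Panorama object `pano` (not created here):
    # pano.xapi.edit(xpath=xpath, element=element)
```

An `edit` replaces the whole node at the XPath, so the list passed in must contain every application that should stay excluded, not only the new ones.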