search

PaloAltoNetworks / pan-os-python

The PAN-OS SDK for Python is a package to help interact with Palo Alto Networks devices (including physical and virtualized Next-generation Firewalls and Panorama). The pan-os-python SDK is object oriented and mimics the traditional interaction with the device via the GUI or CLI/API.
https://pan-os-python.readthedocs.io
ISC License
340 stars 168 forks source link

Commit Lock / Configuration Lock not documented #495

Open numberstwo opened 1 year ago

numberstwo commented 1 year ago

Documentation link

https://pan-os-python.readthedocs.io/en/latest/search.html?q=lock&check_keywords=yes&area=default#

Describe the problem

The pan-os-python code includes Configuration Lock and Commit Lock features, however I cannot find any documentation on them. I am not sure if this is just documentation not being up to date, or there is some other reason (i.e. features not working across different PAN-OS versions or something like that)?

Suggested fix

Add documentation regarding the Configuration Lock and Commit Lock features.

welcome-to-palo-alto-networks[bot] commented 1 year ago

:tada: Thanks for opening your first issue here! Welcome to the community!

joepitt91 commented 8 months ago

I cannot work out how to check for locks either.

This seems like it should work:

config = ConfigParser()
config.read("config.ini")

firewall = Firewall(
    config.get("default", "hostname"),
    api_username=config.get("default", "username", fallback="admin"),
    api_password=config.get("default", "password"),
    vsys=config.get("default", "vsys", fallback="vsys1"),
)

firewall.refresh_system_info()
print(
    "Connected to {} a {} (Serial: {}) running PanOS v{}".format(
        firewall.hostname, firewall.platform, firewall.serial, firewall.version
    )
)

if firewall.check_commit_locks() or firewall.check_config_locks():
    print("lock in place - will not continue")
    exit()

But instead it gives:

Traceback (most recent call last):
  File "C:\path\to\venv\Lib\site-packages\panos\base.py", line 3878, in method
    super_method(self, *args, **kwargs)
  File "C:\path\to\venv\Lib\site-packages\pan\xapi.py", line 951, in op
    self.__type_op(cmd, vsys, extra_qs)
  File "C:\path\to\venv\Lib\site-packages\pan\xapi.py", line 974, in __type_op
    raise PanXapiError(self.status_detail)
pan.xapi.PanXapiError: Failed to list config locks. vsys not provided

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "C:\path\to\script.py", line 261, in <module>
    if firewall.check_commit_locks() or firewall.check_config_locks():
       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\path\to\venv\Lib\site-packages\panos\base.py", line 4495, in check_commit_locks
    self.xapi.op("show commit-locks", cmd_xml=True, retry_on_peer=retry_on_peer)
  File "C:\path\to\venv\Lib\site-packages\panos\base.py", line 3899, in method
    raise the_exception
panos.errors.PanDeviceXapiError: Failed to list config locks. vsys not provided

and changing my test to:

if firewall.commit_locked or firewall.config_locked:
    print("lock in place - will not continue")
    exit()

Fails to detect active config and commit locks.

Any pointers on how to detect active locks would be really useful.