PaloAltoNetworks / pan-os-python

The PAN-OS SDK for Python is a package to help interact with Palo Alto Networks devices (including physical and virtualized Next-generation Firewalls and Panorama). The pan-os-python SDK is object oriented and mimics the traditional interaction with the device via the GUI or CLI/API.
https://pan-os-python.readthedocs.io
ISC License

Delete_similar() not working in 10.1.X #510

Open rebelfish opened 1 year ago

rebelfish commented 1 year ago

Describe the bug

A script using .delete_similar() worked against 9.1.X but was recently discovered to not be working against 10.1.7. The script has not changed. Only the PAN-OS upgrade.

Expected behavior

Cycling through a dict of DeviceGroups as keys and a list of SecurityRule objects as the value:

for dg in dictRules:
    dictRules[dg][0].delete_similar()

This would do an atomic delete per Device Group

Current behavior

Traceback (most recent call last):
  File "/Library/Frameworks/Python.framework/Versions/3.10/lib/python3.10/site-packages/panos/base.py", line 3878, in method
    super_method(self, *args, **kwargs)
  File "/Library/Frameworks/Python.framework/Versions/3.10/lib/python3.10/site-packages/pan/xapi.py", line 733, in delete
    self.__type_config('delete', query, extra_qs)
  File "/Library/Frameworks/Python.framework/Versions/3.10/lib/python3.10/site-packages/pan/xapi.py", line 805, in __type_config
    raise PanXapiError(self.status_detail)
pan.xapi.PanXapiError: The request could not be handled

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "<pyshell#54>", line 2, in <module>
    dictDisabled[dg][0].delete_similar()
  File "/Library/Frameworks/Python.framework/Versions/3.10/lib/python3.10/site-packages/panos/base.py", line 1993, in delete_similar
    dev.xapi.delete(
  File "/Library/Frameworks/Python.framework/Versions/3.10/lib/python3.10/site-packages/panos/base.py", line 3899, in method
    raise the_exception
panos.errors.PanDeviceXapiError: The request could not be handled

Possible solution

Steps to reproduce

Screenshots

Context

This is part of an automation script that is used to disable a CSV list of rules, and then, on a designated day of the month, the script is used to delete those rules if they are still disabled.

Your Environment

Tested with multiple versions of lxml, pan-os-python, and pan-python (0.16.0, 0.17.0).

scubar commented 1 year ago

I am seeing this same issue on 10.1.10.

Reverting back to using the standard delete() on each rule still works, albeit it is much slower than using delete_similar().

AnthoBalitrand commented 1 year ago

This is not linked to pan-os-python but to PAN-OS itself. After getting some feedback from the TAC, the bulk delete XML API calls have been removed voluntarily starting 10.X because of some wrong behaviour on some object caches. It seems it has been restored (PAN-179059) on the following releases:

Tested on my side on 10.1.9, and it seems it's still not working... Trying to get more inputs.

scubar commented 1 year ago

I can confirm that .delete_similar() works as expected on 10.2.4-h3.

scubar commented 10 months ago

delete_similar has stopped working again on 10.2.5 and greater in the 10.x.x release train. It also does not work on 11.0.3.

scubar commented 9 months ago

I got this feedback from Palo Alto support.

"The support for XML API requests to delete multiple security policies at one shot by passing the policy names separated by the 'or' operator in the x-path is no longer available."
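The workaround discussed in this thread (fall back to per-rule delete() when the bulk call is rejected), as an added example that is not code from the thread or from pan-os-python. The function name `delete_rule_groups` and the report layout are hypothetical; it assumes each list holds the same-type sibling rules attached to one device group, as in the `dictRules` structure from the original report.

```python
try:
    from panos.errors import PanDeviceXapiError
except ImportError:
    # Stand-in (assumption) so the sample runs without pan-os-python installed.
    class PanDeviceXapiError(Exception):
        pass


def delete_rule_groups(rules_by_group):
    """Delete each group's rules, preferring one bulk call per group.

    rules_by_group maps a device group name to a list of rule objects that
    expose delete_similar(), delete() and .name, as SecurityRule does.
    Returns {group: {"method": "bulk" | "per-rule" | "none", "failed": [names]}}.
    """
    bulk_supported = True  # switched off after the first rejected bulk call
    report = {}
    for group, rules in rules_by_group.items():
        if not rules:
            report[group] = {"method": "none", "failed": []}
            continue
        if bulk_supported:
            try:
                # One XML API delete covering every similar rule in this group.
                rules[0].delete_similar()
                report[group] = {"method": "bulk", "failed": []}
                continue
            except PanDeviceXapiError:
                # e.g. "The request could not be handled" on affected PAN-OS
                # releases; do not retry the bulk call for later groups.
                bulk_supported = False
        failed = []
        for rule in list(rules):
            try:
                rule.delete()  # slower: one API call per rule
            except PanDeviceXapiError:
                failed.append(rule.name)  # keep going, report at the end
        report[group] = {"method": "per-rule", "failed": failed}
    return report
```

Any name listed under "failed" was rejected by the device on the per-rule call as well, so it points to a problem other than the missing bulk-delete support.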