PaloAltoNetworks / pan-os-python

The PAN-OS SDK for Python is a package to help interact with Palo Alto Networks devices (including physical and virtualized Next-generation Firewalls and Panorama). The pan-os-python SDK is object oriented and mimics the traditional interaction with the device via the GUI or CLI/API.
https://pan-os-python.readthedocs.io
ISC License

Issue when using insert command to insert rule into specific index. #516

Closed adi105 closed 1 year ago

adi105 commented 1 year ago

Describe the bug

When using the insert command to insert a rule into a PAN prerulebase, the index is ignored and the rule is inserted at the bottom of the prerulebase.

Expected behavior

When adding a new rule to the prerulebase using insert, i.e. .insert(0, rule), I expect the rule to be added at the top of the rulebase.

Current behavior

When using insert(0,rule), the rule is created on the live Pano device; however, the rule is placed at the bottom of the policy.

Steps to reproduce

Using the following code will reproduce the issue:

Assuming devicegroup "DG1" with an existing prerulebase exists.

    from panos import panorama, policies

    # placeholder connection details for the Panorama device
    pano = panorama.Panorama("HOSTNAME", "USERNAME", "PASSWORD")

    # adding DG information and prerules
    device_group = panorama.DeviceGroup("DG1")
    pano.add(device_group)
    device_group.refresh()
    pre_rulebase = device_group.add(policies.PreRulebase())
    rules = policies.SecurityRule.refreshall(pre_rulebase)

    # create rule
    rule = policies.SecurityRule(
        name="RULE1",
        source="Object1",
        destination="Object2",
        service="service1",
        action="allow",
    )
    # insert was not working and adding to bottom of policy regardless
    newrule = pre_rulebase.insert(0,rule).apply()

Context

I am unsure if the issue is due to a bug with my own code, or if the insert function was not working appropriately.

Your Environment

welcome-to-palo-alto-networks[bot] commented 1 year ago

:tada: Thanks for opening your first issue here! Welcome to the community!

rebelfish commented 1 year ago

I have always used a 2 step process of first creating the rule and then moving it (rule.create()/rule.move()). From what I understand, .insert() does not modify the device but rather the local tree.

adi105 commented 1 year ago

I have discovered the issue is in the way I was using .apply(). Running

    newrule = pre_rulebase.insert(0,rule).apply()

ends up running apply() on the rule itself, not the rulebase. The following code works as I intended:

    newrule = pre_rulebase.insert(0,rule)
    pre_rulebase.apply()