search

PaloAltoNetworks / pan-os-python

The PAN-OS SDK for Python is a package to help interact with Palo Alto Networks devices (including physical and virtualized Next-generation Firewalls and Panorama). The pan-os-python SDK is object oriented and mimics the traditional interaction with the device via the GUI or CLI/API.
https://pan-os-python.readthedocs.io
ISC License
339 stars 166 forks source link

Objects and Policies returning None for parameter values #517

Closed cbryant42 closed 9 months ago

cbryant42 commented 11 months ago

Describe the bug

When using the about() method on a policy or object, I am getting None values for parameters . We have 2 firewalls I am managing, a PA-3220 and a PA-850, and I observe this behavior on both models. For example, the "negate_source" parameter on one firewall will return "None" and the other firewall will return "False" on a policy or object that is configured the exact same. The firewall model does not seem to be an indicator of this bug, both will do this interchangeably, but the return values are consistent between about() calls. Ie. if I am getting "None" for a particular parameter, I will always get "None".

Is this a bug or intended behavior. Is there a different method I should be using to get the current configuration of policies and objects?

Expected behavior

I would expect to get the same parameter values if the policies/objects are configured the same.

Current behavior

The parameter values for the policy/object are different.

Possible solution

Steps to reproduce

  1. Create an instance of the firewall 1a. Firewall(hostname=host, api_user=api_user, api_key=api_key, vsys='vsys1', is_virtual=False)
  2. Add the rulebase to the firewall and refreshall for the specific policy type (any policy type or object shows this behavior) 2a. rulebase = firewall_object.add(Rulebase()) return rule_type.value.refreshall(rulebase)
  3. Check the policy parameters 3a. for param, value in policy.about():

Screenshots

These are from 2 different firewalls, but looking at a decryption rule that is configured the exact same. image image image image

Context

I am trying to determine if policies and objects are configured the same on both of our firewalls programatically.

Your Environment

welcome-to-palo-alto-networks[bot] commented 11 months ago

:tada: Thanks for opening your first issue here! Welcome to the community!

shinmog commented 9 months ago

Hi @cbryant42,

Short answer: the SDK is behaving correctly, it's PAN-OS itself that is returning different things.

The longer answer is that there are times when something is created there are times when either PAN-OS itself or pan-os-python will force a default value of some sort on a particular parameter. From that point onwards, when you perform a GET against that XPATH, it will return a value. However, if a default is never set for a particular parameter, then it may not ever show up in the returned XML that the PAN-OS XML API returns to the caller. This is exactly what's happening to your one rule which is returning None for the negate_source parameter. However, if you toggle that flag to enable source negation, then untoggle it, now when you do a GET against that rule, the XML returned from PAN-OS will now start including the negate_source data, and it will be False.

To showcase this, I created two fresh security rules, that drop traffic for source 192.168.5.5. At first, I did not configure negate_source for either security rule and this is what PAN-OS returns to me:

In [10]: [x.negate_source for x in policies.SecurityRule.refreshall(base)]
Out[10]: [None, None]

Now, in the UI I enable negate_source for one of the rules and this is what I get next:

In [11]: [x.negate_source for x in policies.SecurityRule.refreshall(base)]
Out[11]: [None, True]

So we see in the above that negate_source is indeed enabled. So far, so good. Now, what happens when I disable negate_source for that rule?

In [12]: [x.negate_source for x in policies.SecurityRule.refreshall(base)]
Out[12]: [None, False]

So instead of going back to None, it's showing as False instead.

This is a quirk of PAN-OS itself and is thus something that pan-os-python cannot change.

Now, let's say you want to go back to the XML API telling you None instead of False, how do you do that? You can force the XML API to zero out that XPATH by using the update function:

In [13]: rules = policies.SecurityRule.refreshall(base)

In [14]: x = rules[1]

In [15]: x.negate_source
Out[15]: False

In [16]: x.negate_source = None

In [18]: x.update('negate_source')

In [19]: [x.negate_source for x in policies.SecurityRule.refreshall(base)]
Out[19]: [None, None]

Hope this helps.

cbryant42 commented 9 months ago

Thank you for the thorough response, it has been quite helpful. I was able to reproduce the behavior you described above. Do you know if a ticket has been opened with Palo Alto? I think I would make the argument that, for consistency, the objects should be initialized with False values instead of None. Either way, thanks again for the response!