Closed cbryant42 closed 9 months ago
:tada: Thanks for opening your first issue here! Welcome to the community!
Hi @cbryant42,
Short answer: the SDK is behaving correctly, it's PAN-OS itself that is returning different things.
The longer answer is that there are times when something is created there are times when either PAN-OS itself or pan-os-python will force a default value of some sort on a particular parameter. From that point onwards, when you perform a GET against that XPATH, it will return a value. However, if a default is never set for a particular parameter, then it may not ever show up in the returned XML that the PAN-OS XML API returns to the caller. This is exactly what's happening to your one rule which is returning None
for the negate_source
parameter. However, if you toggle that flag to enable source negation, then untoggle it, now when you do a GET
against that rule, the XML returned from PAN-OS will now start including the negate_source
data, and it will be False
.
To showcase this, I created two fresh security rules, that drop traffic for source 192.168.5.5. At first, I did not configure negate_source
for either security rule and this is what PAN-OS returns to me:
In [10]: [x.negate_source for x in policies.SecurityRule.refreshall(base)]
Out[10]: [None, None]
Now, in the UI I enable negate_source
for one of the rules and this is what I get next:
In [11]: [x.negate_source for x in policies.SecurityRule.refreshall(base)]
Out[11]: [None, True]
So we see in the above that negate_source
is indeed enabled. So far, so good. Now, what happens when I disable negate_source
for that rule?
In [12]: [x.negate_source for x in policies.SecurityRule.refreshall(base)]
Out[12]: [None, False]
So instead of going back to None
, it's showing as False
instead.
This is a quirk of PAN-OS itself and is thus something that pan-os-python cannot change.
Now, let's say you want to go back to the XML API telling you None
instead of False
, how do you do that? You can force the XML API to zero out that XPATH by using the update
function:
In [13]: rules = policies.SecurityRule.refreshall(base)
In [14]: x = rules[1]
In [15]: x.negate_source
Out[15]: False
In [16]: x.negate_source = None
In [18]: x.update('negate_source')
In [19]: [x.negate_source for x in policies.SecurityRule.refreshall(base)]
Out[19]: [None, None]
Hope this helps.
Thank you for the thorough response, it has been quite helpful. I was able to reproduce the behavior you described above. Do you know if a ticket has been opened with Palo Alto? I think I would make the argument that, for consistency, the objects should be initialized with False values instead of None. Either way, thanks again for the response!
Describe the bug
When using the about() method on a policy or object, I am getting None values for parameters . We have 2 firewalls I am managing, a PA-3220 and a PA-850, and I observe this behavior on both models. For example, the "negate_source" parameter on one firewall will return "None" and the other firewall will return "False" on a policy or object that is configured the exact same. The firewall model does not seem to be an indicator of this bug, both will do this interchangeably, but the return values are consistent between about() calls. Ie. if I am getting "None" for a particular parameter, I will always get "None".
Is this a bug or intended behavior. Is there a different method I should be using to get the current configuration of policies and objects?
Expected behavior
I would expect to get the same parameter values if the policies/objects are configured the same.
Current behavior
The parameter values for the policy/object are different.
Possible solution
Steps to reproduce
Screenshots
These are from 2 different firewalls, but looking at a decryption rule that is configured the exact same.
Context
I am trying to determine if policies and objects are configured the same on both of our firewalls programatically.
Your Environment