search

PaloAltoNetworks / pan-os-python

The PAN-OS SDK for Python is a package to help interact with Palo Alto Networks devices (including physical and virtualized Next-generation Firewalls and Panorama). The pan-os-python SDK is object oriented and mimics the traditional interaction with the device via the GUI or CLI/API.
https://pan-os-python.readthedocs.io
ISC License
339 stars 166 forks source link

Log forwarding profile cannot be specified on decryption rules #524

Open nikolay-matveev-kkr opened 10 months ago

nikolay-matveev-kkr commented 10 months ago

Describe the bug

panos.policies.DecryptionRule class has forwarding_profile parameter to specify a Log Forwarding Profile however it does not work.

Expected behavior

When a string with log forwarding profile name is specified as a value of this paramater the resultant decryption rule should be created with the specified profile.

Current behavior

I am getting the error "panos.errors.PanDeviceXapiError: pre-rulebase -> decryption -> rules -> [my rule name] -> forwarding-profile unexpected here".

Possible solution

Steps to reproduce

Create a decryption rule referencing a log forwarding profile. My script goes along these lines:

...
new_ruleset.append(panos.policies.DecryptionRule(name='default-decryption',
                                                     source_users='any',  source_zones=['INSIDE'], source_addresses='any',
                                                     destination_zones=['INET'], destination_addresses='any', services='service-https',
                                                     url_categories=['any'],
                                                     forwarding_profile='default',
                                                     log_failed_tls_handshakes=True,
                                                     action='decrypt', decryption_type='ssl-forward-proxy', decryption_profile='default-profile')) 
...
...
rulebase_post.apply()

Screenshots

image

Context

Currently the log forwarding profile has to be specified manually, after the policy has been created by the script.

Your Environment

This is on Panorama PAN-OS 10.2.5 and SDK version 1.11.0. The same behaviour was observed on 10.1. and 9.1. and previous versions of the SDK. Python 3.9 on Windows 10.