PaloAltoNetworks / pan-os-python

The PAN-OS SDK for Python is a package to help interact with Palo Alto Networks devices (including physical and virtualized Next-generation Firewalls and Panorama). The pan-os-python SDK is object oriented and mimics the traditional interaction with the device via the GUI or CLI/API.
https://pan-os-python.readthedocs.io
ISC License

Panorama set_ha_peers() method not working #531

Open vsurresh opened 11 months ago

vsurresh commented 11 months ago

Describe the bug

https://pan-os-python.readthedocs.io/en/latest/howto.html > High Availability Pairs. As per this guide, I can use the set_ha_peers() method directly on the firewalls and push the configs to the currently active device. However, if I use it with Panorama, it doesn't work.

Expected behavior

My understanding is that the method could also work with Panorama.

Current behavior

Just using this code as an example, I'm getting the below error (same issue on Python 3.9 or 3.11):

from panos.panorama import DeviceGroup, Panorama
from panos.policies import PreRulebase, SecurityRule

# Register the second Panorama as the HA peer, then detect which one is active
panorama_object = Panorama('panorama-1', 'username', 'password')
panorama_object.set_ha_peers(Panorama('panorama-2', 'username', 'password'))
panorama_object.refresh_ha_active()

# Build the object tree: Panorama -> device group -> pre-rulebase -> rule
dg_object = DeviceGroup("office")
panorama_object.add(dg_object)

rules_object = dg_object.add(PreRulebase())
new_rule_object = SecurityRule(
    name='Allow DNS',
    fromzone=['any'],
    tozone=['any'],
    source=['any'],
    destination=['8.8.8.8'],
    application=['dns'],
    service=['application-default'],
    action='allow'
)

rules_object.add(new_rule_object)
# Push the rule; this call raises the RecursionError shown below
new_rule_object.create()

Traceback (most recent call last):
  File "/Users/suresh/Documents/panos-python-training/panorama_rules.py", line 30, in <module>
    new_rule_object.create()
  File "/Users/suresh/Library/Python/3.9/lib/python/site-packages/panos/base.py", line 652, in create
    device.active().xapi.set(
  File "/Users/suresh/Library/Python/3.9/lib/python/site-packages/panos/base.py", line 3859, in method
    result = getattr(ha_peer.xapi, super_method_name)(*args, **kwargs)
  File "/Users/suresh/Library/Python/3.9/lib/python/site-packages/panos/base.py", line 3859, in method
    result = getattr(ha_peer.xapi, super_method_name)(*args, **kwargs)
  File "/Users/suresh/Library/Python/3.9/lib/python/site-packages/panos/base.py", line 3859, in method
    result = getattr(ha_peer.xapi, super_method_name)(*args, **kwargs)
  [Previous line repeated 994 more times]
  File "/Users/suresh/Library/Python/3.9/lib/python/site-packages/panos/base.py", line 3805, in method
    if super_method_name not in ("keygen", "op", "ad_hoc", "export")
RecursionError: maximum recursion depth exceeded in comparison

Possible solution

Can we use the same method with Panorama too? I can still call methods such as active() or passive() after running the refresh_ha_active() method. For example, panorama_object.active() will return the current active Panorama.

Steps to reproduce

I explained the issue here in detail with the sample code block - https://live.paloaltonetworks.com/t5/general-topics/pan-os-python-panorama-set-ha-peers-method-not-working/td-p/563900

Context

We have active/passive Panorama, so it would be good to get this working so the configs are pushed to the current active device automatically.

Your Environment