The PAN-OS SDK for Python is a package to help interact with Palo Alto Networks devices (including physical and virtualized Next-generation Firewalls and Panorama). The pan-os-python SDK is object oriented and mimics the traditional interaction with the device via the GUI or CLI/API.
BGP configuration against existing Virtual Router fails when the VR contains a BGP import rule with "Append Community" configu
Expected behavior
It should be possible to modify the BGP object even when import rules exist with append community.
Current behavior
When trying to configure an existing virtual router with existing BGP configuration, where a BGP import or export rule is present with the "append community" action selected, it fails with the following error:
panos.errors.PanDeviceXapiError: bgp -> policy -> import -> rules -> with_community_append_value -> action -> allow -> update -> community -> append constraints failed : must also specify community value to be added
Steps to reproduce
Configure a Virtual Router
Enable BGP
Configure an import rule as such:
Close all the VR windows by hitting OK (ensuring that the VR is actually in the config)
Then, attempt to modify some attribute of the BGP config, like Router ID. The following script shows an example:
```python
import os
import sys
from getpass import getpass

from panos.panorama import Panorama
from panos.panorama import DeviceGroup, Template, TemplateStack
from panos.network import Bgp, BgpRoutingOptions, VirtualRouter

VR_NAME = "test_vr"
TEMPLATE_NAME = "TEST_TEMPLATE"


def main():
    # Take the password from the environment, or prompt for it
    pw = os.getenv("PAN_PASSWORD")
    if not pw:
        pw = getpass()

    p = Panorama(sys.argv[1], sys.argv[2], pw)
    template = Template(TEMPLATE_NAME)
    p.add(template)
    vr = VirtualRouter(VR_NAME)
    template.add(vr)
    # Pull the existing virtual router configuration from the template
    vr.refresh()
    parent = vr
    existing_bgp = parent.findall(Bgp)[0]
    # Arbitrarily change the router ID
    existing_bgp.router_id = "1.1.1.2"
    # Try to apply; fails if Community exists in import rule, otherwise, it succeeds.
    existing_bgp.apply()


if __name__ == '__main__':
    # Show usage only when the required arguments are missing
    if len(sys.argv) < 3:
        print("usage: python script.py <pan_ip> <username>")
        sys.exit(1)
    main()
```
Context
Customer is using pan-os-ansible to configure their BGP environment and is unable to use it to configure existing VR.
Your Environment