PaloAltoNetworks / pan-os-python

The PAN-OS SDK for Python is a package to help interact with Palo Alto Networks devices (including physical and virtualized Next-generation Firewalls and Panorama). The pan-os-python SDK is object oriented and mimics the traditional interaction with the device via the GUI or CLI/API.
https://pan-os-python.readthedocs.io
ISC License

Partial XPath support no longer supported in PAN-OS 11.0 #570

Open stealthllama opened 4 months ago

stealthllama commented 4 months ago

Describe the bug

Partial XPath support was dropped in PAN-OS 11.0. The create() function in pan-os-python issues set commands with a partial XPath value for the newly created configuration object. This results in inconsistencies when performing partial commits on Panorama. Changes made by specific administrators are not pushed to the managed firewalls when a partial commit is performed.

Expected behavior

The set commands generated from the create() function should include the object entry on the XPath string.

Example:

<request cmd='set' obj="/config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='Lab Testing']/address/entry[@name='Address A']" cookie='1357220402109258' client='xmlapi' refresh='no'><ip-netmask>192.168.200.10/32</ip-netmask><description>Address A added by notbob from Postman</description></request>

Current behavior

The set commands generated from the create() function strip out the object entry suffix on the XPath string. An xpath_short() function is called to perform this truncation.

Example:

 <request cmd='set' obj="/config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='Lab Testing']/address" cookie='4859959213841190' client='xmlapi' refresh='no'><entry name="Address B"><ip-netmask>192.168.120.8/32</ip-netmask><description>Address B added by bob from Ansible</description></entry></request>

Possible solution

The create() function must specify the complete XPath with entry suffix in all set commands.

Steps to reproduce

  1. Create a new address object via the create() function against Panorama 11.0.3-h3 or later.
  2. Commit and push changes made by the specific administrator.
  3. The newly created object does not appear on the managed firewall.

Context

This issue impacts all users of the Ansible collection for PAN-OS.

Your Environment

stealthllama commented 4 months ago

The xpath_short() function that is being called by create():

https://github.com/PaloAltoNetworks/pan-os-python/blob/62bcff3bca86a5ff745eae3e92635d109673963a/panos/base.py#L382

keithcampbelljr commented 3 months ago

@stealthllama I'm currently working on this as it seemed straightforward. Does this issue only have an impact on AddressObject? Or does this need to impact other object types as well? I need to test this to see the XML output but I was looking at something like: self._xpaths.add_profile(value="/address/entry[@name='{name}']")
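The difference between the requests under "Current behavior" and "Expected behavior" in the issue, shown as an added example that is not part of the thread and is not pan-os-python code: it rewrites a container-level set (entry carried in the body) into an entry-level set (entry carried in the XPath). The function names `is_full_xpath`, `quote_name` and `to_full_set` are hypothetical, and the sample input is constructed from the request quoted in the issue.

```python
import re
import xml.etree.ElementTree as ET

# Matches an XPath whose last step is an entry predicate,
# e.g. .../address/entry[@name='Address A']
_ENTRY_SUFFIX = re.compile(r"""/entry\[@name=(?:'[^']*'|"[^"]*")\]$""")


def is_full_xpath(xpath):
    """True when the set target names the object entry, not its container."""
    return bool(_ENTRY_SUFFIX.search(xpath))


def quote_name(name):
    """Quote an entry name for an XPath predicate (XPath 1.0 has no escapes)."""
    if "'" not in name:
        return "'%s'" % name
    if '"' not in name:
        return '"%s"' % name
    raise ValueError("name contains both quote characters: %r" % name)


def to_full_set(xpath, element):
    """Turn (container xpath, <entry name=...>...</entry>) into
    (entry xpath, children only), the form shown under "Expected behavior"."""
    if is_full_xpath(xpath):
        return xpath, element  # already targets the entry
    root = ET.fromstring(element)
    if root.tag != "entry" or "name" not in root.attrib:
        raise ValueError("element must be a single <entry name='...'>")
    full = "%s/entry[@name=%s]" % (xpath.rstrip("/"), quote_name(root.get("name")))
    body = "".join(ET.tostring(child, encoding="unicode") for child in root)
    return full, body


# Constructed sample, taken from the "Current behavior" request in the issue.
SHORT_XPATH = ("/config/devices/entry[@name='localhost.localdomain']"
               "/device-group/entry[@name='Lab Testing']/address")
SHORT_ELEMENT = ('<entry name="Address B"><ip-netmask>192.168.120.8/32</ip-netmask>'
                 '<description>Address B added by bob from Ansible</description></entry>')

if __name__ == "__main__":
    full_xpath, body = to_full_set(SHORT_XPATH, SHORT_ELEMENT)
    print(full_xpath)
    print(body)
```
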