PaloAltoNetworks / pan.dev

Palo Alto Networks for Developers
https://pan.dev
MIT License

Issue/Help with "List security rules" & "Create security rules" #218

Open atav928 opened 1 year ago

atav928 commented 1 year ago

Documentation link

https://pan.dev/access/api/prisma-access-config/get-sse-config-v-1-security-rules/

Leads to another issue in the creation: https://pan.dev/access/api/prisma-access-config/post-sse-config-v-1-security-rules/

Describe the problem

__issue type:__ inaccuracy/improvement

description of issue:

You require a position in the argument to get a list of policies; yet when you are pulling rules from a folder, that folder ignores the pre/post and provides you the full list of pre/post rules, and it is defined in your response with the:

response in each rule. Does that make this necessary when you are gathering the list of rules and already specifying the location, if the only place pre/post really takes effect is in the "Shared" folder? Unless you plan on allowing pre and post rules for each folder structure like it is done in Palo Alto PanOS Device Groups?

But as it stands today, you can only add Pre or Post rules in the 'Shared' folder. You are unable to add that in any other folder, which is a different format than what one is accustomed to in PanOS.

Additional Issues this causes

Since you require the positional argument to be passed, and you can only set the positional argument in the "Shared" folder, then why do you also now have to specify it when you are creating a rule in a different folder that doesn't accept "pre"/"post"?

Lastly, your document states that it defaults to "pre". In my tests it does not and responds with:

prismasase.exceptions.SASEBadRequest: {"_errors":[{"code":"API_I00035","message":"Invalid Request Payload ","details":"position is required"}],"_request_id":"79f29f8c-7af3-4a8c-a613-ba264e7a8d7e"}

Therefore, your documentation is also incorrect in the default value it sets if one is not supplied. If that were the case, then I would not have received an error and the backend would have supplied 'pre' as the default value.

Suggested fix

Since 'pre' and 'post' rules technically only seem to apply to the "Shared" folder, why is it required for all? Would it just make sense to do away with that requirement completely and just display all rules for each folder? Just make it a requirement for when you are adding a rule specifically to the 'Shared' folder. When you pull a list of rules from a specific folder besides the "Shared" folder, you return the "pre", "folder rules" and "post" rules in the response, and then the user should be responsible for determining which rules are where, since you already have it in your payload.

But if you do it that way, I would have a slight recommendation on how I built out my PanOS API module, where I define the JSON response in a hierarchy instead of inline. This may be too much, as it depends on how people are using the response. What I do is take the Device Group and split it out so it looks like this:

{
    "Shared": {
        "pre-rules": [
            {},
            {},
            {}
        ],
        "post-rules": [
            {},
            {},
            {}
        ]
    },
    "Another_Device_Group": {
        "pre-rules": [
            {},
            {},
            {}
        ],
        "post-rules": [
            {},
            {},
            {}
        ]
    }
}

But because you don't allow putting rules in pre/post within a folder, and only inherit that from the "Shared" folder, yours may look like this:

{
    "Shared": {
        "pre-rules": [
            {},
            {}
        ],
        "post-rules": [
            {},
            {}
        ]
    },
    "Remote Networks": {
        "rules": [
            {},
            {},
            {}
        ]
    }
}

Or even like this (since you are just pulling your pre and post rules from the "Shared" folder, you will always have the same, and when you specify the folder itself you either want to see all of them in order or you just want the specific rules):

{
    "Remote Networks": {
        "pre-rules": [
            {},
            {}
        ],
        "rules": [
            {},
            {},
            {}
        ],
        "post-rules": [
            {},
            {}
        ]
    }
}

Where the above pre/post rules are really just a copy of the "Shared" rule-base.

Or just stick to the data response you are providing. When I'm adjusting the rules I'm re-organizing them anyway, as this type of format makes it easier to find where a rule is and how it is set up, and to report back the actual structure vs. just a list, which doesn't include a rule order location ID.

Which leads me to another issue, which I'll post as a completely separate issue.
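The regrouping the comment above describes, as an added example that is not part of the original issue and not the author's PanOS module or any pan.dev code: it takes the flat listing the API returns for one folder (Shared pre-rules, the folder's own rules and Shared post-rules all mixed together), rebuilds the per-folder hierarchy from the second and third layouts above, attaches the rule's ordinal in the original listing so the ordering is not lost, always sends `position` explicitly since the documented default does not apply, and parses the `API_I00035` error body quoted above. The base URL, the `folder`/`position` query parameters and the `folder` and `position` fields on each rule object are assumptions; the sample listing is constructed.

```python
"""Regroup a flat Prisma Access security-rule listing into a per-folder
pre / folder / post hierarchy and build the list request with an explicit
position. Added example; not the issue author's module nor pan.dev code.

Assumptions (not confirmed by the issue text):
  - the list endpoint is GET {BASE}/sse/config/v1/security-rules with
    `folder` and `position` query parameters;
  - every rule object in the listing carries a `folder` field, and
    Shared rules additionally carry a `position` of "pre" or "post".
"""
import json
from collections import OrderedDict
from urllib.parse import urlencode

BASE = "https://api.sase.paloaltonetworks.com"  # assumed base URL
VALID_POSITIONS = ("pre", "post")

# Constructed sample listing for a folder request; not real API output.
SAMPLE_LISTING = [
    {"name": "block-known-bad", "folder": "Shared", "position": "pre", "action": "deny"},
    {"name": "allow-dns", "folder": "Shared", "position": "pre", "action": "allow"},
    {"name": "rn-allow-web", "folder": "Remote Networks", "action": "allow"},
    {"name": "rn-allow-ssh", "folder": "Remote Networks", "action": "allow"},
    {"name": "default-deny", "folder": "Shared", "position": "post", "action": "deny"},
]


def list_rules_url(folder, position="pre"):
    """Build the list URL, always sending position explicitly: the backend
    rejects a request without it (API_I00035) instead of defaulting to pre."""
    if position not in VALID_POSITIONS:
        raise ValueError(f"position must be one of {VALID_POSITIONS}")
    return f"{BASE}/sse/config/v1/security-rules?" + urlencode(
        {"folder": folder, "position": position})


def parse_api_error(body):
    """Return (code, message, details) for the first entry of an error body
    shaped like the one quoted in the issue, or None if body is not one."""
    try:
        doc = json.loads(body)
    except json.JSONDecodeError:
        return None
    errors = doc.get("_errors") or []
    if not errors:
        return None
    first = errors[0]
    return (first.get("code"), (first.get("message") or "").strip(), first.get("details"))


def group_rules(rules, shared_folder="Shared"):
    """Rebuild {folder: {"pre-rules": [...], "rules": [...], "post-rules": [...]}}.
    Shared rules are split by their `position`; any other folder's rules go
    into "rules". Each emitted rule gets `order`, its 0-based index in the
    flat listing, so the original evaluation order survives regrouping."""
    grouped = OrderedDict()
    for index, rule in enumerate(rules):
        folder = rule["folder"]
        bucket = grouped.setdefault(
            folder, {"pre-rules": [], "rules": [], "post-rules": []})
        if folder == shared_folder:
            position = rule.get("position")
            if position not in VALID_POSITIONS:
                raise ValueError(
                    f"shared rule {rule.get('name')!r} has no valid position")
            key = f"{position}-rules"
        else:
            key = "rules"
        bucket[key].append(dict(rule, order=index))
    return grouped


def effective_rulebase(grouped, folder, shared_folder="Shared"):
    """The third layout above: one folder with Shared pre-rules, the
    folder's own rules and Shared post-rules, in evaluation order."""
    shared = grouped.get(shared_folder, {"pre-rules": [], "post-rules": []})
    own = grouped.get(folder, {"rules": []})
    return {folder: {"pre-rules": list(shared["pre-rules"]),
                     "rules": list(own["rules"]),
                     "post-rules": list(shared["post-rules"])}}


if __name__ == "__main__":
    grouped = group_rules(SAMPLE_LISTING)
    print(json.dumps(grouped, indent=2))
    print(json.dumps(effective_rulebase(grouped, "Remote Networks"), indent=2))
    print(list_rules_url("Remote Networks", "post"))
```

`group_rules` raises on a Shared rule without a valid `position` rather than silently filing it, since a Shared rule with no pre/post placement is exactly the ambiguity the issue is about; folder-local rules are not required to carry one.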

welcome-to-palo-alto-networks[bot] commented 1 year ago

:tada: Thanks for opening your first issue here! Welcome to the community!

sarette commented 1 year ago

Opened internal engineering bug ADI-17492 for this issue: