I cannot find a way to do this? Can someone point me in the right direction?

pandevice.errors.PanDeviceXapiError:  dev -> settings -> default-vsys 'vsys1' is not a valid reference
 dev -> settings -> default-vsys is invalid

Description

Adding RIP configuration objects to be added to panos.network.VirtualRouter instance.

The following classes have been added to enable this functionality:

• Rip
• RipInterface
• RipAuthProfile
• RipAuthProfileMd5
• RipExportRules

Added Unit tests to cover the additional classes

• TestRip
• TestRipAuthProfile
• TestRipAuthProfileMd5
• TestRipInterface
• TestRipExportRules

Feature enhancement #329

Motivation and Context

Current network design requires RIP routing configuration on VirtualRouter objects.

How Has This Been Tested?

pylint pass flake8 pass pytest live tests pass

Functionality tested with the following driver script:

import os

from panos.firewall import Firewall
from panos.network import (
    RedistributionProfile,
    Rip,
    RipAuthProfile,
    RipAuthProfileMd5,
    RipExportRules,
    RipInterface,
    VirtualRouter,
)

HOSTNAME = os.environ["PAN_HOSTNAME"]
USERNAME = os.environ["PAN_USERNAME"]
PASSWORD = os.environ["PAN_PASSWORD"]

VR_NAME = "vr_1"
REDIST_NAME = "redist_1"
VR_INTERFACES = ["ethernet1/1"]
REDIST_INTERFACE = "ethernet1/1"


fw = Firewall(HOSTNAME, USERNAME, PASSWORD)

# find or create a virtual router
vr = fw.find_or_create(VR_NAME, VirtualRouter, interface=VR_INTERFACES)

# create redist profile
redist_profile = RedistributionProfile(
    name=REDIST_NAME, priority=1, action="redist"
)
vr.add(redist_profile)

rip_spec = {
    "enable": True,
    "reject_default_route": True,
    "allow_redist_default_route": True,
    "delete_intervals": 121,
    "expire_intervals": 181,
    "interval_seconds": 2,
    "update_intervals": 31,
}
rip = Rip(**rip_spec)

# add rip auth (password)
rip_auth = RipAuthProfile(
    name="rip_profile_1", auth_type="password", password="#Password1"
)
rip.add(rip_auth)

# add rip auth (md5)
rip_auth = RipAuthProfile(name="rip_profile_2", auth_type="md5")
md5 = RipAuthProfileMd5(keyid=1, key="#Password1", preferred=True)
rip_auth.add(md5)
rip.add(rip_auth)

# add rip export rules
rip_export = RipExportRule(name=REDIST_NAME, metric=10)
rip.add(rip_export)

# add rip interfaces
rip_interface_spec = {
    "name": REDIST_INTERFACE,
    "enable": True,
    "advertise_default_route": "advertise",
    "metric": 11,
    "auth_profile": "rip_profile_1",
    "mode": "passive",
}
rip_interface = RipInterface(**rip_interface_spec)
rip.add(rip_interface)

# add rip config to virtual router and apply changes
vr.add(rip)
vr.apply()

Result

Types of changes

• New feature (non-breaking change which adds functionality)

Checklist

• [x] I have updated the documentation accordingly.
• [x] I have read the CONTRIBUTING document.
• [x] I have added tests to cover my changes if appropriate.
• [x] All new and existing tests passed.

Is your feature request related to a problem?

I would like to gather hit_count for security rules from Panorama. I've seen this feature implemented with the Firawall object and I was wondering if we could do the same for the Panoram object. Unless I missed something it seems that there is nothing similar for panorama.

Describe the solution you'd like

Something similar to this commit: https://github.com/PaloAltoNetworks/pan-os-python/commit/7a2e95b3746faeb386c58dedbb40b71d81a5cff0

Describe alternatives you've considered

I could pass an xml to Panorama.op but I rather work with object.

I see a panos.policies.RulebaseOpState imbricated in SecurityRule response and I trying to leverage this with no success. I want to be able to retrieve security rules and their associated hit_count. If a process already exist please let me know how to do it.

I've added support for basic BGP configuration of a VirtualRouter, including peer groups and peers. I'm planning to complete the policy and advanced options but I thought I would submit the progress thus far.

Any feedback is appreciated.

Hi

For example, Lets have Devicegroup hierarchy level in Panorama are as below,

-- Base ----childbase1 ------childbase2

When I try to refreshall objects from childbase2, it should return objects from Base, childbase1, childbase2 (maybe shared as well).

I kinda stuck in this stage, How can it be achieved through panospython ?

We create object with uppercase and when we use create_security_rule we obtains error from pandevice.policies

[2018-03-13 16:52:37,596] {#flaskit/resource.py:232} 100a688b ERROR - datacenter -> pre-rulebase -> security -> rules -> Test1 -> source '['PHMBUPIAPIA']' is not an allowed keyword datacenter -> pre-rulebase -> security -> rules -> Test1 -> source ['PHMBUPIAPIA'] is an invalid ipv4/v6 address datacenter -> pre-rulebase -> security -> rules -> Test1 -> source '['PHMBUPIAPIA']' is not a valid reference datacenter -> pre-rulebase -> security -> rules -> Test1 -> source ['PHMBUPIAPIA'] range separator('-') not found datacenter -> pre-rulebase -> security -> rules -> Test1 -> source is invalid Traceback (most recent call last):

Per conversation in previous FR, I am opening this issue to formally request this functionality.

Again, the wish is to pull in the predefined objects that exist in firewall. Perhaps as an optional parameter "include_predefined" in the refresh methods?

Hi I am trying to tag existing IP 10.34.20.94 on firewall 10.34.2.21 (PANOS 7.1.7 - model 5060 multi vsys) with tag General , getting error below:

$ python dyn_address_group.py 10.34.2.21 admin 'password' 10.34.20.94 General
usage: dyn_address_group.py [-h] [-v] [-q] [-r REGISTER] [-u UNREGISTER] [-l]
                            [-c]
                            hostname username password ip
dyn_address_group.py: error: unrecognized arguments: General

I am using pandevice (0.3.5)

policies.SecurityRule has certain attributes that default to the string value 'any'. However when a SecurityRule is created from a live device and that rule has attributes actually set to 'any' the value is represented as a list ['any']. This is inconsistent behavior and leads the developer to add extra checks to deal with these attributes when their value is actually set to 'any'.

I got SyntaxError: invalid syntax for 'from pandevice import firewall'

$ python
Python 2.6.6 (r266:84292, May 22 2015, 08:34:51) 
[GCC 4.4.7 20120313 (Red Hat 4.4.7-15)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import pandevice

>>> from pandevice import firewall
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python2.6/site-packages/pandevice/firewall.py", line 32, in <module>
    from pandevice import device
  File "/usr/lib/python2.6/site-packages/pandevice/device.py", line 22, in <module>
    from base import PanObject, Root, MEMBER, ENTRY
  File "/usr/lib/python2.6/site-packages/pandevice/base.py", line 1095
    option_paths = {opt: re.sub(r"\([\w\d|-]*\)", opt, path) for opt in options}
                                                               ^
SyntaxError: invalid syntax

Description

Ben Parker 2:39 PM

So this call should actaully support another argument https://pan-os-python.readthedocs.io/en/latest/module-userid.html#panos.userid.UserId.audit_registered_ip

the timeout like argument like https://pan-os-python.readthedocs.io/en/latest/module-userid.html#panos.userid.UserId.audit_registered_ip

Ben Parker 2:40 PM Here is what the whole API call looks like

https://{{host}}/api?key={{key}}&type=user-id&cmd=<uid-message><version>2.0</version><type>update</type><payload><register><entry ip="{{tagged-ip}}"><tag><member timeout="60">{{tag}}</member></tag></entry></register></payload></uid-message>

Motivation and Context

Need update to XML API call

How Has This Been Tested?

New unit test cases included

Types of changes

• Bug fix (non-breaking change which fixes an issue)

Checklist

• [x] I have updated the documentation accordingly.
• [x] I have read the CONTRIBUTING document.
• [x] I have added tests to cover my changes if appropriate.
• [x] All new and existing tests passed.

Description

Adding support for the PAN-OS 10.2 feature of Administrator-Level Push from Panorama to Managed Devices

Motivation and Context

Motivation is adding support for a new PAN-OS feature, and also to support adding this feature in pan-os-ansible (ref)

How Has This Been Tested?

Tested locally, with Panorama 11.0.0 and managed firewall 10.2.3

    panorama = Panorama(HOSTNAME, USERNAME, PASSWORD)

    cmd = PanoramaCommitAll(
        style="device group",
        name="poc-dg",
        include_template=False,
        force_template_values=False,
        admins=["other"],
    )

    sync = False
    sync_all = True

    result = panorama.commit(cmd=cmd, sync=sync, sync_all=sync_all)

Screenshots (if appropriate)

Types of changes

• New feature (non-breaking change which adds functionality)

Checklist

• [x] I have updated the documentation accordingly.
• [x] I have read the CONTRIBUTING document.
• [ ] I have added tests to cover my changes if appropriate.
• [x] All new and existing tests passed.

Describe the bug

Unable to receive the vsys of a SecurityRule, device group is being returned.

Expected behavior

rules = SecurityRule.refreshall(rb)
rule = rules[0]
rule.vsys
'policy-targetted-vsys-name-here'

Current behavior

rules = SecurityRule.refreshall(rb)
rule = rules[0]
rule.vsys
'policy-targetted-device-group-name-here'

It does not look like vsys is a captured value.

pprint.pprint(vars(rule))
{'_params': (<VersionedParamPath fromzone=['any'] default=['any'] 0x7ff31e8d66a0>,
             <VersionedParamPath tozone=['any'] default=['any'] 0x7ff31e8d6430>,
             <VersionedParamPath source=['TEST_DMZ'] default=['any'] 0x7ff31e8d6640>,
             <VersionedParamPath source_user=['any'] default=['any'] 0x7ff31e8d67f0>,
             <VersionedParamPath hip_profiles=None default=['any'] 0x7ff31e8d66d0>,
             <VersionedParamPath destination=['TEST_K8S'] default=['any'] 0x7ff31e8d65b0>,
             <VersionedParamPath application=['any'] default=['any'] 0x7ff31e8d6220>,
             <VersionedParamPath service=['K8S_OVERLAY'] default=application-default 0x7ff31e8d63a0>,
             <VersionedParamPath category=['any'] default=['any'] 0x7ff31e8d6d00>,
             <VersionedParamPath action=allow default=None 0x7ff31e8d6d60>,
             <VersionedParamPath log_setting=None default=None 0x7ff31e8d62e0>,
             <VersionedParamPath log_start=None default=None 0x7ff31e8d6820>,
             <VersionedParamPath log_end=None default=None 0x7ff31e8d6880>,
             <VersionedParamPath description=Test rule to allow traffic towards k8s cluster default=None 0x7ff31e8d6280>,
             <VersionedParamPath type=universal default=universal 0x7ff31e8d6970>,
             <VersionedParamPath tag=None default=None 0x7ff31e8d6dc0>,
             <VersionedParamPath negate_source=None default=None 0x7ff31e8d6550>,
             <VersionedParamPath negate_destination=None default=None 0x7ff31e8d61f0>,
             <VersionedParamPath disabled=None default=None 0x7ff31e8d6ca0>,
             <VersionedParamPath schedule=None default=None 0x7ff31e8d60d0>,
             <VersionedParamPath icmp_unreachable=None default=None 0x7ff31e8d65e0>,
             <VersionedParamPath disable_server_response_inspection=None default=None 0x7ff31e8d6760>,
             <VersionedParamPath group=None default=None 0x7ff31e8d6070>,
             <VersionedParamPath negate_target=False default=None 0x7ff31e8d6100>,
             <VersionedParamPath target=['123456789011', '123456789012'] default=None 0x7ff31e8d68e0>,
             <VersionedParamPath virus=None default=None 0x7ff31e8d6400>,
             <VersionedParamPath spyware=None default=None 0x7ff31e8d6460>,
             <VersionedParamPath vulnerability=None default=None 0x7ff31e8d68b0>,
             <VersionedParamPath url_filtering=None default=None 0x7ff31e8d6c40>,
             <VersionedParamPath file_blocking=None default=None 0x7ff31e8d6a60>,
             <VersionedParamPath wildfire_analysis=None default=None 0x7ff31e8d6b80>,
             <VersionedParamPath data_filtering=None default=None 0x7ff31e8d6b20>,
             <VersionedParamPath uuid=12345678-1234-1234-1234-123456789011 default=None 0x7ff31e8d6a00>,
             <VersionedParamPath source_devices=['any'] default=['any'] 0x7ff31e8c4df0>,
             <VersionedParamPath destination_devices=['any'] default=['any'] 0x7ff31e8c44c0>,
             <VersionedParamPath group_tag=None default=None 0x7ff31e8c4730>),
'_stubs': <panos.base.VersionedStubs object at 0x7ff31e8d62b0>,
'_xpaths': <panos.base.ParentAwareXpath object at 0x7ff31e8d6df0>,
'children': [],
'name': 'Test rule to allow traffic towards k8s cluster',
'opstate': <panos.base.OpStateContainer object at 0x7ff31e8c4550>,

Possible solution

Targeting a vsys is a common need for customers with multi-vsys systems, so there is an expectation that the vsys attribute will return the appropriate value.

vsys information is presented within the REST API for the SecurityPostRules, but it requires an addititional query.

/restapi/v10.1/Policies/SecurityPostRules?location=device-group&device-group=production&name=Test%20rule%20to%20allow%20traffic%20towards%20k8s%20cluster

{
  "@status": "success",
  "@code": "19",
  "result": {
    "@total-count": "1",
    "@count": "1",
    "entry": [
      {
        "@name": "Test rule to allow traffic towards k8s cluster",
...
        "target": {
          "devices": {
            "entry": [
              {
                "@name": "123456789011",
                "vsys": {
                  "entry": [
                    {
                      "@name": "vsys5"
                    }
                  ]
                }
              },
              {
                "@name": "123456789012",
                "vsys": {
                  "entry": [
                    {
                      "@name": "vsys5"
                    }
                  ]
                }
              }
            ]
          },
          "negate": "no"
        }
      }
    ]
  }
}

This requires making an API call to "/restapi/v10.1/Device/VirtualSystems?location=template&template=Production" and capturing the indexed fifth entry to reveal the assigned vsys.

This gives hope that the data can be captured from the XML API and could be presented through asking for the vsys attribute of a policy rule object.

Steps to reproduce

1. run the following within the repl

from panos.panorama import Panorama, DeviceGroup
from panos.policies import PostRulebase, SecurityRule

pano = Panorama("panorama", "username", "password")
dg = DeviceGroup("production")
rb = PostRulebase()
pano.add(dg)
dg.add(rb)

rules = SecurityRule.refreshall(rb)
rules[0].name
rule = rules[0]
rule.vsys

Screenshots

Context

Using diffsync library with Nautobot, this enables a workflow where security policies are defined within Nautobot's database and synced to Panorama through the pan-os-python SDK.

Your Environment

• Version used: 1.7.3
• Environment name and version (e.g. Chrome 59, node.js 5.4, python 3.7.3): python 3.7
• Operating System and version (desktop or mobile): Ubuntu 20.04 (WSL2)
• Link to your project: private repository

Description

Created the following new classes for the missing log setting formats:

• class LogSettingsGlobalProtect
• class LogSettingsUserId
• class LogSettingsIpTag
• class LogSettingsHipMatch
• class LogSettingsCorrelation

Added the the new class references as CHILDTYPES parameter to the following classes:

• panos.device: class Vsys
• panos.panorama: class TemplateStack and class Template
• panos.firewall: class Firewall

Motivation and Context

We need to update log settings across multiple firewalls/Panorama Device groups, however as of now only System and Configuration log settings are supported in the SDIK. The following log settings types are missing:

• Global Protect (PanOS 9.1)
• User ID
• IP Tag (PanOS 9.0)
• HIP Match
• Correlation

How Has This Been Tested?

Tested the new classes for Log Setting retrieval and configuration against Panorama.

Screenshots (if appropriate)

NA

Types of changes

• New feature (non-breaking change which adds functionality)

Checklist

• [x] I have updated the documentation accordingly.
• [x] I have read the CONTRIBUTING document.
• [x] I have added tests to cover my changes if appropriate.
• [x] All new and existing tests passed.

Describe the bug

If a static route exists on the firewall which references an interface, a full_delete() will fail on a different interface.

Expected behavior

full_delete() should complete without throwing an exception

Current behavior

A TypeError exception is thrown, such as:

File "/work/panos/network.py", line 595, in full_delete elif "__iter__" in dir(obj.interface) and self in obj.interface: TypeError: 'in ' requires string as left operand, not EthernetInterface

Possible solution

StaticRoute's interface attribute gets populated as a string, whereas the full_delete code appears to expect a list (which is the case for other objects such as VirtualRouter or Zone). Since the str type will also pass the __iter__ check, a more specific type check may be needed to avoid the