<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Rename zone in security policy through xml api in Automation/API Discussions</title>
    <link>https://live.paloaltonetworks.com/t5/automation-api-discussions/rename-zone-in-security-policy-through-xml-api/m-p/197753#M1562</link>
    <description>&lt;P&gt;Ahhh, that works.&amp;nbsp; No worries.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Edit will replace everything at that element/tag with whatever you input.&amp;nbsp; So if you have multiple zones in the Source Zone and do an edit, it will nuke everything and drop your new zone in leaving you with an odd configuration.&amp;nbsp; If you've only got single zones in your rule, this shouldn't be too much of an issue, but it is something akin to using a chainsaw to perform leg surgery.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Rename is to do just that, rename an object.&amp;nbsp; Instead of objectA you want to name it ObjectA, you would use rename to get it done.&amp;nbsp; You wouldn't be renaming an object, unless you simply wanted to take ZoneA and rename it to ZoneA_old.&amp;nbsp; In that case, you would be on track with the rename action.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Otherwise the Add/Remove process is what you are going to be looking for, it'll allow you to carve out and re-add what you are looking for in process.&lt;/P&gt;</description>
    <pubDate>Wed, 31 Jan 2018 02:11:55 GMT</pubDate>
    <dc:creator>tschlottog</dc:creator>
    <dc:date>2018-01-31T02:11:55Z</dc:date>
    <item>
      <title>Rename zone in security policy through xml api</title>
      <link>https://live.paloaltonetworks.com/t5/automation-api-discussions/rename-zone-in-security-policy-through-xml-api/m-p/197546#M1551</link>
      <description>&lt;P&gt;Hi all,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I'm trying to programmatically rename a security zone via xml api.&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Here's a scenario:&lt;/P&gt;&lt;P&gt;1. Device currently has 5 zones: trust, untrust, dmz, lvl1, lvl2&lt;/P&gt;&lt;P&gt;2. There are 500+ policies where &amp;lt;&amp;lt;trust&amp;gt;&amp;gt; appears as source zone member or destination zone member (there can be multiple src or dst zone members as well, e.g: from: trust, lvl2, to: dmz, lvl1, trust, and so on)&lt;/P&gt;&lt;P&gt;3. We want to rename zone trust into trust_old. We will keep zone trust for now, but what we need to do is to ensure each security rule that had zone "trust" now has renamed zone "trust_old". So the idea is to introduce a new zone, rename all security policies that use that zone and then remove zone at the end.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I'm trying to figure out how to achieve this with xml api.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;This would be an example of my rule as it sits on panorama. 
We need to do everything directly on panorama because we manage all config on panorama directly:&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;xpath="/config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='Firewall Lab']/pre-rulebase/security/rules/entry[@name='test-block-milos1']"&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;(python requests module, querytype_show =&amp;nbsp;'?type=config&amp;amp;action=show&amp;amp;'&lt;/P&gt;&lt;P&gt;&amp;gt;&amp;gt;&amp;gt; result = s.get(panorama + querytype_show + urlencode({"xpath": xpath}) + key, verify=False)&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;u'&amp;lt;response status="success"&amp;gt;&amp;lt;result&amp;gt;&amp;lt;entry name="test-block-milos1"&amp;gt;\n &amp;lt;target&amp;gt;\n &amp;lt;negate&amp;gt;no&amp;lt;/negate&amp;gt;\n &amp;lt;/target&amp;gt;\n &amp;lt;to&amp;gt;\n &amp;lt;member&amp;gt;untrust&amp;lt;/member&amp;gt;\n &amp;lt;/to&amp;gt;\n &amp;lt;from&amp;gt;\n &amp;lt;member&amp;gt;trust&amp;lt;/member&amp;gt;\n &amp;lt;/from&amp;gt;\n &amp;lt;source&amp;gt;\n &amp;lt;member&amp;gt;milos-test1&amp;lt;/member&amp;gt;\n &amp;lt;/source&amp;gt;\n &amp;lt;destination&amp;gt;\n &amp;lt;member&amp;gt;milos-test2&amp;lt;/member&amp;gt;\n &amp;lt;/destination&amp;gt;\n &amp;lt;source-user&amp;gt;\n &amp;lt;member&amp;gt;any&amp;lt;/member&amp;gt;\n &amp;lt;/source-user&amp;gt;\n &amp;lt;category&amp;gt;\n &amp;lt;member&amp;gt;any&amp;lt;/member&amp;gt;\n &amp;lt;/category&amp;gt;\n &amp;lt;application&amp;gt;\n &amp;lt;member&amp;gt;icmp&amp;lt;/member&amp;gt;\n &amp;lt;member&amp;gt;oracle&amp;lt;/member&amp;gt;\n &amp;lt;/application&amp;gt;\n &amp;lt;service&amp;gt;\n &amp;lt;member&amp;gt;application-default&amp;lt;/member&amp;gt;\n &amp;lt;/service&amp;gt;\n &amp;lt;hip-profiles&amp;gt;\n &amp;lt;member&amp;gt;any&amp;lt;/member&amp;gt;\n &amp;lt;/hip-profiles&amp;gt;\n &amp;lt;action&amp;gt;deny&amp;lt;/action&amp;gt;\n 
&amp;lt;log-setting&amp;gt;LOG&amp;lt;/log-setting&amp;gt;\n &amp;lt;description&amp;gt;rule 42479&amp;lt;/description&amp;gt;\n&amp;lt;/entry&amp;gt;\n&amp;lt;/result&amp;gt;&amp;lt;/response&amp;gt;'&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;How would I select this rule and rename "from trust" to "from trust_old" ?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Thanks for any tips provided&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Milos&lt;/P&gt;</description>
      <pubDate>Tue, 30 Jan 2018 04:55:49 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/automation-api-discussions/rename-zone-in-security-policy-through-xml-api/m-p/197546#M1551</guid>
      <dc:creator>KostiM</dc:creator>
      <dc:date>2018-01-30T04:55:49Z</dc:date>
    </item>
    <item>
      <title>Re: Rename zone in security policy through xml api</title>
      <link>https://live.paloaltonetworks.com/t5/automation-api-discussions/rename-zone-in-security-policy-through-xml-api/m-p/197672#M1556</link>
      <description>&lt;P&gt;Milos, you are going to need to alter your action from 'action=show' to 'action=set' to get it to add in the new zone and then an 'action=delete' in order to remove the old zone.&amp;nbsp; You should be able to do this programmatically through some offbox scripting as well.&amp;nbsp; I've automated changes like this before and broke them down in 3 discrete stages.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;1.&amp;nbsp; Discovery - Pull down the configuration from Panorama then roll through the XML using something like Element Tree in order to find all the rules that match the source zone or whatever XML tag I am looking for and create a list to be used.&lt;/P&gt;&lt;P&gt;2.&amp;nbsp; Addition - With the created list, sequentially roll through the rules creating targeted additions to the rules with the 'action=set' as part of the URI.&amp;nbsp; Monitor for any errors at this stage, if you catch anything other than HTTP 200 responses, stop the entire process and take a look at what is going on.&lt;/P&gt;&lt;P&gt;3.&amp;nbsp; Clean Up - With the same list we used in Addition, go through and with an 'action=delete' removing your old source zone or tag.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;At this point you have a candidate configuration and will need to commit it in order to complete your change.&amp;nbsp; This is a good time to run a config diff between your candidate and running configuration to make sure that you are visually seeing the changes that you want to see.&amp;nbsp; If you are good with it, go ahead with the commit.&amp;nbsp; Once you are comfortable with the actions in your script, you can automate the commit process as well, but it is something I typically leave for the end game of the development process given the potential for issues while creating this process.&lt;/P&gt;</description>
      <pubDate>Tue, 30 Jan 2018 18:43:47 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/automation-api-discussions/rename-zone-in-security-policy-through-xml-api/m-p/197672#M1556</guid>
      <dc:creator>tschlottog</dc:creator>
      <dc:date>2018-01-30T18:43:47Z</dc:date>
    </item>
    <item>
      <title>Re: Rename zone in security policy through xml api</title>
      <link>https://live.paloaltonetworks.com/t5/automation-api-discussions/rename-zone-in-security-policy-through-xml-api/m-p/197751#M1561</link>
      <description>&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;&lt;BR /&gt;Thanks for your reply. I was using action show to just show an example of a single rule.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Do I have to do set + delete or is there any way to use action=rename or action=edit? I was kind of hoping that I can just do a simple rename or edit, not to have to set and delete.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I use Python quite a lot and automated a bunch of things so far to pull panorama config to discover rules for various purposes so this is not going to be a problem.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I am just trying to figure out if Addition + Cleanup is absolutely necessary as per your suggestion or if we can do immediate edit or rename&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Cheers,&lt;/P&gt;&lt;P&gt;Milos&lt;/P&gt;</description>
      <pubDate>Wed, 31 Jan 2018 01:49:03 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/automation-api-discussions/rename-zone-in-security-policy-through-xml-api/m-p/197751#M1561</guid>
      <dc:creator>KostiM</dc:creator>
      <dc:date>2018-01-31T01:49:03Z</dc:date>
    </item>
    <item>
      <title>Re: Rename zone in security policy through xml api</title>
      <link>https://live.paloaltonetworks.com/t5/automation-api-discussions/rename-zone-in-security-policy-through-xml-api/m-p/197753#M1562</link>
      <description>&lt;P&gt;Ahhh, that works.&amp;nbsp; No worries.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Edit will replace everything at that element/tag with whatever you input.&amp;nbsp; So if you have multiple zones in the Source Zone and do an edit, it will nuke everything and drop your new zone in leaving you with an odd configuration.&amp;nbsp; If you've only got single zones in your rule, this shouldn't be too much of an issue, but it is something akin to using a chainsaw to perform leg surgery.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Rename is to do just that, rename an object.&amp;nbsp; Instead of objectA you want to name it ObjectA, you would use rename to get it done.&amp;nbsp; You wouldn't be renaming an object, unless you simply wanted to take ZoneA and rename it to ZoneA_old.&amp;nbsp; In that case, you would be on track with the rename action.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Otherwise the Add/Remove process is what you are going to be looking for, it'll allow you to carve out and re-add what you are looking for in process.&lt;/P&gt;</description>
      <pubDate>Wed, 31 Jan 2018 02:11:55 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/automation-api-discussions/rename-zone-in-security-policy-through-xml-api/m-p/197753#M1562</guid>
      <dc:creator>tschlottog</dc:creator>
      <dc:date>2018-01-31T02:11:55Z</dc:date>
    </item>
    <item>
      <title>Re: Rename zone in security policy through xml api</title>
      <link>https://live.paloaltonetworks.com/t5/automation-api-discussions/rename-zone-in-security-policy-through-xml-api/m-p/197754#M1563</link>
      <description>&lt;P&gt;Thanks,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;So that's exactly where I am stuck at the moment. Example on how to use action=edit and action=rename on zone object. I tried but I am constantly failing. I think I am not doing a correct xpath to select the object before I rename it.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;And this is exactly why I came to this forum to ask if someone has a working example on how to edit or rename "FROM" and "TO" fields in the security policy on&amp;nbsp;Panorama that would effectively change security zone on my security policy on device group that Panorama is currently managing.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Any help on this is greatly appreciated.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Milos&lt;/P&gt;</description>
      <pubDate>Wed, 31 Jan 2018 02:34:32 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/automation-api-discussions/rename-zone-in-security-policy-through-xml-api/m-p/197754#M1563</guid>
      <dc:creator>KostiM</dc:creator>
      <dc:date>2018-01-31T02:34:32Z</dc:date>
    </item>
    <item>
      <title>Re: Rename zone in security policy through xml api</title>
      <link>https://live.paloaltonetworks.com/t5/automation-api-discussions/rename-zone-in-security-policy-through-xml-api/m-p/199693#M1585</link>
      <description>&lt;P&gt;I actually figured one way to solve my problem and I'm happy to share python code that I am using in particular. Some of you might find it useful&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I am relying on pan.xapi (pan-python) library but you can use normal requests for this as well and do everything manually&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Let's say this is your problem: You have a security policy internet-access-1 that's built with source zone trust+dmz and destination zone untrust. You want to rename source zone trust to be internal (so the policy is from zone: internal, dmz -&amp;gt; to zone: untrust).&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Here's the solution that I came up with:&lt;/P&gt;&lt;PRE&gt;# Using the following python libraries
import pan.xapi
import xmltodict

# panorama, user and key (Panorama hostname, API username and API key)
# must be defined before this point
# Create pan.xapi object
xapi = pan.xapi.PanXapi(hostname=panorama, api_username=user, api_key=key)

# Set the correct xpath to grab the FROM as we are changing source zone.
# We would use "to" if we wanted to change destination zone
# As I am using panorama, I am changing the security rulebase on the device-group that my panorama is managing
xpath = "/config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='firewalls1']/pre-rulebase/security/rules/entry[@name='internet-access-1']/from"

# element_xml needs to be &amp;lt;from&amp;gt;&amp;lt;member&amp;gt;internal&amp;lt;/member&amp;gt;&amp;lt;member&amp;gt;dmz&amp;lt;/member&amp;gt;&amp;lt;/from&amp;gt;
# I am using xmltodict.unparse to help with this because it is flexible and
# very useful if you have multiple objects that you want to auto generate XML for.
# xmltodict is a fantastic library
element_xml = xmltodict.unparse({"from": {"member": ["internal", "dmz"] }} )

# Do the edit
# action=edit replaces the whole &amp;lt;from&amp;gt; node, so element_xml must list
# every zone that should remain on the rule (here dmz is kept)
xapi.edit(xpath=xpath, element=element_xml)

# Check the result (to show success or fail)
print(xapi.xml_document)&lt;/PRE&gt;&lt;P&gt;I hope you will find this useful&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Cheers,&lt;/P&gt;&lt;P&gt;Milos&lt;/P&gt;</description>
      <pubDate>Fri, 09 Feb 2018 03:26:24 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/automation-api-discussions/rename-zone-in-security-policy-through-xml-api/m-p/199693#M1585</guid>
      <dc:creator>KostiM</dc:creator>
      <dc:date>2018-02-09T03:26:24Z</dc:date>
    </item>
  </channel>
</rss>

