topic Pan-os-python with Panorama in Automation/API Discussions

Pan-os-python with Panorama

mseiler — Wed, 13 Jan 2021 14:44:45 GMT

Hello,

I'm using the following code to check and create rules on my test-palo device:

This is more or less just the example from the github page and it's working fine.

I check the current Rules on the firewall before I start adding rules.

fw = panos.firewall.Firewall(HOSTNAME, USERNAME, PASSWORD)
rulebase = panos.policies.Rulebase()
fw.add(rulebase)
current_security_rules = panos.policies.SecurityRule.refreshall(rulebase)
print("Current security rule(s) ({0} found):".format(len(current_security_rules)))

So now I need the same with panorama and a particular device group:

It have started with conneting to panorama, create a device group and add an object into it.

pano = panos.panorama.Panorama(HOSTNAME, USERNAME, PASSWORD )
pano.add(panos.panorama.DeviceGroup("DG-VWire")).create()
pano.add(panos.objects.AddressObject("Server3", "1.2.3.4")).create()

I will later find out that the object is not just present on the device-group but on any groups.

And here is the part I don't understand:

I'm using only post rules on panorama and there are 6 rules in my rulebase

rulebase = panos.policies.PostRulebase()
pano.add(rulebase)
current_security_rules = panos.policies.SecurityRule.refreshall(rulebase)
print("Current security rule(s) ({0} found):".format(len(current_security_rules)))

But there a no rules found. Can someone please explain what I am doing wrong?

I can only guess that I'm not in the expected device-group and there are no rules?

Regards

Michael

Re: Pan-os-python with Panorama

gfreeman — Wed, 13 Jan 2021 17:12:35 GMT

pan-os-python uses an object hierarchy. You have part of this correct, but part of it is wrong, and that's why you're not getting the results you expect. You want your object hierarchy to look like Panorama > DeviceGroup > AddressObject, but your first chunk is actually setting up the hierarchy as a Panorama object with two children, a DeviceGroup and an AddressObject. Invoking the create() function on the AddressObject with your hierarchy like this should put the address object in the shared scope instead of the device group. So your code should look something like this instead:

from panos.panorama import Panorama, DeviceGroup from panos.objects import AddressObject pano = Panorama(HOSTNAME, USERNAME, PASSWORD) dg = DeviceGroup("DG-VWire") pano.add(dg) dg.create() obj = AddressObject("Server3", "1.2.3.4") dg.add(obj) obj.create()

For your security rules one, I'm guessing you're wanting to get the rules that are in a specific device group..? I don't see a device group reflected in your code. So you'd want something like this:

from panos.panorama import Panorama, DeviceGroup from panos.policies import SecurityRule, PostRulebase pano = Panorama(HOSTNAME, USERNAME, PASSWORD) dg = DeviceGroup("my group") pano.add(dg) rulebase = PostRulebase() dg.add(rulebase) rules = SecurityRule.refreshall(rulebase) print("Current security rules ({0} found):".format(len(rules)))

Hope that helps!

Re: Pan-os-python with Panorama

mseiler — Thu, 14 Jan 2021 14:48:09 GMT

Yeah,

that helped me a lot. I'm now able to read and create rules in the Postrulebase in that DeviceGroup.

Thank you very much.

Regards

Michael