topic Re: panos remove address object script messes up the device group setup. in Automation/API Discussions

panos remove address object script messes up the device group setup.

Asurion_NetOps — Thu, 01 Jun 2023 08:59:59 GMT

Hi All,

So far I'm getting the hang of python panos, which allows me to connect via panorama to make changes and push to firewalls. I've been able to create address objects and modify contents of address groups and security rules with no issues.

Recently I'm trying to create a script that would delete an address object using python panos. What happens when I run the script is panorama removes my firewalls in the device group, which is weird. I need to manually add the devices and template stack again to the device group in order to restore it.

Initially I tried to use dg.delete() but it did not work for me. I replaced it with dg.remove() but the same thing happens. Maybe I'm messing up the configuration tree but I do not know which part of my code does that.

Panorama version: 10.2.3
pan-os-python version: 1.8.1

Below are some snippets from my code:

from panos.panorama import Panorama, DeviceGroup from panos.objects import AddressObject pano = Panorama(panorama, username, password) target_dg = "test_dg_1" dg = DeviceGroup(target_dg) pano.add(dg) #Find the address object within the device group obj = dg.find("Sample_Address_Object", class_type=AddressObject) # Remove the address object dg.remove(obj) dg.apply() pano.commit(cmd = commitMesg, sync=True) pano.commit_all(sync_all=True, devicegroup=target_dg)

Any help would be appreciated. Thank you!

Re: panos remove address object script messes up the device group setup.

Asurion_NetOps — Thu, 01 Jun 2023 09:24:32 GMT

It took me some time to apply some trial and error and reading through the docs. What I've been doing in the line with dg.apply() seems to be the cause on why the device group members are gone on panorama after running the code. Do not try dg.apply() in production as it seems to be destructive based on the documentation.

Here is an updated snippet to achieve the deletion of a single address object via panorama:

from panos.panorama import Panorama, DeviceGroup from panos.objects import AddressObject username = "Your_Panorama_Username" password = "Your_Panorama_Pw" pano = Panorama(panorama, username, password) target_dg = "test_dg_1" addrObjName = "Sample_Address_Object" dg = DeviceGroup(target_dg) pano.add(dg) # Get the address objects list. addressObjects = AddressObject.refreshall(dg) # Loop over the address objects to find out if the object exists or not. # No action if the object does not exist in the current address object list. for o in addressObjects: if addrObjName == o.name: print(f'Found {addrObjName}. Removing...') o.delete() # Perform commit and push pano.commit(cmd = commitMesg, sync=True) pano.commit_all(sync_all=True, devicegroup=target_dg) # Exit script after deletion of address object & commit + push. exit() print(f'Unable to match address object {addrObjName}. No changes were made.')

Useful methods documentation:
https://pan-os-python.readthedocs.io/en/latest/useful-methods.html