Rename zone in security policy through xml api

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Rename zone in security policy through xml api

L2 Linker

Hi all,

 

I'm trying to programatically rename security zone via xml api. 

 

Here's a scenario:

1. Device currently has 5 zones: trust, untrust, dmz, lvl1, lvl2

2. There are 500+ policies where <<trust>> appears as source zone member or destination zone member (there can be multiple src or dst zone members as well, e.g: from: trust, lvl2, to: dmz, lvl1, trust, and so on)

3. We want to rename zone trust into trust_old. We will keep zone trust for now, but what we need to do is to ensure each security rule that had zone "trust" now has renamed zone "trust_old". So the idea is to introduce a new zone, rename all security policies that use that zone and then remove zone at the end.

 

I'm trying to figure out how to achieve this with xml api.

 

This would be an example of my rule as it sits on panorama. We need to do everything directly on panorama because we manage all config on panorama directly:

 

xpath="/config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='Firewall Lab']/pre-rulebase/security/rules/entry[@name='test-block-milos1']"

 

(python requests module, querytype_show = '?type=config&action=show&'

>>> result = s.get(panorama + querytype_show + urlencode({"xpath": xpath}) + key, verify=False)

 

u'<response status="success"><result><entry name="test-block-milos1">\n <target>\n <negate>no</negate>\n </target>\n <to>\n <member>untrust</member>\n </to>\n <from>\n <member>trust</member>\n </from>\n <source>\n <member>milos-test1</member>\n </source>\n <destination>\n <member>milos-test2</member>\n </destination>\n <source-user>\n <member>any</member>\n </source-user>\n <category>\n <member>any</member>\n </category>\n <application>\n <member>icmp</member>\n <member>oracle</member>\n </application>\n <service>\n <member>application-default</member>\n </service>\n <hip-profiles>\n <member>any</member>\n </hip-profiles>\n <action>deny</action>\n <log-setting>LOG</log-setting>\n <description>rule 42479</description>\n</entry>\n</result></response>'

 

How would I select this rule and rename "from trust" to "from trust_old" ?

 

Thanks for any tips provided

 

Milos

5 REPLIES 5

L1 Bithead

Milos, you are going to need to alter your action from 'action=show' to 'action=set' to get it to add in the new zone and then an 'action=delete' in order to remove the old zone.  You should be able to do this programatically through some offbox scripting as well.  I've automated changes like this before and broke them down in 3 discrete stages.

 

1.  Discovery - Pull down the configuration from Panorama then roll through the XML using something like Element Tree in order to find all the rules that match the source zone or whatever XML tag I am looking for and create a list to be used.

2.  Addition - With the created list, sequentially roll through the rules creating targeted additions to the rules with the 'action=set' as part of the URI.  Monitor for any errors at this stage, if you catch anything other than HTTP 200 responses, stop the entire process and take a look at what is going on.

3.  Clean Up - With the same list we used in Addition, go through and with an 'action=delete' removing your old source zone or tag.

 

At this point you have a candidate configuration and will need to commit it in order to complete your change.  This is a good time to run a config diff between your candidate and running configuration to make sure that you are visually seeing the changes that you want to see.  If you are good with it, go ahead with the commit.  Once you are comfortable with the actions in your script, you can automate the commit process as well, but it is something I typically leave for the end game of the development process given the potential for issues while creating this process.

Hi,


Thanks for your reply. I was using action show to just show example of a single rule.

 

Do I have to do set + delete or is there any way to use action=rename or action=edit? I was kind of hoping that I can just do a simple rename or edit, not to have to set and delete.

 

I use Python quite a lot and automated bunch of things so far to pull panorama config to discover rules for various purposes so this is not going to be a problem.

 

I am just trying to figure out if Addition + Cleanup is absolutely necessary as per your suggestion or if we can do immediate edit or rename

 

Cheers,

Milos

Ahhh, that works.  No worries.

 

Edit will replace everything at that element/tag with whatever you input.  So if you have multiple zones in the Source Zone and do an edit, it will nuke everything and drop your new zone in leaving you with an odd configuration.  If you've only got single zones in your rule, this shouldn't be too much of an issue, but it is something akin to using a chainsaw to perform leg surgery.

 

Rename is to do just that, rename an object.  Instead of objectA you want to name it ObjectA, you would use rename to get it done.  You wouldn't be renaming an object, unless you simply wanted to take ZoneA and rename it to ZoneA_old.  In that case, you would be on track with the rename action.

 

Otherwise the Add/Remove process is what you are going to be looking for, it'll allow you to carve out and readd what you are looking for in process.

Thanks,

 

So that's exactly where I am stuck at the moment. Example on how to use action=edit and action=rename on zone object. I tried but I am constantly failing. I think i am not doing a correct xpath to select the object before I rename it.

 

And this is exactly why I came to this forum to ask if someone has a working example on how to edit or rename "FROM" and "TO" fields in the security policy on Panorama that would effectively change security zone on my security policy on device group that Panorama is currently managing.

 

Any help on this is greatly appreciated.

 

Milos

I actually figured one way to solve my problem and I'm happy to share python code that I am using in particular. Some of you might find it useful

 

I am relying on pan.xapi (pan-python) library but you can use normal requests for this as well and do everything manually

 

Let's say this is your problem: You have a security policy internet-access-1 that's build with source zone trust+dmz and destination zone untrust. You want to rename source zone trust to be internal (so the policy is from zone: internal, dmz -> to zone: untrust).

 

Here's the solution that I came up with:

# Using the following python libraries
import pan.xapi
import xmltodict

# Create pan.xapi object
xapi = pan.xapi.PanXapi(hostname=panorama, api_username=user, api_key=key)

# Set the correct xpath to grab the FROM as we are changing source zone. 
# We would use "to" if we wanted to change destination zone
# As I am using panorama, I am changing the security rulebase on the device-group that my panorama is managing xpath = "/config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='firewalls1']/pre-rulebase/security/rules/entry[@name='internet-access-1']/from" # element_xml needs to be <from><member>internal</member><member>dmz</member></from> # I am using xmltodict.unparse to help with this because it is flexible and very useful if you have multiple objects that you want to auto generate XML for. xmltodict is a fantastic library element_xml = xmltodict.unparse({"from": {"member": ["internal", "dmz"] }} ) # Do the edit xapi.edit(xpath=xpath, element=element_xml)

# Check the result (to show success or fail)
print(xapi.xml_document)

I hope you will find  this useful

 

Cheers,

Milos

  • 3539 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!