01-13-2021 06:41 AM - edited 01-13-2021 06:44 AM
Hello,
I'm using the following code to check and create rules on my test-palo device:
This is more or less just the example from the GitHub page and it's working fine.
I check the current Rules on the firewall before I start adding rules.
```python
import panos.firewall
import panos.policies

# HOSTNAME, USERNAME and PASSWORD are defined elsewhere
fw = panos.firewall.Firewall(HOSTNAME, USERNAME, PASSWORD)
rulebase = panos.policies.Rulebase()
fw.add(rulebase)
current_security_rules = panos.policies.SecurityRule.refreshall(rulebase)
print("Current security rule(s) ({0} found):".format(len(current_security_rules)))
```
So now I need the same with panorama and a particular device group:
I have started with connecting to Panorama, creating a device group and adding an object into it.
```python
import panos.objects
import panos.panorama

pano = panos.panorama.Panorama(HOSTNAME, USERNAME, PASSWORD)
pano.add(panos.panorama.DeviceGroup("DG-VWire")).create()
pano.add(panos.objects.AddressObject("Server3", "1.2.3.4")).create()
```
I will later find out that the object is not just present on the device-group but on any groups.
And here is the part I don't understand:
I'm using only post rules on panorama and there are 6 rules in my rulebase
```python
rulebase = panos.policies.PostRulebase()
pano.add(rulebase)
current_security_rules = panos.policies.SecurityRule.refreshall(rulebase)
print("Current security rule(s) ({0} found):".format(len(current_security_rules)))
```
But there are no rules found. Can someone please explain what I am doing wrong?
I can only guess that I'm not in the expected device-group and there are no rules?
Regards
Michael
01-13-2021 09:12 AM
pan-os-python uses an object hierarchy. You have part of this correct, but part of it is wrong, and that's why you're not getting the results you expect. You want your object hierarchy to look like Panorama > DeviceGroup > AddressObject, but your first chunk is actually setting up the hierarchy as a Panorama object with two children, a DeviceGroup and an AddressObject. Invoking the create() function on the AddressObject with your hierarchy like this should put the address object in the shared scope instead of the device group. So your code should look something like this instead:
```python
from panos.panorama import Panorama, DeviceGroup
from panos.objects import AddressObject

pano = Panorama(HOSTNAME, USERNAME, PASSWORD)
dg = DeviceGroup("DG-VWire")
pano.add(dg)
dg.create()
obj = AddressObject("Server3", "1.2.3.4")
dg.add(obj)
obj.create()
```
For your security rules one, I'm guessing you're wanting to get the rules that are in a specific device group..? I don't see a device group reflected in your code. So you'd want something like this:
```python
from panos.panorama import Panorama, DeviceGroup
from panos.policies import SecurityRule, PostRulebase

pano = Panorama(HOSTNAME, USERNAME, PASSWORD)
dg = DeviceGroup("my group")
pano.add(dg)
rulebase = PostRulebase()
dg.add(rulebase)
rules = SecurityRule.refreshall(rulebase)
print("Current security rules ({0} found):".format(len(rules)))
```
Hope that helps!
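Added example, not part of the reply above and not pan-os-python's own code: a simplified stand-in for the library's parent/child tree, showing how the parent chain decides whether an object or rulebase resolves to shared scope or to a device group. The class names mirror the library's, `scope_of` and `require_device_group` are hypothetical helpers, and the XPaths follow the standard Panorama configuration layout.

```python
# Simplified stand-in for pan-os-python's object tree (not the library's code).
# It models only how the parent chain selects the configuration XPath.
DEVICE = "/config/devices/entry[@name='localhost.localdomain']"

class Node:
    suffix = ""                          # path segment this node type contributes
    def __init__(self, name=None):
        self.name, self.parent = name, None
    def add(self, child):
        child.parent = self
        return child                     # add() hands back the child, as in the thread's code
    def entry(self):
        return "/entry[@name='%s']" % self.name if self.name else ""
    def xpath(self):
        return self.parent.xpath() + self.suffix + self.entry()

class Panorama(Node):
    def xpath(self):
        return "/config/shared"          # direct children land in shared scope

class DeviceGroup(Node):
    def xpath(self):
        return DEVICE + "/device-group" + self.entry()

class AddressObject(Node):
    suffix = "/address"

class PostRulebase(Node):
    suffix = "/post-rulebase"

def scope_of(node):
    """Walk up the parents; return the device group name, or 'shared'."""
    while node is not None:
        if isinstance(node, DeviceGroup):
            return node.name
        node = node.parent
    return "shared"

def require_device_group(node, expected):
    """Guard for use before create()/refreshall(): reject an unintended scope."""
    actual = scope_of(node)
    if actual != expected:
        raise ValueError("scope is %r, expected %r" % (actual, expected))
    return node.xpath()

if __name__ == "__main__":
    pano = Panorama()
    dg = pano.add(DeviceGroup("DG-VWire"))
    print(pano.add(AddressObject("Server3")).xpath())   # question's layout
    print(dg.add(AddressObject("Server3")).xpath())     # reply's layout
```

A rule audit that runs against the shared rulebase by mistake reports zero rules without raising an error, so checking the scope before reading or writing catches the problem that an empty result hides.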
01-14-2021 06:48 AM
Yeah,
that helped me a lot. I'm now able to read and create rules in the Postrulebase in that DeviceGroup.
Thank you very much.
Regards
Michael