Pan-os-python with Panorama


L1 Bithead

Hello,

 

I'm using the following code to check and create rules on my test-palo device:

 

This is more or less just the example from the github page and it's working fine.

I check the current Rules on the firewall before I start adding rules.

 

import panos.firewall
import panos.policies

# Connect to the firewall and read its current security rules
fw = panos.firewall.Firewall(HOSTNAME, USERNAME, PASSWORD)
rulebase = panos.policies.Rulebase()
fw.add(rulebase)
current_security_rules = panos.policies.SecurityRule.refreshall(rulebase)
print("Current security rule(s) ({0} found):".format(len(current_security_rules)))

So now I need the same with Panorama and a particular device group:

 

I have started with connecting to Panorama, creating a device group and adding an object into it.

 

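import panos.panorama
import panos.objects

# Both the device group and the address object are added directly to pano
pano = panos.panorama.Panorama(HOSTNAME, USERNAME, PASSWORD)
pano.add(panos.panorama.DeviceGroup("DG-VWire")).create()
pano.add(panos.objects.AddressObject("Server3", "1.2.3.4")).create()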

I will later find out that the object is not just present on the device-group but on any groups.

 

And here is the part I don't understand:

 

I'm using only post rules on panorama and there are 6 rules in my rulebase

 

import panos.policies

# pano is the Panorama object created above
rulebase = panos.policies.PostRulebase()
pano.add(rulebase)
current_security_rules = panos.policies.SecurityRule.refreshall(rulebase)
print("Current security rule(s) ({0} found):".format(len(current_security_rules)))

 

But there are no rules found. Can someone please explain what I am doing wrong?

I can only guess that I'm not in the expected device-group and there are no rules? 

 

Regards

 

Michael

 

 

 

Accepted Solutions

L5 Sessionator

pan-os-python uses an object hierarchy.  You have part of this correct, but part of it is wrong, and that's why you're not getting the results you expect.  You want your object hierarchy to look like Panorama > DeviceGroup > AddressObject, but your first chunk is actually setting up the hierarchy as a Panorama object with two children, a DeviceGroup and an AddressObject.  Invoking the create() function on the AddressObject with your hierarchy like this should put the address object in the shared scope instead of the device group.  So your code should look something like this instead:

 

from panos.panorama import Panorama, DeviceGroup
from panos.objects import AddressObject

pano = Panorama(HOSTNAME, USERNAME, PASSWORD)

dg = DeviceGroup("DG-VWire")
pano.add(dg)
dg.create()

obj = AddressObject("Server3", "1.2.3.4")
dg.add(obj)
obj.create()

 

For your security rules one, I'm guessing you're wanting to get the rules that are in a specific device group..?  I don't see a device group reflected in your code.  So you'd want something like this:

 

from panos.panorama import Panorama, DeviceGroup
from panos.policies import SecurityRule, PostRulebase

pano = Panorama(HOSTNAME, USERNAME, PASSWORD)

dg = DeviceGroup("my group")
pano.add(dg)

rulebase = PostRulebase()
dg.add(rulebase)

rules = SecurityRule.refreshall(rulebase)
print("Current security rules ({0} found):".format(len(rules)))

 

Hope that helps!
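
The scope rule described in the answer above, as an added example that is not part of the original post and not pan-os-python's own code: a check that walks the `.parent` chain before `create()` to see whether an object targets a device group or the shared scope. `Node`, `effective_scope` and `require_scope` are hypothetical names, and the stand-in classes only mimic the library's `add()` / `.parent` / `.name` behaviour so the block runs offline.

```python
# Added example. Stand-in classes (constructed here) mimic only the
# add() / .parent / .name behaviour of pan-os-python objects.
class Node:
    def __init__(self, name=None):
        self.name, self.parent = name, None

    def add(self, child):
        child.parent = self  # add() links the child under this node
        return child

class Panorama(Node): pass
class DeviceGroup(Node): pass
class AddressObject(Node): pass
class PostRulebase(Node): pass

def effective_scope(obj):
    """Return the device group an object would be written to, or 'shared'."""
    node = obj.parent
    while node is not None:
        kind = type(node).__name__  # assumption: match on class name
        if kind == "DeviceGroup":
            return node.name
        if kind == "Panorama":
            return "shared"
        node = node.parent
    raise ValueError("object is not attached to a Panorama tree")

def require_scope(obj, expected):
    """Hypothetical guard to call before create(): fail on the wrong scope."""
    scope = effective_scope(obj)
    if scope != expected:
        raise RuntimeError(f"{type(obj).__name__} {obj.name!r} targets "
                           f"{scope!r}, expected {expected!r}")
    return scope

def question_tree():
    pano = Panorama("panorama")          # hierarchy built in the question
    pano.add(DeviceGroup("DG-VWire"))
    return pano.add(AddressObject("Server3"))

def answer_tree():
    pano = Panorama("panorama")          # hierarchy built in the answer
    dg = pano.add(DeviceGroup("DG-VWire"))
    return dg.add(AddressObject("Server3"))

if __name__ == "__main__":
    print(effective_scope(question_tree()))  # shared
    print(effective_scope(answer_tree()))    # DG-VWire
```

Because the helper only reads `.parent`, `.name` and the class name, the same `require_scope(obj, "DG-VWire")` call can be placed in front of `obj.create()` on real pan-os-python objects, assuming those attributes behave as in the stand-ins.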

Yeah, 

 

that helped me a lot. I'm now able to read and create rules in the Postrulebase in that DeviceGroup.

 

Thank you very much.

 

Regards

 

Michael 
