05-31-2023 09:23 PM - edited 06-01-2023 01:59 AM
Hi All,
So far I'm getting the hang of python panos, which allows me to connect via panorama to make changes and push to firewalls. I've been able to create address objects and modify contents of address groups and security rules with no issues.
Recently I'm trying to create a script that would delete an address object using python panos. What happens when I run the script is panorama removes my firewalls in the device group, which is weird. I need to manually add the devices and template stack again to the device group in order to restore it.
Initially I tried to use dg.delete() but it did not work for me. I replaced it with dg.remove() but the same thing happens. Maybe I'm messing up the configuration tree but I do not know which part of my code does that.
Panorama version: 10.2.3
pan-os-python version: 1.8.1
Below are some snippets from my code:
from panos.panorama import Panorama, DeviceGroup
from panos.objects import AddressObject

# panorama, username, password and commitMesg are defined elsewhere in the script
pano = Panorama(panorama, username, password)
target_dg = "test_dg_1"
dg = DeviceGroup(target_dg)
pano.add(dg)
# Find the address object within the device group
obj = dg.find("Sample_Address_Object", class_type=AddressObject)
# Remove the address object
dg.remove(obj)
dg.apply()
pano.commit(cmd=commitMesg, sync=True)
pano.commit_all(sync_all=True, devicegroup=target_dg)
Any help would be appreciated. Thank you!
06-01-2023 01:56 AM - edited 06-01-2023 02:24 AM
It took me some time, with some trial and error and reading through the docs. What I've been doing in the line with dg.apply() seems to be the reason why the device group members are gone on Panorama after running the code. Do not try dg.apply() in production, as it seems to be destructive based on the documentation.
Here is an updated snippet to achieve the deletion of a single address object via panorama:
from panos.panorama import Panorama, DeviceGroup
from panos.objects import AddressObject

# panorama (hostname or IP) and commitMesg must be defined before this point
username = "Your_Panorama_Username"
password = "Your_Panorama_Pw"
pano = Panorama(panorama, username, password)
target_dg = "test_dg_1"
addrObjName = "Sample_Address_Object"
dg = DeviceGroup(target_dg)
pano.add(dg)
# Get the address objects list.
addressObjects = AddressObject.refreshall(dg)
# Loop over the address objects to find out if the object exists or not.
# No action if the object does not exist in the current address object list.
for o in addressObjects:
    if addrObjName == o.name:
        print(f'Found {addrObjName}. Removing...')
        o.delete()
        # Perform commit and push
        pano.commit(cmd=commitMesg, sync=True)
        pano.commit_all(sync_all=True, devicegroup=target_dg)
        # Exit script after deletion of address object & commit + push.
        exit()
print(f'Unable to match address object {addrObjName}. No changes were made.')
Useful methods documentation:
https://pan-os-python.readthedocs.io/en/latest/useful-methods.html
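Why `dg.apply()` emptied the device group while `o.delete()` did not, as an added example that is not part of the original posts or of pan-os-python itself: `apply()` sends the object with the XML API `edit` action, which replaces the node at the object's xpath, and the `DeviceGroup` in the first script was built locally with no children. The XML tree, serial numbers and the helper names `api_edit`, `api_delete` and `summary` are constructed for illustration; nothing connects to Panorama.

```python
# Local model of PAN-OS XML API "edit" vs "delete" semantics (added example).
# CANDIDATE is constructed sample data, not a real Panorama configuration.
import copy
import xml.etree.ElementTree as ET

CANDIDATE = """
<device-group>
  <entry name="test_dg_1">
    <devices>
      <entry name="000000000001"/>
      <entry name="000000000002"/>
    </devices>
    <address>
      <entry name="Sample_Address_Object"><ip-netmask>192.0.2.10/32</ip-netmask></entry>
      <entry name="Keep_Me"><ip-netmask>192.0.2.20/32</ip-netmask></entry>
    </address>
  </entry>
</device-group>
"""

def load():
    return ET.fromstring(CANDIDATE)

def api_edit(root, dg_name, element):
    """Model of action=edit: the node at the xpath is replaced wholesale."""
    for i, entry in enumerate(list(root)):
        if entry.get("name") == dg_name:
            root.remove(entry)
            root.insert(i, copy.deepcopy(element))
    return root

def api_delete(root, dg_name, addr_name):
    """Model of action=delete: only the addressed node is removed."""
    addresses = root.find(f"./entry[@name='{dg_name}']/address")
    target = addresses.find(f"./entry[@name='{addr_name}']")
    if target is not None:
        addresses.remove(target)
    return root

def summary(root, dg_name):
    """Return (device serials, address object names) for one device group."""
    dg = root.find(f"./entry[@name='{dg_name}']")
    devices = [e.get("name") for e in dg.findall("./devices/entry")]
    addresses = [e.get("name") for e in dg.findall("./address/entry")]
    return devices, addresses

# What the first script pushes: a DeviceGroup built locally, never refreshed.
local_dg = ET.Element("entry", {"name": "test_dg_1"})
after_apply = summary(api_edit(load(), "test_dg_1", local_dg), "test_dg_1")
after_delete = summary(api_delete(load(), "test_dg_1", "Sample_Address_Object"), "test_dg_1")
print("dg.apply():", after_apply)
print("o.delete():", after_delete)
```

Comparing `summary()` of the candidate configuration before and after a change, and refusing to commit when the device list shrinks, is a cheap guard for scripts like this.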