
[API]PYTHON PANDEVICE - SET SECURITY PROFILE


L1 Bithead

Hi all,

 

I'm using PaloAlto's API for the first time.

My idea is the following:

 

 - for each rule, I would like to apply a security profile based on the service set.

 

Reading some docs online, I wrote this pseudocode.

 

 

HOSTNAME = '192.168.55.10'
API_KEY = 'My_Api_Key'

fw = pandevice.firewall.Firewall(hostname=HOSTNAME, api_key=API_KEY)
rulebase = pandevice.policies.Rulebase()
fw.add(rulebase)
rules = pandevice.policies.SecurityRule.refreshall(rulebase)

for rule in rules:

       if (rule.service is equal to any):

                 //set security_profile (like av,URL Filtering Profiles,Vulnerability Protection Profiles,etc...)

       rule.apply()

fw.commit(sync=True)

 

 

Do you have any ideas? Could you help me?

Thanks in advance!

 

 

CHANGÒ

Cyber Elite

@Chango,

My advice would be to really learn the API before you even attempt to do something that actually makes changes to your policy. Spend some time messing around and reading the docs before you attempt to modify your rulebase, and when you start modifying the rulebase, focus on modifying a set rule instead of attempting such a broad modification as your first script.

@BPry 

Hi BPry, thanks for the answer.
Yes sure, I know. I will try it in a test environment.
If possible, I'd like to have some advice about the code.

CHANGÒ

@Chango

I don't give any support for code unless I've directly supplied it to address a user's issues; this is a long-standing policy I've had in this forum to avoid any potential issues due to untested code.

The only thing I'll mention is that your script as written will 100% not work as expected, as I'm sure you are already fully aware. For starters, where you have "if (service is equal to any):" you'll simply get an error since you've never defined 'service'. To get the service of the rule you would need to do something like the following:

for rule in rules:
    if (rule.service is equal to any):

That any statement also won't work due to how the value actually returns.

@BPry 

Yes, I know that my script as written will not work.

I wrote pseudocode. I don't know what the method is that allows me to set the security profile. I didn't find it in the documentation.

Could you tell me what the method is?

Thanks in advance.

 

CHANGÒ

Hi Changò,

 

use this:

 

for rule in rules:
    rule.virus = "my-antivirus-profile"

 

 

EC

L1 Bithead

Hi Changò,

 

use this:

 

for rule in rules:
    rule.virus = "my-antivirus-profile"

Regards 

CE

What are the values that we need to set for the spyware, virus, vulnerability arguments in SecurityRule?

I found that the values are going to be default, strict, allow, drop, etc. by referring to the link below:

https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/policy/security-profiles

 

But in some examples they also write it like this:

rule.virus = "my-antivirus-profile"

Which one is right? Do we have to specify a profile of our own and give it as the value, or do default, strict, ... act as the values? Please help me with this.
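
An added example, not code from any poster in this thread or from the pandevice project: the loop from the replies above, extended to set the virus, spyware and vulnerability attributes on rules whose service is any, with a dry run that lists the planned changes before anything is applied or committed. The profile names are placeholders that must match profile objects already present on the firewall, the environment variable names are hypothetical, and it is an assumption that a refreshed rule may return its service as a list rather than a string.

```python
import os

# SecurityRule attribute -> profile name. The names are placeholders and must
# match profile objects that already exist on the firewall.
PROFILES = {
    "virus": "my-antivirus-profile",
    "spyware": "my-spyware-profile",
    "vulnerability": "my-vulnerability-profile",
}


def service_is_any(service):
    """True for 'any' given as a string or as a one-element list (assumed forms)."""
    if isinstance(service, str):
        service = [service]
    return list(service or []) == ["any"]


def plan_changes(rules, profiles=PROFILES):
    """Return [(rule, {attr: profile})] for any-service rules missing a profile."""
    plan = []
    for rule in rules:
        if not service_is_any(rule.service):
            continue
        missing = {a: p for a, p in profiles.items() if not getattr(rule, a, None)}
        if missing:
            plan.append((rule, missing))
    return plan


def main(dry_run=True):
    # Imported here so the helpers above can be tested without the SDK installed.
    from pandevice import firewall, policies
    # PAN_HOST, PAN_API_KEY and PAN_APPLY are hypothetical environment variable names.
    fw = firewall.Firewall(hostname=os.environ["PAN_HOST"], api_key=os.environ["PAN_API_KEY"])
    rulebase = fw.add(policies.Rulebase())
    rules = policies.SecurityRule.refreshall(rulebase)
    for rule, missing in plan_changes(rules):
        print(rule.name, "->", missing)
        if not dry_run:
            for attr, profile in missing.items():
                setattr(rule, attr, profile)
            rule.apply()
    if not dry_run:
        fw.commit(sync=True)


if __name__ == "__main__":
    main(dry_run=os.environ.get("PAN_APPLY") != "1")
```

Rules that already carry a profile for an attribute are left alone, so an existing assignment is never overwritten by the placeholder name.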
