Using Python to perform a Commit/Commit-all on Panorama

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Using Python to perform a Commit/Commit-all on Panorama

L1 Bithead

I am trying to use a Python AWS Lamdba function to commit/commit-all changes after the lambda function has made the appropriate updates to the Panorama.  My problem is that the commit-all API call happens too soon after the commit API call and the commit-all does not have any committed changes to process.

 

How can I wait for the commit job to complete prior to issuing the commit-all API?

 

Code I am using....

 

import panos
from panos import panorama
from panos.panorama import Panorama
from panos import objects
 
pano = panorama.Panorama.create_from_device(pan_ip_addr, pan_username, pan_password)
 
< Python makes changes to shared objects>
 
#
# Commit changes for my user only
#
pan_admin_list = [pan_username]
pano2 = panorama.PanoramaCommit("Automated Commit", pan_admin_list)
job_id = pano.commit(cmd=pano2)
print('[INFO] Commit JobID is %s' % job_id)
#
# PUSH the changes to the firewalls
#
pano2 = panorama.PanoramaCommitAll("device group","dg_awseuwestinspeat")
job_id = pano.commit(cmd=pano2)
print('[INFO] Commit JobID is %s' % job_id)
pano2 = panorama.PanoramaCommitAll("device group","dg_awsuseastinspeat")
job_id = pano.commit(cmd=pano2)
print('[INFO] Commit JobID is %s' % job_id)
 
 
What happens in the Panorama System log is this...
  • Commit Job Enqueued JobId=206
  • Partial Commit JobId=206
  • Commit Job Started Processing JobId=206
  • CommitAll Job Enqueued JobId=207
  • CommitAll Job Started JobId=207
  • CommitAll Job Successed JobId 207
  • Commit Job Successful JobId 206

How do I tell the Python API to wait on the successful COMMIT prior to executing the CommitAll?

 

Thanks, Bobby

 
 
 
1 accepted solution

Accepted Solutions

Thanks.  My Palo Alto SE was able to point me in the right direction to use the PanDevice Operations framework to accomplish this check as well.  Here is a working snippet of code for future reference.  If you do not put the double-quotes around the job-id number you will get a 400 error, invalid request.

 

if commit_needed:
  pan_admin_list = [pan_username]
  pano2 = panorama.PanoramaCommit("Automated Commit", pan_admin_list)
  job_id = pano.commit(cmd=pano2)
  print('[INFO] Commit JobID is %s' % job_id)

  pano_job_cmd = 'show jobs id "' + job_id + '"'
  job_complete = False
  while not job_complete:
    response = pano.op(cmd=pano_job_cmd, xml=True)
    job_as_xml = ElementTree.XML(response)
    job_as_dict = XmlDictConfig(job_as_xml)
    job = job_as_dict['result']['job']
    if job['id'] == str(job_id):
      print('[DEBUG] Found correct job ID')
      if job['type'] == "Commit":
        print('[DEBUG] It is a COMMIT job... thats good')
        if job['progress'] == '100':
          print('[DEBUG] Job Finished, 100%')
            if job['status'] == 'FIN':
              print('[DEBUG] Job Finished')
                if job['result'] == 'OK':
                  print('[DEBUG] Job Finished, 100 Percent and Results are OK')
                  job_complete = True
                  break
                else:
                  print('[DEBUG] Job Finished, 100 Percent and Results are not OK: %s ' % job['result'])
             else:
               print('[DEBUG] Job progress is 100 Percent but status is not FIN: %s ' % job['status'])
          else:
            print('[DEBUG] Job progress is not 100 Percent yet ... %s ' % job['progress'])
       else:
         print('[DEBUG] Job is not a COMMIT job : %s ' % job['type'])
  if not job_complete:
     time.sleep(5)

#
# At this point the COMMIT job is complete. If it fails to complete, the Lambda will time out as we will never hit this code
#

#
# PUSH the changes to the firewalls by Device Group
#
#
print('[INFO] Pushing changes to Device Groups')
#
# ******* Need to come up with a way to process the different device groups without hardcoding them.
#
for dg in ["dg_1","dg_2"]:
  pano2 = panorama.PanoramaCommitAll("device group", dg)
  job_id = pano.commit(cmd=pano2)
  print('[INFO] Commit JobID is %s' % job_id)

View solution in original post

2 REPLIES 2

Cyber Elite
Cyber Elite

@BobbyWilloughby,

All you have to do is check the status of the job ID that you are getting as part of your Python script. I do all of that directly through the XMLAPI and not through pandevice, so I can't tell you if pandevice supports checking the job status or not. If it doesn't, that's a really easy thing to do directly through the API without any issue. 

Thanks.  My Palo Alto SE was able to point me in the right direction to use the PanDevice Operations framework to accomplish this check as well.  Here is a working snippet of code for future reference.  If you do not put the double-quotes around the job-id number you will get a 400 error, invalid request.

 

if commit_needed:
  pan_admin_list = [pan_username]
  pano2 = panorama.PanoramaCommit("Automated Commit", pan_admin_list)
  job_id = pano.commit(cmd=pano2)
  print('[INFO] Commit JobID is %s' % job_id)

  pano_job_cmd = 'show jobs id "' + job_id + '"'
  job_complete = False
  while not job_complete:
    response = pano.op(cmd=pano_job_cmd, xml=True)
    job_as_xml = ElementTree.XML(response)
    job_as_dict = XmlDictConfig(job_as_xml)
    job = job_as_dict['result']['job']
    if job['id'] == str(job_id):
      print('[DEBUG] Found correct job ID')
      if job['type'] == "Commit":
        print('[DEBUG] It is a COMMIT job... thats good')
        if job['progress'] == '100':
          print('[DEBUG] Job Finished, 100%')
            if job['status'] == 'FIN':
              print('[DEBUG] Job Finished')
                if job['result'] == 'OK':
                  print('[DEBUG] Job Finished, 100 Percent and Results are OK')
                  job_complete = True
                  break
                else:
                  print('[DEBUG] Job Finished, 100 Percent and Results are not OK: %s ' % job['result'])
             else:
               print('[DEBUG] Job progress is 100 Percent but status is not FIN: %s ' % job['status'])
          else:
            print('[DEBUG] Job progress is not 100 Percent yet ... %s ' % job['progress'])
       else:
         print('[DEBUG] Job is not a COMMIT job : %s ' % job['type'])
  if not job_complete:
     time.sleep(5)

#
# At this point the COMMIT job is complete. If it fails to complete, the Lambda will time out as we will never hit this code
#

#
# PUSH the changes to the firewalls by Device Group
#
#
print('[INFO] Pushing changes to Device Groups')
#
# ******* Need to come up with a way to process the different device groups without hardcoding them.
#
for dg in ["dg_1","dg_2"]:
  pano2 = panorama.PanoramaCommitAll("device group", dg)
  job_id = pano.commit(cmd=pano2)
  print('[INFO] Commit JobID is %s' % job_id)
  • 1 accepted solution
  • 4597 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!