Panorama skillets

Reply
Highlighted
L2 Linker

Panorama skillets

Most of the existing skillets seem to apply to a firewall and only very few are for use stati input of a single Device Group or Template. In my experience most of the customers have Panorama and most of the Panorama tasks require interaction with multiple Device Groups/Templates.

 

Can you please share your ideas for how to deal with multiple templates?

 As an example I use the code below, which requires manually input, but at can apply the config (in this case syslog server profile) to multiple templates.

Is this the best way to achieve that and can you suggest a way to select templates more dynamically, based on name matching a regex pattern?

 

variables:
  - name: profile_name
    description: Syslog Profile Name
    type_hint: text
  - name: templates_name
    description: Tempalate to config
    type_hint: list

snippets:
  - name: syslog_profile
    xpath: /config/devices/entry[@name='localhost.localdomain']/template
    element: |-
        {% for tempate in templates_name %}
        <entry name="{{tempate}}">
          <config>
            <shared>
              <log-settings>
                <syslog>
                  <entry name="{{profile_name}}">
                        ### Element config ###
                  </entry>
                </syslog>
            </log-settings>
          </shared>
        </config>
        </entry>
        {%  endfor %}

 

 


Accepted Solutions
Highlighted
L2 Linker

Re: Panorama skillets

This is an interesting use case. Here is an example of how to capture the current template names in a list, then filter them based on a regex supplied from the user.

 

name: template_stack_selector
label: Example to apply config to multiple templates
description: Uses a couple of features to apply config to multiple templates
type: panorama
labels:
  collection: Example Skillets
variables:
- name: template_regex
  type_hint: text
  description: Filter Templates by Regex
  default: '.*Template'
snippets:
- name: get_templates
  cmd: get
  xpath: /config/devices/entry[@name='localhost.localdomain']/template
  output_type: xml
  outputs:
  - name: template_names
    capture_list: ./entry/@name
  - name: filtered_names
    capture_list: ./entry/@name
    filter_items: item | regex_search("{{ template_regex }}")

 

Here is an example debug output from the above skillet:

 

{
  "output": {
    "snippets": {
      "get_templates": {
        "results": "success",
        "changed": false
      }
    },
    "outputs": {
      "template_names": [
        "Service_Conn_Template",
        "Remote_Network_Template",
        "Mobile_User_Template",
        "VM-300-TEMP",
        "staging-template"
      ],
      "filtered_names": [
        "Service_Conn_Template",
        "Remote_Network_Template",
        "Mobile_User_Template"
      ]
    },
    "result": "success",
    "changed": false
  },
  "context": {
    "ip_address": "x",
    "username": "x",
    "password": "x",
    "template_regex": ".*Template",
    "get_templates": {
      "results": "success",
      "changed": false
    },
    "template_names": [
      "Service_Conn_Template",
      "Remote_Network_Template",
      "Mobile_User_Template",
      "VM-300-TEMP",
      "staging-template"
    ],
    "filtered_names": [
      "Service_Conn_Template",
      "Remote_Network_Template",
      "Mobile_User_Template"
    ]
  }
}

 

This uses capture_list along with filter_items and a regex_search jinja2 filter to get only the items you want. I noticed that we were not rendering jinja2 expressions in filter_items, so that was fixed this morning, which means you'll need to pull the latest panhandler as of today for this skillet to work for you.

 

HTH,

Nate

View solution in original post


All Replies
Highlighted
L2 Linker

Re: Panorama skillets

This is an interesting use case. Here is an example of how to capture the current template names in a list, then filter them based on a regex supplied from the user.

 

name: template_stack_selector
label: Example to apply config to multiple templates
description: Uses a couple of features to apply config to multiple templates
type: panorama
labels:
  collection: Example Skillets
variables:
- name: template_regex
  type_hint: text
  description: Filter Templates by Regex
  default: '.*Template'
snippets:
- name: get_templates
  cmd: get
  xpath: /config/devices/entry[@name='localhost.localdomain']/template
  output_type: xml
  outputs:
  - name: template_names
    capture_list: ./entry/@name
  - name: filtered_names
    capture_list: ./entry/@name
    filter_items: item | regex_search("{{ template_regex }}")

 

Here is an example debug output from the above skillet:

 

{
  "output": {
    "snippets": {
      "get_templates": {
        "results": "success",
        "changed": false
      }
    },
    "outputs": {
      "template_names": [
        "Service_Conn_Template",
        "Remote_Network_Template",
        "Mobile_User_Template",
        "VM-300-TEMP",
        "staging-template"
      ],
      "filtered_names": [
        "Service_Conn_Template",
        "Remote_Network_Template",
        "Mobile_User_Template"
      ]
    },
    "result": "success",
    "changed": false
  },
  "context": {
    "ip_address": "x",
    "username": "x",
    "password": "x",
    "template_regex": ".*Template",
    "get_templates": {
      "results": "success",
      "changed": false
    },
    "template_names": [
      "Service_Conn_Template",
      "Remote_Network_Template",
      "Mobile_User_Template",
      "VM-300-TEMP",
      "staging-template"
    ],
    "filtered_names": [
      "Service_Conn_Template",
      "Remote_Network_Template",
      "Mobile_User_Template"
    ]
  }
}

 

This uses capture_list along with filter_items and a regex_search jinja2 filter to get only the items you want. I noticed that we were not rendering jinja2 expressions in filter_items, so that was fixed this morning, which means you'll need to pull the latest panhandler as of today for this skillet to work for you.

 

HTH,

Nate

View solution in original post

Highlighted
L4 Transporter

Re: Panorama skillets

You can also apply the output in the example given as a list input to a 2nd skillet using 'source' and the list variable name

https://skilletbuilder.readthedocs.io/en/latest/reference_examples/variables.html#source

 

- name: template_selection
  description: list of templates available for configuration update
  default:
  type_hint: checkbox
  source: template_names

 

create the source list and then use the same snippet example with a jinja for loop to iterate over the selected template or device-group names. Key is to set the xpath as you did so that the template name shows up in the xml config element.

 

 

{% for tempate in templates_name %}

 

 

 

This will require 2 skillets: first to create the selection list and second to allow user template section to drive the xml iteration.

 

You can validate that the variable has values using the Context menu in panHandler:

https://skilletbuilder.readthedocs.io/en/latest/getting_started/panhandler.html#checking-variable-va...

 

 

HomeSkillet uses a similar model for interface and zone selection with dropdown menus instead of checkbox where a REST skillet is used to get the source interface list. The REST API call is similar to the ? complete action showing available options.

 

REST skillet to capture a list of interface names:

https://github.com/PaloAltoNetworks/HomeSkillet/blob/master/rest_get_interface_name/.meta-cnc.yaml

 

Associated configuration skillet where the variable uses source:

https://github.com/PaloAltoNetworks/HomeSkillet/blob/1741dbd2fd5f77d390b247cc95fd01c55684b0c5/panos_...

 

NOTE: REST is a general purpose skillet type that can interaction with any supported API, NGFW or Panorama in this case. Because of this generic nature, it won't ask about Commit options and config backup as the Panorama type will. Either option is valid, just noting the difference in how handled in panHandler.

 

 

 

 

 

 

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!