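#!/usr/bin/env python3
"""Add an IPv4 address object tagged ``SFTP`` to a Panorama device group and commit it.

Flow: validate operator input -> list the device group's existing address
objects (REST API) -> refuse duplicates -> create the object with pandevice
-> commit to Panorama -> commit-all (push) to the device group -> poll each
commit job until it finishes instead of sleeping a fixed time.

Configuration is read from the environment so that no credential or host
lives in this file (the previous revision hard-coded the API key inside
three request URLs):

    PANORAMA_HOST          Panorama hostname or IP (required)
    PANORAMA_API_KEY       API key (required)
    PANORAMA_DEVICE_GROUP  device group to target (default: Production)
    PANORAMA_CA_BUNDLE     path to a CA bundle used to verify Panorama's TLS certificate
    PANORAMA_INSECURE      set to "1" to skip TLS verification (not recommended)
"""
import ipaddress
import json
import os
import sys
import time
import xml.etree.ElementTree as ET
from xml.sax.saxutils import quoteattr

import requests
import urllib3
from requests.exceptions import HTTPError

import pandevice
from pandevice import objects
from pandevice import panorama
from pandevice import policies
from pandevice.base import PanObject
from pandevice.panorama import Panorama


# --- configuration ---------------------------------------------------------

def _required_env(name):
    """Return environment variable *name* or exit with a clear message when it is unset.

    Args:
        name: the variable to read.
    """
    value = os.environ.get(name)
    if not value:
        print(f"Missing required environment variable {name}")
        sys.exit(2)
    return value


def _tls_verify():
    """Return the ``verify`` argument used for every request to Panorama.

    Verification is on by default. A custom CA bundle path is honoured via
    PANORAMA_CA_BUNDLE (typical for an internally-issued management cert).
    Only an explicit PANORAMA_INSECURE=1 turns verification off; the API key
    travels on this connection, so a silent ``verify=False`` default would
    expose it to anyone able to intercept the session.
    """
    if os.environ.get("PANORAMA_INSECURE") == "1":
        urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
        return False
    return os.environ.get("PANORAMA_CA_BUNDLE") or True


PANORAMA_HOST = _required_env("PANORAMA_HOST")
auth_key = _required_env("PANORAMA_API_KEY")
devicegroup = os.environ.get("PANORAMA_DEVICE_GROUP", "Production")
verify = _tls_verify()

# Tag that places the new object into the dynamic address group used for
# SFTP services (the firewall side of that mapping is configured elsewhere).
SFTP_TAG = "SFTP"


# --- Panorama API helpers --------------------------------------------------

def _api_get(path, params, *, timeout=60):
    """GET ``https://PANORAMA_HOST{path}`` and return the response, exiting on failure.

    The API key is sent in the ``X-PAN-KEY`` header rather than as a ``key=``
    query parameter, so it does not end up in proxy logs, shell history or
    URL-logging middleboxes.

    Args:
        path: URL path starting with ``/``.
        params: query parameters (``requests`` handles the URL encoding).
        timeout: socket timeout in seconds; the original had none and could hang forever.
    """
    url = f"https://{PANORAMA_HOST}{path}"
    try:
        response = requests.get(
            url,
            params=params,
            headers={"X-PAN-KEY": auth_key},
            verify=verify,
            timeout=timeout,
        )
        # if the response was successful, no Exception will be raised
        response.raise_for_status()
    except HTTPError as http_err:
        print(f'HTTP error occurred: {http_err}')
        sys.exit(1)
    except requests.RequestException as err:
        print(f'Other error occurred: {err}')
        sys.exit(1)
    return response


def _xml_api(params):
    """Call the XML API (``/api/``) and return the parsed ``<response>`` root.

    Exits when the body is not XML or when Panorama reports a non-success
    status; the original only checked the HTTP status code, which is 200
    even for an API-level error.
    """
    response = _api_get("/api/", params)
    try:
        root = ET.fromstring(response.content)
    except ET.ParseError as err:
        print(f'Could not parse Panorama response: {err}')
        sys.exit(1)
    if root.get("status") != "success":
        details = " ".join(root.itertext()).strip()
        print(f'Panorama rejected the request: {details}')
        sys.exit(1)
    return root


def _start_commit(params):
    """Issue a commit request and return the enqueued job id, or ``None`` if nothing was queued.

    A successful response without a ``<job>`` element is how Panorama says
    there was nothing to commit; that is reported but not treated as an error.
    """
    root = _xml_api(params)
    job_id = root.findtext("./result/job")
    if job_id is None:
        details = " ".join(root.itertext()).strip()
        print(f'No commit job was queued: {details}')
    return job_id


def _wait_for_job(job_id, *, timeout=900, interval=5):
    """Poll ``show jobs id <job_id>`` until it finishes; exit non-zero on failure or timeout.

    Args:
        job_id: job id string returned by a commit request.
        timeout: maximum seconds to wait overall.
        interval: seconds between polls.
    """
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        root = _xml_api({
            "type": "op",
            "cmd": f"<show><jobs><id>{job_id}</id></jobs></show>",
        })
        job = root.find("./result/job")
        if job is None:
            print(f'Panorama returned no job record for job {job_id}')
            sys.exit(1)
        # NOTE(review): FIN/OK follow the PAN-OS "show jobs" schema; confirm
        # against the Panorama version in use if polling misbehaves.
        if job.findtext("status") == "FIN":
            result = job.findtext("result")
            if result != "OK":
                details = " ".join(job.itertext()).strip()
                print(f'Job {job_id} finished with result {result}: {details}')
                sys.exit(1)
            return
        time.sleep(interval)
    print(f'Timed out after {timeout}s waiting for job {job_id}')
    sys.exit(1)


def _existing_address_objects():
    """Return the list of address-object entries currently in the device group.

    Uses the REST API used by the original; an empty device group may come
    back without an ``entry`` list, which used to raise ``KeyError``.
    """
    response = _api_get(
        "/restapi/9.0/Objects/Addresses",
        {"location": "device-group", "device-group": devicegroup},
    )
    try:
        payload = json.loads(response.text)
    except ValueError as err:
        print(f'Could not parse address object listing: {err}')
        sys.exit(1)
    result = payload.get("result") or {}
    return result.get("entry") or []


def _already_whitelisted(entries, network):
    """Return True if any entry's ``ip-netmask`` denotes the same network as *network*.

    Both sides are compared as ``IPv4Network`` values so ``10.0.0.1`` and
    ``10.0.0.1/32`` are recognised as the same object; the original compared
    raw strings and would have created a duplicate in that case. Entries
    without ``ip-netmask`` (FQDN, range) or with unparsable values are skipped.
    """
    for entry in entries:
        value = entry.get("ip-netmask")
        if value is None:
            continue
        try:
            if ipaddress.IPv4Network(value, strict=False) == network:
                return True
        except ValueError:
            continue
    return False


# --- entry point -------------------------------------------------------------

def main():
    """Interactively add one IPv4 address object to the SFTP whitelist and commit."""
    ip_address = input(
        'Please enter the ip address you wish to add to the SFTP whitelist, (example: x.x.x.x): '
    ).strip()
    # Strict validation: a host or network in dotted-quad form, no host bits set.
    try:
        ip_addr = ipaddress.IPv4Network(ip_address)
    except ValueError:
        print("this address is not a valid IPv4 address: ", ip_address)
        sys.exit(1)

    description = input('Please enter the release ticket number(just the numbers): ').strip()
    # The prompt asks for digits only; enforce it so the description stays
    # machine-searchable and no free text reaches the firewall config.
    if not (description.isascii() and description.isdigit()):
        print("the release ticket number must contain digits only: ", description)
        sys.exit(1)

    print("Please wait while your Address Object query processes!")
    if _already_whitelisted(_existing_address_objects(), ip_addr):
        print("Your address already exists in the SFTP whitelist")
        sys.exit(0)

    # Connection used by pandevice for object creation.
    # NOTE(review): pandevice opens its own session and does not receive
    # ``verify``; confirm how it validates the Panorama certificate.
    pano = panorama.Panorama(PANORAMA_HOST, api_key=auth_key)
    palo_device_group = panorama.DeviceGroup(devicegroup)
    pano.add(palo_device_group)

    # Names follow the existing firewall standard: N-<address>, NETENG-<ticket>.
    sftp_server = objects.AddressObject(
        name=f"N-{ip_address}",
        value=ip_address,
        description=f"NETENG-{description}",
        tag=SFTP_TAG,
    )
    palo_device_group.add(sftp_server)
    sftp_server.create()

    # Step 1 of the two-step commit: commit the Panorama candidate config.
    print("Please wait while your panorama commit processes!")
    job_id = _start_commit({"type": "commit", "cmd": "<commit></commit>"})
    if job_id is not None:
        _wait_for_job(job_id)
    print('Your panorama commit was successful')

    # Step 2: push to the device group. quoteattr() escapes the name so an
    # odd PANORAMA_DEVICE_GROUP value cannot break the XML command.
    print("Please wait while the Production Device group commits!")
    job_id = _start_commit({
        "type": "commit",
        "action": "all",
        "cmd": (
            "<commit-all><shared-policy><device-group>"
            f"<entry name={quoteattr(devicegroup)}/>"
            "</device-group></shared-policy></commit-all>"
        ),
    })
    if job_id is not None:
        _wait_for_job(job_id)
    print('Your IP address was successfully added to the Production Firewall and the Device commit was successful')


if __name__ == "__main__":
    main()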