About SimonT

old thread but just had same on 10.2.4. disk was full. show system disk-space. then clear log <> ... View more

I had this and it was /opt/panlogs full:   admin@panorama> show system disk-space Filesystem Size Used Avail Use% Mounted on /dev/sda8 91G 91G 0 100% /opt/panlogs   Emptied some logs: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClSjCAK ... View more

this is the diff: < path="type/{decryption_type}/certificates/", --- > path="type/{decryption_type}", ... View more

give this a go:   import json from pandas import * data = read_csv("groups.csv") member_list = data['members'].tolist() member_set = set(member_list) unique_member_list = list(member_set) body = json.dumps( { "entry": { "@name": "TEST-GRP", "members": { "member" : unique_member_list } } } ) print(body)   Outputs: {"entry": {"@name": "TEST-GRP", "members": {"member": ["service-http", "service-https"]}}}   tip: conversion from list to set and back is  to remove any duplicates ... View more

hi @kenchung  have a look at the reference documentation:   https://paloaltonetworks.github.io/pan-os-ansible/modules/panos_security_rule_module.html. https://ansible-pan.readthedocs.io/en/latest/modules/panos_security_rule_module.html   "log_setting" is a string but you put it in brackets which converts it to a list: log_setting: ['syslog profile'].    you want: log_setting: 'syslog profile'    Same for group profile.   Unsure about the hip profile. There is a note in the documention saying not to use it. Maybe if you set gather facts to yes then version will correct that? ... View more

There are a few ways you can do this. 1) Under Panorama > device deployment > dynamic updates > schedule. 2) in a Panorama template setting under Device > Dynamic Updates.   As I recall for new build firewalls you need to log in to both HA members and run "check now" just once. Also if using the template be mindful that the local firewall takes precedence. Log into both HA members and under the dynamic updates section ensure the template settings take precedent with green cog for each entry. You have to click open each db applet to confirm.   If the schedule is not working perhaps there is communication issue?  ... View more

Seems the issue is in https://github.com/PaloAltoNetworks/pan-os-python/blob/develop/panos/policies.py   I edited my local copy with the following and it now works: params.append( VersionedParamPath( "ssl_certificate", vartype="member", path="type/{decryption_type}/certificates/", condition={"decryption_type": "ssl-inbound-inspection",}, ) )     ... View more

A lot of functionality is provided by ansible-pan so its just a case of mapping your requirements to your own playbook (which you can build by cribbing the examples). Start basic. Any data integrity checking can all be done using Ansible built-in modules. Its 100% real world. Perhaps start with a CLI based tool and develop a front end solution later. If you are focusing on configuration management one option might be to store your "standard configuration" as YAML/Jinja2 format in a GitHub repository (you get free version control) and have your tool draw down from that to compare with your actual configurations. Then act on any deficiencies and email a status report. Having said that, check out AIOps https://www.paloaltonetworks.com/network-security/aiops-for-ngfw. It might do some of what you need.   ... View more

I'm sure you read the documentation (https://github.com/PaloAltoNetworks/pan-os-ansible) but in case not there are links to sample playbooks https://github.com/PaloAltoNetworks/ansible-playbooks   ... View more

Having successfully used direct API, pandevice and pan-os python modules for some years I would in your case recommend the pan-ansible modules: https://ansible-pan.readthedocs.io/en/latest/ Ansible itself handles any workflow and the modules handle all the parsing etc. Does exactly what you need.  ... View more

@GFRDA thanks a lot. I cribbed this to edit a rule (removing an object from destination field) and its works a charm!   For anyone else here is my playbook:     - name: Network Playbook hosts: panorama connection: local gather_facts: false vars: rmadr: 'simon-test-address2' myrule: 'REQ0001-RITM00009' roles: - role: PaloAltoNetworks.paloaltonetworks tasks: - name: Get auth creds include_vars: 'vars.yml' #no_log: 'yes' - name: Get the definition for rule '{{ myrule }}' paloaltonetworks.panos.panos_security_rule_facts: provider: '{{ lab_provider }}' device_group: 'LAB-VM-virtual-FW-DG' rule_name: '{{ myrule | quote }}' register: result - debug: msg: '{{ result }}' - name: edit destination for rule '{{ myrule }}' paloaltonetworks.panos.panos_security_rule: provider: '{{ lab_provider }}' device_group: 'LAB-VM-virtual-FW-DG' rule_name: '{{ item.rule_name }}' action: '{{ item.action }}' source_zone: '{{ item.source_zone | default(omit, true) }}' destination_zone: '{{ item.destintaion_zone | default(omit, true) }}' log_start: 'false' log_end: 'true' application: '{{ item.application | default(omit, true) }}' category: '{{ item.category | default(omit, true) }}' description: '{{ item.description | default(omit, true) }}' destination_ip: '{{ item.destination_ip | difference([rmadr]) }}' disabled: '{{ item.disabled }}' source_ip: '{{ item.source_ip | default(omit, true) }}' service: '{{ item.service | default(omit, true) }}' tag_name: '{{ item.tag | default(omit, true) }}' commit: false loop: '{{ result.rule_details }}' loop_control: label: '{{ item.rule_name }}' - name: Get the new definition for rule '{{ myrule }}' paloaltonetworks.panos.panos_security_rule_facts: provider: '{{ lab_provider }}' device_group: 'LAB-VM-virtual-FW-DG' rule_name: '{{ myrule | quote }}' register: new_result - debug: msg: '{{ new_result }}'     Note that "destintaion_zone" is a typo in the tool.   And the output when run - I get the rule twice so you can see the difference:     (python3_9) [admin@host]$ ansible-playbook -i inventory -v remove_address_object_from_source.yml No config file found; using defaults PLAY [Network Playbook] ************************************************************************************************************************************************************* TASK [Get auth creds] *************************************************************************************************************************************************************** ok: [panorama] => {"ansible_facts": {} TASK [Get the definition for rule 'REQ0001-RITM00009'] ****************************************************************************************************************************** [DEPRECATION WARNING]: Deprecated; use panos_security_rule with state=gathered instead. This feature will be removed from paloaltonetworks.panos in version 3.0.0. Deprecation warnings can be disabled by setting deprecation_warnings=False in ansible.cfg. [DEPRECATION WARNING]: Please use the names parameter instead of rule_name. This feature will be removed from paloaltonetworks.panos in version 3.0.0. Deprecation warnings can be disabled by setting deprecation_warnings=False in ansible.cfg. ok: [panorama] => {"changed": false, "rule_details": [{"action": "allow", "antivirus": null, "application": ["any"], "category": ["any"], "data_filtering": null, "description": "REQ0001", "destination_devices": ["any"], "destination_ip": ["H-192.168.52.1-32", "simon-test-address2"], "destintaion_zone": ["pubinternet"], "disable_server_response_inspection": false, "disabled": true, "file_blocking": null, "group_profile": null, "group_tag": null, "hip_profiles": null, "icmp_unreachable": null, "log_end": true, "log_setting": null, "log_start": false, "negate_destination": false, "negate_source": false, "negate_target": null, "rule_name": "REQ0001-RITM00009", "rule_type": "universal", "schedule": null, "service": ["tcp_443"], "source_devices": ["any"], "source_ip": ["H-8.8.8.8-32"], "source_user": ["any"], "source_zone": ["UNDEFINED"], "spyware": null, "tag_name": null, "target": null, "url_filtering": null, "uuid": "0a966a5b-66ff-451e-8f74-e1f6f9547c77", "vulnerability": null, "wildfire_analysis": null}]} TASK [debug] ************************************************************************************************************************************************************************ ok: [panorama] => { "msg": { "changed": false, "deprecations": [ { "collection_name": "paloaltonetworks.panos", "msg": "Deprecated; use panos_security_rule with state=gathered instead", "version": "3.0.0" }, { "collection_name": "paloaltonetworks.panos", "msg": "Please use the names parameter instead of rule_name.", "version": "3.0.0" } ], "failed": false, "rule_details": [ { "action": "allow", "antivirus": null, "application": [ "any" ], "category": [ "any" ], "data_filtering": null, "description": "REQ0001", "destination_devices": [ "any" ], "destination_ip": [ "H-192.168.52.1-32", "simon-test-address2" ], "destintaion_zone": [ "pubinternet" ], "disable_server_response_inspection": false, "disabled": true, "file_blocking": null, "group_profile": null, "group_tag": null, "hip_profiles": null, "icmp_unreachable": null, "log_end": true, "log_setting": null, "log_start": false, "negate_destination": false, "negate_source": false, "negate_target": null, "rule_name": "REQ0001-RITM00009", "rule_type": "universal", "schedule": null, "service": [ "tcp_443" ], "source_devices": [ "any" ], "source_ip": [ "H-8.8.8.8-32" ], "source_user": [ "any" ], "source_zone": [ "UNDEFINED" ], "spyware": null, "tag_name": null, "target": null, "url_filtering": null, "uuid": "0a966a5b-66ff-451e-8f74-e1f6f9547c77", "vulnerability": null, "wildfire_analysis": null } ] } } TASK [edit destination for rule 'REQ0001-RITM00009'] ******************************************************************************************************************************** changed: [panorama] => (item=REQ0001-RITM00009) => {"after": {"action": "allow", "antivirus": null, "application": ["any"], "category": ["any"], "data_filtering": null, "description": "REQ0001", "destination_devices": ["any"], "destination_ip": ["H-192.168.52.1-32"], "destination_zone": ["pubinternet"], "disable_server_response_inspection": false, "disabled": true, "file_blocking": null, "group_profile": null, "group_tag": null, "hip_profiles": null, "icmp_unreachable": null, "log_end": true, "log_setting": null, "log_start": false, "negate_destination": false, "negate_source": false, "negate_target": null, "rule_name": "REQ0001-RITM00009", "rule_type": "universal", "schedule": null, "service": ["tcp_443"], "source_devices": ["any"], "source_ip": ["H-8.8.8.8-32"], "source_user": ["any"], "source_zone": ["UNDEFINED"], "spyware": null, "tag_name": null, "target": null, "url_filtering": null, "uuid": "0a966a5b-66ff-451e-8f74-e1f6f9547c77", "vulnerability": null, "wildfire_analysis": null}, "ansible_loop_var": "item", "before": {"action": "allow", "antivirus": null, "application": ["any"], "category": ["any"], "data_filtering": null, "description": "REQ0001", "destination_devices": ["any"], "destination_ip": ["H-192.168.52.1-32", "simon-test-address2"], "destination_zone": ["pubinternet"], "disable_server_response_inspection": false, "disabled": true, "file_blocking": null, "group_profile": null, "group_tag": null, "hip_profiles": null, "icmp_unreachable": null, "log_end": true, "log_setting": null, "log_start": false, "negate_destination": false, "negate_source": false, "negate_target": null, "rule_name": "REQ0001-RITM00009", "rule_type": "universal", "schedule": null, "service": ["tcp_443"], "source_devices": ["any"], "source_ip": ["H-8.8.8.8-32"], "source_user": ["any"], "source_zone": ["UNDEFINED"], "spyware": null, "tag_name": null, "target": null, "url_filtering": null, "uuid": "0a966a5b-66ff-451e-8f74-e1f6f9547c77", "vulnerability": null, "wildfire_analysis": null}, "changed": true, "item": {"action": "allow", "antivirus": null, "application": ["any"], "category": ["any"], "data_filtering": null, "description": "REQ0001", "destination_devices": ["any"], "destination_ip": ["H-192.168.52.1-32", "simon-test-address2"], "destintaion_zone": ["pubinternet"], "disable_server_response_inspection": false, "disabled": true, "file_blocking": null, "group_profile": null, "group_tag": null, "hip_profiles": null, "icmp_unreachable": null, "log_end": true, "log_setting": null, "log_start": false, "negate_destination": false, "negate_source": false, "negate_target": null, "rule_name": "REQ0001-RITM00009", "rule_type": "universal", "schedule": null, "service": ["tcp_443"], "source_devices": ["any"], "source_ip": ["H-8.8.8.8-32"], "source_user": ["any"], "source_zone": ["UNDEFINED"], "spyware": null, "tag_name": null, "target": null, "url_filtering": null, "uuid": "0a966a5b-66ff-451e-8f74-e1f6f9547c77", "vulnerability": null, "wildfire_analysis": null}} TASK [Get the new definition for rule 'REQ0001-RITM00009'] ************************************************************************************************************************** ok: [panorama] => {"changed": false, "rule_details": [{"action": "allow", "antivirus": null, "application": ["any"], "category": ["any"], "data_filtering": null, "description": "REQ0001", "destination_devices": ["any"], "destination_ip": ["H-192.168.52.1-32"], "destintaion_zone": ["pubinternet"], "disable_server_response_inspection": false, "disabled": true, "file_blocking": null, "group_profile": null, "group_tag": null, "hip_profiles": null, "icmp_unreachable": null, "log_end": true, "log_setting": null, "log_start": false, "negate_destination": false, "negate_source": false, "negate_target": null, "rule_name": "REQ0001-RITM00009", "rule_type": "universal", "schedule": null, "service": ["tcp_443"], "source_devices": ["any"], "source_ip": ["H-8.8.8.8-32"], "source_user": ["any"], "source_zone": ["UNDEFINED"], "spyware": null, "tag_name": null, "target": null, "url_filtering": null, "uuid": "0a966a5b-66ff-451e-8f74-e1f6f9547c77", "vulnerability": null, "wildfire_analysis": null}]} TASK [debug] ************************************************************************************************************************************************************************ ok: [panorama] => { "msg": { "changed": false, "deprecations": [ { "collection_name": "paloaltonetworks.panos", "msg": "Deprecated; use panos_security_rule with state=gathered instead", "version": "3.0.0" }, { "collection_name": "paloaltonetworks.panos", "msg": "Please use the names parameter instead of rule_name.", "version": "3.0.0" } ], "failed": false, "rule_details": [ { "action": "allow", "antivirus": null, "application": [ "any" ], "category": [ "any" ], "data_filtering": null, "description": "REQ0001", "destination_devices": [ "any" ], "destination_ip": [ "H-192.168.52.1-32" ], "destintaion_zone": [ "pubinternet" ], "disable_server_response_inspection": false, "disabled": true, "file_blocking": null, "group_profile": null, "group_tag": null, "hip_profiles": null, "icmp_unreachable": null, "log_end": true, "log_setting": null, "log_start": false, "negate_destination": false, "negate_source": false, "negate_target": null, "rule_name": "REQ0001-RITM00009", "rule_type": "universal", "schedule": null, "service": [ "tcp_443" ], "source_devices": [ "any" ], "source_ip": [ "H-8.8.8.8-32" ], "source_user": [ "any" ], "source_zone": [ "UNDEFINED" ], "spyware": null, "tag_name": null, "target": null, "url_filtering": null, "uuid": "0a966a5b-66ff-451e-8f74-e1f6f9547c77", "vulnerability": null, "wildfire_analysis": null } ] } } PLAY RECAP ************************************************************************************************************************************************************************** panorama : ok=6 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0 (python3_9) [admin@host]$     ... View more