panos remove address object script messes up the device group setup.


L1 Bithead

Hi All,

So far I'm getting the hang of python panos, which allows me to connect via Panorama to make changes and push to firewalls. I've been able to create address objects and modify the contents of address groups and security rules with no issues.


Recently I've been trying to create a script that would delete an address object using python panos. What happens when I run the script is that Panorama removes my firewalls from the device group, which is weird. I need to manually add the devices and template stack to the device group again in order to restore it.

 

Initially I tried to use dg.delete() but it did not work for me. I replaced it with dg.remove() but the same thing happens. Maybe I'm messing up the configuration tree but I do not know which part of my code does that.

 

Panorama version: 10.2.3
pan-os-python version: 1.8.1

 

Below are some snippets from my code:

 
from panos.panorama import Panorama, DeviceGroup
from panos.objects import AddressObject

pano = Panorama(panorama, username, password)

target_dg = "test_dg_1"

dg = DeviceGroup(target_dg)
pano.add(dg)

#Find the address object within the device group
obj = dg.find("Sample_Address_Object", class_type=AddressObject)

# Remove the address object
dg.remove(obj)
dg.apply()

pano.commit(cmd = commitMesg, sync=True)
pano.commit_all(sync_all=True, devicegroup=target_dg)

 

Any help would be appreciated. Thank you!

Accepted Solutions

L1 Bithead

It took me some time, with some trial and error and reading through the docs. What I've been doing in the line with dg.apply() seems to be the reason why the device group members are gone on Panorama after running the code. Do not try dg.apply() in production as it seems to be destructive based on the documentation.

Here is an updated snippet to achieve the deletion of a single address object via panorama:

 

 

 

import sys

from panos.panorama import Panorama, DeviceGroup
from panos.objects import AddressObject

panorama = "Your_Panorama_Hostname"  # placeholder: hostname or IP of Panorama
username = "Your_Panorama_Username"
password = "Your_Panorama_Pw"
pano = Panorama(panorama, username, password)

target_dg = "test_dg_1"
addrObjName = "Sample_Address_Object"

dg = DeviceGroup(target_dg)
pano.add(dg)

# Get the address objects list.
addressObjects = AddressObject.refreshall(dg)

# Loop over the address objects to find out if the object exists or not.
# No action if the object does not exist in the current address object list.
for o in addressObjects:
    if addrObjName == o.name:

        print(f'Found {addrObjName}. Removing...')
        # delete() is called on the address object itself, not on the device group.
        o.delete()

        # Perform commit and push.
        # commitMesg must be defined earlier in the script.
        pano.commit(cmd=commitMesg, sync=True)
        pano.commit_all(sync_all=True, devicegroup=target_dg)

        # Exit script after deletion of address object & commit + push.
        sys.exit()

print(f'Unable to match address object {addrObjName}. No changes were made.')

 

 

 



Useful methods documentation:
https://pan-os-python.readthedocs.io/en/latest/useful-methods.html
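
Why dg.apply() emptied the device group while o.delete() did not, as an added example that is not part of the original post and does not use pan-os-python itself: it models Panorama's config with xml.etree, where apply() corresponds to the XML API "edit" action (replace the whole entry with the local object) and delete() to the "delete" action. The helper names, serial numbers, IP addresses and the Keep_Me object are constructed for the illustration.

```python
import xml.etree.ElementTree as ET

# Constructed stand-in for the device-group part of Panorama's candidate config.
# Serial numbers and the second address object are made up for this sketch.
CANDIDATE = """
<device-group>
  <entry name="test_dg_1">
    <devices><entry name="000000000001"/><entry name="000000000002"/></devices>
    <address>
      <entry name="Sample_Address_Object"><ip-netmask>192.0.2.10/32</ip-netmask></entry>
      <entry name="Keep_Me"><ip-netmask>192.0.2.20/32</ip-netmask></entry>
    </address>
  </entry>
</device-group>
"""

def edit_entry(parent, new_entry):
    """Model of the 'edit' action behind apply(): replace the whole entry."""
    old = parent.find(f"entry[@name='{new_entry.get('name')}']")
    index = list(parent).index(old)
    parent.remove(old)
    parent.insert(index, new_entry)

def delete_entry(parent, name):
    """Model of the 'delete' action behind delete(): remove one entry only."""
    parent.remove(parent.find(f"entry[@name='{name}']"))

def summary(root, dg_name):
    dg = root.find(f"entry[@name='{dg_name}']")
    return {"devices": [e.get("name") for e in dg.findall("devices/entry")],
            "addresses": [e.get("name") for e in dg.findall("address/entry")]}

def after_apply():
    """DeviceGroup('test_dg_1') built locally with no children, then apply()."""
    root = ET.fromstring(CANDIDATE)
    edit_entry(root, ET.Element("entry", {"name": "test_dg_1"}))
    return summary(root, "test_dg_1")

def after_delete():
    """delete() called on the single AddressObject returned by refreshall()."""
    root = ET.fromstring(CANDIDATE)
    addresses = root.find("entry[@name='test_dg_1']/address")
    delete_entry(addresses, "Sample_Address_Object")
    return summary(root, "test_dg_1")

if __name__ == "__main__":
    print("after apply(): ", after_apply())
    print("after delete():", after_delete())
```

In the model, the locally built device group has no children, so replacing the entry drops the device list along with every address object; the targeted delete leaves the devices and Keep_Me in place.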
