jcrubaugh
@jcrubaugh
Is it possible to add a certificate to a template with pandevice ?
bornhorstj
@bornhorstj
All, is there a way to pull template stack variables?
bornhorstj
@bornhorstj
@ancoleman did you ever figure out how to do template variable overrides?
bornhorstj
@bornhorstj
Code for pulling template_stack Variables

from pandevice.panorama import Panorama, TemplateStack, TemplateVariable

# PanoHost and args (username, userpass) are defined elsewhere in the script
pano = Panorama(hostname=PanoHost, api_username=args.username, api_password=args.userpass)
# Fetch every template stack configured on Panorama
template_stack = TemplateStack.refreshall(pano)

print(template_stack)
for template in template_stack:
    print("start of {0}".format(template))
    print("This is the description: \n", template.description)
    print("List of Devices {0}".format(template.devices))
    print(template.templates)
    # Pull the variables defined on this template stack
    variables = TemplateVariable.refreshall(template)
    for variable in variables:
        print(variable, variable.value)
deverm12
@deverm12
Hi All, I am trying to write code for pulling Interface and zone details for an IP. My end goal is to run test_security cmd to verify rule. Currently using fw.op() I can run test_security cmd, but I am currently pulling zone details manually.
deverm12
@deverm12
just checking if anyone can guide me on this
hltclk
@hltclk

Hi All,
I am getting an Element as a response but it is empty. What am I missing here, please help.

from pandevice import panorama

pano = panorama.Panorama('hostname',api_key=api_key)
response = pano.op('show templates')

response has an attribute 'status' : 'success'
deverm12
@deverm12
@hltclk please try using : response = pano.op('show templates', xml=True)
hltclk
@hltclk
@deverm12 thank you very much, it worked
BatD2
@BatD2
Hi team, I need to copy Panorama Device Group from one panorama (pano1) to another panorama appliance (pano2). I can get the device group object from pano1, but how can I then "copy" it to pano2 ?
ikswobyd
@iks0_gitlab
@dkoych I'm not sure how to accomplish this with pandevice directly off the top of my head, but I think using the panos_type_cmd/the panos ansible role you could try get on the origin panorama and set on the target panorama, passing the output of the origin get as the set argument for element. I would try this in a lab first. Also I mostly leverage the repo for basic repetitive things so hopefully someone from the dev team can chime in for you.
Kanininool
@Kanininool

Hi. Is this the right place to ask questions about Ansible modules for Palo Alto?
I am trying to find the right syntax for the panos_type_cmd playbook for adding an IP_netmask address object inside a GlobalProtect gateway exclude-access-route.

The set command syntax is this
set global-protect global-protect-gateway testvpn.intuit.com remote-user-tunnel-configs corp-users split-tunneling exclude-access-route named-address-object

However, I am getting an error when I run the Ansible playbook with regards to the address object, because I have got the syntax for that wrong in the playbook.

Can someone here please help?
Or point me to the right direction where I can get help?

@shinmog May I know if you are available to help?
Kanininool
@Kanininool
The above problem is solved. I was complicating it too much. I didn't know that the syntax is as simple as the one which shows up in the xml format of running config.
Steve Krause
@steve-krause_gitlab

Hi all. I am new to using pandevice and so far it has really been just what my project needed. I have run across an issue though and I don't know if it is due to my lack of understanding, or if it may be a bug.

I am attempting to automate the adding of BGP peers to a virtual-router already set up in a Panorama Template. I start by creating a new AggregateEthernet Layer3 subinterface. Then I go to add the new subinterface to the virtual-router's interface list. The problem occurs whenever I try to do a vrouter.apply() or vrouter.create(): I get an error similar to the following...

BGPPolicyImportRule_1 -> action -> allow -> update -> community -> append has unexpected text.
BGPPolicyImportRule_1 -> action -> allow -> update -> community -> append is invalid

We do already have in place two BGPPolicyImport rules with an action Community type of 'Append' the ASN '65222:1'. This was set up using the Panorama GUI and has been working properly for weeks.

When I inspect the policy object variables I see action_community_type='append' and action_community_argument='\n ' (which seems odd to me and makes me wonder if it could be a bug).
I even get the error when I just pull down the virtual-router and do a create() or apply() without making any changes.

Do you think this could be a bug, or do I just not understand the proper way to update the virtual-router? Is there a better way, or a work-around?

Any help or direction is greatly appreciated.

ecwest
@ecwest
Hey I have hopefully a really quick question. In pandevice how do I get security post rules for the Shared policies? I can get device group easily, but can't seem to access Shared.
mrzepa
@mrzepa
Hi. I am new to pandevice so please be patient with me. I am trying to add an address object with a tag, and I'm getting PanDeviceXapiError: xxx -> tag 'whatever' is not a valid reference. I don't understand why. If I remove the tag argument, the object creates just fine. I've created a list object for the tag.
TAGS = ['whatever']
pano.add(pandevice.objects.AddressObject(name='test',type='ip-netmask',value='10.1.1.1',tag=TAGS)).create()
Any ideas?
Ghost
@ghost~5ee22f2cd73408ce4fe69d08
I'm playing around with the update feature, and besides a few small bugs which already seem to have open issues, it seems that I'm getting a timeout issue. I'm trying to update a PA-220, and it takes just above 20 minutes (they are damn slow), which is the problem. At 20 minutes, the session ends and I'm getting a "Read timeout". I'm not sure "who" closes the connection. I can't find any timeout setting in the pandevice code, so it could be related to something else or the system. Any ideas? Currently testing locally on Pandevice 0.14, Python 3.7.7, OS X, in a flask app, running locally in development mode.
mrzepa
@mrzepa
Anyone know how to populate a Template variable with the value for a particular firewall? Something equivalent to importing the CSV file of variables and their values?
jasoncal108
@jasoncal108
Are there baseline panorama templates available anywhere?
mrzepa
@mrzepa
@jasoncal108 check out Iron Skillet: https://github.com/PaloAltoNetworks/iron-skillet
jasoncal108
@jasoncal108
@mrzepa this is very cool... is this supposed to replace panorama... trying to understand how this integrates
jasoncal108
@jasoncal108
Re: panhandler
mrzepa
@mrzepa
@jasoncal108 Iron Skillet does not replace panorama. Iron Skillet is a set of config snippets that implement a best practice baseline for your firewall.
jasoncal108
@jasoncal108
@mrzepa cool... I’ve been testing by importing xml on my Palo Alto device and importing the baseline to panorama as a template... but one thing I’m struggling to understand is what is the recommended way to import the baseline config to the panorama directly as code into templates for usage on my Palo Alto devices?
jasoncal108
@jasoncal108
There on I want to layer on additional configs for application specific things such as security policies, custom app ids.... wondering if that is achieved through templates as well?
mrzepa
@mrzepa
@jasoncal108 In Panorama, there are 2 sections, Templates and Device Groups. Templates are for all the network and device related configurations, and Device Groups are for all the Policy and Object related items. You can put all of your configurations into Panorama, nothing except the hostname needs to be configured locally on the firewall. Each firewall can have multiple templates assigned to it, this is called a template stack. In the stack you can have a baseline template and then firewall specific templates.
mrzepa
@mrzepa
Does anyone know how to add a tunnel interface in the current version of pandevice?
The above examples do not appear to work anymore. When looking at the documentation, there is no argument for the tunnel ID in the network.TunnelInterface class.
mrzepa
@mrzepa
I figured it out, in Panorama, you have to add it to the Template class, not the panorama class...
jasoncal108
@jasoncal108
Thank you @mrzepa... curious if you have used the AWS dynamic address groups... wondering if that can do IAM roles instead of access keys
mrzepa
@mrzepa
@jasoncal108 sorry, I don't play with AWS.
mrzepa
@mrzepa
@btorresgil Hi, are you still maintaining pandevice?
jasoncal108
@jasoncal108
Is there any best practice for creating custom app Id’s for internal https apps?
jasoncal108
@jasoncal108
If I want to automate creation of app specific configs into templates and device groups on my panorama to be pushed out, would it be easier to achieve this through Ansible pan modules or usage of skillets?
jasoncal108
@jasoncal108
Does anyone know if it’s possible to do decrypt of a packet capture from Palo Alto if the cipher of the packets use PFS?
Rick Kauffman
@xod442

Building an app to bulk add layer 3 subinterfaces. New to Palo Alto FW's but I think I'm close....still not working...trying to set zone and virtual router to interface.
eth = network.Layer3Subinterface(name, tag, ip)
security_zone = network.Interface.set_zone(eth,zone)

I get this...raise err.PanDeviceNotSet("No PanDevice set for object tree")

Rick Kauffman
@xod442
Nevermind :-)
Rick Kauffman
@xod442
@pmalinen were you able to get the comment to appear in the firewall? I can get every other variable to appear but the comments.
Thomas Christory
@thomaschristory
Hello people, after an hour of googling, I give up and I will ask here: is there a way in the pan os python to do a template variable override so I can add my serial numbers to a DG and then add (override) the variables in relation to that device?
@btorresgil Hi, related to my last message, I found some discussion with you from 2 years ago about this topic, but I don't think there was an outcome in this room. Would I have missed something?
Brian Torres-Gil
@btorresgil

Hi everyone! As you've probably noticed there's not much activity here on Gitter, as it hasn't worked well since GitLab acquired it so we've decided to retire this chat.

I'd like to invite you to our new GitHub Discussions page! You can continue the conversation over at https://github.com/PaloAltoNetworks/pan-os-python/discussions

Thanks so much!

utami1511
@utami1511
@deverm12 did you ever get this working?
Hi All, I am trying to write code for pulling Interface and zone details for an IP. My end goal is to run test_security cmd to verify rule. Currently using fw.op() I can run test_security cmd, but I am currently pulling zone details manually.
shincecx
@shincecx

What needs to be done to overcome this error?

self._xapi_private = self.generate_xapi()

File "/usr/lib/python2.7/site-packages/panos/firewall.py", line 222, in generate_xapi
return super(Firewall, self).generate_xapi()
File "/usr/lib/python2.7/site-packages/panos/base.py", line 3849, in generate_xapi
"api_key": self.api_key,
File "/usr/lib/python2.7/site-packages/panos/base.py", line 3777, in api_key
self._api_key = self._retrieve_api_key()
File "/usr/lib/python2.7/site-packages/panos/base.py", line 3936, in _retrieve_api_key
xapi.keygen(retry_on_peer=False)
File "/usr/lib/python2.7/site-packages/panos/base.py", line 3680, in method
raise the_exception
panos.errors.PanURLError: URLError: reason: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:618)

using Centos 7.3 and panos Virtual KVM image 8.1.10

Brian Torres-Gil
@btorresgil
Python 2.7 is end of life, please use python 3.6 or higher. After that, the error is due to the certificate. Check that your certs are trusted. If you’re using client cert auth to login, try using password auth instead. Ensure you set a password for the admin user.
Zacho
@zacho112
Anyone know the right syntax to delete/remove a firewall from a template stack ?
xometry-johnny
@xometry-johnny

Hi, we are working on using Palo GlobalProtect VPN connected to our network in AWS. We have a setup where we are multi-region, and we set up ONE transit gateway per region. In each region all VPCs we need to access are peered to the respective transit gateway. The transit gateways are then peered to each other as well, so multiple transit gateways are involved, one per region.

We have our Palo boxes set up in us-east-1 and it's able to connect to the instances in the same VPC. However, we are unable to get traffic out of the region. The network hop here will be VPC (us-east-1) ---> TGW (us-east-1) ---> TGW (us-east-2) ---> VPC (us-east-2). Is this network flow supported by Palo? All of the docs I've found seem to suggest it only supports a single TGW