Quim Montal
@qmontal
hi guys!
I am trying to get all the SecurityRules from Panorama to get the targets of each Security rule and work later with that, but when I do panorama.policies.SecurityRule.refreshall(<panorama.Panorama instance>), it returns an empty list
I have seen something on the history of the channel regarding PreRules, and was using the DeviceGroup with a specific name, but I am trying to get all the rules and all the firewalls even if they are not in a specific group
(we are having issues deleting old palos as it appears as if rules were applying to them, sometimes as target is Any, and want to get the list of rules that are applying to those old palos, which are disconnected and not in any defined group)
Quim Montal
@qmontal
I just saw this link https://github.com/sinontaylor/panmanager, I will be taking a look at it, thx @sinontaylor!
Rickard
@netdevops-se
@shinmog I'm facing issues with ansible-pan (master) and the panos_bgp_peer_group module.
If I'm running it on an existing peer_group with two peers in it, it will reconfigure the peer_group and only one of the peers will remain.
I tracked it down to the panos.py module and this specific line breaks the for loop. If I remove it, it works as expected.
What's the reason for running item.remove(x) ?
https://github.com/PaloAltoNetworks/ansible-pan/blob/6da2d7b4b8d658f1503e9ff4bb137d1cee32b08a/module_utils/network/panos/panos.py#L313
Rickard
@netdevops-se
Is it possible to set device-priority when configuring HA using pandevice?
jcrubaugh
@jcrubaugh
Is it possible to add a certificate to a template with pandevice ?
bornhorstj
@bornhorstj
All, is there a way to pull template stack variables?
bornhorstj
@bornhorstj
@ancoleman did you ever figure out how to do template variable overrides?
bornhorstj
@bornhorstj
Code for pulling template_stack Variables
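from pandevice.panorama import Panorama, TemplateStack, TemplateVariable

# PanoHost and args are defined elsewhere in the poster's script
pano = Panorama(hostname=PanoHost, api_username=args.username, api_password=args.userpass)
template_stack = TemplateStack.refreshall(pano)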

print(template_stack)
for template in template_stack:
    print("start of {0}".format(template))
    print("This is the description: \n", template.description)
    print("List of Devices {0}".format(template.devices))
    print(template.templates)
    variables = TemplateVariable.refreshall(template)
    for variable in variables:
        print(variable, variable.value)
deverm12
@deverm12
Hi All, I am trying to write code for pulling Interface and zone details for an IP. My end goal is to run test_security cmd to verify rule. Currently using fw.op() I can run test_security cmd but currently pulling zone details manually
deverm12
@deverm12
just checking if anyone can guide me on this
hltclk
@hltclk

Hi All,
I am getting an Element as a response but it is empty. What am I missing here, please help.

from pandevice import panorama

pano = panorama.Panorama('hostname',api_key=api_key)
response = pano.op('show templates')

response has an attribute 'status' : 'success'
deverm12
@deverm12
@hltclk please try using : response = pano.op('show templates', xml=True)
hltclk
@hltclk
@deverm12 thank you very much, it worked
dkoych
@dkoych
Hi team, I need to copy Panorama Device Group from one panorama (pano1) to another panorama appliance (pano2). I can get the device group object from pano1, but how can I then "copy" it to pano2 ?
ikswobyd
@iks0_gitlab
@dkoych I'm not sure how to accomplish this with pandevice directly off the top of my head but I think using the panos_type_cmd/the panos ansible role you could try get on the origin panorama and set on the target panorama. Passing the output of the origin get as the set argument for element. I would try this in a lab first. Also I mostly leverage the repo for basic repetitive things so hopefully someone from the dev team can chime in for you.
kichuku
@kichuku

Hi. Is this a right place to ask questions about Ansible modules for Palo Alto?
I am trying to find the right syntax for the panos_type_cmd playbook for adding a IP_netmask address object inside a GlobalProtect gateway exclude-access-route.

The set command syntax is this
set global-protect global-protect-gateway testvpn.intuit.com remote-user-tunnel-configs corp-users split-tunneling exclude-access-route named-address-object

However, I am getting an error when I run the Ansible playbook with regards to the address object, because I have got the syntax for that wrong in the playbook.

Can someone here please help?
Or point me to the right direction where I can get help?

@shinmog May I know if you are available to help?
kichuku
@kichuku
The above problem is solved. I was complicating it too much. I didn't know that the syntax is as simple as the one which shows up in the xml format of running config.
Steve Krause
@steve-krause_gitlab

Hi all. I am new to using pandevice and so far it has really been just what my project needed. I have run across an issue though and I don't know if it is due to my lack of understanding, or if it may be a bug.

I am attempting to automate the adding of BGP peers to a virtual-router already set up in a Panorama Template. I start by creating a new AggregateEthernet Layer3 subinterface. Then I go to add the new subinterface to the virtual-router's interface list. The problem occurs whenever I try to do a vrouter.apply() or vrouter.create(): I get an error similar to the following...

BGPPolicyImportRule_1 -> action -> allow -> update -> community -> append has unexpected text.
BGPPolicyImportRule_1 -> action -> allow -> update -> community -> append is invalid

We do already have in place two BGPPolicyImport rules with an action Community type of 'Append' the ASN '65222:1'. This was set up using the Panorama GUI and has been working properly for weeks.

When I inspect the policy object variables I see action_community_type='append' and action_community_argument='\n ' ( which seems odd to me and makes me wonder if it could be a bug)
I even get the error when I just pull down the virtual-router and do a create() or apply() without making any changes.

Do you think this could be a bug, or do I just not understand the proper way to update the virtual-router. Is there a better way, or a work-around?

Any help or direction is greatly appreciated.

ecwest
@ecwest
Hey I have hopefully a really quick question. In pandevice how do I get security post rules for the Shared policies? I can get device group easily, but can't seem to access Shared.
mrzepa
@mrzepa
Hi. I am new to pandevice so please be patient with me. I am trying to add an address object with a tag, and I'm getting PanDeviceXapiError: xxx -> tag 'whatever' is not a valid reference. I don't understand why. If I remove the tag argument, the object is created just fine. I've created a list object for the tag.
TAGS = ['whatever']
pano.add(pandevice.objects.AddressObject(name='test',type='ip-netmask',value='10.1.1.1',tag=TAGS)).create()
Any ideas?
Ghost
@ghost~5ee22f2cd73408ce4fe69d08
I'm playing around with the update feature, and besides a few small bugs which already seem to have open issues, it seems that I'm getting a timeout issue. I'm trying to update a PA-220, and it takes just above 20 minutes (they are damn slow), which is the problem. At 20 minutes, the session ends and I'm getting a "Read timeout". I'm not sure "who" closes the connection, I can't find any timeout setting in the pandevice code, so it could be related to something else or the system. Any ideas? Currently testing local on Pandevice 0.14, Python 3.7.7, OS X, in a flask app, running local in a development mode.
mrzepa
@mrzepa
Anyone know how to populate a Template variable with the value for a particular firewall? Something equivalent to importing the CSV file of variables and their values?
jasoncal108
@jasoncal108
Are there baseline panorama templates available anywhere?
mrzepa
@mrzepa
@jasoncal108 check out Iron Skillet: https://github.com/PaloAltoNetworks/iron-skillet
jasoncal108
@jasoncal108
@mrzepa this is very cool... is this supposed to replace panorama... trying to understand how this integrates
jasoncal108
@jasoncal108
Re: panhandler
mrzepa
@mrzepa
@jasoncal108 Iron Skillet does not replace panorama. Iron Skillet is a set of config snippets that implement a best practice baseline for your firewall.
jasoncal108
@jasoncal108
@mrzepa cool... I’ve been testing by importing xml on my Palo Alto device and importing the baseline to panorama as a template... but one thing I’m struggling to understand is what is the recommended way to import the baseline config to the panorama directly as code into templates for usage on my Palo Alto devices?
jasoncal108
@jasoncal108
There on I want to layer on additional configs for application specific things such as security policies, custom app ids.... wondering if that is achieved through templates as well?
mrzepa
@mrzepa
@jasoncal108 In Panorama, there are 2 sections, Templates and Device Groups. Templates are for all the network and device related configurations, and Device Groups are for all the Policy and Object related items. You can put all of your configurations into Panorama, nothing except the hostname needs to be configured locally on the firewall. Each firewall can have multiple templates assigned to it, this is called a template stack. In the stack you can have a baseline template and then firewall specific templates.
mrzepa
@mrzepa
Does anyone know how to add a tunnel interface in the current version of pandevice?
The above examples do not appear to work anymore. When looking at the documentation, there is no argument for the tunnel ID in the network.TunnelInterface class.
mrzepa
@mrzepa
I figured it out, in Panorama, you have to add it to the Template class, not the panorama class...
jasoncal108
@jasoncal108
Thank you @mrzepa... curious if you have used the AWS dynamic address groups... wondering if that can do IAM roles instead of access keys
mrzepa
@mrzepa
@jasoncal108 sorry, I don't play with AWS.
mrzepa
@mrzepa
@btorresgil Hi, are you still maintaining pandevice?
jasoncal108
@jasoncal108
Is there any best practice for creating custom app Id’s for internal https apps?
jasoncal108
@jasoncal108
If I want to automate creation of app specific configs into templates and device groups on my panorama to be pushed out would it be easier to achieve this through Ansible pan modules or usage of skillets?
jasoncal108
@jasoncal108
Does anyone know if it’s possible to do decrypt of a packet capture from Palo Alto if the cipher of the packets use PFS?
Rick Kauffman
@xod442

Building an app to bulk add layer 3 subinterfaces. New to Palo Alto FW's but I think I'm close....still not working...trying to set zone and virtual router to interface.
eth = network.Layer3Subinterface(name, tag, ip)
security_zone = network.Interface.set_zone(eth,zone)

I get this...raise err.PanDeviceNotSet("No PanDevice set for object tree")

Rick Kauffman
@xod442
Nevermind :-)
Rick Kauffman
@xod442
@pmalinen were you able to get the comment to appear in the firewall? I can get every other variable to appear but the comments.
Thomas Christory
@thomaschristory
Hello people, after an hour of googling, I give up and I will ask here: is there a way in the pan os python to do a template variable override so I can add my serial numbers to a DG and then add (override) the variables in relation to that device?
@btorresgil Hi, related to my last message, I found some discussion with you from 2 years ago about this topic, but I don't think there was an outcome in this room, would I have missed something?