
Security rule targets are missing the vsys identifier

Open ngobert opened this issue 5 years ago • 2 comments

Describe the bug

The vsys identifier is missing from security rule targets. Only the firewall serial number is returned.

Expected behavior

The target of a security policy should return the virtual system that the rule is targeting in addition to the serial number for multi-vsys firewalls. Example: [ "SERIAL-NO1/vsys2", "SERIAL-NO2/vsys2" ]

Additionally, updating the target of a policy should be able to handle virtual system identifiers in the same format, which is how virtual systems are displayed in the UI.

Current behavior

Only the serial numbers are returned in the target list. Example: ["SERIAL-NO1","SERIAL-NO2"]

Possible solution

Update the parsing of the target parameter to look for the virtual system in the XML. The current VersionedParamPath method does not support looking for children, which is how virtual systems are stored in the target XML of a security policy:

<target>
    <negate>no</negate>
    <devices>
        <entry name="SERIAL-NO1">
            <vsys>
                <entry name="vsys2"/>
            </vsys>
        </entry>
    </devices>
</target>

Steps to reproduce

  1. Create new panorama device (PanDevice.create_from_device)
  2. Create a new DeviceGroup class and add to panorama device.
  3. Create a new PreRulebase class and add to the DeviceGroup.
  4. Execute a refreshall (pandevice.policies.SecurityRule.refreshall) to pull in all security policies and loop through rule target values.

Screenshots

None

Context

Issue prevents correctly pulling current rulebase configuration from Panorama and prevents the modification of Ansible modules to deploy a security rule to a specified virtual system of a firewall.

Your Environment

Python 3.6.8, pan-python 0.16.0, pandevice 0.14.0, Windows 10

ngobert, Feb 05 '20 20:02
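As an added illustration of the parsing the issue asks for (example code, not pan-os-python's own; the helper names parse_targets, build_target and SAMPLE_TARGET are assumptions), the following reads the <target> layout shown above into "SERIAL/vsysN" strings, keeps a bare serial for a firewall that has no <vsys> children, and builds the same XML back from that list:

```python
# Added example (not pan-os-python code): convert a Panorama security rule's
# <target> element to "SERIAL" / "SERIAL/vsysN" strings and back.
import xml.etree.ElementTree as ET

# Constructed sample: SERIAL-NO1 targeted on vsys2 and vsys3,
# SERIAL-NO2 targeted as a whole firewall (no <vsys> children).
SAMPLE_TARGET = """<target>
  <negate>no</negate>
  <devices>
    <entry name="SERIAL-NO1">
      <vsys>
        <entry name="vsys2"/>
        <entry name="vsys3"/>
      </vsys>
    </entry>
    <entry name="SERIAL-NO2"/>
  </devices>
</target>"""


def parse_targets(target_xml):
    """Return the rule targets, one string per device or device/vsys."""
    targets = []
    for dev in ET.fromstring(target_xml).findall("./devices/entry"):
        serial = dev.get("name")
        vsys_entries = dev.findall("./vsys/entry")
        if not vsys_entries:
            targets.append(serial)  # whole firewall, no vsys qualifier
        for vs in vsys_entries:
            targets.append("%s/%s" % (serial, vs.get("name")))
    return targets


def build_target(targets, negate=False):
    """Build the <target> XML from "SERIAL" or "SERIAL/vsysN" strings."""
    root = ET.Element("target")
    ET.SubElement(root, "negate").text = "yes" if negate else "no"
    devices = ET.SubElement(root, "devices")
    by_serial = {}
    for spec in targets:
        serial, _, vsys = spec.partition("/")
        dev = by_serial.get(serial)
        if dev is None:
            dev = by_serial[serial] = ET.SubElement(devices, "entry", name=serial)
        if vsys:  # group several vsys of one firewall under one <vsys>
            vsys_el = dev.find("vsys")
            if vsys_el is None:
                vsys_el = ET.SubElement(dev, "vsys")
            ET.SubElement(vsys_el, "entry", name=vsys)
    return ET.tostring(root, encoding="unicode")
```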

+1

Can we please get a response for this? At the moment it seems impossible to create a rule that has a VSYS as a target. No matter what syntax I use, I'm getting an error ("<syntax I used> is invalid").

DeepSpace2, Oct 04 '20 13:10

Confirming that this is a bug that needs to be fixed; just need to figure out a fix that makes sense.

shinmog, Mar 31 '21 18:03