rulebase overwriting objects that weren't pulled
I'm using version 0.6.6 and Python3
Is it normal that when you pull the security rules

```python
rulebase = pandevice.policies.Rulebase()
fw.add(rulebase)
current_security_rules = pandevice.policies.SecurityRule.refreshall(rulebase)
```

perform modifications on the ruleset, and then call rulebase.apply() and fw.apply(), you lose all the other configuration that you didn't pull into the current rulebase?
I had a case where I made a lot of modifications to the security rules and then all the NAT rules disappeared from the firewall.
Hello,
Yes that’s expected. apply() replaces the configuration at that node with the pandevice objects. Security rules and NAT rules share the same Rulebase parent, so an apply() on the rulebase will replace all rules including Security, NAT, decryption, etc.
Instead, try using the apply_similar() method on the SecurityRule object (not the Rulebase object). apply_similar() applies all objects of the same type with the same parent, so it will apply all SecurityRules without touching the NAT rules.
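The difference between the two calls described in the answer above, as a simplified in-memory model added here for illustration. It is not pandevice code: the classes `Device` and `LocalRulebase`, the helper `unpulled_types`, and the rule names are hypothetical, and the model only mirrors the stated behaviour (a node-level apply replaces everything under the rulebase, apply_similar replaces one rule type).

```python
# Simplified model, not pandevice code: all class and rule names are hypothetical.
import copy

class Device:
    """Stands in for the firewall's live rulebase node: rule type -> rule names."""
    def __init__(self, rulebase):
        self.rulebase = copy.deepcopy(rulebase)

class LocalRulebase:
    """Local object tree; it only knows the rule types that were pulled into it."""
    def __init__(self):
        self.children = {}

    def refreshall(self, device, rule_type):
        self.children[rule_type] = list(device.rulebase.get(rule_type, []))
        return self.children[rule_type]

    def unpulled_types(self, device):
        # Pre-apply check: rule types on the device that the local tree lacks.
        return sorted(set(device.rulebase) - set(self.children))

    def apply(self, device):
        # Replaces the whole node with the local tree, so unpulled types vanish.
        device.rulebase = copy.deepcopy(self.children)

    def apply_similar(self, device, rule_type):
        # Replaces only the children of one type; sibling types stay untouched.
        device.rulebase[rule_type] = list(self.children[rule_type])

# Constructed sample configuration.
SAMPLE = {"security": ["allow-web", "deny-all"],
          "nat": ["outbound-snat"],
          "decryption": ["no-decrypt-banking"]}

def edit_security_rules(use_apply_similar):
    device = Device(SAMPLE)
    local = LocalRulebase()
    rules = local.refreshall(device, "security")
    rules.insert(1, "allow-dns")            # the intended modification
    at_risk = local.unpulled_types(device)  # what a node-level apply() would drop
    if use_apply_similar:
        local.apply_similar(device, "security")
    else:
        local.apply(device)
    return device.rulebase, at_risk

if __name__ == "__main__":
    print(edit_security_rules(False))  # NAT and decryption rules are gone
    print(edit_security_rules(True))   # only the security rules changed
```
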
Hi,
Thanks for the precision. I want to say that your documentation is really shit then. There is almost no explanation of these differences. Or I'm not looking at the correct documentation.
Some good howtos would really prevent these kinds of misunderstandings.
Agreed. Documentation needs an overhaul. We added a lot of functionality but it’s mostly “documented” via issues and Gitter chats. We are working on improving this.
Something that might help but isn’t well known right now are these tutorial notebooks we made for Ignite. Will try to tie those into the documentation better.
https://github.com/PaloAltoNetworks/pandevice-tutorial?files=1
Yes, I went through the notebooks for some of that documentation for another project and they have been useful!
But I think it would really be a good idea to do a short summary of some of the methods like apply() and the fact that it overwrites everything under its parent object where it's used. It should be mentioned on page one. Because the user is more likely to use it for this than to add interfaces.
One example with modifying a bunch of firewall rules would be great for other engineers to learn from my misunderstanding!
Sounds good, thanks for the feedback. We’ll keep this issue open to track the documentation change.