PaloAltoNetworks
Error when modifying firewall interface attributes on a parent firewall interface with sub-interfaces
def config_comment(fw_obj):
x = ['ethernet1/1']
try:
EthernetInterface.refreshall(fw_obj)
AggregateInterface.refreshall(fw_obj)
except PanDeviceError as e:
print(e.message)
for interface_name in x:
if 'ae' in interface_name:
try:
target_int = fw_obj.find(interface_name, AggregateInterface)
except PanDeviceError as e:
print(e.message)
elif 'ethernet' in interface_name:
try:
target_int = fw_obj.find(interface_name, EthernetInterface)
except PanDeviceError as e:
print(e.message)
else:
print('Invalid interface {0}'.format(interface_name))
target_int.comment = 'test comment'
target_int.apply()
Error:
Traceback (most recent call last):
File "/home/admin/venvs/auto_venv_py3.6/lib64/python3.6/site-packages/pandevice/base.py", line 3447, in method
super_method(self, *args, **kwargs)
File "/home/admin/venvs/auto_venv_py3.6/lib64/python3.6/site-packages/pan/xapi.py", line 741, in set
self.__type_config('set', query, extra_qs)
File "/home/admin/venvs/auto_venv_py3.6/lib64/python3.6/site-packages/pan/xapi.py", line 805, in __type_config
raise PanXapiError(self.status_detail)
pan.xapi.PanXapiError: interface 'ethernet1/1.2' is already in use
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "enable_lldp.py", line 154, in <module>
main()
File "enable_lldp.py", line 151, in main
config_lldp(firewall, lldp_ints)
File "enable_lldp.py", line 122, in config_lldp
target_int.apply()
File "/home/admin/venvs/auto_venv_py3.6/lib64/python3.6/site-packages/pandevice/base.py", line 3001, in apply
super(VsysOperations, self).apply()
File "/home/admin/venvs/auto_venv_py3.6/lib64/python3.6/site-packages/pandevice/base.py", line 561, in apply
child._check_child_methods("apply")
File "/home/admin/venvs/auto_venv_py3.6/lib64/python3.6/site-packages/pandevice/base.py", line 518, in _check_child_methods
getattr(self, "child_"+method)()
File "/home/admin/venvs/auto_venv_py3.6/lib64/python3.6/site-packages/pandevice/base.py", line 3012, in child_apply
return self._create_apply_child()
File "/home/admin/venvs/auto_venv_py3.6/lib64/python3.6/site-packages/pandevice/base.py", line 3019, in _create_apply_child
self.create_import('vsys1')
File "/home/admin/venvs/auto_venv_py3.6/lib64/python3.6/site-packages/pandevice/base.py", line 3050, in create_import
device.active().xapi.set(xpath, element, retry_on_peer=True)
File "/home/admin/venvs/auto_venv_py3.6/lib64/python3.6/site-packages/pandevice/base.py", line 3464, in method
raise the_exception
pandevice.errors.PanDeviceXapiError: interface 'ethernet1/1.2' is already in use
Python Module Versions: pan-python 0.15.0 pandevice 0.11.1
@smatt241 Seems your firewall has multiple vsys.
In the firewall, there are, in general, three places where something could exist:
- not in a vsys
- in a vsys
- not in a vsys directly but imported into a vsys
Interfaces fall into that 3rd category, but they are special in that PAN-OS cannot use an interface unless it's imported into one, so interfaces are always imported. When you are using pandevice to deal with vsys importables, it imports based on self.vsys, which keeps on checking up the object hierarchy until it hits an object that authoritatively answers, "what vsys does this belong in," which can be set either on the pandevice.firewall.Firewall object itself or a pandevice.device.Vsys object. So when you call .create() or .apply() on an interface (or any importable), it will first create the thing and then performs the specified vsys import.
In your case, if your intent is not to change the vsys that each (sub)interface is imported into, then you should use fw_obj.organize_info_vsys(). This will do a few queries as to which importables are in which vsys, and re-configure fw_obj's object tree as appropriate. What I would recommend is to make use of the fact that .refreshall() returns a list of objects found, and to build up a list of both ethernet interfaces and aggregate interfaces that you could then iterate over to update the comment on the interfaces.
