pan-os-python icon indicating copy to clipboard operation
pan-os-python copied to clipboard
verified publisher icon PaloAltoNetworks

Unexpected source-hip here error -> While creating a security Policy on Panorama - 9.1.x

Open sikulkar opened this issue 4 years ago • 5 comments

Describe the bug

While creating security policy on Panorama Panos 9.1.10, we are getting this error message :

SecurityPolicyName -> source-hip unexpected here Traceback (most recent call last): File "/home/site/wwwroot/.python_packages/lib/site-packages/panos/base.py", line 3661, in method super_method(self, *args, **kwargs) File "/home/site/wwwroot/.python_packages/lib/site-packages/pan/xapi.py", line 741, in set self.__type_config('set', query, extra_qs) File "/home/site/wwwroot/.python_packages/lib/site-packages/pan/xapi.py", line 805, in __type_config raise PanXapiError(self.status_detail) pan.xapi.PanXapiError: SecurityPolicyName-> source-hip unexpected here

During handling of the above exception, another exception occurred:

Traceback (most recent call last): File "/home/site/wwwroot/implementation/init.py", line 77, in main new_pano = create_security_policies(preCheckInput,pano) File "/home/site/wwwroot/implementation/init.py", line 240, in create_security_policies raise err File "/home/site/wwwroot/implementation/init.py", line 235, in create_security_policies policy.create() File "/home/site/wwwroot/.python_packages/lib/site-packages/panos/base.py", line 641, in create device.active().xapi.set( File "/home/site/wwwroot/.python_packages/lib/site-packages/panos/base.py", line 3682, in method raise the_exception panos.errors.PanDeviceXapiError: SecurityPolicyName-> source-hip unexpected here

Expected behavior

The security policy should be created without any errors

Current behavior

The security policy doesn't get created and throws the above error

Possible solution

Steps to reproduce

Screenshots

Context

We are unable to proceed ahead building our service to automate creating customer policy requests/tickets

Your Environment

Using Azure Durable Functions - Python 3.9 Panorama & NGFW Version - 9.1.10

sikulkar avatar Aug 04 '21 21:08 sikulkar

:tada: Thanks for opening your first issue here! Welcome to the community!

welcome-to-palo-alto-networks[bot] avatar Aug 04 '21 21:08 welcome-to-palo-alto-networks[bot]

@shinmog : Just wondering if you have any thoughts on this ?

Thought this was similar to this issue - https://github.com/PaloAltoNetworks/pan-os-python/issues/345

Thanks in advance !

sikulkar avatar Aug 04 '21 21:08 sikulkar

I did some tests, the issue doesn't seem to happen in the previous version -> pan-os-python version 1.3.0

sikulkar avatar Aug 05 '21 03:08 sikulkar

I just did a quick test against a 9.1.3 firewall, and pan-os-python is not trying to add source-hip to the XML sent to PAN-OS. It seems to be doing the right thing for me. Here is my repro:

from panos.firewall import Firewall
from panos.policies import Rulebase, SecurityRule

fw = Firewall(.......)
fw.refresh_system_info()

rb = Rulebase()
fw.add(rb)

hip_value = 'foo'
o = SecurityRule('a')
o.source_devices = [hip_value, ]
rb.add(o)

print("{0}".format(hip_value in o.element_str().decode('utf-8')))

This prints False for me.

shinmog avatar Aug 17 '21 16:08 shinmog

Performed the same test, returns True for me

Running 1.8.1 and Pan 9.1.10

F1p avatar Mar 30 '23 13:03 F1p