pan-os-python icon indicating copy to clipboard operation
pan-os-python copied to clipboard

Published 20 hours ago verified publisher icon PaloAltoNetworks

Interface full_delete fails if static route references any other interface

Open tintedcorals opened this issue 3 years ago • 2 comments

Describe the bug

If a static route exists on the firewall which references an interface, a full_delete() will fail on a different interface.

Expected behavior

full_delete() should complete without throwing an exception

Current behavior

A TypeError exception is thrown, such as:

File "/work/panos/network.py", line 595, in full_delete elif "__iter__" in dir(obj.interface) and self in obj.interface: TypeError: 'in ' requires string as left operand, not EthernetInterface

Possible solution

StaticRoute's interface attribute gets populated as a string, whereas the full_delete code appears to expect a list (which is the case for other objects such as VirtualRouter or Zone). Since the str type will also pass the __iter__ check, a more specific type check may be needed to avoid the in test that results at network.py:595.

Steps to reproduce

Minimal pan-os-python reproduction without a live firewall (StaticRoute is being added directly to Firewall for brevity but error still triggers with VirtualRouter):

from panos.network import EthernetInterface, StaticRoute
from panos.firewall import Firewall

firewall = Firewall()
ethernet1 = firewall.add(EthernetInterface("ethernet1/1", mode="layer3"))
ethernet2 = firewall.add(EthernetInterface("ethernet1/2", mode="layer3"))
route = firewall.add(StaticRoute("test", interface="ethernet1/1"))

ethernet2.full_delete()  # generates error

Context

This can be a really tricky situation to avoid since the StaticRoute that triggers the error is unrelated to the interface being changed. Routes targeted at interfaces rather than next-hops can be common in environments with IPSec tunnels, but the interface can also be present in addition to a next-hop for any static route.

Your Environment

Python 3.9.15 pan-os-python 1.7.3

tintedcorals avatar Oct 25 '22 17:10 tintedcorals

:tada: Thanks for opening your first issue here! Welcome to the community!

welcome-to-palo-alto-networks[bot] avatar Oct 25 '22 17:10 welcome-to-palo-alto-networks[bot]

The following fixes the problem for me: In version 1.8.0 in network.py line 594 from elif "__iter__" in dir(obj.interface) and self in obj.interface: to elif "__iter__" in dir(obj.interface) and str(self) in obj.interface:

pechsteinma avatar Jan 19 '23 13:01 pechsteinma