pan-os-python

Delete_similar() not working in 10.1.X

Open rebelfish opened this issue 1 year ago • 5 comments

Describe the bug

A script using .delete_similar() worked against 9.1.X but was recently discovered to not be working against 10.1.7. The script has not changed. Only the PAN-OS upgrade.

Expected behavior

Cycling through a dict of DeviceGroups as keys and a list of SecurityRule objects as the value:

for dg in dictRules:
    dictRules[dg][0].delete_similar()

This would do an atomic delete per Device Group.

Current behavior

Traceback (most recent call last):
  File "/Library/Frameworks/Python.framework/Versions/3.10/lib/python3.10/site-packages/panos/base.py", line 3878, in method
    super_method(self, *args, **kwargs)
  File "/Library/Frameworks/Python.framework/Versions/3.10/lib/python3.10/site-packages/pan/xapi.py", line 733, in delete
    self.__type_config('delete', query, extra_qs)
  File "/Library/Frameworks/Python.framework/Versions/3.10/lib/python3.10/site-packages/pan/xapi.py", line 805, in __type_config
    raise PanXapiError(self.status_detail)
pan.xapi.PanXapiError: The request could not be handled

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "<pyshell#54>", line 2, in <module>
    dictDisabled[dg][0].delete_similar()
  File "/Library/Frameworks/Python.framework/Versions/3.10/lib/python3.10/site-packages/panos/base.py", line 1993, in delete_similar
    dev.xapi.delete(
  File "/Library/Frameworks/Python.framework/Versions/3.10/lib/python3.10/site-packages/panos/base.py", line 3899, in method
    raise the_exception
panos.errors.PanDeviceXapiError: The request could not be handled

Possible solution

Steps to reproduce

Screenshots

Context

This is part of an automation script that is used to disable a CSV list of rules and then, on a designated day of the month, the script is used to delete those rules if still disabled.

Your Environment

Tested with multiple versions of lxml, pan-os-python, and pan-python (0.16.0, 0.17.0).

rebelfish, May 17 '23 15:05

I am seeing this same issue on 10.1.10.

Reverting back to using the standard delete() on each rule still works, albeit it is much slower than using delete_similar().

scubar, Jun 23 '23 13:06
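Added example (not from the thread or from the pan-os-python project): a wrapper that tries delete_similar() once per device group and, when the API rejects the bulk request, falls back to per-rule delete() while recording which rules were removed, since the fallback is no longer atomic. The function names and the stand-in exception class are assumptions; it also assumes each list holds exactly the rules attached to one parent rulebase and that a failed bulk call leaves the local object tree intact.

```python
"""Bulk rule delete with per-rule fallback (added sketch, not project code)."""
try:
    from panos.errors import PanDeviceXapiError
except ImportError:
    # Stand-in so the sketch runs where pan-os-python is not installed.
    class PanDeviceXapiError(Exception):
        pass


def delete_group_rules(rules):
    """Delete one device group's rules; return (mode, deleted, failed).

    Assumption: every rule in `rules` shares one parent rulebase, as in the
    issue's dictRules[dg] lists, so delete_similar() on the first rule
    covers the whole list.
    """
    if not rules:
        return ("none", [], [])
    names = [r.name for r in rules]
    try:
        rules[0].delete_similar()      # one API call for the whole list
        return ("bulk", names, [])
    except PanDeviceXapiError:
        pass                           # bulk request rejected by this PAN-OS build
    deleted, failed = [], []
    for rule in rules:                 # not atomic: keep a per-rule record
        try:
            rule.delete()
            deleted.append(rule.name)
        except PanDeviceXapiError as exc:
            failed.append((rule.name, str(exc)))
    return ("single", deleted, failed)


def delete_all(dict_rules):
    """Run the cleanup over a {device_group: [SecurityRule, ...]} dict."""
    return {dg: delete_group_rules(rules) for dg, rules in dict_rules.items()}
```

A non-empty `failed` list for a device group means that group was only partly cleaned up and should be reviewed before the change is committed.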

This is not linked to pan-os-python but to PAN-OS itself. After getting some feedback from the TAC, the bulk delete XML API calls have been removed voluntarily starting 10.X because of some wrong behaviour on some object caches. It seems it has been restored (PAN-179059) in the following releases:

  • 10.0.10
  • 10.1.5
  • 10.2.2-h2

Tested on my side on 10.1.9, and it seems it's still not working... Trying to get more inputs.

AnthoBalitrand, Jul 03 '23 13:07

I can confirm that .delete_similar() works as expected on 10.2.4-h3.

scubar, Jul 21 '23 14:07

delete_similar has stopped working again on 10.2.5 and greater in the 10.x.x release train. It also does not work on 11.0.3.

scubar, Nov 30 '23 19:11

I got this feedback from Palo Alto support.

"The support for XML API requests to delete multiple security policies at one shot by, passing the policy names separated by the 'or' operator in the x-path is no longer available."

scubar, Dec 11 '23 15:12