cannot get opstate working for SecurityRule

Open FliesLikeABrick opened this issue 6 months ago • 4 comments

Documentation link

https://pan-os-python.readthedocs.io/en/latest/getting-started.html#the-opstate-namespace

Describe the problem

hit_count.refresh() reliably results in hit_count still being None, with no values being populated

import panos.policies

rulebase = panos.policies.Rulebase()
fw = ce.nodes["nat-gw1.iad.internal-domain"].interactor.obj
fw.add(rulebase)
rulebase.refresh()
for rule in rulebase.children:
    if isinstance(rule, panos.policies.SecurityRule):
        rule.opstate.hit_count.refresh()
        hit_count = rule.opstate.hit_count
        print(f"Hit count for rule '{rule.name}': {hit_count}")

Output:

Hit count for rule 'APP_FRONT_DEVOPS_UNTRUST_OUT': None
Hit count for rule 'DEVOPS_BASELINE_PING_UNTRUST': None
Hit count for rule 'DEVOPS_BASTION_DNS': None
Hit count for rule 'DEVOPS_BASELINE_YUM_NSS': None
Hit count for rule 'DEVOPS_BASELINE_YUM_NSS-EXEMPT': None
Hit count for rule 'DEVOPS_BASELINE_YUM_NSS-new': None
...

Suggested fix

The documentation at https://pan-os-python.readthedocs.io/en/latest/getting-started.html#the-opstate-namespace has a number of examples of making changes to opstate via objects, but I believe it may be missing a fundamental step about what needs to be done to refresh/fetch data from the firewall, for a simple use case such as getting security policy hit counters.

FliesLikeABrick, May 27 '25 17:05

(As of now, we are still unable to figure out how to retrieve hit count data)

FliesLikeABrick, May 29 '25 14:05

@shinmog would you or someone be able to help provide some direction on how I might get help with this? I'm happy to open doc PR(s) if I can get this functionality working to unblock our project

FliesLikeABrick, Jun 02 '25 14:06

@btorresgil sorry to ping you directly, but this is a weird issue we are hung up on and I could use some kind of direction if you are able to weigh in

FliesLikeABrick, Jun 17 '25 18:06

After rulebase.refresh(), try rulebase.opstate.hit_count.refresh("security"). Then something like the following should work:

from panos.policies import SecurityRule

for rule in rulebase.findall(SecurityRule):
    print(f"Hit count for rule '{rule.name}': {rule.opstate.hit_count.hit_count}")

rebelfish, Jun 18 '25 14:06
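
The two-step refresh from the answer above, wrapped in a helper that fails loudly if counters are still None and lists zero-hit rules for review. This is an added example, not code from the thread or from pan-os-python; it uses only the calls shown in this thread, and `FakeRule`, `FakeRulebase` and the counter values are constructed stand-ins so it runs without a firewall.

```python
from types import SimpleNamespace

def collect_hit_counts(rulebase, rule_class, style="security"):
    """Return {rule name: hit count} via the two refresh calls from the thread."""
    rulebase.refresh()                         # 1) load the rule objects (config)
    rulebase.opstate.hit_count.refresh(style)  # 2) load counters for the rulebase
    counts, missing = {}, []
    for rule in rulebase.findall(rule_class):
        hits = rule.opstate.hit_count.hit_count
        if hits is None:                       # the symptom reported in the issue
            missing.append(rule.name)
        else:
            counts[rule.name] = hits
    if missing:
        raise RuntimeError("no hit-count data for: " + ", ".join(missing))
    return counts

def unused_rules(counts):
    """Names of rules with zero recorded hits (candidates for review)."""
    return sorted(name for name, hits in counts.items() if hits == 0)

# --- constructed stand-ins so the example runs offline (not pan-os-python classes) ---
class FakeRule:
    def __init__(self, name):
        self.name = name
        self.opstate = SimpleNamespace(hit_count=SimpleNamespace(hit_count=None))

class FakeRulebase:
    """Counters stay None until the rulebase-level refresh, as seen in the thread."""
    def __init__(self, device_counters):
        self._device = device_counters
        self.children = []
        self.opstate = SimpleNamespace(hit_count=SimpleNamespace(refresh=self._load))

    def refresh(self):
        self.children = [FakeRule(name) for name in self._device]

    def findall(self, cls):
        return [c for c in self.children if isinstance(c, cls)]

    def _load(self, style):
        for rule in self.children:
            rule.opstate.hit_count.hit_count = self._device[rule.name]

# Rule names from the issue; the counter values are constructed sample data.
SAMPLE = {"DEVOPS_BASTION_DNS": 1520, "DEVOPS_BASELINE_PING_UNTRUST": 0,
          "DEVOPS_BASELINE_YUM_NSS": 87}

if __name__ == "__main__":
    counts = collect_hit_counts(FakeRulebase(SAMPLE), FakeRule)
    print(counts, unused_rules(counts))
```

Against a real device, pass the `Rulebase` that was added to the firewall object and `SecurityRule` as the rule class, as in the answer above.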

That did work. Is there documentation in this repo or another repo that can be updated with some explanation? I genuinely would offer to open a PR for doc improvements, but do not have the knowledge or terminology to convey what the different refresh commands are doing and why they are both necessary

FliesLikeABrick, Aug 05 '25 20:08

Other than Readthedocs.io, I know of no other documentation. I often find myself stuck trying to figure out the syntax and wish there was a way to publish the examples when I finally figure out something that isn't clearly documented.

rebelfish, Aug 06 '25 18:08