Create/Modify a Security rule has no pre/post validity and no way to insert a rule in a specific location
Documentation link
https://pan.dev/access/api/prisma-access-config/post-sse-config-v-1-security-rules/
Describe the problem
Type: Request for improvement
Description:
This goes back to the requirement of pre/post in the positional statement. The pre/post positional statement only matters in the "Shared" folder and has no validity in any other folder, unless this is eventually going to change to reflect how Device Groups are set up in PanOS. Yet for now, in this case, you can only really put a rule into a folder other than "Shared" through the API call when you specify the location, which ends up setting the folder and position in the object that gets returned. But regardless of whether I put "pre" or "post" in the positional query, the rule I create goes to the bottom of the list every time.
This creates another problem. What if I need this rule above another rule? Inserted? At the top? I'm not able to use pre or post inside a folder other than "Shared", and on top of that I cannot send a call to move or insert a rule in a specific location. This becomes a problem because you also do not return the location of the rule in the order in which it exists. In the GUI you do have the location number of the rule, so I do not know why that information isn't returned in the response, nor why we cannot use that value as a positional value if pre/post really has no validity when making rules outside of "Shared".
So, if I create a rule via the API I still have to ask someone to go into the front end and move the rule to the location it needs to be in. That should all be handled via an API call. And I should be able to tell the location of a rule beyond just pre and post. I should know the folder, pre/post if it's of value outside of "Shared", and the location or number of where the rule falls if the folder actually does value pre/post, which currently it doesn't seem to care about: it can only be entered into the configs via an API, and even though I send that and it responds with the location being in pre or post based on my body, when I then query the folder they are all pre and the rule ends up at the bottom regardless.
Suggested fix
First decide whether you are going to fix the 'pre' and 'post' rulebases inside folders other than 'Shared', similar to how PanOS manages Device Groups. If you are not:
- Determine whether it's worth even requiring that as a query param
- If that is going to be supported, then the rulebase structure and response should reflect that
Once that decision is made, we should get the location of the rule in the response when we query the rulebase:
- Send back either a location# or rule_location_number
- Allow the ability to send an insert or specify the location you want the new rule to be in
- Either have an insert at a number, say 5, and then whatever rule is at 5 gets moved to 6 and all other rules move down one
- Have an insert at the top to make the rule the first in that area (this can be used in conjunction with pre/post, but within a folder an insert at top would just mean you are inserting it at the top of the folder rulebase)
- Have an insert at the bottom, or default to the bottom, where the new rule is put at the bottom
This leads to the way of adjusting a rule. If you provide the ability to insert or move a rule around, then you should also allow the ability to move a rule if that is a part of what you need to do to change a rule. Say you found the placement of a rule incorrect: you should be able to not just adjust the rule's values but also move it to a new location, similar to the statements above when creating.
Created internal bug ADI-17493 for this issue.
Please advise what you feel/determine is the best way forward, as this would be key to orchestrating and synchronizing policies externally and assisting with change control.
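A client-side stand-in for what the issue asks the API to do, as an added example that is not part of the issue, of the linked documentation, or of Palo Alto's own code. It models one folder's rulebase as the array a listing call returns, derives the ordinal the GUI shows from list order (an assumption: that the listing preserves rulebase order), and implements the insert-at-number, insert-at-top/bottom and move-before/after semantics proposed above, plus a reorder plan that turns a current order into a desired one so the moves can be reviewed before any call is issued. The rule names, IDs, folder and object shape are constructed sample data, not fields the API is known to return.

```python
"""Client-side rulebase ordering helper (added example, not from the issue or the API).

Assumptions, not stated by the API docs linked in the issue:
  * a rulebase listing is a JSON array of rule objects in rulebase order, so the
    0-based index in that array is the GUI ordinal minus one;
  * rule objects carry at least "id", "name", "folder" and "position".
The insert/move semantics implemented here are the ones the issue asks for.
"""
from __future__ import annotations

from typing import Dict, List, Optional, Tuple

Rule = Dict[str, str]

# Constructed sample listing for one folder; the API-created rule landed last.
SAMPLE_RULEBASE: List[Rule] = [
    {"id": "a1", "name": "allow-dns", "folder": "Remote Networks", "position": "pre"},
    {"id": "a2", "name": "allow-web", "folder": "Remote Networks", "position": "pre"},
    {"id": "a3", "name": "deny-all", "folder": "Remote Networks", "position": "pre"},
    {"id": "a4", "name": "allow-vpn-mgmt", "folder": "Remote Networks", "position": "pre"},
]


def rule_ordinals(rules: List[Rule]) -> Dict[str, int]:
    """Map rule name -> 1-based ordinal, the number the GUI shows but the API omits."""
    return {r["name"]: i for i, r in enumerate(rules, start=1)}


def insert_at(rules: List[Rule], rule: Rule, ordinal: int) -> List[Rule]:
    """Insert `rule` so it becomes rule number `ordinal` (1-based); later rules shift down.

    Ordinals past the end append; ordinals below 1 are rejected. Input is not mutated.
    """
    if ordinal < 1:
        raise ValueError("ordinal is 1-based")
    out = list(rules)
    out.insert(min(ordinal - 1, len(out)), rule)
    return out


def insert_top(rules: List[Rule], rule: Rule) -> List[Rule]:
    return insert_at(rules, rule, 1)


def insert_bottom(rules: List[Rule], rule: Rule) -> List[Rule]:
    return insert_at(rules, rule, len(rules) + 1)


def move_rule(rules: List[Rule], name: str, destination: str,
              ref: Optional[str] = None) -> List[Rule]:
    """Move rule `name` to 'top', 'bottom', or 'before'/'after' the rule named `ref`."""
    names = [r["name"] for r in rules]
    if name not in names:
        raise KeyError(f"rule {name!r} not in rulebase")
    moving = rules[names.index(name)]
    out = [r for r in rules if r["name"] != name]
    if destination == "top":
        idx = 0
    elif destination == "bottom":
        idx = len(out)
    elif destination in ("before", "after"):
        if ref is None or ref == name or ref not in names:
            raise KeyError(f"reference rule {ref!r} not in rulebase")
        idx = [r["name"] for r in out].index(ref) + (1 if destination == "after" else 0)
    else:
        raise ValueError(f"unknown destination {destination!r}")
    out.insert(idx, moving)
    return out


def reorder_plan(current: List[Rule], desired: List[str]) -> List[Tuple[str, str, str]]:
    """Return the (name, 'before', ref) moves that turn `current` into the `desired` order.

    The plan is reviewable before any move is issued, and it fails loudly if the two
    sides disagree on which rules exist (a rule missing on either side is a change
    control problem, not something to silently skip).
    """
    if sorted(r["name"] for r in current) != sorted(desired):
        raise ValueError("current and desired rulebases contain different rules")
    plan: List[Tuple[str, str, str]] = []
    work = list(current)
    for i, want in enumerate(desired):
        have = [r["name"] for r in work]
        if have[i] == want:
            continue
        # Slots before i are already correct, so `want` sits after i: pull it forward.
        plan.append((want, "before", have[i]))
        work = move_rule(work, want, "before", have[i])
    return plan
```

Every function returns a new list rather than mutating the listing it was given, so a caller can compute a plan, show it to a reviewer, and only then replay the moves against whatever the API eventually offers.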