Issue/Help with "Python SDK SecurityRule group and target"
Documentation link
panos.policies.SecurityRule in pan-os-python module
Describe the problem
I'm programming a Python script to retrieve security rules in a Device Group policy from Panorama, and I've noticed some things that differ from or are not included in the documentation. The target attribute in panos.policies.SecurityRule is the important issue and the reason I'm writing here, as I describe below.
panos.policies.SecurityRule.group type
Although the documentation specifies this attribute is a string, the security profile group is returned as a list (with a string)
panos.policies.SecurityRule.target value
The XML API specifies which virtual system alongside the firewall the rule applies to, but the SDK only returns a list with the firewalls' serial number and no information about the virtual systems within that firewall where the rule is applied. This makes it impossible to know which policy has targeted rules included, unless you only use one virtual system per firewall or don't use the target field in any rule
Suggested fix
- As only one security profile group can be provided to a rule, panos.policies.SecurityRule.group could be as easy as adding [0] somewhere
- The SDK needs to look for additional information retrieved from XML API when assigning panos.policies.SecurityRule.target its value, since the virtual system is also specified as an attribute in a tag named "entry" (same as the firewall's serial number, but this tag is a child of the child tag "vsys" of its "entry" tag, e.g. <entry name="SERIAL_NUMBER"><vsys><entry name="VSYS#"/></vsys></entry>). The retrieved list could be a list of tuples with 2 values, dictionaries with 2 keys, or even a list of strings with both serial number and virtual system name concatenated with any separator character
@btorresgil @shinmog @paulmnguyen
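
A sketch of the tuple-based target parsing suggested in the issue, as an added example that is not part of the original post or of pan-os-python. It assumes the rule's target XML has already been fetched from the XML API as text; the `<target>/<devices>` wrapper, the serial numbers, and the function names `parse_rule_targets` and `rule_applies_to` are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not real output. The entry/vsys/entry nesting follows
# the issue text; the <target>/<devices> wrapper and serials are assumptions.
SAMPLE_TARGET_XML = """
<target>
  <devices>
    <entry name="000000000001">
      <vsys>
        <entry name="vsys1"/>
        <entry name="vsys3"/>
      </vsys>
    </entry>
    <entry name="000000000002"/>
  </devices>
</target>
"""


def parse_rule_targets(xml_text):
    """Return (serial, vsys) tuples for a rule's target element.

    A device entry with no <vsys> child yields (serial, None), so callers can
    tell "whole firewall" apart from a specific virtual system.
    """
    root = ET.fromstring(xml_text)
    targets = []
    for device in root.findall("./devices/entry"):
        serial = device.get("name")
        if not serial:
            continue  # skip malformed entries without a serial number
        vsys_names = [v.get("name") for v in device.findall("./vsys/entry")
                      if v.get("name")]
        if vsys_names:
            targets.extend((serial, name) for name in vsys_names)
        else:
            targets.append((serial, None))
    return targets


def rule_applies_to(targets, serial, vsys):
    """True if a rule with these targets applies to serial/vsys.

    Assumption: an empty target list means the rule is untargeted and applies
    everywhere. The target "negate" option is not handled here.
    """
    if not targets:
        return True
    return any(s == serial and v in (None, vsys) for s, v in targets)
```
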