NAPALM get_firewall_policies support
Hi Team!
Not really sure if this is the right way to start :)
Working on a network automation project with Juniper vSRX firewalls. One of the tasks I'm working on is to get firewall policies.
As per https://napalm.readthedocs.io/en/latest/support/, it looks like this is a pending item for all platforms.
Just came up with a very simple version 0.1 extending JunOSDriver as follows:
```python
### junos.py ###
from napalm.junos.junos import JunOSDriver


class CustomJunOSDriver(JunOSDriver):
    """EXTENDING NAPALM JunOS HANDLER TO PARSE FIREWALL POLICIES"""

    def get_firewall_policies(self):
        commands = ['show security policies']
        output = self.cli(commands)
        return_vars = {}
        policy_index = 1
        # Walk the CLI text line by line; each field line updates the
        # current value, and the 'Action' line closes the policy record.
        for line in output['show security policies'].splitlines():
            if 'From zone' in line:
                # e.g. "From zone: trust, To zone: untrust"
                from_zone = line.split(",")[0].split(": ")[1].strip()
                to_zone = line.split(",")[1].split(": ")[1].strip()
            elif 'Policy' in line:
                # Policy name is the first comma-separated field
                policy = line.split(",")[0].split(": ")[1].strip()
            elif 'Source addresses' in line:
                source = line.split(":")[1].strip()
            elif 'Destination addresses' in line:
                destination = line.split(":")[1].strip()
            elif 'Applications' in line:
                application = line.split(":")[1].strip()
            elif 'Action' in line:
                # "Action: deny, log" means logging is enabled
                if 'log' in line:
                    action = line.split(":")[1].split(",")[0].strip()
                    log = 'Yes'
                else:
                    action = line.split(":")[1].strip()
                    log = 'No'
                return_vars[policy_index] = {
                    'From Zone': from_zone,
                    'To Zone': to_zone,
                    'Policy Name': policy,
                    'Source': source,
                    'Destination': destination,
                    'Applications': application,
                    'Action': action,
                    'Log Enabled': log
                }
                policy_index += 1
        return return_vars
```
To launch:
```python
### ibnrisen_nr.py ###
from nornir import InitNornir
from nornir_napalm.plugins.tasks import napalm_get
from nornir_utils.plugins.functions import print_result

nr = InitNornir(config_file="nr_config.yaml")


def get_firewall_policies():
    policies_xls = nr.run(task=napalm_get, getters=['firewall_policies'])
    print_result(policies_xls)


if __name__ == '__main__':
    get_firewall_policies()
```
Sample output:
```
architect@architect-Virtual-Machine:~/Documents/ibnraisen_nr$ /bin/python3 /home/architect/Documents/ibnraisen_nr/ibnrisen_nr.py
napalm_get**********************************************************************
- vSRX-Firewall ** changed : False *********************************************
vvvv napalm_get ** changed : False vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv INFO
{ 'firewall_policies': { 1: { 'Action': 'permit',
                              'Applications': 'any',
                              'Destination': 'any',
                              'From Zone': 'trust',
                              'Log Enabled': 'No',
                              'Policy Name': 'default-permit',
                              'Source': 'any',
                              'To Zone': 'trust'},
                         2: { 'Action': 'permit',
                              'Applications': 'any',
                              'Destination': 'any',
                              'From Zone': 'trust',
                              'Log Enabled': 'No',
                              'Policy Name': 'default-permit',
                              'Source': 'any',
                              'To Zone': 'untrust'},
                         3: { 'Action': 'deny',
                              'Applications': 'any',
                              'Destination': 'any',
                              'From Zone': 'ABC',
                              'Log Enabled': 'Yes',
                              'Policy Name': 'P1',
                              'Source': 'any',
                              'To Zone': 'XYZ'},
                         4: { 'Action': 'deny',
                              'Applications': 'any',
                              'Destination': 'any',
                              'From Zone': 'CDF',
                              'Log Enabled': 'Yes',
                              'Policy Name': 'P2',
                              'Source': 'any',
                              'To Zone': 'JKH'},
                         5: { 'Action': 'deny',
                              'Applications': 'APP1, APP22',
                              'Destination': 'D1',
                              'From Zone': 'ABC',
                              'Log Enabled': 'Yes',
                              'Policy Name': 'NAME1',
                              'Source': 'S1',
                              'To Zone': 'JKH'}}}
^^^^ END napalm_get ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
```
Does any of this make sense to you as a potential contribution?
Thanks!
Agustin
AGUSTIN CICILIANI Network Solutions Consultant CCIE #52116 | DevNet | Data Center | Python Mobile: +54 9 11 4969 3761
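Added example, not part of the original post or of NAPALM: one use for the dictionary shape shown in the sample output is a rule-hygiene audit that flags permit rules using `any` and inter-zone permits without logging. The `SAMPLE` data is constructed (modelled on the output above), and the function names and audit criteria are assumptions chosen for illustration.

```python
# Constructed sample in the same shape as the 'firewall_policies' output above.
SAMPLE = {
    1: {'Action': 'permit', 'Applications': 'any', 'Destination': 'any',
        'From Zone': 'trust', 'Log Enabled': 'No',
        'Policy Name': 'default-permit', 'Source': 'any', 'To Zone': 'untrust'},
    2: {'Action': 'deny', 'Applications': 'APP1, APP22', 'Destination': 'D1',
        'From Zone': 'ABC', 'Log Enabled': 'Yes',
        'Policy Name': 'NAME1', 'Source': 'S1', 'To Zone': 'JKH'},
    3: {'Action': 'permit', 'Applications': 'junos-ssh', 'Destination': 'D1',
        'From Zone': 'ABC', 'Log Enabled': 'No',
        'Policy Name': 'P3', 'Source': 'any', 'To Zone': 'JKH'},
}


def _items(value):
    """Split a comma-separated field ('APP1, APP22') into a set of names."""
    return {v.strip().lower() for v in value.split(',') if v.strip()}


def audit_policies(policies):
    """Return (index, policy name, finding) tuples for risky permit rules.

    The criteria are illustrative assumptions, not a Juniper or NAPALM standard.
    """
    findings = []
    for index, p in sorted(policies.items()):
        if p['Action'] != 'permit':
            continue  # deny/reject rules do not widen exposure
        wide = [f for f in ('Source', 'Destination', 'Applications')
                if 'any' in _items(p[f])]
        if len(wide) == 3:
            findings.append((index, p['Policy Name'], 'permit any/any/any'))
        elif wide:
            findings.append((index, p['Policy Name'],
                             'permit with any in: ' + ', '.join(wide)))
        # Traffic crossing zones with no log leaves no audit trail
        if p['From Zone'] != p['To Zone'] and p['Log Enabled'] != 'Yes':
            findings.append((index, p['Policy Name'],
                             'inter-zone permit without logging'))
    return findings


if __name__ == '__main__':
    for finding in audit_policies(SAMPLE):
        print(finding)
```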