[python]Create and update object groups

I am experimenting a real life example, when server is created the hostname and ip address are assigned by an orchestrator. The orchestrator will then call the python script and pass the hostname to be object entry name and ip address.

This is the code sample. I referred to this link to understand the xml structure, the PA documentation only mention an example for creating a new rule.

The configuration set api required xpath. To find out the xpath use the https://your_PA_firewall/api/ to navigate Configuration Commands > devices > entry[@name='localhost.localdomain'] > vsys > entry[@name='vsys1'] > address

Here’s the code sample, can modify this to be more dynamic.

import requests, time
from bs4 import BeautifulSoup as bs

address_group_xpath = "/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/address-group"
address_xpath = "/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/address"

create_address = """
<entry name="member4">
    <ip-netmask>10.0.0.4</ip-netmask>
</entry>
    <entry name="member5">
    <ip-netmask>10.0.0.5</ip-netmask>
</entry>
<entry name="member6">
    <ip-netmask>10.0.0.6</ip-netmask>
</entry>
"""

create_address_group = """
<entry name="group1">
    <static>
        <member>member4</member>
        <member>member5</member>
        <member>member6</member>
    </static>
</entry>
"""

def get_key(username,password):
    response = requests.get('https://192.168.1.104/api/?type=keygen&user={}&password={}'.format(username,password), verify=False)
    soup = bs(response.content, 'html.parser')
    # store the data inside the <key>element
    pa_key = soup.find('key').text
    return pa_key

key = get_key('admin','admin')

requests.post("https://192.168.1.104/api?type=config&action=set&key={}&xpath={}&element={}".format(key,address_xpath,create_address), verify=False)
time.sleep(3)
requests.post("https://192.168.1.104/api/?type=config&action=set&key={}&xpath={}&element={}".format(key,address_group_xpath,create_address_group), verify=False)

You need to commit on the PAN OS UI, either on PA firewall locally or through Panorama, depending the destination of the rest api. For this code sample the destination is directly to firewall.

How it looks like:
Snip20171112_1.png

Snip20171112_4

Advertisements
This entry was posted in Python, Scripting and tagged , . Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s