def get_rulebase(device, devicegroup):
# Build the rulebase
if isinstance(device, firewall.Firewall):
rulebase = policies.Rulebase()
device.add(rulebase)
elif isinstance(device, panorama.Panorama):
dg = panorama.DeviceGroup(devicegroup)
device.add(dg)
rulebase = policies.PreRulebase()
dg.add(rulebase)
else:
return False
policies.SecurityRule.refreshall(rulebase)
return rulebase
group.static_value.append(address.name)
fw.add(group)
group.create()
print("14. Saved Address groups")
# add the static router to the VirtualRouter #########################################
# This is how it should work, but an exception is thrown saying
# static-route is already in use for some reason.
#
# vr.extend(static_route_arr)
# static_route_arr[0].create_similar()
# So instead, this is used.
for route in static_route_arr:
vr.add(route)
route.create()
print("15. Saved Static routes")
# Add Firewall Rule to FW ############################################################
rb = policies.Rulebase()
fw.add(rb)
rb.extend(firewall_rule_arr)
firewall_rule_arr[0].create_similar()
print("16. Saved Firewall rules")
print("Yay! Script is done! Now commit your changes on the firewall.")
def main():
argument_spec = dict(
ip_address=dict(required=True),
password=dict(no_log=True),
username=dict(default="admin"),
api_key=dict(no_log=True),
application=dict(default=None),
source_zone=dict(default=None),
destination_zone=dict(default=None),
source_ip=dict(default=None),
destination_ip=dict(default=None),
source_port=dict(default=None),
destination_port=dict(default=None),
protocol=dict(default=None, choices=["tcp", "udp"]),
tag_name=dict(default=None),
devicegroup=dict(default=None),
)
module = AnsibleModule(
argument_spec=argument_spec,
supports_check_mode=False,
required_one_of=[["api_key", "password"]],
)
module.deprecate(
"This module has been deprecated; use panos_match_rule",
version="3.0.0",
collection_name="paloaltonetworks.panos",
)
if not HAS_LIB:
module.fail_json(msg="Missing required libraries.")
ip_address = module.params["ip_address"]
password = module.params["password"]
username = module.params["username"]
api_key = module.params["api_key"]
# application = module.params['application']
source_zone = module.params["source_zone"]
source_ip = module.params["source_ip"]
source_port = module.params["source_port"]
destination_zone = module.params["destination_zone"]
destination_ip = module.params["destination_ip"]
destination_port = module.params["destination_port"]
protocol = module.params["protocol"]
tag_name = module.params["tag_name"]
devicegroup = module.params["devicegroup"]
# Create the device with the appropriate pandevice type
device = base.PanDevice.create_from_device(
ip_address, username, password, api_key=api_key
)
# Grab the global objects
objects.AddressObject.refreshall(device)
objects.AddressGroup.refreshall(device)
objects.ServiceObject.refreshall(device)
objects.ServiceGroup.refreshall(device)
objects.Tag.refreshall(device)
# If Panorama, validate the devicegroup and grab the devicegroup objects
dev_group = None
if devicegroup and isinstance(device, panorama.Panorama):
dev_group = get_devicegroup(device, devicegroup)
if dev_group:
device.add(dev_group)
objects.AddressObject.refreshall(dev_group)
objects.AddressGroup.refreshall(dev_group)
objects.ServiceObject.refreshall(dev_group)
objects.ServiceGroup.refreshall(dev_group)
objects.Tag.refreshall(dev_group)
else:
module.fail_json(
failed=1,
msg="'%s' device group not found in Panorama. Is the name correct?"
% devicegroup,
)
# Build the rulebase and produce list
rulebase = get_rulebase(device, dev_group)
rulelist = rulebase.children
hitbase = policies.Rulebase()
loose_match = True
# Process each rule
for rule in rulelist:
hitlist = []
if source_zone:
source_zone_match = False
if loose_match and "any" in rule.fromzone:
source_zone_match = True
else:
for object_string in rule.fromzone:
if object_string == source_zone:
source_zone_match = True
hitlist.append(source_zone_match)
if destination_zone:
destination_zone_match = False
if loose_match and "any" in rule.tozone:
destination_zone_match = True
else:
for object_string in rule.tozone:
if object_string == destination_zone:
destination_zone_match = True
hitlist.append(destination_zone_match)
if source_ip:
source_ip_match = False
if loose_match and "any" in rule.source:
source_ip_match = True
else:
for object_string in rule.source:
# Get a valid AddressObject or AddressGroup
obj = get_object(device, dev_group, object_string)
# Otherwise the object_string is not an object and should be handled differently
if obj is False:
if "-" in object_string:
obj = ipaddress.ip_address(source_ip)
source_range = object_string.split("-")
source_lower = ipaddress.ip_address(source_range[0])
source_upper = ipaddress.ip_address(source_range[1])
if source_lower <= obj <= source_upper:
source_ip_match = True
else:
if source_ip == object_string:
source_ip_match = True
if isinstance(obj, objects.AddressObject) and addr_in_obj(
source_ip, obj
):
source_ip_match = True
elif isinstance(obj, objects.AddressGroup) and obj.static_value:
for member_string in obj.static_value:
member = get_object(device, dev_group, member_string)
if addr_in_obj(source_ip, member):
source_ip_match = True
hitlist.append(source_ip_match)
if destination_ip:
destination_ip_match = False
if loose_match and "any" in rule.destination:
destination_ip_match = True
else:
for object_string in rule.destination:
# Get a valid AddressObject or AddressGroup
obj = get_object(device, dev_group, object_string)
# Otherwise the object_string is not an object and should be handled differently
if obj is False:
if "-" in object_string:
obj = ipaddress.ip_address(destination_ip)
destination_range = object_string.split("-")
destination_lower = ipaddress.ip_address(
destination_range[0]
)
destination_upper = ipaddress.ip_address(
destination_range[1]
)
if destination_lower <= obj <= destination_upper:
destination_ip_match = True
else:
if destination_ip == object_string:
destination_ip_match = True
if isinstance(obj, objects.AddressObject) and addr_in_obj(
destination_ip, obj
):
destination_ip_match = True
elif isinstance(obj, objects.AddressGroup) and obj.static_value:
for member_string in obj.static_value:
member = get_object(device, dev_group, member_string)
if addr_in_obj(destination_ip, member):
destination_ip_match = True
hitlist.append(destination_ip_match)
if source_port:
source_port_match = False
orientation = "source"
if loose_match and (rule.service[0] == "any"):
source_port_match = True
elif rule.service[0] == "application-default":
source_port_match = False # Fix this once apps are supported
else:
service_list = []
service_list = get_services(
device, dev_group, rule.service, service_list
)
for obj in service_list:
if port_in_svc(orientation, source_port, protocol, obj):
source_port_match = True
break
hitlist.append(source_port_match)
if destination_port:
destination_port_match = False
orientation = "destination"
if loose_match and (rule.service[0] == "any"):
destination_port_match = True
elif rule.service[0] == "application-default":
destination_port_match = False # Fix this once apps are supported
else:
service_list = []
service_list = get_services(
device, dev_group, rule.service, service_list
)
for obj in service_list:
if port_in_svc(orientation, destination_port, protocol, obj):
destination_port_match = True
break
hitlist.append(destination_port_match)
if tag_name:
tag_match = False
if rule.tag:
for object_string in rule.tag:
obj = get_tag(device, dev_group, object_string)
if obj and (obj.name == tag_name):
tag_match = True
hitlist.append(tag_match)
# Add to hit rulebase
if False not in hitlist:
hitbase.add(rule)
# Dump the hit rulebase
if hitbase.children:
output_string = xmltodict.parse(hitbase.element_str())
module.exit_json(
stdout_lines=json.dumps(output_string, indent=2),
msg="%s of %s rules matched"
% (hitbase.children.__len__(), rulebase.children.__len__()),
)
else:
module.fail_json(msg="No matching rules found.")
def eastwesthelper(pa_ip, username, password, pa_type, filename=None):
"""
Main point of entry.
Connect to PA/Panorama.
Grab security rules from pa/pan.
Modify them for intra-zone migration.
"""
for subnet in settings.EXISTING_TRUST_SUBNET:
if subnet.endswith("/32"):
mem.singleip = True
if pa_type == "panorama":
# Grab 'start' time
start = time.perf_counter()
panfw = panorama.Panorama(pa_ip, username, password)
# Grab the Device Groups and Template Names, we don't need Template names.
pa = pa_api.api_lib_pa(pa_ip, username, password, pa_type)
device_group = get_device_group(pa)
pre_rulebase = policies.PreRulebase()
post_rulebase = policies.PostRulebase()
dg = panorama.DeviceGroup(device_group)
dg.add(pre_rulebase)
dg.add(post_rulebase)
panfw.add(dg)
# Grab Objects and Rules
mem.address_object_entries = objects.AddressObject.refreshall(dg, add=False)#,add=False)
mem.address_group_entries = objects.AddressGroup.refreshall(dg, add=False)#,add=False)
#Grabbing the Shared address objects and groups..
shared = panorama.DeviceGroup('shared')
panfw.add(shared)
shared_objects = objects.AddressObject.refreshall(shared, add=False)
mem.address_object_entries += shared_objects
shared_groups = objects.AddressGroup.refreshall(shared, add=False)
mem.address_group_entries += shared_groups
# Add parent DG (like Shared), if used. Ask Chris Evans or me for details.
if settings.OBJ_PARENT_DEVICE_GROUP:
parent_dg = panorama.DeviceGroup(settings.OBJ_PARENT_DEVICE_GROUP)
panfw.add(parent_dg)
parent_objects = objects.AddressObject.refreshall(parent_dg, add=False)
mem.address_object_entries += parent_objects
parent_groups = objects.AddressGroup.refreshall(parent_dg, add=False)
mem.address_group_entries += parent_groups
# GRAB PRE/POST RULES
pre_security_rules = policies.SecurityRule.refreshall(pre_rulebase)#, add=False)
post_security_rules = policies.SecurityRule.refreshall(post_rulebase)#, add=False)
# Modify the rules, Pre & Post
if pre_security_rules:
eastwest_addnew_zone(pre_security_rules, panfw, pre_rulebase)
if post_security_rules:
eastwest_addnew_zone(post_security_rules, panfw, post_rulebase)
elif pa_type == "pa":
# Grab 'start' time
start = time.perf_counter()
panfw = firewall.Firewall(pa_ip, username, password)
# Grab Rules
mem.address_object_entries = objects.AddressObject.refreshall(panfw,add=False)
mem.address_group_entries = objects.AddressGroup.refreshall(panfw,add=False)
rulebase = policies.Rulebase()
panfw.add(rulebase)
security_rules = policies.SecurityRule.refreshall(rulebase)
# Modify the rules
if security_rules:
modified_rules = eastwest_addnew_zone(security_rules, panfw, rulebase)
# Finished
end = time.perf_counter()
runtime = end - start
print(f"Took {runtime} Seconds.\n")
