Ejemplo n.º 1
    def fix_nat(self, host, user, pw):
        """Run the NAT and security rule fix-ups over every device group.

        Connects to the Panorama at *host* with the supplied *user* / *pw*,
        loads its device groups, and for each group hands the pre-rulebase
        NAT rules to ``self.fix_nat_rules`` and the pre-rulebase security
        rules to ``self.fix_security_rules``.

        The credentials are whatever the caller passes in; nothing here
        stores or logs them. What the two fix-up helpers change is not
        visible in this listing.
        """
        panorama_conn = panorama.Panorama(host, user, pw)
        # add=True attaches the fetched device groups to panorama_conn, which
        # is why the loop below can walk panorama_conn.children.
        panorama.DeviceGroup.refreshall(panorama_conn, add=True)

        for device_group in panorama_conn.children:
            pre_rules = policies.PreRulebase()
            device_group.add(pre_rules)

            # NAT rules are fetched and processed before the security rules.
            self.fix_nat_rules(
                device_group, policies.NatRule.refreshall(pre_rules))
            self.fix_security_rules(
                device_group, policies.SecurityRule.refreshall(pre_rules))
Ejemplo n.º 2
def get_rulebase(device, devicegroup):
    """Attach a rulebase to *device* and load its security rules.

    For a ``Firewall`` a plain ``Rulebase`` is added directly to the device.
    For a ``Panorama`` a ``DeviceGroup`` named *devicegroup* is added first
    and a ``PreRulebase`` is placed under it. In both cases the security
    rules are then refreshed into the rulebase, which is returned.

    Returns ``False`` for any other device type, so callers have to check
    the result before using it as a rulebase.
    """
    if isinstance(device, pandevice.firewall.Firewall):
        # Firewalls hold their rulebase directly; devicegroup is unused here.
        parent, container = device, pandevice.policies.Rulebase()
    elif isinstance(device, pandevice.panorama.Panorama):
        parent = panorama.DeviceGroup(devicegroup)
        device.add(parent)
        container = policies.PreRulebase()
    else:
        return False

    parent.add(container)
    policies.SecurityRule.refreshall(container)
    return container
Ejemplo n.º 3
def main():
    """Create one pre-rulebase security rule on Panorama from CLI arguments.

    The rule is placed in the device group named by ``args.devicegroup`` when
    one is given, otherwise directly under the Panorama object. When
    ``args.above`` is set the new rule is then moved before that rule.
    """
    args = get_cli_arguments()
    setup_logging(args)

    # The Panorama object is the root of the config tree.
    # NOTE(review): HOSTNAME and APIKEY are defined outside this listing; an
    # API key grants configuration access to the management plane, so confirm
    # it is loaded from the environment or a secret store rather than written
    # into the file.
    pano = panorama.Panorama(hostname=HOSTNAME, api_key=APIKEY)

    # Pick the scope: the named device group, or the Panorama itself.
    if args.devicegroup is None:
        scope = pano
    else:
        scope = pano.add(panorama.DeviceGroup(args.devicegroup))

    rulebase = scope.add(policies.PreRulebase())

    # Every value below comes straight from the command line. Arguments left
    # unset reach SecurityRule as whatever get_cli_arguments defaults them to
    # (not shown here), which includes the log setting and the threat profile
    # fields.
    rule_options = {
        "source": args.saddr,
        "destination": args.daddr,
        "application": args.application,
        "action": args.action,
        "log_setting": args.log,
        "group": args.group,
        "virus": args.virus,
        "spyware": args.spyware,
        "vulnerability": args.threat,
        "url_filtering": args.url,
        "file_blocking": args.file,
        "wildfire_analysis": args.wildfire,
        "data_filtering": args.data,
        "tag": args.tag,
        "description": args.description,
    }
    rule = rulebase.add(
        policies.SecurityRule(args.name, args.szone, args.dzone, **rule_options)
    )

    # Push the new security rule to the live Panorama device.
    rule.create()

    # Rule order decides which rule matches first, so placement is part of
    # the policy change, not a cosmetic step.
    if args.above is not None:
        pano.xapi.move(rule.xpath(), "before", args.above)
def display_process_id(process_name):
    """Return the first status line that mentions *process_name*.

    Runs ``show system software status`` through the module-level ``pano``
    connection, decodes the reply as UTF-8 and scans it line by line. The
    match is a plain substring test, so a name that is contained in another
    process name matches that line too. Returns ``None`` when no line
    matches.
    """
    reply = pano.op('show system software status', xml=True)
    status_lines = reply.decode('utf-8').split('\n')
    return next(
        (entry for entry in status_lines if process_name in entry), None)


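import os

# The administrator username and password are read from the environment
# instead of being written into the script: a literal password is readable by
# anyone who can read the file and stays in version-control history after it
# is changed. The variable names are constructed for this example. A missing
# variable raises KeyError before any connection is attempted. A password
# that has already appeared in a shared copy of this script should be rotated.
pano = panorama.Panorama('10.46.164.193',
                         os.environ['PANORAMA_USERNAME'],
                         os.environ['PANORAMA_PASSWORD'])

dallas_dg = panorama.DeviceGroup('Test')  # creating device group object
pano.add(dallas_dg)  # adding device group to the panorama object

rulebase = policies.PreRulebase()
dallas_dg.add(rulebase)

# add=False: the fetched rules are returned as a list and are not attached to
# rulebase as children.
rules = policies.SecurityRule.refreshall(rulebase, add=False)

# Record the configd status line and the start time before the bulk edit.
print(f'Before loop: {display_process_id("configd")}')
print(f'Starting timestamp: {datetime.datetime.now()}')
t1_start = time.process_time()
for rule in rules:
    if rule.log_setting is None:
        # Rules without a log forwarding profile get 'default' written by a
        # same-named rule object.
        rulebase.add(policies.SecurityRule(rule.name,
                                           log_setting='default')).create()
    # NOTE(review): log_setting is reset to None on every rule and then
    # applied, which looks like it undoes the 'default' profile set just
    # above and clears any profile the rule already had. The zones of every
    # rule in the device group are also overwritten. This reads like a load
    # test against a lab device group; confirm before pointing it at a
    # rulebase whose logging or zoning matters.
    rule.log_setting = None
    rule.tozone = 'L3-Untrust'
    rule.fromzone = 'L3-Trust'
    rule.apply()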
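import os

# The administrator username and password are read from the environment
# instead of being written into the script: a literal password is readable by
# anyone who can read the file and stays in version-control history after it
# is changed. The variable names are constructed for this example. A missing
# variable raises KeyError before any connection is attempted. A password
# that has already appeared in a shared copy of this script should be rotated.
pano = panorama.Panorama('10.46.164.193',
                         os.environ['PANORAMA_USERNAME'],
                         os.environ['PANORAMA_PASSWORD'])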


def display_process_id(process_name):
    """Look up *process_name* in the Panorama software status output.

    Issues ``show system software status`` on the module-level ``pano``
    object, decodes the returned bytes as UTF-8, and returns the first line
    containing *process_name* as a substring. Falls through to ``None`` when
    nothing matches.
    """
    status_text = pano.op('show system software status', xml=True).decode('utf-8')
    matching = [row for row in status_text.split('\n') if process_name in row]
    return matching[0] if matching else None


# The returned status line is discarded here; only the op call is exercised.
display_process_id('configd')

# Device group 'Test2' and its pre-rulebase container, built top-down.
test_dg = panorama.DeviceGroup('Test2')
pano.add(test_dg)

rulebase = policies.PreRulebase()
test_dg.add(rulebase)

# Bulk fixture: 1800 rules named test1 .. test1800, one create() call each.
# Every rule is an 'allow' from L3-Trust to L3-Untrust, and no address,
# application or log setting is passed, so those fields stay at the SDK
# defaults. That makes this suitable for a lab device group only.
for rule_number in range(1, 1801):
    rule_parameters = [f'test{rule_number}', 'L3-Trust', 'L3-Untrust', 'allow']
    rule_name, from_zone, to_zone, rule_action = rule_parameters
    new_rule = rulebase.add(
        policies.SecurityRule(name=rule_name,
                              fromzone=from_zone,
                              tozone=to_zone,
                              action=rule_action))
    new_rule.create()