def main():
args = get_cli_arguments()
setup_logging(args)
# The Panorama object. This is the root object of the config tree.
pano = panorama.Panorama(
hostname=HOSTNAME,
api_key=APIKEY,
)
# Add the devicegroup as a child of the Panorama
if args.devicegroup is not None:
scope = pano.add(panorama.DeviceGroup(args.devicegroup))
else:
scope = pano
# Create a security rule in the required scope
rulebase = scope.add(policies.PreRulebase())
rule = rulebase.add(
policies.SecurityRule(
args.name,
args.szone,
args.dzone,
source=args.saddr,
destination=args.daddr,
application=args.application,
action=args.action,
log_setting=args.log,
group=args.group,
virus=args.virus,
spyware=args.spyware,
vulnerability=args.threat,
url_filtering=args.url,
file_blocking=args.file,
wildfire_analysis=args.wildfire,
data_filtering=args.data,
tag=args.tag,
description=args.description,
))
# Push the new security rule to the live Panorama device
rule.create()
if args.above is not None:
pano.xapi.move(rule.xpath(), "before", args.above)
def create_security_rule(**kwargs):
"""
Create a security rule object and return
the object handle
"""
security_rule = policies.SecurityRule(
name=kwargs['rule_name'],
description=kwargs['description'],
fromzone=kwargs['source_zone'],
#source=kwargs['source_ip'],
source_user=kwargs['source_user'],
hip_profiles=kwargs['hip_profiles'],
tozone=kwargs['destination_zone'],
destination=kwargs['destination_ip'],
application=kwargs['application'],
service=kwargs['service'],
category=kwargs['category'],
log_start=kwargs['log_start'],
log_end=kwargs['log_end'],
action=kwargs['action'],
type=kwargs['rule_type']
)
if 'tag_name' in kwargs:
security_rule.tag = kwargs['tag_name']
# profile settings
if 'group_profile' in kwargs:
security_rule.group = kwargs['group_profile']
else:
if 'antivirus' in kwargs:
security_rule.virus = kwargs['antivirus']
if 'vulnerability' in kwargs:
security_rule.vulnerability = kwargs['vulnerability']
if 'spyware' in kwargs:
security_rule.spyware = kwargs['spyware']
if 'url_filtering' in kwargs:
security_rule.url_filtering = kwargs['url_filtering']
if 'file_blocking' in kwargs:
security_rule.file_blocking = kwargs['file_blocking']
if 'data_filtering' in kwargs:
security_rule.data_filtering = kwargs['data_filtering']
if 'wildfire_analysis' in kwargs:
security_rule.wildfire_analysis = kwargs['wildfire_analysis']
return security_rule
def from_criteria(cls, criteria):
"""Create an instance from the provided criteria
"""
logging_criteria = criteria.get('logging', [])
pandevice_object = policies.SecurityRule()
pandevice_object.name = criteria['name']
pandevice_object.description = criteria.get('description', '')
pandevice_object.action = criteria[
'action'] # we expect it to be human readable at this point, map it later
if 'start' in logging_criteria or 'both' in logging_criteria:
pandevice_object.log_start = True
if 'end' in logging_criteria or 'both' in logging_criteria:
pandevice_object.log_end = True
return cls(pandevice_object)
if process_name in line:
return line
pano = panorama.Panorama('10.46.164.193', 'zmacharia', 'paloalto')
dallas_dg = panorama.DeviceGroup('Test') # creating device group object
pano.add(dallas_dg) # adding device group to the panorama object
rulebase = policies.PreRulebase()
dallas_dg.add(rulebase)
rules = policies.SecurityRule.refreshall(rulebase, add=False)
print(f'Before loop: {display_process_id("configd")}')
print(f'Starting timestamp: {datetime.datetime.now()}')
t1_start = time.process_time()
for rule in rules:
if rule.log_setting is None:
rulebase.add(policies.SecurityRule(rule.name,
log_setting='default')).create()
rule.log_setting = None
rule.tozone = 'L3-Untrust'
rule.fromzone = 'L3-Trust'
rule.apply()
t1_stop = time.process_time()
print(f'After loop: {display_process_id("configd")}')
print(f'Stopping timestamp: {datetime.datetime.now()}')
print(f'Elapsed time: {t1_stop-t1_start}')
pano = panorama.Panorama('10.46.164.193', 'zmacharia', 'paloalto')
def display_process_id(process_name):
output_bytes = pano.op('show system software status', xml=True)
output_str = output_bytes.decode('utf-8')
output_lines = output_str.split('\n')
for line in output_lines:
if process_name in line:
return line
display_process_id('configd')
test_dg = panorama.DeviceGroup('Test2') # creating device group object
pano.add(test_dg) # adding device group to the panorama object
rulebase = policies.PreRulebase() # this is a PreRulebase container
test_dg.add(rulebase) # adding the container object to the device group
for rule_number in range(1, 1801):
rule_parameters = [
'test' + str(rule_number), 'L3-Trust', 'L3-Untrust', 'allow'
]
new_rule = policies.SecurityRule(name=rule_parameters[0],
fromzone=rule_parameters[1],
tozone=rule_parameters[2],
action=rule_parameters[3])
rulebase.add(new_rule)
new_rule.create()
