def test_device_group_xpath_unchanged():
    """An AddressObject nested Panorama -> DeviceGroup keeps its full xpath."""
    want = (
        "/config/devices/entry[@name='localhost.localdomain']"
        "/device-group/entry[@name='somegroup']"
        "/address/entry[@name='intnet']"
    )
    pan = panorama.Panorama("127.0.0.1")
    group = panorama.DeviceGroup("somegroup")
    addr = objects.AddressObject("intnet", "192.168.0.0/16")
    pan.add(group)
    group.add(addr)
    assert addr.xpath() == want
def get_rulebase(device, devicegroup):
    """Attach a rulebase to *device* and refresh its security rules.

    A ``firewall.Firewall`` gets a plain ``Rulebase`` directly beneath it; a
    ``panorama.Panorama`` gets a ``PreRulebase`` beneath a newly created
    ``DeviceGroup`` named *devicegroup*.  Any other object yields ``False``.

    Returns:
        The populated rulebase, or ``False`` for an unsupported device type.
    """
    if isinstance(device, firewall.Firewall):
        parent = device
        rb = policies.Rulebase()
    elif isinstance(device, panorama.Panorama):
        parent = panorama.DeviceGroup(devicegroup)
        device.add(parent)
        rb = policies.PreRulebase()
    else:
        return False
    parent.add(rb)
    # Populate the rulebase with the SecurityRule children read from the device.
    policies.SecurityRule.refreshall(rb)
    return rb
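def eastwesthelper(pa_ip, username, password, pa_type, filename=None):
    """Main point of entry.

    Connect to a PA firewall or a Panorama, fetch its security rules together
    with the address objects/groups they can reference, and hand the rules to
    ``eastwest_addnew_zone`` for intra-zone migration.  Elapsed time is
    printed when done.

    Args:
        pa_ip: Management address of the firewall or Panorama.
        username: API username.
        password: API password (passed straight through to the SDK).
        pa_type: ``"panorama"`` or ``"pa"``.
        filename: Accepted for interface compatibility; not used here.

    Raises:
        ValueError: if *pa_type* is neither ``"panorama"`` nor ``"pa"``.
            (The original fell through to a ``NameError`` on ``start``.)
    """
    # A single /32 anywhere in the existing trust subnets switches the
    # module-wide "single IP" mode consumed by the rule rewriter.
    if any(subnet.endswith("/32") for subnet in settings.EXISTING_TRUST_SUBNET):
        mem.singleip = True

    # Timer is taken before the branch so it exists on every path.
    start = time.perf_counter()

    if pa_type == "panorama":
        _migrate_panorama(pa_ip, username, password, pa_type)
    elif pa_type == "pa":
        _migrate_firewall(pa_ip, username, password)
    else:
        raise ValueError(
            f"unknown pa_type {pa_type!r}; expected 'panorama' or 'pa'"
        )

    runtime = time.perf_counter() - start
    print(f"Took {runtime} Seconds.\n")


def _migrate_panorama(pa_ip, username, password, pa_type):
    """Panorama path: gather DG, Shared and optional parent-DG objects, then
    rewrite the pre- and post-rulebases of the selected device group."""
    panfw = panorama.Panorama(pa_ip, username, password)

    # Only the device-group name is needed from the REST helper; template
    # names are deliberately ignored.
    pa = pa_api.api_lib_pa(pa_ip, username, password, pa_type)
    device_group = get_device_group(pa)

    pre_rulebase = policies.PreRulebase()
    post_rulebase = policies.PostRulebase()
    dg = panorama.DeviceGroup(device_group)
    dg.add(pre_rulebase)
    dg.add(post_rulebase)
    panfw.add(dg)

    # Objects and groups the rules may reference, read with add=False so they
    # are returned without being attached to the config tree.
    mem.address_object_entries = objects.AddressObject.refreshall(dg, add=False)
    mem.address_group_entries = objects.AddressGroup.refreshall(dg, add=False)

    # Shared objects/groups are visible to every device group.
    shared = panorama.DeviceGroup('shared')
    panfw.add(shared)
    mem.address_object_entries += objects.AddressObject.refreshall(shared, add=False)
    mem.address_group_entries += objects.AddressGroup.refreshall(shared, add=False)

    # Optional parent device group whose objects are inherited, if configured.
    if settings.OBJ_PARENT_DEVICE_GROUP:
        parent_dg = panorama.DeviceGroup(settings.OBJ_PARENT_DEVICE_GROUP)
        panfw.add(parent_dg)
        mem.address_object_entries += objects.AddressObject.refreshall(parent_dg, add=False)
        mem.address_group_entries += objects.AddressGroup.refreshall(parent_dg, add=False)

    pre_rules = policies.SecurityRule.refreshall(pre_rulebase)
    post_rules = policies.SecurityRule.refreshall(post_rulebase)

    if pre_rules:
        eastwest_addnew_zone(pre_rules, panfw, pre_rulebase)
    if post_rules:
        eastwest_addnew_zone(post_rules, panfw, post_rulebase)


def _migrate_firewall(pa_ip, username, password):
    """Standalone firewall path: gather local objects, then rewrite the
    firewall's single security rulebase."""
    panfw = firewall.Firewall(pa_ip, username, password)

    mem.address_object_entries = objects.AddressObject.refreshall(panfw, add=False)
    mem.address_group_entries = objects.AddressGroup.refreshall(panfw, add=False)

    rulebase = policies.Rulebase()
    panfw.add(rulebase)
    rules = policies.SecurityRule.refreshall(rulebase)

    if rules:
        eastwest_addnew_zone(rules, panfw, rulebase)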