コード例 #1
    def create_profilepackage(rules, addresses):
        """Build a ProfilePackage fixture holding a single device group, 'test_dg'.

        Args:
            rules: Entries stored as the group's exclusive 'SecurityPreRules'.
            addresses: Entries stored as the group's 'Addresses' objects.

        Returns:
            A ProfilePackage whose only device group is 'test_dg', with the
            placeholder name "fake_firewall" listed as its active child firewall.
        """
        group_name = 'test_dg'

        # defaultdict(list) keeps lookups of unset object types returning [].
        group_objects = collections.defaultdict(list, {
            'Addresses': addresses,
            'all_active_child_firewalls': ["fake_firewall"],
        })
        group_exclusive = collections.defaultdict(list, {
            'SecurityPreRules': rules,
        })

        # api_key is blank, so the fixture embeds no credential.
        # NOTE(review): no_api stays False despite the blank key; presumably the
        # validators run against this fixture never reach the API. Confirm.
        return ProfilePackage(
            api_key='',
            pan_config=PanConfig('<_/>'),
            settings=ConfigurationSettings().get_config(),
            device_group_hierarchy_children={},
            device_group_hierarchy_parent={},
            device_groups_and_firewalls={},
            device_groups=[group_name],
            devicegroup_objects={group_name: group_objects},
            devicegroup_exclusive_objects={group_name: group_exclusive},
            rule_limit_enabled=False,
            no_api=False,
        )
    def create_profilepackage(shared_addresses, shared_addressgroups,
                              shared_securityprerules, shared_natprerules,
                              dg_addresses, dg_securityprerules):
        """Build a ProfilePackage fixture with 'shared' and 'test_dg' objects.

        Only 'shared' is listed in ``device_groups``; 'test_dg' is reachable
        through the 'all_child_device_groups' entry of 'shared'.

        Args:
            shared_addresses: 'Addresses' objects of the 'shared' group.
            shared_addressgroups: 'AddressGroups' objects of the 'shared' group.
            shared_securityprerules: 'SecurityPreRules' of the 'shared' group.
            shared_natprerules: 'NATPreRules' of the 'shared' group.
            dg_addresses: Stored as the 'SecurityPreRules' of 'test_dg'.
            dg_securityprerules: Stored as the 'NATPreRules' of 'test_dg'.

        Returns:
            The assembled ProfilePackage.
        """
        shared_objects = collections.defaultdict(list, {
            'all_child_device_groups': ["shared", "test_dg"],
            'Addresses': shared_addresses,
            'AddressGroups': shared_addressgroups,
            'SecurityPreRules': shared_securityprerules,
            'NATPreRules': shared_natprerules,
        })

        # NOTE(review): the last two parameter names do not match the keys they
        # fill (dg_addresses -> 'SecurityPreRules', dg_securityprerules ->
        # 'NATPreRules'). Presumably callers pass security and NAT rules
        # positionally and the names are stale; confirm before renaming, since
        # a test feeding real addresses here would check the wrong thing.
        test_dg_objects = collections.defaultdict(list, {
            'SecurityPreRules': dg_addresses,
            'NATPreRules': dg_securityprerules,
        })

        # api_key is blank, so the fixture embeds no credential.
        return ProfilePackage(
            api_key='',
            pan_config=PanConfig('<_/>'),
            settings=ConfigurationSettings().get_config(),
            device_group_hierarchy_children={},
            device_group_hierarchy_parent={},
            device_groups_and_firewalls={},
            device_groups=["shared"],
            devicegroup_objects={
                "shared": shared_objects,
                "test_dg": test_dg_objects,
            },
            devicegroup_exclusive_objects={},
            rule_limit_enabled=False,
            no_api=False,
        )
コード例 #3
    def create_profilepackage(allowed_group_profile, pan_config):
        """Build a ProfilePackage fixture for 'test_dg' with an allowed group profile.

        Args:
            allowed_group_profile: Value written to the 'Allowed Group Profiles'
                setting.
            pan_config: Parsed configuration; only read here to fetch the
                'SecurityPreRules' of 'test_dg'.

        Returns:
            A ProfilePackage whose exclusive objects for 'test_dg' hold those
            rules and an empty 'SecurityPostRules' list.
        """
        group_name = 'test_dg'
        pre_rules = pan_config.get_devicegroup_policy('SecurityPreRules',
                                                      group_name)

        settings = ConfigurationSettings().get_config()
        settings['Allowed Group Profiles'] = allowed_group_profile

        exclusive_by_group = {
            group_name: {
                'SecurityPreRules': pre_rules,
                'SecurityPostRules': [],
            },
        }

        # NOTE(review): the package receives a fresh empty PanConfig('<_/>'),
        # not the pan_config argument the rules were read from. Confirm this is
        # intended and that the validator under test only needs the rules.
        return ProfilePackage(
            api_key='',
            pan_config=PanConfig('<_/>'),
            settings=settings,
            device_group_hierarchy_children={},
            device_group_hierarchy_parent={},
            device_groups_and_firewalls={},
            device_groups=[group_name],
            devicegroup_objects={},
            devicegroup_exclusive_objects=exclusive_by_group,
            rule_limit_enabled=False,
            no_api=False,
        )
    def create_profilepackage(pan_config):
        """Wrap ``pan_config`` in a minimal ProfilePackage scoped to 'shared'.

        Args:
            pan_config: Parsed configuration handed to the package unchanged.

        Returns:
            A ProfilePackage with default settings, no device-group objects and
            'shared' as its only device group.
        """
        # api_key is blank, so the fixture embeds no credential.
        return ProfilePackage(
            api_key='',
            pan_config=pan_config,
            settings=ConfigurationSettings().get_config(),
            device_group_hierarchy_children={},
            device_group_hierarchy_parent={},
            device_groups_and_firewalls={},
            device_groups=["shared"],
            devicegroup_objects={},
            devicegroup_exclusive_objects={},
            rule_limit_enabled=False,
            no_api=False,
        )
コード例 #5
 def create_profilepackage(pan_config, mandated_log_profile):
     """Build a ProfilePackage fixture for 'test_dg' with a mandated log profile.

     Args:
         pan_config: Parsed configuration handed to the package unchanged.
         mandated_log_profile: Value written to the 'Mandated Logging Profile'
             setting.

     Returns:
         A ProfilePackage with no device-group objects and 'test_dg' as its
         only device group.
     """
     config_settings = ConfigurationSettings().get_config()
     config_settings['Mandated Logging Profile'] = mandated_log_profile

     # api_key is blank, so the fixture embeds no credential.
     return ProfilePackage(
         api_key='',
         pan_config=pan_config,
         settings=config_settings,
         device_group_hierarchy_children={},
         device_group_hierarchy_parent={},
         device_groups_and_firewalls={},
         device_groups=['test_dg'],
         devicegroup_objects={},
         devicegroup_exclusive_objects={},
         rule_limit_enabled=False,
         no_api=False,
     )
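    def create_profilepackage(services):
        """Build a ProfilePackage fixture whose 'shared' group holds ``services``.

        Args:
            services: Entries stored as the 'Services' objects of 'shared'.

        Returns:
            A ProfilePackage with default settings and 'shared' as its only
            device group.
        """
        devicegroup_objects = {"shared": {'Services': services}}

        # api_key is blank, so the fixture embeds no credential.
        return ProfilePackage(
            api_key='',
            pan_config=PanConfig('<_/>'),
            settings=ConfigurationSettings().get_config(),
            device_group_hierarchy_children={},
            device_group_hierarchy_parent={},
            device_groups_and_firewalls={},
            device_groups=["shared"],
            devicegroup_objects=devicegroup_objects,
            # Was an empty list; the other fixtures and load_config_package
            # all pass a mapping keyed by device group, so use an empty dict.
            devicegroup_exclusive_objects={},
            rule_limit_enabled=False,
            no_api=False,
        )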
コード例 #7
    def create_profilepackage(addresses, ignored_dns_prefixes):
        """Build a ProfilePackage fixture with addresses and ignored DNS prefixes.

        Args:
            addresses: Entries stored as the 'Addresses' objects of 'shared'.
            ignored_dns_prefixes: Iterable of strings; joined with commas into
                the 'Ignored DNS Prefixes' setting.

        Returns:
            A ProfilePackage with 'shared' as its only device group.
        """
        shared_objects = {'Addresses': addresses}

        config_settings = ConfigurationSettings().get_config()
        # The setting is stored as one comma-separated string, not a list.
        prefix_setting = ",".join(ignored_dns_prefixes)
        config_settings['Ignored DNS Prefixes'] = prefix_setting

        # api_key is blank, so the fixture embeds no credential.
        return ProfilePackage(
            api_key='',
            pan_config=PanConfig('<_/>'),
            settings=config_settings,
            device_group_hierarchy_children={},
            device_group_hierarchy_parent={},
            device_groups_and_firewalls={},
            device_groups=["shared"],
            devicegroup_objects={"shared": shared_objects},
            devicegroup_exclusive_objects={},
            rule_limit_enabled=False,
            no_api=False,
        )
    def create_profilepackage(pan_config):
        """Wrap ``pan_config`` in a ProfilePackage with empty 'shared'/'test_dg' objects.

        Both groups get a ``defaultdict(list)``, so any object or policy type
        looked up on them yields an empty list. Only 'shared' is listed in
        ``device_groups``; 'test_dg' appears as one of its child device groups.

        Args:
            pan_config: Parsed configuration handed to the package unchanged.

        Returns:
            The assembled ProfilePackage.
        """
        shared_objects = collections.defaultdict(list, {
            'all_child_device_groups': ["shared", "test_dg"],
        })
        objects_by_group = {
            "shared": shared_objects,
            "test_dg": collections.defaultdict(list),
        }

        # api_key is blank, so the fixture embeds no credential.
        return ProfilePackage(
            api_key='',
            pan_config=pan_config,
            settings=ConfigurationSettings().get_config(),
            device_group_hierarchy_children={},
            device_group_hierarchy_parent={},
            device_groups_and_firewalls={},
            device_groups=["shared"],
            devicegroup_objects=objects_by_group,
            devicegroup_exclusive_objects={},
            rule_limit_enabled=False,
            no_api=False,
        )
    def create_profilepackage(shared_addresses, dg_addresses,
                              shared_address_groups, dg_address_groups):
        """Build a ProfilePackage fixture with 'test_dg' nested under 'shared'.

        Args:
            shared_addresses: 'Addresses' objects of the 'shared' group.
            dg_addresses: 'Addresses' objects of the 'test_dg' group.
            shared_address_groups: 'AddressGroups' objects of 'shared'.
            dg_address_groups: 'AddressGroups' objects of 'test_dg'.

        Returns:
            A ProfilePackage listing both device groups, with 'shared' recorded
            as the parent of 'test_dg'.
        """
        objects_by_group = {
            "shared": {
                'Addresses': shared_addresses,
                'AddressGroups': shared_address_groups,
            },
            "test_dg": {
                'Addresses': dg_addresses,
                'AddressGroups': dg_address_groups,
            },
        }

        # Only the child -> parent mapping is filled in; the children mapping
        # passed below stays empty.
        parent_of = {"test_dg": "shared"}

        # api_key is blank, so the fixture embeds no credential.
        return ProfilePackage(
            api_key='',
            pan_config=PanConfig('<_/>'),
            settings=ConfigurationSettings().get_config(),
            device_group_hierarchy_children={},
            device_group_hierarchy_parent=parent_of,
            device_groups_and_firewalls={},
            device_groups=["shared", "test_dg"],
            devicegroup_objects=objects_by_group,
            devicegroup_exclusive_objects={},
            rule_limit_enabled=False,
            no_api=False,
        )
コード例 #10
def load_config_package(configuration_settings, api_key, device_group, limit, no_api, xml_file=None):
    """Load a firewall-management configuration and assemble its ProfilePackage.

    The configuration is read from a local XML file when ``xml_file`` is given;
    otherwise it is exported through API requests made with ``api_key`` against
    the host stored under the 'panorama' setting.

    Args:
        configuration_settings: Settings mapping; read for 'panorama' in API
            mode and passed through as the package's ``settings``.
        api_key: Credential for the API requests. It is stored on the package
            unchanged and is not logged by this function.
        device_group: If truthy, ``device_groups`` is restricted to this one
            name; objects are still collected for every device group.
        limit: Slice bound applied to each policy list (``None`` keeps all).
        no_api: Forwarded unchanged to the package; it does not choose the
            loading path here (only ``xml_file`` does).
        xml_file: Optional path of an XML configuration to load instead of
            calling the API.

    Returns:
        The populated ProfilePackage.
    """
    if not xml_file:
        # Online mode: export the configuration and the firewall inventory.
        panorama = configuration_settings.get('panorama')
        xml_config = pan_api.export_configuration2(panorama, api_key)
        pan_config = PanConfig(xml_config)
        device_groups_and_firewalls = pan_api.get_device_groups_and_firewalls(panorama, api_key)
        active_firewalls = pan_api.get_active_firewalls(panorama, api_key)

        # Keep, per device group, only the firewalls reported as active.
        active_firewalls_per_devicegroup = collections.defaultdict(list)
        for group_name, members in device_groups_and_firewalls.items():
            active_firewalls_per_devicegroup[group_name] = [
                member for member in members if member in active_firewalls
            ]
    else:
        # Offline mode: the firewall inventory is only available from the API,
        # so both firewall mappings stay empty.
        # NOTE(review): the file content goes to PanConfig as raw text; if
        # exports can come from outside the team, confirm its XML parser
        # refuses DTDs / external entities.
        logger.debug(f"Loading configuration from XML file: {xml_file}")
        with open(xml_file, encoding='utf-8') as fh:
            xml_config = fh.read()
        pan_config = PanConfig(xml_config, True)
        device_groups_and_firewalls = collections.defaultdict(list)
        active_firewalls_per_devicegroup = collections.defaultdict(list)

    hierarchy = pan_config.get_device_groups_hierarchy()
    device_group_hierarchy_children, device_group_hierarchy_parent = hierarchy

    # Map every device group (plus 'shared') to its child device groups.
    all_device_groups = pan_config.get_device_groups() + ['shared']
    devicegroups_to_child_devicegroups = squash_all_devicegroups(
        all_device_groups, device_group_hierarchy_children)

    # Collect the active firewalls across each group's child device groups.
    all_active_firewalls_per_devicegroup = collections.defaultdict(list)
    for parent_name, descendants in devicegroups_to_child_devicegroups.items():
        collected = []
        for descendant in descendants:
            collected += active_firewalls_per_devicegroup[descendant]
        all_active_firewalls_per_devicegroup[parent_name] = collected

    # NOTE(review): a requested device_group is not checked against
    # all_device_groups here; confirm callers reject unknown names.
    device_groups = [device_group] if device_group else all_device_groups

    # devicegroup_objects holds every policy and object entry, per device group.
    devicegroup_objects = {}
    for dg_name in all_device_groups:
        entries = {
            'all_child_device_groups': devicegroups_to_child_devicegroups[dg_name],
            'all_active_child_firewalls': all_active_firewalls_per_devicegroup[dg_name],
        }
        for policy_type in pan_config.SUPPORTED_POLICY_TYPES:
            entries[policy_type] = pan_config.get_devicegroup_policy(policy_type, dg_name)[:limit]
        for object_type in pan_config.SUPPORTED_OBJECT_TYPES:
            entries[object_type] = pan_config.get_devicegroup_object(object_type, dg_name)
        devicegroup_objects[dg_name] = entries

    # Policies exclusive to each device group: entries whose '@uuid' also
    # appears in the parent's list are treated as inherited and dropped.
    # NOTE(review): the parent's list is cut by `limit` as well, so with a rule
    # limit an inherited rule beyond the parent's cut-off would presumably be
    # classed as exclusive. Confirm this is acceptable for limited runs.
    devicegroup_exclusive_objects = {}
    for dg_name in all_device_groups:
        has_parent = dg_name in device_group_hierarchy_parent
        exclusive = {}
        for policy_type in pan_config.SUPPORTED_POLICY_TYPES:
            own_policies = devicegroup_objects[dg_name][policy_type]
            if has_parent:
                parent_name = device_group_hierarchy_parent[dg_name]
                inherited_uuids = {
                    policy.get('@uuid')
                    for policy in devicegroup_objects[parent_name][policy_type]
                }
                exclusive[policy_type] = [
                    policy for policy in own_policies
                    if policy.get('@uuid') not in inherited_uuids
                ]
            else:
                # No parent means nothing can be inherited.
                exclusive[policy_type] = own_policies
        devicegroup_exclusive_objects[dg_name] = exclusive

    return ProfilePackage(
        api_key=api_key,
        pan_config=pan_config,
        settings=configuration_settings,
        device_group_hierarchy_children=device_group_hierarchy_children,
        device_group_hierarchy_parent=device_group_hierarchy_parent,
        device_groups_and_firewalls=device_groups_and_firewalls,
        device_groups=device_groups,
        devicegroup_objects=devicegroup_objects,
        devicegroup_exclusive_objects=devicegroup_exclusive_objects,
        rule_limit_enabled=limit is not None,
        no_api=no_api,
    )