def add_nat(xapi, module, rule_name, from_zone, to_zone,
source, destination, service, dnatxml=None, snatxml=None):
exml = []
if dnatxml:
exml.append(dnatxml)
if snatxml:
exml.append(snatxml)
exml.append("<to><member>%s</member></to>" % to_zone)
exml.append("<from>")
exml = exml + ["<member>%s</member>" % e for e in from_zone]
exml.append("</from>")
exml.append("<source>")
exml = exml + ["<member>%s</member>" % e for e in source]
exml.append("</source>")
exml.append("<destination>")
exml = exml + ["<member>%s</member>" % e for e in destination]
exml.append("</destination>")
exml.append("<service>%s</service>" % service)
exml.append("<nat-type>ipv4</nat-type>")
exml = ''.join(exml)
xapi.set(xpath=_NAT_XPATH % rule_name, element=exml)
return True
def set_publickey(xapi, user, cpkey, pkey):
b64pkey = base64.b64encode(pkey)
e = "<public-key>%s</public-key>" % b64pkey
if cpkey is None:
xapi.set(xpath=_ADMINPROFILE_XPATH % user, element=e)
else:
xapi.edit(xpath=_PKEY_XPATH % user, element=e)
def add_pg(xapi, pg_name, data_filtering, file_blocking, spyware,
url_filtering, virus, vulnerability, wildfire):
if pg_exists(xapi, pg_name):
return False
exml = []
if data_filtering is not None:
exml.append('<data-filtering><member>%s</member></data-filtering>' %
data_filtering)
if file_blocking is not None:
exml.append('<file-blocking><member>%s</member></file-blocking>' %
file_blocking)
if spyware is not None:
exml.append('<spyware><member>%s</member></spyware>' % spyware)
if url_filtering is not None:
exml.append('<url-filtering><member>%s</member></url-filtering>' %
url_filtering)
if virus is not None:
exml.append('<virus><member>%s</member></virus>' % virus)
if vulnerability is not None:
exml.append('<vulnerability><member>%s</member></vulnerability>' %
vulnerability)
if wildfire is not None:
exml.append(
'<wildfire-analysis><member>%s</member></wildfire-analysis>' %
wildfire)
exml = ''.join(exml)
xapi.set(xpath=_PG_XPATH % pg_name, element=exml)
return True
def add_pg(xapi, pg_name, data_filtering, file_blocking, spyware,
url_filtering, virus, vulnerability):
if pg_exists(xapi, pg_name):
return False
exml = []
if data_filtering is not None:
exml.append('<data-filtering><member>%s</member></data-filtering>' %
data_filtering)
if file_blocking is not None:
exml.append('<file-blocking><member>%s</member></file-blocking>' %
file_blocking)
if spyware is not None:
exml.append('<spyware><member>%s</member></spyware>' %
spyware)
if url_filtering is not None:
exml.append('<url-filtering><member>%s</member></url-filtering>' %
url_filtering)
if virus is not None:
exml.append('<virus><member>%s</member></virus>' %
virus)
if vulnerability is not None:
exml.append('<vulnerability><member>%s</member></vulnerability>' %
vulnerability)
exml = ''.join(exml)
xapi.set(xpath=_PG_XPATH % pg_name, element=exml)
return True
def setConfigEntry(fw, xpath, value, module):
if 'hostname' not in fw or 'username' not in fw or 'password' not in fw:
module.fail_json(msg='Device credentials not specified!')
#print('Connecting to device')
try:
xapi = pan.xapi.PanXapi(hostname=fw['hostname'],
api_username=fw['username'],
api_password=fw['password'])
except pan.xapi.PanXapiError as msg:
module.fail_json(msg='pan.xapi.PanXapi: {}'.format(msg))
except Exception as e:
module.fail_json(msg='Exception: {}'.format(e))
#print('Connected to device, setting configuration in path: {}'.format(xpath))
try:
xapi.set(xpath=xpath, element=value)
except pan.xapi.PanXapiError as msg:
if "Unauthorized request" in str(msg): # skip duplicate region set
return True
module.fail_json(msg='pan.xapi.PanXapi (set): {}'.format(msg))
#print('Configuration successfully set!')
return True
def setPanoramaEntry(pn, xpath, value):
if 'hostname' not in pn or 'username' not in pn or 'password' not in pn:
print('Panorama credentials not specified!')
return False
print('Connecting to Panorama')
try:
xapi = pan.xapi.PanXapi(hostname=pn['hostname'],
api_username=pn['username'],
api_password=pn['password'])
except pan.xapi.PanXapiError as msg:
print('pan.xapi.PanXapi: {}'.format(msg))
return False
except Exception as e:
print('Exception: {}'.format(e))
return False
print('Connected to Panorama, setting configuration in path: {}'.format(
xpath))
try:
xapi.set(xpath=xpath, element=value)
except pan.xapi.PanXapiError as msg:
print('pan.xapi.PanXapi (set): {}'.format(msg))
return False
print('Configuration successfully set!')
return True
def set_publickey(xapi, user, cpkey, pkey):
b64pkey = base64.b64encode(pkey)
e = "<public-key>%s</public-key>" % b64pkey
if cpkey is None:
xapi.set(xpath=_ADMINPROFILE_XPATH % user, element=e)
else:
xapi.edit(xpath=_PKEY_XPATH % user, element=e)
def add_nat(xapi, module, rule_name, from_zone, to_zone,
source, destination, service, dnatxml=None, snatxml=None):
exml = []
if dnatxml:
exml.append(dnatxml)
if snatxml:
exml.append(snatxml)
exml.append("<to><member>%s</member></to>" % to_zone)
exml.append("<from>")
exml = exml + ["<member>%s</member>" % e for e in from_zone]
exml.append("</from>")
exml.append("<source>")
exml = exml + ["<member>%s</member>" % e for e in source]
exml.append("</source>")
exml.append("<destination>")
exml = exml + ["<member>%s</member>" % e for e in destination]
exml.append("</destination>")
exml.append("<service>%s</service>" % service)
exml.append("<nat-type>ipv4</nat-type>")
exml = ''.join(exml)
xapi.set(xpath=_NAT_XPATH % rule_name, element=exml)
return True
def add_custom_app(xapi, app_name, host_regex):
if custom_app_exists(xapi, app_name):
return False
xapi.set(xpath=_CUSTOM_APP_XPATH % app_name,
element=_CUSTOM_APP_TEMPLATE % (app_name, host_regex))
return True
def create_template_variable(username, password, panorama_name, variable, value, variable_type, template):
xapi = pan.xapi.PanXapi(api_username = username, \
api_password = password, \
hostname= panorama_name)
xpath = '{0}{1}{2}'.format("/config/devices/entry[@name='localhost.localdomain']/template/entry[@name='", template, "']/variable")
element = '{0}{1}{2}{3}{4}{5}{6}{7}{8}'.format('<entry name="', variable, '"><type><', variable_type, '>', value, '</', variable_type, '></type></entry>')
xapi.set(xpath = xpath, \
element = element)
def add_snat_dipp(xapi, module, rule_name, from_zone, to_zone,
source, destination, service,
translated_address=None, interface_address_ip=None,
interface_address_if=None):
if translated_address is not None and interface_address_if is not None:
module.fail_json(msg="only one of interface_address_if and "
"translated_address should be specified")
if nat_rule_exists(xapi, rule_name):
return False
exml = ["<source-translation>",
"<dynamic-ip-and-port>"]
if interface_address_if is not None:
exml = exml+[
"<interface-address>",
"<interface>%s</interface>" % interface_address_if]
if interface_address_ip is not None:
exml.append("<ip>%s</ip>" % interface_address_ip)
exml.append("</interface-address>")
elif translated_address is not None:
exml.append("<translated-address>")
for t in translated_address:
exml.append("<member>%s</member>" % t)
exml.append("</translated-address>")
else:
module.fail_json(msg="no interface_address_if or "
"translated_address specified")
exml.append('</dynamic-ip-and-port>')
exml.append('</source-translation>')
exml.append("<to><member>%s</member></to>" % to_zone)
exml.append("<from>")
exml = exml+["<member>%s</member>" % e for e in from_zone]
exml.append("</from>")
exml.append("<source>")
exml = exml+["<member>%s</member>" % e for e in source]
exml.append("</source>")
exml.append("<destination>")
exml = exml+["<member>%s</member>" % e for e in destination]
exml.append("</destination>")
exml.append("<service>%s</service>" % service)
exml.append("<nat-type>ipv4</nat-type>")
exml = ''.join(exml)
xapi.set(xpath=_NAT_XPATH % rule_name, element=exml)
return True
def add_tunnel_if(xapi, tunnel_unit, zone_name):
tif_xml = ['<entry name="tunnel.%s"></entry>']
tif_xml = (''.join(tif_xml)) % (tunnel_unit)
xapi.edit(xpath=_TIF_XPATH % tunnel_unit, element=tif_xml)
xapi.set(xpath=_ZONE_XPATH + "[@name='%s']/network/layer3" % zone_name,
element='<member>tunnel.%s</member>' % tunnel_unit)
xapi.set(xpath=_VR_XPATH + "[@name='default']/interface",
element='<member>tunnel.%s</member>' % tunnel_unit)
return True
def add_tunnel_if(xapi, tunnel_unit, zone_name):
tif_xml = ['<entry name="tunnel.%s"></entry>']
tif_xml = (''.join(tif_xml)) % (tunnel_unit)
xapi.edit(xpath=_TIF_XPATH % tunnel_unit, element=tif_xml)
xapi.set(xpath=_ZONE_XPATH+"[@name='%s']/network/layer3" % zone_name,
element='<member>tunnel.%s</member>' % tunnel_unit)
xapi.set(xpath=_VR_XPATH+"[@name='default']/interface",
element='<member>tunnel.%s</member>' % tunnel_unit)
return True
def admin_set(xapi, module, admin_username, admin_password, role):
if admin_password is not None:
xapi.op(cmd='request password-hash password "%s"' % admin_password,
cmd_xml=True)
r = xapi.element_root
phash = r.find(".//phash").text
if role is not None:
rbval = "yes"
if role != "superuser" and role != "superreader":
rbval = ""
ea = admin_exists(xapi, admin_username)
if ea is not None:
# user exists
changed = False
if role is not None:
rb = ea.find(".//role-based")
if rb is not None:
if rb[0].tag != role:
changed = True
xpath = _ADMIN_XPATH % admin_username
xpath += "/permissions/role-based/%s" % rb[0].tag
xapi.delete(xpath=xpath)
xpath = _ADMIN_XPATH % admin_username
xpath += "/permissions/role-based"
xapi.set(xpath=xpath,
element="<%s>%s</%s>" % (role, rbval, role))
if admin_password is not None:
xapi.edit(
xpath=_ADMIN_XPATH % admin_username + "/phash",
element="<phash>%s</phash>" % phash,
)
changed = True
return changed
# setup the non encrypted part of the monitor
exml = []
exml.append("<phash>%s</phash>" % phash)
exml.append("<permissions><role-based><%s>%s</%s>"
"</role-based></permissions>" % (role, rbval, role))
exml = "".join(exml)
# module.fail_json(msg=exml)
xapi.set(xpath=_ADMIN_XPATH % admin_username, element=exml)
return True
def admin_set(xapi, module, admin_username, admin_password, role):
if admin_password is not None:
xapi.op(cmd='request password-hash password "%s"' % admin_password,
cmd_xml=True)
r = xapi.element_root
phash = r.find('.//phash').text
if role is not None:
rbval = "yes"
if role != "superuser" and role != 'superreader':
rbval = ""
ea = admin_exists(xapi, admin_username)
if ea is not None:
# user exists
changed = False
if role is not None:
rb = ea.find('.//role-based')
if rb is not None:
if rb[0].tag != role:
changed = True
xpath = _ADMIN_XPATH % admin_username
xpath += '/permissions/role-based/%s' % rb[0].tag
xapi.delete(xpath=xpath)
xpath = _ADMIN_XPATH % admin_username
xpath += '/permissions/role-based'
xapi.set(xpath=xpath,
element='<%s>%s</%s>' % (role, rbval, role))
if admin_password is not None:
xapi.edit(xpath=_ADMIN_XPATH % admin_username+'/phash',
element='<phash>%s</phash>' % phash)
changed = True
return changed
# setup the non encrypted part of the monitor
exml = []
exml.append('<phash>%s</phash>' % phash)
exml.append('<permissions><role-based><%s>%s</%s>'
'</role-based></permissions>' % (role, rbval, role))
exml = ''.join(exml)
# module.fail_json(msg=exml)
xapi.set(xpath=_ADMIN_XPATH % admin_username, element=exml)
return True
def add_dag(xapi, dag_name, dag_filter):
if addressgroup_exists(xapi, dag_name):
return False
# setup the non encrypted part of the monitor
exml = []
exml.append('<dynamic>')
exml.append('<filter>%s</filter>' % dag_filter)
exml.append('</dynamic>')
exml = ''.join(exml)
xapi.set(xpath=_ADDRGROUP_XPATH % dag_name, element=exml)
return True
def add_dag(xapi, dag_name, dag_filter):
if addressgroup_exists(xapi, dag_name):
return False
# setup the non encrypted part of the monitor
exml = []
exml.append('<dynamic>')
exml.append('<filter>%s</filter>' % dag_filter)
exml.append('</dynamic>')
exml = ''.join(exml)
xapi.set(xpath=_ADDRGROUP_XPATH % dag_name, element=exml)
return True
def add_service(xapi, module, service_name, protocol, port, source_port):
if service_exists(xapi, service_name):
return False
exml = ['<protocol>']
exml.append('<%s>' % protocol)
exml.append('<port>%s</port>' % port)
if source_port:
exml.append('<source-port>%s</source-port>' % source_port)
exml.append('</%s>' % protocol)
exml.append('</protocol>')
exml = ''.join(exml)
xapi.set(xpath=_SERVICE_XPATH % service_name, element=exml)
return True
def push_service(service, context):
xapi = panorama_login()
snippets_dir = Path(os.path.join(settings.BASE_DIR, 'mssp', 'snippets'))
if xapi is None:
print('Could not push service to Panorama')
return False
try:
for snippet in service['snippets']:
xpath = snippet['xpath']
xml_file_name = snippet['file']
xml_full_path = os.path.join(snippets_dir, service['name'],
xml_file_name)
with open(xml_full_path, 'r') as xml_file:
xml_string = xml_file.read()
xml_template = Environment(
loader=BaseLoader()).from_string(xml_string)
xpath_template = Environment(
loader=BaseLoader()).from_string(xpath)
xml_snippet = xml_template.render(context).replace('\n', '')
xpath_string = xpath_template.render(context)
print('Pushing xpath: %s' % xpath_string)
#print('Pushing element: %s' % xml_snippet)
xapi.set(xpath=xpath_string, element=xml_snippet)
# FIXME - We need to fix this
if xapi.status_code == '19' or xapi.status_code == '20':
print('xpath is already present')
elif xapi.status_code == '7':
print('xpath was NOT found')
return False
xapi.commit('<commit/>', sync=True)
print(xapi.xml_result())
return True
except IOError as ioe:
print('Could not open xml snippet file for reading!!!')
# FIXME - raise a decent error here
return False
except pan.xapi.PanXapiError as pxe:
print('Could not push service snippet!')
print(pxe)
return False
def create_gpp_gateway(xapi, module, portal_name, config_name,
type_, gateway_address, manual, description, exists):
entry = []
# entry.append("<entry name='%s'>"%gateway_address)
entry.append("<manual>%s</manual>" % ('yes' if manual else 'no'))
entry.append("<priority>1</priority>")
if description:
entry.append("<description>%s</description>" % description)
# entry.append("<entry/>")
if exists:
xapi.set(xpath=_GW_PATH %
(portal_name, config_name, type_, gateway_address),
element=''.join(entry))
else:
xapi.set(xpath=_GW_PATH %
(portal_name, config_name, type_, gateway_address),
element=''.join(entry))
return True
def create_gpp_gateway(xapi, module, portal_name, config_name,
type_, gateway_address, manual, description, exists):
entry = []
# entry.append("<entry name='%s'>"%gateway_address)
entry.append("<manual>%s</manual>" % ('yes' if manual else 'no'))
entry.append("<priority>1</priority>")
if description:
entry.append("<description>%s</description>" % description)
# entry.append("<entry/>")
if exists:
xapi.set(xpath=_GW_PATH %
(portal_name, config_name, type_, gateway_address),
element=''.join(entry))
else:
xapi.set(xpath=_GW_PATH %
(portal_name, config_name, type_, gateway_address),
element=''.join(entry))
return True
def add_dhcp_if(xapi, if_name, zone_name, create_default_route):
if_xml = [
'<entry name="%s">', '<layer3>', '<dhcp-client>',
'<create-default-route>%s</create-default-route>', '</dhcp-client>'
'</layer3>'
'</entry>'
]
cdr = 'yes'
if not create_default_route:
cdr = 'no'
if_xml = (''.join(if_xml)) % (if_name, cdr)
xapi.edit(xpath=_IF_XPATH % if_name, element=if_xml)
xapi.set(xpath=_ZONE_XPATH + "[@name='%s']/network/layer3" % zone_name,
element='<member>%s</member>' % if_name)
xapi.set(xpath=_VR_XPATH + "[@name='default']/interface",
element='<member>%s</member>' % if_name)
return True
def add_snat_static_ip(xapi, module, rule_name, from_zone, to_zone,
source, destination, service,
bidirectional, translated_address):
if translated_address is None:
module.fail_json(msg="translated_address not specified")
if nat_rule_exists(xapi, rule_name):
return False
exml = ["<source-translation>",
"<static-ip>"]
exml.append('<bi-directional>%s</bi-directional>' %
('yes' if bidirectional else 'no'))
exml.append('<translated-address>%s</translated-address>' %
translated_address)
exml.append('</static-ip>')
exml.append('</source-translation>')
exml.append("<to><member>%s</member></to>" % to_zone)
exml.append("<from>")
exml = exml+["<member>%s</member>" % e for e in from_zone]
exml.append("</from>")
exml.append("<source>")
exml = exml+["<member>%s</member>" % e for e in source]
exml.append("</source>")
exml.append("<destination>")
exml = exml+["<member>%s</member>" % e for e in destination]
exml.append("</destination>")
exml.append("<service>%s</service>" % service)
exml.append("<nat-type>ipv4</nat-type>")
exml = ''.join(exml)
xapi.set(xpath=_NAT_XPATH % rule_name, element=exml)
return True
def add_dnat(xapi, module, rule_name, from_zone, to_zone,
source, destination, service,
translated_address=None, translated_port=None):
if translated_address is None and translated_port is None:
module.fail_json(msg="at least one of translated_address "
"and translated_port should be specified")
if nat_rule_exists(xapi, rule_name):
return False
exml = ["<destination-translation>"]
if translated_address is not None:
exml.append("<translated-address>%s</translated-address>" %
translated_address)
if translated_port is not None:
exml.append("<translated-port>%s</translated-port>" % translated_port)
exml.append('</destination-translation>')
exml.append("<to><member>%s</member></to>" % to_zone)
exml.append("<from>")
exml = exml+["<member>%s</member>" % e for e in from_zone]
exml.append("</from>")
exml.append("<source>")
exml = exml+["<member>%s</member>" % e for e in source]
exml.append("</source>")
exml.append("<destination>")
exml = exml+["<member>%s</member>" % e for e in destination]
exml.append("</destination>")
exml.append("<service>%s</service>" % service)
exml.append("<nat-type>ipv4</nat-type>")
exml = ''.join(exml)
xapi.set(xpath=_NAT_XPATH % rule_name, element=exml)
return True
def add_awsmonitor(xapi, monitor_name, vpc_id, source,
access_key, secret_access_key):
if vmmonitor_exists(xapi, monitor_name):
return False
# setup the non encrypted part of the monitor
exml = []
exml.append('<AWS-VPC>')
exml.append('<vpc-id>%s</vpc-id>' % vpc_id)
exml.append('<source>%s</source>' % source)
exml.append('<access-key-id>%s</access-key-id>' % access_key)
exml.append('<secret-access-key>%s</secret-access-key>' %
secret_access_key)
exml.append('<disabled>no</disabled>')
exml.append('</AWS-VPC>')
exml = ''.join(exml)
xapi.set(xpath=_VMMONITOR_XPATH % monitor_name, element=exml)
return True
def _set_config(self, config, hostname, xpath):
xapi = pan.xapi.PanXapi(**self._get_pan_credentials(hostname))
try:
xapi.set(xpath=xpath, element=config)
except pan.xapi.PanXapiError as e:
print("{error}".format(error=e))
return False
time.sleep(3)
print("Config: {status}".format(status=xapi.status))
time.sleep(1)
print(
"Applying config on {hostname} with user {username} and password {password}..."
.format(hostname=hostname,
username=self.username,
password=self.password[:1]))
try:
xapi.commit(cmd="<commit></commit>", timeout=10)
except pan.xapi.PanXapiError as e:
print("{error}".format(error=e))
return False
print("Commit: {status}".format(status=xapi.status))
def add_dhcp_if(xapi, if_name, zone_name, create_default_route):
if_xml = [
'<entry name="%s">',
'<layer3>',
'<dhcp-client>',
'<create-default-route>%s</create-default-route>',
'</dhcp-client>'
'</layer3>'
'</entry>'
]
cdr = 'yes'
if not create_default_route:
cdr = 'no'
if_xml = (''.join(if_xml)) % (if_name, cdr)
xapi.edit(xpath=_IF_XPATH % if_name, element=if_xml)
xapi.set(xpath=_ZONE_XPATH + "[@name='%s']/network/layer3" % zone_name,
element='<member>%s</member>' % if_name)
xapi.set(xpath=_VR_XPATH + "[@name='default']/interface",
element='<member>%s</member>' % if_name)
return True
def add_static_route(xapi, vr_name, sr_name, destination, nexthop, nexthoptype):
sr_xml = [
'<entry name="%s">',
'<destination>%s</destination>',
'<nexthop>',
'%s',
'</nexthop>',
'</entry>',
]
if (nexthoptype == "ip"):
nh_xml = '<ip-address>' + nexthop + '</ip-address>'
elif (nexthoptype == "vr"):
nh_xml = '<next-vr>' + nexthop + '</next-vr>'
else:
return False
sr_xml = (''.join(sr_xml) % (sr_name, destination, nh_xml))
vr_sr_path = _VR_XPATH % vr_name
vr_sr_path += "/routing-table/ip/static-route"
xapi.set(xpath=vr_sr_path, element=sr_xml)
return True
def add_if(xapi, if_name, if_type, if_address, vr_name, zone_name,
create_default_route):
if_xml = ['<entry name="%s">', '<layer3>', '%s', '</layer3>', '</entry>']
if (if_type == "dhcp"):
cdr = 'yes'
if not create_default_route:
cdr = 'no'
if_ip = '<dhcp-client><create-default-route>' + cdr + '</create-default-route></dhcp-client>'
elif (if_type == "static"):
if_ip = '<ip><entry name="' + if_address + '"/></ip>'
else:
return False
if_xml = (''.join(if_xml)) % (if_name, if_ip)
xapi.edit(xpath=_IF_XPATH % if_name, element=if_xml)
xapi.set(xpath=_ZONE_XPATH + "[@name='%s']/network/layer3" % zone_name,
element='<member>%s</member>' % if_name)
xapi.set(xpath=_VR_XPATH + "[@name='" + vr_name + "']/interface",
element='<member>%s</member>' % if_name)
return True
def add_address(xapi, module, address, address_name, description, type, tag):
if address_exists(xapi, address_name):
return False
exml = []
exml.append('<%s>' % type)
exml.append('%s' % address)
exml.append('</%s>' % type)
if description:
exml.append('<description>')
exml.append('%s' % description)
exml.append('</description>')
if tag:
exml.append('<tag>')
exml.append('<member>%s</member>' % tag)
exml.append('</tag>')
exml = ''.join(exml)
xapi.set(xpath=_ADDRESS_XPATH % address_name, element=exml)
return True
def main():
argument_spec = dict(ip_address=dict(required=True),
password=dict(no_log=True),
username=dict(default='admin'),
api_key=dict(no_log=True),
device_ip=dict(default=None),
device_username=dict(no_log=True),
device_password=dict(no_log=True),
device_api_key=dict(no_log=True),
device_serial=dict(default=None),
operation=dict(required=True,
choices=['add', 'delete']))
module = AnsibleModule(argument_spec=argument_spec,
supports_check_mode=False,
required_one_of=[['api_key', 'password']])
if not HAS_LIB:
module.fail_json(msg='Missing required libraries.')
ip_address = module.params["ip_address"]
password = module.params["password"]
username = module.params['username']
api_key = module.params['api_key']
device_ip = module.params['device_ip']
device_username = module.params['device_username']
device_password = module.params['device_password']
device_api_key = module.params['device_api_key']
device_serial = module.params['device_serial']
operation = module.params['operation']
if operation == "add":
try:
if device_serial != "None":
xpath_deviceconfig = "/config/mgt-config/devices"
xapi = pan.xapi.PanXapi(hostname=ip_address,
api_username=username,
api_password=password,
api_key=api_key)
xapi.set(xpath=xpath_deviceconfig,
element='<entry name="%s"></entry>' % device_serial)
else:
cmd = "<show><system><info></info></system></show>"
device = base.PanDevice.create_from_device(
device_ip,
device_username,
device_password,
api_key=device_api_key)
xmldoc = device.op(cmd=cmd, cmd_xml=False)
serial_node = xmldoc.find('./result/system/serial')
serial_text = serial_node.text
xpath_deviceconfig = "/config/mgt-config/devices"
xapi = pan.xapi.PanXapi(hostname=ip_address,
api_username=username,
api_password=password,
api_key=api_key)
xapi.set(xpath=xpath_deviceconfig,
element='<entry name="%s"></entry>' % serial_text)
except PanXapiError:
exc = get_exception()
module.fail_json(msg=exc.message)
module.exit_json(changed=True,
msg='Device \'%s\' successfully added to Panorama')
elif operation == "delete":
try:
module.exit_json(changed=False, msg='Need to develop ')
except PanXapiError:
exc = get_exception()
module.fail_json(msg=exc.message)
module.exit_json(changed=False, msg='Need to develop ')
def main():
try:
signal.signal(signal.SIGPIPE, signal.SIG_DFL)
except AttributeError:
# Windows
pass
set_encoding()
options = parse_opts()
if options['debug']:
logger = logging.getLogger()
if options['debug'] == 3:
logger.setLevel(pan.xapi.DEBUG3)
elif options['debug'] == 2:
logger.setLevel(pan.xapi.DEBUG2)
elif options['debug'] == 1:
logger.setLevel(pan.xapi.DEBUG1)
# log_format = '%(levelname)s %(name)s %(message)s'
log_format = '%(message)s'
handler = logging.StreamHandler()
formatter = logging.Formatter(log_format)
handler.setFormatter(formatter)
logger.addHandler(handler)
if options['cafile'] or options['capath']:
ssl_context = create_ssl_context(options['cafile'], options['capath'])
else:
ssl_context = None
try:
xapi = pan.xapi.PanXapi(timeout=options['timeout'],
tag=options['tag'],
use_http=options['use_http'],
use_get=options['use_get'],
api_username=options['api_username'],
api_password=options['api_password'],
api_key=options['api_key'],
hostname=options['hostname'],
port=options['port'],
serial=options['serial'],
ssl_context=ssl_context)
except pan.xapi.PanXapiError as msg:
print('pan.xapi.PanXapi:', msg, file=sys.stderr)
sys.exit(1)
if options['debug'] > 2:
print('xapi.__str__()===>\n', xapi, '\n<===', sep='', file=sys.stderr)
extra_qs_used = False
try:
if options['keygen']:
action = 'keygen'
if options['ad_hoc'] is not None:
extra_qs_used = True
xapi.keygen(extra_qs=options['ad_hoc'])
print_status(xapi, action)
print_response(xapi, options)
if (options['api_username'] and options['api_password']
and options['hostname'] and options['tag']):
# .panrc
d = datetime.now()
print('# %s generated: %s' % (os.path.basename(
sys.argv[0]), d.strftime('%Y/%m/%d %H:%M:%S')))
print('hostname%%%s=%s' %
(options['tag'], options['hostname']))
print('api_key%%%s=%s' % (options['tag'], xapi.api_key))
else:
print('API key: "%s"' % xapi.api_key)
if options['show']:
action = 'show'
if options['ad_hoc'] is not None:
extra_qs_used = True
xapi.show(xpath=options['xpath'], extra_qs=options['ad_hoc'])
print_status(xapi, action)
print_response(xapi, options)
if options['get']:
action = 'get'
if options['ad_hoc'] is not None:
extra_qs_used = True
xapi.get(xpath=options['xpath'], extra_qs=options['ad_hoc'])
print_status(xapi, action)
print_response(xapi, options)
if options['delete']:
action = 'delete'
if options['ad_hoc'] is not None:
extra_qs_used = True
xapi.delete(xpath=options['xpath'], extra_qs=options['ad_hoc'])
print_status(xapi, action)
print_response(xapi, options)
if options['edit']:
action = 'edit'
if options['ad_hoc'] is not None:
extra_qs_used = True
xapi.edit(xpath=options['xpath'],
element=options['element'],
extra_qs=options['ad_hoc'])
print_status(xapi, action)
print_response(xapi, options)
if options['set']:
action = 'set'
if options['ad_hoc'] is not None:
extra_qs_used = True
xapi.set(xpath=options['xpath'],
element=options['element'],
extra_qs=options['ad_hoc'])
print_status(xapi, action)
print_response(xapi, options)
if options['dynamic-update']:
action = 'dynamic-update'
kwargs = {
'cmd': options['cmd'],
}
if options['ad_hoc'] is not None:
extra_qs_used = True
kwargs['extra_qs'] = options['ad_hoc']
if len(options['vsys']):
kwargs['vsys'] = options['vsys'][0]
xapi.user_id(**kwargs)
print_status(xapi, action)
print_response(xapi, options)
if options['move'] is not None:
action = 'move'
if options['ad_hoc'] is not None:
extra_qs_used = True
xapi.move(xpath=options['xpath'],
where=options['move'],
dst=options['dst'],
extra_qs=options['ad_hoc'])
print_status(xapi, action)
print_response(xapi, options)
if options['rename']:
action = 'rename'
if options['ad_hoc'] is not None:
extra_qs_used = True
xapi.rename(xpath=options['xpath'],
newname=options['dst'],
extra_qs=options['ad_hoc'])
print_status(xapi, action)
print_response(xapi, options)
if options['clone']:
action = 'clone'
if options['ad_hoc'] is not None:
extra_qs_used = True
xapi.clone(xpath=options['xpath'],
xpath_from=options['src'],
newname=options['dst'],
extra_qs=options['ad_hoc'])
print_status(xapi, action)
print_response(xapi, options)
if options['override']:
action = 'override'
if options['ad_hoc'] is not None:
extra_qs_used = True
xapi.override(xpath=options['xpath'],
element=options['element'],
extra_qs=options['ad_hoc'])
print_status(xapi, action)
print_response(xapi, options)
if options['export'] is not None:
action = 'export'
if options['ad_hoc'] is not None:
extra_qs_used = True
if options['pcapid'] is not None:
xapi.export(category=options['export'],
pcapid=options['pcapid'],
search_time=options['stime'],
serialno=options['serial'],
extra_qs=options['ad_hoc'])
else:
xapi.export(category=options['export'],
from_name=options['src'],
extra_qs=options['ad_hoc'])
print_status(xapi, action)
print_response(xapi, options)
if options['pcap_listing']:
pcap_listing(xapi, options['export'])
save_attachment(xapi, options)
if options['log'] is not None:
action = 'log'
if options['ad_hoc'] is not None:
extra_qs_used = True
xapi.log(log_type=options['log'],
nlogs=options['nlogs'],
skip=options['skip'],
filter=options['filter'],
interval=options['interval'],
timeout=options['job_timeout'],
extra_qs=options['ad_hoc'])
print_status(xapi, action)
print_response(xapi, options)
if options['op'] is not None:
action = 'op'
kwargs = {
'cmd': options['op'],
'cmd_xml': options['cmd_xml'],
}
if options['ad_hoc'] is not None:
extra_qs_used = True
kwargs['extra_qs'] = options['ad_hoc']
if len(options['vsys']):
kwargs['vsys'] = options['vsys'][0]
xapi.op(**kwargs)
print_status(xapi, action)
print_response(xapi, options)
if (options['commit'] or options['commit_all']):
if options['cmd']:
cmd = options['cmd']
if options['cmd_xml']:
cmd = xapi.cmd_xml(cmd)
else:
c = pan.commit.PanCommit(validate=options['validate'],
force=options['force'],
commit_all=options['commit_all'],
merge_with_candidate=options['merge'])
for part in options['partial']:
if part == 'device-and-network-excluded':
c.device_and_network_excluded()
elif part == 'policy-and-objects-excluded':
c.policy_and_objects_excluded()
elif part == 'shared-object-excluded':
c.shared_object_excluded()
elif part == 'no-vsys':
c.no_vsys()
elif part == 'vsys':
c.vsys(options['vsys'])
if options['serial'] is not None:
c.device(options['serial'])
if options['group'] is not None:
c.device_group(options['group'])
if options['commit_all'] and options['vsys']:
c.vsys(options['vsys'][0])
cmd = c.cmd()
kwargs = {
'cmd': cmd,
'sync': options['sync'],
'interval': options['interval'],
'timeout': options['job_timeout'],
}
if options['ad_hoc'] is not None:
extra_qs_used = True
kwargs['extra_qs'] = options['ad_hoc']
if options['commit_all']:
kwargs['action'] = 'all'
action = 'commit'
xapi.commit(**kwargs)
print_status(xapi, action)
print_response(xapi, options)
if not extra_qs_used and options['ad_hoc'] is not None:
action = 'ad_hoc'
xapi.ad_hoc(qs=options['ad_hoc'],
xpath=options['xpath'],
modify_qs=options['modify'])
print_status(xapi, action)
print_response(xapi, options)
except pan.xapi.PanXapiError as msg:
print_status(xapi, action, str(msg))
print_response(xapi, options)
sys.exit(1)
sys.exit(0)
def add_vulnerability_profile(xapi, **kwargs):
if vulnerability_profile_exists(xapi, kwargs['vulnprofile_name']):
return False
exml = []
if kwargs['rule_tuples'] is not None:
exml.append('<rules>')
for item in kwargs['rule_tuples']:
cve = "any"
vendor_id = "any"
threat_name = "any"
host_type = "client"
action = "default"
capture = "disable"
category = "any"
if 'cve' in item:
cve = item['cve']
if 'vendor_id' in item:
vendor_id = item['vendor_id']
if 'threat_name' in item:
threat_name = item['threat_name']
if 'host_type' in item:
host_type = item['host_type']
if 'action' in item:
action = item['action']
if 'capture' in item:
capture = item['capture']
if 'category' in item:
category = item['category']
exml.append('<entry name=\"%s\">' % item['rule_name'])
exml.append('<cve><member>%s</member></cve>' % cve)
exml.append('<vendor-id><member>%s</member></vendor-id>' %
vendor_id)
exml.append('<severity><member>%s</member></severity>' %
item['severity'])
exml.append('<threat-name>%s</threat-name>' %
threat_name)
exml.append('<host>%s</host>' % host_type)
exml.append('<category>%s</category>' % category)
exml.append('<packet-capture>%s</packet-capture>' %
capture)
exml.append('<action><%s/></action>' %
action)
exml.append('</entry>')
exml.append('</rules>')
if kwargs['exception_ids'] is not None:
exml.append('<threat-exception>')
for t in kwargs['exception_ids']:
exml.append('<entry name=\"%s\">'
'<action><reset-client/></action>'
'</entry>' % t)
exml.append('</threat-exception>')
if kwargs['description'] is not None:
exml.append('<description>%s</description>' % kwargs['description'])
exml = ''.join(exml)
# FOR DEBUGGING
# print "element='%s'"%exml
xapi.set(xpath=_SERVICE_XPATH % kwargs['vulnprofile_name'], element=exml)
return True
def add_security_rule(xapi, **kwargs):
if security_rule_exists(xapi, kwargs['rule_name']):
return False
# exml = ['<entry name="permit-server"%s">'%kwargs['rule_name']]
exml = []
exml.append('<to>')
for t in kwargs['to_zone']:
exml.append('<member>%s</member>' % t)
exml.append('</to>')
exml.append('<from>')
for t in kwargs['from_zone']:
exml.append('<member>%s</member>' % t)
exml.append('</from>')
exml.append('<source>')
for t in kwargs['source']:
exml.append('<member>%s</member>' % t)
exml.append('</source>')
exml.append('<destination>')
for t in kwargs['destination']:
exml.append('<member>%s</member>' % t)
exml.append('</destination>')
exml.append('<source-user>')
for t in kwargs['source_user']:
exml.append('<member>%s</member>' % t)
exml.append('</source-user>')
exml.append('<category>')
for t in kwargs['category']:
exml.append('<member>%s</member>' % t)
exml.append('</category>')
exml.append('<application>')
for t in kwargs['application']:
exml.append('<member>%s</member>' % t)
exml.append('</application>')
exml.append('<service>')
for t in kwargs['service']:
exml.append('<member>%s</member>' % t)
exml.append('</service>')
exml.append('<hip-profiles>')
for t in kwargs['hip_profiles']:
exml.append('<member>%s</member>' % t)
exml.append('</hip-profiles>')
if kwargs['group_profile'] is not None:
exml.append('<profile-setting>'
'<group><member>%s</member></group>'
'</profile-setting>' % kwargs['group_profile'])
if kwargs['log_start']:
exml.append('<log-start>yes</log-start>')
else:
exml.append('<log-start>no</log-start>')
if kwargs['log_end']:
exml.append('<log-end>yes</log-end>')
else:
exml.append('<log-end>no</log-end>')
if kwargs['rule_type'] != 'universal':
exml.append('<rule-type>%s</rule-type>' % kwargs['rule_type'])
exml.append('<action>%s</action>' % kwargs['action'])
if kwargs['vulnprofile_name'] is not None:
exml.append('<profile-setting>')
exml.append('<profiles>')
exml.append('<vulnerability>')
exml.append('<member>%s</member>' % kwargs['vulnprofile_name'])
exml.append('</vulnerability>')
exml.append('</profiles>')
exml.append('</profile-setting>')
# exml.append('</entry>')
exml = ''.join(exml)
xapi.set(xpath=_SRULE_XPATH % kwargs['rule_name'], element=exml)
return True
grpEntryStaticMember.text = nodeID
data = ET.tostring(root)
print(data)
try:
xapi = pan.xapi.PanXapi(api_username=os.environ['username'],
api_password=os.environ['password'],
hostname=os.environ['ipAddr'])
print("Successfully Connected!")
xapi.op(cmd='show system info', cmd_xml=True)
print(xapi.xml_result())
#set the config using the above xpath
xapi.set(xpath, element=data)
print(xapi.xml_result())
#commit the config. Make sure to add the xml command.
xapi.commit('<commit/>')
print(xapi.xml_result())
except pan.xapi.PanXapiError as msg:
print('pan.xapi.PanXapi:', msg, file=sys.stderr)
sys.exit(1)
elif cmd == "stop":
# Build the XML tree for the settings we want to add to the FW. In this case adding a named address.
# root.set("name", "Kimberly")
def add_vulnerability_profile(xapi, **kwargs):
if vulnerability_profile_exists(xapi, kwargs['vulnprofile_name']):
return False
exml = []
if kwargs['rule_tuples'] is not None:
exml.append('<rules>')
for item in kwargs['rule_tuples']:
cve = "any"
vendor_id = "any"
threat_name = "any"
host_type = "client"
action = "default"
capture = "disable"
category = "any"
if 'cve' in item:
cve = item['cve']
if 'vendor_id' in item:
vendor_id = item['vendor_id']
if 'threat_name' in item:
threat_name = item['threat_name']
if 'host_type' in item:
host_type = item['host_type']
if 'action' in item:
action = item['action']
if 'capture' in item:
capture = item['capture']
if 'category' in item:
category = item['category']
exml.append('<entry name=\"%s\">' % item['rule_name'])
exml.append('<cve><member>%s</member></cve>' % cve)
exml.append('<vendor-id><member>%s</member></vendor-id>' %
vendor_id)
exml.append('<severity><member>%s</member></severity>' %
item['severity'])
exml.append('<threat-name>%s</threat-name>' %
threat_name)
exml.append('<host>%s</host>' % host_type)
exml.append('<category>%s</category>' % category)
exml.append('<packet-capture>%s</packet-capture>' %
capture)
exml.append('<action><%s/></action>' %
action)
exml.append('</entry>')
exml.append('</rules>')
if kwargs['exception_ids'] is not None:
exml.append('<threat-exception>')
for t in kwargs['exception_ids']:
exml.append('<entry name=\"%s\">'
'<action><reset-client/></action>'
'</entry>' % t)
exml.append('</threat-exception>')
if kwargs['description'] is not None:
exml.append('<description>%s</description>' % kwargs['description'])
exml = ''.join(exml)
# FOR DEBUGGING
# print "element='%s'"%exml
xapi.set(xpath=_SERVICE_XPATH % kwargs['vulnprofile_name'], element=exml)
return True
def main():
set_encoding()
options = parse_opts()
try:
xapi = pan.xapi.PanXapi(debug=options['debug'],
timeout=options['timeout'],
tag=options['tag'],
use_http=options['use_http'],
use_get=options['use_get'],
api_username=options['api_username'],
api_password=options['api_password'],
api_key=options['api_key'],
hostname=options['hostname'],
port=options['port'],
serial=options['serial'],
cafile=options['cafile'],
capath=options['capath'])
except pan.xapi.PanXapiError as msg:
print('pan.xapi.PanXapi:', msg, file=sys.stderr)
sys.exit(1)
if options['debug'] > 2:
print('xapi.__str__()===>\n', xapi, '\n<===',
sep='', file=sys.stderr)
try:
if options['ad_hoc'] is not None:
action = 'ad_hoc'
xapi.ad_hoc(qs=options['ad_hoc'],
xpath=options['xpath'],
modify_qs=options['modify'])
print_status(xapi, action)
print_response(xapi, options)
if options['keygen']:
action = 'keygen'
xapi.keygen()
print_status(xapi, action)
print_response(xapi, options)
print('API key: "%s"' % xapi.api_key)
if options['show']:
action = 'show'
xapi.show(xpath=options['xpath'])
print_status(xapi, action)
print_response(xapi, options)
if options['get']:
action = 'get'
xapi.get(xpath=options['xpath'])
print_status(xapi, action)
print_response(xapi, options)
if options['delete']:
action = 'delete'
xapi.delete(xpath=options['xpath'])
print_status(xapi, action)
print_response(xapi, options)
if options['edit']:
action = 'edit'
xapi.edit(xpath=options['xpath'],
element=options['element'])
print_status(xapi, action)
print_response(xapi, options)
if options['set']:
action = 'set'
xapi.set(xpath=options['xpath'],
element=options['element'])
print_status(xapi, action)
print_response(xapi, options)
if options['dynamic-update']:
action = 'dynamic-update'
kwargs = {
'cmd': options['cmd'],
}
if len(options['vsys']):
kwargs['vsys'] = options['vsys'][0]
xapi.user_id(**kwargs)
print_status(xapi, action)
print_response(xapi, options)
if options['move'] is not None:
action = 'move'
xapi.move(xpath=options['xpath'],
where=options['move'],
dst=options['dst'])
print_status(xapi, action)
print_response(xapi, options)
if options['rename']:
action = 'rename'
xapi.rename(xpath=options['xpath'],
newname=options['dst'])
print_status(xapi, action)
print_response(xapi, options)
if options['clone']:
action = 'clone'
xapi.clone(xpath=options['xpath'],
xpath_from=options['src'],
newname=options['dst'])
print_status(xapi, action)
print_response(xapi, options)
if options['override']:
action = 'override'
xapi.override(xpath=options['xpath'],
element=options['element'])
print_status(xapi, action)
print_response(xapi, options)
if options['export'] is not None:
action = 'export'
xapi.export(category=options['export'],
from_name=options['src'])
print_status(xapi, action)
print_response(xapi, options)
if options['pcap_listing']:
pcap_listing(xapi, options)
save_pcap(xapi, options)
if options['log'] is not None:
action = 'log'
xapi.log(log_type=options['log'],
nlogs=options['nlogs'],
skip=options['skip'],
filter=options['filter'],
interval=options['interval'],
timeout=options['job_timeout'])
print_status(xapi, action)
print_response(xapi, options)
if options['op'] is not None:
action = 'op'
kwargs = {
'cmd': options['op'],
'cmd_xml': options['cmd_xml'],
}
if len(options['vsys']):
kwargs['vsys'] = options['vsys'][0]
xapi.op(**kwargs)
print_status(xapi, action)
print_response(xapi, options)
if (options['commit'] or options['commit_all']):
if options['cmd']:
cmd = options['cmd']
if options['cmd_xml']:
cmd = xapi.cmd_xml(cmd)
else:
c = pan.commit.PanCommit(debug=options['debug'],
validate=options['validate'],
force=options['force'],
commit_all=options['commit_all'],
merge_with_candidate=
options['merge'])
for part in options['partial']:
if part == 'device-and-network-excluded':
c.device_and_network_excluded()
elif part == 'policy-and-objects-excluded':
c.policy_and_objects_excluded()
elif part == 'shared-object-excluded':
c.shared_object_excluded()
elif part == 'no-vsys':
c.no_vsys()
elif part == 'vsys':
c.vsys(options['vsys'])
if options['serial'] is not None:
c.device(options['serial'])
if options['group'] is not None:
c.device_group(options['group'])
if options['commit_all'] and options['vsys']:
c.vsys(options['vsys'][0])
cmd = c.cmd()
kwargs = {
'cmd': cmd,
'sync': options['sync'],
'interval': options['interval'],
'timeout': options['job_timeout'],
}
if options['commit_all']:
kwargs['action'] = 'all'
action = 'commit'
xapi.commit(**kwargs)
print_status(xapi, action)
print_response(xapi, options)
except pan.xapi.PanXapiError as msg:
print_status(xapi, action, msg)
print_response(xapi, options)
sys.exit(1)
sys.exit(0)
def main():
try:
signal.signal(signal.SIGPIPE, signal.SIG_DFL)
except AttributeError:
# Windows
pass
set_encoding()
options = parse_opts()
if options['debug']:
logger = logging.getLogger()
if options['debug'] == 3:
logger.setLevel(pan.xapi.DEBUG3)
elif options['debug'] == 2:
logger.setLevel(pan.xapi.DEBUG2)
elif options['debug'] == 1:
logger.setLevel(pan.xapi.DEBUG1)
# log_format = '%(levelname)s %(name)s %(message)s'
log_format = '%(message)s'
handler = logging.StreamHandler()
formatter = logging.Formatter(log_format)
handler.setFormatter(formatter)
logger.addHandler(handler)
if options['cafile'] or options['capath']:
ssl_context = create_ssl_context(options['cafile'],
options['capath'])
else:
ssl_context = None
try:
xapi = pan.xapi.PanXapi(timeout=options['timeout'],
tag=options['tag'],
use_http=options['use_http'],
use_get=options['use_get'],
api_username=options['api_username'],
api_password=options['api_password'],
api_key=options['api_key'],
hostname=options['hostname'],
port=options['port'],
serial=options['serial'],
ssl_context=ssl_context)
except pan.xapi.PanXapiError as msg:
print('pan.xapi.PanXapi:', msg, file=sys.stderr)
sys.exit(1)
if options['debug'] > 2:
print('xapi.__str__()===>\n', xapi, '\n<===',
sep='', file=sys.stderr)
extra_qs_used = False
try:
if options['keygen']:
action = 'keygen'
if options['ad_hoc'] is not None:
extra_qs_used = True
xapi.keygen(extra_qs=options['ad_hoc'])
print_status(xapi, action)
print_response(xapi, options)
print('API key: "%s"' % xapi.api_key)
if options['show']:
action = 'show'
if options['ad_hoc'] is not None:
extra_qs_used = True
xapi.show(xpath=options['xpath'],
extra_qs=options['ad_hoc'])
print_status(xapi, action)
print_response(xapi, options)
if options['get']:
action = 'get'
if options['ad_hoc'] is not None:
extra_qs_used = True
xapi.get(xpath=options['xpath'],
extra_qs=options['ad_hoc'])
print_status(xapi, action)
print_response(xapi, options)
if options['delete']:
action = 'delete'
if options['ad_hoc'] is not None:
extra_qs_used = True
xapi.delete(xpath=options['xpath'],
extra_qs=options['ad_hoc'])
print_status(xapi, action)
print_response(xapi, options)
if options['edit']:
action = 'edit'
if options['ad_hoc'] is not None:
extra_qs_used = True
xapi.edit(xpath=options['xpath'],
element=options['element'],
extra_qs=options['ad_hoc'])
print_status(xapi, action)
print_response(xapi, options)
if options['set']:
action = 'set'
if options['ad_hoc'] is not None:
extra_qs_used = True
xapi.set(xpath=options['xpath'],
element=options['element'],
extra_qs=options['ad_hoc'])
print_status(xapi, action)
print_response(xapi, options)
if options['dynamic-update']:
action = 'dynamic-update'
kwargs = {
'cmd': options['cmd'],
}
if options['ad_hoc'] is not None:
extra_qs_used = True
kwargs['extra_qs'] = options['ad_hoc']
if len(options['vsys']):
kwargs['vsys'] = options['vsys'][0]
xapi.user_id(**kwargs)
print_status(xapi, action)
print_response(xapi, options)
if options['move'] is not None:
action = 'move'
if options['ad_hoc'] is not None:
extra_qs_used = True
xapi.move(xpath=options['xpath'],
where=options['move'],
dst=options['dst'],
extra_qs=options['ad_hoc'])
print_status(xapi, action)
print_response(xapi, options)
if options['rename']:
action = 'rename'
if options['ad_hoc'] is not None:
extra_qs_used = True
xapi.rename(xpath=options['xpath'],
newname=options['dst'],
extra_qs=options['ad_hoc'])
print_status(xapi, action)
print_response(xapi, options)
if options['clone']:
action = 'clone'
if options['ad_hoc'] is not None:
extra_qs_used = True
xapi.clone(xpath=options['xpath'],
xpath_from=options['src'],
newname=options['dst'],
extra_qs=options['ad_hoc'])
print_status(xapi, action)
print_response(xapi, options)
if options['override']:
action = 'override'
if options['ad_hoc'] is not None:
extra_qs_used = True
xapi.override(xpath=options['xpath'],
element=options['element'],
extra_qs=options['ad_hoc'])
print_status(xapi, action)
print_response(xapi, options)
if options['export'] is not None:
action = 'export'
if options['ad_hoc'] is not None:
extra_qs_used = True
if options['pcapid'] is not None:
xapi.export(category=options['export'],
pcapid=options['pcapid'],
search_time=options['stime'],
serialno=options['serial'],
extra_qs=options['ad_hoc'])
else:
xapi.export(category=options['export'],
from_name=options['src'],
extra_qs=options['ad_hoc'])
print_status(xapi, action)
print_response(xapi, options)
if options['pcap_listing']:
pcap_listing(xapi, options['export'])
save_attachment(xapi, options)
if options['log'] is not None:
action = 'log'
if options['ad_hoc'] is not None:
extra_qs_used = True
xapi.log(log_type=options['log'],
nlogs=options['nlogs'],
skip=options['skip'],
filter=options['filter'],
interval=options['interval'],
timeout=options['job_timeout'],
extra_qs=options['ad_hoc'])
print_status(xapi, action)
print_response(xapi, options)
if options['op'] is not None:
action = 'op'
kwargs = {
'cmd': options['op'],
'cmd_xml': options['cmd_xml'],
}
if options['ad_hoc'] is not None:
extra_qs_used = True
kwargs['extra_qs'] = options['ad_hoc']
if len(options['vsys']):
kwargs['vsys'] = options['vsys'][0]
xapi.op(**kwargs)
print_status(xapi, action)
print_response(xapi, options)
if (options['commit'] or options['commit_all']):
if options['cmd']:
cmd = options['cmd']
if options['cmd_xml']:
cmd = xapi.cmd_xml(cmd)
else:
c = pan.commit.PanCommit(validate=options['validate'],
force=options['force'],
commit_all=options['commit_all'],
merge_with_candidate=
options['merge'])
for part in options['partial']:
if part == 'device-and-network-excluded':
c.device_and_network_excluded()
elif part == 'policy-and-objects-excluded':
c.policy_and_objects_excluded()
elif part == 'shared-object-excluded':
c.shared_object_excluded()
elif part == 'no-vsys':
c.no_vsys()
elif part == 'vsys':
c.vsys(options['vsys'])
if options['serial'] is not None:
c.device(options['serial'])
if options['group'] is not None:
c.device_group(options['group'])
if options['commit_all'] and options['vsys']:
c.vsys(options['vsys'][0])
cmd = c.cmd()
kwargs = {
'cmd': cmd,
'sync': options['sync'],
'interval': options['interval'],
'timeout': options['job_timeout'],
}
if options['ad_hoc'] is not None:
extra_qs_used = True
kwargs['extra_qs'] = options['ad_hoc']
if options['commit_all']:
kwargs['action'] = 'all'
action = 'commit'
xapi.commit(**kwargs)
print_status(xapi, action)
print_response(xapi, options)
if not extra_qs_used and options['ad_hoc'] is not None:
action = 'ad_hoc'
xapi.ad_hoc(qs=options['ad_hoc'],
xpath=options['xpath'],
modify_qs=options['modify'])
print_status(xapi, action)
print_response(xapi, options)
except pan.xapi.PanXapiError as msg:
print_status(xapi, action, msg)
print_response(xapi, options)
sys.exit(1)
sys.exit(0)
def push_meta(meta, context, force_sync=False, perform_commit=True) -> (str, None):
"""
Push a skillet to a PanXapi connected device
:param meta: dict containing parsed and loaded skillet
:param context: all compiled variables from the user interaction
:param force_sync: should we wait on a successful commit operation or return after queue
:param perform_commit: should we actually commit or not
:return: job_id as a str or None if no job_id could be found
"""
xapi = panos_login()
if xapi is None:
raise CCFParserError('Could not login in to Palo Alto Networks Device')
name = meta['name'] if 'name' in meta else 'unknown'
# default to None as return value, set to job_id if possible later if a commit was requested
return_value = None
# _perform_backup()
if 'snippet_path' in meta:
snippets_dir = meta['snippet_path']
else:
raise CCFParserError(f'Could not locate .meta-cnc file on filesystem for Skillet: {name}')
environment = Environment(loader=BaseLoader())
for f in jinja_filters.defined_filters:
if hasattr(jinja_filters, f):
environment.filters[f] = getattr(jinja_filters, f)
try:
for snippet in meta['snippets']:
if 'xpath' not in snippet or 'file' not in snippet:
print('Malformed meta-cnc error')
raise CCFParserError(f'Malformed snippet section in meta-cnc file for {name}')
xpath = snippet['xpath']
xml_file_name = snippet['file']
# allow snippets to be skipped using the 'when' attribute
if 'when' in snippet:
when_template = environment.from_string(snippet.get('when', ''))
when_result = str(when_template.render(context))
if when_result.lower() == 'false' or when_result.lower() == 'no':
print(f'Skipping snippet {name} due to when condition false')
continue
xml_full_path = os.path.join(snippets_dir, xml_file_name)
with open(xml_full_path, 'r') as xml_file:
xml_string = xml_file.read()
xml_template = environment.from_string(xml_string)
xpath_template = environment.from_string(xpath)
# fix for #74, ensure multiline xpaths do not contain newlines or spaces
xml_snippet = xml_template.render(context).strip().replace('\n', '')
xpath_string = xpath_template.render(context).strip().replace('\n', '').replace(' ', '')
print('Pushing xpath: %s' % xpath_string)
try:
xapi.set(xpath=xpath_string, element=xml_snippet)
if xapi.status_code == '19' or xapi.status_code == '20':
print('xpath is already present')
elif xapi.status_code == '7':
raise CCFParserError(f'xpath {xpath_string} was NOT found for skillet: {name}')
except pan.xapi.PanXapiError as pxe:
err_msg = str(pxe)
if '403' in err_msg:
# Auth issue, let's clear the api_key and bail out!
xapi = None
clear_credentials()
raise CCFParserError(f'Could not push skillet {name} / snippet {xml_file_name}! {pxe}')
if perform_commit:
if 'type' not in meta:
commit_type = 'commit'
else:
if 'panorama' in meta['type']:
commit_type = 'commit-all'
else:
commit_type = 'commit'
if commit_type == 'commit-all':
print('Performing commit-all in panorama')
xapi.commit(cmd='<commit-all></commit-all>', sync=True)
else:
if force_sync:
xapi.commit('<commit></commit>', sync=True)
else:
xapi.commit('<commit></commit>')
results = xapi.xml_result()
if force_sync:
# we have the results of a job id query, the commit results are embedded therein
doc = elementTree.XML(results)
embedded_result = doc.find('result')
if embedded_result is not None:
commit_result = embedded_result.text
print(f'Commit result is {commit_result}')
if commit_result == 'FAIL':
raise TargetCommitException(xapi.status_detail)
else:
if 'with jobid' in results:
result = re.match(r'.* with jobid (\d+)', results)
if result is not None:
return_value = result.group(1)
# for gpcs baseline and svc connection network configuration do a scope push to gpcs
# FIXME - check for 'gpcs' in meta['type'] instead of hardcoded name
if meta['name'] == 'gpcs_baseline':
print('push baseline and svc connection scope to gpcs')
xapi.commit(action='all',
cmd='<commit-all><template-stack>'
'<name>Service_Conn_Template_Stack</name></template-stack></commit-all>')
print(xapi.xml_result())
# for gpcs remote network configuration do a scope push to gpcs
if meta['name'] == 'gpcs_remote' or meta['name'] == 'gpcs_baseline':
print('push remote network scope to gpcs')
xapi.commit(action='all',
cmd='<commit-all><shared-policy><device-group>'
'<entry name="Remote_Network_Device_Group"/>'
'</device-group></shared-policy></commit-all>')
print(xapi.xml_result())
return return_value
except UndefinedError as ue:
raise CCFParserError(f'Undefined variable in skillet: {ue}')
except IOError as ioe:
raise CCFParserError(f'Could not open xml snippet file for reading! {ioe}')
except pan.xapi.PanXapiError as pxe:
raise CCFParserError(f'Could not push meta-cnc for skillet {name}! {pxe}')
def main():
argument_spec = dict(ip_address=dict(required=True),
password=dict(no_log=True),
username=dict(default='admin'),
api_key=dict(no_log=True),
device_serial=dict(default=None),
operation=dict(
required=True,
choices=['add', 'assign', 'remove', 'delete']),
devicegroup=dict(default=None))
module = AnsibleModule(argument_spec=argument_spec,
supports_check_mode=False,
required_one_of=[['api_key', 'password']])
if not HAS_LIB:
module.fail_json(msg='Missing required libraries.')
ip_address = module.params["ip_address"]
password = module.params["password"]
username = module.params['username']
api_key = module.params['api_key']
dvsn = module.params['device_serial']
operation = module.params['operation']
devicegroup = module.params['devicegroup']
if operation == "assign":
try:
xpath_dg = "/config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='%s']/devices" % devicegroup
xapi = pan.xapi.PanXapi(hostname=ip_address,
api_username=username,
api_password=password,
api_key=api_key)
xapi.set(xpath=xpath_dg,
element='<entry name="%s"></entry>' % dvsn)
except PanXapiError:
exc = get_exception()
module.fail_json(msg=exc.message)
module.exit_json(
changed=True,
msg='Device Group \'%s\' successfully assigned to \'%s\'' %
(devicegroup, dvsn))
elif operation == "add":
try:
xpath_dg = "/config/devices/entry[@name='localhost.localdomain']/device-group"
xapi = pan.xapi.PanXapi(hostname=ip_address,
api_username=username,
api_password=password,
api_key=api_key)
xapi.set(xpath=xpath_dg,
element='<entry name="%s"></entry>' % devicegroup)
except PanXapiError:
exc = get_exception()
module.fail_json(msg=exc.message)
module.exit_json(changed=True,
msg='Device Group \'%s\' successfully added ' %
devicegroup)
