def add_nat(xapi, module, rule_name, from_zone, to_zone, source, destination, service, dnatxml=None, snatxml=None): exml = [] if dnatxml: exml.append(dnatxml) if snatxml: exml.append(snatxml) exml.append("<to><member>%s</member></to>" % to_zone) exml.append("<from>") exml = exml + ["<member>%s</member>" % e for e in from_zone] exml.append("</from>") exml.append("<source>") exml = exml + ["<member>%s</member>" % e for e in source] exml.append("</source>") exml.append("<destination>") exml = exml + ["<member>%s</member>" % e for e in destination] exml.append("</destination>") exml.append("<service>%s</service>" % service) exml.append("<nat-type>ipv4</nat-type>") exml = ''.join(exml) xapi.set(xpath=_NAT_XPATH % rule_name, element=exml) return True
def set_publickey(xapi, user, cpkey, pkey): b64pkey = base64.b64encode(pkey) e = "<public-key>%s</public-key>" % b64pkey if cpkey is None: xapi.set(xpath=_ADMINPROFILE_XPATH % user, element=e) else: xapi.edit(xpath=_PKEY_XPATH % user, element=e)
def add_pg(xapi, pg_name, data_filtering, file_blocking, spyware, url_filtering, virus, vulnerability, wildfire): if pg_exists(xapi, pg_name): return False exml = [] if data_filtering is not None: exml.append('<data-filtering><member>%s</member></data-filtering>' % data_filtering) if file_blocking is not None: exml.append('<file-blocking><member>%s</member></file-blocking>' % file_blocking) if spyware is not None: exml.append('<spyware><member>%s</member></spyware>' % spyware) if url_filtering is not None: exml.append('<url-filtering><member>%s</member></url-filtering>' % url_filtering) if virus is not None: exml.append('<virus><member>%s</member></virus>' % virus) if vulnerability is not None: exml.append('<vulnerability><member>%s</member></vulnerability>' % vulnerability) if wildfire is not None: exml.append( '<wildfire-analysis><member>%s</member></wildfire-analysis>' % wildfire) exml = ''.join(exml) xapi.set(xpath=_PG_XPATH % pg_name, element=exml) return True
def add_pg(xapi, pg_name, data_filtering, file_blocking, spyware, url_filtering, virus, vulnerability): if pg_exists(xapi, pg_name): return False exml = [] if data_filtering is not None: exml.append('<data-filtering><member>%s</member></data-filtering>' % data_filtering) if file_blocking is not None: exml.append('<file-blocking><member>%s</member></file-blocking>' % file_blocking) if spyware is not None: exml.append('<spyware><member>%s</member></spyware>' % spyware) if url_filtering is not None: exml.append('<url-filtering><member>%s</member></url-filtering>' % url_filtering) if virus is not None: exml.append('<virus><member>%s</member></virus>' % virus) if vulnerability is not None: exml.append('<vulnerability><member>%s</member></vulnerability>' % vulnerability) exml = ''.join(exml) xapi.set(xpath=_PG_XPATH % pg_name, element=exml) return True
def setConfigEntry(fw, xpath, value, module): if 'hostname' not in fw or 'username' not in fw or 'password' not in fw: module.fail_json(msg='Device credentials not specified!') #print('Connecting to device') try: xapi = pan.xapi.PanXapi(hostname=fw['hostname'], api_username=fw['username'], api_password=fw['password']) except pan.xapi.PanXapiError as msg: module.fail_json(msg='pan.xapi.PanXapi: {}'.format(msg)) except Exception as e: module.fail_json(msg='Exception: {}'.format(e)) #print('Connected to device, setting configuration in path: {}'.format(xpath)) try: xapi.set(xpath=xpath, element=value) except pan.xapi.PanXapiError as msg: if "Unauthorized request" in str(msg): # skip duplicate region set return True module.fail_json(msg='pan.xapi.PanXapi (set): {}'.format(msg)) #print('Configuration successfully set!') return True
def setPanoramaEntry(pn, xpath, value): if 'hostname' not in pn or 'username' not in pn or 'password' not in pn: print('Panorama credentials not specified!') return False print('Connecting to Panorama') try: xapi = pan.xapi.PanXapi(hostname=pn['hostname'], api_username=pn['username'], api_password=pn['password']) except pan.xapi.PanXapiError as msg: print('pan.xapi.PanXapi: {}'.format(msg)) return False except Exception as e: print('Exception: {}'.format(e)) return False print('Connected to Panorama, setting configuration in path: {}'.format( xpath)) try: xapi.set(xpath=xpath, element=value) except pan.xapi.PanXapiError as msg: print('pan.xapi.PanXapi (set): {}'.format(msg)) return False print('Configuration successfully set!') return True
def add_custom_app(xapi, app_name, host_regex): if custom_app_exists(xapi, app_name): return False xapi.set(xpath=_CUSTOM_APP_XPATH % app_name, element=_CUSTOM_APP_TEMPLATE % (app_name, host_regex)) return True
def create_template_variable(username, password, panorama_name, variable, value, variable_type, template): xapi = pan.xapi.PanXapi(api_username = username, \ api_password = password, \ hostname= panorama_name) xpath = '{0}{1}{2}'.format("/config/devices/entry[@name='localhost.localdomain']/template/entry[@name='", template, "']/variable") element = '{0}{1}{2}{3}{4}{5}{6}{7}{8}'.format('<entry name="', variable, '"><type><', variable_type, '>', value, '</', variable_type, '></type></entry>') xapi.set(xpath = xpath, \ element = element)
def add_snat_dipp(xapi, module, rule_name, from_zone, to_zone, source, destination, service, translated_address=None, interface_address_ip=None, interface_address_if=None): if translated_address is not None and interface_address_if is not None: module.fail_json(msg="only one of interface_address_if and " "translated_address should be specified") if nat_rule_exists(xapi, rule_name): return False exml = ["<source-translation>", "<dynamic-ip-and-port>"] if interface_address_if is not None: exml = exml+[ "<interface-address>", "<interface>%s</interface>" % interface_address_if] if interface_address_ip is not None: exml.append("<ip>%s</ip>" % interface_address_ip) exml.append("</interface-address>") elif translated_address is not None: exml.append("<translated-address>") for t in translated_address: exml.append("<member>%s</member>" % t) exml.append("</translated-address>") else: module.fail_json(msg="no interface_address_if or " "translated_address specified") exml.append('</dynamic-ip-and-port>') exml.append('</source-translation>') exml.append("<to><member>%s</member></to>" % to_zone) exml.append("<from>") exml = exml+["<member>%s</member>" % e for e in from_zone] exml.append("</from>") exml.append("<source>") exml = exml+["<member>%s</member>" % e for e in source] exml.append("</source>") exml.append("<destination>") exml = exml+["<member>%s</member>" % e for e in destination] exml.append("</destination>") exml.append("<service>%s</service>" % service) exml.append("<nat-type>ipv4</nat-type>") exml = ''.join(exml) xapi.set(xpath=_NAT_XPATH % rule_name, element=exml) return True
def add_tunnel_if(xapi, tunnel_unit, zone_name): tif_xml = ['<entry name="tunnel.%s"></entry>'] tif_xml = (''.join(tif_xml)) % (tunnel_unit) xapi.edit(xpath=_TIF_XPATH % tunnel_unit, element=tif_xml) xapi.set(xpath=_ZONE_XPATH + "[@name='%s']/network/layer3" % zone_name, element='<member>tunnel.%s</member>' % tunnel_unit) xapi.set(xpath=_VR_XPATH + "[@name='default']/interface", element='<member>tunnel.%s</member>' % tunnel_unit) return True
def add_tunnel_if(xapi, tunnel_unit, zone_name): tif_xml = ['<entry name="tunnel.%s"></entry>'] tif_xml = (''.join(tif_xml)) % (tunnel_unit) xapi.edit(xpath=_TIF_XPATH % tunnel_unit, element=tif_xml) xapi.set(xpath=_ZONE_XPATH+"[@name='%s']/network/layer3" % zone_name, element='<member>tunnel.%s</member>' % tunnel_unit) xapi.set(xpath=_VR_XPATH+"[@name='default']/interface", element='<member>tunnel.%s</member>' % tunnel_unit) return True
def admin_set(xapi, module, admin_username, admin_password, role): if admin_password is not None: xapi.op(cmd='request password-hash password "%s"' % admin_password, cmd_xml=True) r = xapi.element_root phash = r.find(".//phash").text if role is not None: rbval = "yes" if role != "superuser" and role != "superreader": rbval = "" ea = admin_exists(xapi, admin_username) if ea is not None: # user exists changed = False if role is not None: rb = ea.find(".//role-based") if rb is not None: if rb[0].tag != role: changed = True xpath = _ADMIN_XPATH % admin_username xpath += "/permissions/role-based/%s" % rb[0].tag xapi.delete(xpath=xpath) xpath = _ADMIN_XPATH % admin_username xpath += "/permissions/role-based" xapi.set(xpath=xpath, element="<%s>%s</%s>" % (role, rbval, role)) if admin_password is not None: xapi.edit( xpath=_ADMIN_XPATH % admin_username + "/phash", element="<phash>%s</phash>" % phash, ) changed = True return changed # setup the non encrypted part of the monitor exml = [] exml.append("<phash>%s</phash>" % phash) exml.append("<permissions><role-based><%s>%s</%s>" "</role-based></permissions>" % (role, rbval, role)) exml = "".join(exml) # module.fail_json(msg=exml) xapi.set(xpath=_ADMIN_XPATH % admin_username, element=exml) return True
def admin_set(xapi, module, admin_username, admin_password, role): if admin_password is not None: xapi.op(cmd='request password-hash password "%s"' % admin_password, cmd_xml=True) r = xapi.element_root phash = r.find('.//phash').text if role is not None: rbval = "yes" if role != "superuser" and role != 'superreader': rbval = "" ea = admin_exists(xapi, admin_username) if ea is not None: # user exists changed = False if role is not None: rb = ea.find('.//role-based') if rb is not None: if rb[0].tag != role: changed = True xpath = _ADMIN_XPATH % admin_username xpath += '/permissions/role-based/%s' % rb[0].tag xapi.delete(xpath=xpath) xpath = _ADMIN_XPATH % admin_username xpath += '/permissions/role-based' xapi.set(xpath=xpath, element='<%s>%s</%s>' % (role, rbval, role)) if admin_password is not None: xapi.edit(xpath=_ADMIN_XPATH % admin_username+'/phash', element='<phash>%s</phash>' % phash) changed = True return changed # setup the non encrypted part of the monitor exml = [] exml.append('<phash>%s</phash>' % phash) exml.append('<permissions><role-based><%s>%s</%s>' '</role-based></permissions>' % (role, rbval, role)) exml = ''.join(exml) # module.fail_json(msg=exml) xapi.set(xpath=_ADMIN_XPATH % admin_username, element=exml) return True
def add_dag(xapi, dag_name, dag_filter): if addressgroup_exists(xapi, dag_name): return False # setup the non encrypted part of the monitor exml = [] exml.append('<dynamic>') exml.append('<filter>%s</filter>' % dag_filter) exml.append('</dynamic>') exml = ''.join(exml) xapi.set(xpath=_ADDRGROUP_XPATH % dag_name, element=exml) return True
def add_service(xapi, module, service_name, protocol, port, source_port): if service_exists(xapi, service_name): return False exml = ['<protocol>'] exml.append('<%s>' % protocol) exml.append('<port>%s</port>' % port) if source_port: exml.append('<source-port>%s</source-port>' % source_port) exml.append('</%s>' % protocol) exml.append('</protocol>') exml = ''.join(exml) xapi.set(xpath=_SERVICE_XPATH % service_name, element=exml) return True
def push_service(service, context): xapi = panorama_login() snippets_dir = Path(os.path.join(settings.BASE_DIR, 'mssp', 'snippets')) if xapi is None: print('Could not push service to Panorama') return False try: for snippet in service['snippets']: xpath = snippet['xpath'] xml_file_name = snippet['file'] xml_full_path = os.path.join(snippets_dir, service['name'], xml_file_name) with open(xml_full_path, 'r') as xml_file: xml_string = xml_file.read() xml_template = Environment( loader=BaseLoader()).from_string(xml_string) xpath_template = Environment( loader=BaseLoader()).from_string(xpath) xml_snippet = xml_template.render(context).replace('\n', '') xpath_string = xpath_template.render(context) print('Pushing xpath: %s' % xpath_string) #print('Pushing element: %s' % xml_snippet) xapi.set(xpath=xpath_string, element=xml_snippet) # FIXME - We need to fix this if xapi.status_code == '19' or xapi.status_code == '20': print('xpath is already present') elif xapi.status_code == '7': print('xpath was NOT found') return False xapi.commit('<commit/>', sync=True) print(xapi.xml_result()) return True except IOError as ioe: print('Could not open xml snippet file for reading!!!') # FIXME - raise a decent error here return False except pan.xapi.PanXapiError as pxe: print('Could not push service snippet!') print(pxe) return False
def create_gpp_gateway(xapi, module, portal_name, config_name, type_, gateway_address, manual, description, exists): entry = [] # entry.append("<entry name='%s'>"%gateway_address) entry.append("<manual>%s</manual>" % ('yes' if manual else 'no')) entry.append("<priority>1</priority>") if description: entry.append("<description>%s</description>" % description) # entry.append("<entry/>") if exists: xapi.set(xpath=_GW_PATH % (portal_name, config_name, type_, gateway_address), element=''.join(entry)) else: xapi.set(xpath=_GW_PATH % (portal_name, config_name, type_, gateway_address), element=''.join(entry)) return True
def add_dhcp_if(xapi, if_name, zone_name, create_default_route): if_xml = [ '<entry name="%s">', '<layer3>', '<dhcp-client>', '<create-default-route>%s</create-default-route>', '</dhcp-client>' '</layer3>' '</entry>' ] cdr = 'yes' if not create_default_route: cdr = 'no' if_xml = (''.join(if_xml)) % (if_name, cdr) xapi.edit(xpath=_IF_XPATH % if_name, element=if_xml) xapi.set(xpath=_ZONE_XPATH + "[@name='%s']/network/layer3" % zone_name, element='<member>%s</member>' % if_name) xapi.set(xpath=_VR_XPATH + "[@name='default']/interface", element='<member>%s</member>' % if_name) return True
def add_snat_static_ip(xapi, module, rule_name, from_zone, to_zone, source, destination, service, bidirectional, translated_address): if translated_address is None: module.fail_json(msg="translated_address not specified") if nat_rule_exists(xapi, rule_name): return False exml = ["<source-translation>", "<static-ip>"] exml.append('<bi-directional>%s</bi-directional>' % ('yes' if bidirectional else 'no')) exml.append('<translated-address>%s</translated-address>' % translated_address) exml.append('</static-ip>') exml.append('</source-translation>') exml.append("<to><member>%s</member></to>" % to_zone) exml.append("<from>") exml = exml+["<member>%s</member>" % e for e in from_zone] exml.append("</from>") exml.append("<source>") exml = exml+["<member>%s</member>" % e for e in source] exml.append("</source>") exml.append("<destination>") exml = exml+["<member>%s</member>" % e for e in destination] exml.append("</destination>") exml.append("<service>%s</service>" % service) exml.append("<nat-type>ipv4</nat-type>") exml = ''.join(exml) xapi.set(xpath=_NAT_XPATH % rule_name, element=exml) return True
def add_dnat(xapi, module, rule_name, from_zone, to_zone, source, destination, service, translated_address=None, translated_port=None): if translated_address is None and translated_port is None: module.fail_json(msg="at least one of translated_address " "and translated_port should be specified") if nat_rule_exists(xapi, rule_name): return False exml = ["<destination-translation>"] if translated_address is not None: exml.append("<translated-address>%s</translated-address>" % translated_address) if translated_port is not None: exml.append("<translated-port>%s</translated-port>" % translated_port) exml.append('</destination-translation>') exml.append("<to><member>%s</member></to>" % to_zone) exml.append("<from>") exml = exml+["<member>%s</member>" % e for e in from_zone] exml.append("</from>") exml.append("<source>") exml = exml+["<member>%s</member>" % e for e in source] exml.append("</source>") exml.append("<destination>") exml = exml+["<member>%s</member>" % e for e in destination] exml.append("</destination>") exml.append("<service>%s</service>" % service) exml.append("<nat-type>ipv4</nat-type>") exml = ''.join(exml) xapi.set(xpath=_NAT_XPATH % rule_name, element=exml) return True
def add_awsmonitor(xapi, monitor_name, vpc_id, source, access_key, secret_access_key): if vmmonitor_exists(xapi, monitor_name): return False # setup the non encrypted part of the monitor exml = [] exml.append('<AWS-VPC>') exml.append('<vpc-id>%s</vpc-id>' % vpc_id) exml.append('<source>%s</source>' % source) exml.append('<access-key-id>%s</access-key-id>' % access_key) exml.append('<secret-access-key>%s</secret-access-key>' % secret_access_key) exml.append('<disabled>no</disabled>') exml.append('</AWS-VPC>') exml = ''.join(exml) xapi.set(xpath=_VMMONITOR_XPATH % monitor_name, element=exml) return True
def _set_config(self, config, hostname, xpath): xapi = pan.xapi.PanXapi(**self._get_pan_credentials(hostname)) try: xapi.set(xpath=xpath, element=config) except pan.xapi.PanXapiError as e: print("{error}".format(error=e)) return False time.sleep(3) print("Config: {status}".format(status=xapi.status)) time.sleep(1) print( "Applying config on {hostname} with user {username} and password {password}..." .format(hostname=hostname, username=self.username, password=self.password[:1])) try: xapi.commit(cmd="<commit></commit>", timeout=10) except pan.xapi.PanXapiError as e: print("{error}".format(error=e)) return False print("Commit: {status}".format(status=xapi.status))
def add_static_route(xapi, vr_name, sr_name, destination, nexthop, nexthoptype): sr_xml = [ '<entry name="%s">', '<destination>%s</destination>', '<nexthop>', '%s', '</nexthop>', '</entry>', ] if (nexthoptype == "ip"): nh_xml = '<ip-address>' + nexthop + '</ip-address>' elif (nexthoptype == "vr"): nh_xml = '<next-vr>' + nexthop + '</next-vr>' else: return False sr_xml = (''.join(sr_xml) % (sr_name, destination, nh_xml)) vr_sr_path = _VR_XPATH % vr_name vr_sr_path += "/routing-table/ip/static-route" xapi.set(xpath=vr_sr_path, element=sr_xml) return True
def add_if(xapi, if_name, if_type, if_address, vr_name, zone_name, create_default_route): if_xml = ['<entry name="%s">', '<layer3>', '%s', '</layer3>', '</entry>'] if (if_type == "dhcp"): cdr = 'yes' if not create_default_route: cdr = 'no' if_ip = '<dhcp-client><create-default-route>' + cdr + '</create-default-route></dhcp-client>' elif (if_type == "static"): if_ip = '<ip><entry name="' + if_address + '"/></ip>' else: return False if_xml = (''.join(if_xml)) % (if_name, if_ip) xapi.edit(xpath=_IF_XPATH % if_name, element=if_xml) xapi.set(xpath=_ZONE_XPATH + "[@name='%s']/network/layer3" % zone_name, element='<member>%s</member>' % if_name) xapi.set(xpath=_VR_XPATH + "[@name='" + vr_name + "']/interface", element='<member>%s</member>' % if_name) return True
def add_address(xapi, module, address, address_name, description, type, tag): if address_exists(xapi, address_name): return False exml = [] exml.append('<%s>' % type) exml.append('%s' % address) exml.append('</%s>' % type) if description: exml.append('<description>') exml.append('%s' % description) exml.append('</description>') if tag: exml.append('<tag>') exml.append('<member>%s</member>' % tag) exml.append('</tag>') exml = ''.join(exml) xapi.set(xpath=_ADDRESS_XPATH % address_name, element=exml) return True
def main(): argument_spec = dict(ip_address=dict(required=True), password=dict(no_log=True), username=dict(default='admin'), api_key=dict(no_log=True), device_ip=dict(default=None), device_username=dict(no_log=True), device_password=dict(no_log=True), device_api_key=dict(no_log=True), device_serial=dict(default=None), operation=dict(required=True, choices=['add', 'delete'])) module = AnsibleModule(argument_spec=argument_spec, supports_check_mode=False, required_one_of=[['api_key', 'password']]) if not HAS_LIB: module.fail_json(msg='Missing required libraries.') ip_address = module.params["ip_address"] password = module.params["password"] username = module.params['username'] api_key = module.params['api_key'] device_ip = module.params['device_ip'] device_username = module.params['device_username'] device_password = module.params['device_password'] device_api_key = module.params['device_api_key'] device_serial = module.params['device_serial'] operation = module.params['operation'] if operation == "add": try: if device_serial != "None": xpath_deviceconfig = "/config/mgt-config/devices" xapi = pan.xapi.PanXapi(hostname=ip_address, api_username=username, api_password=password, api_key=api_key) xapi.set(xpath=xpath_deviceconfig, element='<entry name="%s"></entry>' % device_serial) else: cmd = "<show><system><info></info></system></show>" device = base.PanDevice.create_from_device( device_ip, device_username, device_password, api_key=device_api_key) xmldoc = device.op(cmd=cmd, cmd_xml=False) serial_node = xmldoc.find('./result/system/serial') serial_text = serial_node.text xpath_deviceconfig = "/config/mgt-config/devices" xapi = pan.xapi.PanXapi(hostname=ip_address, api_username=username, api_password=password, api_key=api_key) xapi.set(xpath=xpath_deviceconfig, element='<entry name="%s"></entry>' % serial_text) except PanXapiError: exc = get_exception() module.fail_json(msg=exc.message) module.exit_json(changed=True, msg='Device \'%s\' successfully added to Panorama') elif operation == "delete": try: module.exit_json(changed=False, msg='Need to develop ') except PanXapiError: exc = get_exception() module.fail_json(msg=exc.message) module.exit_json(changed=False, msg='Need to develop ')
def main(): try: signal.signal(signal.SIGPIPE, signal.SIG_DFL) except AttributeError: # Windows pass set_encoding() options = parse_opts() if options['debug']: logger = logging.getLogger() if options['debug'] == 3: logger.setLevel(pan.xapi.DEBUG3) elif options['debug'] == 2: logger.setLevel(pan.xapi.DEBUG2) elif options['debug'] == 1: logger.setLevel(pan.xapi.DEBUG1) # log_format = '%(levelname)s %(name)s %(message)s' log_format = '%(message)s' handler = logging.StreamHandler() formatter = logging.Formatter(log_format) handler.setFormatter(formatter) logger.addHandler(handler) if options['cafile'] or options['capath']: ssl_context = create_ssl_context(options['cafile'], options['capath']) else: ssl_context = None try: xapi = pan.xapi.PanXapi(timeout=options['timeout'], tag=options['tag'], use_http=options['use_http'], use_get=options['use_get'], api_username=options['api_username'], api_password=options['api_password'], api_key=options['api_key'], hostname=options['hostname'], port=options['port'], serial=options['serial'], ssl_context=ssl_context) except pan.xapi.PanXapiError as msg: print('pan.xapi.PanXapi:', msg, file=sys.stderr) sys.exit(1) if options['debug'] > 2: print('xapi.__str__()===>\n', xapi, '\n<===', sep='', file=sys.stderr) extra_qs_used = False try: if options['keygen']: action = 'keygen' if options['ad_hoc'] is not None: extra_qs_used = True xapi.keygen(extra_qs=options['ad_hoc']) print_status(xapi, action) print_response(xapi, options) if (options['api_username'] and options['api_password'] and options['hostname'] and options['tag']): # .panrc d = datetime.now() print('# %s generated: %s' % (os.path.basename( sys.argv[0]), d.strftime('%Y/%m/%d %H:%M:%S'))) print('hostname%%%s=%s' % (options['tag'], options['hostname'])) print('api_key%%%s=%s' % (options['tag'], xapi.api_key)) else: print('API key: "%s"' % xapi.api_key) if options['show']: action = 'show' if options['ad_hoc'] is not None: extra_qs_used = True xapi.show(xpath=options['xpath'], extra_qs=options['ad_hoc']) print_status(xapi, action) print_response(xapi, options) if options['get']: action = 'get' if options['ad_hoc'] is not None: extra_qs_used = True xapi.get(xpath=options['xpath'], extra_qs=options['ad_hoc']) print_status(xapi, action) print_response(xapi, options) if options['delete']: action = 'delete' if options['ad_hoc'] is not None: extra_qs_used = True xapi.delete(xpath=options['xpath'], extra_qs=options['ad_hoc']) print_status(xapi, action) print_response(xapi, options) if options['edit']: action = 'edit' if options['ad_hoc'] is not None: extra_qs_used = True xapi.edit(xpath=options['xpath'], element=options['element'], extra_qs=options['ad_hoc']) print_status(xapi, action) print_response(xapi, options) if options['set']: action = 'set' if options['ad_hoc'] is not None: extra_qs_used = True xapi.set(xpath=options['xpath'], element=options['element'], extra_qs=options['ad_hoc']) print_status(xapi, action) print_response(xapi, options) if options['dynamic-update']: action = 'dynamic-update' kwargs = { 'cmd': options['cmd'], } if options['ad_hoc'] is not None: extra_qs_used = True kwargs['extra_qs'] = options['ad_hoc'] if len(options['vsys']): kwargs['vsys'] = options['vsys'][0] xapi.user_id(**kwargs) print_status(xapi, action) print_response(xapi, options) if options['move'] is not None: action = 'move' if options['ad_hoc'] is not None: extra_qs_used = True xapi.move(xpath=options['xpath'], where=options['move'], dst=options['dst'], extra_qs=options['ad_hoc']) print_status(xapi, action) print_response(xapi, options) if options['rename']: action = 'rename' if options['ad_hoc'] is not None: extra_qs_used = True xapi.rename(xpath=options['xpath'], newname=options['dst'], extra_qs=options['ad_hoc']) print_status(xapi, action) print_response(xapi, options) if options['clone']: action = 'clone' if options['ad_hoc'] is not None: extra_qs_used = True xapi.clone(xpath=options['xpath'], xpath_from=options['src'], newname=options['dst'], extra_qs=options['ad_hoc']) print_status(xapi, action) print_response(xapi, options) if options['override']: action = 'override' if options['ad_hoc'] is not None: extra_qs_used = True xapi.override(xpath=options['xpath'], element=options['element'], extra_qs=options['ad_hoc']) print_status(xapi, action) print_response(xapi, options) if options['export'] is not None: action = 'export' if options['ad_hoc'] is not None: extra_qs_used = True if options['pcapid'] is not None: xapi.export(category=options['export'], pcapid=options['pcapid'], search_time=options['stime'], serialno=options['serial'], extra_qs=options['ad_hoc']) else: xapi.export(category=options['export'], from_name=options['src'], extra_qs=options['ad_hoc']) print_status(xapi, action) print_response(xapi, options) if options['pcap_listing']: pcap_listing(xapi, options['export']) save_attachment(xapi, options) if options['log'] is not None: action = 'log' if options['ad_hoc'] is not None: extra_qs_used = True xapi.log(log_type=options['log'], nlogs=options['nlogs'], skip=options['skip'], filter=options['filter'], interval=options['interval'], timeout=options['job_timeout'], extra_qs=options['ad_hoc']) print_status(xapi, action) print_response(xapi, options) if options['op'] is not None: action = 'op' kwargs = { 'cmd': options['op'], 'cmd_xml': options['cmd_xml'], } if options['ad_hoc'] is not None: extra_qs_used = True kwargs['extra_qs'] = options['ad_hoc'] if len(options['vsys']): kwargs['vsys'] = options['vsys'][0] xapi.op(**kwargs) print_status(xapi, action) print_response(xapi, options) if (options['commit'] or options['commit_all']): if options['cmd']: cmd = options['cmd'] if options['cmd_xml']: cmd = xapi.cmd_xml(cmd) else: c = pan.commit.PanCommit(validate=options['validate'], force=options['force'], commit_all=options['commit_all'], merge_with_candidate=options['merge']) for part in options['partial']: if part == 'device-and-network-excluded': c.device_and_network_excluded() elif part == 'policy-and-objects-excluded': c.policy_and_objects_excluded() elif part == 'shared-object-excluded': c.shared_object_excluded() elif part == 'no-vsys': c.no_vsys() elif part == 'vsys': c.vsys(options['vsys']) if options['serial'] is not None: c.device(options['serial']) if options['group'] is not None: c.device_group(options['group']) if options['commit_all'] and options['vsys']: c.vsys(options['vsys'][0]) cmd = c.cmd() kwargs = { 'cmd': cmd, 'sync': options['sync'], 'interval': options['interval'], 'timeout': options['job_timeout'], } if options['ad_hoc'] is not None: extra_qs_used = True kwargs['extra_qs'] = options['ad_hoc'] if options['commit_all']: kwargs['action'] = 'all' action = 'commit' xapi.commit(**kwargs) print_status(xapi, action) print_response(xapi, options) if not extra_qs_used and options['ad_hoc'] is not None: action = 'ad_hoc' xapi.ad_hoc(qs=options['ad_hoc'], xpath=options['xpath'], modify_qs=options['modify']) print_status(xapi, action) print_response(xapi, options) except pan.xapi.PanXapiError as msg: print_status(xapi, action, str(msg)) print_response(xapi, options) sys.exit(1) sys.exit(0)
def add_vulnerability_profile(xapi, **kwargs): if vulnerability_profile_exists(xapi, kwargs['vulnprofile_name']): return False exml = [] if kwargs['rule_tuples'] is not None: exml.append('<rules>') for item in kwargs['rule_tuples']: cve = "any" vendor_id = "any" threat_name = "any" host_type = "client" action = "default" capture = "disable" category = "any" if 'cve' in item: cve = item['cve'] if 'vendor_id' in item: vendor_id = item['vendor_id'] if 'threat_name' in item: threat_name = item['threat_name'] if 'host_type' in item: host_type = item['host_type'] if 'action' in item: action = item['action'] if 'capture' in item: capture = item['capture'] if 'category' in item: category = item['category'] exml.append('<entry name=\"%s\">' % item['rule_name']) exml.append('<cve><member>%s</member></cve>' % cve) exml.append('<vendor-id><member>%s</member></vendor-id>' % vendor_id) exml.append('<severity><member>%s</member></severity>' % item['severity']) exml.append('<threat-name>%s</threat-name>' % threat_name) exml.append('<host>%s</host>' % host_type) exml.append('<category>%s</category>' % category) exml.append('<packet-capture>%s</packet-capture>' % capture) exml.append('<action><%s/></action>' % action) exml.append('</entry>') exml.append('</rules>') if kwargs['exception_ids'] is not None: exml.append('<threat-exception>') for t in kwargs['exception_ids']: exml.append('<entry name=\"%s\">' '<action><reset-client/></action>' '</entry>' % t) exml.append('</threat-exception>') if kwargs['description'] is not None: exml.append('<description>%s</description>' % kwargs['description']) exml = ''.join(exml) # FOR DEBUGGING # print "element='%s'"%exml xapi.set(xpath=_SERVICE_XPATH % kwargs['vulnprofile_name'], element=exml) return True
def add_security_rule(xapi, **kwargs): if security_rule_exists(xapi, kwargs['rule_name']): return False # exml = ['<entry name="permit-server"%s">'%kwargs['rule_name']] exml = [] exml.append('<to>') for t in kwargs['to_zone']: exml.append('<member>%s</member>' % t) exml.append('</to>') exml.append('<from>') for t in kwargs['from_zone']: exml.append('<member>%s</member>' % t) exml.append('</from>') exml.append('<source>') for t in kwargs['source']: exml.append('<member>%s</member>' % t) exml.append('</source>') exml.append('<destination>') for t in kwargs['destination']: exml.append('<member>%s</member>' % t) exml.append('</destination>') exml.append('<source-user>') for t in kwargs['source_user']: exml.append('<member>%s</member>' % t) exml.append('</source-user>') exml.append('<category>') for t in kwargs['category']: exml.append('<member>%s</member>' % t) exml.append('</category>') exml.append('<application>') for t in kwargs['application']: exml.append('<member>%s</member>' % t) exml.append('</application>') exml.append('<service>') for t in kwargs['service']: exml.append('<member>%s</member>' % t) exml.append('</service>') exml.append('<hip-profiles>') for t in kwargs['hip_profiles']: exml.append('<member>%s</member>' % t) exml.append('</hip-profiles>') if kwargs['group_profile'] is not None: exml.append('<profile-setting>' '<group><member>%s</member></group>' '</profile-setting>' % kwargs['group_profile']) if kwargs['log_start']: exml.append('<log-start>yes</log-start>') else: exml.append('<log-start>no</log-start>') if kwargs['log_end']: exml.append('<log-end>yes</log-end>') else: exml.append('<log-end>no</log-end>') if kwargs['rule_type'] != 'universal': exml.append('<rule-type>%s</rule-type>' % kwargs['rule_type']) exml.append('<action>%s</action>' % kwargs['action']) if kwargs['vulnprofile_name'] is not None: exml.append('<profile-setting>') exml.append('<profiles>') exml.append('<vulnerability>') exml.append('<member>%s</member>' % kwargs['vulnprofile_name']) exml.append('</vulnerability>') exml.append('</profiles>') exml.append('</profile-setting>') # exml.append('</entry>') exml = ''.join(exml) xapi.set(xpath=_SRULE_XPATH % kwargs['rule_name'], element=exml) return True
grpEntryStaticMember.text = nodeID data = ET.tostring(root) print(data) try: xapi = pan.xapi.PanXapi(api_username=os.environ['username'], api_password=os.environ['password'], hostname=os.environ['ipAddr']) print("Successfully Connected!") xapi.op(cmd='show system info', cmd_xml=True) print(xapi.xml_result()) #set the config using the above xpath xapi.set(xpath, element=data) print(xapi.xml_result()) #commit the config. Make sure to add the xml command. xapi.commit('<commit/>') print(xapi.xml_result()) except pan.xapi.PanXapiError as msg: print('pan.xapi.PanXapi:', msg, file=sys.stderr) sys.exit(1) elif cmd == "stop": # Build the XML tree for the settings we want to add to the FW. In this case adding a named address. # root.set("name", "Kimberly")
def main(): set_encoding() options = parse_opts() try: xapi = pan.xapi.PanXapi(debug=options['debug'], timeout=options['timeout'], tag=options['tag'], use_http=options['use_http'], use_get=options['use_get'], api_username=options['api_username'], api_password=options['api_password'], api_key=options['api_key'], hostname=options['hostname'], port=options['port'], serial=options['serial'], cafile=options['cafile'], capath=options['capath']) except pan.xapi.PanXapiError as msg: print('pan.xapi.PanXapi:', msg, file=sys.stderr) sys.exit(1) if options['debug'] > 2: print('xapi.__str__()===>\n', xapi, '\n<===', sep='', file=sys.stderr) try: if options['ad_hoc'] is not None: action = 'ad_hoc' xapi.ad_hoc(qs=options['ad_hoc'], xpath=options['xpath'], modify_qs=options['modify']) print_status(xapi, action) print_response(xapi, options) if options['keygen']: action = 'keygen' xapi.keygen() print_status(xapi, action) print_response(xapi, options) print('API key: "%s"' % xapi.api_key) if options['show']: action = 'show' xapi.show(xpath=options['xpath']) print_status(xapi, action) print_response(xapi, options) if options['get']: action = 'get' xapi.get(xpath=options['xpath']) print_status(xapi, action) print_response(xapi, options) if options['delete']: action = 'delete' xapi.delete(xpath=options['xpath']) print_status(xapi, action) print_response(xapi, options) if options['edit']: action = 'edit' xapi.edit(xpath=options['xpath'], element=options['element']) print_status(xapi, action) print_response(xapi, options) if options['set']: action = 'set' xapi.set(xpath=options['xpath'], element=options['element']) print_status(xapi, action) print_response(xapi, options) if options['dynamic-update']: action = 'dynamic-update' kwargs = { 'cmd': options['cmd'], } if len(options['vsys']): kwargs['vsys'] = options['vsys'][0] xapi.user_id(**kwargs) print_status(xapi, action) print_response(xapi, options) if options['move'] is not None: action = 'move' xapi.move(xpath=options['xpath'], where=options['move'], dst=options['dst']) print_status(xapi, action) print_response(xapi, options) if options['rename']: action = 'rename' xapi.rename(xpath=options['xpath'], newname=options['dst']) print_status(xapi, action) print_response(xapi, options) if options['clone']: action = 'clone' xapi.clone(xpath=options['xpath'], xpath_from=options['src'], newname=options['dst']) print_status(xapi, action) print_response(xapi, options) if options['override']: action = 'override' xapi.override(xpath=options['xpath'], element=options['element']) print_status(xapi, action) print_response(xapi, options) if options['export'] is not None: action = 'export' xapi.export(category=options['export'], from_name=options['src']) print_status(xapi, action) print_response(xapi, options) if options['pcap_listing']: pcap_listing(xapi, options) save_pcap(xapi, options) if options['log'] is not None: action = 'log' xapi.log(log_type=options['log'], nlogs=options['nlogs'], skip=options['skip'], filter=options['filter'], interval=options['interval'], timeout=options['job_timeout']) print_status(xapi, action) print_response(xapi, options) if options['op'] is not None: action = 'op' kwargs = { 'cmd': options['op'], 'cmd_xml': options['cmd_xml'], } if len(options['vsys']): kwargs['vsys'] = options['vsys'][0] xapi.op(**kwargs) print_status(xapi, action) print_response(xapi, options) if (options['commit'] or options['commit_all']): if options['cmd']: cmd = options['cmd'] if options['cmd_xml']: cmd = xapi.cmd_xml(cmd) else: c = pan.commit.PanCommit(debug=options['debug'], validate=options['validate'], force=options['force'], commit_all=options['commit_all'], merge_with_candidate= options['merge']) for part in options['partial']: if part == 'device-and-network-excluded': c.device_and_network_excluded() elif part == 'policy-and-objects-excluded': c.policy_and_objects_excluded() elif part == 'shared-object-excluded': c.shared_object_excluded() elif part == 'no-vsys': c.no_vsys() elif part == 'vsys': c.vsys(options['vsys']) if options['serial'] is not None: c.device(options['serial']) if options['group'] is not None: c.device_group(options['group']) if options['commit_all'] and options['vsys']: c.vsys(options['vsys'][0]) cmd = c.cmd() kwargs = { 'cmd': cmd, 'sync': options['sync'], 'interval': options['interval'], 'timeout': options['job_timeout'], } if options['commit_all']: kwargs['action'] = 'all' action = 'commit' xapi.commit(**kwargs) print_status(xapi, action) print_response(xapi, options) except pan.xapi.PanXapiError as msg: print_status(xapi, action, msg) print_response(xapi, options) sys.exit(1) sys.exit(0)
def main(): try: signal.signal(signal.SIGPIPE, signal.SIG_DFL) except AttributeError: # Windows pass set_encoding() options = parse_opts() if options['debug']: logger = logging.getLogger() if options['debug'] == 3: logger.setLevel(pan.xapi.DEBUG3) elif options['debug'] == 2: logger.setLevel(pan.xapi.DEBUG2) elif options['debug'] == 1: logger.setLevel(pan.xapi.DEBUG1) # log_format = '%(levelname)s %(name)s %(message)s' log_format = '%(message)s' handler = logging.StreamHandler() formatter = logging.Formatter(log_format) handler.setFormatter(formatter) logger.addHandler(handler) if options['cafile'] or options['capath']: ssl_context = create_ssl_context(options['cafile'], options['capath']) else: ssl_context = None try: xapi = pan.xapi.PanXapi(timeout=options['timeout'], tag=options['tag'], use_http=options['use_http'], use_get=options['use_get'], api_username=options['api_username'], api_password=options['api_password'], api_key=options['api_key'], hostname=options['hostname'], port=options['port'], serial=options['serial'], ssl_context=ssl_context) except pan.xapi.PanXapiError as msg: print('pan.xapi.PanXapi:', msg, file=sys.stderr) sys.exit(1) if options['debug'] > 2: print('xapi.__str__()===>\n', xapi, '\n<===', sep='', file=sys.stderr) extra_qs_used = False try: if options['keygen']: action = 'keygen' if options['ad_hoc'] is not None: extra_qs_used = True xapi.keygen(extra_qs=options['ad_hoc']) print_status(xapi, action) print_response(xapi, options) print('API key: "%s"' % xapi.api_key) if options['show']: action = 'show' if options['ad_hoc'] is not None: extra_qs_used = True xapi.show(xpath=options['xpath'], extra_qs=options['ad_hoc']) print_status(xapi, action) print_response(xapi, options) if options['get']: action = 'get' if options['ad_hoc'] is not None: extra_qs_used = True xapi.get(xpath=options['xpath'], extra_qs=options['ad_hoc']) print_status(xapi, action) print_response(xapi, options) if options['delete']: action = 'delete' if options['ad_hoc'] is not None: extra_qs_used = True xapi.delete(xpath=options['xpath'], extra_qs=options['ad_hoc']) print_status(xapi, action) print_response(xapi, options) if options['edit']: action = 'edit' if options['ad_hoc'] is not None: extra_qs_used = True xapi.edit(xpath=options['xpath'], element=options['element'], extra_qs=options['ad_hoc']) print_status(xapi, action) print_response(xapi, options) if options['set']: action = 'set' if options['ad_hoc'] is not None: extra_qs_used = True xapi.set(xpath=options['xpath'], element=options['element'], extra_qs=options['ad_hoc']) print_status(xapi, action) print_response(xapi, options) if options['dynamic-update']: action = 'dynamic-update' kwargs = { 'cmd': options['cmd'], } if options['ad_hoc'] is not None: extra_qs_used = True kwargs['extra_qs'] = options['ad_hoc'] if len(options['vsys']): kwargs['vsys'] = options['vsys'][0] xapi.user_id(**kwargs) print_status(xapi, action) print_response(xapi, options) if options['move'] is not None: action = 'move' if options['ad_hoc'] is not None: extra_qs_used = True xapi.move(xpath=options['xpath'], where=options['move'], dst=options['dst'], extra_qs=options['ad_hoc']) print_status(xapi, action) print_response(xapi, options) if options['rename']: action = 'rename' if options['ad_hoc'] is not None: extra_qs_used = True xapi.rename(xpath=options['xpath'], newname=options['dst'], extra_qs=options['ad_hoc']) print_status(xapi, action) print_response(xapi, options) if options['clone']: action = 'clone' if options['ad_hoc'] is not None: extra_qs_used = True xapi.clone(xpath=options['xpath'], xpath_from=options['src'], newname=options['dst'], extra_qs=options['ad_hoc']) print_status(xapi, action) print_response(xapi, options) if options['override']: action = 'override' if options['ad_hoc'] is not None: extra_qs_used = True xapi.override(xpath=options['xpath'], element=options['element'], extra_qs=options['ad_hoc']) print_status(xapi, action) print_response(xapi, options) if options['export'] is not None: action = 'export' if options['ad_hoc'] is not None: extra_qs_used = True if options['pcapid'] is not None: xapi.export(category=options['export'], pcapid=options['pcapid'], search_time=options['stime'], serialno=options['serial'], extra_qs=options['ad_hoc']) else: xapi.export(category=options['export'], from_name=options['src'], extra_qs=options['ad_hoc']) print_status(xapi, action) print_response(xapi, options) if options['pcap_listing']: pcap_listing(xapi, options['export']) save_attachment(xapi, options) if options['log'] is not None: action = 'log' if options['ad_hoc'] is not None: extra_qs_used = True xapi.log(log_type=options['log'], nlogs=options['nlogs'], skip=options['skip'], filter=options['filter'], interval=options['interval'], timeout=options['job_timeout'], extra_qs=options['ad_hoc']) print_status(xapi, action) print_response(xapi, options) if options['op'] is not None: action = 'op' kwargs = { 'cmd': options['op'], 'cmd_xml': options['cmd_xml'], } if options['ad_hoc'] is not None: extra_qs_used = True kwargs['extra_qs'] = options['ad_hoc'] if len(options['vsys']): kwargs['vsys'] = options['vsys'][0] xapi.op(**kwargs) print_status(xapi, action) print_response(xapi, options) if (options['commit'] or options['commit_all']): if options['cmd']: cmd = options['cmd'] if options['cmd_xml']: cmd = xapi.cmd_xml(cmd) else: c = pan.commit.PanCommit(validate=options['validate'], force=options['force'], commit_all=options['commit_all'], merge_with_candidate= options['merge']) for part in options['partial']: if part == 'device-and-network-excluded': c.device_and_network_excluded() elif part == 'policy-and-objects-excluded': c.policy_and_objects_excluded() elif part == 'shared-object-excluded': c.shared_object_excluded() elif part == 'no-vsys': c.no_vsys() elif part == 'vsys': c.vsys(options['vsys']) if options['serial'] is not None: c.device(options['serial']) if options['group'] is not None: c.device_group(options['group']) if options['commit_all'] and options['vsys']: c.vsys(options['vsys'][0]) cmd = c.cmd() kwargs = { 'cmd': cmd, 'sync': options['sync'], 'interval': options['interval'], 'timeout': options['job_timeout'], } if options['ad_hoc'] is not None: extra_qs_used = True kwargs['extra_qs'] = options['ad_hoc'] if options['commit_all']: kwargs['action'] = 'all' action = 'commit' xapi.commit(**kwargs) print_status(xapi, action) print_response(xapi, options) if not extra_qs_used and options['ad_hoc'] is not None: action = 'ad_hoc' xapi.ad_hoc(qs=options['ad_hoc'], xpath=options['xpath'], modify_qs=options['modify']) print_status(xapi, action) print_response(xapi, options) except pan.xapi.PanXapiError as msg: print_status(xapi, action, msg) print_response(xapi, options) sys.exit(1) sys.exit(0)
def push_meta(meta, context, force_sync=False, perform_commit=True) -> (str, None): """ Push a skillet to a PanXapi connected device :param meta: dict containing parsed and loaded skillet :param context: all compiled variables from the user interaction :param force_sync: should we wait on a successful commit operation or return after queue :param perform_commit: should we actually commit or not :return: job_id as a str or None if no job_id could be found """ xapi = panos_login() if xapi is None: raise CCFParserError('Could not login in to Palo Alto Networks Device') name = meta['name'] if 'name' in meta else 'unknown' # default to None as return value, set to job_id if possible later if a commit was requested return_value = None # _perform_backup() if 'snippet_path' in meta: snippets_dir = meta['snippet_path'] else: raise CCFParserError(f'Could not locate .meta-cnc file on filesystem for Skillet: {name}') environment = Environment(loader=BaseLoader()) for f in jinja_filters.defined_filters: if hasattr(jinja_filters, f): environment.filters[f] = getattr(jinja_filters, f) try: for snippet in meta['snippets']: if 'xpath' not in snippet or 'file' not in snippet: print('Malformed meta-cnc error') raise CCFParserError(f'Malformed snippet section in meta-cnc file for {name}') xpath = snippet['xpath'] xml_file_name = snippet['file'] # allow snippets to be skipped using the 'when' attribute if 'when' in snippet: when_template = environment.from_string(snippet.get('when', '')) when_result = str(when_template.render(context)) if when_result.lower() == 'false' or when_result.lower() == 'no': print(f'Skipping snippet {name} due to when condition false') continue xml_full_path = os.path.join(snippets_dir, xml_file_name) with open(xml_full_path, 'r') as xml_file: xml_string = xml_file.read() xml_template = environment.from_string(xml_string) xpath_template = environment.from_string(xpath) # fix for #74, ensure multiline xpaths do not contain newlines or spaces xml_snippet = xml_template.render(context).strip().replace('\n', '') xpath_string = xpath_template.render(context).strip().replace('\n', '').replace(' ', '') print('Pushing xpath: %s' % xpath_string) try: xapi.set(xpath=xpath_string, element=xml_snippet) if xapi.status_code == '19' or xapi.status_code == '20': print('xpath is already present') elif xapi.status_code == '7': raise CCFParserError(f'xpath {xpath_string} was NOT found for skillet: {name}') except pan.xapi.PanXapiError as pxe: err_msg = str(pxe) if '403' in err_msg: # Auth issue, let's clear the api_key and bail out! xapi = None clear_credentials() raise CCFParserError(f'Could not push skillet {name} / snippet {xml_file_name}! {pxe}') if perform_commit: if 'type' not in meta: commit_type = 'commit' else: if 'panorama' in meta['type']: commit_type = 'commit-all' else: commit_type = 'commit' if commit_type == 'commit-all': print('Performing commit-all in panorama') xapi.commit(cmd='<commit-all></commit-all>', sync=True) else: if force_sync: xapi.commit('<commit></commit>', sync=True) else: xapi.commit('<commit></commit>') results = xapi.xml_result() if force_sync: # we have the results of a job id query, the commit results are embedded therein doc = elementTree.XML(results) embedded_result = doc.find('result') if embedded_result is not None: commit_result = embedded_result.text print(f'Commit result is {commit_result}') if commit_result == 'FAIL': raise TargetCommitException(xapi.status_detail) else: if 'with jobid' in results: result = re.match(r'.* with jobid (\d+)', results) if result is not None: return_value = result.group(1) # for gpcs baseline and svc connection network configuration do a scope push to gpcs # FIXME - check for 'gpcs' in meta['type'] instead of hardcoded name if meta['name'] == 'gpcs_baseline': print('push baseline and svc connection scope to gpcs') xapi.commit(action='all', cmd='<commit-all><template-stack>' '<name>Service_Conn_Template_Stack</name></template-stack></commit-all>') print(xapi.xml_result()) # for gpcs remote network configuration do a scope push to gpcs if meta['name'] == 'gpcs_remote' or meta['name'] == 'gpcs_baseline': print('push remote network scope to gpcs') xapi.commit(action='all', cmd='<commit-all><shared-policy><device-group>' '<entry name="Remote_Network_Device_Group"/>' '</device-group></shared-policy></commit-all>') print(xapi.xml_result()) return return_value except UndefinedError as ue: raise CCFParserError(f'Undefined variable in skillet: {ue}') except IOError as ioe: raise CCFParserError(f'Could not open xml snippet file for reading! {ioe}') except pan.xapi.PanXapiError as pxe: raise CCFParserError(f'Could not push meta-cnc for skillet {name}! {pxe}')
def main(): argument_spec = dict(ip_address=dict(required=True), password=dict(no_log=True), username=dict(default='admin'), api_key=dict(no_log=True), device_serial=dict(default=None), operation=dict( required=True, choices=['add', 'assign', 'remove', 'delete']), devicegroup=dict(default=None)) module = AnsibleModule(argument_spec=argument_spec, supports_check_mode=False, required_one_of=[['api_key', 'password']]) if not HAS_LIB: module.fail_json(msg='Missing required libraries.') ip_address = module.params["ip_address"] password = module.params["password"] username = module.params['username'] api_key = module.params['api_key'] dvsn = module.params['device_serial'] operation = module.params['operation'] devicegroup = module.params['devicegroup'] if operation == "assign": try: xpath_dg = "/config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='%s']/devices" % devicegroup xapi = pan.xapi.PanXapi(hostname=ip_address, api_username=username, api_password=password, api_key=api_key) xapi.set(xpath=xpath_dg, element='<entry name="%s"></entry>' % dvsn) except PanXapiError: exc = get_exception() module.fail_json(msg=exc.message) module.exit_json( changed=True, msg='Device Group \'%s\' successfully assigned to \'%s\'' % (devicegroup, dvsn)) elif operation == "add": try: xpath_dg = "/config/devices/entry[@name='localhost.localdomain']/device-group" xapi = pan.xapi.PanXapi(hostname=ip_address, api_username=username, api_password=password, api_key=api_key) xapi.set(xpath=xpath_dg, element='<entry name="%s"></entry>' % devicegroup) except PanXapiError: exc = get_exception() module.fail_json(msg=exc.message) module.exit_json(changed=True, msg='Device Group \'%s\' successfully added ' % devicegroup)