def main(): # Get command line arguments parser = argparse.ArgumentParser( description="Commit and Push an updated Panorama device group configuration" ) parser.add_argument( "-v", "--verbose", action="count", help="Verbose (-vv for extra verbose)" ) parser.add_argument("-q", "--quiet", action="store_true", help="No output") # Palo Alto Networks related arguments fw_group = parser.add_argument_group("Palo Alto Networks Device") fw_group.add_argument("hostname", help="Hostname of Panorama") fw_group.add_argument("username", help="Username for Panorama") fw_group.add_argument("password", help="Password for Panorama") fw_group.add_argument("devicegroup", help="DeviceGroup for Panorama") args = parser.parse_args() # Connects to Panorama. pano = panorama.Panorama(args.hostname, args.username, args.password,) # Create a panorama object # Performs the commit and device group push print("Performing commit...") pano.commit(sync_all=True,sync=True) print("Done") print("Performing device push...") pano.commit_all(sync=True,sync_all=True,cmd="<commit-all><shared-policy><device-group><entry name='%s'/></device-group></shared-policy></commit-all>"%(args.devicegroup)) print("Done")
def test_device_group_xpath_unchanged(): expected = "/config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='somegroup']/address/entry[@name='intnet']" pano = panorama.Panorama("127.0.0.1") dg = panorama.DeviceGroup("somegroup") ao = objects.AddressObject("intnet", "192.168.0.0/16") pano.add(dg) dg.add(ao) assert expected == ao.xpath()
def _check(obj, vsys, with_pano, chk_import=False): if chk_import: func = "xpath_import_base" else: func = "xpath" fw = firewall.Firewall("127.0.0.1", "admin", "admin", serial="01234567890") fw.vsys = vsys fw.add(obj) if with_pano: pano = panorama.Panorama("127.0.0.1", "admin2", "admin2") pano.add(fw) expected = getattr(obj, func)() fw.remove(obj) fw.vsys = None vsys = device.Vsys(vsys or "vsys1") fw.add(vsys) vsys.add(obj) result = getattr(obj, func)() assert expected == result
def init(): """ Environment variables: PD_USERNAME PD_PASSWORD PD_PANORAMAS PD_FIREWALLS """ global live_devices global one_fw_per_version global one_device_per_version global one_panorama_per_version global ha_pairs global panorama_fw_combinations # Get os.environ stuff to set the live_devices global. try: username = os.environ["PD_USERNAME"] password = os.environ["PD_PASSWORD"] panos = os.environ["PD_PANORAMAS"].split() fws = os.environ["PD_FIREWALLS"].split() except KeyError as e: print('NOT RUNNING LIVE TESTS - missing "{0}"'.format(e)) return # Add each panorama to the live_devices. for hostname in panos: c = panorama.Panorama(hostname, username, password) try: c.refresh_system_info() except Exception as e: raise ValueError("Failed to connect to panorama {0}: {1}".format( hostname, e)) # There should only be one panorama per version. version = c._version_info if version in live_devices: raise ValueError("Two panoramas, same version: {0} and {1}".format( live_devices[version]["pano"].hostname, hostname)) live_devices.setdefault(version, {"fws": [], "pano": None}) live_devices[version]["pano"] = c # Add each firewall to the live_devices. for hostname in fws: c = firewall.Firewall(hostname, username, password) try: c.refresh_system_info() except Exception as e: raise ValueError("Failed to connect to firewall {0}: {1}".format( hostname, e)) # Multiple firewalls are allowed per version, but only ever the first # two will be used. version = c._version_info live_devices.setdefault(version, {"fws": [], "pano": None}) live_devices[version]["fws"].append(c) # Set: # one_fw_per_version # one_device_type_per_version # one_panorama_per_version for version in live_devices: pano = live_devices[version]["pano"] fws = live_devices[version]["fws"] if fws: fw = random.choice(fws) one_device_type_per_version.append((fw, desc(fw=version))) one_fw_per_version.append((fw, desc(fw=version))) if pano is not None: one_panorama_per_version.append((pano, desc(pano=version))) one_device_type_per_version.append((pano, desc(pano=version))) # Set: ha_pairs for version in live_devices: fws = live_devices[version]["fws"] if len(fws) >= 2: ha_pairs.append((fws[:2], version)) # Set panorama_fw_combinations for pano_version in live_devices: pano = live_devices[pano_version]["pano"] if pano is None: continue for fw_version in live_devices: fws = live_devices[fw_version]["fws"] if not fws or pano_version < fw_version: continue fw = random.choice(fws) panorama_fw_combinations.append(( (pano, fw), desc(pano_version, fw_version), ))
def connect(panoAddress): username = input('Username: ' ) password = getpass.getpass() print(panoAddress) pano = panorama.Panorama(panoAddress, username, password) return pano
from panos import panorama import os username = os.environ["panorama_username"] passw = os.environ["panorama_password"] hostname = os.environ["panorama_host"] student_id = os.environ["panorama_student_id"] # destroy = True # create = False pano = panorama.Panorama(hostname=hostname, api_password=passw, api_username=username) def build_access_domain(): access_domain_xp = "/config/mgt-config/access-domain/entry[@name='ACD-STUDENT-{}']".format( student_id) access_domain_e = "<device-groups><member>DG-STUDENT-{}</member></device-groups><templates>" \ "<member>TPL-COMMON</member><member>TPL-STUDENT-BASE-{}</member>" \ "<member>TPL-STUDENT-STACK-{}</member></templates>" \ "<shared-access>write</shared-access>".format(student_id, student_id, student_id) pano.xapi.set(xpath=access_domain_xp, element=access_domain_e) def build_admin_user(): admin_password = pano.xapi.op( 'request password-hash password "{}"'.format("student-" + student_id), cmd_xml=True) r = admin_password phash = r.find(".//phash").text admin_add_xp = "/config/mgt-config/users/entry[@name='student-{}']".format( student_id)
def eastwesthelper(pa_ip, username, password, pa_type, filename=None): """ Main point of entry. Connect to PA/Panorama. Grab security rules from pa/pan. Modify them for intra-zone migration. """ for subnet in settings.EXISTING_TRUST_SUBNET: if subnet.endswith("/32"): mem.singleip = True if pa_type == "panorama": # Grab 'start' time start = time.perf_counter() panfw = panorama.Panorama(pa_ip, username, password) # Grab the Device Groups and Template Names, we don't need Template names. pa = pa_api.api_lib_pa(pa_ip, username, password, pa_type) device_group = get_device_group(pa) pre_rulebase = policies.PreRulebase() post_rulebase = policies.PostRulebase() dg = panorama.DeviceGroup(device_group) dg.add(pre_rulebase) dg.add(post_rulebase) panfw.add(dg) # Grab Objects and Rules mem.address_object_entries = objects.AddressObject.refreshall(dg, add=False)#,add=False) mem.address_group_entries = objects.AddressGroup.refreshall(dg, add=False)#,add=False) #Grabbing the Shared address objects and groups.. shared = panorama.DeviceGroup('shared') panfw.add(shared) shared_objects = objects.AddressObject.refreshall(shared, add=False) mem.address_object_entries += shared_objects shared_groups = objects.AddressGroup.refreshall(shared, add=False) mem.address_group_entries += shared_groups # Add parent DG (like Shared), if used. Ask Chris Evans or me for details. if settings.OBJ_PARENT_DEVICE_GROUP: parent_dg = panorama.DeviceGroup(settings.OBJ_PARENT_DEVICE_GROUP) panfw.add(parent_dg) parent_objects = objects.AddressObject.refreshall(parent_dg, add=False) mem.address_object_entries += parent_objects parent_groups = objects.AddressGroup.refreshall(parent_dg, add=False) mem.address_group_entries += parent_groups # GRAB PRE/POST RULES pre_security_rules = policies.SecurityRule.refreshall(pre_rulebase)#, add=False) post_security_rules = policies.SecurityRule.refreshall(post_rulebase)#, add=False) # Modify the rules, Pre & Post if pre_security_rules: eastwest_addnew_zone(pre_security_rules, panfw, pre_rulebase) if post_security_rules: eastwest_addnew_zone(post_security_rules, panfw, post_rulebase) elif pa_type == "pa": # Grab 'start' time start = time.perf_counter() panfw = firewall.Firewall(pa_ip, username, password) # Grab Rules mem.address_object_entries = objects.AddressObject.refreshall(panfw,add=False) mem.address_group_entries = objects.AddressGroup.refreshall(panfw,add=False) rulebase = policies.Rulebase() panfw.add(rulebase) security_rules = policies.SecurityRule.refreshall(rulebase) # Modify the rules if security_rules: modified_rules = eastwest_addnew_zone(security_rules, panfw, rulebase) # Finished end = time.perf_counter() runtime = end - start print(f"Took {runtime} Seconds.\n")