def __init__(self, name, fw=None, pano=None): if pano: vr = n.VirtualRouter(name=name) pano.add(vr) vr.create() else: vr = n.VirtualRouter(name=name) fw.add(vr) vr.create()
def test_static_routes(self): vr = network.VirtualRouter() self.d.add(vr) route = vr.add( network.StaticRoute("Default", "0.0.0.0/0", None, "10.5.5.2")) vr.create() vr.delete()
def create_tunnel_interface(self, tunnel_name): """ Create a tunnel interface and associate it with a virtual router and security zone """ # Logically create the tunnel interface tunnel_ref = self.tunnel_interfaces.get(tunnel_name) tunnel_intf = network.TunnelInterface(tunnel_ref.name, comment=tunnel_ref.comment) self.fw_dev_hndl.add(tunnel_intf) # Retrieve the existing zones fw_zones = network.Zone(tunnel_ref.security_zone) self.fw_dev_hndl.add(fw_zones) fw_zones.refresh() zone_intfs = fw_zones.interface # Add interface to the zone zone_intfs.append(tunnel_ref.name) fw_zones.interface = zone_intfs # Retrieve the existing list of virtual routers fw_vrs = network.VirtualRouter(tunnel_ref.virtual_router) self.fw_dev_hndl.add(fw_vrs) fw_vrs.refresh() vr_intfs = fw_vrs.interface vr_intfs.append(tunnel_ref.name) fw_vrs.interface = vr_intfs # Push all the configs to the device tunnel_intf.create() fw_zones.apply() fw_vrs.apply()
def main(): argument_spec = setup_args() module = AnsibleModule(argument_spec=argument_spec, supports_check_mode=False, required_one_of=[['api_key', 'password']]) if not HAS_LIB: module.fail_json(msg='Missing required libraries.') # Get the firewall / panorama auth. auth = [module.params[x] for x in ('ip_address', 'username', 'password', 'api_key')] # exclude the default items from kwargs passed to the object exclude_list = ['ip_address', 'username', 'password', 'api_key', 'state', 'commit'] # generate the kwargs for network.VirtualRouter obj_spec = dict((k, module.params[k]) for k in argument_spec.keys() if k not in exclude_list) name = module.params['name'] state = module.params['state'] commit = module.params['commit'] # create the new state object virtual_router = network.VirtualRouter(**obj_spec) changed = False try: # Create the device with the appropriate pandevice type device = base.PanDevice.create_from_device(*auth) network.VirtualRouter.refreshall(device) # search for the virtual router vr = device.find(name, network.VirtualRouter) # compare differences between the current state vs desired state if state == 'present': if vr is None or not virtual_router.equal(vr, compare_children=False): device.add(virtual_router) virtual_router.create() changed = True elif state == 'absent': if vr is not None: vr.delete() changed = True else: module.fail_json(msg='[%s] state is not implemented yet' % state) except (PanDeviceError, KeyError): exc = get_exception() module.fail_json(msg=exc.message) if commit and changed: device.commit(sync=True, exception=True) if changed: module.exit_json(msg='Virtual router update successful.', changed=changed) else: module.exit_json(msg='no changes required.', changed=changed)
def create_dependencies(self, fw, state): state.eth_obj = None state.eth = testlib.get_available_interfaces(fw)[0] state.eth_obj = network.EthernetInterface(state.eth, 'layer3', testlib.random_ip('/24')) fw.add(state.eth_obj) state.eth_obj.create() state.vr = network.VirtualRouter(testlib.random_name(), interface=state.eth) fw.add(state.vr) state.vr.create()
def create_dependencies(self, fw, state): state.eth_objs = [] state.vr = None state.eths = testlib.get_available_interfaces(fw, 2) for e in state.eths: state.eth_objs.append( network.EthernetInterface(e, 'layer3', testlib.random_ip('/24'))) fw.add(state.eth_objs[-1]) state.eth_objs[-1].create() state.vr = network.VirtualRouter(testlib.random_name(), state.eths) fw.add(state.vr) state.vr.create()
def setup_state_obj(self, fw, state): state.obj = network.VirtualRouter( testlib.random_name(), interface=state.eth, ad_static=random.randint(10, 240), ad_static_ipv6=random.randint(10, 240), ad_ospf_int=random.randint(10, 240), ad_ospf_ext=random.randint(10, 240), ad_ospfv3_int=random.randint(10, 240), ad_ospfv3_ext=random.randint(10, 240), ad_ibgp=random.randint(10, 240), ad_ebgp=random.randint(10, 240), ad_rip=random.randint(10, 240), ) fw.add(state.obj)
def create_dependencies(self, fw, state): state.eths = testlib.get_available_interfaces(fw, 2) state.eth_obj_v4 = network.EthernetInterface(state.eths[0], 'layer3', testlib.random_ip('/24')) fw.add(state.eth_obj_v4) state.eth_obj_v6 = network.EthernetInterface(state.eths[1], 'layer3', ipv6_enabled=True) fw.add(state.eth_obj_v6) state.eth_obj_v4.create_similar() state.vr = network.VirtualRouter(testlib.random_name(), state.eths) fw.add(state.vr) state.vr.create() if any((self.WITH_OSPF, self.WITH_AUTH_PROFILE, self.WITH_AREA, self.WITH_AREA_INTERFACE)): state.ospf = network.Ospf(True, testlib.random_ip()) state.vr.add(state.ospf) if self.WITH_AUTH_PROFILE: state.auth = network.OspfAuthProfile(testlib.random_name(), 'md5') state.ospf.add(state.auth) if self.WITH_AREA or self.WITH_AREA_INTERFACE: state.area = network.OspfArea(testlib.random_ip()) state.ospf.add(state.area) if self.WITH_AREA_INTERFACE: state.iface = network.OspfAreaInterface( state.eths[0], True, True, 'p2mp') state.area.add(state.iface) state.ospf.create()
def create_dependencies(self, fw, state): state.vr = network.VirtualRouter(testlib.random_name()) fw.add(state.vr) state.vr.create()
def config_builder(instanceList): global netObj_ike_list, netObj_ipsec_list, netObj_tunInt_list, netObj_vr_list, netObj_zone_list netObj_ike_list, netObj_ipsec_list, netObj_tunInt_list, netObj_vr_list, netObj_zone_list = [], [], [], [], [] vrDict, zoneDict = {}, {} for item in instanceList: item = [i if i != '' else None for i in item[:]] netObj_tunInt = network.TunnelInterface() netObj_tunInt.name = item[0] netObj_tunInt.comment = item[1] netObj_tunInt.ip = item[2] netObj_tunInt.management_profile = item[3] netObj_tunInt_list.append(pan.add(netObj_tunInt)) if item[4] not in vrDict.keys(): vrDict[item[4]] = [] vrDict[item[4]].append(item[0]) if len(item[5]) > 31: print('*' * 6 + ' Warning -- IKE-GW - {} name truncated to {} due to length restriction'.format(item[5], item[5][:31])) item[5] = item[5][:31] if item[5] not in zoneDict.keys(): zoneDict[item[5]] = [] zoneDict[item[5]].append(item[0]) if len(item[6]) > 31: print('*' * 6 + ' Warning -- IKE-GW - {} name truncated to {} due to length restriction'.format(item[6], item[6][:31])) item[6] = item[6][:31] netObj_ike = network.IkeGateway() netObj_ike.name = item[6] netObj_ike.interface = item[7] netObj_ike.local_ip_address_type = 'ip' netObj_ike.local_ip_address = item[8] netObj_ike.peer_ip_type = item[9] if netObj_ike.peer_ip_type != 'dynamic': netObj_ike.peer_ip_value = item[10] netObj_ike.pre_shared_key = item[11] if item[12] is not None: temp_item = item[12].replace(': ', ':').split(':') netObj_ike.local_id_type = temp_item[0] netObj_ike.local_id_value = temp_item[1] if item[13] is not None: temp_item = item[13].replace(': ', ':').split(':') netObj_ike.peer_id_type = temp_item[0] netObj_ike.peer_id_value = temp_item[1] if item[14] is not None and item[14].lower() == 'true': netObj_ike.enable_passive_mode = True else: netObj_ike.enable_passive_mode = False if item[15] is not None and item[15].lower() == 'true': netObj_ike.enable_nat_traversal = True else: netObj_ike.enable_nat_traversal = False netObj_ike.ikev1_exchange_mode = item[16] netObj_ike.ikev1_crypto_profile = item[17] if item[18] is not None and item[18].lower() == 'true': netObj_ike.enable_fragmentation = True else: netObj_ike.enable_fragmentation = False if item[19] is None or item[19].lower() == 'true': netObj_ike.enable_dead_peer_detection = True elif item[19].lower() == 'false': netObj_ike.enable_dead_peer_detection = False else: temp_item = item[19].replace('; ', ';').split(';') netObj_ike.enable_dead_peer_detection = True netObj_ike.dead_peer_detection_interval = temp_item[0] netObj_ike.dead_peer_detection_retry = temp_item[1] netObj_ike_list.append(pan.add(netObj_ike)) if len(item[20]) > 31: print('*' * 6 + ' Warning -- IKE-GW - {} name truncated to {} due to length restriction'.format(item[20], item[20][:31])) item[20] = item[20][:31] netObj_ipsec = network.IpsecTunnel() netObj_ipsec.name = item[20] netObj_ipsec.tunnel_interface = item[21] if len(item[22]) > 31: print('*' * 6 + ' Warning -- IKE-GW - {} name truncated to {} due to length restriction'.format(item[22], item[22][:31])) item[22] = item[22][:31] netObj_ipsec.ak_ike_gateway = item[22] if item[23] is None: item[23] = 'default' netObj_ipsec.ak_ipsec_crypto_profile = item[23] netObj_ipsec_list.append(pan.add(netObj_ipsec)) print('Building Config --- Tunnel-Int - {} // IKE-GW - {} // IPSec-Tunnel - {}'.format(netObj_tunInt.name, netObj_ike.name, netObj_ipsec.name)) for key, value in vrDict.items(): netObj_vr = network.VirtualRouter() netObj_vr.name = key netObj_vr.interface = value netObj_vr_list.append(pan.add(netObj_vr)) for key, value in zoneDict.items(): netObj_zone = network.Zone() netObj_zone.name = key netObj_zone.interface = value netObj_zone_list.append(pan.add(netObj_zone))
un_zone = network.Zone("untrust", \ mode = "layer3", \ interface = "ethernet1/1") fw.add(un_zone) un_zone.create() print(un_zone) #creates master vr_master virtual router and assoictes ethernet1/1 vr_master = network.VirtualRouter("vr_master", \ interface = ["ethernet1/1", "tunnel.100", "ethernet1/2"]) fw.add(vr_master) vr_master.create() print(vr_master) # Creates IKE Crypto Profile ikecp = network.IkeCryptoProfile("ICP-DH_G5-AUTH_SHA256-EN_AES256", \ dh_group = "group5", \ authentication = "sha256", \ encryption = "aes-256-cbc", \ lifetime_seconds = "3600")
@pytest.mark.parametrize('vsys', [None, 'vsys1', 'vsys3']) @pytest.mark.parametrize('with_pano', [False, True]) def test_xpath_for_mgtconfig_root(vsys, with_pano): obj = device.Administrator('newadmin') _check(obj, vsys, with_pano) @pytest.mark.parametrize('vsys', [None, 'vsys1', 'vsys3']) @pytest.mark.parametrize('with_pano', [False, True]) @pytest.mark.parametrize('obj', [ network.EthernetInterface('ethernet1/3', 'layer3'), network.Layer3Subinterface('ethernet1/4.42', 42), network.Layer2Subinterface('ethernet1/4.420', 420), network.VirtualRouter('someroute'), network.VirtualWire('tripwire'), network.Vlan('myvlan'), ]) def test_xpath_import(vsys, with_pano, obj): _check(obj, vsys, with_pano, True) def test_vsys_xpath_unchanged(): expected = "/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys3']" c = firewall.Firewall('127.0.0.1', 'admin', 'admin') c.vsys = 'vsys3' assert expected == c.xpath_vsys() c.vsys = None
def main(): argument_spec = dict(ip_address=dict(required=True), username=dict(default='admin'), password=dict(no_log=True), api_key=dict(no_log=True), name=dict(type='str', required=True), devicegroup=dict(type='str', required=False), panorama_template=dict(), priority=dict(type='int', required=True), action=dict(type='str', required=True), filter_type=dict(type='str', required=True), vr=dict(type='str', required=True), state=dict(default='present', choices=['present', 'absent'])) module = AnsibleModule(argument_spec=argument_spec, supports_check_mode=False) if not HAS_LIB: module.fail_json( msg='pan-python and pandevice are required for this module.') ip_address = module.params['ip_address'] username = module.params['username'] password = module.params['password'] api_key = module.params['api_key'] name = module.params['name'] devicegroup = module.params['devicegroup'] state = module.params['state'] priority = module.params['priority'] action = module.params['action'] filter_type = module.params['filter_type'] vr = module.params['vr'] changed = False try: device = base.PanDevice.create_from_device(ip_address, username, password, api_key=api_key) dev_group = None if devicegroup and isinstance(device, panorama.Panorama): dev_group = get_devicegroup(device, devicegroup) if dev_group: device.add(dev_group) else: module.fail_json( msg= '\'%s\' device group not found in Panorama. Is the name correct?' % devicegroup) active_vr = network.VirtualRouter(vr) device.add(active_vr) active_vr.refreshall(device) active_profs = network.RedistributionProfile.refreshall(active_vr) found = False for current_prof in active_profs: if current_prof.name == name: found = True del_obj = current_prof break #exit() # only change when present, and does not already exist if state == 'present' and not found: changed = True redist_prof = network.RedistributionProfile( name=name, priority=priority, action=action, filter_type=filter_type) selected_vr = network.VirtualRouter(vr) device.add(selected_vr) selected_vr.add(redist_prof) redist_prof.create() # only change when absent, and does already exist elif state == 'absent' and found: changed = True selected_vr = network.VirtualRouter(vr) device.add(selected_vr) selected_vr.add(del_obj) del_obj.delete() except PanDeviceError as e: module.fail_json(msg=e.message) module.exit_json(changed=changed)