Module: policies

Inheritance diagram

Inheritance diagram of panos.policies

Configuration tree diagram

digraph configtree { graph [rankdir=LR, fontsize=10, margin=0.001]; node [shape=box, fontsize=10, height=0.001, margin=0.1, ordering=out]; PostRulebase [style=filled fillcolor=lightsalmon URL="../module-policies.html#panos.policies.PostRulebase" target="_top"]; ApplicationOverride [style=filled fillcolor=lightsalmon URL="../module-policies.html#panos.policies.ApplicationOverride" target="_top"]; PostRulebase -> ApplicationOverride; AuthenticationRule [style=filled fillcolor=lightsalmon URL="../module-policies.html#panos.policies.AuthenticationRule" target="_top"]; PostRulebase -> AuthenticationRule; DecryptionRule [style=filled fillcolor=lightsalmon URL="../module-policies.html#panos.policies.DecryptionRule" target="_top"]; PostRulebase -> DecryptionRule; NatRule [style=filled fillcolor=lightsalmon URL="../module-policies.html#panos.policies.NatRule" target="_top"]; PostRulebase -> NatRule; PolicyBasedForwarding [style=filled fillcolor=lightsalmon URL="../module-policies.html#panos.policies.PolicyBasedForwarding" target="_top"]; PostRulebase -> PolicyBasedForwarding; SecurityRule [style=filled fillcolor=lightsalmon URL="../module-policies.html#panos.policies.SecurityRule" target="_top"]; PostRulebase -> SecurityRule; PreRulebase [style=filled fillcolor=lightsalmon URL="../module-policies.html#panos.policies.PreRulebase" target="_top"]; PreRulebase -> ApplicationOverride; PreRulebase -> AuthenticationRule; PreRulebase -> DecryptionRule; PreRulebase -> NatRule; PreRulebase -> PolicyBasedForwarding; PreRulebase -> SecurityRule; Rulebase [style=filled fillcolor=lightsalmon URL="../module-policies.html#panos.policies.Rulebase" target="_top"]; Rulebase -> ApplicationOverride; Rulebase -> AuthenticationRule; Rulebase -> DecryptionRule; Rulebase -> NatRule; Rulebase -> PolicyBasedForwarding; Rulebase -> SecurityRule; }

Class Reference

Policies module contains policies and rules that exist in the ‘Policies’ tab in the firewall GUI

class panos.policies.ApplicationOverride(*args, **kwargs)[source]
Parameters:
  • name (str) – Name of the rule
  • fromzone (list) – From zones
  • tozone (list) – To zones
  • source (list) – Source addresses
  • destination (list) – Destination addresses
  • application (str) – Applications
  • description (str) – Description of this rule
  • tag (list) – Administrative tags
  • negate_source (bool) – Match on the reverse of the ‘source’ attribute
  • negate_destination (bool) – Match on the reverse of the ‘destination’ attribute
  • disabled (bool) – Disable this rule
  • negate_target (bool) – Target all but the listed target firewalls (applies to panorama/device groups only)
  • target (list) – Apply this policy to the listed firewalls only (applies to panorama/device groups only)
  • port (str) – Destination port
  • protocol (str) – Protocol used
  • group_tag (str) – (PAN-OS 9.0+) The group tag.
class panos.policies.AuditCommentLog(elm)[source]

A single audit comment log entry.

class panos.policies.AuthenticationRule(*args, **kwargs)[source]

Authentication Rule

Both the naming convention and the order of the parameters tries to closly match what is presented in the GUI.

Parameters:
  • name (str) – The name
  • description (str) – The description
  • uuid (str) – (PAN-OS 9.0+) The UUID for this rule.
  • source_zones (list) – The source zones.
  • source_addresses (list) – The source addresses.
  • negate_source (bool) – Negate the source addresses.
  • destination_zones (list) – The destination zones.
  • destination_addresses (list) – The destination addresses.
  • negate_destination (bool) – Negate the destination addresses.
  • tag (list) – Administrative tags
  • disabled (bool) – Disable this rule
  • service (str) – The service
  • source_hip (list) – (PAN-OS 10.0+) The source HIP info.
  • source_users (list) – The source users.
  • url_categories (list) – URL categories.
  • group_tag (str) – (PAN-OS 9.0+) The group tag.
  • authentication_enforcement (str) – The authentication enforcement object.
  • timeout (str) – The authentication timeout.
  • negate_target (bool) – Target all but the listed target firewalls, (applies to panorama/device groups only)
  • target (list) – Apply this policy to the listed firewalls only, (applies to panorama/device groups only)
  • log_setting (str) – (PAN-OS 10.0+) Log setting.
  • log_authentication_timeout (bool) – Whether the rules logs authentication timeouts or not.
class panos.policies.DecryptionRule(*args, **kwargs)[source]

Decryption rule.

PAN-OS 7.0+

Parameters:
  • name (str) – The name
  • description (str) – The descripton
  • uuid (str) – (PAN-OS 9.0+) The UUID for this rule.
  • source_zones (list) – The source zones.
  • source_addresses (list) – The source addresses.
  • negate_source (bool) – Negate the source addresses.
  • source_users (list) – The source users.
  • source_hip (list) – (PAN-OS 10.0+) The source HIP info.
  • destination_zones (list) – The destination zones.
  • destination_addresses (list) – The destination addresses.
  • negate_destination (bool) – Negate the destination addresses.
  • destination_hip (list) – The destination HIP info.
  • tags (list) – The administrative tags.
  • disabled (bool) – If the rule is disabled or not.
  • services (list) – Services.
  • url_categories (list) – URL categories.
  • action (str) – The action. Valid values are “no-decrypt” (default), “decrypt”, or “decrypt-and-forward” (PAN-OS 8.1+).
  • decryption_type (str) – The decryption type. Valid values are “ssl-forward-proxy”, “ssh-proxy”, or “ssl-inbound-inspection”.
  • ssl_certificate (str) – The SSL cert.
  • decryption_profile (str) – The decryption profile.
  • forwarding_profile (str) – (PAN-OS 8.1+) The forwarding profile.
  • group_tag (str) – (PAN-OS 9.0+) The group tag.
  • log_successful_tls_handshakes (bool) – (PAN-OS 10.0+) Log successful TLS handshakes.
  • log_failed_tls_handshakes (bool) – (PAN-OS 10.0+) Log failed TLS handshakes.
  • log_setting (str) – (PAN-OS 10.0+) Log setting.
  • negate_target (bool) – Target all but the listed target firewalls (applies to panorama/device groups only)
  • target (list) – Apply this policy to the listed firewalls only (applies to panorama/device groups only)
class panos.policies.HitCount(obj, *args, **kwargs)[source]

Hit count operational data.

class panos.policies.NatRule(*args, **kwargs)[source]

NAT Rule

Both the naming convention and the order of the parameters tries to closly match what is presented in the GUI.

There are groupings of parameters that give hints to the sections that they contribute towards:

  • source_translation_<etc>
  • source_translation_fallback_<etc>
  • source_translation_static_<etc>
  • destination_translation_<etc>
Parameters:
  • name (str) – Name of the rule
  • description (str) – The description
  • nat_type (str) – Type of NAT
  • fromzone (list) – From zones
  • tozone (list) – To zones
  • to_interface (str) – Egress interface from route lookup
  • service (str) – The service
  • source (list) – Source addresses
  • destination (list) – Destination addresses
  • source_translation_type (str) – Type of source address translation
  • source_translation_address_type (str) – Address type for Dynamic IP And Port or Dynamic IP source translation types
  • source_translation_interface (str) – Interface of the source address translation for Dynamic IP and Port source translation types
  • source_translation_ip_address (str) – IP address of the source address translation for Dynamic IP and Port source translation types
  • source_translation_translated_addresses (list) – Translated addresses of the source address translation for Dynamic IP And Port or Dynamic IP source translation types
  • source_translation_fallback_type (str) – Type of fallback for Dynamic IP source translation types
  • source_translation_fallback_translated_addresses (list) – Addresses for translated address types of fallback source translation
  • source_translation_fallback_interface (str) – The interface for the fallback source translation
  • source_translation_fallback_ip_type (str) – The type of the IP address for the fallback source translation IP address
  • source_translation_fallback_ip_address (str) – The IP address of the fallback source translation
  • source_translation_static_translated_address (str) – The IP address for the static source translation
  • source_translation_static_bi_directional (bool) – Allow reverse translation from translated address to original address
  • destination_translated_address (str) – Translated destination IP address
  • destination_translated_port (int) – Translated destination port number
  • ha_binding (str) – Device binding configuration in HA Active-Active mode
  • disabled (bool) – Disable this rule
  • negate_target (bool) – Target all but the listed target firewalls (applies to panorama/device groups only)
  • target (list) – Apply this policy to the listed firewalls only (applies to panorama/device groups only)
  • tag (list) – Administrative tags
  • destination_dynamic_translated_address (str) – (PAN-OS 8.1+) Dynamic destination translated address.
  • destination_dynamic_translated_port (int) – (PAN-OS 8.1+) Dynamic destination translated port.
  • destination_dynamic_translated_distribution (str) – (PAN-OS 8.1+) Dynamic destination translated distribution.
  • uuid (str) – (PAN-OS 9.0+) The UUID for this rule.
  • group_tag (str) – (PAN-OS 9.0+) The group tag.
class panos.policies.PolicyBasedForwarding(*args, **kwargs)[source]

PBF rule.

Parameters:
  • name (str) – The name
  • description (str) – The descripton
  • tags (str/list) – List of tags
  • from_type (str) – Source from type. Valid values are ‘zone’ (default) or ‘interface’.
  • from_value (str/list) – The source values for the given type.
  • source_addresses (str/list) – List of source IP addresses.
  • source_users (str/list) – List of source users.
  • negate_source (bool) – Set to negate the source.
  • destination_addresses (str/list) – List of destination addresses.
  • negate_destination (bool) – Set to negate the destination.
  • applications (str/list) – List of applications.
  • services (str/list) – List of services.
  • schedule (str) – The schedule.
  • disabled (bool) – Set to disable this rule.
  • action (str) – The action to take. Valid values are ‘forward’ (default), ‘forward-to-vsys’, ‘discard’, or ‘no-pbf’.
  • forward_vsys (str) – The vsys to forward to if action is set to forward to a vsys.
  • forward_egress_interface (str) – The egress interface.
  • forward_next_hop_type (str) – The next hop type. Valid values are ‘ip-address’, ‘fqdn’, or None (default).
  • forward_next_hop_value (str) – The next hop value if the forward next hop type is not None.
  • forward_monitor_profile (str) – The monitor profile to use.
  • forward_monitor_ip_address (str) – The monitor IP address.
  • forward_monitor_disable_if_unreachable (bool) – Set to disable this rule if nexthop / monitor IP is unreachable.
  • enable_enforce_symmetric_return (bool) – Set to enforce symmetric return.
  • symmetric_return_addresses (str/list) – List of symmetric return addresses.
  • active_active_device_binding (str) – Active/Active device binding.
  • target (list) – Apply this policy to the listed firewalls only (applies to panorama/device groups only)
  • negate_target (bool) – Target all but the listed target firewalls (applies to panorama/device groups only)
  • uuid (str) – (PAN-OS 9.0+) The UUID for this rule.
  • group_tag (str) – (PAN-OS 9.0+) The group tag.
class panos.policies.PostRulebase(*args, **kwargs)[source]

Post-rulebase for a Panorama

Panorama only. For Firewall, use panos.policies.Rulebase.

class panos.policies.PreRulebase(*args, **kwargs)[source]

Pre-rulebase for a Panorama

Panorama only. For Firewall, use panos.policies.Rulebase.

class panos.policies.RuleAuditComment(obj, *args, **kwargs)[source]

Operational state handling for a rule’s audit comments.

Note: Audit comments are present in PAN-OS 9.0+.

current()[source]

Returns the current audit comment.

Returns:string
history(count=100, direction='backward', skip=None)[source]

Returns a chunk of historical audit comment logs.

Parameters:
  • count (int) – Number of audit comments to return, maximum 5000.
  • direction (str) – Specify whether logs are shown oldest first (forward) or newest first (backward).
  • skip (int) – Specify the number of logs to skip when doing log retrieval. This is useful when retrieving logs in batches where you can skip the previously retrieved logs.
Returns:

list of panos.policies.AuditCommentLog
update(comment)[source]

Sets an audit comment for the given rule.

Parameters:comment (str) – The audit comment.
class panos.policies.Rulebase(*args, **kwargs)[source]

Rulebase for a Firewall

Firewall only. For Panorama, use panos.policies.PreRulebase or panos.policies.PostRulebase.

class panos.policies.RulebaseHitCount(obj, *args, **kwargs)[source]

Operational state handling for rulebase hit counts.

refresh(style, rules=None, all_rules=False)[source]

Retrieves hit count information for the specified rules.

PAN-OS 8.1+

Parameters:
  • style (str) – The rule style to use. The style can be “application-override”, “authentication”, “decryption”, “dos”, “nat”, “pbf”, “qos”, “sdwan”, “security”, or “tunnel-inspect”.
  • rules (list) – A list of rules. This can be a mix of panos.policies instances or basic strings. If no rules are given, then the hit count for all rules is retrieved.
  • all_rules (bool) – If this is False, only retrieve hit count information for the rules attached to the rulebase of the specified style. If this is True, then get all rules. Either way, any rule whose hit count is retrieved and is in the object hierarchy has the hit count data saved to its opstate.
Returns:

A dict where the key is the rule name and the value is the hit count information.
Return type:

dict
class panos.policies.SecurityRule(*args, **kwargs)[source]

Security Rule

Parameters:
  • name (str) – Name of the rule
  • fromzone (list) – From zones
  • tozone (list) – To zones
  • source (list) – Source addresses
  • source_user (list) – Source users and groups
  • hip_profiles (list) – (PAN-OS 10.0.0-) GlobalProtect host integrity profiles
  • destination (list) – Destination addresses
  • application (list) – Applications
  • service (list) – Destination services (ports) (Default: application-default)
  • category (list) – Destination URL Categories
  • action (str) – Action to take (deny, allow, drop, reset-client, reset-server, reset-both) Note: Not all options are available on all PAN-OS versions.
  • log_setting (str) – Log forwarding profile
  • log_start (bool) – Log at session start
  • log_end (bool) – Log at session end
  • description (str) – Description of this rule
  • type (str) – ‘universal’, ‘intrazone’, or ‘intrazone’ (Default: universal)
  • tag (list) – Administrative tags
  • negate_source (bool) – Match on the reverse of the ‘source’ attribute
  • negate_destination (bool) – Match on the reverse of the ‘destination’ attribute
  • disabled (bool) – Disable this rule
  • schedule (str) – Schedule Profile
  • icmp_unreachable (bool) – Send ICMP Unreachable
  • disable_server_response_inspection (bool) – Disable server response inspection
  • group (str) – Security Profile Group
  • negate_target (bool) – Target all but the listed target firewalls (applies to panorama/device groups only)
  • target (list) – Apply this policy to the listed firewalls only (applies to panorama/device groups only)
  • virus (str) – Antivirus Security Profile
  • spyware (str) – Anti-Spyware Security Profile
  • vulnerability (str) – Vulnerability Protection Security Profile
  • url_filtering (str) – URL Filtering Security Profile
  • file_blocking (str) – File Blocking Security Profile
  • wildfire_analysis (str) – Wildfire Analysis Security Profile
  • data_filtering (str) – Data Filtering Security Profile
  • uuid (str) – (PAN-OS 9.0+) The UUID for this rule.
  • source_devices (list) – (PAN-OS 10.0+) Host devices subject to the policy.
  • destination_devices (list) – (PAN-OS 10.0+) Destination devices subject to the policy.
  • group_tag (str) – (PAN-OS 9.0+) The group tag.