Module: policies
Inheritance diagram
Configuration tree diagram
Class Reference
The policies module contains the policies and rules found under the ‘Policies’ tab of the firewall GUI.
- class panos.policies.ApplicationOverride(*args, **kwargs)[source]
- Parameters:
name (str) – Name of the rule
fromzone (list) – From zones
tozone (list) – To zones
source (list) – Source addresses
destination (list) – Destination addresses
application (str) – Applications
description (str) – Description of this rule
tag (list) – Administrative tags
negate_source (bool) – Match on the reverse of the ‘source’ attribute
negate_destination (bool) – Match on the reverse of the ‘destination’ attribute
disabled (bool) – Disable this rule
negate_target (bool) – Target all but the listed target firewalls (applies to panorama/device groups only)
target (list) – Apply this policy to the listed firewalls only (applies to panorama/device groups only)
port (str) – Destination port
protocol (str) – Protocol used
group_tag (str) – (PAN-OS 9.0+) The group tag.
- class panos.policies.AuthenticationRule(*args, **kwargs)[source]
Authentication Rule
Both the naming convention and the order of the parameters try to closely match what is presented in the GUI.
- Parameters:
name (str) – The name
description (str) – The description
uuid (str) – (PAN-OS 9.0+) The UUID for this rule.
source_zones (list) – The source zones.
source_addresses (list) – The source addresses.
negate_source (bool) – Negate the source addresses.
destination_zones (list) – The destination zones.
destination_addresses (list) – The destination addresses.
negate_destination (bool) – Negate the destination addresses.
tag (list) – Administrative tags
disabled (bool) – Disable this rule
service (str) – The service
source_hip (list) – (PAN-OS 10.0+) The source HIP info.
source_users (list) – The source users.
url_categories (list) – URL categories.
group_tag (str) – (PAN-OS 9.0+) The group tag.
authentication_enforcement (str) – The authentication enforcement object.
timeout (str) – The authentication timeout.
negate_target (bool) – Target all but the listed target firewalls, (applies to panorama/device groups only)
target (list) – Apply this policy to the listed firewalls only, (applies to panorama/device groups only)
log_setting (str) – (PAN-OS 10.0+) Log setting.
log_authentication_timeout (bool) – Whether the rule logs authentication timeouts or not.
- class panos.policies.DecryptionRule(*args, **kwargs)[source]
Decryption rule.
PAN-OS 7.0+
- Parameters:
name (str) – The name
description (str) – The description
uuid (str) – (PAN-OS 9.0+) The UUID for this rule.
source_zones (list) – The source zones.
source_addresses (list) – The source addresses.
negate_source (bool) – Negate the source addresses.
source_users (list) – The source users.
source_hip (list) – (PAN-OS 10.0+) The source HIP info.
destination_zones (list) – The destination zones.
destination_addresses (list) – The destination addresses.
negate_destination (bool) – Negate the destination addresses.
destination_hip (list) – The destination HIP info.
tags (list) – The administrative tags.
disabled (bool) – If the rule is disabled or not.
services (list) – Services.
url_categories (list) – URL categories.
action (str) – The action. Valid values are “no-decrypt” (default), “decrypt”, or “decrypt-and-forward” (PAN-OS 8.1+).
decryption_type (str) – The decryption type. Valid values are “ssl-forward-proxy”, “ssh-proxy”, or “ssl-inbound-inspection”.
ssl_certificate (str) – The SSL cert.
decryption_profile (str) – The decryption profile.
forwarding_profile (str) – (PAN-OS 8.1+) The forwarding profile.
group_tag (str) – (PAN-OS 9.0+) The group tag.
log_successful_tls_handshakes (bool) – (PAN-OS 10.0+) Log successful TLS handshakes.
log_failed_tls_handshakes (bool) – (PAN-OS 10.0+) Log failed TLS handshakes.
log_setting (str) – (PAN-OS 10.0+) Log setting.
negate_target (bool) – Target all but the listed target firewalls (applies to panorama/device groups only)
target (list) – Apply this policy to the listed firewalls only (applies to panorama/device groups only)
- class panos.policies.NatRule(*args, **kwargs)[source]
NAT Rule
Both the naming convention and the order of the parameters try to closely match what is presented in the GUI.
Parameter names are grouped by prefix as a hint to the GUI section they contribute to:
source_translation_<etc>
source_translation_fallback_<etc>
source_translation_static_<etc>
destination_translation_<etc>
- Parameters:
name (str) – Name of the rule
description (str) – The description
nat_type (str) – Type of NAT
fromzone (list) – From zones
tozone (list) – To zones
to_interface (str) – Egress interface from route lookup
service (str) – The service
source (list) – Source addresses
destination (list) – Destination addresses
source_translation_type (str) – Type of source address translation
source_translation_address_type (str) – Address type for Dynamic IP And Port or Dynamic IP source translation types
source_translation_interface (str) – Interface of the source address translation for Dynamic IP and Port source translation types
source_translation_ip_address (str) – IP address of the source address translation for Dynamic IP and Port source translation types
source_translation_translated_addresses (list) – Translated addresses of the source address translation for Dynamic IP And Port or Dynamic IP source translation types
source_translation_fallback_type (str) – Type of fallback for Dynamic IP source translation types
source_translation_fallback_translated_addresses (list) – Addresses for translated address types of fallback source translation
source_translation_fallback_interface (str) – The interface for the fallback source translation
source_translation_fallback_ip_type (str) – The type of the IP address for the fallback source translation IP address
source_translation_fallback_ip_address (str) – The IP address of the fallback source translation
source_translation_static_translated_address (str) – The IP address for the static source translation
source_translation_static_bi_directional (bool) – Allow reverse translation from translated address to original address
destination_translated_address (str) – Translated destination IP address
destination_translated_port (int) – Translated destination port number
ha_binding (str) – Device binding configuration in HA Active-Active mode
disabled (bool) – Disable this rule
negate_target (bool) – Target all but the listed target firewalls (applies to panorama/device groups only)
target (list) – Apply this policy to the listed firewalls only (applies to panorama/device groups only)
tag (list) – Administrative tags
destination_dynamic_translated_address (str) – (PAN-OS 8.1+) Dynamic destination translated address.
destination_dynamic_translated_port (int) – (PAN-OS 8.1+) Dynamic destination translated port.
destination_dynamic_translated_distribution (str) – (PAN-OS 8.1+) Dynamic destination translated distribution.
uuid (str) – (PAN-OS 9.0+) The UUID for this rule.
group_tag (str) – (PAN-OS 9.0+) The group tag.
- class panos.policies.PolicyBasedForwarding(*args, **kwargs)[source]
PBF rule.
- Parameters:
name (str) – The name
description (str) – The description
tags (str/list) – List of tags
from_type (str) – Source from type. Valid values are ‘zone’ (default) or ‘interface’.
from_value (str/list) – The source values for the given type.
source_addresses (str/list) – List of source IP addresses.
source_users (str/list) – List of source users.
negate_source (bool) – Set to negate the source.
destination_addresses (str/list) – List of destination addresses.
negate_destination (bool) – Set to negate the destination.
applications (str/list) – List of applications.
services (str/list) – List of services.
schedule (str) – The schedule.
disabled (bool) – Set to disable this rule.
action (str) – The action to take. Valid values are ‘forward’ (default), ‘forward-to-vsys’, ‘discard’, or ‘no-pbf’.
forward_vsys (str) – The vsys to forward to if action is set to forward to a vsys.
forward_egress_interface (str) – The egress interface.
forward_next_hop_type (str) – The next hop type. Valid values are ‘ip-address’, ‘fqdn’, or None (default).
forward_next_hop_value (str) – The next hop value if the forward next hop type is not None.
forward_monitor_profile (str) – The monitor profile to use.
forward_monitor_ip_address (str) – The monitor IP address.
forward_monitor_disable_if_unreachable (bool) – Set to disable this rule if nexthop / monitor IP is unreachable.
enable_enforce_symmetric_return (bool) – Set to enforce symmetric return.
symmetric_return_addresses (str/list) – List of symmetric return addresses.
active_active_device_binding (str) – Active/Active device binding.
target (list) – Apply this policy to the listed firewalls only (applies to panorama/device groups only)
negate_target (bool) – Target all but the listed target firewalls (applies to panorama/device groups only)
uuid (str) – (PAN-OS 9.0+) The UUID for this rule.
group_tag (str) – (PAN-OS 9.0+) The group tag.
- class panos.policies.PostRulebase(*args, **kwargs)[source]
Post-rulebase for a Panorama
Panorama only. For Firewall, use panos.policies.Rulebase.
- class panos.policies.PreRulebase(*args, **kwargs)[source]
Pre-rulebase for a Panorama
Panorama only. For Firewall, use panos.policies.Rulebase.
- class panos.policies.RuleAuditComment(obj, *args, **kwargs)[source]
Operational state handling for a rule’s audit comments.
Note: Audit comments are present in PAN-OS 9.0+.
- history(count=100, direction='backward', skip=None)[source]
Returns a chunk of historical audit comment logs.
- Parameters:
count (int) – Number of audit comments to return, maximum 5000.
direction (str) – Specify whether logs are shown oldest first (forward) or newest first (backward).
skip (int) – Specify the number of logs to skip when doing log retrieval. This is useful when retrieving logs in batches where you can skip the previously retrieved logs.
- Returns:
list of panos.policies.AuditCommentLog
- class panos.policies.Rulebase(*args, **kwargs)[source]
Rulebase for a Firewall
Firewall only. For Panorama, use panos.policies.PreRulebase or panos.policies.PostRulebase.
- class panos.policies.RulebaseHitCount(obj, *args, **kwargs)[source]
Operational state handling for rulebase hit counts.
- refresh(style, rules=None, all_rules=False)[source]
Retrieves hit count information for the specified rules.
PAN-OS 8.1+
- Parameters:
style (str) – The rule style to use. The style can be “application-override”, “authentication”, “decryption”, “dos”, “nat”, “pbf”, “qos”, “sdwan”, “security”, or “tunnel-inspect”.
rules (list) – A list of rules. This can be a mix of panos.policies instances or basic strings. If no rules are given, then the hit count for all rules is retrieved.
all_rules (bool) – If this is False, only retrieve hit count information for the rules attached to the rulebase of the specified style. If this is True, then get all rules. Either way, any rule whose hit count is retrieved and is in the object hierarchy has the hit count data saved to its opstate.
- Returns:
A dict where the key is the rule name and the value is the hit count information.
- Return type:
dict
- class panos.policies.SecurityRule(*args, **kwargs)[source]
Security Rule
- Parameters:
name (str) – Name of the rule
fromzone (list) – From zones
tozone (list) – To zones
source (list) – Source addresses
source_user (list) – Source users and groups
hip_profiles (list) – (PAN-OS 10.0.0-, i.e. releases before 10.0) GlobalProtect host integrity profiles
destination (list) – Destination addresses
application (list) – Applications
service (list) – Destination services (ports) (Default: application-default)
category (list) – Destination URL Categories
action (str) – Action to take (deny, allow, drop, reset-client, reset-server, reset-both) Note: Not all options are available on all PAN-OS versions.
log_setting (str) – Log forwarding profile
log_start (bool) – Log at session start
log_end (bool) – Log at session end
description (str) – Description of this rule
type (str) – ‘universal’, ‘intrazone’, or ‘interzone’ (Default: universal)
tag (list) – Administrative tags
negate_source (bool) – Match on the reverse of the ‘source’ attribute
negate_destination (bool) – Match on the reverse of the ‘destination’ attribute
disabled (bool) – Disable this rule
schedule (str) – Schedule Profile
icmp_unreachable (bool) – Send ICMP Unreachable
disable_server_response_inspection (bool) – Disable server response inspection
group (str) – Security Profile Group
negate_target (bool) – Target all but the listed target firewalls (applies to panorama/device groups only)
target (list) – Apply this policy to the listed firewalls only (applies to panorama/device groups only)
virus (str) – Antivirus Security Profile
spyware (str) – Anti-Spyware Security Profile
vulnerability (str) – Vulnerability Protection Security Profile
url_filtering (str) – URL Filtering Security Profile
file_blocking (str) – File Blocking Security Profile
wildfire_analysis (str) – Wildfire Analysis Security Profile
data_filtering (str) – Data Filtering Security Profile
uuid (str) – (PAN-OS 9.0+) The UUID for this rule.
source_devices (list) – (PAN-OS 10.0+) Host devices subject to the policy.
destination_devices (list) – (PAN-OS 10.0+) Destination devices subject to the policy.
group_tag (str) – (PAN-OS 9.0+) The group tag.
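The parameters above are also what a reviewer checks when auditing a rulebase. The added example below (not pan-os-python code) runs four hygiene checks using the SecurityRule parameter names on this page: an allow rule with any/any/any source, destination and application; an allow rule without log_end; an allow rule with neither a security profile group nor individual profiles; and a rule shadowed by an earlier enabled rule whose match fields are supersets of its own. Rules are constructed SimpleNamespace objects so the block runs without a firewall; because the checks use only attribute access, the same functions accept pan-os-python SecurityRule objects, whose parameters are attributes of the same names. Rule names, zones and addresses are invented sample data.

```python
"""Hygiene checks over security rules expressed with the SecurityRule parameter names.
Constructed example: rules are SimpleNamespace objects, but only attribute access is
used, so pan-os-python SecurityRule instances can be passed in unchanged."""
from types import SimpleNamespace

ANY = ["any"]
# Match criteria deciding which sessions a rule applies to (each defaults to "any").
MATCH_FIELDS = ("fromzone", "tozone", "source", "source_user", "destination",
                "application", "service", "category")
# A profile group or individual profiles give an allow rule threat inspection.
PROFILE_FIELDS = ("group", "virus", "spyware", "vulnerability", "url_filtering",
                  "file_blocking", "wildfire_analysis", "data_filtering")


def _get(rule, name, default=None):
    """Attribute lookup treating a missing or None value as the default."""
    value = getattr(rule, name, None)
    return default if value is None else value


def _members(rule, name):
    """Normalise a match field to a list of members."""
    value = _get(rule, name, ANY)
    return [value] if isinstance(value, str) else list(value)


def _is_any(members):
    return "any" in members


def _negated(rule):
    return bool(_get(rule, "negate_source", False) or _get(rule, "negate_destination", False))


def covers(outer, inner):
    """True when every match field of `outer` is a superset of `inner`'s, i.e. an
    earlier `outer` rule already matches all traffic `inner` was written for."""
    outer_type = _get(outer, "type", "universal")
    if outer_type != "universal" and outer_type != _get(inner, "type", "universal"):
        return False
    for name in MATCH_FIELDS:
        o, i = _members(outer, name), _members(inner, name)
        if not _is_any(o) and not set(i) <= set(o):
            return False
    return True


def audit(rules):
    """Return {rule name: [finding, ...]} for rules given in evaluation order."""
    findings = {}
    for idx, rule in enumerate(rules):
        out = []
        allow = _get(rule, "action", "allow") == "allow"
        if _get(rule, "disabled", False):
            out.append("disabled")
        # any/any/any allow matches everything; usually a troubleshooting leftover
        if allow and not _negated(rule) and all(
                _is_any(_members(rule, f)) for f in ("source", "destination", "application")):
            out.append("permissive")
        # Allowed sessions that never reach the traffic log cannot be investigated
        if allow and not _get(rule, "log_end", True):
            out.append("unlogged")
        # Allowed traffic with no profile group and no profiles gets no inspection
        if allow and not any(_get(rule, f) for f in PROFILE_FIELDS):
            out.append("no-profiles")
        # Shadowing: an earlier enabled, non-negated rule already matches all of this one
        if not _negated(rule):
            for earlier in rules[:idx]:
                if _get(earlier, "disabled", False) or _negated(earlier):
                    continue
                if covers(earlier, rule):
                    out.append("shadowed-by:" + _get(earlier, "name", "?"))
                    break
        findings[_get(rule, "name", "?")] = out
    return findings


SAMPLE_RULES = [  # constructed sample, listed in evaluation order
    SimpleNamespace(name="allow-web-out", fromzone=["trust"], tozone=["untrust"],
                    application=["web-browsing", "ssl"], action="allow",
                    log_end=True, group="default-profiles"),
    SimpleNamespace(name="deny-malware-sites", fromzone=["trust"], tozone=["untrust"],
                    service=["any"], category=["malware"], action="deny"),
    SimpleNamespace(name="legacy-any-any", fromzone=["any"], tozone=["any"],
                    service=["any"], action="allow", log_end=False),
    SimpleNamespace(name="dev-ssh", fromzone=["trust"], tozone=["dmz"],
                    source=["10.1.0.0/16"], destination=["dmz-servers"],
                    application=["ssh"], action="allow", vulnerability="strict"),
]

if __name__ == "__main__":
    for name, problems in audit(SAMPLE_RULES).items():
        print(f"{name:20s} {', '.join(problems) or 'ok'}")
```

On the sample, legacy-any-any is flagged as permissive, unlogged and unprotected, and dev-ssh as shadowed by it: the later, tighter rule never matches while the broad one sits above it. The shadow check is deliberately conservative, skipping rules that use negate_source or negate_destination rather than reasoning about complements.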