Source code for panos.network

#!/usr/bin/env python

# Copyright (c) 2014, Palo Alto Networks
#
# Permission to use, copy, modify, and/or distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.


"""Network module contains objects that exist in the 'Network' tab in the firewall GUI"""

import logging
import re
import xml.etree.ElementTree as ET

import panos
import panos.errors as err
from panos import device, getlogger, string_or_list
from panos.base import ENTRY, MEMBER, PanObject, Root
from panos.base import VarPath as Var
from panos.base import VersionedPanObject, VersionedParamPath, VsysOperations

logger = getlogger(__name__)


[docs]def interface(name, *args, **kwargs): """Interface object factory Creates an interface object of type determined by the name of the interface. Args: name (str): Name of the interface to create (eg. ethernet1/1.5) mode (str): Mode of the interface. Possible values: layer3, layer2, virtual-wire, tap, ha, aggregate-group. Default: None Keyword Args: tag (int): Tag for the interface, aka vlan id Returns: Interface: An instantiated subclass of :class:`panos.network.Interface` """ name = str(name) if name.startswith("ethernet") and "." not in name: return EthernetInterface(name, *args, **kwargs) elif name.startswith("ae") and "." not in name: return AggregateInterface(name, *args, **kwargs) elif name.startswith("ethernet") or name.startswith("ae"): # Subinterface # Get mode from args args = string_or_list(args) if len(args) > 0: mode = args[0] del args[0] else: mode = kwargs.pop("mode", None) # Get tag from kwargs tag = kwargs.get("tag", None) if tag is None: # Determine tag from name tag = name.split(".")[-1] kwargs["tag"] = tag if mode == "layer3": return Layer3Subinterface(name, *args, **kwargs) elif mode == "layer2": return Layer2Subinterface(name, *args, **kwargs) else: return AbstractSubinterface(name, *args, **kwargs) elif name.startswith("vlan"): return VlanInterface(name, *args, **kwargs) elif name.startswith("loopback"): return LoopbackInterface(name, *args, **kwargs) elif name.startswith("tunnel"): return TunnelInterface(name, *args, **kwargs) else: raise err.PanDeviceError("Can't identify interface type from name: %s" % name)
[docs]class Zone(VersionedPanObject): """Security zone Args: name (str): Name of the zone mode (str): The mode of the security zone. Must match the mode of the interface. Possible values: tap, virtual-wire, layer2, layer3, external interface (list): List of interface names or instantiated subclasses of :class:`panos.network.Interface`. zone_profile (str): Zone protection profile log_setting (str): Log forwarding setting enable_user_identification (bool): If user identification is enabled include_acl (list/str): User identification ACL include list exclude_acl (list/str): User identification ACL exclude list enable_packet_buffer_protection (bool): (PAN-OS 8.0+) Enable packet buffer protection enable_device_identification (bool): (PAN-OS 10.0+) Enable device identification device_include_acl (list): (PAN-OS 10.0+) Device include ACLs list device_exclude_acl (list): (PAN-OS 10.0+) Device exclude ACLs list """ ROOT = Root.VSYS SUFFIX = ENTRY def _setup(self): # xpaths self._xpaths.add_profile(value="/zone") self._xpaths.add_profile( value="{0}/zone".format(self._TEMPLATE_VSYS_XPATH), parents=("Template", "TemplateStack"), ) # params params = [] params.append( VersionedParamPath( "mode", default="layer3", path="network/{mode}", values=["tap", "virtual-wire", "layer2", "layer3", "external"], ) ) params.append( VersionedParamPath("interface", path="network/{mode}", vartype="member") ) params.append( VersionedParamPath("zone_profile", path="network/zone-protection-profile") ) params.append(VersionedParamPath("log_setting", path="network/log-setting")) params.append( VersionedParamPath( "enable_user_identification", vartype="yesno", path="enable-user-identification", ) ) params.append( VersionedParamPath( "include_acl", vartype="member", path="user-acl/include-list" ) ) params.append( VersionedParamPath( "exclude_acl", vartype="member", path="user-acl/exclude-list" ) ) params.append( VersionedParamPath("enable_packet_buffer_protection", exclude=True,) ) params[-1].add_profile( "8.0.0", path="network/enable-packet-buffer-protection", vartype="yesno", ) params.append(VersionedParamPath("enable_device_identification", exclude=True,)) params[-1].add_profile( "10.0.0", path="enable-device-identification", vartype="yesno", ) params.append(VersionedParamPath("device_include_acl", exclude=True,)) params[-1].add_profile( "10.0.0", path="device-acl/include-list", vartype="member", ) params.append(VersionedParamPath("device_exclude_acl", exclude=True,)) params[-1].add_profile( "10.0.0", path="device-acl/exclude-acl", vartype="member", ) self._params = tuple(params)
[docs]class StaticMac(VersionedPanObject): """Static MAC address for a Vlan Can be added to a :class:`panos.network.Vlan` object Args: mac (str): The MAC address interface (str): Name of an interface """ SUFFIX = ENTRY NAME = "mac" def _setup(self): # xpaths self._xpaths.add_profile(value="/mac") # params params = [] params.append(VersionedParamPath("interface", path="interface")) self._params = tuple(params)
[docs]class Vlan(VsysOperations): """Vlan Args: name (str): The name interface (list): List of interface names virtual_interface (VlanInterface): The layer3 vlan interface for this vlan """ SUFFIX = ENTRY ROOT = Root.DEVICE CHILDTYPES = ("network.StaticMac",) def _setup(self): # xpaths self._xpaths.add_profile(value="/network/vlan") self._xpaths.add_profile( value="{0}/network/vlan".format(self._TEMPLATE_DEVICE_XPATH), parents=("Template", "TemplateStack"), ) # xpath_imports self._xpath_imports.add_profile(value="/network/vlan") # params params = [] params.append( VersionedParamPath("interface", vartype="member", path="interface") ) params.append( VersionedParamPath("virtual_interface", path="virtual-interface/interface") ) self._params = tuple(params)
[docs]class IPv6Address(VersionedPanObject): """IPv6 Address Can be added to any :class:`panos.network.Interface` subclass that supports IPv6. Args: address (str): The IPv6 address enable_on_interface (bool): Enabled IPv6 on the interface this object was added to prefix (bool): Use interface ID as host portion anycast (bool): Enable anycast advertise_enabled (bool): Enabled router advertisements valid_lifetime (int): Valid lifetime preferred_lifetime (int): Preferred lifetime onlink_flag (bool): auto_config_flag (bool): """ SUFFIX = ENTRY NAME = "address" def _setup(self): # xpaths # Non-mode interface xpaths self._xpaths.add_profile(value="/ipv6/address") # Mode interface xpaths (mode: layer3) self._xpaths.add_profile( value="/layer3/ipv6/address", parents=("EthernetInterface", "AggregateInterface"), ) # params params = [] params.append( VersionedParamPath( "enable_on_interface", vartype="yesno", path="enable-on-interface" ) ) params.append(VersionedParamPath("prefix", vartype="exist", path="prefix")) params.append(VersionedParamPath("anycast", vartype="exist", path="anycast")) params.append( VersionedParamPath( "advertise_enabled", vartype="yesno", path="advertise/enable" ) ) params.append( VersionedParamPath( "valid_lifetime", vartype="int", path="advertise/valid-lifetime" ) ) params.append( VersionedParamPath( "preferred_lifetime", vartype="int", path="advertise/preferred-lifetime" ) ) params.append( VersionedParamPath( "onlink_flag", vartype="yesno", path="advertise/onlink-flag" ) ) params.append( VersionedParamPath( "auto_config_flag", vartype="yesno", path="advertise/auto-config-flag" ) ) self._params = tuple(params)
[docs]class Interface(VsysOperations): """Base class for all interfaces Do not instantiate this object. Use a subclass. Methods in this class are available to all interface subclasses. Args: name (str): Name of the interface state (str): Link state, 'up' or 'down' """ SUFFIX = ENTRY ROOT = Root.DEVICE DEFAULT_MODE = None ALLOW_SET_VLAN = False ALWAYS_IMPORT = True
[docs] def up(self): """Link state of interface Returns: bool: True if state is 'up', False if state is 'down', 'unconfigured' or other """ return self.state == "up"
[docs] def set_zone( self, zone_name, mode=None, refresh=False, update=False, running_config=False, return_type="object", ): """Set the zone for this interface Creates a reference to this interface in the specified zone and removes references to this interface from all other zones. The zone will be created if it doesn't exist. Args: zone_name (str): The name of the Zone or a :class:`panos.network.Zone` instance mode (str): The mode of the zone. See :class:`panos.network.Zone` for possible values refresh (bool): Refresh the relevant current state of the device before taking action (Default: False) update (bool): Apply the changes to the device (Default: False) running_config: If refresh is True, refresh from the running configuration (Default: False) return_type (str): Specify what this function returns, can be either 'object' (the default) or 'bool'. If this is 'object', then the return value is the Zone in question. If this is 'bool', then the return value is a boolean that tells you about if the live device needs updates (update=False) or was updated (update=True). Returns: Zone: The zone for this interface after the operation completes """ if mode is None: mode = self.DEFAULT_MODE elif self.vsys == "shared": return False return self._set_reference( zone_name, Zone, "interface", "list", True, refresh, update, running_config, return_type, False, mode=mode, )
[docs] def set_virtual_router( self, virtual_router_name, refresh=False, update=False, running_config=False, return_type="object", ): """Set the virtual router for this interface Creates a reference to this interface in the specified virtual router and removes references to this interface from all other virtual routers. The virtual router will be created if it doesn't exist. Args: virtual_router_name (str): The name of the VirtualRouter or a :class:`panos.network.VirtualRouter` instance refresh (bool): Refresh the relevant current state of the device before taking action (Default: False) update (bool): Apply the changes to the device (Default: False) running_config: If refresh is True, refresh from the running configuration (Default: False) return_type (str): Specify what this function returns, can be either 'object' (the default) or 'bool'. If this is 'object', then the return value is the VirtualRouter in question. If this is 'bool', then the return value is a boolean that tells you about if the live device needs updates (update=False) or was updated (update=True). Returns: Zone: The zone for this interface after the operation completes """ # Don't add HA or aggregate-group interfaces to virtual router. if getattr(self, "mode", "") in ("ha", "aggregate-group"): return False return self._set_reference( virtual_router_name, VirtualRouter, "interface", "list", True, refresh, update, running_config, return_type, False, )
[docs] def set_vlan( self, vlan_name, refresh=False, update=False, running_config=False, return_type="object", ): """Set the vlan for this interface Creates a reference to this interface in the specified vlan and removes references to this interface from all other interfaces. The vlan will be created if it doesn't exist. Args: vlan_name (str): The name of the vlan or a :class:`panos.network.Vlan` instance refresh (bool): Refresh the relevant current state of the device before taking action (Default: False) update (bool): Apply the changes to the device (Default: False) running_config: If refresh is True, refresh from the running configuration (Default: False) return_type (str): Specify what this function returns, can be either 'object' (the default) or 'bool'. If this is 'object', then the return value is the Vlan in question. If this is 'bool', then the return value is a boolean that tells you about if the live device needs updates (update=False) or was updated (update=True). Raises: AttributeError: if this class is not allowed to use this function. Returns: Vlan: The VLAN for this interface after the operation completes """ if not self.ALLOW_SET_VLAN: msg = 'Class "{0}" cannot invoke this function' raise AttributeError(msg.format(self.__class__)) return self._set_reference( vlan_name, Vlan, "interface", "list", True, refresh, update, running_config, return_type, False, )
[docs] def get_counters(self): """Pull the counters for an interface Returns: dict: counter name as key, counter as value, None if interface is not configured """ from pan.config import PanConfig device = self.nearest_pandevice() cmd = 'show counter interface "{0}"'.format(self.name) pconf = device.op(cmd) pconf = PanConfig(pconf) response = pconf.python() logger.debug("response: " + str(response)) counters = response["response"]["result"] if counters is not None: entry = {} # Check for entry in ifnet if "entry" in counters.get("ifnet", {}): entry = counters["ifnet"]["entry"][0] elif "ifnet" in counters.get("ifnet", {}): if "entry" in counters["ifnet"].get("ifnet", {}): entry = counters["ifnet"]["ifnet"]["entry"][0] # Convert strings to integers, if they are integers entry.update((k, panos.convert_if_int(v)) for k, v in entry.items()) # If empty dictionary (no results) it usually means the interface is not # configured, so return None return entry if entry else None
[docs] def refresh_state(self): """Pull the state of the interface from the firewall The attribute 'state' is populated with the current state from the firewall. Returns: str: The current state from the firewall """ device = self.nearest_pandevice() cmd = 'show interface "{0}"'.format(self.name) response = device.op(cmd) state = response.findtext("result/hw/state") if state is None: state = "unconfigured" self.state = state return self.state
[docs] def full_delete( self, refresh=False, delete_referencing_objects=False, include_vsys=False ): """Delete the interface and all references to the interface Often when deleting an interface there is an API error because there are still references to the interface from zones, virtual-router, vsys, etc. This method deletes all references to the interface before deleting the interface itself. Args: refresh (bool): Refresh the current state of the device before taking action delete_referencing_objects (bool): Delete the entire object that references this interface """ self.set_zone(None, refresh=refresh, update=True) if self.ALLOW_SET_VLAN: self.set_vlan(None, refresh=refresh, update=True) self.set_virtual_router(None, refresh=refresh, update=True) # Remove any references to the interface across all known # children of this pan_device. This does not use 'refresh'. # Only pre-refreshed objects are scanned for references. for obj in self.nearest_pandevice().findall(PanObject, recursive=True): if isinstance(obj, device.Vsys): if not include_vsys: continue try: if str(self) == obj.interface or self == obj.interface: if delete_referencing_objects: obj.delete() else: obj.interface = None obj.update("interface") elif "__iter__" in dir(obj.interface) and str(self) in obj.interface: if delete_referencing_objects: obj.delete() else: obj.interface.remove(str(self)) obj.update("interface") elif "__iter__" in dir(obj.interface) and self in obj.interface: if delete_referencing_objects: obj.delete() else: obj.interface.remove(self) obj.update("interface") except AttributeError: pass self.delete()
[docs]class Arp(VersionedPanObject): """Static ARP Mapping Can be added to various interfaces. Args: ip (str): The IP address hw_address (str): The MAC address for the static ARP interface (str): The interface (when attached to VlanInterface only) """ SUFFIX = ENTRY NAME = "ip" def _setup(self): # xpaths # Interface xpaths self._xpaths.add_profile(value="/layer3/arp") # Subinterface xpaths self._xpaths.add_profile(value="/arp", parents=("Layer3Subinterface",)) # params params = [] params.append(VersionedParamPath("hw_address", path="hw-address")) params.append(VersionedParamPath("interface", path="interface")) self._params = tuple(params)
[docs]class VirtualWire(VsysOperations): """Virtual wires (vwire) Args: name (str): The vwire name tag (int): Tag for the interface, aka vlan id interface1 (str): The first interface to use interface2 (str): The second interface to use multicast (bool): Enable multicast firewalling or not pass_through (bool): Enable link state pass through or not """ ROOT = Root.DEVICE SUFFIX = ENTRY def _setup(self): # xpaths self._xpaths.add_profile(value="/network/virtual-wire") self._xpaths.add_profile( value="{0}/network/virtual-wire".format(self._TEMPLATE_DEVICE_XPATH), parents=("Template", "TemplateStack"), ) # xpath imports self._xpath_imports.add_profile(value="/network/virtual-wire") # params params = [] params.append(VersionedParamPath("tag", path="tag-allowed")) params.append(VersionedParamPath("interface1", path="interface1")) params.append(VersionedParamPath("interface2", path="interface2")) params.append( VersionedParamPath( "multicast", path="multicast-firewalling/enable", default=False, vartype="yesno", ) ) params.append( VersionedParamPath( "pass_through", path="link-state-pass-through/enable", default=True, vartype="yesno", ) ) self._params = tuple(params)
[docs]class Subinterface(Interface): """Subinterface class Do not instantiate this object. Use a subclass. """ _BASE_INTERFACE_NAME = "entry BASE_INTERFACE_NAME" _BASE_INTERFACE_TYPE = "var BASE_INTERFACE_TYPE"
[docs] def set_name(self): """Create a name appropriate for a subinterface if it isn't already""" if "." not in self.name: self.name = "{0}.{1}".format(self.name, self.tag)
@property def XPATH(self): path = super(Subinterface, self).XPATH if self._BASE_INTERFACE_TYPE in path: if self.uid.startswith("ae"): rep = "aggregate-ethernet" else: rep = "ethernet" path = path.replace(self._BASE_INTERFACE_TYPE, rep) if self._BASE_INTERFACE_NAME in path: base = self.uid.split(".")[0] path = path.replace( self._BASE_INTERFACE_NAME, "entry[@name='{0}']".format(base) ) return path
[docs]class AbstractSubinterface(object): """When a subinterface is needed, but the layer is unknown Kindof like a placeholder or reference for a Layer2Subinterface or Layer3Subinterface. This class gets a parent which is the ethernet or aggregate interface, but it should not be added to the parent interface with add(). Args: name (str): Name of the interface (eg. ethernet1/1.5) tag (int): Tag for the interface, aka vlan id parent (Interface): The base interface for this subinterface """ def __init__(self, name, tag, parent=None): self.name = name self.tag = tag self.parent = parent
[docs] def set_name(self): """Create a name appropriate for a subinterface if it isn't already created Example: If self.name is 'ethernet1/1' and self.tag is 5, this method will change the name to 'ethernet1/1.5'. """ if self.name.find(".") == -1: self.name = self.name + "." + str(self.tag)
[docs] def nearest_pandevice(self): """The PanDevice parent for this instance Returns: PanDevice: Parent PanDevice instance (Firewall or Panorama) """ return self.parent._nearest_pandevice()
def set_zone( self, zone_name, mode=None, refresh=False, update=False, running_config=False ): raise err.PanDeviceError( "Unable to set zone on abstract subinterface because layer must be known to set zone" )
[docs] def set_virtual_router( self, virtual_router_name, refresh=False, update=False, running_config=False ): """Set the virtual router for this interface Creates a reference to this interface in the specified virtual router and removes references to this interface from all other virtual routers. The virtual router will be created if it doesn't exist. Args: virtual_router_name (str): The name of the VirtualRouter or a :class:`panos.network.VirtualRouter` instance refresh (bool): Refresh the relevant current state of the device before taking action (Default: False) update (bool): Apply the changes to the device (Default: False) running_config: If refresh is True, refresh from the running configuration (Default: False) Returns: Zone: The zone for this interface after the operation completes """ interface = Layer3Subinterface(self.name, self.tag) interface.parent = self.parent return interface._set_reference( virtual_router_name, VirtualRouter, "interface", "list", True, refresh=False, update=update, running_config=running_config, return_type="object", name_only=False, )
[docs] def get_layered_subinterface(self, mode, add=True): """Instantiate a regular subinterface type from this AbstractSubinterface Converts an abstract subinterface to a real subinterface by offering it a mode. Args: mode (str): Mode of the subinterface ('layer3' or 'layer2') add (bool): Add the newly instantiated subinterface to the base interface object Returns: Subinterface: A :class:`panos.network.Layer3Subinterface` or :class:`panos.network.Layer2Subinterface` instance, depending on the mode argument """ if self.parent is not None: if mode == "layer3": subintclass = Layer3Subinterface elif mode == "layer2": subintclass = Layer2Subinterface else: raise err.PanDeviceError( "Unknown layer passed to subinterface factory: %s" % mode ) layered_subinterface = self.parent.find(self.name, subintclass) # Verify tag is correct if layered_subinterface is not None: if layered_subinterface.tag != self.tag: layered_subinterface.tag = self.tag else: if add: layered_subinterface = self.parent.add( subintclass(self.name, tag=self.tag) ) else: return return layered_subinterface
[docs] def delete(self): """Deletes both Layer3 and Layer2 subinterfaces by name This is necessary because an AbstractSubinterface's mode is unknown. """ for cls in (Layer3Subinterface, Layer2Subinterface): i = self.parent.find_or_create(self.uid, cls, tag=self.tag) i.delete()
[docs]class Layer3Subinterface(Subinterface): """Ethernet or Aggregate Subinterface in Layer 3 mode. Args: name (str): The name tag (int): Tag for the interface, aka vlan id ip (tuple): Interface IPv4 addresses ipv6_enabled (bool): IPv6 Enabled (requires IPv6Address child object) management_profile (ManagementProfile): Interface Management Profile mtu(int): MTU for interface adjust_tcp_mss (bool): Adjust TCP MSS netflow_profile (str): Netflow profile comment (str): The interface's comment ipv4_mss_adjust(int): TCP MSS adjustment for ipv4 ipv6_mss_adjust(int): TCP MSS adjustment for ipv6 enable_dhcp (bool): Enable DHCP on this interface create_dhcp_default_route (bool): Create default route pointing to default gateway provided by server dhcp_default_route_metric (int): Metric for the DHCP default route decrypt_forward (bool): (PAN-OS 8.1+) Decrypt forward. """ DEFAULT_MODE = "layer3" CHILDTYPES = ( "network.IPv6Address", "network.Arp", ) def _setup(self): # xpaths for parents: EthernetInterface, AggregateInterface) self._xpaths.add_profile(value="/layer3/units") # xpaths for parents: firewall.Firewall, device.Vsys self._xpaths.add_profile( parents=("Firewall", "Vsys"), value=( "/network/interface/{0}/{1}/layer3/units".format( self._BASE_INTERFACE_TYPE, self._BASE_INTERFACE_NAME ) ), ) self._xpaths.add_profile( value="{0}/network/interface/{1}/{2}/layer3/units".format( self._TEMPLATE_DEVICE_XPATH, self._BASE_INTERFACE_TYPE, self._BASE_INTERFACE_NAME, ), parents=("Template", "TemplateStack"), ) # xpath imports self._xpath_imports.add_profile(value="/network/interface") # params params = [] params.append(VersionedParamPath("tag", path="tag", vartype="int")) params.append(VersionedParamPath("ip", path="ip", vartype="entry")) params.append( VersionedParamPath("ipv6_enabled", path="ipv6/enabled", vartype="yesno") ) params.append( VersionedParamPath( "management_profile", path="interface-management-profile" ) ) params.append(VersionedParamPath("mtu", path="mtu", vartype="int")) params.append( VersionedParamPath("adjust_tcp_mss", path="adjust-tcp-mss", vartype="yesno") ) params[-1].add_profile("7.1.0", vartype="yesno", path="adjust-tcp-mss/enable") params.append(VersionedParamPath("netflow_profile", path="netflow-profile")) params.append(VersionedParamPath("comment", path="comment")) params.append(VersionedParamPath("ipv4_mss_adjust", exclude=True)) params[-1].add_profile( "7.1.0", path="adjust-tcp-mss/ipv4-mss-adjustment", vartype="int" ) params.append(VersionedParamPath("ipv6_mss_adjust", exclude=True)) params[-1].add_profile( "7.1.0", path="adjust-tcp-mss/ipv6-mss-adjustment", vartype="int" ) params.append( VersionedParamPath( "enable_dhcp", path="dhcp-client/enable", vartype="yesno" ) ) params.append( VersionedParamPath( "create_dhcp_default_route", path="dhcp-client/create-default-route", vartype="yesno", ) ) params.append( VersionedParamPath( "dhcp_default_route_metric", path="dhcp-client/default-route-metric", vartype="int", ) ) params.append( VersionedParamPath("decrypt_forward", vartype="yesno", exclude=True) ) params[-1].add_profile("8.1.0", vartype="yesno", path="decrypt-forward") self._params = tuple(params)
[docs]class Layer2Subinterface(Subinterface): """Ethernet or Aggregate Subinterface in Layer 2 mode. Args: name (str): The name tag (int): Tag for the interface, aka vlan id lldp_enabled (bool): Enable LLDP lldp_profile (str): Reference to an lldp profile netflow_profile_l2 (str): Netflow profile comment (str): The interface's comment """ SUFFIX = ENTRY DEFAULT_MODE = "layer2" ALLOW_SET_VLAN = True def _setup(self): # xpaths for parents: EthernetInterface, AggregateInterface self._xpaths.add_profile(value="/layer2/units") # xpaths for parents: firewall.Firewall, device.Vsys self._xpaths.add_profile( parents=("Firewall", "Vsys"), value=( "/network/interface/{0}/{1}/layer2/units".format( self._BASE_INTERFACE_TYPE, self._BASE_INTERFACE_NAME ) ), ) self._xpaths.add_profile( value="{0}/network/interface/{1}/{2}/layer2/units".format( self._TEMPLATE_DEVICE_XPATH, self._BASE_INTERFACE_TYPE, self._BASE_INTERFACE_NAME, ), parents=("Template", "TemplateStack"), ) # xpath imports self._xpath_imports.add_profile(value="/network/interface") # params params = [] params.append(VersionedParamPath("tag", path="tag", vartype="int")) params.append( VersionedParamPath("lldp_enabled", path="lldp/enable", vartype="yesno") ) params.append(VersionedParamPath("lldp_profile", path="lldp/profile")) params.append(VersionedParamPath("netflow_profile_l2", path="netflow-profile")) params.append(VersionedParamPath("comment", path="comment")) self._params = tuple(params)
[docs]class PhysicalInterface(Interface): """Absract base class for Ethernet and Aggregate Interfaces Do not instantiate this object. Use a subclass. """
[docs] def set_zone( self, zone_name, mode=None, refresh=False, update=False, running_config=False, return_type="object", ): """Set the zone for this interface Creates a reference to this interface in the specified zone and removes references to this interface from all other zones. The zone will be created if it doesn't exist. Args: zone_name (str): The name of the Zone or a :class:`panos.network.Zone` instance mode (str): The mode of the zone. See :class:`panos.network.Zone` for possible values refresh (bool): Refresh the relevant current state of the device before taking action (Default: False) update (bool): Apply the changes to the device (Default: False) running_config: If refresh is True, refresh from the running configuration (Default: False) return_type (str): Specify what this function returns, can be either 'object' (the default) or 'bool'. If this is 'object', then the return value is the Zone in question. If this is 'bool', then the return value is a boolean that tells you about if the live device needs updates (update=False) or was updated (update=True). Returns: Zone: The zone for this interface after the operation completes """ if mode is None: mode = self.mode return super(PhysicalInterface, self).set_zone( zone_name, mode, refresh, update, running_config, return_type )
[docs]class EthernetInterface(PhysicalInterface): """Ethernet interface (eg. 'ethernet1/1') Args: name (str): Name of interface (eg. 'ethernet1/1') mode (str): Mode of the interface: * layer3 * layer2 * virtual-wire * tap * ha * decrypt-mirror * aggregate-group Not all modes apply to all interface types (Default: layer3) ip (tuple): Layer3: Interface IPv4 addresses ipv6_enabled (bool): Layer3: IPv6 Enabled (requires IPv6Address child object) management_profile (ManagementProfile): Layer3: Interface Management Profile mtu(int): Layer3: MTU for interface adjust_tcp_mss (bool): Layer3: Adjust TCP MSS netflow_profile (str): Netflow profile lldp_enabled (bool): Layer2: Enable LLDP lldp_profile (str): Layer2: Reference to an lldp profile netflow_profile_l2 (str): Netflow profile link_speed (str): Link speed: eg. auto, 10, 100, 1000 link_duplex (str): Link duplex: eg. auto, full, half link_state (str): Link state: eg. auto, up, down aggregate_group (str): Aggregate interface (eg. ae1) comment (str): The interface's comment ipv4_mss_adjust(int): (PAN-OS 7.1+) TCP MSS adjustment for ipv4 ipv6_mss_adjust(int): (PAN-OS 7.1+) TCP MSS adjustment for ipv6 enable_dhcp (bool): Enable DHCP on this interface create_dhcp_default_route (bool): Create default route pointing to default gateway provided by server dhcp_default_route_metric (int): Metric for the DHCP default route enable_untagged_subinterface (bool): (PAN-OS 7.1+) Enable untagged subinterface decrypt_forward (bool): (PAN-OS 8.1+) Decrypt forward. rx_policing_rate (int): (PAN-OS 8.1+) Receive policing rate tx_policing_rate (int): (PAN-OS 8.1+) Transmit policing rate dhcp_send_hostname_enable (bool): Enable send firewall or custom hostname to DHCP server dhcp_send_hostname_value (string): Set interface hostname """ ALLOW_SET_VLAN = True CHILDTYPES = ( "network.Layer3Subinterface", "network.Layer2Subinterface", "network.IPv6Address", "network.Arp", ) def _setup(self): # xpaths self._xpaths.add_profile(value="/network/interface/ethernet") self._xpaths.add_profile( value="{0}/network/interface/ethernet".format(self._TEMPLATE_DEVICE_XPATH), parents=("Template", "TemplateStack"), ) # xpath imports self._xpath_imports.add_profile(value="/network/interface") # params params = [] params.append( VersionedParamPath( "mode", path="{mode}", default="layer3", values=[ "layer3", "layer2", "virtual-wire", "tap", "ha", "decrypt-mirror", "aggregate-group", ], ) ) params.append( VersionedParamPath( "ip", path="{mode}/ip", vartype="entry", condition={"mode": "layer3"} ) ) params.append( VersionedParamPath( "ipv6_enabled", path="{mode}/ipv6/enabled", vartype="yesno", condition={"mode": "layer3"}, ) ) params.append( VersionedParamPath( "management_profile", path="{mode}/interface-management-profile", condition={"mode": "layer3"}, ) ) params.append( VersionedParamPath( "mtu", path="{mode}/mtu", vartype="int", condition={"mode": "layer3"} ) ) params.append( VersionedParamPath( "adjust_tcp_mss", path="{mode}/adjust-tcp-mss", vartype="yesno", condition={"mode": "layer3"}, ) ) params[-1].add_profile( "7.1.0", path="{mode}/adjust-tcp-mss/enable", vartype="yesno", condition={"mode": "layer3"}, ) params.append( VersionedParamPath( "netflow_profile", path="{mode}/netflow-profile", condition={"mode": "layer3"}, ) ) params.append( VersionedParamPath( "lldp_enabled", path="{mode}/lldp/enable", vartype="yesno", condition={"mode": ["layer2", "layer3", "virtual-wire"]}, ) ) params.append( VersionedParamPath( "lldp_profile", path="{mode}/lldp/profile", condition={"mode": ["layer2", "layer3", "virtual-wire"]}, ) ) params.append( VersionedParamPath( "netflow_profile_l2", path="{mode}/netflow-profile", condition={"mode": "layer2"}, ) ) params.append(VersionedParamPath("link_speed", path="link-speed")) params.append(VersionedParamPath("link_duplex", path="link-duplex")) params.append(VersionedParamPath("link_state", path="link-state")) params.append( VersionedParamPath( "aggregate_group", path="aggregate-group", condition={"mode": "aggregate-group"}, ) ) params.append(VersionedParamPath("comment", path="comment")) params.append(VersionedParamPath("ipv4_mss_adjust", exclude=True)) params[-1].add_profile( "7.1.0", path="{mode}/adjust-tcp-mss/ipv4-mss-adjustment", vartype="int", condition={"mode": "layer3"}, ) params.append(VersionedParamPath("ipv6_mss_adjust", exclude=True)) params[-1].add_profile( "7.1.0", path="{mode}/adjust-tcp-mss/ipv6-mss-adjustment", vartype="int", condition={"mode": "layer3"}, ) params.append( VersionedParamPath( "enable_dhcp", path="{mode}/dhcp-client/enable", vartype="yesno", condition={"mode": "layer3"}, ) ) params.append( VersionedParamPath( "create_dhcp_default_route", path="{mode}/dhcp-client/create-default-route", vartype="yesno", condition={"mode": "layer3"}, ) ) params.append( VersionedParamPath( "dhcp_default_route_metric", path="{mode}/dhcp-client/default-route-metric", vartype="int", condition={"mode": "layer3"}, ) ) params.append(VersionedParamPath("enable_untagged_subinterface", exclude=True)) params[-1].add_profile( "7.1.0", vartype="yesno", condition={"mode": "layer3"}, path="{mode}/untagged-sub-interface", ) params.append(VersionedParamPath("decrypt_forward", exclude=True)) params[-1].add_profile( "8.1.0", vartype="yesno", condition={"mode": "layer3"}, path="{mode}/decrypt-forward", ) params.append(VersionedParamPath("rx_policing_rate", exclude=True)) params[-1].add_profile( "8.1.0", vartype="int", condition={"mode": "layer3"}, path="{mode}/policing/rx-rate", ) params.append(VersionedParamPath("tx_policing_rate", exclude=True)) params[-1].add_profile( "8.1.0", vartype="int", condition={"mode": "layer3"}, path="{mode}/policing/tx-rate", ) params.append(VersionedParamPath("dhcp_send_hostname_enable", exclude=True)) params[-1].add_profile( "9.0.0", vartype="yesno", condition={"mode": "layer3"}, path="{mode}/dhcp-client/send-hostname/enable", ) params.append(VersionedParamPath("dhcp_send_hostname_value", exclude=True)) params[-1].add_profile( "9.0.0", condition={"mode": "layer3"}, path="{mode}/dhcp-client/send-hostname/hostname", ) self._params = tuple(params)
[docs]class AggregateInterface(PhysicalInterface): """Aggregate interface (eg. 'ae1') Args: name (str): Name of interface (eg. 'ae1') mode (str): Mode of the interface: * layer3 * layer2 * virtual-wire * ha Not all modes apply to all interface types (Default: layer3) ip (tuple): Layer3: Interface IPv4 addresses ipv6_enabled (bool): Layer3: IPv6 Enabled (requires IPv6Address child object) management_profile (ManagementProfile): Layer3: Interface Management Profile mtu(int): Layer3: MTU for interface adjust_tcp_mss (bool): Layer3: Adjust TCP MSS netflow_profile (str): Netflow profile lldp_enabled (bool): Enable LLDP lldp_profile (str): Reference to an lldp profile comment (str): The interface's comment ipv4_mss_adjust(int): Layer3: TCP MSS adjustment for ipv4 ipv6_mss_adjust(int): Layer3: TCP MSS adjustment for ipv6 enable_dhcp (bool): Enable DHCP on this interface create_dhcp_default_route (bool): Layer3: Create default route pointing to default gateway provided by server dhcp_default_route_metric (int): Layer3: Metric for the DHCP default route lacp_enable (bool): Enables LACP lacp_passive_pre_negotiation (bool): Enable LACP passive pre-negotiation, off by default lacp_mode (str): Set LACP mode to 'active' or 'passive' lacp_rate (str): Set LACP transmission-rate to 'fast' or 'slow' """ ALLOW_SET_VLAN = True CHILDTYPES = ( "network.Layer3Subinterface", "network.Layer2Subinterface", "network.IPv6Address", "network.Arp", ) def _setup(self): # xpaths self._xpaths.add_profile(value="/network/interface/aggregate-ethernet") self._xpaths.add_profile( value="{0}/network/interface/aggregate-ethernet".format( self._TEMPLATE_DEVICE_XPATH ), parents=("Template", "TemplateStack"), ) # xpath imports self._xpath_imports.add_profile(value="/network/interface") # params params = [] params.append( VersionedParamPath( "mode", path="{mode}", default="layer3", values=["layer3", "layer2", "virtual-wire", "ha",], ) ) params.append( VersionedParamPath( "ip", condition={"mode": "layer3"}, path="{mode}/ip", vartype="entry" ) ) params.append( VersionedParamPath( "ipv6_enabled", condition={"mode": "layer3"}, path="{mode}/ipv6/enabled", vartype="yesno", ) ) params.append( VersionedParamPath( "management_profile", condition={"mode": ["layer3", "layer2"]}, path="{mode}/interface-management-profile", ) ) params.append( VersionedParamPath( "mtu", condition={"mode": "layer3"}, path="{mode}/mtu", vartype="int" ) ) params.append( VersionedParamPath( "adjust_tcp_mss", condition={"mode": "layer3"}, path="{path}/adjust-tcp-mss/enable", vartype="yesno", ) ) params[-1].add_profile( "7.1.0", condition={"mode": "layer3"}, vartype="yesno", path="{mode}/adjust-tcp-mss/enable", ) params.append( VersionedParamPath( "netflow_profile", condition={"mode": ["layer3", "layer2", "virtual-wire"]}, path="{mode}/netflow-profile", ) ) params.append( VersionedParamPath( "lldp_enabled", condition={"mode": ["layer3", "layer2", "virtual-wire"]}, path="{mode}/lldp/enable", vartype="yesno", ) ) params.append( VersionedParamPath( "lldp_profile", condition={"mode": ["layer3", "layer2", "virtual-wire"]}, path="{mode}/lldp/profile", ) ) params.append(VersionedParamPath("comment", path="comment")) params.append(VersionedParamPath("ipv4_mss_adjust", exclude=True)) params[-1].add_profile( "7.1.0", condition={"mode": "layer3"}, path="{mode}/adjust-tcp-mss/ipv4-mss-adjustment", vartype="int", ) params.append(VersionedParamPath("ipv6_mss_adjust", exclude=True)) params[-1].add_profile( "7.1.0", condition={"mode": "layer3"}, path="{mode}/adjust-tcp-mss/ipv6-mss-adjustment", vartype="int", ) params.append( VersionedParamPath( "enable_dhcp", path="{mode}/dhcp-client/enable", vartype="yesno", condition={"mode": "layer3"}, ) ) params.append( VersionedParamPath( "create_dhcp_default_route", path="{mode}/dhcp-client/create-default-route", vartype="yesno", condition={"mode": "layer3"}, ) ) params.append( VersionedParamPath( "dhcp_default_route_metric", path="{mode}/dhcp-client/default-route-metric", vartype="int", condition={"mode": "layer3"}, ) ) params.append( VersionedParamPath( "lacp_enable", condition={"mode": ["layer3", "layer2", "ha"]}, vartype="yesno", path="{mode}/lacp/enable", ) ) params.append( VersionedParamPath( "lacp_passive_pre_negotiation", condition={"mode": ["layer3", "layer2"], "lacp_enable": True}, vartype="yesno", path="{mode}/lacp/high-availability/passive-pre-negotiation", ) ) params.append( VersionedParamPath( "lacp_mode", condition={"mode": ["layer3", "layer2", "ha"], "lacp_enable": True}, values=["active", "passive"], path="{mode}/lacp/mode", ) ) params.append( VersionedParamPath( "lacp_rate", condition={"mode": ["layer3", "layer2", "ha"], "lacp_enable": True}, values=["fast", "slow"], path="{mode}/lacp/transmission-rate", ) ) self._params = tuple(params)
[docs]class VlanInterface(Interface): """Vlan interface Args: name (str): Interface name ip (tuple): Interface IPv4 addresses ipv6_enabled (bool): IPv6 Enabled (requires IPv6Address child object) management_profile (ManagementProfile): Interface Management Profile mtu(int): MTU for interface adjust_tcp_mss (bool): Adjust TCP MSS netflow_profile (str): Netflow profile comment (str): The interface's comment ipv4_mss_adjust(int): TCP MSS adjustment for ipv4 ipv6_mss_adjust(int): TCP MSS adjustment for ipv6 enable_dhcp (bool): Enable DHCP on this interface create_dhcp_default_route (bool): Create default route pointing to default gateway provided by server dhcp_default_route_metric (int): Metric for the DHCP default route """ CHILDTYPES = ( "network.IPv6Address", "network.Arp", ) def _setup(self): # xpaths self._xpaths.add_profile(value="/network/interface/vlan/units") self._xpaths.add_profile( value="{0}/network/interface/vlan/units".format( self._TEMPLATE_DEVICE_XPATH ), parents=("Template", "TemplateStack"), ) # xpath imports self._xpath_imports.add_profile(value="/network/interface") # params params = [] params.append(VersionedParamPath("ip", path="ip", vartype="entry")) params.append( VersionedParamPath("ipv6_enabled", path="ipv6/enabled", vartype="yesno") ) params.append( VersionedParamPath( "management_profile", path="interface-management-profile" ) ) params.append(VersionedParamPath("mtu", path="mtu", vartype="int")) params.append( VersionedParamPath("adjust_tcp_mss", path="adjust-tcp-mss", vartype="yesno") ) params[-1].add_profile("7.1.0", vartype="yesno", path="adjust-tcp-mss/enable") params.append(VersionedParamPath("netflow_profile", path="netflow-profile")) params.append(VersionedParamPath("comment", path="comment")) params.append(VersionedParamPath("ipv4_mss_adjust", exclude=True)) params[-1].add_profile( "7.1.0", path="adjust-tcp-mss/ipv4-mss-adjustment", vartype="int" ) params.append(VersionedParamPath("ipv6_mss_adjust", exclude=True)) params[-1].add_profile( "7.1.0", path="adjust-tcp-mss/ipv6-mss-adjustment", vartype="int" ) params.append( VersionedParamPath( "enable_dhcp", path="dhcp-client/enable", vartype="yesno" ) ) params.append( VersionedParamPath( "create_dhcp_default_route", path="dhcp-client/create-default-route", vartype="yesno", ) ) params.append( VersionedParamPath( "dhcp_default_route_metric", path="dhcp-client/default-route-metric", vartype="int", ) ) self._params = tuple(params)
[docs] def set_vlan_interface( self, vlan_name, refresh=False, update=False, running_config=False, return_type="object", ): """Sets the VLAN's VLAN interface to this VLAN interface Creates a reference to this interface in the specified vlan and removes references to this interface from all other VLANs. The vlan will be created if it doesn't exist. Args: vlan_name (str): The name of the vlan or a :class:`panos.network.Vlan` instance refresh (bool): Refresh the relevant current state of the device before taking action (Default: False) update (bool): Apply the changes to the device (Default: False) running_config: If refresh is True, refresh from the running configuration (Default: False) return_type (str): Specify what this function returns, can be either 'object' (the default) or 'bool'. If this is 'object', then the return value is the Vlan in question. If this is 'bool', then the return value is a boolean that tells you about if the live device needs updates (update=False) or was updated (update=True). Returns: Vlan: The VLAN for this interface after the operation completes """ return self._set_reference( vlan_name, Vlan, "virtual_interface", "string", True, refresh, update, running_config, return_type, False, )
[docs]class LoopbackInterface(Interface): """Loopback interface Args: name (str): The name ip (tuple): Interface IPv4 addresses ipv6_enabled (bool): IPv6 Enabled (requires IPv6Address child object) management_profile (ManagementProfile): Interface Management Profile mtu(int): MTU for interface adjust_tcp_mss (bool): Adjust TCP MSS netflow_profile (str): Netflow profile comment (str): The interface's comment ipv4_mss_adjust(int): TCP MSS adjustment for ipv4 ipv6_mss_adjust(int): TCP MSS adjustment for ipv6 """ CHILDTYPES = ("network.IPv6Address",) def _setup(self): # xpaths self._xpaths.add_profile(value="/network/interface/loopback/units") self._xpaths.add_profile( value="{0}/network/interface/loopback/units".format( self._TEMPLATE_DEVICE_XPATH ), parents=("Template", "TemplateStack"), ) # xpath imports self._xpath_imports.add_profile(value="/network/interface") # params params = [] params.append(VersionedParamPath("ip", path="ip", vartype="entry")) params.append( VersionedParamPath("ipv6_enabled", path="ipv6/enabled", vartype="yesno") ) params.append( VersionedParamPath( "management_profile", path="interface-management-profile" ) ) params.append(VersionedParamPath("mtu", path="mtu", vartype="int")) params.append( VersionedParamPath("adjust_tcp_mss", path="adjust-tcp-mss", vartype="yesno") ) params[-1].add_profile("7.1.0", vartype="yesno", path="adjust-tcp-mss/enable") params.append(VersionedParamPath("netflow_profile", path="netflow-profile")) params.append(VersionedParamPath("comment", path="comment")) params.append(VersionedParamPath("ipv4_mss_adjust", exclude=True)) params[-1].add_profile( "7.1.0", path="adjust-tcp-mss/ipv4-mss-adjustment", vartype="int" ) params.append(VersionedParamPath("ipv6_mss_adjust", exclude=True)) params[-1].add_profile( "7.1.0", path="adjust-tcp-mss/ipv6-mss-adjustment", vartype="int" ) self._params = tuple(params)
[docs]class TunnelInterface(Interface): """Tunnel interface Args: name (str): The name ip (tuple): Interface IPv4 addresses ipv6_enabled (bool): IPv6 Enabled (requires IPv6Address child object) management_profile (ManagementProfile): Interface Management Profile mtu(int): MTU for interface netflow_profile (str): Netflow profile comment (str): The interface's comment """ CHILDTYPES = ("network.IPv6Address",) def _setup(self): # xpaths self._xpaths.add_profile(value="/network/interface/tunnel/units") self._xpaths.add_profile( value="{0}/network/interface/tunnel/units".format( self._TEMPLATE_DEVICE_XPATH ), parents=("Template", "TemplateStack"), ) # xpath imports self._xpath_imports.add_profile(value="/network/interface") # params params = [] params.append(VersionedParamPath("ip", path="ip", vartype="entry")) params.append( VersionedParamPath("ipv6_enabled", path="ipv6/enabled", vartype="yesno") ) params.append( VersionedParamPath( "management_profile", path="interface-management-profile" ) ) params.append(VersionedParamPath("mtu", path="mtu", vartype="int")) params.append(VersionedParamPath("netflow_profile", path="netflow-profile")) params.append(VersionedParamPath("comment", path="comment")) self._params = tuple(params)
[docs]class StaticRoute(VersionedPanObject): """Static Route Add to a :class:`panos.network.VirtualRouter` instance. Args: name (str): The name destination (str): Destination network nexthop_type (str): ip-address, discard, or next-vr nexthop (str): Next hop IP address or Next VR Name interface (str): Next hop interface admin_dist (str): Administrative distance metric (int): Metric (Default: 10) enable_path_monitor (bool): Enable Path Monitor failure_condition (str): Path Monitor failure condition set 'any' or 'all' preemptive_hold_time (int): Path Monitor Preemptive Hold Time in minutes """ SUFFIX = ENTRY CHILDTYPES = ("network.PathMonitorDestination",) def _setup(self): # xpaths self._xpaths.add_profile(value="/routing-table/ip/static-route") # params params = [] params.append(VersionedParamPath("destination", path="destination")) params.append( VersionedParamPath( "nexthop_type", default="ip-address", values=["discard", "ip-address", "next-vr"], path="nexthop/{nexthop_type}", ) ) params.append(VersionedParamPath("nexthop", path="nexthop/{nexthop_type}")) params.append(VersionedParamPath("interface", path="interface")) params.append( VersionedParamPath("admin_dist", vartype="int", path="admin-dist") ) params.append( VersionedParamPath("metric", default=10, vartype="int", path="metric") ) params.append( VersionedParamPath( "enable_path_monitor", path="path-monitor/enable", vartype="yesno" ) ) params.append( VersionedParamPath( "failure_condition", values=("all", "any"), path="path-monitor/failure-condition", ) ) params.append( VersionedParamPath( "preemptive_hold_time", vartype="int", path="path-monitor/hold-time" ) ) self._params = tuple(params)
[docs]class StaticRouteV6(VersionedPanObject): """IPV6 Static Route Add to a :class:`panos.network.VirtualRouter` instance. Args: name (str): The name destination (str): Destination network nexthop_type (str): ip-address or discard nexthop (str): Next hop IP address interface (str): Next hop interface admin_dist (str): Administrative distance metric (int): Metric (Default: 10) enable_path_monitor (bool): Enable Path Monitor failure_condition (str): Path Monitor failure condition set 'any' or 'all' preemptive_hold_time (int): Path Monitor Preemptive Hold Time in minutes """ SUFFIX = ENTRY CHILDTYPES = ("network.PathMonitorDestination",) def _setup(self): # xpaths self._xpaths.add_profile(value="/routing-table/ipv6/static-route") # params params = [] params.append(VersionedParamPath("destination", path="destination")) params.append( VersionedParamPath( "nexthop_type", default="ipv6-address", values=["discard", "ipv6-address"], path="nexthop/{nexthop_type}", ) ) params.append(VersionedParamPath("nexthop", path="nexthop/{nexthop_type}")) params.append(VersionedParamPath("interface", path="interface")) params.append( VersionedParamPath("admin_dist", vartype="int", path="admin-dist") ) params.append( VersionedParamPath("metric", default=10, vartype="int", path="metric") ) params.append( VersionedParamPath( "enable_path_monitor", path="path-monitor/enable", vartype="yesno" ) ) params.append( VersionedParamPath( "failure_condition", values=("all", "any"), path="path-monitor/failure-condition", ) ) params.append( VersionedParamPath( "preemptive_hold_time", vartype="int", path="path-monitor/hold-time" ) ) self._params = tuple(params)
[docs]class PathMonitorDestination(VersionedPanObject): """PathMonitorDestination Static Route Args: name (str): Name of Path Monitor Destination enable (bool): Enable Path Monitor Destination source (str): Source ip of interface destination (str): Destination ip interval (int): Ping Interval (sec) (Default: 3) count (int): Ping count (Default: 5) """ SUFFIX = ENTRY def _setup(self): # xpaths self._xpaths.add_profile(value="/path-monitor/monitor-destinations") # params params = [] params.append(VersionedParamPath("enable", vartype="yesno", path="enable")) params.append(VersionedParamPath("source", path="source")) params.append(VersionedParamPath("destination", path="destination")) params.append( VersionedParamPath("interval", default=3, vartype="int", path="interval") ) params.append( VersionedParamPath("count", default=5, vartype="int", path="count") ) self._params = tuple(params)
[docs]class VirtualRouter(VsysOperations): """Virtual router Args: name (str): Name of virtual router (Default: "default") interface (list): List of interface names ad_static (int): Administrative distance for this protocol ad_static_ipv6 (int): Administrative distance for this protocol ad_ospf_int (int): Administrative distance for this protocol ad_ospf_ext (int): Administrative distance for this protocol ad_ospfv3_int (int): Administrative distance for this protocol ad_ospfv3_ext (int): Administrative distance for this protocol ad_ibgp (int): Administrative distance for this protocol ad_ebgp (int): Administrative distance for this protocol ad_rip (int): Administrative distance for this protocol """ _DEFAULT_NAME = "default" SUFFIX = ENTRY CHILDTYPES = ( "network.StaticRoute", "network.StaticRouteV6", "network.RedistributionProfile", "network.RedistributionProfileIPv6", "network.Ospf", "network.Bgp", "network.Rip", ) def _setup(self): # xpaths self._xpaths.add_profile(value="/network/virtual-router") self._xpaths.add_profile( value="{0}/network/virtual-router".format(self._TEMPLATE_DEVICE_XPATH), parents=("Template", "TemplateStack"), ) # xpath imports self._xpath_imports.add_profile(value="/network/virtual-router") # params params = [] params.append( VersionedParamPath("interface", path="interface", vartype="member") ) admin_dists = ( ("ad_static", "static"), ("ad_static_ipv6", "static-ipv6"), ("ad_ospf_int", "ospf-int"), ("ad_ospf_ext", "ospf-ext"), ("ad_ospfv3_int", "ospfv3-int"), ("ad_ospfv3_ext", "ospfv3-ext"), ("ad_ibgp", "ibgp"), ("ad_ebgp", "ebgp"), ("ad_rip", "rip"), ) for var_name, path in admin_dists: params.append( VersionedParamPath(var_name, vartype="int", path="admin-dists/" + path) ) self._params = tuple(params)
[docs]class RedistributionProfileBase(VersionedPanObject): """Redistribution Profile Args: name (str): Name of profile priority (int): Priority id action (str): 'no-redist' or 'redist' filter_type (tuple): Any of 'static', 'connect', 'rip', 'ospf', or 'bgp' filter_interface (tuple): Filter interface filter_destination (tuple): Filter destination filter_nexthop (tuple): Filter nexthop ospf_filter_pathtype (tuple): Any of 'intra-area', 'inter-area', 'ext-1', or 'ext-2 ospf_filter_area (tuple): OSPF filter on area ospf_filter_tag (tuple): OSPF filter on tag bgp_filter_community (tuple): BGP filter on community bgp_filter_extended_community (tuple): BGP filter on extended community """ SUFFIX = ENTRY def _setup(self): # self._xpaths.add_profile(value='/protocol/redist-profile') params = [] params.append(VersionedParamPath("priority", vartype="int")) params.append( VersionedParamPath( "action", values=["no-redist", "redist"], path="action/{action}" ) ) params.append( VersionedParamPath("filter_type", path="filter/type", vartype="member") ) params.append( VersionedParamPath( "filter_interface", path="filter/interface", vartype="member" ) ) params.append( VersionedParamPath( "filter_destination", path="filter/destination", vartype="member" ) ) params.append( VersionedParamPath( "filter_nexthop", path="filter/nexthop", vartype="member" ) ) params.append( VersionedParamPath( "ospf_filter_pathtype", path="filter/ospf/path-type", vartype="member", values=["intra-area", "inter-area", "ext-1", "ext-2"], ) ) params.append( VersionedParamPath( "ospf_filter_area", path="filter/ospf/area", vartype="member" ) ) params.append( VersionedParamPath( "ospf_filter_tag", path="filter/ospf/tag", vartype="member" ) ) params.append( VersionedParamPath( "bgp_filter_community", path="filter/bgp/community", vartype="member" ) ) params.append( VersionedParamPath( "bgp_filter_extended_community", path="filter/bgp/extended-community", vartype="member", ) ) self._params = tuple(params)
[docs]class RedistributionProfile(RedistributionProfileBase): """Redistribution Profile Args: name (str): Name of profile priority (int): Priority id action (str): 'no-redist' or 'redist' filter_type (tuple): Any of 'static', 'connect', 'rip', 'ospf', or 'bgp' filter_interface (tuple): Filter interface filter_destination (tuple): Filter destination filter_nexthop (tuple): Filter nexthop ospf_filter_pathtype (tuple): Any of 'intra-area', 'inter-area', 'ext-1', or 'ext-2 ospf_filter_area (tuple): OSPF filter on area ospf_filter_tag (tuple): OSPF filter on tag bgp_filter_community (tuple): BGP filter on community bgp_filter_extended_community (tuple): BGP filter on extended community """ SUFFIX = ENTRY def _setup(self): self._xpaths.add_profile(value="/protocol/redist-profile") RedistributionProfileBase._setup(self)
[docs]class RedistributionProfileIPv6(RedistributionProfileBase): """Redistribution Profile Args: name (str): Name of profile priority (int): Priority id action (str): 'no-redist' or 'redist' filter_type (tuple): Any of 'static', 'connect', 'rip', 'ospf', or 'bgp' filter_interface (tuple): Filter interface filter_destination (tuple): Filter destination filter_nexthop (tuple): Filter nexthop ospf_filter_pathtype (tuple): Any of 'intra-area', 'inter-area', 'ext-1', or 'ext-2 ospf_filter_area (tuple): OSPF filter on area ospf_filter_tag (tuple): OSPF filter on tag bgp_filter_community (tuple): BGP filter on community bgp_filter_extended_community (tuple): BGP filter on extended community """ SUFFIX = ENTRY def _setup(self): self._xpaths.add_profile(value="/protocol/redist-profile-ipv6") RedistributionProfileBase._setup(self)
[docs]class Rip(VersionedPanObject): """Rip Add to a :class:`panos.network.VirtualRouter` instance. Args: enable (bool): Enable RIP reject_default_route (bool): Reject default route allow_redist_default_route (bool): Allow Redistribute Default Route delete_intervals (int): Delete Intervals expire_intervals (int): Expire Intervals interval_seconds (int): Interval Seconds (sec) update_intervals (int): Update Intervals global_bfd_profile (str): Global BFD profile """ NAME = None CHILDTYPES = ( "network.RipInterface", "network.RipAuthProfile", "network.RipExportRule", ) def _setup(self): # xpaths self._xpaths.add_profile(value="/protocol/rip") # params params = [] params.append( VersionedParamPath("enable", path="enable", default=True, vartype="yesno") ) params.append( VersionedParamPath("reject_default_route", default=True, vartype="yesno",) ) params.append( VersionedParamPath( "allow_redist_default_route", path="allow-redist-default-route", vartype="yesno", ) ) params.append( VersionedParamPath( "delete_intervals", path="timers/delete-intervals", vartype="int", default=120, ) ) params.append( VersionedParamPath( "expire_intervals", path="timers/expire-intervals", vartype="int", default=180, ) ) params.append( VersionedParamPath( "interval_seconds", path="timers/interval-seconds", vartype="int", default=1, ) ) params.append( VersionedParamPath( "update_intervals", path="timers/update-intervals", vartype="int", default=30, ) ) params.append( VersionedParamPath("global_bfd_profile", path="global-bfd/profile") ) self._params = tuple(params)
[docs]class RipInterface(VersionedPanObject): """Rip Interface Add to a :class:`panos.network.Rip` instance. Args: name (str): Interface name enable (bool): Enable advertise_default_route: Advertise default route * advertise * disable metric (int): Default route metric. Requires {advertise_default_route: "advertise"} auth_profile (str): Auth profile name mode (str): Mode of RipInterface * normal (default) * passive * send-only """ SUFFIX = ENTRY def _setup(self): self._xpaths.add_profile(value="/interface") params = [] params.append( VersionedParamPath("enable", path="enable", vartype="yesno", default=True) ) params.append( VersionedParamPath( "advertise_default_route", values=["advertise", "disable"], default="disable", path="default-route/{advertise_default_route}", ) ) params.append( VersionedParamPath( "metric", path="default-route/{advertise_default_route}/metric", vartype="int", default=10, condition={"advertise_default_route": "advertise"}, ) ) params.append(VersionedParamPath("auth_profile", path="authentication")) params.append( VersionedParamPath( "mode", path="mode", values=["normal", "passive", "send-only"], default="normal", ) ) self._params = tuple(params)
[docs]class RipAuthProfile(VersionedPanObject): """Rip Authentication Profile Args: name (str): Name of Auth Profile auth_type (str): 'password' or 'md5' password (str): The password if auth_type is set to 'password'. If auth_type is set to 'md5', add a :class:`panos.network.RipAuthProfileMd5` """ SUFFIX = ENTRY CHILDTYPES = ("network.RipAuthProfileMd5",) def _setup(self): self._xpaths.add_profile(value="/auth-profile") params = [] params.append( VersionedParamPath( "auth_type", values=["password", "md5"], path="{auth_type}" ) ) params.append( VersionedParamPath( "password", condition={"auth_type": "password"}, path="{auth_type}", vartype="encrypted", ) ) self._params = tuple(params)
[docs]class RipAuthProfileMd5(VersionedPanObject): """Rip Authentication Profile Args: keyid (int): Identifier for key key (str): The authentication key preferred (bool): This key is preferred """ SUFFIX = ENTRY NAME = "keyid" def _setup(self): self._xpaths.add_profile(value="/md5") params = [] params.append(VersionedParamPath("key", vartype="encrypted")) params.append(VersionedParamPath("preferred", vartype="yesno")) self._params = tuple(params)
[docs]class RipExportRule(VersionedPanObject): """Rip Export Rules Args: name (str): IP subnet or :class:`panos.network.RedistributionProfile` metric (int): Metric """ SUFFIX = ENTRY def _setup(self): self._xpaths.add_profile(value="/export-rules") params = [] params.append(VersionedParamPath("metric", vartype="int")) self._params = tuple(params)
[docs]class Ospf(VersionedPanObject): """OSPF Process Args: enable (bool): Enable OSPF (Default: True) router_id (str): Router ID in IP format (eg. 1.1.1.1) reject_default_route (bool): Reject default route allow_redist_default_route (bool): Allow redistribution in default route rfc1583 (bool): rfc1583 spf_calculation_delay (int): SPF calculation delay lsa_interval (int): LSA interval graceful_restart_enable (bool): Enable OSPF graceful restart gr_grace_period (int): Graceful restart period gr_helper_enable (bool): Graceful restart helper enable gr_strict_lsa_checking (bool): Graceful restart strict lsa checking gr_max_neighbor_restart_time (int): Graceful restart neighbor restart time """ NAME = None CHILDTYPES = ( "network.OspfArea", "network.OspfAuthProfile", "network.OspfExportRules", ) def _setup(self): self._xpaths.add_profile(value="/protocol/ospf") params = [] params.append( VersionedParamPath("enable", default=True, path="enable", vartype="yesno") ) params.append(VersionedParamPath("router_id")) params.append(VersionedParamPath("reject_default_route", vartype="yesno")) params.append(VersionedParamPath("allow_redist_default_route", vartype="yesno")) params.append(VersionedParamPath("rfc1583", vartype="yesno")) # TODO: Add flood prevention params.append( VersionedParamPath( "spf_calculation_delay", path="timers/spf-calculation-delay", vartype="int", ) ) params.append( VersionedParamPath( "lsa_interval", path="timers/lsa-interval", vartype="int" ) ) params.append( VersionedParamPath( "graceful_restart_enable", path="graceful-restart/enable", vartype="yesno", ) ) params.append( VersionedParamPath( "gr_grace_period", path="graceful-restart/grace-period", vartype="int" ) ) params.append( VersionedParamPath( "gr_helper_enable", path="graceful-restart/helper-enable", vartype="yesno", ) ) params.append( VersionedParamPath( "gr_strict_lsa_checking", path="graceful-restart/strict-LSA-checking", vartype="yesno", ) ) params.append( VersionedParamPath( "gr_max_neighbor_restart_time", path="graceful-restart/max-neighbor-restart-time", vartype="int", ) ) self._params = tuple(params)
[docs]class OspfArea(VersionedPanObject): """OSPF Area Args: name (str): Area in IP format type (str): Type of area, 'normal', 'stub', or 'nssa' (Default: normal) accept_summary (bool): Accept summary route - stub and nssa only default_route_advertise (str): 'disable' or 'advertise' (Default: disable) - stub and nssa only default_route_advertise_metric (int): Default route metric - stub and nssa only default_route_advertise_type (str): 'ext-1' or 'ext2' (Default: ext-2 - nssa only """ SUFFIX = ENTRY CHILDTYPES = ( "network.OspfRange", "network.OspfAreaInterface", "network.OspfNssaExternalRange", ) def _setup(self): self._xpaths.add_profile(value="/area") params = [] params.append( VersionedParamPath( "type", default="normal", values=["normal", "stub", "nssa"], path="type/{type}", ) ) params.append( VersionedParamPath( "accept_summary", condition={"type": ["stub", "nssa"]}, path="type/{type}/accept-summary", vartype="yesno", ) ) params.append( VersionedParamPath( "default_route_advertise", default="disable", condition={"type": ["stub", "nssa"]}, values=["disable", "advertise"], path="type/{type}/default-route/{default_route_advertise}", ) ) params.append( VersionedParamPath( "default_route_advertise_metric", condition={ "type": ["stub", "nssa"], "default_route_advertise": "advertise", }, path="type/{type}/default-route/advertise/metric", vartype="int", ) ) params.append( VersionedParamPath( "default_route_advertise_type", default="ext-2", condition={"type": "nssa", "default_route_advertise": "advertise"}, values=["ext-1", "ext-2"], path="type/nssa/default-route/advertise/type", ) ) self._params = tuple(params)
[docs]class OspfRange(VersionedPanObject): """OSPF Range Args: name (str): IP network with prefix mode (str): 'advertise' or 'suppress' (Default: advertise) """ SUFFIX = ENTRY def _setup(self): self._xpaths.add_profile(value="/range") params = [] params.append( VersionedParamPath( "mode", default="advertise", values=["advertise", "suppress"], path="{mode}", ) ) self._params = tuple(params)
[docs]class OspfNssaExternalRange(VersionedPanObject): """OSPF NSSA External Range Args: name (str): IP network with prefix mode (str): 'advertise' or 'suppress' (Default: advertise) """ SUFFIX = ENTRY def _setup(self): self._xpaths.add_profile(value="/type/nssa/nssa-ext-range") params = [] params.append( VersionedParamPath( "mode", default="advertise", values=["advertise", "suppress"], path="{mode}", ) ) self._params = tuple(params)
[docs]class OspfAreaInterface(VersionedPanObject): """OSPF Area Interface Args: name (str): Name of the interface (interface must exist) enable (bool): OSPF enabled on this interface passive (bool): Passive mode link_type (str): Link type, 'broadcast', 'p2p', or 'p2mp' (Default: broadcast) metric (int): Metric priority (int): Priority id hello_interval (int): Hello interval dead_counts (int): Dead counts retransmit_interval (int): Retransmit interval transit_delay (int): Transit delay gr_delay (int): Graceful restart delay authentication (str): Reference to a :class:`panos.network.OspfAuthProfile` """ SUFFIX = ENTRY CHILDTYPES = ("network.OspfNeighbor",) def _setup(self): self._xpaths.add_profile(value="/interface") params = [] params.append(VersionedParamPath("enable", vartype="yesno")) params.append(VersionedParamPath("passive", vartype="yesno")) params.append( VersionedParamPath( "link_type", default="broadcast", values=["broadcast", "p2p", "p2mp"], path="link-type/{link_type}", ) ) params.append(VersionedParamPath("metric", vartype="int")) params.append(VersionedParamPath("priority", vartype="int")) params.append(VersionedParamPath("hello_interval", vartype="int")) params.append(VersionedParamPath("dead_counts", vartype="int")) params.append(VersionedParamPath("retransmit_interval", vartype="int")) params.append(VersionedParamPath("transit_delay", vartype="int")) params.append(VersionedParamPath("gr_delay", vartype="int")) params.append(VersionedParamPath("authentication")) self._params = tuple(params)
[docs]class OspfNeighbor(VersionedPanObject): """OSPF Neighbor Args: name (str): IP of neighbor metric (int): Metric """ SUFFIX = ENTRY def _setup(self): self._xpaths.add_profile(value="/neighbor") params = [] params.append(VersionedParamPath("metric", vartype="int", exclude=True)) self._params = tuple(params)
[docs]class OspfAuthProfile(VersionedPanObject): """OSPF Authentication Profile Args: name (str): Name of Auth Profile type (str): 'password' or 'md5' password (str): The password if type is set to 'password'. If type is set to 'md5', add a :class:`panos.network.OspfAuthProfileMd5` """ SUFFIX = ENTRY CHILDTYPES = ("network.OspfAuthProfileMd5",) def _setup(self): self._xpaths.add_profile(value="/auth-profile") params = [] params.append( VersionedParamPath("type", values=["password", "md5"], path="{type}") ) params.append( VersionedParamPath( "password", condition={"type": "password"}, path="{type}" ) ) self._params = tuple(params)
[docs]class OspfAuthProfileMd5(VersionedPanObject): """OSPF Authentication Profile Args: keyid (int): Identifier for key key (str): The authentication key preferred (bool): This key is preferred """ SUFFIX = ENTRY NAME = "keyid" def _setup(self): self._xpaths.add_profile(value="/md5") params = [] params.append(VersionedParamPath("key", vartype="encrypted")) params.append(VersionedParamPath("preferred", vartype="yesno")) self._params = tuple(params)
[docs]class OspfExportRules(VersionedPanObject): """OSPF Export Rules Args: name (str): IP subnet or :class:`panos.network.RedistributionProfile` new_path_type (str): New path type, 'ext-1' or 'ext-2' (Default: ext-2) new_tag (str): New tag (int or IP format) metric (int): Metric """ SUFFIX = ENTRY def _setup(self): self._xpaths.add_profile(value="/export-rules") params = [] params.append( VersionedParamPath( "new_path_type", default="ext-2", values=["ext-1", "ext-2"] ) ) params.append(VersionedParamPath("new_tag")) params.append(VersionedParamPath("metric", vartype="int")) self._params = tuple(params)
[docs]class Bgp(VersionedPanObject): """BGP Process Args: enable (bool): Enable BGP (Default: True) router_id (str): Router ID in IP format (eg. 1.1.1.1) reject_default_route (bool): Reject default route allow_redist_default_route (bool): Allow redistribution in default route install_route (bool): Populate BGP learned route to global route table ecmp_multi_as (bool): Support multiple AS in ECMP enforce_first_as (bool): Enforce First AS for EBGP local_as (int): local AS number global_bfd_profile (str): BFD Profile """ NAME = None CHILDTYPES = ( "network.BgpRoutingOptions", "network.BgpAuthProfile", "network.BgpDampeningProfile", "network.BgpPeerGroup", "network.BgpPolicyImportRule", "network.BgpPolicyExportRule", "network.BgpPolicyConditionalAdvertisement", "network.BgpPolicyAggregationAddress", "network.BgpRedistributionRule", ) def _setup(self): self._xpaths.add_profile(value="/protocol/bgp") params = [] params.append( VersionedParamPath("enable", default=True, path="enable", vartype="yesno") ) params.append(VersionedParamPath("router_id")) params.append( VersionedParamPath("reject_default_route", default=True, vartype="yesno") ) params.append( VersionedParamPath( "allow_redist_default_route", default=False, vartype="yesno" ) ) params.append( VersionedParamPath("install_route", default=False, vartype="yesno") ) params.append( VersionedParamPath("ecmp_multi_as", default=False, vartype="yesno") ) params.append( VersionedParamPath("enforce_first_as", default=True, vartype="yesno") ) params.append(VersionedParamPath("local_as", vartype="str")) params.append( VersionedParamPath("global_bfd_profile", path="global-bfd/profile") ) self._params = tuple(params)
[docs]class BgpRoutingOptions(VersionedPanObject): """BGP Routing Options Args: as_format (str): AS format ('2-byte'/'4-byte') always_compare_med (bool): always compare MEDs deterministic_med_comparison (bool): deterministic MEDs comparison default_local_preference (int): default local preference graceful_restart_enable (bool): enable graceful restart gr_stale_route_time (int): time to remove stale routes after peer restart (in seconds) gr_local_restart_time (int): local restart time to advertise to peer (in seconds) gr_max_peer_restart_time (int): maximum of peer restart time accepted (in seconds) reflector_cluster_id (str): route reflector cluster ID confederation_member_as (str): 32-bit value in decimal or dot decimal AS.AS format aggregate_med (bool): aggregate route only if they have same MED attributes """ NAME = None SUFFIX = None CHILDTYPES = ("network.BgpOutboundRouteFilter",) def _setup(self): self._xpaths.add_profile(value="/routing-options") params = [] params.append( VersionedParamPath( "as_format", default="2-byte", values=["2-byte", "4-byte"] ) ) params.append( VersionedParamPath( "always_compare_med", path="med/always-compare-med", vartype="yesno" ) ) params.append( VersionedParamPath( "deterministic_med_comparison", path="med/deterministic-med-comparison", vartype="yesno", ) ) params.append(VersionedParamPath("default_local_preference", vartype="int")) params.append( VersionedParamPath( "graceful_restart_enable", path="graceful-restart/enable", vartype="yesno", ) ) params.append( VersionedParamPath( "gr_stale_route_time", path="graceful-restart/stale-route-time", vartype="int", ) ) params.append( VersionedParamPath( "gr_local_restart_time", path="graceful-restart/local-restart-time", vartype="int", ) ) params.append( VersionedParamPath( "gr_max_peer_restart_time", path="graceful-restart/max-peer-restart-time", vartype="int", ) ) params.append(VersionedParamPath("reflector_cluster_id")) params.append(VersionedParamPath("confederation_member_as", default=None)) params.append( VersionedParamPath( "aggregate_med", path="aggregate/aggregate-med", vartype="yesno" ) ) self._params = tuple(params)
[docs]class BgpOutboundRouteFilter(VersionedPanObject): """BGP Outbound Route Filtering NOTE: This functionality is not enabled yet in PanOS Args: enable (bool): enable prefix-based outbound route filtering. max_received_entries (int): maximum of ORF prefixes to receive. cisco_prefix_mode (bool): ORF vendor-compatible mode """ NAME = None SUFFIX = None def _setup(self): self._xpaths.add_profile(value="/outbound-route-filter") params = [] params.append(VersionedParamPath("enable", path="enable", vartype="yesno")) params.append( VersionedParamPath( "max_received_entries", path="max-received-entries", vartype="int" ) ) params.append( VersionedParamPath( "cisco_prefix_mode", path="cisco-prefix-mode", vartype="yesno" ) ) self._params = tuple(params)
[docs]class BgpDampeningProfile(VersionedPanObject): """BGP Dampening Profile Args: name (str): Name of Dampening Profile enable (bool): Enable profile (Default: True) cutoff (float): Cutoff threshold value reuse (float): Reuse threshold value max_hold_time (int): Maximum of hold-down time (in seconds) decay_half_life_reachable (int): Decay half-life while reachable (in seconds) decay_half_life_unreachable (int): Decay half-life while unreachable (in seconds) """ _DEFAULT_NAME = "default" SUFFIX = ENTRY def _setup(self): self._xpaths.add_profile(value="/dampening-profile") params = [] params.append(VersionedParamPath("enable", vartype="yesno")) params.append(VersionedParamPath("cutoff", vartype="float")) params.append(VersionedParamPath("reuse", vartype="float")) params.append(VersionedParamPath("max_hold_time", vartype="int")) params.append(VersionedParamPath("decay_half_life_reachable", vartype="int")) params.append(VersionedParamPath("decay_half_life_unreachable", vartype="int")) self._params = tuple(params)
[docs]class BgpAuthProfile(VersionedPanObject): """BGP Authentication Profile Args: name (str): Name of Auth Profile secret (str): shared secret for the TCP MD5 authentication. """ SUFFIX = ENTRY def _setup(self): self._xpaths.add_profile(value="/auth-profile") params = [] params.append(VersionedParamPath("secret", vartype="encrypted")) self._params = tuple(params)
[docs]class BgpPeerGroup(VersionedPanObject): """BGP Peer Group Args: name (str): Name of BGP Peer Group enable (bool): Enable Peer Group (Default: True) aggregated_confed_as_path (bool): the peers understand aggregated confederation AS path soft_reset_with_stored_info (bool): soft reset with stored info type (str): peer group type I('ebgp')/I('ibgp')/I('ebgp-confed')/I('ibgp-confed') export_nexthop (str): export locally resolved nexthop I('resolve')/I('use-self') import_nexthop (str): override nexthop with peer address I('original')/I('use-peer'), only with 'ebgp' remove_private_as (bool): remove private AS when exporting route, only with 'ebgp' """ SUFFIX = ENTRY CHILDTYPES = ("network.BgpPeer",) def _setup(self): self._xpaths.add_profile(value="/peer-group") params = [] params.append(VersionedParamPath("enable", vartype="yesno")) params.append(VersionedParamPath("aggregated_confed_as_path", vartype="yesno")) params.append( VersionedParamPath("soft_reset_with_stored_info", vartype="yesno") ) params.append( VersionedParamPath( "type", path="type/{type}", default="ebgp", values=("ebgp", "ibgp", "ebgp-confed", "ibgp-confed"), ) ) params.append( VersionedParamPath( "export_nexthop", path="type/{type}/export-nexthop", values=("resolve", "use-self"), ) ) params.append( VersionedParamPath( "import_nexthop", condition={"type": "ebgp"}, path="type/{type}/import-nexthop", values=("original", "use-peer"), ) ) params.append( VersionedParamPath( "remove_private_as", condition={"type": "ebgp"}, path="type/{type}/remove-private-as", vartype="yesno", ) ) self._params = tuple(params)
[docs]class BgpPeer(VersionedPanObject): """BGP Peer Args: name (str): Name of BGP Peer enable (bool): Enable Peer (Default: True) peer_as (str): peer AS number enable_mp_bgp (bool): enable MP-BGP extentions address_family_identifier (str): peer address family type * ipv4 * ipv6 subsequent_address_unicast (bool): select SAFI for this peer subsequent_address_multicast (bool): select SAFI for this peer local_interface (str): interface to accept BGP session local_interface_ip (str): specify exact IP address if interface has multiple addresses peer_address_ip (str): IP address of peer connection_authentication (str): BGP auth profile name connection_keep_alive_interval (int): keep-alive interval (in seconds) connection_min_route_adv_interval (int): Minimum Route Advertisement Interval (in seconds) connection_multihop (int): IP TTL value used for sending BGP packet. set to 0 means eBGP use 2, iBGP use 255 connection_open_delay_time (int): open delay time (in seconds) connection_hold_time (int): hold time (in seconds) connection_idle_hold_time (int): idle hold time (in seconds) connection_incoming_allow (bool): allow incoming connections connection_outgoing_allow (bool): allow outgoing connections connection_incoming_remote_port (int): restrict remote port for incoming BGP connections connection_outgoing_local_port (int): use specific local port for outgoing BGP connections enable_sender_side_loop_detection (bool): reflector_client (str): * non-client * client * meshed-client peering_type (str): * unspecified * bilateral max_prefixes (int): maximum of prefixes to receive from peer bfd_profile (str): BFD configuration * Inherit-vr-global-setting * None * Pre-existing BFD profile name * None """ SUFFIX = ENTRY def _setup(self): self._xpaths.add_profile(value="/peer") params = [] params.append(VersionedParamPath("enable", path="enable", vartype="yesno")) params.append(VersionedParamPath("peer_as", path="peer-as")) params.append(VersionedParamPath("enable_mp_bgp", vartype="yesno")) params.append( VersionedParamPath( "address_family_identifier", condition={"enable_mp_bgp": True}, values=("ipv4", "ipv6"), ) ) params.append( VersionedParamPath( "subsequent_address_unicast", condition={"enable_mp_bgp": True}, path="subsequent-address-family-identifier/unicast", vartype="yesno", ) ) params.append( VersionedParamPath( "subsequent_address_multicast", condition={"enable_mp_bgp": True}, path="subsequent-address-family-identifier/multicast", vartype="yesno", ) ) params.append( VersionedParamPath("local_interface", path="local-address/interface") ) params.append(VersionedParamPath("local_interface_ip", path="local-address/ip")) params.append(VersionedParamPath("peer_address_ip", path="peer-address/ip")) params.append( VersionedParamPath( "connection_authentication", path="connection-options/authentication" ) ) params.append( VersionedParamPath( "connection_keep_alive_interval", path="connection-options/keep-alive-interval", vartype="int", ) ) params.append( VersionedParamPath( "connection_min_route_adv_interval", path="connection-options/min-route-adv-interval", vartype="int", ) ) params.append( VersionedParamPath( "connection_multihop", path="connection-options/multihop", vartype="int" ) ) params.append( VersionedParamPath( "connection_open_delay_time", path="connection-options/open-delay-time", vartype="int", ) ) params.append( VersionedParamPath( "connection_hold_time", path="connection-options/hold-time", vartype="int", ) ) params.append( VersionedParamPath( "connection_idle_hold_time", path="connection-options/idle-hold-time", vartype="int", ) ) params.append( VersionedParamPath( "connection_incoming_allow", path="connection-options/incoming-bgp-connection/allow", vartype="yesno", ) ) params.append( VersionedParamPath( "connection_outgoing_allow", path="connection-options/outgoing-bgp-connection/allow", vartype="yesno", ) ) params.append( VersionedParamPath( "connection_incoming_remote_port", path="connection-options/incoming-bgp-connection/remote-port", vartype="int", ) ) params.append( VersionedParamPath( "connection_outgoing_local_port", path="connection-options/outgoing-bgp-connection/local-port", vartype="int", ) ) params.append( VersionedParamPath("enable_sender_side_loop_detection", vartype="yesno") ) params.append( VersionedParamPath( "reflector_client", values=("non-client", "client", "meshed-client") ) ) params.append( VersionedParamPath("peering_type", values=("unspecified", "bilateral")) ) """ aggregated_confed_as_path (bool): this peer understands aggregated confederation AS path max_orf_entries (int): maximum of ORF entries accepted from peer soft_reset_with_stored_info (bool): soft reset with stored info """ # params.append(VersionedParamPath( # 'aggregated_confed_as_path', vartype='yesno')) params.append(VersionedParamPath("max_prefixes")) # params.append(VersionedParamPath( # 'max_orf_entries', vartype='int')) # params.append(VersionedParamPath( # 'soft_reset_with_stored_info', vartype='yesno')) params.append(VersionedParamPath("bfd_profile", path="bfd/profile")) self._params = tuple(params)
[docs]class BgpPolicyFilter(VersionedPanObject): """Base class for BGP Policy Match Filters Do not instantiate this class, use one of: * BgpPolicyImportRule * BgpPolicyExportRule Args: name (str): Name of filter enable (bool): Enable rule. match_afi (str): Address Family Identifier * ip * ipv6 match_safi (str): Subsequent Address Family Identifier * ip * ipv6 match_route_table (str): Route table to match rule * unicast * multicast * both match_nexthop (list): Next-hop attributes match_from_peer (list): Filter by peer that sent this route match_med (int): Multi-Exit Discriminator match_as_path_regex (str): AS-path regular expression match_community_regex (str): Community AS-path regular expression match_extended_community_regex (str): Extended Community AS-path regular expression """ # SUFFIX = None def _setup(self): # disabled because this is a base class # self._xpaths.add_profile(value='/policy') params = [] params.append(VersionedParamPath("enable", vartype="yesno")) params.append( VersionedParamPath( "match_afi", path="match/afi", default=None, values=("ip", "ipv6") ) ) params.append( VersionedParamPath( "match_safi", path="match/safi", default=None, values=("ip", "ipv6") ) ) params.append( VersionedParamPath( "match_route_table", path="match/route-table", default="unicast", values=("unicast", "multicast", "both"), ) ) params.append( VersionedParamPath("match_nexthop", path="match/nexthop", vartype="member") ) params.append( VersionedParamPath( "match_from_peer", path="match/from-peer", vartype="member" ) ) params.append(VersionedParamPath("match_med", path="match/med", vartype="int")) params.append( VersionedParamPath("match_as_path_regex", path="match/as-path/regex") ) params.append( VersionedParamPath("match_community_regex", path="match/community/regex") ) params.append( VersionedParamPath( "match_extended_community_regex", path="match/extended-community/regex" ) ) self._params = tuple(params)
[docs]class BgpPolicyNonExistFilter(BgpPolicyFilter): """BGP Policy Non-Exist Filter Args: name (str): Name of filter enable (bool): Enable rule. match_afi (str): Address Family Identifier * ip * ipv6 match_safi (str): Subsequent Address Family Identifier * ip * ipv6 match_route_table (str): Route table to match rule * unicast * multicast * both match_nexthop (list): Next-hop attributes match_from_peer (list): Filter by peer that sent this route match_med (int): Multi-Exit Discriminator match_as_path_regex (str): AS-path regular expression match_community_regex (str): Community AS-path regular expression match_extended_community_regex (str): Extended Community AS-path regular expression """ SUFFIX = ENTRY CHILDTYPES = ("network.BgpPolicyAddressPrefix",) def _setup(self): self._xpaths.add_profile(value="/non-exist-filters") BgpPolicyFilter._setup(self)
[docs]class BgpPolicyAdvertiseFilter(BgpPolicyFilter): """BGP Policy Advertise Filter Args: name (str): Name of filter enable (bool): Enable rule. match_afi (str): Address Family Identifier * ip * ipv6 match_safi (str): Subsequent Address Family Identifier * ip * ipv6 match_route_table (str): Route table to match rule * unicast * multicast * both match_nexthop (list): Next-hop attributes match_from_peer (list): Filter by peer that sent this route match_med (int): Multi-Exit Discriminator match_as_path_regex (str): AS-path regular expression match_community_regex (str): Community AS-path regular expression match_extended_community_regex (str): Extended Community AS-path regular expression """ SUFFIX = ENTRY CHILDTYPES = ("network.BgpPolicyAddressPrefix",) def _setup(self): self._xpaths.add_profile(value="/advertise-filters") BgpPolicyFilter._setup(self)
[docs]class BgpPolicySuppressFilter(BgpPolicyFilter): """BGP Policy Suppress Filter Args: name (str): Name of filter enable (bool): Enable rule. match_afi (str): Address Family Identifier * ip * ipv6 match_safi (str): Subsequent Address Family Identifier * ip * ipv6 match_route_table (str): Route table to match rule * unicast * multicast * both match_nexthop (list): Next-hop attributes match_from_peer (list): Filter by peer that sent this route match_med (int): Multi-Exit Discriminator match_as_path_regex (str): AS-path regular expression match_community_regex (str): Community AS-path regular expression match_extended_community_regex (str): Extended Community AS-path regular expression """ SUFFIX = ENTRY CHILDTYPES = ("network.BgpPolicyAddressPrefix",) def _setup(self): self._xpaths.add_profile(value="/suppress-filters") BgpPolicyFilter._setup(self)
[docs]class BgpPolicyConditionalAdvertisement(VersionedPanObject): """BGP Conditional Advertisement Policy Args: name (str): Name of Conditional Advertisement Policy enable (bool): enable prefix-based outbound route filtering. used_by (list): peer-groups that use this rule. """ SUFFIX = ENTRY CHILDTYPES = ( "network.BgpPolicyNonExistFilter", "network.BgpPolicyAdvertiseFilter", ) def _setup(self): self._xpaths.add_profile(value="/policy/conditional-advertisement/policy") params = [] params.append(VersionedParamPath("enable", vartype="yesno")) params.append(VersionedParamPath("used_by", vartype="member")) self._params = tuple(params)
[docs]class BgpPolicyRule(BgpPolicyFilter): """Base class for BGP Policy Import/Export Rules Do not instantiate this class, use one of: * BgpPolicyImportRule * BgpPolicyExportRule Args: name (str): The name enable (bool): Enable rule. match_afi (str): Address Family Identifier * ip * ipv6 match_safi (str): Subsequent Address Family Identifier * ip * ipv6 match_route_table (str): Route table to match rule * unicast * multicast * both match_nexthop (list): Next-hop attributes match_from_peer (list): Filter by peer that sent this route match_med (int): Multi-Exit Discriminator match_as_path_regex (str): AS-path regular expression match_community_regex (str): AS-path regular expression match_extended_community_regex (str): AS-path regular expression used_by (list): Peer-groups that use this rule. action (str): The action action_local_preference (int): New local preference value action_med (int): New MED value action_nexthop (str): Nexthop address action_origin (str): New route origin * igp * egp * incomplete action_as_path_limit (int): Add AS path limit attribute if it does not exist action_as_path_type (str): AS path update options * none (string, not to be confused with the Python type None) * remove * prepend * remove-and-prepend action_as_path_prepend_times (int): Prepend local AS for specified number of times * only valid when action_as_path_type is 'prepend' or 'remove-and-prepend' action_community (str): Community update options * none (string, not to be confused with the Python type None) * remove-all * remove-regex * append * overwrite action_community_argument (str): Argument to the action community value if needed * None * local-as * no-advertise * no-export * nopeer * regex * 32-bit value * AS:VAL action_extended_community_type (str): Extended community update options * none (string, not to be confused with the Python type None) * remove-all * remove-regex * append * overwrite action_extended_community_argument (str): Argument to the action extended community value if needed """ # SUFFIX = None def _setup(self): # disabled because this is a base class # self._xpaths.add_profile(value='/policy') BgpPolicyFilter._setup(self) params = list(self._params) params.append(VersionedParamPath("used_by", vartype="member")) params.append( VersionedParamPath( "action", path="action/{action}", default="allow", values=("allow", "deny"), ) ) params.append( VersionedParamPath( "action_local_preference", condition={"action": "allow"}, path="action/{action}/update/local-preference", vartype="int", ) ) params.append( VersionedParamPath( "action_med", condition={"action": "allow"}, path="action/{action}/update/med", vartype="int", ) ) params.append( VersionedParamPath( "action_nexthop", condition={"action": "allow"}, path="action/{action}/update/nexthop", ) ) params.append( VersionedParamPath( "action_origin", default="incomplete", condition={"action": "allow"}, path="action/{action}/update/origin", values=("igp", "egp", "incomplete"), ) ) params.append( VersionedParamPath( "action_as_path_limit", condition={"action": "allow"}, path="action/{action}/update/as-path-limit", vartype="int", ) ) params.append( VersionedParamPath( "action_as_path_type", condition={"action": "allow"}, default="none", path="action/{action}/update/as-path/{action_as_path_type}", values=("none", "remove", "prepend", "remove-and-prepend"), ) ) params.append( VersionedParamPath( "action_as_path_prepend_times", condition={ "action": "allow", "action_as_path_type": ["prepend", "remove-and-prepend"], }, path="action/{action}/update/as-path/{action_as_path_type}", vartype="int", ) ) params.append( VersionedParamPath( "action_community_type", condition={"action": "allow"}, default="none", path="action/{action}/update/community/{action_community_type}", values=("none", "remove-all", "remove-regex", "append", "overwrite"), ) ) params.append( VersionedParamPath( "action_community_argument", default=None, condition={ "action": "allow", "action_community_type": ["remove-regex", "append", "overwrite"], }, path="action/{action}/update/community/{action_community_type}", ) ) params.append( VersionedParamPath( "action_extended_community_type", condition={"action": "allow"}, default="none", path="action/{action}/update/extended-community/{action_extended_community_type}", values=("none", "remove-all", "remove-regex", "append", "overwrite"), ) ) params.append( VersionedParamPath( "action_extended_community_argument", default=None, condition={ "action": "allow", "action_extended_community_type": [ "remove-regex", "append", "overwrite", ], }, path="action/{action}/update/extended-community/{action_extended_community_type}", ) ) self._params = tuple(params)
[docs]class BgpPolicyImportRule(BgpPolicyRule): """BGP Policy Import Rule Args: name (str): The name enable (bool): Enable rule. match_afi (str): Address Family Identifier * ip * ipv6 match_safi (str): Subsequent Address Family Identifier * ip * ipv6 match_route_table (str): Route table to match rule * unicast * multicast * both match_nexthop (list): Next-hop attributes match_from_peer (list): Filter by peer that sent this route match_med (int): Multi-Exit Discriminator match_as_path_regex (str): AS-path regular expression match_community_regex (str): AS-path regular expression match_extended_community_regex (str): AS-path regular expression used_by (list): Peer-groups that use this rule. action (str): The action action_local_preference (int): New local preference value action_med (int): New MED value action_nexthop (str): Nexthop address action_origin (str): New route origin * igp * egp * incomplete action_as_path_limit (int): Add AS path limit attribute if it does not exist action_as_path_type (str): AS path update options * none (string, not to be confused with the Python type None) * remove * prepend * remove-and-prepend action_as_path_prepend_times (int): Prepend local AS for specified number of times * only valid when action_as_path_type is 'prepend' or 'remove-and-prepend' action_community_type (str): Community update options * none (string, not to be confused with the Python type None) * remove-all * remove-regex * append * overwrite action_community_argument (str): Argument to the action community value if needed * None * local-as * no-advertise * no-export * nopeer * regex * 32-bit value * AS:VAL action_extended_community_type (str): Extended community update options * none (string, not to be confused with the Python type None) * remove-all * remove-regex * append * overwrite action_extended_community_argument (str): Argument to the action extended community value if needed action_dampening (str): Route flap dampening profile action_weight (int): New weight value """ SUFFIX = ENTRY CHILDTYPES = ("network.BgpPolicyAddressPrefix",) def _setup(self): self._xpaths.add_profile(value="/policy/import/rules") BgpPolicyRule._setup(self) params = list(self._params) params.append( VersionedParamPath( "action_dampening", path="action/{action}/dampening", condition={"action": "allow"}, ) ) params.append( VersionedParamPath( "action_weight", path="action/{action}/update/weight", condition={"action": "allow"}, vartype="int", ) ) self._params = tuple(params)
[docs]class BgpPolicyExportRule(BgpPolicyRule): """BGP Policy Export Rule Args: name (str): The name enable (bool): Enable rule. match_afi (str): Address Family Identifier * ip * ipv6 match_safi (str): Subsequent Address Family Identifier * ip * ipv6 match_route_table (str): Route table to match rule * unicast * multicast * both match_nexthop (list): Next-hop attributes match_from_peer (list): Filter by peer that sent this route match_med (int): Multi-Exit Discriminator match_as_path_regex (str): AS-path regular expression match_community_regex (str): AS-path regular expression match_extended_community_regex (str): AS-path regular expression used_by (list): Peer-groups that use this rule. action (str): The action action_local_preference (int): New local preference value action_med (int): New MED value action_nexthop (str): Nexthop address action_origin (str): New route origin * igp * egp * incomplete action_as_path_limit (int): Add AS path limit attribute if it does not exist action_as_path_type (str): AS path update options * none (string, not to be confused with the Python type None) * remove * prepend * remove-and-prepend action_as_path_prepend_times (int): Prepend local AS for specified number of times * only valid when action_as_path_type is 'prepend' or 'remove-and-prepend' action_community_type (str): Community update options * none (string, not to be confused with the Python type None) * remove-all * remove-regex * append * overwrite action_community_argument (str): Argument to the action community value if needed * None * local-as * no-advertise * no-export * nopeer * regex * 32-bit value * AS:VAL action_extended_community_type (str): Extended community update options * none (string, not to be confused with the Python type None) * remove-all * remove-regex * append * overwrite action_extended_community_argument (str): Argument to the action extended community value if needed """ SUFFIX = ENTRY CHILDTYPES = ("network.BgpPolicyAddressPrefix",) def _setup(self): self._xpaths.add_profile(value="/policy/export/rules") BgpPolicyRule._setup(self)
[docs]class BgpPolicyAddressPrefix(VersionedPanObject): """BGP Policy Address Prefix with Exact Args: name (str): address prefix exact (str): match exact prefix length """ SUFFIX = ENTRY def _setup(self): self._xpaths.add_profile(value="/match/address-prefix") params = [] params.append(VersionedParamPath("exact", default=None, vartype="yesno")) self._params = tuple(params)
[docs]class BgpPolicyAggregationAddress(VersionedPanObject): """BGP Policy Aggregation Address Args: name (str): Sddress prefix enable (bool): Enable aggregation for this prefix prefix (str): Aggregating address prefix summary (bool): Summarize route as_set (bool): Generate AS-set attribute attr_local_preference (int): New local preference value attr_med (int): New MED value attr_weight (int): New weight value attr_nexthop (str): Nexthop address attr_origin (str): New route origin * igp * egp * incomplete attr_as_path_limit (int): Add AS path limit attribute if it does not exist attr_as_path_type (str): AS path update options * none (string, not to be confused with the Python type None) * remove * prepend * remove-and-prepend attr_as_path_prepend_times (int): Prepend local AS for specified number of times * only valid when attr_as_path_type is 'prepend' or 'remove-and-prepend' attr_community_type (str): Community update options * none (string, not to be confused with the Python type None) * remove-all * remove-regex * append * overwrite attr_community_argument (str): Argument to the attr community value if needed * None * local-as * no-advertise * no-export * nopeer * regex * 32-bit value * AS:VAL attr_extended_community_type (str): Extended community update options * none (string, not to be confused with the Python type None) * remove-all * remove-regex * append * overwrite attr_extended_community_argument (str): Argument to the attr extended community value if needed """ SUFFIX = ENTRY CHILDTYPES = ( "network.BgpPolicySuppressFilter", "network.BgpPolicyAdvertiseFilter", ) def _setup(self): self._xpaths.add_profile(value="/policy/aggregation/address") params = [] params.append(VersionedParamPath("enable", default=True, vartype="yesno")) params.append(VersionedParamPath("prefix")) params.append(VersionedParamPath("summary", default=False, vartype="yesno")) params.append(VersionedParamPath("as_set", default=False, vartype="yesno")) params.append( VersionedParamPath( "attr_local_preference", condition={"attr": "allow"}, path="aggregate-route-attributes/local-preference", vartype="int", ) ) params.append( VersionedParamPath( "attr_med", condition={"attr": "allow"}, path="aggregate-route-attributes/med", vartype="int", ) ) params.append( VersionedParamPath( "attr_weight", condition={"attr": "allow"}, path="aggregate-route-attributes/weight", vartype="int", ) ) params.append( VersionedParamPath( "attr_nexthop", condition={"attr": "allow"}, path="aggregate-route-attributes/nexthop", ) ) params.append( VersionedParamPath( "attr_origin", default="incomplete", condition={"attr": "allow"}, path="aggregate-route-attributes/origin", values=("igp", "egp", "incomplete"), ) ) params.append( VersionedParamPath( "attr_as_path_limit", condition={"attr": "allow"}, path="aggregate-route-attributes/as-path-limit", vartype="int", ) ) params.append( VersionedParamPath( "attr_as_path_type", condition={"attr": "allow"}, default="none", path="aggregate-route-attributes/as-path/{attr_as_path_type}", values=("none", "remove", "prepend", "remove-and-prepend"), ) ) params.append( VersionedParamPath( "attr_as_path_prepend_times", condition={ "attr": "allow", "attr_as_path_type": ["prepend", "remove-and-prepend"], }, path="aggregate-route-attributes/as-path/{attr_as_path_type}", vartype="int", ) ) params.append( VersionedParamPath( "attr_community_type", condition={"attr": "allow"}, default="none", path="aggregate-route-attributes/community/{attr_community_type}", values=("none", "remove-all", "remove-regex", "append", "overwrite"), ) ) params.append( VersionedParamPath( "attr_community_argument", default=None, condition={ "attr": "allow", "attr_community_type": ["remove-regex", "append", "overwrite"], }, path="aggregate-route-attributes/community/{attr_community_type}", ) ) params.append( VersionedParamPath( "attr_extended_community_type", condition={"attr": "allow"}, default="none", path="aggregate-route-attributes/extended-community/{attr_extended_community_type}", values=("none", "remove-all", "remove-regex", "append", "overwrite"), ) ) params.append( VersionedParamPath( "attr_extended_community_argument", default=None, condition={ "attr": "allow", "attr_extended_community_type": [ "remove-regex", "append", "overwrite", ], }, path="aggregate-route-attributes/extended-community/{attr_extended_community_type}", ) ) self._params = tuple(params)
[docs]class BgpRedistributionRule(VersionedPanObject): """BGP Policy Address Prefix with Exact Args: name (str): Redistribution profile name enable (bool): Enable redistribution rule. address_family_identifier (str): Select redistribution profile type * ipv4 * ipv6 route_table (str): Select destination SAFI for redistribution * unicast * multicast * both set_origin (str): Add the ORIGIN path attribute * igp * egp * incomplete set_med (int): Add the MULTI_EXIT_DISC path attribute set_local_preference (int): Add the LOCAL_PREF path attribute set_as_path_limit (int): Add the AS_PATHLIMIT path attribute set_community (list): Add the COMMUNITY path attribute set_extended_community (list): Add the EXTENDED COMMUNITY path attribute metric (int): Metric value """ SUFFIX = ENTRY def _setup(self): self._xpaths.add_profile(value="/redist-rules") params = [] params.append(VersionedParamPath("enable", vartype="yesno")) params.append( VersionedParamPath( "address_family_identifier", default="ipv4", values=("ipv4", "ipv6") ) ) params.append( VersionedParamPath( "route_table", default="unicast", values=("unicast", "multicast", "both"), ) ) params.append( VersionedParamPath( "set_origin", default="incomplete", values=("igp", "egp", "incomplete") ) ) params.append(VersionedParamPath("set_med", vartype="int")) params.append(VersionedParamPath("set_local_preference", vartype="int")) params.append(VersionedParamPath("set_as_path_limit", vartype="int")) params.append(VersionedParamPath("set_community", vartype="member")) params.append(VersionedParamPath("set_extended_community", vartype="member")) params.append(VersionedParamPath("metric", vartype="int")) self._params = tuple(params)
[docs]class ManagementProfile(VersionedPanObject): """Interface management provile. Add to any of the following interfaces: * Layer3Subinterface * EthernetInterface * AggregateInterface * VlanInterface * LoopbackInterface * TunnelInterface Args: name (str): The name ping (bool): Enable ping telnet (bool): Enable telnet ssh (bool): Enable ssh http (bool): Enable http http_ocsp (bool): Enable http-ocsp https (bool): Enable https snmp (bool): Enable snmp response_pages (bool): Enable response pages userid_service (bool): Enable userid service userid_syslog_listener_ssl (bool): Enable userid syslog listener ssl userid_syslog_listener_udp (bool): Enable userid syslog listener udp permitted_ip (list): The list of permitted IP addresses """ ROOT = Root.DEVICE SUFFIX = ENTRY def _setup(self): # xpaths self._xpaths.add_profile(value="/network/profiles/interface-management-profile") self._xpaths.add_profile( value="{0}/network/profiles/interface-management-profile".format( self._TEMPLATE_DEVICE_XPATH ), parents=("Template", "TemplateStack"), ) # params params = [] yesnos = ( "ping", "telnet", "ssh", "http", "http-ocsp", "https", "snmp", "response-pages", "userid-service", "userid-syslog-listener-ssl", "userid-syslog-listener-udp", ) for yn in yesnos: params.append(VersionedParamPath(yn, path=yn, vartype="yesno")) params.append( VersionedParamPath("permitted-ip", path="permitted-ip", vartype="entry") ) self._params = tuple(params)
[docs]class IkeGateway(VersionedPanObject): """IKE Gateway. Args: name: IKE gateway name version: (7.0+) ikev1, ikev2, or ikev2-prefered (default: ikev1) enable_ipv6 (bool): (7.0+) enable IPv6 disabled (bool): (7.0+) disable this object peer_ip_type: ip, dynamic, or fqdn (8.1+) (default: ip) peer_ip_value: the IP for peer_ip_type of 'ip' or 'fqdn' interface: local gateway end-point local_ip_address_type: ip or floating-ip local_ip_address: IP address if interface has multiple addresses auth_type: pre-shared-key or certificate (default: pre-shared-key) pre_shared_key: The string used as pre-shared key local_id_type: ipaddr, fqdn, ufqdn, keyid, or dn local_id_value: The value for local_id_type peer_id_type: ipaddr, fqdn, ufqdn, keyid, or dn peer_id_value: The value for peer_id_type peer_id_check: exact or wildcard (default: exact) local_cert: Local certificate name cert_enable_hash_and_url (bool): (7.0+) Use hash-and-url for local certificate. cert_base_url: (7.0+) The host and directory part of URL for local certificates (http only). cert_use_management_as_source (bool): (7.0+) Use management interface IP as source to retrieve http certificates cert_permit_payload_mismatch (bool): Permit peer identification and certificate payload identification mismatch. cert_profile: Local certificate name cert_enable_strict_validation (bool): Enable strict validation of peer's extended key use enable_passive_mode (bool): Enable passive mode (responder only) enable_nat_traversal (bool): Enable NAT traversal nat_traversal_keep_alive (int): sending interval for NAT keep-alive packets (in seconds) nat_traversal_enable_udp_checksum (bool): enable UDP checksum enable_fragmentation (bool): Enable IKE fragmentation ikev1_exchange_mode: auto, main, or aggressive ikev1_crypto_profile: IKE SA crypto oprofile name enable_dead_peer_detection (bool): enable Dead-Peer-Detection dead_peer_detection_interval (int): sending interval for probing packets (in seconds) dead_peer_detection_retry (int): number of retries before disconnection ikev1_send_commit_bit (bool): Send commit bit ikev1_initial_contact (bool): send initial contact ikev2_crypto_profile: (7.0+) IKE SE crypto profile name ikev2_cookie_validation (bool): (7.0+) require cookie ikev2_send_peer_id (bool): (7.0+) send peer ID enable_liveness_check (bool): (7.0+) enable sending empty information liveness check message liveness_check_interval (int): (7.0+) delay interval before sending probing packets (in seconds) """ ROOT = Root.DEVICE SUFFIX = ENTRY def _setup(self): # xpaths self._xpaths.add_profile(value="/network/ike/gateway") self._xpaths.add_profile( value="{0}/network/ike/gateway".format(self._TEMPLATE_DEVICE_XPATH), parents=("Template", "TemplateStack"), ) # params params = [] params.append(VersionedParamPath("version", default="ikev1", exclude=True)) params[-1].add_profile( "7.0.0", values=("ikev1", "ikev2", "ikev2-preferred"), path="protocol/version", ) params.append(VersionedParamPath("enable_ipv6", exclude=True)) params[-1].add_profile("7.0.0", path="ipv6", vartype="yesno") params.append(VersionedParamPath("disabled", exclude=True)) params[-1].add_profile("7.0.0", path="disabled", vartype="yesno") params.append( VersionedParamPath( "peer_ip_type", values=("ip", "dynamic"), default="ip", path="peer-address/{peer_ip_type}", ) ) params[-1].add_profile( "8.1.0", values=("ip", "dynamic", "fqdn",), path="peer-address/{peer_ip_type}", ) params.append( VersionedParamPath( "peer_ip_value", condition={"peer_ip_type": "ip"}, path="peer-address/{peer_ip_type}", ) ) params[-1].add_profile( "8.1.0", condition={"peer_ip_type": ["ip", "fqdn"]}, path="peer-address/{peer_ip_type}", ) params.append(VersionedParamPath("interface", path="local-address/interface")) params.append( VersionedParamPath( "local_ip_address_type", values=("ip", "floating-ip"), path="local-address/{local_ip_address_type}", ) ) params.append( VersionedParamPath( "local_ip_address", path="local-address/{local_ip_address_type}" ) ) params.append( VersionedParamPath( "auth_type", values=("pre-shared-key", "certificate"), default="pre-shared-key", path="authentication/{auth_type}", ) ) params.append( VersionedParamPath( "pre_shared_key", condition={"auth_type": "pre-shared-key"}, vartype="encrypted", path="authentication/{auth_type}/key", ) ) params.append( VersionedParamPath( "local_id_type", values=("ipaddr", "fqdn", "ufqdn", "keyid", "dn"), path="local-id/type", ) ) params.append(VersionedParamPath("local_id_value", path="local-id/id")) params.append( VersionedParamPath( "peer_id_type", values=("ipaddr", "fqdn", "ufqdn", "keyid", "dn"), path="peer-id/type", ) ) params.append(VersionedParamPath("peer_id_value", path="peer-id/id")) params.append( VersionedParamPath( "peer_id_check", values=("exact", "wildcard"), path="peer-id/matching" ) ) params.append( VersionedParamPath( "local_cert", condition={"auth_type": "certificate"}, path="authentication/{auth_type}/local-certificate", ) ) params[-1].add_profile( "7.0.0", condition={"auth_type": "certificate"}, path="authentication/{auth_type}/local-certificate/name", ) params.append(VersionedParamPath("cert_enable_hash_and_url", exclude=True)) params[-1].add_profile( "7.0.0", vartype="yesno", condition={"auth_type": "certificate"}, path="authentication/{auth_type}/local-certificate/hash-and-url/enable", ) params.append(VersionedParamPath("cert_base_url", exclude=True)) params[-1].add_profile( "7.0.0", condition={"auth_type": "certificate"}, path="authentication/{auth_type}/local-certificate/hash-and-url/base-url", ) params.append(VersionedParamPath("cert_use_management_as_source", exclude=True)) params[-1].add_profile( "7.0.0", vartype="yesno", condition={"auth_type": "certificate"}, path="authentication/{auth_type}/use-management-as-source", ) params.append( VersionedParamPath( "cert_permit_payload_mismatch", vartype="yesno", condition={"auth_type": "certificate"}, path="authentication/{auth_type}/allow-id-payload-mismatch", ) ) params.append( VersionedParamPath( "cert_profile", condition={"auth_type": "certificate"}, path="authentication/{auth_type}/certificate-profile", ) ) params.append( VersionedParamPath( "cert_enable_strict_validation", vartype="yesno", condition={"auth_type": "certificate"}, path="authentication/{auth_type}/strict-validation-revocation", ) ) params.append( VersionedParamPath( "enable_passive_mode", vartype="yesno", path="protocol-common/passive-mode", ) ) params.append( VersionedParamPath( "enable_nat_traversal", vartype="yesno", path="protocol-common/nat-traversal/enable", ) ) params.append( VersionedParamPath( "nat_traversal_keep_alive", vartype="int", path="protocol-common/nat-traversal/keep-alive-interval", ) ) params.append( VersionedParamPath( "nat_traversal_enable_udp_checksum", vartype="yesno", path="protocol-common/nat-traversal/udp-checksum-enable", ) ) params.append( VersionedParamPath( "enable_fragmentation", vartype="yesno", path="protocol-common/fragmentation/enable", ) ) params.append( VersionedParamPath( "ikev1_exchange_mode", values=("auto", "main", "aggressive"), path="protocol/ikev1/exchange-mode", ) ) params.append( VersionedParamPath( "ikev1_crypto_profile", path="protocol/ikev1/ike-crypto-profile" ) ) params.append( VersionedParamPath( "enable_dead_peer_detection", vartype="yesno", path="protocol/ikev1/dpd/enable", ) ) params.append( VersionedParamPath( "dead_peer_detection_interval", vartype="int", path="protocol/ikev1/dpd/interval", ) ) params.append( VersionedParamPath( "dead_peer_detection_retry", vartype="int", path="protocol/ikev1/dpd/retry", ) ) params.append( VersionedParamPath( "ikev1_send_commit_bit", exclude=True, vartype="yesno", path="protocol/ikev1/commit-bit", ) ) params.append( VersionedParamPath( "ikev1_initial_contact", exclude=True, vartype="yesno", path="protocol/ikev1/initial-contact", ) ) params.append(VersionedParamPath("ikev2_crypto_profile", exclude=True)) params[-1].add_profile("7.0.0", path="protocol/ikev2/ike-crypto-profile") params.append(VersionedParamPath("ikev2_cookie_validation", exclude=True)) params[-1].add_profile( "7.0.0", vartype="yesno", path="protocol/ikev2/require-cookie" ) params.append(VersionedParamPath("ikev2_send_peer_id", exclude=True)) params[-1].add_profile( "7.0.0", vartype="yesno", exclude=True, path="protocol/ikev2/send-peer-id" ) params.append(VersionedParamPath("enable_liveness_check", exclude=True)) params[-1].add_profile( "7.0.0", vartype="yesno", path="protocol/ikev2/dpd/enable" ) params.append(VersionedParamPath("liveness_check_interval", exclude=True)) params[-1].add_profile( "7.0.0", vartype="int", path="protocol/ikev2/dpd/interval" ) self._params = tuple(params)
[docs]class IpsecTunnel(VersionedPanObject): """IPSec Tunnel A large number of params have prefixes: * ak: Auto Key * mk: Manual Key * gps: GlobalProtect Satellite Only attach IpsecTunnelIpv4ProxyId or IpsecTunnelIpv4ProxyId objects to this one if you are using type='auto-key'. Args: name: IPSec tunnel name tunnel_interface: apply IPSec VPN tunnels to tunnel interface ipv6 (bool): (7.0+) use IPv6 for the IPSec tunnel type: auto-key (default), manual-key, or global-protect-satellite ak_ike_gateway (string/list): IKE gateway name ak_ipsec_crypto_profile: IPSec crypto profile name mk_local_spi: outbound SPI in hex mk_interface: interface to terminate tunnel mk_remote_spi: inbound SPI in hex mk_remote_address: tunnel peer IP address mk_local_address_ip: exact IP address if interface has multiple IP addresses mk_local_address_floating_ip: floating IP address in HA Active-Active configuration mk_protocol: esp or ah mk_auth_type: md5, sha1, sha256, sha384, or sha512 mk_auth_key: the key for the given mk_auth_type mk_esp_encryption: des, 3des, aes128 / aes-128-cbc, aes192 / aes-192-cbc, aes256 / aes-256-cbc, or null. The various "aes" options changed in version 7.0 onward. If you need to make a script that is compatible with 6.1 PANOS, then use "set_mk_esp_encryption()". Passing it either "aes128" or "aes-128-cbc" will have it set the appropriate string for the given version. mk_esp_encryption_key: The ESP encryption key for mk_esp_encryption type gps_portal_address: GlobalProtect portal address gps_prefer_ipv6 (bool): (8.0+) perfer to register portal in IPv6 gps_interface: interface to communicate with portal gps_interface_ipv4_ip: exact IPv4 IP address if interface has multiple IP addresses gps_interface_ipv6_ip: (8.0+) exact IPv6 IP address if interface has multiple IP addresses gps_interface_ipv4_floating_ip: (7.0+) floating IPv4 IP address in HA Active-Active configuration gps_interface_ipv6_floating_ip: (8.0+) floating IPv6 IP address in HA Active-Active configuration gps_publish_connected_routes (bool): enable publishing of connected and static routes gps_publish_routes (str/list): specify list of routes to publish to GlobalProtect gateway gps_local_certificate: GlobalProtect satellite certificate file name gps_certificate_profile: profile for authenticating GlobalProtect gateway certificates anti_replay (bool): enable anti-replay check on this tunnel copy_tos (bool): copy IP TOS bits from inner packet to IPSec packet (not recommended) copy_flow_label (bool): (7.0+) copy IPv6 flow label for 6in6 tunnel from inner packet to IPSec packet (not recommended) enable_tunnel_monitor (bool): enable tunnel monitoring on this tunnel tunnel_monitor_dest_ip: destination IP to send ICMP probe tunnel_monitor_proxy_id: (7.0+) which proxy-id (or proxy-id-v6) the monitoring traffic will use tunnel_monitor_profile: monitoring action disabled (bool): (7.0+) disable the IPSec tunnel """ ROOT = Root.DEVICE SUFFIX = ENTRY CHILDTYPES = ( "network.IpsecTunnelIpv4ProxyId", "network.IpsecTunnelIpv6ProxyId", ) def _setup(self): # xpaths self._xpaths.add_profile(value="/network/tunnel/ipsec") self._xpaths.add_profile( value="{0}/network/tunnel/ipsec".format(self._TEMPLATE_DEVICE_XPATH), parents=("Template", "TemplateStack"), ) # params params = [] params.append(VersionedParamPath("tunnel_interface", path="tunnel-interface")) params.append(VersionedParamPath("ipv6", exclude=True)) params[-1].add_profile("7.0.0", vartype="yesno", path="ipv6") params.append( VersionedParamPath( "type", default="auto-key", path="{type}", values=("auto-key", "manual-key", "global-protect-satellite"), ) ) params.append( VersionedParamPath( "ak_ike_gateway", condition={"type": "auto-key"}, vartype="entry", path="{type}/ike-gateway", ) ) params.append( VersionedParamPath( "ak_ipsec_crypto_profile", condition={"type": "auto-key"}, path="{type}/ipsec-crypto-profile", ) ) params.append( VersionedParamPath( "mk_local_spi", condition={"type": "manual-key"}, path="{type}/local-spi", ) ) params.append( VersionedParamPath( "mk_interface", condition={"type": "manual-key"}, path="{type}/local-address/interface", ) ) params.append( VersionedParamPath( "mk_remote_spi", condition={"type": "manual-key"}, path="{type}/remote-spi", ) ) params.append( VersionedParamPath( "mk_remote_address", condition={"type": "manual-key"}, path="{type}/peer-address/ip", ) ) params.append( VersionedParamPath( "mk_local_address_ip", condition={"type": "manual-key"}, path="{type}/local-address/ip", ) ) params.append(VersionedParamPath("mk_local_address_floating_ip", exclude=True)) params[-1].add_profile( "7.0.0", condition={"type": "manual-key"}, path="{type}/local-address/floating-ip", ) params.append( VersionedParamPath( "mk_protocol", condition={"type": "manual-key"}, values=("esp", "ah"), path="{type}/{mk_protocol}", ) ) params.append( VersionedParamPath( "mk_auth_type", condition={"type": "manual-key"}, values=("md5", "sha1", "sha256", "sha384", "sha512"), path="{type}/{mk_protocol}/authentication/{mk_auth_type}", ) ) params.append( VersionedParamPath( "mk_auth_key", vartype="encrypted", condition={"type": "manual-key"}, path="{type}/{mk_protocol}/authentication/{mk_auth_type}/key", ) ) params.append( VersionedParamPath( "mk_esp_encryption", values=("des", "3des", "aes128", "aes192", "aes256", "null",), path="{type}/{mk_protocol}/encryption/algorithm", ) ) params[-1].add_profile( "7.0.0", condition={"type": "manual-key", "mk_protocol": "esp"}, values=( "des", "3des", "aes-128-cbc", "aes-192-cbc", "aes-256-cbc", "null", ), path="{type}/{mk_protocol}/encryption/algorithm", ) params.append( VersionedParamPath( "mk_esp_encryption_key", vartype="encrypted", condition={"type": "manual-key", "mk_protocol": "esp"}, path="{type}/{mk_protocol}/encryption/key", ) ) params.append( VersionedParamPath( "gps_portal_address", condition={"type": "global-protect-satellite"}, path="{type}/portal-address", ) ) params.append(VersionedParamPath("gps_prefer_ipv6", exclude=True)) params[-1].add_profile( "8.0.0", vartype="yesno", condition={"type": "global-protect-satellite"}, path="{type}/ipv6-preferred", ) params.append( VersionedParamPath( "gps_interface", condition={"type": "global-protect-satellite"}, path="{type}/local-address/interface", ) ) params.append( VersionedParamPath( "gps_interface_ipv4_ip", condition={"type": "global-protect-satellite"}, path="{type}/local-address/ip", ) ) params[-1].add_profile( "8.0.0", condition={"type": "global-protect-satellite"}, path="{type}/local-address/ip/ipv4", ) params.append(VersionedParamPath("gps_interface_ipv6_ip", exclude=True)) params[-1].add_profile( "8.0.0", condition={"type": "global-protect-satellite"}, path="{type}/local-address/ip/ipv6", ) params.append( VersionedParamPath("gps_interface_ipv4_floating_ip", exclude=True) ) params[-1].add_profile( "7.0.0", condition={"type": "global-protect-satellite"}, path="{type}/local-address/floating-ip", ) params[-1].add_profile( "8.0.0", condition={"type": "global-protect-satellite"}, path="{type}/local-address/floating-ip/ipv4", ) params.append( VersionedParamPath("gps_interface_ipv6_floating_ip", exclude=True) ) params[-1].add_profile( "8.0.0", condition={"type": "global-protect-satellite"}, path="{type}/local-address/floating-ip/ipv6", ) params.append( VersionedParamPath( "gps_publish_connected_routes", vartype="yesno", condition={"type": "global-protect-satellite"}, path="{type}/publish-connected-routes/enable", ) ) params.append( VersionedParamPath( "gps_publish_routes", vartype="member", condition={"type": "global-protect-satellite"}, path="{type}/publish-routes", ) ) params.append( VersionedParamPath( "gps_local_certificate", condition={"type": "global-protect-satellite"}, path="{type}/external-ca/local-certificate", ) ) params.append( VersionedParamPath( "gps_certificate_profile", condition={"type": "global-protect-satellite"}, path="{type}/external-ca/certificate-profile", ) ) params.append( VersionedParamPath( "anti_replay", default=True, vartype="yesno", path="anti-replay" ) ) params.append(VersionedParamPath("copy_tos", vartype="yesno", path="copy-tos")) params.append(VersionedParamPath("copy_flow_label", exclude=True)) params[-1].add_profile("7.0.0", vartype="yesno", path="copy-flow-label") params.append( VersionedParamPath( "enable_tunnel_monitor", vartype="yesno", path="tunnel-monitor/enable" ) ) params.append( VersionedParamPath( "tunnel_monitor_dest_ip", path="tunnel-monitor/destination-ip" ) ) params.append(VersionedParamPath("tunnel_monitor_proxy_id", exclude=True)) params[-1].add_profile("7.0.0", path="tunnel-monitor/proxy-id") params.append( VersionedParamPath( "tunnel_monitor_profile", path="tunnel-monitor/tunnel-monitor-profile" ) ) params.append(VersionedParamPath("disabled", exclude=True)) params[-1].add_profile("7.0.0", vartype="yesno", path="disabled") self._params = tuple(params)
[docs] def set_mk_esp_encryption(self, value): """Version agnostic set for mk_esp_encryption. This object should be connected to a panos.Firewall before invocation. Valid values include the following: * des * 3des * aes128 * aes-128-cbc * aes192 * aes-192-cbc * aes256 * aes-256-cbc * null Raises: PanDeviceNotSet: if there is no Firewall in the object tree ValueError: if value is not one of the above """ # Some values are constant across versioning, so set them outright. if value in ("des", "3des", "null"): self.mk_esp_encryption = value return # Get the version specific values for mk_esp_encryption. self.nearest_pandevice() vals = self.about("mk_esp_encryption")["About"]["Values"] # Normalize the value. for masks in ( ("aes128", "aes-128-cbc"), ("aes192", "aes-192-cbc"), ("aes256", "aes-256-cbc"), ): if value in masks: break else: raise ValueError("Unknown encryption type: {0}".format(value)) # Set the version specific encryption type. for x in vals: if x in masks: self.mk_esp_encryption = x break
[docs]class IpsecTunnelIpv4ProxyId(VersionedPanObject): """IKEv1 proxy-id for auto-key IPSec tunnels. Args: name: The proxy ID local: IP subnet or IP address represents local network remote: IP subnet or IP address represents remote network any_protocol (bool): Any protocol number_protocol (int): Numbered Protocol: protocol number (1-254) tcp_local_port (int): Protocol TCP: local port tcp_remote_port (int): Protocol TCP: remote port udp_local_port (int): Protocol UDP: local port udp_remote_port (int): Protocol UDP: remote port """ ROOT = Root.DEVICE SUFFIX = ENTRY def _setup(self): # xpaths self._xpaths.add_profile(value="/auto-key/proxy-id") self._xpaths.add_profile( value="{0}/auto-key/proxy-id".format(self._TEMPLATE_DEVICE_XPATH), parents=("Template", "TemplateStack"), ) # params params = [] params.append(VersionedParamPath("local", path="local")) params.append(VersionedParamPath("remote", path="remote")) params.append( VersionedParamPath("any_protocol", vartype="exist", path="protocol/any") ) params.append( VersionedParamPath("number_protocol", vartype="int", path="protocol/number") ) params.append( VersionedParamPath( "tcp_local_port", vartype="int", path="protocol/tcp/local-port" ) ) params.append( VersionedParamPath( "tcp_remote_port", vartype="int", path="protocol/tcp/remote-port" ) ) params.append( VersionedParamPath( "udp_local_port", vartype="int", path="protocol/udp/local-port" ) ) params.append( VersionedParamPath( "udp_remote_port", vartype="int", path="protocol/udp/remote-port" ) ) self._params = tuple(params)
[docs]class IpsecTunnelIpv6ProxyId(VersionedPanObject): """IKEv1 IPv6 proxy-id for auto-key IPSec tunnels. NOTE: Only supported in 7.0 and forward. Args: name: The proxy ID local: IP subnet or IP address represents local network remote: IP subnet or IP address represents remote network any_protocol (bool): Any protocol number_protocol (int): Numbered Protocol: protocol number (1-254) tcp_local_port (int): Protocol TCP: local port tcp_remote_port (int): Protocol TCP: remote port udp_local_port (int): Protocol UDP: local port udp_remote_port (int): Protocol UDP: remote port """ ROOT = Root.DEVICE SUFFIX = ENTRY def _setup(self): # xpaths self._xpaths.add_profile(value="/auto-key/proxy-id-v6") self._xpaths.add_profile( value="{0}/auto-key/proxy-id-v6".format(self._TEMPLATE_DEVICE_XPATH), parents=("Template", "TemplateStack"), ) # params params = [] params.append(VersionedParamPath("local", path="local")) params.append(VersionedParamPath("remote", path="remote")) params.append( VersionedParamPath("any_protocol", vartype="exist", path="protocol/any") ) params.append( VersionedParamPath("number_protocol", vartype="int", path="protocol/number") ) params.append( VersionedParamPath( "tcp_local_port", vartype="int", path="protocol/tcp/local-port" ) ) params.append( VersionedParamPath( "tcp_remote_port", vartype="int", path="protocol/tcp/remote-port" ) ) params.append( VersionedParamPath( "udp_local_port", vartype="int", path="protocol/udp/local-port" ) ) params.append( VersionedParamPath( "udp_remote_port", vartype="int", path="protocol/udp/remote-port" ) ) self._params = tuple(params)
[docs]class IpsecCryptoProfile(VersionedPanObject): """IPSec SA proposals. Args: name: IPSec crypto profile name esp_encryption (string/list): des, 3des, null, aes128 / aes-128-cbc, aes192 / aes-192-cbc, aes256 / aes-256-cbc, aes-128-gcm (7.0+), or aes-256-gcm (7.0+). If you need to write a script that works older than 7.0 firewalls, then please use set_esp_encryption(). esp_authentication (string/list): none, md5, sha1, sha256, sha384, or sha512 ah_authentication (string/list): md5, sha1, sha256, sha384, or sha512 dh_group: no-pfs, group1, group2, group5, group14, group19, or group20 lifetime_seconds (int): IPSec SA lifetime in seconds lifetime_minutes (int): IPSec SA lifetime in minutes lifetime_hours (int): IPSec SA lifetime in hours lifetime_days (int): IPSec SA lifetime in days lifesize_kb (int): IPSec SA lifesize in kilobytes (KB) lifesize_mb (int): IPSec SA lifesize in megabytes (MB) lifesize_gb (int): IPSec SA lifesize in gigabytes (GB) lifesize_tb (int): IPSec SA lifesize in terabytes (TB) """ ROOT = Root.DEVICE SUFFIX = ENTRY def _setup(self): # xpaths self._xpaths.add_profile( value="/network/ike/crypto-profiles/ipsec-crypto-profiles" ) self._xpaths.add_profile( value="{0}/network/ike/crypto-profiles/ipsec-crypto-profiles".format( self._TEMPLATE_DEVICE_XPATH ), parents=("Template", "TemplateStack"), ) # params params = [] params.append( VersionedParamPath( "esp_encryption", vartype="member", path="esp/encryption", values=("des", "3des", "aes128", "aes192", "aes256", "null"), ) ) params[-1].add_profile( "7.0.0", vartype="member", path="esp/encryption", values=( "des", "3des", "aes-128-cbc", "aes-192-cbc", "aes-256-cbc", "aes-128-gcm", "aes-256-gcm", "null", ), ) params.append( VersionedParamPath( "esp_authentication", vartype="member", path="esp/authentication", values=("none", "md5", "sha1", "sha256", "sha384", "sha512"), ) ) params.append( VersionedParamPath( "ah_authentication", vartype="member", path="ah/authentication", values=("md5", "sha1", "sha256", "sha384", "sha512"), ) ) params.append( VersionedParamPath( "dh_group", path="dh-group", values=( "no-pfs", "group1", "group2", "group5", "group14", "group19", "group20", ), ) ) params.append( VersionedParamPath( "lifetime_seconds", vartype="int", path="lifetime/seconds" ) ) params.append( VersionedParamPath( "lifetime_minutes", vartype="int", path="lifetime/minutes" ) ) params.append( VersionedParamPath("lifetime_hours", vartype="int", path="lifetime/hours") ) params.append( VersionedParamPath("lifetime_days", vartype="int", path="lifetime/days") ) params.append( VersionedParamPath("lifesize_kb", vartype="int", path="lifesize/kb") ) params.append( VersionedParamPath("lifesize_mb", vartype="int", path="lifesize/mb") ) params.append( VersionedParamPath("lifesize_gb", vartype="int", path="lifesize/gb") ) params.append( VersionedParamPath("lifesize_tb", vartype="int", path="lifesize/tb") ) self._params = tuple(params)
[docs] def set_esp_encryption(self, value): """Version agnostic set for esp_encryption. This object should be connected to a panos.Firewall before invocation. Valid values include the following: * des * 3des * aes128 * aes-128-cbc * aes192 * aes-192-cbc * aes256 * aes-256-cbc * aes-128-gcm (7.0+) * aes-256-gcm (7.0+) * null Args: value (string/list): values to put in esp_encryption Raises: PanDeviceNotSet: if there is no Firewall in the object tree ValueError: if value is not one of the above, or you attempt to configure aes-128-gcm or aes-256-gcm with this object connected to a PANOS 6.1 firewall. """ normalized = [] # Make sure there is a pandevice set such that we can get versioning. self.nearest_pandevice() for token in string_or_list(value): # Some values are constant across versioning. if token in ("des", "3des", "null"): normalized.append(token) continue # Get the version specific values for mk_esp_encryption. vals = self.about("esp_encryption")["About"]["Values"] # Normalize the value. for masks in ( ("aes128", "aes-128-cbc"), ("aes192", "aes-192-cbc"), ("aes256", "aes-256-cbc"), ("aes-128-gcm",), ("aes-256-gcm",), ): if token in masks: break else: raise ValueError("Unknown encryption type: {0}".format(token)) # Set the version specific encryption type. for x in vals: if x in masks: normalized.append(x) break else: raise ValueError( "ESP encryption {0} not supported in this version".format(token) ) self.esp_encryption = normalized
[docs]class IkeCryptoProfile(VersionedPanObject): """IKE SA proposal. Args: name: IKE crypto profile name dh_group (string/list): phase-1 DH group: group1, group2, group5, group14, group19 (7.0+), or group20 (7.0+). authentication (string/list): hashing algorithm: md5, sha1, sha256, sha384, or sha512. encryption (string/list): encryption algorithm: des (7.1+), 3des, aes128 / aes-128-cbc, aes192 / aes-192-cbc, or aes256 / aes-256-cbc. If you need to be able to work with older than 7.0 firewalls, then use set_encryption(). lifetime_seconds (int): IKE SA lifetime in seconds lifetime_minutes (int): IKE SA lifetime in minutes lifetime_hours (int): IKE SA lifetime in hours lifetime_days (int): IKE SA lifetime in days authentication_multiple (int): (7.0+) IKEv2 SA reauthentication interval equals authentication_multiple * lifetime; 0 means reauthentication is disabled. """ ROOT = Root.DEVICE SUFFIX = ENTRY def _setup(self): # xpaths self._xpaths.add_profile( value="/network/ike/crypto-profiles/ike-crypto-profiles" ) self._xpaths.add_profile( value="{0}/network/ike/crypto-profiles/ike-crypto-profiles".format( self._TEMPLATE_DEVICE_XPATH ), parents=("Template", "TemplateStack"), ) # params params = [] params.append( VersionedParamPath( "dh_group", vartype="member", path="dh-group", values=("group1", "group2", "group5", "group14"), ) ) params[-1].add_profile( "7.0.0", vartype="member", path="dh-group", values=("group1", "group2", "group5", "group14", "group19", "group20"), ) params.append( VersionedParamPath( "authentication", vartype="member", path="hash", values=("md5", "sha1", "sha256", "sha384", "sha512"), ) ) params.append( VersionedParamPath( "encryption", vartype="member", path="encryption", values=("3des", "aes128", "aes192", "aes256"), ) ) params[-1].add_profile( "7.0.0", vartype="member", path="encryption", values=("3des", "aes-128-cbc", "aes-192-cbc", "aes-256-cbc"), ) params[-1].add_profile( "7.1.0", vartype="member", path="encryption", values=("des", "3des", "aes-128-cbc", "aes-192-cbc", "aes-256-cbc"), ) params.append( VersionedParamPath( "lifetime_seconds", vartype="int", path="lifetime/seconds" ) ) params.append( VersionedParamPath( "lifetime_minutes", vartype="int", path="lifetime/minutes" ) ) params.append( VersionedParamPath("lifetime_hours", vartype="int", path="lifetime/hours") ) params.append( VersionedParamPath("lifetime_days", vartype="int", path="lifetime/days") ) params.append(VersionedParamPath("authentication_multiple", exclude=True)) params[-1].add_profile("7.0.0", vartype="int", path="authentication-multiple") self._params = tuple(params)
[docs] def set_encryption(self, value): """Version agnostic set for encryption. This object should be connected to a panos.Firewall before invocation. Valid values include the following: * des (7.1+) * 3des * aes128 * aes-128-cbc * aes192 * aes-192-cbc * aes256 * aes-256-cbc Raises: PanDeviceNotSet: if there is no Firewall in the object tree ValueError: if value is not one of the above, or you attempt to configure 3des with this object connected to a PANOS 7.0 or earlier firewall. """ normalized = [] # Make sure there is a pandevice set such that we can get versioning. self.nearest_pandevice() for token in string_or_list(value): # Some values are constant across versioning. if token in ("3des"): normalized.append(token) continue # Get the version specific values for mk_esp_encryption. vals = self.about("encryption")["About"]["Values"] # Normalize the value. for masks in ( ("3des",), ("aes128", "aes-128-cbc"), ("aes192", "aes-192-cbc"), ("aes256", "aes-256-cbc"), ): if token in masks: break else: raise ValueError("Unknown encryption type: {0}".format(token)) # Set the version specific encryption type. for x in vals: if x in masks: normalized.append(x) break else: raise ValueError( "Encryption {0} not supported in this version".format(token) ) self.encryption = normalized
[docs]class GreTunnel(VersionedPanObject): """GRE Tunnel configuration. Note: This is valid for PAN-OS 9.0+ Args: name: GRE tunnel name. interface: Interface to terminate tunnel. local_address_type: Type of local address. Can be "ip" (default) or "floating-ip". local_address_value: IP address value. peer_address: Peer IP address. tunnel_interface: To apply GRE tunnels to tunnel interface. ttl (int): TTL. copy_tos (bool): Copy IP TOS bits from inner packet to GRE packet. enable_keep_alive (bool): Enable tunnel monitoring. keep_alive_interval (int): Interval. keep_alive_retry (int): Retry. keep_alive_hold_timer (int): Hold timer. disabled (bool): Disable the GRE tunnel. """ SUFFIX = ENTRY ROOT = Root.DEVICE def _setup(self): self._xpaths.add_profile(value="/network/tunnel/gre") self._xpaths.add_profile( value="{0}/network/tunnel/gre".format(self._TEMPLATE_DEVICE_XPATH), parents=("Template", "TemplateStack"), ) # Hidden when default: all keep alive, ttl params = [] params.append(VersionedParamPath("interface", path="local-address/interface")) params.append( VersionedParamPath( "local_address_type", default="ip", values=["ip", "floating-ip"], path="local-address/{local_address_type}", ) ) params.append( VersionedParamPath( "local_address_value", path="local-address/{local_address_type}" ) ) params.append(VersionedParamPath("peer_address", path="peer-address/ip")) params.append(VersionedParamPath("tunnel_interface", path="tunnel-interface")) params.append(VersionedParamPath("ttl", default=64, vartype="int", path="ttl")) params.append(VersionedParamPath("copy_tos", vartype="yesno", path="copy-tos")) params.append( VersionedParamPath( "enable_keep_alive", vartype="yesno", path="keep-alive/enable" ) ) params.append( VersionedParamPath( "keep_alive_interval", default=10, vartype="int", path="keep-alive/interval", ) ) params.append( VersionedParamPath( "keep_alive_retry", default=3, vartype="int", path="keep-alive/retry" ) ) params.append( VersionedParamPath( "keep_alive_hold_timer", default=5, vartype="int", path="keep-alive/hold-timer", ) ) params.append(VersionedParamPath("disabled", vartype="yesno", path="disabled")) self._params = tuple(params)
[docs]class Dhcp(VersionedPanObject): """DHCP config. Args: name (str): Interface name. """ SUFFIX = ENTRY ROOT = Root.DEVICE CHILDTYPES = ("network.DhcpRelay",) def _setup(self): # xpaths self._xpaths.add_profile(value="/network/dhcp/interface") # params self._params = ()
[docs]class DhcpRelay(VersionedPanObject): """DHCP relay config. Args: name (str): The (interface) name enabled (bool): Enabled. servers (list): Relay server IP addresses. ipv6_enabled (bool): Enable DHCPv6 relay. """ SUFFIX = None CHILDTYPES = ("network.DhcpRelayIpv6Address",) def _setup(self): # xpaths self._xpaths.add_profile(value="/relay") # params params = [] params.append( VersionedParamPath("enabled", vartype="yesno", path="ip/enabled"), ) params.append( VersionedParamPath("servers", vartype="member", path="ip/server"), ) params.append( VersionedParamPath("ipv6_enabled", vartype="yesno", path="ipv6/enabled"), ) self._params = tuple(params)
[docs]class DhcpRelayIpv6Address(VersionedPanObject): """DHCP relay IPv6 address. Args: name (str): DHCP server IPv6 address. interface (str): Outgoing interface when using an IPv6 multicast address for the DHCPv6 server. """ SUFFIX = ENTRY ROOT = Root.DEVICE def _setup(self): # xpaths self._xpaths.add_profile(value="/ipv6/server") params = [] params.append(VersionedParamPath("interface", path="interface"),) self._params = tuple(params)