#!/usr/bin/env python
# Copyright (c) 2014, Palo Alto Networks
#
# Permission to use, copy, modify, and/or distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
"""Policies module contains policies and rules that exist in the 'Policies' tab in the firewall GUI"""
import xml.etree.ElementTree as ET
import panos.errors as err
from panos import getlogger
from panos.base import ENTRY, MEMBER, OpState, PanObject, Root
from panos.base import VarPath as Var
from panos.base import VersionedPanObject, VersionedParamPath
logger = getlogger(__name__)
class HitCount(OpState):
    """Hit count operational data for a single rule.

    An instance is either attached to a rule (``self.obj`` is the rule and
    ``name`` is taken from its uid) or created standalone for a rule name that
    is not in the object hierarchy (``self.obj`` is None and ``name`` is given
    explicitly; :meth:`RulebaseHitCount.refresh` does this).

    Attributes populated from the ``<entry>`` element (see ``FIELDS``):
    latest, hit_count, last_hit_timestamp, last_reset_timestamp,
    first_hit_timestamp, rule_creation_timestamp, rule_modification_timestamp.
    """

    # (attribute name, child element name inside the <entry>, parser kind)
    FIELDS = (
        ("latest", "latest", "str"),
        ("hit_count", "hit-count", "int"),
        ("last_hit_timestamp", "last-hit-timestamp", "int"),
        ("last_reset_timestamp", "last-reset-timestamp", "int"),
        ("first_hit_timestamp", "first-hit-timestamp", "int"),
        ("rule_creation_timestamp", "rule-creation-timestamp", "int"),
        ("rule_modification_timestamp", "rule-modification-timestamp", "int"),
    )

    def _setup(self, name=None, elm=None):
        # self.obj is presumably set by the OpState base before _setup runs.
        # Attached instances are identified by their rule's uid, standalone
        # ones by the name passed in.
        self.name = self.obj.uid if self.obj is not None else name
        self._refresh_xml(elm)

    def refresh(self, elm=None):
        """Reload the hit count data.

        Args:
            elm: The ``<entry>`` element to parse. When omitted and this
                instance is attached to a rule, the parent rulebase is asked
                to fetch the hit count for just this rule (which in turn calls
                back into this method with the element).
        """
        if elm is not None or self.obj is None:
            self._refresh_xml(elm)
            return
        self.obj.parent.opstate.hit_count.refresh(
            self.obj.HIT_COUNT_STYLE, [self.name]
        )

    def _refresh_xml(self, elm):
        # Parse every FIELDS entry out of elm; "int" fields go through
        # self._int, everything else through self._str (both from OpState).
        for attr, element, kind in self.FIELDS:
            parse = self._int if kind == "int" else self._str
            setattr(self, attr, parse(elm, element))
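class RulebaseHitCount(OpState):
    """Operational state handling for rulebase hit counts."""

    def refresh(self, style, rules=None, all_rules=False):
        """Retrieve hit count information for the specified rules.

        PAN-OS 8.1+

        Args:
            style (str): The rule style to use. The style can be
                "application-override", "authentication", "decryption", "dos",
                "nat", "pbf", "qos", "sdwan", "security", or "tunnel-inspect".
            rules (list): A list of rules. This can be a mix of `panos.policies`
                instances or basic strings. If no rules are given and
                ``all_rules`` is False, the query is limited to the rules of
                this style already attached to this rulebase; if there are
                none, no request is sent and an empty dict is returned.
            all_rules (bool): If this is False, only retrieve hit count information
                for the rules attached to the rulebase of the specified style. If
                this is True, then get all rules. Either way, any rule whose hit count
                is retrieved and is in the object hierarchy has the hit count data
                saved to its `opstate`.

        Returns:
            dict: A dict where the key is the rule name and the value is the hit
            count information (a :class:`HitCount`).

        Raises:
            err.PanDeviceError: The device runs PAN-OS older than 8.1, or this
                rulebase is attached to a Panorama but is not a
                :class:`PreRulebase` / :class:`PostRulebase`.
        """
        dev = self.obj.nearest_pandevice()
        if dev.retrieve_panos_version() < (8, 1, 0):
            raise err.PanDeviceError("Rule hit count is supported in PAN-OS 8.1+")

        # Normalize the requested rules to their names so the membership test
        # below works whether the caller passed rule objects or plain strings
        # (comparing a uid string against a list of objects never matched).
        requested = None
        if rules is not None:
            requested = {x.uid if hasattr(x, "uid") else x for x in rules}

        kids = [
            x
            for x in self.obj.children
            if getattr(x, "HIT_COUNT_STYLE", None) == style
            and (requested is None or x.uid in requested)
        ]

        # Build the request with ElementTree rather than string formatting so
        # device-group and rule names are escaped on serialization.
        cmd = ET.Element("show")
        sub = ET.SubElement(cmd, "rule-hit-count")
        res_path = "./result/rule-hit-count"
        rb_type_path_map = {PreRulebase: "pre-rulebase", PostRulebase: "post-rulebase"}
        if dev.__class__.__name__ == "Panorama":
            parent_cls = self.obj.parent.__class__.__name__
            if parent_cls == "Panorama":
                sub = ET.SubElement(sub, "shared")
                res_path += "/shared"
            elif parent_cls == "DeviceGroup":
                sub = ET.SubElement(sub, "device-group")
                sub = ET.SubElement(sub, "entry", {"name": self.obj.parent.name})
                res_path += "/device-group/entry"
            rb_path = rb_type_path_map.get(type(self.obj))
            if rb_path is None:
                # A plain Rulebase under Panorama would otherwise produce an
                # element with a None tag and fail obscurely at serialization.
                raise err.PanDeviceError(
                    "Panorama rule hit counts require a PreRulebase or PostRulebase"
                )
            sub = ET.SubElement(sub, rb_path)
        else:
            sub = ET.SubElement(sub, "vsys")
            sub = ET.SubElement(sub, "vsys-name")
            sub = ET.SubElement(sub, "entry", {"name": dev.vsys or "vsys1"})
            sub = ET.SubElement(sub, "rule-base")
            res_path += "/vsys/entry"
        sub = ET.SubElement(sub, "entry", {"name": style})
        sub = ET.SubElement(sub, "rules")
        res_path += "/rule-base/entry/rules/entry"

        if all_rules:
            ET.SubElement(sub, "all")
        else:
            # Either the rules the caller asked for or the ones attached here.
            rule_list = rules or kids
            if not rule_list:
                return {}
            sub = ET.SubElement(sub, "list")
            for x in rule_list:
                ET.SubElement(sub, "member").text = x.uid if hasattr(x, "uid") else x

        res = dev.op(ET.tostring(cmd, encoding="utf-8"), cmd_xml=False)

        # First child wins for a given name, matching the previous linear scan.
        kids_by_name = {}
        for x in kids:
            kids_by_name.setdefault(x.uid, x)

        ans = {}
        for elm in res.findall(res_path):
            name = elm.attrib["name"]
            kid = kids_by_name.get(name)
            if kid is not None:
                kid.opstate.hit_count.refresh(elm)
                ans[name] = kid.opstate.hit_count
            else:
                # Not in our hierarchy: hand back a standalone HitCount.
                ans[name] = HitCount(None, name=name, elm=elm)
        return ans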
class Rulebase(VersionedPanObject):
    """Rulebase for a Firewall

    Firewall only. For Panorama, use :class:`panos.policies.PreRulebase` or
    :class:`panos.policies.PostRulebase`.

    Rule hit counts for the rules attached here are fetched through
    ``rulebase.opstate.hit_count.refresh(style, ...)``; see
    :class:`RulebaseHitCount`.
    """

    NAME = None
    ROOT = Root.VSYS
    OPSTATES = {
        "hit_count": RulebaseHitCount,
    }
    # Rule types that may be attached as children of this rulebase.
    CHILDTYPES = (
        "policies.NatRule",
        "policies.PolicyBasedForwarding",
        "policies.SecurityRule",
        "policies.DecryptionRule",
        "policies.ApplicationOverride",
        "policies.AuthenticationRule",
    )

    def _setup(self):
        # Rules hang off the "/rulebase" node (under the vsys, per ROOT).
        self._xpaths.add_profile(value="/rulebase")
class PreRulebase(Rulebase):
    """Pre-rulebase for a Panorama

    Panorama only. For Firewall, use :class:`panos.policies.Rulebase`.

    Inherits the rule child types and the ``hit_count`` opstate from
    :class:`Rulebase`; only the xpath differs.
    """

    def _setup(self):
        # Panorama pre-rules live under "/pre-rulebase" instead of "/rulebase".
        self._xpaths.add_profile(value="/pre-rulebase")
class PostRulebase(Rulebase):
    """Post-rulebase for a Panorama

    Panorama only. For Firewall, use :class:`panos.policies.Rulebase`.

    Inherits the rule child types and the ``hit_count`` opstate from
    :class:`Rulebase`; only the xpath differs.
    """

    def _setup(self):
        # Panorama post-rules live under "/post-rulebase" instead of "/rulebase".
        self._xpaths.add_profile(value="/post-rulebase")
class SecurityRule(VersionedPanObject):
    """Security Rule

    Note: every match field (fromzone, tozone, source, source_user,
    hip_profiles, destination, application, category) defaults to "any", so a
    rule built with only a name and ``action="allow"`` permits all traffic
    between all zones. Set the match fields deliberately.

    Args:
        name (str): Name of the rule
        fromzone (list): From zones
        tozone (list): To zones
        source (list): Source addresses
        source_user (list): Source users and groups
        hip_profiles (list): (PAN-OS 10.0.0-) GlobalProtect host integrity profiles
        destination (list): Destination addresses
        application (list): Applications
        service (list): Destination services (ports) (Default:
            application-default)
        category (list): Destination URL Categories
        action (str): Action to take (deny, allow, drop, reset-client,
            reset-server, reset-both)
            Note: Not all options are available on all PAN-OS versions.
        log_setting (str): Log forwarding profile
        log_start (bool): Log at session start
        log_end (bool): Log at session end
        description (str): Description of this rule
        type (str): 'universal', 'intrazone', or 'interzone' (Default:
            universal)
        tag (list): Administrative tags
        negate_source (bool): Match on the reverse of the 'source' attribute
        negate_destination (bool): Match on the reverse of the 'destination'
            attribute
        disabled (bool): Disable this rule
        schedule (str): Schedule Profile
        icmp_unreachable (bool): Send ICMP Unreachable
        disable_server_response_inspection (bool): Disable server response
            inspection
        group (str): Security Profile Group
        negate_target (bool): Target all but the listed target firewalls
            (applies to panorama/device groups only)
        target (list): Apply this policy to the listed firewalls only
            (applies to panorama/device groups only)
        virus (str): Antivirus Security Profile
        spyware (str): Anti-Spyware Security Profile
        vulnerability (str): Vulnerability Protection Security Profile
        url_filtering (str): URL Filtering Security Profile
        file_blocking (str): File Blocking Security Profile
        wildfire_analysis (str): Wildfire Analysis Security Profile
        data_filtering (str): Data Filtering Security Profile
        uuid (str): (PAN-OS 9.0+) The UUID for this rule.
        source_devices (list): (PAN-OS 10.0+) Host devices subject to the
            policy.
        destination_devices (list): (PAN-OS 10.0+) Destination devices
            subject to the policy.
        group_tag (str): (PAN-OS 9.0+) The group tag.
    """

    # TODO: Add QoS variables
    SUFFIX = ENTRY
    ROOT = Root.VSYS
    HIT_COUNT_STYLE = "security"
    OPSTATES = {
        "audit_comment": RuleAuditComment,
        "hit_count": HitCount,
    }

    def _setup(self):
        # xpaths
        self._xpaths.add_profile(value="/security/rules")

        # Small constructors for the recurring parameter shapes.
        def any_member(name, path):
            # Multi-valued match field whose unset value means "any".
            return VersionedParamPath(
                name, default=["any"], vartype="member", path=path
            )

        def yesno(name, path):
            return VersionedParamPath(name, path=path, vartype="yesno")

        def profile(kind):
            # Individual security profile; the param is named after the
            # XML node (hyphenated) on purpose.
            return VersionedParamPath(
                kind, vartype="member", path="profile-setting/profiles/" + kind
            )

        # Version-dependent parameters are built up front so they can be
        # placed at their positional slot below.
        hip_profiles = any_member("hip_profiles", "hip-profiles")
        # PAN-OS 10.0.0 dropped hip-profiles, so it must not be part of the
        # request body on that version or later.
        hip_profiles.add_profile("10.0.0", exclude=True)

        uuid = VersionedParamPath("uuid", exclude=True)
        uuid.add_profile("9.0.0", vartype="attrib", path="uuid")

        source_devices = VersionedParamPath(
            "source_devices", default=["any"], exclude=True
        )
        source_devices.add_profile("10.0.0", vartype="member", path="source-hip")

        destination_devices = VersionedParamPath(
            "destination_devices", default=["any"], exclude=True
        )
        destination_devices.add_profile(
            "10.0.0", vartype="member", path="destination-hip"
        )

        group_tag = VersionedParamPath("group_tag", exclude=True)
        group_tag.add_profile("9.0.0", path="group-tag")

        # Order is the constructor's positional argument order; keep it.
        self._params = (
            any_member("fromzone", "from"),
            any_member("tozone", "to"),
            any_member("source", "source"),
            any_member("source_user", "source-user"),
            hip_profiles,
            any_member("destination", "destination"),
            any_member("application", "application"),
            VersionedParamPath(
                "service",
                default="application-default",
                vartype="member",
                path="service",
            ),
            any_member("category", "category"),
            VersionedParamPath("action", path="action"),
            VersionedParamPath("log_setting", path="log-setting"),
            yesno("log_start", "log-start"),
            yesno("log_end", "log-end"),
            VersionedParamPath("description", path="description"),
            VersionedParamPath("type", default="universal", path="rule-type"),
            VersionedParamPath("tag", path="tag", vartype="member"),
            yesno("negate_source", "negate-source"),
            yesno("negate_destination", "negate-destination"),
            yesno("disabled", "disabled"),
            VersionedParamPath("schedule", path="schedule"),
            yesno("icmp_unreachable", "icmp-unreachable"),
            yesno(
                "disable_server_response_inspection",
                "option/disable-server-response-inspection",
            ),
            VersionedParamPath(
                "group", path="profile-setting/group", vartype="member"
            ),
            yesno("negate_target", "target/negate"),
            VersionedParamPath("target", path="target/devices", vartype="entry"),
            profile("virus"),
            profile("spyware"),
            profile("vulnerability"),
            profile("url-filtering"),
            profile("file-blocking"),
            profile("wildfire-analysis"),
            profile("data-filtering"),
            uuid,
            source_devices,
            destination_devices,
            group_tag,
        )
class NatRule(VersionedPanObject):
    """NAT Rule

    Both the naming convention and the order of the parameters tries to closely
    match what is presented in the GUI.

    There are groupings of parameters that give hints to the sections that
    they contribute towards:

        * source_translation_<etc>
        * source_translation_fallback_<etc>
        * source_translation_static_<etc>
        * destination_translation_<etc>

    Parameters whose ``path`` contains ``{...}`` segments are nested under the
    value of that sibling parameter, and ``condition`` limits when they are
    emitted (resolved by VersionedParamPath in panos.base).

    NOTE(review): ``source_translation_static_bi_directional`` also enables
    the reverse (translated -> original) mapping per its description below;
    make sure the inbound path it creates is covered by a security rule.

    Args:
        name (str): Name of the rule
        description (str): The description
        nat_type (str): Type of NAT
        fromzone (list): From zones
        tozone (list): To zones
        to_interface (str): Egress interface from route lookup
        service (str): The service
        source (list): Source addresses
        destination (list): Destination addresses
        source_translation_type (str): Type of source address translation
        source_translation_address_type (str): Address type for Dynamic IP
            And Port or Dynamic IP source translation types
        source_translation_interface (str): Interface of the source address
            translation for Dynamic IP and Port source translation types
        source_translation_ip_address (str): IP address of the source address
            translation for Dynamic IP and Port source translation types
        source_translation_translated_addresses (list): Translated addresses
            of the source address translation for Dynamic IP And Port or
            Dynamic IP source translation types
        source_translation_fallback_type (str): Type of fallback for Dynamic IP
            source translation types
        source_translation_fallback_translated_addresses (list): Addresses for
            translated address types of fallback source translation
        source_translation_fallback_interface (str): The interface for the
            fallback source translation
        source_translation_fallback_ip_type (str): The type of the IP address
            for the fallback source translation IP address
        source_translation_fallback_ip_address (str): The IP address of the
            fallback source translation
        source_translation_static_translated_address (str): The IP address
            for the static source translation
        source_translation_static_bi_directional (bool): Allow reverse
            translation from translated address to original address
        destination_translated_address (str): Translated destination IP
            address
        destination_translated_port (int): Translated destination port number
        ha_binding (str): Device binding configuration in HA Active-Active mode
        disabled (bool): Disable this rule
        negate_target (bool): Target all but the listed target firewalls
            (applies to panorama/device groups only)
        target (list): Apply this policy to the listed firewalls only
            (applies to panorama/device groups only)
        tag (list): Administrative tags
        destination_dynamic_translated_address (str): (PAN-OS 8.1+) Dynamic
            destination translated address.
        destination_dynamic_translated_port (int): (PAN-OS 8.1+) Dynamic
            destination translated port.
        destination_dynamic_translated_distribution (str): (PAN-OS 8.1+) Dynamic
            destination translated distribution.
        uuid (str): (PAN-OS 9.0+) The UUID for this rule.
        group_tag (str): (PAN-OS 9.0+) The group tag.
    """

    SUFFIX = ENTRY
    ROOT = Root.VSYS
    HIT_COUNT_STYLE = "nat"
    OPSTATES = {
        "audit_comment": RuleAuditComment,
        "hit_count": HitCount,
    }

    def _setup(self):
        # xpaths
        self._xpaths.add_profile(value="/nat/rules")

        # params (order is the constructor's positional argument order)
        params = []

        params.append(VersionedParamPath("description", path="description"))
        params.append(
            VersionedParamPath(
                "nat_type",
                path="nat-type",
                default="ipv4",
                values=("ipv4", "nat64", "nptv6"),
            )
        )
        # Only fromzone/source/destination default to "any"; tozone does not.
        params.append(
            VersionedParamPath(
                "fromzone", default=["any",], vartype="member", path="from"
            )
        )
        params.append(VersionedParamPath("tozone", vartype="member", path="to"))
        params.append(VersionedParamPath("to_interface", path="to-interface"))
        params.append(VersionedParamPath("service", default="any", path="service"))
        params.append(
            VersionedParamPath(
                "source", default=["any",], vartype="member", path="source"
            )
        )
        params.append(
            VersionedParamPath(
                "destination", default=["any",], vartype="member", path="destination"
            )
        )

        # --- source translation ---------------------------------------
        # The chosen type becomes the element name under source-translation.
        params.append(
            VersionedParamPath(
                "source_translation_type",
                path="source-translation/{source_translation_type}",
                values=("dynamic-ip-and-port", "dynamic-ip", "static-ip"),
            )
        )
        # Dynamic types pick either an interface address or a translated
        # address pool; the chosen one becomes the next element name.
        params.append(
            VersionedParamPath(
                "source_translation_address_type",
                path="/".join(
                    (
                        "source-translation",
                        "{source_translation_type}",
                        "{source_translation_address_type}",
                    )
                ),
                values=("interface-address", "translated-address"),
                default="translated-address",
                condition={
                    "source_translation_type": ["dynamic-ip-and-port", "dynamic-ip"]
                },
            )
        )
        # interface-address details only apply to dynamic-ip-and-port.
        params.append(
            VersionedParamPath(
                "source_translation_interface",
                path="/".join(
                    (
                        "source-translation",
                        "{source_translation_type}",
                        "{source_translation_address_type}",
                        "interface",
                    )
                ),
                condition={
                    "source_translation_type": "dynamic-ip-and-port",
                    "source_translation_address_type": "interface-address",
                },
            )
        )
        params.append(
            VersionedParamPath(
                "source_translation_ip_address",
                path="/".join(
                    (
                        "source-translation",
                        "{source_translation_type}",
                        "{source_translation_address_type}",
                        "ip",
                    )
                ),
                condition={
                    "source_translation_type": "dynamic-ip-and-port",
                    "source_translation_address_type": "interface-address",
                },
            )
        )
        # translated-address pool: members directly under the address-type node.
        params.append(
            VersionedParamPath(
                "source_translation_translated_addresses",
                vartype="member",
                path="/".join(
                    (
                        "source-translation",
                        "{source_translation_type}",
                        "{source_translation_address_type}",
                    )
                ),
                condition={
                    "source_translation_type": ["dynamic-ip-and-port", "dynamic-ip"],
                    "source_translation_address_type": "translated-address",
                },
            )
        )

        # --- source translation fallback (dynamic-ip only) -------------
        params.append(
            VersionedParamPath(
                "source_translation_fallback_type",
                path="/".join(
                    (
                        "source-translation",
                        "{source_translation_type}",
                        "fallback",
                        "{source_translation_fallback_type}",
                    )
                ),
                values=("translated-address", "interface-address"),
                condition={"source_translation_type": "dynamic-ip"},
            )
        )
        params.append(
            VersionedParamPath(
                "source_translation_fallback_translated_addresses",
                path="/".join(
                    (
                        "source-translation",
                        "{source_translation_type}",
                        "fallback",
                        "{source_translation_fallback_type}",
                    )
                ),
                vartype="member",
                condition={
                    "source_translation_type": "dynamic-ip",
                    "source_translation_fallback_type": "translated-address",
                },
            )
        )
        params.append(
            VersionedParamPath(
                "source_translation_fallback_interface",
                path="/".join(
                    (
                        "source-translation",
                        "{source_translation_type}",
                        "fallback",
                        "{source_translation_fallback_type}",
                        "interface",
                    )
                ),
                condition={
                    "source_translation_type": "dynamic-ip",
                    "source_translation_fallback_type": "interface-address",
                },
            )
        )
        # ip vs floating-ip selects the element the fallback address lives in.
        params.append(
            VersionedParamPath(
                "source_translation_fallback_ip_type",
                path="/".join(
                    (
                        "source-translation",
                        "{source_translation_type}",
                        "fallback",
                        "{source_translation_fallback_type}",
                        "{source_translation_fallback_ip_type}",
                    )
                ),
                values=("ip", "floating-ip"),
                default="ip",
                condition={
                    "source_translation_type": "dynamic-ip",
                    "source_translation_fallback_type": "interface-address",
                },
            )
        )
        params.append(
            VersionedParamPath(
                "source_translation_fallback_ip_address",
                path="/".join(
                    (
                        "source-translation",
                        "{source_translation_type}",
                        "fallback",
                        "{source_translation_fallback_type}",
                        "{source_translation_fallback_ip_type}",
                    )
                ),
                condition={
                    "source_translation_type": "dynamic-ip",
                    "source_translation_fallback_type": "interface-address",
                },
            )
        )

        # --- static source translation ---------------------------------
        params.append(
            VersionedParamPath(
                "source_translation_static_translated_address",
                path="/".join(
                    (
                        "source-translation",
                        "{source_translation_type}",
                        "translated-address",
                    )
                ),
                condition={"source_translation_type": "static-ip"},
            )
        )
        params.append(
            VersionedParamPath(
                "source_translation_static_bi_directional",
                vartype="yesno",
                path="/".join(
                    (
                        "source-translation",
                        "{source_translation_type}",
                        "bi-directional",
                    )
                ),
                condition={"source_translation_type": "static-ip"},
            )
        )

        # --- destination translation -----------------------------------
        params.append(
            VersionedParamPath(
                "destination_translated_address",
                path="destination-translation/translated-address",
            )
        )
        params.append(
            VersionedParamPath(
                "destination_translated_port",
                vartype="int",
                path="destination-translation/translated-port",
            )
        )

        params.append(
            VersionedParamPath(
                "ha_binding",
                path="active-active-device-binding",
                values=("primary", "both", "0", "1"),
            )
        )
        params.append(VersionedParamPath("disabled", vartype="yesno", path="disabled"))
        params.append(
            VersionedParamPath("negate_target", path="target/negate", vartype="yesno")
        )
        params.append(
            VersionedParamPath("target", path="target/devices", vartype="entry")
        )
        params.append(VersionedParamPath("tag", path="tag", vartype="member"))

        # --- dynamic destination translation (PAN-OS 8.1+) -------------
        # Excluded from the request body on older releases.
        params.append(
            VersionedParamPath("destination_dynamic_translated_address", exclude=True)
        )
        params[-1].add_profile(
            "8.1.0", path="dynamic-destination-translation/translated-address"
        )
        params.append(
            VersionedParamPath("destination_dynamic_translated_port", exclude=True)
        )
        params[-1].add_profile(
            "8.1.0",
            path="dynamic-destination-translation/translated-port",
            vartype="int",
        )
        params.append(
            VersionedParamPath(
                "destination_dynamic_translated_distribution", exclude=True
            )
        )
        params[-1].add_profile(
            "8.1.0",
            path="dynamic-destination-translation/distribution",
            values=("round-robin",),
        )

        # PAN-OS 9.0+: uuid is an attribute of the entry, group-tag a child.
        params.append(VersionedParamPath("uuid", exclude=True))
        params[-1].add_profile("9.0.0", vartype="attrib", path="uuid")
        params.append(VersionedParamPath("group_tag", exclude=True))
        params[-1].add_profile("9.0.0", path="group-tag")

        self._params = tuple(params)
class ApplicationOverride(VersionedPanObject):
    """ApplicationOverride

    NOTE(review): fromzone, tozone, source and destination all default to
    "any"; because an override rule reclassifies matching traffic to the given
    application, keep the match (zones, addresses, port, protocol) as narrow
    as the use case allows — confirm against the PAN-OS documentation.

    Args:
        name (str): Name of the rule
        fromzone (list): From zones
        tozone (list): To zones
        source (list): Source addresses
        destination (list): Destination addresses
        application (str): Applications
        description (str): Description of this rule
        tag (list): Administrative tags
        negate_source (bool): Match on the reverse of the 'source' attribute
        negate_destination (bool): Match on the reverse of the 'destination'
            attribute
        disabled (bool): Disable this rule
        negate_target (bool): Target all but the listed target firewalls
            (applies to panorama/device groups only)
        target (list): Apply this policy to the listed firewalls only
            (applies to panorama/device groups only)
        port (str): Destination port
        protocol (str): Protocol used
        group_tag (str): (PAN-OS 9.0+) The group tag.
    """

    SUFFIX = ENTRY
    ROOT = Root.VSYS
    HIT_COUNT_STYLE = "application-override"
    OPSTATES = {
        "audit_comment": RuleAuditComment,
        "hit_count": HitCount,
    }

    def _setup(self):
        # xpaths
        self._xpaths.add_profile(value="/application-override/rules")

        def any_member(name, path):
            # Multi-valued match field whose unset value means "any".
            return VersionedParamPath(
                name, default=["any"], vartype="member", path=path
            )

        def yesno(name, path):
            return VersionedParamPath(name, path=path, vartype="yesno")

        # group-tag only exists from PAN-OS 9.0; excluded before that.
        group_tag = VersionedParamPath("group_tag", exclude=True)
        group_tag.add_profile("9.0.0", path="group-tag")

        # Order is the constructor's positional argument order; keep it.
        self._params = (
            any_member("fromzone", "from"),
            any_member("tozone", "to"),
            any_member("source", "source"),
            any_member("destination", "destination"),
            VersionedParamPath("application", path="application"),
            VersionedParamPath("description", path="description"),
            VersionedParamPath("tag", path="tag", vartype="member"),
            yesno("negate_source", "negate-source"),
            yesno("negate_destination", "negate-destination"),
            yesno("disabled", "disabled"),
            yesno("negate_target", "target/negate"),
            VersionedParamPath("target", path="target/devices", vartype="entry"),
            VersionedParamPath("port", path="port"),
            VersionedParamPath("protocol", path="protocol"),
            group_tag,
        )
class PolicyBasedForwarding(VersionedPanObject):
    """PBF rule.

    Parameters whose ``path`` contains ``{...}`` segments are nested under the
    value of that sibling parameter (``from_type``, ``action``,
    ``forward_next_hop_type``), and ``condition`` limits when they are emitted
    (resolved by VersionedParamPath in panos.base).

    Args:
        name (str): The name
        description (str): The description
        tags (str/list): List of tags
        from_type (str): Source from type. Valid values are 'zone' (default)
            or 'interface'.
        from_value (str/list): The source values for the given type.
        source_addresses (str/list): List of source IP addresses.
        source_users (str/list): List of source users.
        negate_source (bool): Set to negate the source.
        destination_addresses (str/list): List of destination addresses.
        negate_destination (bool): Set to negate the destination.
        applications (str/list): List of applications.
        services (str/list): List of services.
        schedule (str): The schedule.
        disabled (bool): Set to disable this rule.
        action (str): The action to take. Valid values are 'forward'
            (default), 'forward-to-vsys', 'discard', or 'no-pbf'.
        forward_vsys (str): The vsys to forward to if action is set to
            forward to a vsys.
        forward_egress_interface (str): The egress interface.
        forward_next_hop_type (str): The next hop type. Valid values
            are 'ip-address', 'fqdn', or None (default).
        forward_next_hop_value (str): The next hop value if the forward
            next hop type is not None.
        forward_monitor_profile (str): The monitor profile to use.
        forward_monitor_ip_address (str): The monitor IP address.
        forward_monitor_disable_if_unreachable (bool): Set to disable
            this rule if nexthop / monitor IP is unreachable.
        enable_enforce_symmetric_return (bool): Set to enforce
            symmetric return.
        symmetric_return_addresses (str/list): List of symmetric return
            addresses.
        active_active_device_binding (str): Active/Active device binding.
        target (list): Apply this policy to the listed firewalls only
            (applies to panorama/device groups only)
        negate_target (bool): Target all but the listed target firewalls
            (applies to panorama/device groups only)
        uuid (str): (PAN-OS 9.0+) The UUID for this rule.
        group_tag (str): (PAN-OS 9.0+) The group tag.
    """

    SUFFIX = ENTRY
    ROOT = Root.VSYS
    HIT_COUNT_STYLE = "pbf"
    OPSTATES = {
        "audit_comment": RuleAuditComment,
        "hit_count": HitCount,
    }

    def _setup(self):
        # xpaths
        self._xpaths.add_profile(value="/pbf/rules")

        # params (order is the constructor's positional argument order).
        # Unlike SecurityRule, the match fields here have no "any" default.
        params = []

        params.append(VersionedParamPath("description", path="description"))
        params.append(VersionedParamPath("tags", vartype="member", path="tag"))
        # from_type selects the element name (zone|interface); from_value
        # supplies the members under it.
        params.append(
            VersionedParamPath(
                "from_type",
                default="zone",
                values=["zone", "interface"],
                path="from/{from_type}",
            )
        )
        params.append(
            VersionedParamPath("from_value", vartype="member", path="from/{from_type}")
        )
        params.append(
            VersionedParamPath("source_addresses", vartype="member", path="source")
        )
        params.append(
            VersionedParamPath("source_users", vartype="member", path="source-user")
        )
        params.append(
            VersionedParamPath("negate_source", vartype="yesno", path="negate-source")
        )
        params.append(
            VersionedParamPath(
                "destination_addresses", vartype="member", path="destination"
            )
        )
        params.append(
            VersionedParamPath(
                "negate_destination", vartype="yesno", path="negate-destination"
            )
        )
        params.append(
            VersionedParamPath("applications", vartype="member", path="application")
        )
        params.append(VersionedParamPath("services", vartype="member", path="service"))
        params.append(VersionedParamPath("schedule", path="schedule"))
        params.append(VersionedParamPath("disabled", vartype="yesno", path="disabled"))

        # --- action ----------------------------------------------------
        # The action value becomes the element name under <action>; the
        # forward_* parameters below are only emitted for the matching action.
        params.append(
            VersionedParamPath(
                "action",
                default="forward",
                values=["forward", "forward-to-vsys", "discard", "no-pbf"],
                path="action/{action}",
            )
        )
        params.append(
            VersionedParamPath(
                "forward_vsys",
                condition={"action": "forward-to-vsys"},
                path="action/{action}/forward-to-vsys",
            )
        )
        params.append(
            VersionedParamPath(
                "forward_egress_interface",
                condition={"action": "forward"},
                path="action/{action}/egress-interface",
            )
        )
        # None is a valid next hop type (no nexthop element at all).
        params.append(
            VersionedParamPath(
                "forward_next_hop_type",
                condition={"action": "forward"},
                values=["ip-address", "fqdn", None],
                path="action/{action}/nexthop/{forward_next_hop_type}",
            )
        )
        params.append(
            VersionedParamPath(
                "forward_next_hop_value",
                condition={
                    "action": "forward",
                    "forward_next_hop_type": ["ip-address", "fqdn"],
                },
                path="action/{action}/nexthop/{forward_next_hop_type}",
            )
        )
        params.append(
            VersionedParamPath(
                "forward_monitor_profile",
                condition={"action": "forward"},
                path="action/{action}/monitor/profile",
            )
        )
        params.append(
            VersionedParamPath(
                "forward_monitor_ip_address",
                condition={"action": "forward"},
                path="action/{action}/monitor/ip-address",
            )
        )
        params.append(
            VersionedParamPath(
                "forward_monitor_disable_if_unreachable",
                vartype="yesno",
                condition={"action": "forward"},
                path="action/{action}/monitor/disable-if-unreachable",
            )
        )

        # --- symmetric return ------------------------------------------
        params.append(
            VersionedParamPath(
                "enable_enforce_symmetric_return",
                vartype="yesno",
                path="enforce-symmetric-return/enabled",
            )
        )
        params.append(
            VersionedParamPath(
                "symmetric_return_addresses",
                vartype="entry",
                path="enforce-symmetric-return/nexthop-address-list",
            )
        )

        params.append(
            VersionedParamPath(
                "active_active_device_binding", path="active-active-device-binding"
            )
        )
        params.append(
            VersionedParamPath("target", vartype="entry", path="target/devices")
        )
        params.append(
            VersionedParamPath("negate_target", vartype="yesno", path="target/negate")
        )

        # PAN-OS 9.0+: uuid is an attribute of the entry, group-tag a child;
        # both are excluded from the request body on older releases.
        params.append(VersionedParamPath("uuid", exclude=True))
        params[-1].add_profile("9.0.0", vartype="attrib", path="uuid")
        params.append(VersionedParamPath("group_tag", exclude=True))
        params[-1].add_profile("9.0.0", path="group-tag")

        self._params = tuple(params)
class DecryptionRule(VersionedPanObject):
    """Decryption rule.

    PAN-OS 7.0+

    ``action`` defaults to "no-decrypt", so a rule is a decryption exemption
    unless "decrypt" (or "decrypt-and-forward" on 8.1+) is set explicitly.
    The TLS handshake logging switches and ``log_setting`` are only sent to
    PAN-OS 10.0+ devices.

    Args:
        name (str): The name
        description (str): The description
        uuid (str): (PAN-OS 9.0+) The UUID for this rule.
        source_zones (list): The source zones.
        source_addresses (list): The source addresses.
        negate_source (bool): Negate the source addresses.
        source_users (list): The source users.
        source_hip (list): (PAN-OS 10.0+) The source HIP info.
        destination_zones (list): The destination zones.
        destination_addresses (list): The destination addresses.
        negate_destination (bool): Negate the destination addresses.
        destination_hip (list): (PAN-OS 10.0+) The destination HIP info.
        tags (list): The administrative tags.
        disabled (bool): If the rule is disabled or not.
        services (list): Services.
        url_categories (list): URL categories.
        action (str): The action. Valid values are "no-decrypt" (default),
            "decrypt", or "decrypt-and-forward" (PAN-OS 8.1+).
        decryption_type (str): The decryption type. Valid values are
            "ssl-forward-proxy", "ssh-proxy", or "ssl-inbound-inspection".
        ssl_certificate (str): The SSL cert (ssl-inbound-inspection only).
        decryption_profile (str): The decryption profile.
        forwarding_profile (str): (PAN-OS 8.1+) The forwarding profile.
        group_tag (str): (PAN-OS 9.0+) The group tag.
        log_successful_tls_handshakes (bool): (PAN-OS 10.0+) Log successful TLS
            handshakes.
        log_failed_tls_handshakes (bool): (PAN-OS 10.0+) Log failed TLS handshakes.
        log_setting (str): (PAN-OS 10.0+) Log setting.
        negate_target (bool): Target all but the listed target firewalls
            (applies to panorama/device groups only)
        target (list): Apply this policy to the listed firewalls only
            (applies to panorama/device groups only)
    """

    SUFFIX = ENTRY
    ROOT = Root.VSYS
    HIT_COUNT_STYLE = "decryption"
    OPSTATES = {
        "audit_comment": RuleAuditComment,
        "hit_count": HitCount,
    }

    def _setup(self):
        # xpaths
        self._xpaths.add_profile(value="/decryption/rules")

        def member(name, path):
            return VersionedParamPath(name, vartype="member", path=path)

        def yesno(name, path):
            return VersionedParamPath(name, vartype="yesno", path=path)

        def since(version, name, **profile):
            # Not part of the request body before `version`; from there on
            # it is emitted with the given path/vartype.
            p = VersionedParamPath(name, exclude=True)
            p.add_profile(version, **profile)
            return p

        # "decrypt-and-forward" is only accepted from PAN-OS 8.1 onwards.
        action = VersionedParamPath(
            "action",
            default="no-decrypt",
            path="action",
            values=("decrypt", "no-decrypt"),
        )
        action.add_profile(
            "8.1.0",
            path="action",
            values=("decrypt", "no-decrypt", "decrypt-and-forward"),
        )

        # Order is the constructor's positional argument order; keep it.
        self._params = (
            VersionedParamPath("description", path="description"),
            since("9.0.0", "uuid", vartype="attrib", path="uuid"),
            member("source_zones", "from"),
            member("source_addresses", "source"),
            yesno("negate_source", "negate-source"),
            member("source_users", "source-user"),
            since("10.0.0", "source_hip", path="source-hip", vartype="member"),
            member("destination_zones", "to"),
            member("destination_addresses", "destination"),
            yesno("negate_destination", "negate-destination"),
            since(
                "10.0.0", "destination_hip", path="destination-hip", vartype="member"
            ),
            member("tags", "tag"),
            yesno("disabled", "disabled"),
            member("services", "service"),
            member("url_categories", "category"),
            action,
            # The decryption type is the element name under <type>; the
            # certificate is its text for ssl-inbound-inspection.
            VersionedParamPath(
                "decryption_type",
                path="type/{decryption_type}",
                values=("ssl-forward-proxy", "ssh-proxy", "ssl-inbound-inspection"),
            ),
            VersionedParamPath(
                "ssl_certificate",
                path="type/{decryption_type}",
                condition={"decryption_type": "ssl-inbound-inspection"},
            ),
            VersionedParamPath("decryption_profile", path="profile"),
            since("8.1.0", "forwarding_profile", path="forwarding-profile"),
            since("9.0.0", "group_tag", path="group-tag"),
            since(
                "10.0.0",
                "log_successful_tls_handshakes",
                path="log-success",
                vartype="yesno",
            ),
            since(
                "10.0.0", "log_failed_tls_handshakes", path="log-fail", vartype="yesno"
            ),
            since("10.0.0", "log_setting", path="log-setting"),
            yesno("negate_target", "target/negate"),
            VersionedParamPath("target", path="target/devices", vartype="entry"),
        )
class AuthenticationRule(VersionedPanObject):
    """Authentication Rule

    Both the naming convention and the order of the parameters try to closely
    match what is presented in the GUI.

    Args:
        name (str): The name
        description (str): The description
        uuid (str): (PAN-OS 9.0+) The UUID for this rule.
        source_zones (list): The source zones.
        source_addresses (list): The source addresses.
        negate_source (bool): Negate the source addresses.
        destination_zones (list): The destination zones.
        destination_addresses (list): The destination addresses.
        negate_destination (bool): Negate the destination addresses.
        tag (list): Administrative tags
        disabled (bool): Disable this rule
        service (list): The service (a ``member`` list, like ``tag``).
        source_hip (list): (PAN-OS 10.0+) The source HIP info.
        source_users (list): The source users.
        url_categories (list): URL categories.
        group_tag (str): (PAN-OS 9.0+) The group tag.
        authentication_enforcement (str): The authentication enforcement object.
        timeout (str): The authentication timeout.
        negate_target (bool): Target all but the listed target firewalls,
            (applies to panorama/device groups only)
        target (list): Apply this policy to the listed firewalls only,
            (applies to panorama/device groups only)
        log_setting (str): (PAN-OS 10.0+) Log setting.
        log_authentication_timeout (bool): Whether the rule logs authentication
            timeouts or not.

    """

    SUFFIX = ENTRY
    ROOT = Root.VSYS
    # Handed to the opstate hit-count refresh so it queries this rule type's table.
    HIT_COUNT_STYLE = "authentication"
    OPSTATES = {
        "audit_comment": RuleAuditComment,
        "hit_count": HitCount,
    }

    def _setup(self):
        """Register the xpath and the versioned parameter list for this rule."""
        # xpaths
        self._xpaths.add_profile(value="/authentication/rules")

        # Parameters that only exist from a given PAN-OS version onward start
        # excluded and gain a profile for the version that introduced them.
        uuid = VersionedParamPath("uuid", exclude=True)
        uuid.add_profile("9.0.0", vartype="attrib", path="uuid")

        source_hip = VersionedParamPath("source_hip", exclude=True)
        source_hip.add_profile("10.0.0", path="source-hip", vartype="member")

        group_tag = VersionedParamPath("group_tag", exclude=True)
        group_tag.add_profile("9.0.0", path="group-tag")

        # NOTE(review): the docstring marks log_setting as PAN-OS 10.0+, yet unlike
        # source_hip it carries no version profile here - confirm which is intended.
        self._params = (
            VersionedParamPath("description", path="description"),
            uuid,
            VersionedParamPath("source_zones", vartype="member", path="from"),
            VersionedParamPath(
                "source_addresses", default=["any"], vartype="member", path="source"
            ),
            VersionedParamPath("negate_source", vartype="yesno", path="negate-source"),
            VersionedParamPath("destination_zones", vartype="member", path="to"),
            VersionedParamPath(
                "destination_addresses",
                default=["any"],
                vartype="member",
                path="destination",
            ),
            VersionedParamPath(
                "negate_destination", vartype="yesno", path="negate-destination"
            ),
            VersionedParamPath("tag", vartype="member", path="tag"),
            VersionedParamPath("disabled", vartype="yesno", path="disabled"),
            VersionedParamPath("service", vartype="member", path="service"),
            source_hip,
            VersionedParamPath("source_users", vartype="member", path="source-user"),
            VersionedParamPath("url_categories", vartype="member", path="category"),
            group_tag,
            VersionedParamPath(
                "authentication_enforcement", path="authentication-enforcement"
            ),
            VersionedParamPath("timeout", path="timeout"),
            VersionedParamPath("negate_target", path="target/negate", vartype="yesno"),
            VersionedParamPath("target", path="target/devices", vartype="entry"),
            VersionedParamPath("log_setting", path="log-setting"),
            VersionedParamPath(
                "log_authentication_timeout",
                path="log-authentication-timeout",
                vartype="yesno",
            ),
        )