Panoply¶
-
class
skilletlib.panoply.
EphemeralPanos
(hostname: Optional[str] = None, api_username: Optional[str] = None, api_password: Optional[str] = None, api_port: Optional[int] = 443, serial_number: Optional[str] = None, debug: Optional[bool] = False, api_key: Optional[str] = None)¶ EphemeralPanos is used when a Panos instance may or may not be online and available at all times. This is useful when instantiating instances via a CI/CD pipeline or other automation tool.
-
class
skilletlib.panoply.
Panoply
(hostname: Optional[str] = None, api_username: Optional[str] = None, api_password: Optional[str] = None, api_port: Optional[int] = 443, serial_number: Optional[str] = None, debug: Optional[bool] = False, api_key: Optional[str] = None)¶ Panoply is a wrapper around pan-python PanXAPI class to provide additional, commonly used functions
-
ad_hoc
(qs: str) → str¶ Runs an ad_hoc command against this device.
example: type=op&action=complete&xpath=/operations/show/config/saved
Parameters: qs – qs Returns: the unparsed xml document from the device API
-
backup_config
()¶ Saves a named backup on the PAN-OS device. The format for the backup is ‘config-backup-20190424000000.xml’
Returns: xml results from the op command sequence
-
check_content_updates
(content_type: str) -> (<class 'str'>, None)¶ Iterate through all available content of the specified type, locate and return the version with the highest version number. If that version is already installed, return None as no further action is necessary
Parameters: content_type – type of content to check Returns: version-number to download and install or None if already at the latest
-
commit
(force_sync=True) → str¶ Perform a commit operation on this device instance -
Raises: PanoplyException – if commit failed Parameters: force_sync – Flag to enable sync commit or async Returns: String from the API indicating success or failure
-
commit_gpcs
(force_sync=True) → str¶ Perform a commit operation on this device instance specifically for gpcs remote networks Note - you must do a full commit to panorama before you invoke this commit!
Raises: PanoplyException – if commit failed Parameters: force_sync – Flag to enable sync commit or async Returns: String from the API indicating success or failure
-
connect
(allow_offline: Optional[bool] = False) → None¶ Attempt to connect to this device instance
Parameters: allow_offline – Do not raise an exception if this device is offline unless there is an authentication error :return: None
-
deactivate_vm_license
(api_key: str = None) → bool¶ Deactivate VM-Series Licenses. Will set the API Key is not already set.
Parameters: api_key – Optional api_key. Returns: boolean True on success / False otherwise
-
execute_cli
(cmd_str: str) → str¶ Short-cut to execute a simple CLI op cmd
Parameters: cmd_str – CLI command to send to the NGFW Returns: raw output from the command
-
execute_cmd
(cmd: str, params: dict, context=None) → str¶ Execute the given cmd using the xapi.
Parameters: - cmd – Valid options are: ‘op’, ‘show’, ‘get’, ‘delete’, ‘set’, ‘edit’, ‘override’, ‘move’, ‘rename’, ‘clone’, ‘validate’
- params – valid parameters for the given cmd type
- context – skillet context
Returns: raw results from the cmd output, raises SkilletLoaderException
-
execute_op
(cmd_str: str, cmd_xml=False, parse_result=True) → str¶ Executes an ‘op’ command on the NGFW
Parameters: - cmd_str – op command to send
- cmd_xml – Flag to determine if op command requires XML encoding
- parse_result – Optional flag to indicate whether to return parsed xml results (xml_result) from xapi - not
all commands return valid XML. Setting this to ‘false’ will return the raw string from the API. :return: raw output from the device
-
fetch_license
(auth_code: str, force_fetch_license: bool = False) → bool¶ Fetch and install licenses for PAN-OS NGFW
Parameters: - auth_code – Authorization code to use to license the NGFW
- force_fetch_license – Fetch licenses even if NGFW is already licensed
Returns: True when license installation succeeds / False otherwise
-
filter_connected_devices
(filter_terms=None) → list¶ Returns the list of connected devices filtered according to the given terms.
Filter terms are based on keys in the device facts. Matches are done using simple regex match
Parameters: filter_terms – dict containing key value pairs. Keys match keys from the return device facts and values are regex expressions used to match those keys :return: list of devices that match ALL filter terms
-
generate_baseline
(reset_hostname=False) → str¶ Load baseline config that contains ONLY connecting username / password use device facts to determine which baseline template to load see template/panos/baseline_80.xml for example
Parameters: - self –
- reset_hostname – Flag to reset hostname back to a default value (baseline in this case)
Returns: string contents of baseline config
-
generate_set_cli_from_configs
(previous_config: str, latest_config: str) → list¶ Takes two configuration files, converts them to set commands, then returns only the commands found in the ‘latest_config’ vs the ‘previous_config’. This allows the user to quickly configure one firewall, generate a ‘set cli’ diff and move those configs to another firewall
Parameters: - previous_config – Starting config
- latest_config – Ending config
Returns: list of set cli commands required to convert previous to latest
-
generate_skillet
(from_candidate=False) → list¶ Generates a skillet from the changes detected on this device. This will attempt to create the xml and xpaths for everything that is found to have changed
Parameters: from_candidate – If your changes on in the candidate config, this will detect changes between the running config and the candidate config. If False, this will detect changes between the running config and a generic baseline configuration :return: list of xpaths
-
generate_skillet_from_configs
(previous_config: str, latest_config: str) → list¶ Generates a skillet from the diffs between two XML configuration files
Parameters: - previous_config – Configuration backup taken before desired changes are made to the device
- latest_config – Configuration backup taken after desired changes are made
Returns: list of dictionaries that contain the following keys: * name * element * xpath * full_xpath
-
get_configuration
(config_source='running') → str¶ Get the configuration from the device.
Parameters: config_source – Configuration source. This can be either ‘candidate, running, baseline, or an audit version number. Candidate is the candidate config, running is the running config, baseline is an autogenerated bare configuration, and version number is the previously saved running configuration. A positive version number will get the configuration version matching that id. A negative version number will get the most recent to least recent configuration versions where (-1) is the most recent previous running config. :return: configuration xml as a string or a blank string if not connected
-
get_configuration_version
(version: str) → str¶ Returns a configuration version on the device. Use ‘list_configuration_versions’ to get a list of available options
Parameters: version – version number of the configuration version to export Returns: configuration as an XML encoded string
-
get_extended_facts
() → dict¶ Get extended facts about the device to which we are connected.
Return interfaces, security_rules, and zones
Returns: dict with extended facts
-
get_facts
() → dict¶ Gather system info and keep on self.facts This gets called on every connect
Returns: dict containing all system facts
-
get_interfaces
() → dict¶ Return a dict of all interfaces configured on this device. The dict has the following structure:
- {
- “ifnet”: {
- “entry”: [
- {
- “name”: “ethernet1/1”, “zone”: “internet”, “fwd”: “vr:default”, “vsys”: “1”, “dyn-addr”: null, “addr6”: null, “tag”: “0”, “ip”: “10.48.58.161/23”, “id”: “16”, “addr”: null
}
]
}, “hw”: {
- “entry”: [
- {
- “name”: “ethernet1/1”, “duplex”: “full”, “type”: “0”, “state”: “up”, “st”: “10000/full/up”, “mac”: “fa:16:3e:65:7d:05”, “mode”: “(autoneg)”, “speed”: “10000”, “id”: “16”
}
]
}
}
Returns: dict with two keys ‘ifnet’ and ‘hw’.
-
static
get_ordered_xpaths
() → tuple¶ Returns a list of ordered xpaths for use in ordering snippets and set commands
Will be enhanced one day with version and model specific information if necessary
Returns: tuple of two lists, xpaths and post_xpaths
-
get_saved_configuration
(configuration_name: str) → str¶ Returns a saved configuration on the device. Use ‘list_saved_configuration’ to get a list of available options
Parameters: configuration_name – name of the saved configuration to export Returns: configuration as an XML encoded string
-
get_security_rules
() → list¶ Return the list of configured security rules on this device.
- returns a blank list for Panorama devices!
Returns: list of security rules
-
get_zones
() → list¶ Return the list of configured zones on this device.
- returns a blank list for Panorama devices!
Returns: list of zone names
-
has_running_jobs
() → bool¶ Simple check to determine if there are any running jobs on this device
Returns: bool True if there is currently a running job
-
import_file
(filename: str, file_contents: (<class 'str'>, <class 'bytes'>), category: str) → bool¶ Import the given file into this device
Parameters: - filename –
- file_contents –
- category – ‘configuration’
Returns: bool True on success
-
list_saved_configurations
() → list¶ Returns a list of saved configuration files on this device
Returns: list of saved configurations
-
load_baseline
() → bool¶ Load baseline config that contains ONLY connecting username / password use device facts to determine which baseline template to load see template/panos/baseline_80.xml for example
Parameters: self – Returns: bool true on success
-
load_config
(filename: str) → bool¶ Loads the named configuration file into this device
Parameters: filename – name of the configuration file on the device to load. Note this filename must already exist on the target device :return: bool True on success
-
static
sanitize_element
(element: str) → str¶ Eliminate some unneeded characters from the XML snippet if they appear.
Parameters: element – element str Returns: sanitized element str
-
set_at_path
(name: str, xpath: str, xml_str: str) → None¶ Insert XML into the configuration tree at the specified xpath
Parameters: - name – name of the snippet - used in logging and debugging only
- xpath – full xpath where the xml element will be inserted
- xml_str – string representation of the XML element to insert
Returns: None
-
set_license_api_key
(api_key: str) → bool¶ Set’s the Palo Alto Networks Support API Key in the firewall. This is required to deactivate a VM-Series NGFW.
Parameters: api_key – Your support account API Key found on the support.paloaltonetworks.com site Returns: boolean True on success / False otherwise
-
update_dynamic_content
(content_type: str) → bool¶ Check for newer dynamic content and install if found
Parameters: content_type – type of content to check. can be either: ‘content’, ‘anti-virus’, ‘wildfire’ Returns: bool True on success
-
wait_for_device_ready
(interval=30, timeout=600) → bool¶ Loop and wait until device is ready or times out
Parameters: - interval – how often to check in seconds
- timeout – how long to wait until we declare a timeout condition
Returns: boolean true on ready, false on timeout
-
wait_for_job
(job_id: str, interval=10, timeout=600) → bool¶ Loops until a given job id is completed. Will timeout after the timeout period if the device is offline or otherwise unavailable.
Parameters: - job_id – id the job to check and wait for
- interval – how long to wait between checks
- timeout – how long to wait with no response before we give up
Returns: bool true on content updated, false otherwise
-
-
class
skilletlib.panoply.
Panos
(hostname: Optional[str], api_username: Optional[str], api_password: Optional[str], api_port: Optional[int] = 443, serial_number: Optional[str] = None, debug: Optional[bool] = False, api_key: Optional[str] = None)¶ Panos is used to connect to PAN-OS devices that are expected to be currently and always online! Exceptions will be raised in any event that we cannot connect!