palo_alto 0.4.0 → 0.5.1
- checksums.yaml +4 -4
- data/CHANGELOG.md +4 -0
- data/README.md +2 -0
- data/examples/test_config.rb +31 -15
- data/examples/test_op.rb +54 -73
- data/lib/palo_alto/config.rb +79922 -52904
- data/lib/palo_alto/op.rb +5290 -756
- data/lib/palo_alto/version.rb +1 -1
- data/lib/palo_alto.rb +41 -31
- metadata +2 -2
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 35c89839bc38cd0398a88bd1c12c701b27e86de98bd1012a6c9d939898e9982a
|
4
|
+
data.tar.gz: 4c7e1ac46cf17e7d0780e768c2923dfa457e8cda93b8b3e714057e5909c3e764
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 351d244c00165c18d7d94d1c0e35d820db16f6cb586d613fe0d682df00fd1f49c68846548effa82d6568521fac0cfff31c62135bd8dfc81bb7b96f8ad3181d02
|
7
|
+
data.tar.gz: 65bb8bf61772a2630edb8354f9eb6098e25aaef0c420413bb00995f0eab9f6b4ab8c7a4d964a87ecd8921b9b53da9ad133ad249872e33badd59a0957a74db04e
|
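--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1 +1,5 @@
+Version 0.5.1: Breaking changes for op commands, to be able to build more complex scenarios
+Version 0.5.0: Update schema for Panorama 11.0
+Version 0.4.1: Update schema for Panorama 10.2 for op commands
+Version 0.4.0: Update schema for Panorama 10.2 for config
 Version 0.3.0: Update schema for Panorama 10.1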
data/README.md
CHANGED
data/examples/test_config.rb
CHANGED
@@ -1,3 +1,5 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
1
3
|
require 'palo_alto'
|
2
4
|
|
3
5
|
client = PaloAlto::XML.new(host: 'panorama-test', username: 'admin', password: 'Admin123!',
|
@@ -6,11 +8,11 @@ dg = 'PLAYGROUND'
|
|
6
8
|
|
7
9
|
# create a tag
|
8
10
|
tag_name = 'test'
|
9
|
-
|
10
11
|
new_tag = client.config.devices.entry(name: 'localhost.localdomain').device_group.entry(name: dg).tag.entry(name: tag_name).create!
|
11
12
|
new_tag.color = 'color23'
|
12
|
-
new_tag.
|
13
|
+
new_tag.set!
|
13
14
|
|
15
|
+
# get rules
|
14
16
|
# filtered rules:
|
15
17
|
# rules = client.config.devices.entry(name:'localhost.localdomain').device_group.entry(name: 'PLAYGROUND').pre_rulebase.security.rules
|
16
18
|
# .entry{ (child(:source).child(:member).text == "Net_10.1.1.0-24").or(child(:destination).child(:member).text == 'Net_10.1.1.0-24') }
|
@@ -19,46 +21,60 @@ new_tag.push!
|
|
19
21
|
# or:
|
20
22
|
#
|
21
23
|
# filter = (PaloAlto.child(:source).child(:member).text == "Net_10.1.1.0-24").or(PaloAlto.child(:destination).child(:member).text == 'Net_10.1.1.0-24')
|
22
|
-
# puts filter.to_xpath
|
24
|
+
# puts filter.to_xpath # prints generated Xpath filter
|
23
25
|
# => ./source/member/text()='Net_10.1.1.0-24'or./destination/member/text()='Net_10.1.1.0-24'
|
24
26
|
#
|
25
27
|
# rules = client.config.devices.entry(name:'localhost.localdomain').device_group.entry(name: 'PLAYGROUND').pre_rulebase.security.rules
|
26
28
|
# .entry{filter}.get_all
|
27
|
-
|
29
|
+
|
28
30
|
# also more advanced filters are possible:
|
29
|
-
# PaloAlto.not(PaloAlto.child(:'profile-setting').child(:group).child(:member) == 'IPS-Policy').and(
|
31
|
+
# filter = PaloAlto.not(PaloAlto.child(:'profile-setting').child(:group).child(:member) == 'IPS-Policy').and(
|
30
32
|
# PaloAlto.parenthesis(
|
31
33
|
# (PaloAlto.child(:tag).child(:member) == 'ips_enabled').or(
|
32
34
|
# PaloAlto.child(:tag).child(:member) == 'ips_force_enabled'
|
33
35
|
# )
|
34
36
|
# )
|
35
|
-
# )
|
36
|
-
#
|
37
|
+
# )
|
38
|
+
# puts filter.to_xpath
|
37
39
|
# => not(./profile-setting/group/member='IPS-Policy')and(./tag/member='ips_enabled'or./tag/member='ips_force_enabled')
|
38
40
|
|
39
41
|
rules = client.config.devices.entry(name: 'localhost.localdomain').device_group.entry(name: dg).pre_rulebase.security.rules.entry{}.get_all
|
40
42
|
|
41
|
-
rules.
|
43
|
+
rules.select! { |rule| rule.api_attributes['loc'] == dg } # filter rules inherited from upper device groups
|
42
44
|
|
43
45
|
pp rules
|
44
46
|
pp rules.length
|
45
47
|
|
46
|
-
pp rules.first.api_attributes # attributes like uuid and loc
|
47
|
-
pp rules.first.values # values as hash
|
48
|
-
|
49
48
|
rule = rules.first
|
49
|
+
|
50
|
+
pp rule.api_attributes # attributes like uuid and loc
|
51
|
+
pp rule.values # values as hash
|
52
|
+
|
50
53
|
rule.tag.member = [new_tag.name]
|
51
54
|
rule.group_tag = new_tag.name
|
52
55
|
rule.description += '....'
|
53
|
-
rule.
|
56
|
+
rule.edit!
|
54
57
|
|
58
|
+
# renaming rules
|
55
59
|
puts rule.to_xpath
|
56
60
|
rule.rename!('Test 1')
|
57
61
|
puts rule.to_xpath
|
58
|
-
|
62
|
+
puts rule.name
|
59
63
|
|
60
|
-
|
64
|
+
# Bulk changes on multiple rules:
|
65
|
+
rules = client.config.devices.entry(name: 'localhost.localdomain').device_group.entry(name: dg).pre_rulebase.security.rules.get
|
66
|
+
|
67
|
+
rules.entries.each do |name, rule|
|
68
|
+
next unless rule.values.dig('profile-setting', 'group', 'member') == ['Internal-detect']
|
69
|
+
|
70
|
+
rule.profile_setting.group.member = ['Internal']
|
71
|
+
# to remove profile-setting: rule.delete_child('profile-setting')
|
72
|
+
end
|
73
|
+
puts "Pushing all rules to #{rules.to_xpath}"
|
74
|
+
rules.edit!
|
61
75
|
|
62
76
|
# create a new template
|
63
77
|
new_template = client.config.devices.entry(name: 'localhost.localdomain').template.entry(name: 'testtemplate').create!
|
64
|
-
new_template.
|
78
|
+
new_template.set!
|
79
|
+
|
80
|
+
exit 0
|
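Review bot: The bulk-change block ends with an unconditional `rules.edit!`, so every run of the example rewrites the whole pre-rulebase container even when no rule matched the `Internal-detect` filter; if `edit!` replaces the `<rules>` node (as its use on a single rule suggests, though the library code is not in this hunk) that also clobbers any candidate-config edits another admin made since `get`. Track whether anything changed and skip the push otherwise, and rename the unused block parameter to `_name` so the loop reads as intended. Separately, the client at the top of the file still carries a literal admin password; an example that reads `ENV.fetch('PANORAMA_PASSWORD')` would keep real credentials out of copied scripts.

```ruby
# … unchanged: rules = client.config....pre_rulebase.security.rules.get …
changed = false
rules.entries.each do |_name, rule|
  next unless rule.values.dig('profile-setting', 'group', 'member') == ['Internal-detect']

  rule.profile_setting.group.member = ['Internal']
  changed = true
end
rules.edit! if changed
```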
data/examples/test_op.rb
CHANGED
@@ -1,31 +1,33 @@
|
|
1
|
-
|
1
|
+
# frozen_string_literal: true
|
2
2
|
|
3
|
-
|
4
|
-
|
5
|
-
|
6
|
-
|
7
|
-
'
|
8
|
-
|
9
|
-
|
10
|
-
|
11
|
-
|
12
|
-
|
13
|
-
|
3
|
+
require 'palo_alto'
|
4
|
+
load '/usr/share/panorama-api/new_op.rb'
|
5
|
+
|
6
|
+
a = { commit: { partial:
|
7
|
+
{ admin: ['admin'],
|
8
|
+
'no-template': true,
|
9
|
+
'no-template-stack': true,
|
10
|
+
'no-log-collector': true,
|
11
|
+
'no-log-collector-group': true,
|
12
|
+
'no-wildfire-appliance': true,
|
13
|
+
'no-wildfire-appliance-cluster': true,
|
14
|
+
'device-and-network': 'excluded',
|
15
|
+
'shared-object': 'excluded' } } }
|
14
16
|
|
15
17
|
b = { show: { devices: 'all' } }
|
16
18
|
|
17
19
|
c = { revert: { config: {
|
18
|
-
partial:
|
19
|
-
|
20
|
-
'no-template',
|
21
|
-
'no-template-stack',
|
22
|
-
'no-log-collector',
|
23
|
-
'no-log-collector-group',
|
24
|
-
'no-wildfire-appliance',
|
25
|
-
'no-wildfire-appliance-cluster',
|
26
|
-
|
27
|
-
|
28
|
-
|
20
|
+
partial: {
|
21
|
+
admin: ['admin'],
|
22
|
+
'no-template': true,
|
23
|
+
'no-template-stack': true,
|
24
|
+
'no-log-collector': true,
|
25
|
+
'no-log-collector-group': true,
|
26
|
+
'no-wildfire-appliance': true,
|
27
|
+
'no-wildfire-appliance-cluster': true,
|
28
|
+
'device-and-network': 'excluded',
|
29
|
+
'shared-object': 'excluded'
|
30
|
+
}
|
29
31
|
} } }
|
30
32
|
|
31
33
|
d = { commit: nil }
|
@@ -42,18 +44,22 @@ j = { show: { jobs: { id: 12_431 } } }
|
|
42
44
|
|
43
45
|
k = { check: 'full-commit-required' }
|
44
46
|
|
47
|
+
l = { show: { config: { 'commit-scope': { partial: { admin: ['admin'] } } } } }
|
48
|
+
|
49
|
+
m = { show: { config: { 'commit-scope': { partial: { admin: %w[admin1 admin2] } } } } }
|
50
|
+
|
45
51
|
push_to_device = { 'commit-all': { 'shared-policy': { 'device-group': [{ name: 'TEST-DG' }] } } }
|
46
52
|
|
47
53
|
# validate:
|
48
54
|
p = { 'commit-all':
|
49
55
|
{
|
50
|
-
'shared-policy':
|
51
|
-
|
52
|
-
|
53
|
-
|
54
|
-
|
55
|
-
|
56
|
-
|
56
|
+
'shared-policy': {
|
57
|
+
'device-group': [{ name: 'PLAYGROUND' }],
|
58
|
+
'include-template': 'yes',
|
59
|
+
'merge-with-candidate-cfg': 'yes',
|
60
|
+
'force-template-values': 'no',
|
61
|
+
'validate-only': 'yes'
|
62
|
+
}
|
57
63
|
} }
|
58
64
|
|
59
65
|
i = { show: { query: { result: { id: 10_438 } } } }
|
@@ -61,64 +67,39 @@ i = { show: { query: { result: { id: 10_438 } } } }
|
|
61
67
|
# hit counts:
|
62
68
|
device_group = 'PLAYGROUND'
|
63
69
|
|
64
|
-
|
70
|
+
hc1 = {
|
65
71
|
show: {
|
66
|
-
'rule-hit-count':
|
72
|
+
'rule-hit-count': {
|
67
73
|
'device-group': [{
|
68
|
-
|
69
|
-
|
70
|
-
|
71
|
-
|
72
|
-
entry: [{
|
73
|
-
name: 'security'
|
74
|
-
}, {
|
75
|
-
rules: 'all'
|
76
|
-
}]
|
77
|
-
}]
|
74
|
+
name: device_group,
|
75
|
+
'pre-rulebase': [{
|
76
|
+
name: 'security',
|
77
|
+
rules: ['all']
|
78
78
|
}]
|
79
79
|
}]
|
80
|
-
}
|
80
|
+
}
|
81
81
|
}
|
82
82
|
}
|
83
83
|
|
84
84
|
# hit count for one rule, with more details:
|
85
85
|
rule_name = 'Rule 27'
|
86
|
-
|
86
|
+
hc2 = {
|
87
87
|
show: {
|
88
|
-
'rule-hit-count':
|
88
|
+
'rule-hit-count': {
|
89
89
|
'device-group': [{
|
90
|
-
|
91
|
-
|
92
|
-
|
93
|
-
'
|
94
|
-
entry: [{
|
95
|
-
name: 'security'
|
96
|
-
}, {
|
97
|
-
rules: {
|
98
|
-
'rule-name': [{
|
99
|
-
entry: [{
|
100
|
-
name: rule_name
|
101
|
-
}]
|
102
|
-
}]
|
103
|
-
}
|
104
|
-
}]
|
105
|
-
}]
|
90
|
+
name: device_group,
|
91
|
+
'pre-rulebase': [{
|
92
|
+
name: 'security',
|
93
|
+
rules: { 'rule-name': [{ name: rule_name }] }
|
106
94
|
}]
|
107
95
|
}]
|
108
|
-
}
|
96
|
+
}
|
109
97
|
}
|
110
98
|
}
|
111
99
|
|
112
100
|
client = PaloAlto::XML.new(host: 'panorama-test', username: 'admin', password: 'Admin123!', debug: %i[sent received])
|
113
101
|
|
114
|
-
|
115
|
-
|
116
|
-
|
117
|
-
|
118
|
-
puts '---------------------------'
|
119
|
-
pp client.op.execute(e)
|
120
|
-
puts '---------------------------'
|
121
|
-
|
122
|
-
# pp client.op.execute(f)
|
123
|
-
|
124
|
-
pp client.op.execute(k)
|
102
|
+
[a, b, c, d, e, f, g, h, j, k, l, m, push_to_device, p, i, hc1, hc2].each do |cmd|
|
103
|
+
puts client.op.to_xml(cmd)
|
104
|
+
puts '---------------------------'
|
105
|
+
end
|
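Review bot: `load '/usr/share/panorama-api/new_op.rb'` near the top of the new file pulls code from an absolute path outside the gem, so the example raises LoadError on any machine without that file and, where it exists, runs whatever that system directory holds in place of the gem's own op implementation; it reads like a leftover development override and should be removed rather than shipped, since even a `File.exist?` guard would still execute code the package does not control. The client line is unchanged context but worth a note in the same pass: it embeds `password: 'Admin123!'` and enables `debug: %i[sent received]`, and if the debug output echoes the authentication request (not visible here) the credential ends up on stdout. Reading the password from `ENV.fetch('PANORAMA_PASSWORD')` and leaving `debug` off by default would make the example safe to copy. The loop at the end only calls `client.op.to_xml(cmd)`, so unlike the previous version it no longer executes anything against the device; a comment saying so would avoid surprising readers who expect output from Panorama.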