Palo Alto Networks uses XML as the data structure for its representation of the configuration file. Automating a firewall takes three steps.
- Creating the XML file
- Pushing the XML file to the firewall
- Committing the candidate configuration
<entry name="ethernet1/3">
  <layer3>
    <units>
      <entry name="ethernet1/3.1">
        <tag>1</tag>
        <ip>
          <entry name="30.4.1.2/24"/>
        </ip>
      </entry>
    </units>
  </layer3>
</entry>
This is going to be placed into a text file called sub-int.xml which I'll use later.
In my script I read from the file and place it into a variable called data. I strip the newlines so that I don't have to separate each line into an array.
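An added example (not from the original post or from pan-python): instead of hand-writing sub-int.xml, the same element can be built in Python 3 with the VLAN tag and address validated before they reach xapi.set(). The helper name build_subinterface, the ethernetN/M name pattern and the 1-4094 tag range are assumptions of this example.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

# Assumption: physical interfaces are named ethernet<slot>/<port>, as on the page.
PARENT_RE = re.compile(r"ethernet\d+/\d+")


def build_subinterface(parent, unit, tag, cidr):
    """Return the XML element for one layer-3 sub-interface as a string.

    build_subinterface is a hypothetical helper, not part of pan-python.
    """
    if not PARENT_RE.fullmatch(parent):
        raise ValueError("unexpected interface name: %r" % (parent,))
    unit, tag = int(unit), int(tag)
    if unit < 1:
        raise ValueError("sub-interface number must be positive")
    if not 1 <= tag <= 4094:  # valid 802.1Q VLAN IDs
        raise ValueError("VLAN tag out of range: %d" % tag)
    if "/" not in cidr:
        raise ValueError("address needs a prefix length: %r" % (cidr,))
    # ip_interface() raises ValueError on anything that is not address/prefix,
    # so stray quotes or markup never reach the XML.
    iface = ipaddress.ip_interface(cidr)

    entry = ET.Element("entry", name=parent)
    units = ET.SubElement(ET.SubElement(entry, "layer3"), "units")
    sub = ET.SubElement(units, "entry", name="%s.%d" % (parent, unit))
    ET.SubElement(sub, "tag").text = str(tag)
    ET.SubElement(ET.SubElement(sub, "ip"), "entry", name=str(iface))
    # ElementTree escapes attribute values and emits no newlines,
    # so the result can be passed to xapi.set(xpath, element=...) as is.
    return ET.tostring(entry, encoding="unicode")


if __name__ == "__main__":
    # Constructed sample values matching the sub-int.xml shown on the page.
    print(build_subinterface("ethernet1/3", 1, 1, "30.4.1.2/24"))
```

The returned string can replace the data variable read from sub-int.xml, with no newline stripping needed.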
Last, you need to commit the config. One thing about the API is that the commit call needs an XML element, <commit/>.
When I tried it without a cmd, i.e. xapi.commit(), I got the following error.
pan.xapi.PanXapiError: Missing value for parameter "cmd".
This was confusing at first, until I spoke with a Palo Alto Networks Solutions Architect about it and he explained that you need to tell it which type of commit you want. There are a few options such as commit, commit partial and commit full. I think there should be a default setting. Commit without any input should mean a normal commit. Maybe I'll modify a git cloned repository.
script
-----------
import pan.xapi
from cred import get_pan_credentials

# get_pan_credentials() returns the keyword arguments for PanXapi.
# Do not print them: they are the firewall credentials.
credentials = get_pan_credentials()
xapi = pan.xapi.PanXapi(**credentials)

xpath = "/config/devices/entry/network/interface/ethernet"

# Open the XML file and read it into a variable called data.
with open("sub-int.xml", "r") as myfile:
    data = myfile.read().replace('\n', '')

# Set the config using the above xpath.
xapi.set(xpath, element=data)

# Commit the config. Make sure to add the XML command.
xapi.commit(cmd='<commit/>')
-------------
Here's the resulting screen cap: