File: //opt/saltstack/salt/lib/python3.10/site-packages/salt/states/__pycache__/panos.cpython-310.pyc
o
�����N�g�������������������������@���s|���d�Z�d�d�l�Z�d�d�l�m�����m�Z���d�d�l�m�����m�Z ��e��
e���Z�d�d���Z
d:d�d���Z�d�d ��Z�d
d���Z�d�d
��Z�d�d���Z�d�d���Z�d�d���Z�d�d���Z�d�d���Z�d�d���Z�d�d���Z� � � � � � � �d;d�d���Z� �d<d�d ��Z�d=d!d"��Z�d#d$��Z�d>d%d&��Z�d?d'd(��Z�d=d)d*��Z�d@d+d,��Z d-d.��Z!d=d/d0��Z" � 1 � � � � � � � � � � � � � � � � � � � � � � � � �dAd2d3��Z# � � � � � �dBd4d5��Z$ �d<d6d7��Z%d=d8d9��Z&d�S�)Ca[
��
A state module to manage Palo Alto network devices.
:codeauthor: ``Spencer Ervin <spencer_ervin@hotmail.com>``
:maturity: new
:depends: none
:platform: unix
About
=====
This state module was designed to handle connections to a Palo Alto based
firewall. This module relies on the Palo Alto proxy module to interface with the devices.
This state module is designed to give extreme flexibility in the control over XPATH values on the PANOS device. It
exposes the core XML API commands and allows state modules to chain complex XPATH commands.
Below is an example of how to construct a security rule and move to the top of the policy. This will take a config
lock to prevent execution during the operation, then remove the lock. After the XPATH has been deployed, it will
commit to the device.
.. code-block:: yaml
panos/takelock:
panos.add_config_lock
panos/service_tcp_22:
panos.set_config:
- xpath: /config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/service
- value: <entry name='tcp-22'><protocol><tcp><port>22</port></tcp></protocol></entry>
- commit: False
panos/create_rule1:
panos.set_config:
- xpath: /config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/rulebase/security/rules
- value: '
<entry name="rule1">
<from><member>trust</member></from>
<to><member>untrust</member></to>
<source><member>10.0.0.1</member></source>
<destination><member>10.0.1.1</member></destination>
<service><member>tcp-22</member></service>
<application><member>any</member></application>
<action>allow</action>
<disabled>no</disabled>
</entry>'
- commit: False
panos/moveruletop:
panos.move_config:
- xpath: /config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/rulebase/security/rules/entry[@name='rule1']
- where: top
- commit: False
panos/removelock:
panos.remove_config_lock
panos/commit:
panos.commit_config
Version Specific Configurations
===============================
Palo Alto devices running different versions will have different supported features and different command structures. In
order to account for this, the proxy module can be leveraged to check if the panos device is at a specific revision
level.
The proxy['panos.is_required_version'] method will check if a panos device is currently running a version equal or
greater than the passed version. For example, proxy['panos.is_required_version']('7.0.0') would match both 7.1.0 and
8.0.0.
.. code-block:: jinja
{% if proxy['panos.is_required_version']('8.0.0') %}
panos/deviceconfig/system/motd-and-banner:
panos.set_config:
- xpath: /config/devices/entry[@name='localhost.localdomain']/deviceconfig/system/motd-and-banner
- value: |
<banner-header>BANNER TEXT</banner-header>
<banner-header-color>color2</banner-header-color>
<banner-header-text-color>color18</banner-header-text-color>
<banner-header-footer-match>yes</banner-header-footer-match>
- commit: False
{% endif %}
.. seealso::
:py:mod:`Palo Alto Proxy Module <salt.proxy.panos>`
�����Nc��������������������C���s����d�t�v�r�d�S�d�S�)�N��panos.commitT)�Fz panos module could not be loaded)���__salt__��r����r�����E/opt/saltstack/salt/lib/python3.10/site-packages/salt/states/panos.py��__virtual__]���s����������r����Fc��������������������C���sH���t�|�t���r�|�r
d�|�v�r
d�S�d�}�|�D�]
}�|�d�|���d���7�}�q�|�S�d�|���d���S�)�z>
Builds a member formatted string for XML operation.
��anyz�<member>any</member>��z�<member>z </member>)��
isinstance��list)���membersZ�anycheck��response��mr����r����r������_build_membersc���s����
���������������r����c��������������������C���s����|�i�d�d�d�d���}�|�S�)�z+
Set the default response values.
NFr����)���name��changes��commit��result��commentr������r������retr����r����r������_default_retu���s��������r����c��������������������C����"���d�d�|�|�d���}�t�d���|���}�t�|���S�)�z/
Sends an edit request to the device.
��configZ�edit����type��action��xpath��element�
panos.call��� __proxy__��_validate_response��r����r������queryr����r����r����r������_edit_config~��������������r$���c��������������������C���s����d�d�|�d���}�t�d���|���}�|�S�)�z.
Retrieves an xpath from the device.
r������get��r����r����r����r����)�r �����r����r#���r����r����r����r������_get_config����s����������r)���c��������������������C����$���d�d�|�d�|�d���}�t�d���|���}�t�|���S�)�z6
Moves an xpath to the after of its section.
r������move��after��r����r����r������where��dstr����r������r������targetr#���r����r����r����r������_move_after�������������������������r2���c��������������������C���r*���)��7
Moves an xpath to the bottom of its section.
r����r+�����beforer-���r����r����r0���r����r����r������_move_before����r3���r6���c��������������������C����"���d�d�|�d�d���}�t�d���|���}�t�|���S�)�r4���r����r+�����bottom��r����r����r����r.���r����r����r(���r����r����r������_move_bottom����r%���r:���c��������������������C���r7���)�z4
Moves an xpath to the top of its section.
r����r+�����topr9���r����r����r(���r����r����r����� _move_top����r%���r<���c��������������������C���r����)�z-
Sends a set request to the device.
r������setr����r����r����r"���r����r����r������_set_config����r%���r>���c��������������������C���s����|�s�d�S�d�|�v�r8d�|�d���v�r*|�d���d���d�k�r�d�|�f�S�|�d���d���d�k�r&d�|�f�S�d�|�f�S�|�d���d�k�r4d�|�f�S�d�|�f�S�d |�v�rJ|�d ��d
k�rFd�|�f�S�d�|�f�S�d�|�f�S�)�z\
Validates a response from a Palo Alto device. Used to verify success of commands.
)�Fz(Unable to validate response from device.��msg��linez�already at the topTz�already at the bottomFz�command succeeded��status��successr����)�r����r����r����r����r!�������s"�������������������������������������r!���c��������������������C����"���t�|���}�|���t�d�����d�d�������|�S�)�z�
Prevent other users from changing configuration until the lock is released.
name: The name of the module function to execute.
SLS Example:
.. code-block:: yaml
panos/takelock:
panos.add_config_lock
z�panos.add_config_lockT��r����r������r������updater����r����r����r����r������add_config_lock���������������rG��������c��������������������C���sb���t�|���}�|�s�|���d�d�i�����|�S�t�d���|�|���d���} | r#d�| v�r#| d���} n�i�} d�}
|�r0d�|���d���}
n�|�r9d |���d
��}
n�|�rBd�|���d���}
n |���d�d
i�����|�S�|�rU|
d�|���d���7�}
d�|���d�|
��d���}�t���t���|���d���}�| |�k�ru|���d�d�d�������|�S�d���|�|���}
t�|
|���\�}�}�|�s�|���d�|�i�����|�S�|�d�u�r�|���| |�d���t�d�����d�d�d�������|�S�|���| |�d���d�d�d�������|�S�)�u� ��
Ensures that an address object exists in the configured state. If it does not exist or is not configured with the
specified attributes, it will be adjusted to match the specified values.
This module will only process a single address type (ip-netmask, ip-range, or fqdn). It will process the specified
value if the following order: ip-netmask, ip-range, fqdn. For proper execution, only specify a single address
type.
name: The name of the module function to execute.
addressname(str): The name of the address object. The name is case-sensitive and can have up to 31 characters,
which an be letters, numbers, spaces, hyphens, and underscores. The name must be unique on a firewall and, on
Panorama, unique within its device group and any ancestor or descendant device groups.
vsys(str): The string representation of the VSYS ID. Defaults to VSYS 1.
ipnetmask(str): The IPv4 or IPv6 address or IP address range using the format ip_address/mask or ip_address where
the mask is the number of significant binary digits used for the network portion of the address. Ideally, for IPv6,
you specify only the network portion, not the host portion.
iprange(str): A range of addresses using the format ip_address–ip_address where both addresses can be IPv4 or both
can be IPv6.
fqdn(str): A fully qualified domain name format. The FQDN initially resolves at commit time. Entries are
subsequently refreshed when the firewall performs a check every 30 minutes; all changes in the IP address for the
entries are picked up at the refresh cycle.
description(str): A description for the policy (up to 255 characters).
commit(bool): If true the firewall will commit the changes, if false do not commit changes.
SLS Example:
.. code-block:: yaml
panos/address/h-10.10.10.10:
panos.address_exists:
- addressname: h-10.10.10.10
- vsys: 1
- ipnetmask: 10.10.10.10
- commit: False
panos/address/10.0.0.1-10.0.0.50:
panos.address_exists:
- addressname: r-10.0.0.1-10.0.0.50
- vsys: 1
- iprange: 10.0.0.1-10.0.0.50
- commit: False
panos/address/foo.bar.com:
panos.address_exists:
- addressname: foo.bar.com
- vsys: 1
- fqdn: foo.bar.com
- description: My fqdn object
- commit: False
r�����(The service name field must be provided.z�panos.get_addressr������entryr����z�<ip-netmask>z
</ip-netmask>z
<ip-range>z�</ip-range>z�<fqdn>z�</fqdn>z'A valid address type must be specified.�
<description>��</description>�
<entry name='��'>��</entry>Tz3Address object already exists. No changes required.��r����r����zi/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys{}']/address/entry[@name='{}']��r5���r,���r����z'Address object successfully configured.��r����r����r����r�����'Service object successfully configured.��r����r����r����) r����rF���r������xml��to_dict��ET�
fromstring��formatr$���)�r����Z�addressname��vsysZ ipnetmaskZ�iprangeZ�fqdn��descriptionr����r������addressr������full_elementZ�new_addressr����r����r?���r����r����r������address_exists����sf����D����������
�����������������������������������������������������������������������������������������r_���c��������������������C����@���t�|���}�|�s�|���d�d�i�����|�S�t�d���|�|���d���}�|�r#d�|�v�r#|�d���}�n�i�}�|�r1d�t�|�d�����d���}�n |���d�d i�����|�S�|�rD|�d
|���d���7�}�d�|���d
|���d���} t���t���| ��d���}
|�|
k�rd|���d�d�d�������|�S�d���|�|���}�t |�| ��\�}�}
|�s||���d�|
i�����|�S�|�d�u�r�|���|�|
d���t�d�����d�d�d�������|�S�|���|�|
d���d�d�d�������|�S�)�aC���
Ensures that an address group object exists in the configured state. If it does not exist or is not configured with
the specified attributes, it will be adjusted to match the specified values.
This module will enforce group membership. If a group exists and contains members this state does not include,
those members will be removed and replaced with the specified members in the state.
name: The name of the module function to execute.
groupname(str): The name of the address group object. The name is case-sensitive and can have up to 31 characters,
which an be letters, numbers, spaces, hyphens, and underscores. The name must be unique on a firewall and, on
Panorama, unique within its device group and any ancestor or descendant device groups.
vsys(str): The string representation of the VSYS ID. Defaults to VSYS 1.
members(str, list): The members of the address group. These must be valid address objects or address groups on the
system that already exist prior to the execution of this state.
description(str): A description for the policy (up to 255 characters).
commit(bool): If true the firewall will commit the changes, if false do not commit changes.
SLS Example:
.. code-block:: yaml
panos/address-group/my-group:
panos.address_group_exists:
- groupname: my-group
- vsys: 1
- members:
- my-address-object
- my-other-address-group
- description: A group that needs to exist
- commit: False
r�����&The group name field must be provided.z�panos.get_address_groupr����rK���z�<static>Tz </static>�#The group members must be provided.rL���rM���rN���rO���rP���z9Address group object already exists. No changes required.rQ���zo/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys{}']/address-group/entry[@name='{}']rR���r����z-Address group object successfully configured.rS���rU����
r����rF���r����r����rV���rW���rX���rY���rZ���r$�����r����Z groupnamer[���r����r\���r����r������groupr����r^���Z new_groupr����r����r?���r����r����r������address_group_exists�����\����(����������
�������������������������������������������������������������������������������rf���c��������������������C����t���t�|���}�|�s�|�S�|�s�|�S�d�d�|�|�d���}�t�t�d���|�����\�}�}�|���|�|�d�������|�s)|�S�|�d�u�r8|���t�d�����d�d�������|�S�) a����
Clone a specific XPATH and set it to a new name.
name: The name of the module function to execute.
xpath(str): The XPATH of the configuration API tree to clone.
newname(str): The new name of the XPATH clone.
commit(bool): If true the firewall will commit the changes, if false do not commit changes.
SLS Example:
.. code-block:: yaml
panos/clonerule:
panos.clone_config:
- xpath: /config/devices/entry/vsys/entry[@name='vsys1']/rulebase/security/rules&from=/config/devices/
entry/vsys/entry[@name='vsys1']/rulebase/security/rules/entry[@name='rule1']
- value: rule2
- commit: True
r������clone��r����r����r������newnamer����rD���Tr������r����r������r����r!���r ���rF���r������r����r����rk���r����r����r#���r����r����r����r����r������clone_config����s������������������������������ro���c��������������������C���rC���)�z�
Commits the candidate configuration to the running configuration.
name: The name of the module function to execute.
SLS Example:
.. code-block:: yaml
panos/commit:
panos.commit_config
r����Trl���rE���r����r����r����r�����
commit_config:���rH���rp���c��������������������C���sj���t�|���}�|�s�|�S�d�d�|�d���}�t�t�d���|�����\�}�}�|���|�|�d�������|�s$|�S�|�d�u�r3|���t�d�����d�d�������|�S�) aW���
Deletes a Palo Alto XPATH to a specific value.
Use the xpath parameter to specify the location of the object to be deleted.
name: The name of the module function to execute.
xpath(str): The XPATH of the configuration API tree to control.
commit(bool): If true the firewall will commit the changes, if false do not commit changes.
SLS Example:
.. code-block:: yaml
panos/deletegroup:
panos.delete_config:
- xpath: /config/devices/entry/vsys/entry[@name='vsys1']/address-group/entry[@name='test']
- commit: True
r������deleter'���r����rD���Tr����rl���rm���)�r����r����r����r����r#���r����r����r����r����r�����
delete_configO���s��������������������������rr���c��������������������C���sH���t�|���}�|�d�u�r
t�d�������t�d�����d���}�d�|�v�s&d�|�d���v�s&d�|�d���d���v�r0|���d�d d
������|�S�|�d���d���d���D�]�}�|�d���|�k�rN|�d���d
k�rN|���d�d�d
������|�����S�|���d�t�d���|�|�d���i�����t�d�����d���}�d�|�v�sxd�|�d���v�sxd�|�d���d���v�r�|���d�d i�����|�S�|�d���d���d���D�]�}�|�d���|�k�r�|�d���d
k�r�|���d�d�i�����|�����S�|�S�)�a����
Ensures that a software version is downloaded.
name: The name of the module function to execute.
version(str): The software version to check. If this version is not already downloaded, it will attempt to download
the file from Palo Alto.
synch(bool): If true, after downloading the file it will be synched to its peer.
check(bool): If true, the PANOS device will first attempt to pull the most recent software inventory list from Palo
Alto.
SLS Example:
.. code-block:: yaml
panos/version8.0.0:
panos.download_software:
- version: 8.0.0
- synch: False
- check: True
Tz�panos.check_softwarez�panos.get_software_infor����z
sw-updates��versionsrK���z9Software version is not found in the local software list.FrQ�����versionZ
downloadedZ�yesz'Software version is already downloaded.r����z�panos.download_software_version)�rt�����synch)�r����r����rF���)�r����rt���ru�����checkr����rs���rK���r����r����r������download_softwarey���sH�������
�������������������������������������������������������������������rw���c��������������������C���s����t�|���}�|���d���}�t�|���d�k�r�|�d���}�d�|�v�r�|���d���d���}�t�d���|���d���}�|�r3|�r3|�|�v�r3|�|���}�n�i�}�t���t���|���d���}�|�|�k�rL|���d�d�d ������|�S�t |�|���\�} }
|���|
| d ������| s_|�S�|�d�u�rt|���|�|�d
��t�d�����d�d�������|�S�|���|�|�d
��d�d
������|�S�)�a'���
Edits a Palo Alto XPATH to a specific value. This will always overwrite the existing value, even if it is not
changed.
You can replace an existing object hierarchy at a specified location in the configuration with a new value. Use
the xpath parameter to specify the location of the object, including the node to be replaced.
This is the recommended state to enforce configurations on a xpath.
name: The name of the module function to execute.
xpath(str): The XPATH of the configuration API tree to control.
value(str): The XML value to edit. This must be a child to the XPATH.
commit(bool): If true the firewall will commit the changes, if false do not commit changes.
SLS Example:
.. code-block:: yaml
panos/addressgroup:
panos.edit_config:
- xpath: /config/devices/entry/vsys/entry[@name='vsys1']/address-group/entry[@name='test']
- value: <static><entry name='test'><member>abc</member><member>xyz</member></entry></static>
- commit: True
��/r���������[z�panos.get_xpathr����Tz.XPATH is already equal to the specified value.rQ���rR���r����)�r����r����r����rD���)
r������split��lenr����rV���rW���rX���rY���rF���r$���)�r����r������valuer����r����Z�xpath_split��headZ�current_elementZ�new_elementr����r?���r����r����r������edit_config����sH�����
�������������
�������������������������������������������������������r���c��������������������C���s����t�|���}�|�s�|�S�|�s�|�S�|�d�k�r�t�|�|���\�}�}�n!|�d�k�r$t�|�|���\�}�}�n�|�d�k�r/t�|���\�}�}�n
|�d�k�r9t�|���\�}�}�|���|�|�d�������|�sE|�S�|�d�u�rT|���t�d�����d�d�������|�S�) a����
Moves a XPATH value to a new location.
Use the xpath parameter to specify the location of the object to be moved, the where parameter to
specify type of move, and dst parameter to specify the destination path.
name: The name of the module function to execute.
xpath(str): The XPATH of the configuration API tree to move.
where(str): The type of move to execute. Valid options are after, before, top, bottom. The after and before
options will require the dst option to specify the destination of the action. The top action will move the
XPATH to the top of its structure. The botoom action will move the XPATH to the bottom of its structure.
dst(str): Optional. Specifies the destination to utilize for a move action. This is ignored for the top
or bottom action.
commit(bool): If true the firewall will commit the changes, if false do not commit changes. If the operation is
not successful, it will not commit.
SLS Example:
.. code-block:: yaml
panos/moveruletop:
panos.move_config:
- xpath: /config/devices/entry/vsys/entry[@name='vsys1']/rulebase/security/rules/entry[@name='rule1']
- where: top
- commit: True
panos/moveruleafter:
panos.move_config:
- xpath: /config/devices/entry/vsys/entry[@name='vsys1']/rulebase/security/rules/entry[@name='rule1']
- where: after
- dst: rule2
- commit: True
r,���r5���r;���r8���)�r����r����Tr����rl���)�r����r2���r6���r<���r:���rF���r����)�r����r����r.���r/���r����r����r����r?���r����r����r������move_config����s&����'������������������������������������r����c��������������������C���rC���)�z�
Release config lock previously held.
name: The name of the module function to execute.
SLS Example:
.. code-block:: yaml
panos/takelock:
panos.remove_config_lock
z�panos.remove_config_lockTrD���rE���r����r����r����r������remove_config_lock_���rH���r����c��������������������C���rh���) a����
Rename a Palo Alto XPATH to a specific value. This will always rename the value even if a change is not needed.
name: The name of the module function to execute.
xpath(str): The XPATH of the configuration API tree to control.
newname(str): The new name of the XPATH value.
commit(bool): If true the firewall will commit the changes, if false do not commit changes.
SLS Example:
.. code-block:: yaml
panos/renamegroup:
panos.rename_config:
- xpath: /config/devices/entry/vsys/entry[@name='vsys1']/address/entry[@name='old_address']
- value: new_address
- commit: True
r������renamerj���r����rD���Tr����rl���rm���rn���r����r����r�����
rename_configt���s������������������������������r������1c������������*�������C���s����t�|���}�|�s�|�S�t�d���|�|���d���}�|�r�d�|�v�r�|�d���}�n�i�}�d�}�|�r.|�d�t�|�d�����d���7�}�n |���d�d i�����|�S�|�rE|�d
t�|�d�����d���7�}�n |���d�d�i�����|�S�|�r\|�d
t�|�d�����d���7�}�n |���d�d�i�����d�S�|�rr|�d���t�|�d�����7�}�n |���d�d�i�����|�S�| r�|�d���t�| d�����7�}�n |���d�d�i�����|�S�|
r�|�d�t�|
d�����d���7�}�n |���d�d�i�����|�S�|�r�|�d�|���d���7�}�n |���d�d�i�����|�S�|�d�u�r�|�r�|�d�7�}�n�|�d�7�}�|�r�|�d�|���d���7�}�|�r�|�d�|���d ��7�}�|
d�u�r�|
r�|�d!7�}�n�|�d"7�}�|�d�u�r�|�r�|�d#7�}�n�|�d$7�}�|�d�u���r�|���r
|�d%7�}�n�|�d&7�}�|�d�u���r�|���r�|�d'7�}�n�|�d(7�}�d�}�|���r+d)|���d*��}�nWd�} |���r7| d+��|���7�} |���rB| d,|���d-��7�} |���rM| d.|���d/��7�} |���rX| d0|���d1��7�} |���rc| d2|���d3��7�} |���rm| d4��|���7�} |���rw| d5��|���7�} | d�k���r�d6| ��d7��}�|���r�|�d8|���d9��7�}�d:|���d;|���d<��}!t���t���|!��d���}"d=}#|�|"k���r�|���d�d>i�����n&d�}#d?��|�|���}$t |$|!��\�}%}&|%��s�|���d�|&i�����|�S�|���|�|"d@��dAdB������|���r9d?��|�|���}'d=}(d�})|�dCk���r�|���r�t
|'|���\�}(})n$|�dDk���r�t�|'|���\�}(})n�|�dEk���r
t�|'��\�}(})n�|�dFk���r�t
|'��\�}(})|#��r$|���dG|�|"|)dH��i�����n |���dGdI|)i�i�����|(��s9|���d�|)i�����|�S�|�d�u���rK|���t�dJ����d�dK������|�S�|���d�d�i�����|�S�)La����
Ensures that a security rule exists on the device. Also, ensure that all configurations are set appropriately.
This method will create the rule if it does not exist. If the rule does exist, it will ensure that the
configurations are set appropriately.
If the rule does not exist and is created, any value that is not provided will be provided as the default.
The action, to, from, source, destination, application, and service fields are mandatory and must be provided.
This will enforce the exact match of the rule. For example, if the rule is currently configured with the log-end
option, but this option is not specified in the state method, it will be removed and reset to the system default.
It is strongly recommended to specify all options to ensure proper operation.
When defining the profile group settings, the device can only support either a profile group or individual settings.
If both are specified, the profile group will be preferred and the individual settings are ignored. If neither are
specified, the value will be set to system default of none.
name: The name of the module function to execute.
rulename(str): The name of the security rule. The name is case-sensitive and can have up to 31 characters, which
can be letters, numbers, spaces, hyphens, and underscores. The name must be unique on a firewall and, on Panorama,
unique within its device group and any ancestor or descendant device groups.
vsys(str): The string representation of the VSYS ID. Defaults to VSYS 1.
action(str): The action that the security rule will enforce. Valid options are: allow, deny, drop, reset-client,
reset-server, reset-both.
disabled(bool): Controls if the rule is disabled. Set 'True' to disable and 'False' to enable.
sourcezone(str, list): The source zone(s). The value 'any' will match all zones.
destinationzone(str, list): The destination zone(s). The value 'any' will match all zones.
source(str, list): The source address(es). The value 'any' will match all addresses.
destination(str, list): The destination address(es). The value 'any' will match all addresses.
application(str, list): The application(s) matched. The value 'any' will match all applications.
service(str, list): The service(s) matched. The value 'any' will match all services. The value
'application-default' will match based upon the application defined ports.
description(str): A description for the policy (up to 255 characters).
logsetting(str): The name of a valid log forwarding profile.
logstart(bool): Generates a traffic log entry for the start of a session (disabled by default).
logend(bool): Generates a traffic log entry for the end of a session (enabled by default).
negatesource(bool): Match all but the specified source addresses.
negatedestination(bool): Match all but the specified destination addresses.
profilegroup(str): A valid profile group name.
datafilter(str): A valid data filter profile name. Ignored with the profilegroup option set.
fileblock(str): A valid file blocking profile name. Ignored with the profilegroup option set.
spyware(str): A valid spyware profile name. Ignored with the profilegroup option set.
urlfilter(str): A valid URL filtering profile name. Ignored with the profilegroup option set.
virus(str): A valid virus profile name. Ignored with the profilegroup option set.
vulnerability(str): A valid vulnerability profile name. Ignored with the profilegroup option set.
wildfire(str): A valid vulnerability profile name. Ignored with the profilegroup option set.
move(str): An optional argument that ensure the rule is moved to a specific location. Valid options are 'top',
'bottom', 'before', or 'after'. The 'before' and 'after' options require the use of the 'movetarget' argument
to define the location of the move request.
movetarget(str): An optional argument that defines the target of the move operation if the move argument is
set to 'before' or 'after'.
commit(bool): If true the firewall will commit the changes, if false do not commit changes.
SLS Example:
.. code-block:: yaml
panos/rulebase/security/rule01:
panos.security_rule_exists:
- rulename: rule01
- vsys: 1
- action: allow
- disabled: False
- sourcezone: untrust
- destinationzone: trust
- source:
- 10.10.10.0/24
- 1.1.1.1
- destination:
- 2.2.2.2-2.2.2.4
- application:
- any
- service:
- tcp-25
- description: My test security rule
- logsetting: logprofile
- logstart: False
- logend: True
- negatesource: False
- negatedestination: False
- profilegroup: myprofilegroup
- move: top
- commit: False
panos/rulebase/security/rule01:
panos.security_rule_exists:
- rulename: rule01
- vsys: 1
- action: allow
- disabled: False
- sourcezone: untrust
- destinationzone: trust
- source:
- 10.10.10.0/24
- 1.1.1.1
- destination:
- 2.2.2.2-2.2.2.4
- application:
- any
- service:
- tcp-25
- description: My test security rule
- logsetting: logprofile
- logstart: False
- logend: False
- datafilter: foobar
- fileblock: foobar
- spyware: foobar
- urlfilter: foobar
- virus: foobar
- vulnerability: foobar
- wildfire: foobar
- move: after
- movetarget: rule02
- commit: False
z�panos.get_security_ruler����rK���r����z�<from>Tz�</from>r����z&The sourcezone field must be provided.z�<to>z�</to>z+The destinationzone field must be provided.z�<source>z </source>z"The source field must be provided.Nz�<destination>{}</destination>z'The destination field must be provided.z�<application>{}</application>z'The application field must be provided.z <service>z
</service>z#The service field must be provided.z�<action>z </action>z"The action field must be provided.z�<disabled>yes</disabled>z�<disabled>no</disabled>rL���rM���z
<log-setting>z�</log-setting>z�<log-start>yes</log-start>z�<log-start>no</log-start>z�<log-end>yes</log-end>z�<log-end>no</log-end>z"<negate-source>yes</negate-source>z!<negate-source>no</negate-source>z,<negate-destination>yes</negate-destination>z+<negate-destination>no</negate-destination>z�<group><member>z�</member></group>z4<data-filtering><member>{}</member></data-filtering>z�<file-blocking><member>z�</member></file-blocking>z�<spyware><member>z�</member></spyware>z�<url-filtering><member>z�</member></url-filtering>z�<virus><member>z�</member></virus>z2<vulnerability><member>{}</member></vulnerability>z:<wildfire-analysis><member>{}</member></wildfire-analysis>z
<profiles>z�</profiles>z�<profile-setting>z�</profile-setting>rN���rO���rP���Fz2Security rule already exists. No changes required.zy/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys{}']/rulebase/security/rules/entry[@name='{}']rR���z$Security rule verified successfully.)�r����r����r5���r,���r;���r8���r����)�r5���r,���r+���r+���r����rl���)�r����r����r����rF���rZ���rV���rW���rX���rY���r$���r6���r2���r<���r:���)*r����Z�rulenamer[���r������disabledZ
sourcezoneZ�destinationzone��sourceZ�destinationZ�application��servicer\���Z
logsettingZ�logstartZ�logendZ�negatesourceZ�negatedestinationZ�profilegroupZ
datafilterZ fileblockZ�spywareZ urlfilterZ�virusZ
vulnerabilityZ�wildfirer+���Z
movetargetr����r����Z�ruler����Z�profile_stringZ
member_stringr^���Z�new_ruleZ
config_changer����r����r?���Z�movepathZ�move_resultZ�move_msgr����r����r������security_rule_exists����s(�����/��������
�������������������������������������������������������������������������
���������������
�������
���
���
���
���
���������������������������
�����������
�������������������������������
�������������
���������������������������������������������
���
���
�������������������
���������r����c��������������������C���sV���t�|���}�|�s�|���d�d�i�����|�S�t�d���|�|���d���}�|�r#d�|�v�r#|�d���}�n�i�}�|�s4|�d�v�r4|���d�d�i�����|�S�|�s?|���d�d�i�����|�S�d ��|�|���} |�rO| d
|���d���7�} d�|���d
| ��d���}
t���t���|
��d���}�|�|�k�ro|���d�d�d�������|�S�d���|�|���}�t�|�|
��\�}
}�|
s�|���d�|�i�����|�S�|�d�u�r�|���|�|�d���t�d�����d�d�d�������|�S�|���|�|�d���d�d�d�������|�S�)�aO���
Ensures that a service object exists in the configured state. If it does not exist or is not configured with the
specified attributes, it will be adjusted to match the specified values.
name: The name of the module function to execute.
servicename(str): The name of the security object. The name is case-sensitive and can have up to 31 characters,
which an be letters, numbers, spaces, hyphens, and underscores. The name must be unique on a firewall and, on
Panorama, unique within its device group and any ancestor or descendant device groups.
vsys(str): The string representation of the VSYS ID. Defaults to VSYS 1.
protocol(str): The protocol that is used by the service object. The only valid options are tcp and udp.
port(str): The port number that is used by the service object. This can be specified as a single integer or a
valid range of ports.
description(str): A description for the policy (up to 255 characters).
commit(bool): If true the firewall will commit the changes, if false do not commit changes.
SLS Example:
.. code-block:: yaml
panos/service/tcp-80:
panos.service_exists:
- servicename: tcp-80
- vsys: 1
- protocol: tcp
- port: 80
- description: Hypertext Transfer Protocol
- commit: False
panos/service/udp-500-550:
panos.service_exists:
- servicename: udp-500-550
- vsys: 3
- protocol: udp
- port: 500-550
- commit: False
r����rJ���z�panos.get_servicer����rK���)�Z�tcpZ�udpz5The protocol must be provided and must be tcp or udp.z The port field must be provided.z0<protocol><{0}><port>{1}</port></{0}></protocol>rL���rM���rN���rO���rP���Tz3Service object already exists. No changes required.rQ���zi/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys{}']/service/entry[@name='{}']rR���r����rT���rS���rU���) r����rF���r����rZ���rV���rW���rX���rY���r$���)�r����Z�servicenamer[�����protocol��portr\���r����r����r����r����r^���Z�new_servicer����r����r?���r����r����r������service_exists����sb����4����������
�������������������������������������������������������������������������������������r����c��������������������C���r`���)�a2���
Ensures that a service group object exists in the configured state. If it does not exist or is not configured with
the specified attributes, it will be adjusted to match the specified values.
This module will enforce group membership. If a group exists and contains members this state does not include,
those members will be removed and replaced with the specified members in the state.
name: The name of the module function to execute.
groupname(str): The name of the service group object. The name is case-sensitive and can have up to 31 characters,
which an be letters, numbers, spaces, hyphens, and underscores. The name must be unique on a firewall and, on
Panorama, unique within its device group and any ancestor or descendant device groups.
vsys(str): The string representation of the VSYS ID. Defaults to VSYS 1.
members(str, list): The members of the service group. These must be valid service objects or service groups on the
system that already exist prior to the execution of this state.
description(str): A description for the policy (up to 255 characters).
commit(bool): If true the firewall will commit the changes, if false do not commit changes.
SLS Example:
.. code-block:: yaml
panos/service-group/my-group:
panos.service_group_exists:
- groupname: my-group
- vsys: 1
- members:
- tcp-80
- custom-port-group
- description: A group that needs to exist
- commit: False
r����ra���z�panos.get_service_groupr����rK���z <members>Tz
</members>rb���rL���rM���rN���rO���rP���z9Service group object already exists. No changes required.rQ���zo/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys{}']/service-group/entry[@name='{}']rR���r����z-Service group object successfully configured.rS���rU���rc���rd���r����r����r������service_group_exists����rg���r����c��������������������C���sP���t�|���}�t�|�|���\�}�}�|���|�|�d�������|�s�|�S�|�d�u�r&|���t�d�����d�d�������|�S�)�au���
Sets a Palo Alto XPATH to a specific value. This will always overwrite the existing value, even if it is not
changed.
You can add or create a new object at a specified location in the configuration hierarchy. Use the xpath parameter
to specify the location of the object in the configuration
name: The name of the module function to execute.
xpath(str): The XPATH of the configuration API tree to control.
value(str): The XML value to set. This must be a child to the XPATH.
commit(bool): If true the firewall will commit the changes, if false do not commit changes.
SLS Example:
.. code-block:: yaml
panos/hostname:
panos.set_config:
- xpath: /config/devices/entry[@name='localhost.localdomain']/deviceconfig/system
- value: <hostname>foobar</hostname>
- commit: True
rQ���Tr����rl���)�r����r>���rF���r����)�r����r����r}���r����r����r����r?���r����r����r�����
set_config����s��������������������r����)�F)�NrI���NNNNF)�NrI���NNF)�NNF)�NF)�NFF)�NNNF)�Nr����NNNNNNNNNNNNNNNNNNNNNNNNF)�NrI���NNNF)'��__doc__��loggingZ�xml.etree.ElementTreeZ�etreeZ�ElementTreerX���Z�salt.utils.xmlutil��utilsZ�xmlutilrV���� getLogger��__name__��logr����r����r����r$���r)���r2���r6���r:���r<���r>���r!���rG���r_���rf���ro���rp���rr���rw���r���r����r����r����r����r����r����r����r����r����r����r������<module>����s�������T����
���
���� ������������������������������
����
�
m�/
�
*
N
U�C
��0����������������������������������������������������
����|����������
��}
��m