Merge branch 'release/0.14.0'

HISTORY.rst

@@ -3,6 +3,25 @@
 History
 =======
 
+0.14.0
+------
+
+Released: 2020-01-14
+
+Status: Alpha
+
+New Classes:
+
+- `objects.DynamicUserGroup`
+- `policies.PolicyBasedForwarding`
+
+Other Updates:
+
+- Added dynamic user group (DUG) support to the userid namespace
+- Fixes to `network.AggregateInterface`
+- Removed default value from `network.IkeGateway.peer_id_check`
+- Docstring updates
+
 0.13.0
 ------
 

pandevice/__init__.py

@@ -23,7 +23,7 @@
 
 __author__ = 'Palo Alto Networks'
 __email__ = '[email protected]'
-__version__ = '0.13.0'
+__version__ = '0.14.0'
 
 
 import logging

pandevice/device.py

@@ -118,6 +118,7 @@ class Vsys(VersionedPanObject):
         "objects.SecurityProfileGroup",
         "objects.CustomUrlCategory",
         "objects.LogForwardingProfile",
+        "objects.DynamicUserGroup",
         "policies.Rulebase",
         "network.EthernetInterface",
         "network.AggregateInterface",

pandevice/firewall.py

@@ -83,6 +83,7 @@ class Firewall(PanDevice):
         "objects.SecurityProfileGroup",
         "objects.CustomUrlCategory",
         "objects.LogForwardingProfile",
+        "objects.DynamicUserGroup",
         "policies.Rulebase",
         "network.EthernetInterface",
         "network.AggregateInterface",

pandevice/network.py

@@ -736,7 +736,7 @@ class Layer3Subinterface(Subinterface):
         management_profile (ManagementProfile): Interface Management Profile
         mtu(int): MTU for interface
         adjust_tcp_mss (bool): Adjust TCP MSS
-        netflow_profile (NetflowProfile): Netflow profile
+        netflow_profile (str): Netflow profile
         comment (str): The interface's comment
         ipv4_mss_adjust(int): TCP MSS adjustment for ipv4
         ipv6_mss_adjust(int): TCP MSS adjustment for ipv6
@@ -826,7 +826,7 @@ class Layer2Subinterface(Subinterface):
         tag (int): Tag for the interface, aka vlan id
         lldp_enabled (bool): Enable LLDP
         lldp_profile (str): Reference to an lldp profile
-        netflow_profile_l2 (NetflowProfile): Reference to a netflow profile
+        netflow_profile_l2 (str): Netflow profile
         comment (str): The interface's comment
 
     """
@@ -934,10 +934,10 @@ class EthernetInterface(PhysicalInterface):
             Profile
         mtu(int): Layer3: MTU for interface
         adjust_tcp_mss (bool): Layer3: Adjust TCP MSS
-        netflow_profile (NetflowProfile): Netflow profile
+        netflow_profile (str): Netflow profile
         lldp_enabled (bool): Layer2: Enable LLDP
         lldp_profile (str): Layer2: Reference to an lldp profile
-        netflow_profile_l2 (NetflowProfile): Netflow profile
+        netflow_profile_l2 (str): Netflow profile
         link_speed (str): Link speed: eg. auto, 10, 100, 1000
         link_duplex (str): Link duplex: eg. auto, full, half
         link_state (str): Link state: eg. auto, up, down
@@ -1109,7 +1109,7 @@ class AggregateInterface(PhysicalInterface):
         management_profile (ManagementProfile): Layer3: Interface Management Profile
         mtu(int): Layer3: MTU for interface
         adjust_tcp_mss (bool): Layer3: Adjust TCP MSS
-        netflow_profile (NetflowProfile): Netflow profile
+        netflow_profile (str): Netflow profile
         lldp_enabled (bool): Enable LLDP
         lldp_profile (str): Reference to an lldp profile
         comment (str): The interface's comment
@@ -1171,13 +1171,15 @@ def _setup(self):
             vartype='yesno', path='{mode}/adjust-tcp-mss/enable')
         params.append(VersionedParamPath(
             'netflow_profile',
-            condition={'mode': ['layer3', 'layer2', 'vwire']},
+            condition={'mode': ['layer3', 'layer2', 'virtual-wire']},
             path='{mode}/netflow-profile'))
         params.append(VersionedParamPath(
-            'lldp_enabled', condition={'mode': ['layer3', 'layer2', 'vwire']},
+            'lldp_enabled',
+            condition={'mode': ['layer3', 'layer2', 'virtual-wire']},
             path='{mode}/lldp/enable', vartype='yesno'))
         params.append(VersionedParamPath(
-            'lldp_profile', condition={'mode': ['layer3', 'layer2', 'vwire']},
+            'lldp_profile',
+            condition={'mode': ['layer3', 'layer2', 'virtual-wire']},
             path='{mode}/lldp/profile'))
         params.append(VersionedParamPath(
             'comment', path='comment'))
@@ -1231,7 +1233,7 @@ class VlanInterface(Interface):
         management_profile (ManagementProfile): Interface Management Profile
         mtu(int): MTU for interface
         adjust_tcp_mss (bool): Adjust TCP MSS
-        netflow_profile (NetflowProfile): Netflow profile
+        netflow_profile (str): Netflow profile
         comment (str): The interface's comment
         ipv4_mss_adjust(int): TCP MSS adjustment for ipv4
         ipv6_mss_adjust(int): TCP MSS adjustment for ipv6
@@ -1337,7 +1339,7 @@ class LoopbackInterface(Interface):
         management_profile (ManagementProfile): Interface Management Profile
         mtu(int): MTU for interface
         adjust_tcp_mss (bool): Adjust TCP MSS
-        netflow_profile (NetflowProfile): Netflow profile
+        netflow_profile (str): Netflow profile
         comment (str): The interface's comment
         ipv4_mss_adjust(int): TCP MSS adjustment for ipv4
         ipv6_mss_adjust(int): TCP MSS adjustment for ipv6
@@ -1399,7 +1401,7 @@ class TunnelInterface(Interface):
         ipv6_enabled (bool): IPv6 Enabled (requires IPv6Address child object)
         management_profile (ManagementProfile): Interface Management Profile
         mtu(int): MTU for interface
-        netflow_profile (NetflowProfile): Netflow profile
+        netflow_profile (str): Netflow profile
         comment (str): The interface's comment
 
     """
@@ -3060,7 +3062,7 @@ def _setup(self):
         params.append(VersionedParamPath(
             'peer_id_value', path='peer-id/id'))
         params.append(VersionedParamPath(
-            'peer_id_check', default='exact',
+            'peer_id_check',
             values=('exact', 'wildcard'), path='peer-id/matching'))
         params.append(VersionedParamPath(
             'local_cert', condition={'auth_type': 'certificate'},

pandevice/objects.py

@@ -702,3 +702,35 @@ def _setup(self):
             condition={'action_type': 'tagging'})
 
         self._params = tuple(params)
+
+
+class DynamicUserGroup(VersionedPanObject):
+    """Dynamic user group.
+
+    Note:  PAN-OS 9.1+
+
+    Args:
+        name: Name of the dynamic user group
+        description (str): Description of this object
+        filter: Tag-based filter.
+        tag (list): Administrative tags
+
+    """
+    ROOT = Root.VSYS
+    SUFFIX = ENTRY
+
+    def _setup(self):
+        # xpaths
+        self._xpaths.add_profile(value='/dynamic-user-group')
+
+        # params
+        params = []
+
+        params.append(VersionedParamPath(
+            'description', path='description'))
+        params.append(VersionedParamPath(
+            'filter', path='filter'))
+        params.append(VersionedParamPath(
+            'tag', path='tag', vartype='member'))
+
+        self._params = tuple(params)

pandevice/policies.py

@@ -39,8 +39,9 @@ class Rulebase(VersionedPanObject):
     """
     ROOT = Root.VSYS
     CHILDTYPES = (
-        "policies.SecurityRule",
         "policies.NatRule",
+        "policies.PolicyBasedForwarding",
+        "policies.SecurityRule",
     )
 
     def _setup(self):
@@ -112,6 +113,7 @@ class SecurityRule(VersionedPanObject):
             (applies to panorama/device groups only)
         target (list): Apply this policy to the listed firewalls only
             (applies to panorama/device groups only)
+        uuid (str): (PAN-OS 9.0+) The UUID for this rule.
 
     """
     # TODO: Add QoS variables
@@ -249,6 +251,7 @@ class NatRule(VersionedPanObject):
         target (list): Apply this policy to the listed firewalls only
             (applies to panorama/device groups only)
         tag (list): Administrative tags
+        uuid (str): (PAN-OS 9.0+) The UUID for this rule.
 
     """
     SUFFIX = ENTRY
@@ -442,3 +445,141 @@ def _setup(self):
             vartype='attrib', path='uuid')
 
         self._params = tuple(params)
+
+
+class PolicyBasedForwarding(VersionedPanObject):
+    """PBF rule.
+
+    Args:
+        description (str): The descripton
+        tags (str/list): List of tags
+        from_type (str): Source from type.  Valid values are 'zone' (default)
+            or 'interface'.
+        from_values (str/list): The source values for the given type.
+        source_addresses (str/list): List of source IP addresses.
+        source_users (str/list): List of source users.
+        negate_source (bool): Set to negate the source.
+        destination_addresses (str/list): List of destination addresses.
+        negate_destination (bool): Set to negate the destination.
+        applications (str/list): List of applications.
+        services (str/list): List of services.
+        schedule (str): The schedule.
+        disabled (bool): Set to disable this rule.
+        action (str): The action to take.  Valid values are 'forward'
+            (default), 'forward-to-vsys', 'discard', or 'no-pbf'.
+        forward_vsys (str): The vsys to forward to if action is set to
+            forward to a vsys.
+        forward_egress_interface (str): The egress interface.
+        forward_next_hop_type (str): The next hop type.  Valid values
+            are 'ip-address', 'fqdn', or None (default).
+        forward_next_hop_value (str): The next hop value if the forward
+            next hop type is not None.
+        forward_monitor_profile (str): The monitor profile to use.
+        forward_monitor_ip_address (str): The monitor IP address.
+        forward_monitor_disable_if_unreachable (bool): Set to disable
+            this rule if nexthop / monitor IP is unreachable.
+        enable_enforce_symmetric_return (bool): Set to enforce
+            symmetric return.
+        symmetric_return_addresses (str/list): List of symmetric return
+            addresses.
+        target (list): Apply this policy to the listed firewalls only
+            (applies to panorama/device groups only)
+        negate_target (bool): Target all but the listed target firewalls
+            (applies to panorama/device groups only)
+        uuid (str): (PAN-OS 9.0+) The UUID for this rule.
+
+    """
+    SUFFIX = ENTRY
+    ROOT = Root.VSYS
+
+    def _setup(self):
+        # xpaths
+        self._xpaths.add_profile(value='/pbf/rules')
+
+        # params
+        params = []
+
+        params.append(VersionedParamPath(
+            'description', path='description'))
+        params.append(VersionedParamPath(
+            'tags', vartype='member', path='tag'))
+        params.append(VersionedParamPath(
+            'from_type', default='zone',
+            values=['zone', 'interface'], path='from/{from_type}'))
+        params.append(VersionedParamPath(
+            'from_value',  vartype='member',
+            path='from/{from_type}'))
+        params.append(VersionedParamPath(
+            'source_addresses', vartype='member', path='source'))
+        params.append(VersionedParamPath(
+            'source_users', vartype='member', path='source-user'))
+        params.append(VersionedParamPath(
+            'negate_source', vartype='yesno', path='negate-source'))
+        params.append(VersionedParamPath(
+            'destination_addresses', vartype='member', path='destination'))
+        params.append(VersionedParamPath(
+            'negate_destination', vartype='yesno', path='negate-destination'))
+        params.append(VersionedParamPath(
+            'applications', vartype='member', path='application'))
+        params.append(VersionedParamPath(
+            'services', vartype='member', path='service'))
+        params.append(VersionedParamPath(
+            'schedule', path='schedule'))
+        params.append(VersionedParamPath(
+            'disabled', vartype='yesno', path='disabled'))
+        params.append(VersionedParamPath(
+            'action', default='forward',
+            values=['forward', 'forward-to-vsys', 'discard', 'no-pbf'],
+            path='action/{action}'))
+        params.append(VersionedParamPath(
+            'forward_vsys',
+            condition={'action': 'forward-to-vsys'},
+            path='action/{action}/forward-to-vsys'))
+        params.append(VersionedParamPath(
+            'forward_egress_interface',
+            condition={'action': 'forward'},
+            path='action/{action}/egress-interface'))
+        params.append(VersionedParamPath(
+            'forward_next_hop_type',
+            condition={'action': 'forward'},
+            values=['ip-address', 'fqdn', None],
+            path='action/{action}/nexthop/{forward_next_hop_type}'))
+        params.append(VersionedParamPath(
+            'forward_next_hop_value',
+            condition={
+                'action': 'forward',
+                'forward_next_hop_type': ['ip-address', 'fqdn'],
+            },
+            path='action/{action}/nexthop/{forward_next_hop_type}'))
+        params.append(VersionedParamPath(
+            'forward_monitor_profile',
+            condition={'action': 'forward'},
+            path='action/{action}/monitor/profile'))
+        params.append(VersionedParamPath(
+            'forward_monitor_ip_address',
+            condition={'action': 'forward'},
+            path='action/{action}/monitor/ip-address'))
+        params.append(VersionedParamPath(
+            'forward_monitor_disable_if_unreachable', vartype='yesno',
+            condition={'action': 'forward'},
+            path='action/{action}/monitor/disable-if-unreachable'))
+        params.append(VersionedParamPath(
+            'enable_enforce_symmetric_return', vartype='yesno',
+            path='enforce-symmetric-return/enabled'))
+        params.append(VersionedParamPath(
+            'symmetric_return_addresses', vartype='entry',
+            path='enforce-symmetric-return/nexthop-address-list'))
+        params.append(VersionedParamPath(
+            'active_active_device_binding',
+            path='active-active-device-binding'))
+        params.append(VersionedParamPath(
+            'target', vartype='entry', path='target/devices'))
+        params.append(VersionedParamPath(
+            'negate_target', vartype='yesno', path='target/negate'))
+        params.append(VersionedParamPath(
+            'uuid', exclude=True))
+        params[-1].add_profile(
+            '9.0.0',
+            vartype='attrib', path='uuid')
+
+        self._params = tuple(params)