add support for hit count in Panorama Object #388

Closed
devbollinger opened this issue Dec 3, 2021 · 12 comments

@devbollinger

devbollinger commented Dec 3, 2021

Is your feature request related to a problem?

I would like to gather hit_count for security rules from Panorama. I've seen this feature implemented with the Firewall object and I was wondering if we could do the same for the Panorama object. Unless I missed something, it seems that there is nothing similar for Panorama.

Describe the solution you'd like

Something similar to this commit: 7a2e95b

Describe alternatives you've considered

I could pass an XML to Panorama.op but I would rather work with objects.

I see a panos.policies.RulebaseOpState imbricated in the SecurityRule response and I am trying to leverage this with no success.
I want to be able to retrieve security rules and their associated hit_count. If a process already exists, please let me know how to do it.

@welcome-to-palo-alto-networks

🎉 Thanks for opening your first issue here! Welcome to the community!

@shinmog
Collaborator

shinmog commented Dec 15, 2021

This is present already, docs need to be clarified about opstate stuff. Say you want hit count info for all pre-rulebase security rules in device group "myDg":

from panos.panorama import Panorama, DeviceGroup
from panos.policies import PreRulebase, SecurityRule

pano = Panorama(....)

dg = DeviceGroup("myDg")
pano.add(dg)

base = PreRulebase()
dg.add(base)

info = dg.opstate.hit_count.refresh("security", all_rules=True)

If you just want hit count info for a specific rule, then use the opstate.hit_count on the object of that specific rule.

@devbollinger
Author

devbollinger commented Dec 16, 2021

Hello @shinmog
So I tried your code and I got an exception:

  File "api.py", line 19, in <module>
    info = device_group.opstate.hit_count.refresh("security", all_rules=True)
AttributeError: 'DeviceGroupOpState' object has no attribute 'hit_count'

Here is my full code:

from panos.panorama import Panorama, DeviceGroup
from panos.policies import PostRulebase

pan = Panorama("hostname", "username", "pwd")

device_group = DeviceGroup("device group")
pan.add(device_group)

post_rule = PostRulebase()
device_group.add(post_rule)

info = device_group.opstate.hit_count.refresh("security", all_rules=True)

using pan-os-python==1.6.0

@shinmog
Collaborator

shinmog commented Jan 5, 2022

My bad. Looks like device groups don't have a hit count op state; individual rules do, and the rulebases do (policies.PreRulebase, policies.Rulebase, policies.PostRulebase).

@AnthoBalitrand
Contributor

Same here, would really help to be able to get hit counts for rules from Panorama.
Actually only managed to do that by grabbing it from each Firewall individually (with direct connection, not working when connecting via Panorama)

@rebelfish

I tried the following and received an error:

pano = Panorama(hn, un, pw)
dg = pano.add(DeviceGroup('myDG'))
rb = dg.add(PreRulebase())
hc = rb.opstate.hit_count.refresh(rules='security', all_rules=True)
Traceback (most recent call last):
  File "...\Python\Python39\site-packages\panos\base.py", line 3661, in method
    super_method(self, *args, **kwargs)
  File "...\Python\Python39\site-packages\pan\xapi.py", line 951, in op
    self.__type_op(cmd, vsys, extra_qs)
  File "...\Python\Python39\site-packages\pan\xapi.py", line 974, in __type_op
    raise PanXapiError(self.status_detail)
pan.xapi.PanXapiError:  show -> rule-hit-count -> vsys unexpected here
 show -> rule-hit-count  is unexpected 
 show  is unexpected 

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "<pyshell#14>", line 1, in <module>
    hc = rb.opstate.hit_count.refresh("security", all_rules=True)
  File "...\Python\Python39\site-packages\panos\policies.py", line 1020, in refresh
    res = dev.op(ET.tostring(cmd, encoding="utf-8"), cmd_xml=False)
  File "...\Python\Python39\site-packages\panos\panorama.py", line 441, in op
    return super(Panorama, self).op(
  File "...\Python\Python39\site-packages\panos\base.py", line 3822, in op
    element = self.xapi.op(
  File "...\Python\Python39\site-packages\panos\base.py", line 3682, in method
    raise the_exception
panos.errors.PanDeviceXapiError:  show -> rule-hit-count -> vsys unexpected here
 show -> rule-hit-count  is unexpected 
 show  is unexpected 

github-actions bot pushed a commit that referenced this issue Mar 29, 2022
## [1.7.0](v1.6.0...v1.7.0) (2022-03-29)

### Features

*  Add Prisma Access support ([#419](#419)) ([f93416e](f93416e)), closes [#406](#406) [#413](#413) [#396](#396)
* Add decryption rule target and negate_target ([#404](#404)) ([88a2903](88a2903))
* Add hierarchy retrieval info ([#366](#366)) ([a290b31](a290b31))
* Add hit count support for Panorama / device group rulebases ([#429](#429)) ([057822a](057822a)), closes [#388](#388)
* **panos.panorama.Panorama:** Add `refresh_shared_objects()` ([#436](#436)) ([11327a4](11327a4)), closes [#428](#428)
* Add alternative quoting for `op()` ([#367](#367)) ([b8d0379](b8d0379)), closes [#234](#234)
* Add Cloud Services plugin support ([683f3b5](683f3b5))
* Add Local User Database objects ([#385](#385)) ([d39b6de](d39b6de))
* Add objects.ApplicationOverride ([#405](#405)) ([98db86a](98db86a))
* Add policies.AuthenticationRule ([#415](#415)) ([0d70d3f](0d70d3f))
* ApplicationTag - tag predefined applications ([#414](#414)) ([cfee6e3](cfee6e3))
* Make opstate more discoverable for users ([#413](#413)) ([f4f08d0](f4f08d0)), closes [#396](#396)

### Bug Fixes

* **panos.objects.ApplicationFilter:** Fix tag path  ([#381](#381)) ([a0991f8](a0991f8))
* `delete_similar()` now breaks delete calls into chunks ([#435](#435)) ([4333377](4333377))
* Fixes `refresh()` for attrib style params ([#395](#395)) ([0b47a3a](0b47a3a)), closes [#392](#392)
* Modify show_highavailability_state method xpath for Panorama ([#430](#430)) ([37ed2ca](37ed2ca))
* **AggregateInterface:** Correct lacp_passive_pre_negotiation xpath ([6a67320](6a67320)), closes [#406](#406)
@github-actions

🎉 This issue has been resolved in version 1.7.0 🎉

The release is available on PyPI and GitHub release

Posted by semantic-release bot

@ajmartins

Hi @shinmog, just following up on this. It appears I'm unable to get the hitcounts (updated version to 1.7.2).

I tried the following but it returns an empty dictionary:

```python
from panos.panorama import Panorama, DeviceGroup
from panos.policies import PostRulebase, SecurityRule

us = "xxx"
pw = "xxx"
hn = "xxx"
pano = Panorama(hostname=hn, api_username=us, api_password=pw)

dg = DeviceGroup("my-DG")
pano.add(dg)

rb = PostRulebase()
pano.add(rb)

hc = rb.opstate.hit_count.refresh("security", all_rules=True)
print(hc.items())
```

@AnthoBalitrand
Contributor

@ajmartins replace the following :

pano.add(rb)

by

dg.add(rb)

And it should help.

However, please note that you'll get the "rule_creation_timestamp" and "rule_modification_timestamp", but not the "hit_count", "last_hit_timestamp", or "last_reset_timestamp", as those are not tracked by Panorama.
You need to connect directly to the appliance (using a Firewall() instance) to get it.

@kevinhuy
Contributor

kevinhuy commented Jan 27, 2023

hello @AnthoBalitrand

the hit count seems to be tracked in rule usage in Panorama.
when you click on "used", it will show the hit count by firewall.


@Wyko

Wyko commented Nov 8, 2023

Any update on this?
It's clearly possible to see hit counts via Panorama. If you log into it via CLI, and run this command, you can see the same data:
show rule-hit-count device-group eagn.... post-rulebase security rules rule-name "MD..."

But there isn't an obvious way to get this data via the API.

@SimoneR2

SimoneR2 commented Jan 7, 2025

I'm resuming this old issue because I encountered the same problem. As a workaround I found that it is possible to perform this action to get the hitcount for a rule. For example, if I want to extract the hitcount for a rule in the post-rulebase section for a device-group-name I can perform:

xml_answer = panoramaclass.op(cmd="<show><rule-hit-count><device-group><entry name='**DEVICE_GROUP_NAME**'><post-rulebase><entry name='security'><rules><rule-name><entry name='**RULE-NAME**'/></rule-name></rules></entry></post-rulebase></entry></device-group></rule-hit-count></show>", cmd_xml=False, xml=False)

It will return an xml ElementTree that can be iterated. I'm not a guru in python so please correct my example:

# Used to select the most recent hit from all the firewalls that form the device-group
most_recent_hit = 0
for elem in xml_answer.findall(".//last-hit-timestamp"):
    if most_recent_hit < int(elem.text):
        most_recent_hit = int(elem.text)

I hope that this will help other users with the same issue.
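
The workaround in the comment above, as an added example that is not part of the thread or of pan-os-python: it builds the same `<show><rule-hit-count>` command with ElementTree so that device-group and rule names are escaped, then reduces the response to the most recent hit and flags rules with no recent traffic for rule-base cleanup. The sample response is constructed; only the `last-hit-timestamp` element name comes from the thread, and treating `0` or an empty value as "never hit" is an assumption.

```python
import xml.etree.ElementTree as ET

def build_hit_count_cmd(device_group, rule_name):
    """Build the op command from the comment above for one post-rulebase
    security rule. ElementTree escapes the names, so quotes, '&' or '<'
    in a rule name cannot break the command XML."""
    show = ET.Element("show")
    node = ET.SubElement(show, "rule-hit-count")
    node = ET.SubElement(node, "device-group")
    node = ET.SubElement(node, "entry", {"name": device_group})
    node = ET.SubElement(node, "post-rulebase")
    node = ET.SubElement(node, "entry", {"name": "security"})
    node = ET.SubElement(node, "rules")
    node = ET.SubElement(node, "rule-name")
    ET.SubElement(node, "entry", {"name": rule_name})
    # Pass the result as in the thread: pano.op(cmd=..., cmd_xml=False, xml=False)
    return ET.tostring(show, encoding="unicode")

def last_hit(response):
    """Most recent last-hit-timestamp (epoch seconds) across all firewalls
    in the response, or None if no firewall reports a hit.
    Assumption: 0 or an empty element means the rule was never hit."""
    stamps = []
    for elem in response.iter("last-hit-timestamp"):
        text = (elem.text or "").strip()
        if text.isdigit() and int(text) > 0:
            stamps.append(int(text))
    return max(stamps) if stamps else None

def is_stale(response, now, max_age_days=90):
    """True if no firewall has hit the rule within max_age_days of 'now'."""
    newest = last_hit(response)
    return newest is None or now - newest > max_age_days * 86400

# Constructed sample, NOT a captured Panorama response: the layout around
# <last-hit-timestamp> is illustrative, and the parser does not depend on it.
SAMPLE = ET.fromstring("""
<response status="success"><result><rule-hit-count>
  <entry name="fw-a"><last-hit-timestamp>1700000000</last-hit-timestamp></entry>
  <entry name="fw-b"><last-hit-timestamp>1704067200</last-hit-timestamp></entry>
  <entry name="fw-c"><last-hit-timestamp>0</last-hit-timestamp></entry>
  <entry name="fw-d"><last-hit-timestamp/></entry>
</rule-hit-count></result></response>
""")

if __name__ == "__main__":
    print(build_hit_count_cmd("my-DG", "allow-web"))
    print(last_hit(SAMPLE), is_stale(SAMPLE, now=1704067200 + 91 * 86400))
```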
