support for hip-profiles has been removed in 10.1.5 and 10.2.x, but panos still tries to put the hip-profiles in security rules #441

Closed
2ps opened this issue Apr 6, 2022 · 6 comments
Contributor

2ps commented Apr 6, 2022

Describe the bug

When using ansible or the panos python sdk to create security rules, the panos python sdk will add a default element of hip-profiles with the value of Any into the request xml. Such requests will fail on 10.1.5 and 10.2.x because support for the hip-profiles element in security policies has been removed. This breaks all ansible playbooks that manage security policies on newer versions of panos. Yuck!

Expected behavior

Security policy creation or updates should succeed without failure.

Current behavior

Security policy creation and commits fail because of extraneous hip-profiles elements in the request xml.

Possible solution

Modify versioning so that on version 10.1.5 and 10.2.x, hip-profiles elements are not submitted.

Steps to reproduce

  1. Start with a firewall running panos 10.1.5
  2. Try to create any security policy using the panos python sdk
  3. Cry as you realize that you can no longer do so, and find a dark quiet corner in which to be alone with your thoughts.
  4. Grab kleenex to wipe away the tears as you realize that your automation stacks no longer work.

Your Environment

AWS vm-series firewall running PanOS 10.1.5 (we were afraid to upgrade to 10.2.0 because of the whole "you might lose your ip addresses from time-to-time" issue).

  • Version used: 10.1.5
  • Environment name and version (e.g. Chrome 59, node.js 5.4, python 3.7.3): python3.8.10 panos==1.17.0
  • Operating System and version (desktop or mobile): wsl under windows 10 on desktop, focal 20.04.3
@2ps 2ps added the bug label Apr 6, 2022
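
The version gate proposed under "Possible solution" above, sketched as an added example that is not part of the original issue and is not pan-os-python's own code. The function names and the sample rule XML are assumptions constructed for illustration; the 10.1.5 threshold comes from the issue text and the 1.7.2 changelog entry.

```python
import re
import xml.etree.ElementTree as ET

# Threshold from the issue and the 1.7.2 changelog entry ("removed from v10.1.5+").
HIP_PROFILES_REMOVED_IN = (10, 1, 5)

# Constructed sample rule body, not captured from a real firewall.
SAMPLE_RULE = (
    '<entry name="allow-web">'
    "<from><member>trust</member></from>"
    "<to><member>untrust</member></to>"
    "<source><member>any</member></source>"
    "<destination><member>any</member></destination>"
    "<hip-profiles><member>any</member></hip-profiles>"
    "<action>allow</action>"
    "</entry>"
)


def parse_panos_version(version):
    """Turn '10.1.5-h1' into (10, 1, 5); a hotfix suffix is ignored."""
    match = re.match(r"(\d+)\.(\d+)\.(\d+)", version.strip())
    if match is None:
        raise ValueError(f"unrecognised PAN-OS version: {version!r}")
    return tuple(int(part) for part in match.groups())


def render_rule_for_version(rule_xml, version):
    """Return the rule XML with hip-profiles dropped on releases that reject it."""
    entry = ET.fromstring(rule_xml)
    if parse_panos_version(version) >= HIP_PROFILES_REMOVED_IN:
        for element in entry.findall("hip-profiles"):
            entry.remove(element)
    return ET.tostring(entry, encoding="unicode")


if __name__ == "__main__":
    # Hypothetical version strings; prints whether hip-profiles survives.
    for version in ("10.1.4", "10.1.5-h1", "10.2.0"):
        print(version, "hip-profiles" in render_rule_for_version(SAMPLE_RULE, version))
```

Comparing parsed tuples rather than raw strings keeps hotfix builds such as 10.1.5-h1 on the correct side of the gate and avoids lexical surprises like "10.10.0" sorting below "10.2.0".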
@welcome-to-palo-alto-networks

🎉 Thanks for opening your first issue here! Welcome to the community!

@chasingmonkeys

chasingmonkeys commented Apr 10, 2022

PAN-OS 10.1.5-h1
pan-os-python 1.7.1

Expected:
source-hip or destination-hip

Observed:
hip-profiles

Msg:
hip-profiles unexpected here

github-actions bot pushed a commit that referenced this issue Apr 27, 2022
### [1.7.2](v1.7.1...v1.7.2) (2022-04-27)

### Bug Fixes

* **panos.base.PanObject.refresh_variable:** Refresh works again for regular and attrib style params ([#446](#446)) ([20dd7b7](20dd7b7)), closes [#444](#444)
* **panos.policies.SecurityRule:** `hip-profiles` removed from v10.1.5+ ([#442](#442)) ([ab4d088](ab4d088)), closes [#441](#441)
@shinmog
Collaborator

shinmog commented Apr 27, 2022

This is fixed in 1.7.2

@shinmog shinmog closed this as completed Apr 27, 2022
@mvfcva

mvfcva commented May 9, 2022

Patch in SDK 1.7.2 fixes the issue for PAN-OS 10.1.5+
Same issue is also affecting PAN-OS 10.0.9, can you please also apply same patch to that release?

@niket-shah-zocdoc

Hi, the above issue was also observed on 11.0.2. How can we go ahead for resolution?

@pengw00

pengw00 commented Feb 5, 2024

> Patch in SDK 1.7.2 fixes the issue for PAN-OS 10.1.5+
> Same issue is also affecting PAN-OS 10.0.9, can you please also apply same patch to that release?

How can I do a patch in SDK 1.7.2? Do I have to replace the SDK version?
