Documentation ¶
Overview ¶
Package pango is a golang cross version mechanism for interacting with Palo Alto Networks devices (including physical and virtualized Next-generation Firewalls and Panorama). Versioning support is in place for PAN-OS 6.1 to 8.1.
To start, create a client connection with the desired parameters and then initialize the connection:
```go
package main

import (
	"log"

	"github.com/PaloAltoNetworks/pango"
)

func main() {
	var err error

	c := pango.Firewall{Client: pango.Client{
		Hostname: "127.0.0.1",
		Username: "admin",
		Password: "admin",
		Logging:  pango.LogAction | pango.LogOp,
	}}

	if err = c.Initialize(); err != nil {
		log.Printf("Failed to initialize client: %s", err)
		return
	}
	log.Printf("Initialize ok")
}
```
Initializing the connection creates the API key (if it was not already specified), then performs "show system info" to get the PAN-OS version. Once the firewall client is created, you can query and configure the Palo Alto Networks device from the functions inside the various namespaces of the client connection. Namespaces correspond to the various configuration areas available in the GUI. For example:
```go
err = c.Network.EthernetInterface.Set(...)
myPolicies, err := c.Policies.Security.GetList(...)
```
Generally speaking, there are the following functions inside each namespace:
- Get / GetList / GetAll
- Show / ShowList / ShowAll
- Set
- Edit
- Delete
These functions correspond with PAN-OS Get, Show, Set, Edit, and Delete API calls. Get(), Set(), and Edit() take and return normalized, version independent objects. These version safe objects are typically named Entry, which corresponds to how the object is placed in the PAN-OS XPATH.
Some Entry objects have a special function, Defaults(). Invoking this function will initialize the object with some default values. Each Entry that implements Defaults() calls out in its documentation what parameters are affected by this, and what the defaults are.
For any version safe object, attempting to configure a parameter that your PAN-OS doesn't support will be safely ignored in the resultant XML sent to the firewall / Panorama.
Using Edit Functions ¶
The PAN-OS XML API Edit command can be used to both create as well as update existing config, however it can also truncate config for the given XPATH. Due to this, if you want to use Edit(), you need to make sure that you perform either a Get() or a Show() first, make your modification, then invoke Edit() using that object. If you don't do this, you will truncate any sub config.
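The truncation described above, as an added example that is not pango's own code: a constructed in-memory stand-in for the candidate config at one XPATH, with `Edit` replacing the whole node the way the PAN-OS edit action does, so an Entry built from scratch silently drops the sub-config that a Get-modify-Edit sequence preserves.

```go
// Added example (not from the pango package): simulates PAN-OS "edit"
// semantics to show why Edit() must be preceded by Get() or Show().
package main

import (
	"encoding/xml"
	"fmt"
)

// Entry models a version-safe object the way pango's Entry structs do:
// every field the device knows about is present, and empty fields are
// simply absent from the XML that gets sent.
type Entry struct {
	XMLName     xml.Name `xml:"entry"`
	Name        string   `xml:"name,attr"`
	Description string   `xml:"description,omitempty"`
	Members     []string `xml:"static>member,omitempty"`
	Tags        []string `xml:"tag>member,omitempty"`
}

// device is a constructed stand-in for the candidate config at one XPATH.
type device struct{ candidate string }

// Get returns the current XML at the XPATH, unmarshalled into an Entry.
func (d *device) Get() (Entry, error) {
	var e Entry
	err := xml.Unmarshal([]byte(d.candidate), &e)
	return e, err
}

// Edit replaces the whole node at the XPATH with the marshalled element.
// Anything not present in e is gone afterwards: this is the truncation
// the documentation warns about.
func (d *device) Edit(e Entry) error {
	b, err := xml.Marshal(e)
	if err != nil {
		return err
	}
	d.candidate = string(b)
	return nil
}

// initialConfig is a constructed address group with members and a tag.
const initialConfig = `<entry name="SampleAddressGroup"><description>old</description>` +
	`<static><member>SampleAddress1</member><member>SampleAddress2</member></static>` +
	`<tag><member>sometag</member></tag></entry>`

// unsafeEdit builds a fresh Entry carrying only the field it wants to change.
// The static members and tags are not in the struct, so Edit removes them.
func unsafeEdit(d *device) (Entry, error) {
	if err := d.Edit(Entry{Name: "SampleAddressGroup", Description: "new"}); err != nil {
		return Entry{}, err
	}
	return d.Get()
}

// safeEdit follows the documented pattern: Get, modify, then Edit.
func safeEdit(d *device) (Entry, error) {
	e, err := d.Get()
	if err != nil {
		return Entry{}, err
	}
	e.Description = "new"
	if err := d.Edit(e); err != nil {
		return Entry{}, err
	}
	return d.Get()
}

func main() {
	d := &device{candidate: initialConfig}
	got, _ := unsafeEdit(d)
	fmt.Printf("unsafe: members=%v tags=%v\n", got.Members, got.Tags) // both empty

	d = &device{candidate: initialConfig}
	got, _ = safeEdit(d)
	fmt.Printf("safe:   members=%v tags=%v\n", got.Members, got.Tags) // preserved
}
```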
To learn more about the PAN-OS XML API, please refer to the Palo Alto Networks API documentation.
Example (CreateAddressGroup) ¶
Example_createAddressGroup is a Panorama example on how to create/delete a security policy with the associated address group and addresses.

```go
package main

import (
	"log"

	"github.com/PaloAltoNetworks/pango"
	"github.com/PaloAltoNetworks/pango/commit"
	"github.com/PaloAltoNetworks/pango/objs/addr"
	"github.com/PaloAltoNetworks/pango/objs/addrgrp"
	"github.com/PaloAltoNetworks/pango/poli/security"
	"github.com/PaloAltoNetworks/pango/util"
)

func main() {
	var deviceGroup = "MyDeviceGroup"
	var tags = []string{"sometag"}
	var err error

	pan := &pango.Panorama{Client: pango.Client{
		Hostname: "192.168.1.1",
		Username: "admin",
		Password: "admin",
		Logging:  pango.LogAction | pango.LogOp,
	}}

	if err = pan.Initialize(); err != nil {
		log.Panic(err)
		return
	}

	// Create the addresses, address group and security policy
	addr1 := addr.Entry{
		Name:        "SampleAddress1",
		Value:       "10.192.226.101/32",
		Type:        addr.IpNetmask,
		Description: "First address of a sample address group",
		Tags:        tags,
	}
	if err = pan.Objects.Address.Set(deviceGroup, addr1); err != nil {
		log.Panic(err)
	}

	addr2 := addr.Entry{
		Name:        "SampleAddress2",
		Value:       "10.192.226.102/32",
		Type:        addr.IpNetmask,
		Description: "Second address of a sample address group",
		Tags:        tags,
	}
	if err = pan.Objects.Address.Set(deviceGroup, addr2); err != nil {
		log.Panic(err)
	}

	ag := addrgrp.Entry{
		Name:            "SampleAddressGroup",
		Description:     "This is an example on how to use address groups",
		StaticAddresses: []string{addr1.Name, addr2.Name},
		Tags:            tags,
	}
	if err = pan.Objects.AddressGroup.Set(deviceGroup, ag); err != nil {
		log.Panic(err)
	}

	securityPolicy := security.Entry{
		Name:                 "SamplePolicy",
		Description:          "This is where the request number goes",
		Tags:                 tags,
		SourceZones:          []string{"CORPEXT"},
		SourceAddresses:      []string{"any"},
		DestinationZones:     []string{"CORPDMZ"},
		DestinationAddresses: []string{ag.Name},
		Applications:         []string{"ssl"},
		Services:             []string{"application-default"},
		LogSetting:           "Standard-Logging",
		Group:                "Corp_Default",
	}
	securityPolicy.Defaults()
	if err = pan.Policies.Security.VerifiableSet(deviceGroup, util.PreRulebase, securityPolicy); err != nil {
		log.Panic(err)
	}

	panCommit := commit.PanoramaCommit{
		Description:  "Created example address group",
		Admins:       nil,
		DeviceGroups: []string{deviceGroup},
	}
	resp, bytes, err := pan.Commit(panCommit, "", nil)
	if err != nil {
		log.Panic(err)
	}
	log.Printf("Job ID: %v\n", resp)
	log.Printf("Response XML: %v\n", string(bytes))

	// Delete the addresses, address group and security policy
	// Note that the Delete function can take their respective entry structs,
	// or just a string with the name as shown below
	if err = pan.Policies.Security.Delete(deviceGroup, util.PreRulebase, securityPolicy.Name); err != nil {
		log.Panic(err)
	}
	if err = pan.Objects.AddressGroup.Delete(deviceGroup, ag.Name); err != nil {
		log.Panic(err)
	}
	if err = pan.Objects.Address.Delete(deviceGroup, addr1.Name); err != nil {
		log.Panic(err)
	}
	if err = pan.Objects.Address.Delete(deviceGroup, addr2.Name); err != nil {
		log.Panic(err)
	}

	panCommit = commit.PanoramaCommit{
		Description:  "Deleted sample address group",
		Admins:       nil,
		DeviceGroups: []string{deviceGroup},
	}
	resp, bytes, err = pan.Commit(panCommit, "", nil)
	if err != nil {
		log.Panic(err)
	}
	log.Printf("Job ID: %v\n", resp)
	log.Printf("Response XML: %v\n", string(bytes))
}
```
Example (CreateInterface) ¶
ExampleCreateInterface demonstrates how to use pango to create an interface if the interface is not already configured.
```go
package main

import (
	"log"

	"github.com/PaloAltoNetworks/pango"
	"github.com/PaloAltoNetworks/pango/netw/interface/eth"
)

func main() {
	var err error

	// Connect to the firewall.
	fw := pango.Firewall{Client: pango.Client{
		Hostname: "192.168.1.1",
		Username: "admin",
		Password: "admin",
	}}

	// Connect to the firewall and verify authentication params.
	if err = fw.Initialize(); err != nil {
		log.Fatalf("Failed to connect to %s: %s", fw.Hostname, err)
	}

	// Define the ethernet interface we want to configure.
	e := eth.Entry{
		Name:      "ethernet1/7",
		Mode:      "layer3",
		Comment:   "Made by pango",
		StaticIps: []string{"10.1.1.1/24", "10.2.1.1/24"},
	}

	// If the interface is already present, leave it alone.
	ethList, err := fw.Network.EthernetInterface.GetList()
	if err != nil {
		log.Fatalf("Failed to get interface listing: %s", err)
	}
	for i := range ethList {
		if ethList[i] == e.Name {
			log.Printf("Interface %q already exists, quitting.", e.Name)
			return
		}
	}

	// Since the interface is not present, configure it.
	if err = fw.Network.EthernetInterface.Set("vsys1", e); err != nil {
		log.Fatalf("Failed to create %q: %s", e.Name, err)
	}
	log.Printf("Created %q ok", e.Name)
}
```
Example (FirewallCommit) ¶
```go
package main

import (
	"flag"
	"log"
	"strings"
	"time"

	"github.com/PaloAltoNetworks/pango"
	"github.com/PaloAltoNetworks/pango/commit"
)

func main() {
	var (
		err                                                 error
		configFile, hostname, username, password, apiKey, admins string
		edan, eso, epao, force                              bool
		jobId                                               uint
		sleep                                               int64
	)

	log.SetFlags(log.Ldate | log.Ltime | log.Lmicroseconds)

	flag.StringVar(&configFile, "config", "", "JSON config file with panos connection info")
	flag.StringVar(&hostname, "host", "", "PAN-OS hostname")
	flag.StringVar(&username, "user", "", "PAN-OS username")
	flag.StringVar(&password, "pass", "", "PAN-OS password")
	flag.StringVar(&apiKey, "key", "", "PAN-OS API key")
	flag.StringVar(&admins, "admins", "", "CSV of specific admins for partial config commit")
	flag.BoolVar(&edan, "exclude-device-and-network", false, "Exclude device and network")
	flag.BoolVar(&eso, "exclude-shared-objects", false, "Exclude shared objects")
	flag.BoolVar(&epao, "exclude-policy-and-objects", false, "Exclude policy and objects")
	flag.BoolVar(&force, "force", false, "Force a commit even if one isn't needed")
	flag.Int64Var(&sleep, "sleep", 0, "Seconds to sleep between checks for commit completion")
	flag.Parse()

	// Connect to the firewall.
	fw := &pango.Firewall{Client: pango.Client{
		Hostname: hostname,
		Username: username,
		Password: password,
		ApiKey:   apiKey,
		Logging:  pango.LogOp | pango.LogAction,
	}}
	if err = fw.InitializeUsing(configFile, true); err != nil {
		log.Fatalf("Failed: %s", err)
	}

	// Build the commit to be performed.
	cmd := commit.FirewallCommit{
		Description:             flag.Arg(0),
		ExcludeDeviceAndNetwork: edan,
		ExcludeSharedObjects:    eso,
		ExcludePolicyAndObjects: epao,
		Force:                   force,
	}
	admins = strings.TrimSpace(admins)
	if admins != "" {
		cmd.Admins = strings.Split(admins, ",")
	}
	sd := time.Duration(sleep) * time.Second

	// Perform the commit
	jobId, _, err = fw.Commit(cmd, "", nil)
	if err != nil {
		log.Fatalf("Error in commit: %s", err)
	} else if jobId == 0 {
		log.Printf("No commit needed")
	} else if err = fw.WaitForJob(jobId, sd, nil); err != nil {
		log.Printf("Error in commit: %s", err)
	} else {
		log.Printf("Committed config successfully")
	}
}
```
Example (OutputApiKey) ¶
ExamplePanosInfo outputs various info about a PAN-OS device as JSON.
```go
package main

import (
	"encoding/json"
	"fmt"

	"github.com/PaloAltoNetworks/pango"
)

// About is a struct to hold information about the given PAN-OS device.
type About struct {
	Hostname string `json:"hostname"`
	Type     string `json:"type"`
	Model    string `json:"model"`
	Version  string `json:"version"`
	Serial   string `json:"serial"`
}

// ExamplePanosInfo outputs various info about a PAN-OS device as
// JSON.
func main() {
	var out About

	conInfo := pango.Client{
		Hostname: "192.168.1.1",
		Username: "admin",
		Password: "admin",
		Logging:  pango.LogQuiet,
	}

	con, err := pango.Connect(conInfo)
	if err != nil {
		return
	}

	switch x := con.(type) {
	case *pango.Firewall:
		out = About{
			Hostname: x.Hostname,
			Type:     "NGFW",
			Model:    x.SystemInfo["model"],
			Version:  x.Version.String(),
			Serial:   x.SystemInfo["serial"],
		}
	case *pango.Panorama:
		out = About{
			Hostname: x.Hostname,
			Type:     "Panorama",
			Model:    x.SystemInfo["model"],
			Version:  x.Version.String(),
			Serial:   x.SystemInfo["serial"],
		}
	}

	b, err := json.Marshal(out)
	if err != nil {
		return
	}
	fmt.Printf("%s\n", b)
}
```
Index ¶
- Constants
- func Connect(c Client) (interface{}, error)
- func ConnectUsing(c Client, filename string, chkenv bool) (interface{}, error)
- type Client
- func (c *Client) Clock() (time.Time, error)
- func (c *Client) Commit(cmd interface{}, action string, extras interface{}) (uint, []byte, error)
- func (c *Client) CommitLocks(vsys string) ([]util.Lock, error)
- func (c *Client) Communicate(data url.Values, ans interface{}) ([]byte, error)
- func (c *Client) CommunicateFile(content, filename, fp string, data url.Values, ans interface{}) ([]byte, error)
- func (c *Client) ConfigLocks(vsys string) ([]util.Lock, error)
- func (c *Client) Delete(path, extras, ans interface{}) ([]byte, error)
- func (c *Client) Edit(path, element, extras, ans interface{}) ([]byte, error)
- func (c *Client) EntryListUsing(fn util.Retriever, path []string) ([]string, error)
- func (c *Client) Get(path, extras, ans interface{}) ([]byte, error)
- func (c *Client) Import(cat, content, filename, fp string, extras map[string]string, ans interface{}) ([]byte, error)
- func (c *Client) Initialize() error
- func (c *Client) InitializeUsing(filename string, chkenv bool) error
- func (c *Client) IsImported(loc, tmpl, ts, vsys, name string) (bool, error)
- func (c *Client) LockCommits(vsys, comment string) error
- func (c *Client) LockConfig(vsys, comment string) error
- func (c *Client) LogAction(msg string, i ...interface{})
- func (c *Client) LogOp(msg string, i ...interface{})
- func (c *Client) LogQuery(msg string, i ...interface{})
- func (c *Client) LogUid(msg string, i ...interface{})
- func (c *Client) MemberListUsing(fn util.Retriever, path []string) ([]string, error)
- func (c *Client) Move(path interface{}, where, dst string, extras, ans interface{}) ([]byte, error)
- func (c *Client) MultiConfig(element MultiConfigure, strict bool, extras interface{}) ([]byte, MultiConfigureResponse, error)
- func (c *Client) Op(req interface{}, vsys string, extras, ans interface{}) ([]byte, error)
- func (c *Client) Plugins() []PluginInfo
- func (c *Client) PositionFirstEntity(mvt int, rel, ent string, path, elms []string) error
- func (c *Client) PrepareMultiConfigure(capacity int)
- func (c *Client) Rename(path interface{}, newname string, extras, ans interface{}) ([]byte, error)
- func (c *Client) RequestPasswordHash(val string) (string, error)
- func (c *Client) RetrieveApiKey() error
- func (c *Client) RevertToRunningConfig() error
- func (c *Client) SendMultiConfigure(strict bool) (MultiConfigureResponse, error)
- func (c *Client) Set(path, element, extras, ans interface{}) ([]byte, error)
- func (c *Client) Show(path, extras, ans interface{}) ([]byte, error)
- func (c *Client) String() string
- func (c *Client) Uid(cmd interface{}, vsys string, extras, ans interface{}) ([]byte, error)
- func (c *Client) UnlockCommits(vsys, admin string) error
- func (c *Client) UnlockConfig(vsys string) error
- func (c *Client) ValidateConfig(sync bool, sleep time.Duration) (uint, error)
- func (c *Client) Versioning() version.Number
- func (c *Client) VsysImport(loc, tmpl, ts, vsys string, names []string) error
- func (c *Client) VsysUnimport(loc, tmpl, ts string, names []string) error
- func (c *Client) WaitForJob(id uint, sleep time.Duration, resp interface{}) error
- type Firewall
- type McreMsg
- type MultiConfigResponseElement
- type MultiConfigure
- type MultiConfigureRequest
- type MultiConfigureResponse
- type Panorama
- type PanosError
- type PluginInfo
- type VmAuthKey
Constants ¶
```go
const (
	LogQuiet = 1 << (iota + 1)
	LogAction
	LogQuery
	LogOp
	LogUid
	LogXpath
	LogSend
	LogReceive
)
```

These bit flags control what is logged by client connections. Of the flags available for use, LogSend and LogReceive will log ALL communication between the connection object and the PAN-OS XML API. The API key being used for communication will be blanked out, but no other sensitive data will be. As such, those two flags should be considered for debugging only. To disable all logging, set the logging level to LogQuiet.
The bit-wise flags are as follows:
- LogQuiet: disables all logging
- LogAction: action being performed (Set / Delete functions)
- LogQuery: queries being run (Get / Show functions)
- LogOp: operation commands (Op functions)
- LogUid: User-Id commands (Uid functions)
- LogXpath: the resultant xpath
- LogSend: xml document being sent
- LogReceive: xml responses being received
Variables ¶
This section is empty.
Functions ¶
func Connect ¶
Connect opens a connection to the PAN-OS client, then uses the "model" info to return a pointer to either a Firewall or Panorama struct.
The Initialize function is invoked as part of this discovery, so there is no need to Initialize() the Client connection prior to invoking this.
func ConnectUsing ¶ added in v0.5.0
ConnectUsing does Connect(), but takes in a filename that contains fallback authentication credentials if they aren't specified.
The order of preference for auth / connection settings is:
- explicitly set
- environment variable (set chkenv to true to enable this)
- json file
Types ¶
type Client ¶
```go
type Client struct {
	// Connection properties.
	Hostname string `json:"hostname"`
	Username string `json:"username"`
	Password string `json:"password"`
	ApiKey   string `json:"api_key"`
	Protocol string `json:"protocol"`
	Port     uint   `json:"port"`
	Timeout  int    `json:"timeout"`
	Target   string `json:"target"`

	// Set to true if you want to check environment variables
	// for auth and connection properties.
	CheckEnvironment bool `json:"-"`

	// HTTP transport options. Note that the VerifyCertificate setting is
	// only used if you do not specify a HTTP transport yourself.
	VerifyCertificate bool            `json:"verify_certificate"`
	Transport         *http.Transport `json:"-"`

	// Variables determined at runtime.
	Version        version.Number    `json:"-"`
	SystemInfo     map[string]string `json:"-"`
	Plugin         []PluginInfo      `json:"-"`
	MultiConfigure *MultiConfigure   `json:"-"`

	// Logging level.
	Logging               uint32   `json:"-"`
	LoggingFromInitialize []string `json:"logging"`
	// contains filtered or unexported fields
}
```
Client is a generic connector struct. It provides wrapper functions for invoking the various PAN-OS XPath API methods. After creating the client, invoke Initialize() to prepare it for use.
Many of the functions attached to this struct will take a param named `extras`. Under normal circumstances this will just be nil, but if you have some extra values you need to send in with your request you can specify them here.
Likewise, a lot of these functions will return a slice of bytes. Under normal circumstances, you don't need to do anything with this, but sometimes you do, so you can find the raw XML returned from PAN-OS there.
func (*Client) Commit ¶
Commit performs PAN-OS commits.
The cmd param can be a properly formatted XML string, a struct that can be marshalled into XML, or one of the commit types that can be found in the commit package.
The action param is the commit action to be taken. If you are using one of the commit structs as the `cmd` param and the action param is an empty string, then the action is taken from the commit struct passed in.
The extras param should be either nil or a url.Values{} to be mixed in with the constructed request.
Commits result in a job being submitted to the backend. The job ID (assuming the commit action was successfully submitted), the raw response from the server, and any error encountered are all returned from this function.
func (*Client) CommitLocks ¶
CommitLocks returns any commit locks that are currently in place.
If vsys is an empty string, then the vsys will default to "shared".
func (*Client) Communicate ¶
Communicate sends the given data to PAN-OS.
The ans param should be a pointer to a struct to unmarshal the response into or nil.
Any response received from the server is returned, along with any errors encountered.
Even if an answer struct is given, we first check for known error formats. If a known error format is detected, unmarshalling into the answer struct is not performed.
If the API key is set, but not present in the given data, then it is added in.
func (*Client) CommunicateFile ¶
func (c *Client) CommunicateFile(content, filename, fp string, data url.Values, ans interface{}) ([]byte, error)
CommunicateFile does a file upload to PAN-OS.
The content param is the content of the file you want to upload.
The filename param is the basename of the file you want to specify in the multipart form upload.
The fp param is the name of the param for the file upload.
The ans param should be a pointer to a struct to unmarshal the response into or nil.
Any response received from the server is returned, along with any errors encountered.
Even if an answer struct is given, we first check for known error formats. If a known error format is detected, unmarshalling into the answer struct is not performed.
If the API key is set, but not present in the given data, then it is added in.
func (*Client) ConfigLocks ¶
ConfigLocks returns any config locks that are currently in place.
If vsys is an empty string, then the vsys will default to "shared".
func (*Client) Delete ¶
Delete runs a "delete" type command, removing the supplied xpath and everything underneath it.
The path param should be either a string or a slice of strings.
The extras param should be either nil or a url.Values{} to be mixed in with the constructed request.
The ans param should be a pointer to a struct to unmarshal the response into or nil.
Any response received from the server is returned, along with any errors encountered.
func (*Client) Edit ¶
Edit runs an "edit" type command, modifying what is at the given xpath with the supplied element.
The path param should be either a string or a slice of strings.
The element param can be either a string of properly formatted XML to send or a struct which can be marshaled into a string.
The extras param should be either nil or a url.Values{} to be mixed in with the constructed request.
The ans param should be a pointer to a struct to unmarshal the response into or nil.
Any response received from the server is returned, along with any errors encountered.
func (*Client) EntryListUsing ¶
EntryListUsing retrieves a list of entries using the given function, either Get or Show.
func (*Client) Get ¶
Get runs a "get" type command.
The path param should be either a string or a slice of strings.
The extras param should be either nil or a url.Values{} to be mixed in with the constructed request.
The ans param should be a pointer to a struct to unmarshal the response into or nil.
Any response received from the server is returned, along with any errors encountered.
func (*Client) Import ¶
func (c *Client) Import(cat, content, filename, fp string, extras map[string]string, ans interface{}) ([]byte, error)
Import performs an import type command.
The cat param is the category.
The content param is the content of the file you want to upload.
The filename param is the basename of the file you want to specify in the multipart form upload.
The fp param is the name of the param for the file upload.
The extras param is any additional key/value file upload params.
The ans param should be a pointer to a struct to unmarshal the response into or nil.
Any response received from the server is returned, along with any errors encountered.
func (*Client) Initialize ¶
Initialize does some initial setup of the Client connection, retrieves the API key if it was not already present, then performs "show system info" to get the PAN-OS version. The full results are saved into the client's SystemInfo map.
If not specified, the following is assumed:
- Protocol: https
- Port: (unspecified)
- Timeout: 10
- Logging: LogAction | LogUid
func (*Client) InitializeUsing ¶ added in v0.5.0
InitializeUsing does Initialize(), but takes in a filename that contains fallback authentication credentials if they aren't specified.
The order of preference for auth / connection settings is:
- explicitly set
- environment variable (set chkenv to true to enable this)
- json file
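The precedence described for InitializeUsing (and identically for ConnectUsing and the Firewall/Panorama InitializeUsing wrappers), as an added example that is not pango's own code: a resolver over the JSON-tagged connection fields of Client, filling blanks first from the environment when chkenv is true and only then from the JSON file. The environment variable names below are assumptions, since the page does not name the ones pango reads.

```go
// Added example (not pango's own implementation): explicit > environment > JSON file.
package main

import (
	"encoding/json"
	"fmt"
	"os"
)

// connSettings mirrors the JSON-tagged connection fields of pango.Client.
type connSettings struct {
	Hostname string `json:"hostname"`
	Username string `json:"username"`
	Password string `json:"password"`
	ApiKey   string `json:"api_key"`
}

// envNames are assumed variable names for this example; the page does not
// state which environment variables pango actually consults.
var envNames = map[string]string{
	"hostname": "PANOS_HOSTNAME",
	"username": "PANOS_USERNAME",
	"password": "PANOS_PASSWORD",
	"api_key":  "PANOS_API_KEY",
}

// resolve fills blank fields of explicit, first from the environment (only
// if chkenv is true), then from the JSON file. A value that is already set
// is never overwritten, which is what gives explicit settings precedence.
func resolve(explicit connSettings, filename string, chkenv bool) (connSettings, error) {
	out := explicit
	fields := map[string]*string{
		"hostname": &out.Hostname,
		"username": &out.Username,
		"password": &out.Password,
		"api_key":  &out.ApiKey,
	}
	if chkenv {
		for key, ptr := range fields {
			if *ptr == "" {
				*ptr = os.Getenv(envNames[key])
			}
		}
	}
	if filename != "" {
		raw, err := os.ReadFile(filename)
		if err != nil {
			return out, err
		}
		var fromFile connSettings
		if err := json.Unmarshal(raw, &fromFile); err != nil {
			return out, err
		}
		fileFields := map[string]string{
			"hostname": fromFile.Hostname,
			"username": fromFile.Username,
			"password": fromFile.Password,
			"api_key":  fromFile.ApiKey,
		}
		for key, ptr := range fields {
			if *ptr == "" {
				*ptr = fileFields[key]
			}
		}
	}
	// Minimum needed to initialize: a host plus either an API key or a
	// username/password pair from which RetrieveApiKey can derive one.
	if out.Hostname == "" {
		return out, fmt.Errorf("no hostname from any source")
	}
	if out.ApiKey == "" && (out.Username == "" || out.Password == "") {
		return out, fmt.Errorf("need either api_key or username and password")
	}
	return out, nil
}

// demo sets up a constructed JSON file and environment, then resolves:
// the username is explicit, the password comes from the environment and
// the hostname only exists in the file.
func demo() (connSettings, error) {
	f, err := os.CreateTemp("", "panos-*.json")
	if err != nil {
		return connSettings{}, err
	}
	defer os.Remove(f.Name())
	_, _ = f.WriteString(`{"hostname":"fw.example.internal","username":"svc-automation","password":"file-secret"}`)
	f.Close()
	os.Setenv("PANOS_PASSWORD", "env-secret") // constructed value
	defer os.Unsetenv("PANOS_PASSWORD")
	return resolve(connSettings{Username: "admin"}, f.Name(), true)
}

func main() {
	s, err := demo()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("host=%s user=%s (password taken from environment, not printed)\n", s.Hostname, s.Username)
}
```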
func (*Client) IsImported ¶
IsImported checks if the importable object is actually imported in the specified location.
func (*Client) LockCommits ¶
LockCommits locks commits for the given scope with the given comment.
If vsys is an empty string, the scope defaults to "shared".
func (*Client) LockConfig ¶
LockConfig locks the config for the given scope with the given comment.
If vsys is an empty string, the scope defaults to "shared".
func (*Client) LogAction ¶
LogAction writes a log message for SET/DELETE operations if LogAction is set.
func (*Client) MemberListUsing ¶
MemberListUsing retrieves a list of members using the given function, either Get or Show.
func (*Client) MultiConfig ¶ added in v0.5.0
func (c *Client) MultiConfig(element MultiConfigure, strict bool, extras interface{}) ([]byte, MultiConfigureResponse, error)
MultiConfig does a "multi-config" type command.
Param strict should be true if you want strict transactional support.
Note that the error returned from this function is only if there was an error unmarshaling the response into the multi config response struct. If the multi config itself failed, then the reason can be found in its results.
func (*Client) Op ¶
Op runs an operational or "op" type command.
The req param can be either a properly formatted XML string or a struct that can be marshalled into XML.
The vsys param is the vsys the op command should be executed in, if any.
The extras param should be either nil or a url.Values{} to be mixed in with the constructed request.
The ans param should be a pointer to a struct to unmarshal the response into or nil.
Any response received from the server is returned, along with any errors encountered.
func (*Client) Plugins ¶ added in v0.2.0
func (c *Client) Plugins() []PluginInfo
Plugins returns the plugin information.
func (*Client) PositionFirstEntity ¶
PositionFirstEntity moves an element before another one using the Move API command.
Param `mvt` is a util.Move* constant.
Param `rel` is the relative entity that `mvt` is in relation to.
Param `ent` is the entity that is to be positioned.
Param `path` is the XPATH of `ent`.
Param `elms` is the ordered list of entities that should include both `rel` and `ent`.
func (*Client) PrepareMultiConfigure ¶ added in v0.5.0
PrepareMultiConfigure will start a multi config command.
Capacity is the initial capacity of the requests to be sent.
func (*Client) RequestPasswordHash ¶
RequestPasswordHash requests a password hash of the given string.
func (*Client) RetrieveApiKey ¶
RetrieveApiKey retrieves the API key, which will require that both the username and password are defined.
The currently set ApiKey is forgotten when invoking this function.
func (*Client) RevertToRunningConfig ¶
RevertToRunningConfig discards any changes made and reverts to the last config committed.
func (*Client) SendMultiConfigure ¶ added in v0.5.0
func (c *Client) SendMultiConfigure(strict bool) (MultiConfigureResponse, error)
SendMultiConfigure will send the accumulated multi configure request.
Param strict should be true if you want strict transactional support.
Note that the error returned from this function is only if there was an error unmarshaling the response into the multi config response struct. If the multi config itself failed, then the reason can be found in its results.
func (*Client) Set ¶
Set runs a "set" type command, creating the element at the given xpath.
The path param should be either a string or a slice of strings.
The element param can be either a string of properly formatted XML to send or a struct which can be marshaled into a string.
The extras param should be either nil or a url.Values{} to be mixed in with the constructed request.
The ans param should be a pointer to a struct to unmarshal the response into or nil.
Any response received from the server is returned, along with any errors encountered.
func (*Client) Show ¶
Show runs a "show" type command.
The path param should be either a string or a slice of strings.
The extras param should be either nil or a url.Values{} to be mixed in with the constructed request.
The ans param should be a pointer to a struct to unmarshal the response into or nil.
Any response received from the server is returned, along with any errors encountered.
func (*Client) String ¶
String is the string representation of a client connection. Both the password and API key are replaced with stars, if set, making it safe to print the client connection in log messages.
func (*Client) UnlockCommits ¶
UnlockCommits removes the commit lock on the given scope owned by the given admin, if this admin is someone other than the current acting admin.
If vsys is an empty string, the scope defaults to "shared".
func (*Client) UnlockConfig ¶
UnlockConfig removes the config lock on the given scope.
If vsys is an empty string, the scope defaults to "shared".
func (*Client) ValidateConfig ¶
ValidateConfig performs a commit config validation check.
Setting sync to true means that this function will block until the job finishes.
The sleep param is an optional sleep duration to wait between polling for job completion. This param is only used if sync is set to true.
This function returns the job ID and any error encountered.
func (*Client) Versioning ¶
Versioning returns the client version number.
func (*Client) VsysImport ¶
VsysImport imports the given names into the specified template / vsys.
func (*Client) VsysUnimport ¶
VsysUnimport removes the given names from all (template, optional) vsys.
func (*Client) WaitForJob ¶
WaitForJob polls the device, waiting for the specified job to finish.
The sleep param is the length of time to wait between polling for job completion.
If you want to unmarshal the response into a struct, then pass in a pointer to the struct for the "resp" param. If you just want to know if the job completed with a status other than "FAIL", you only need to check the returned error message.
In the case that there are multiple errors returned from the job, the first error is returned as the error string, and no unmarshaling is attempted.
type Firewall ¶
```go
type Firewall struct {
	Client

	// Namespaces
	Predefined *predefined.Firewall
	Network    *netw.FwNetw
	Device     *dev.FwDev
	Policies   *poli.FwPoli
	Objects    *objs.FwObjs
	Licensing  *licen.Licen
	UserId     *userid.UserId
}
```
Firewall is a firewall specific client, providing version safe functions for the PAN-OS Xpath API methods. After creating the object, invoke Initialize() to prepare it for use.
It has the following namespaces:
- Predefined
- Network
- Device
- Policies
- Objects
- Licensing
- UserId
func (*Firewall) GetDhcpInfo ¶
GetDhcpInfo returns the DHCP client information about the given interface.
func (*Firewall) Initialize ¶
Initialize does some initial setup of the Firewall connection, retrieves the API key if it was not already present, then performs "show system info" to get the PAN-OS version. The full results are saved into the client's SystemInfo map.
If not specified, the following is assumed:
- Protocol: https
- Port: (unspecified)
- Timeout: 10
- Logging: LogAction | LogUid
func (*Firewall) InitializeUsing ¶ added in v0.5.0
InitializeUsing does Initialize(), but takes in a filename that contains fallback authentication credentials if they aren't specified.
The order of preference for auth / connection settings is:
- explicitly set
- environment variable (set chkenv to true to enable this)
- json file
type MultiConfigResponseElement ¶ added in v0.5.0
```go
type MultiConfigResponseElement struct {
	XMLName xml.Name `xml:"response"`
	Status  string   `xml:"status,attr"`
	Code    int      `xml:"code,attr"`
	Id      string   `xml:"id,attr,omitempty"`
	Msg     McreMsg  `xml:"msg"`
}
```
func (*MultiConfigResponseElement) Message ¶ added in v0.5.0
func (m *MultiConfigResponseElement) Message() string
func (*MultiConfigResponseElement) Ok ¶ added in v0.5.0
func (m *MultiConfigResponseElement) Ok() bool
type MultiConfigure ¶ added in v0.5.0
```go
type MultiConfigure struct {
	XMLName xml.Name `xml:"multi-configure-request"`
	Reqs    []MultiConfigureRequest
}
```
func (*MultiConfigure) IncrementalIds ¶ added in v0.5.0
func (m *MultiConfigure) IncrementalIds()
type MultiConfigureRequest ¶ added in v0.5.0
type MultiConfigureResponse ¶ added in v0.5.0
```go
type MultiConfigureResponse struct {
	XMLName xml.Name                     `xml:"response"`
	Status  string                       `xml:"status,attr"`
	Code    int                          `xml:"code,attr"`
	Results []MultiConfigResponseElement `xml:"response"`
}
```
func (*MultiConfigureResponse) Error ¶ added in v0.5.0
func (m *MultiConfigureResponse) Error() string
func (*MultiConfigureResponse) Ok ¶ added in v0.5.0
func (m *MultiConfigureResponse) Ok() bool
type Panorama ¶
```go
type Panorama struct {
	Client

	// Namespaces
	Predefined *predefined.Panorama
	Device     *dev.PanoDev
	Licensing  *licen.Licen
	UserId     *userid.UserId
	Panorama   *pnrm.Pnrm
	Objects    *objs.PanoObjs
	Policies   *poli.PanoPoli
	Network    *netw.PanoNetw
}
```
Panorama is a panorama specific client, providing version safe functions for the PAN-OS Xpath API methods. After creating the object, invoke Initialize() to prepare it for use.
It has the following namespaces:
- Predefined
- Device
- Licensing
- UserId
- Panorama
- Objects
- Policies
- Network
func (*Panorama) CreateVmAuthKey ¶ added in v0.4.0
CreateVmAuthKey creates a VM auth key to bootstrap a VM-Series firewall.
VM auth keys are only valid for the number of hours specified.
func (*Panorama) GetVmAuthKeys ¶ added in v0.4.0
GetVmAuthKeys gets the list of VM auth keys.
func (*Panorama) Initialize ¶
Initialize does some initial setup of the Panorama connection, retrieves the API key if it was not already present, then performs "show system info" to get the PAN-OS version. The full results are saved into the client's SystemInfo map.
If not specified, the following is assumed:
- Protocol: https
- Port: (unspecified)
- Timeout: 10
- Logging: LogAction | LogUid
func (*Panorama) InitializeUsing ¶ added in v0.5.0
InitializeUsing does everything Initialize() does, but also takes the name of a JSON file containing fallback authentication credentials, which are used for any settings that were not otherwise specified.
The order of preference for auth / connection settings is:
- explicitly set
- environment variable (set chkenv to true to enable this)
- json file
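The precedence above, worked through as an added stand-alone example rather than pango's own code: explicitly set fields win, environment variables are consulted only when chkenv is true, and the JSON file fills whatever is still empty. The PANOS_* variable names, the JSON keys and the ConnSettings struct are assumptions for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
)

// ConnSettings holds the connection fields the documented precedence
// applies to (illustrative struct for this example, not pango's Client).
type ConnSettings struct {
	Hostname string `json:"hostname"`
	Username string `json:"username"`
	Password string `json:"password"`
	ApiKey   string `json:"api_key"`
}

// fillEmpty copies src fields into dst only where dst is still empty,
// so a higher-precedence source is never overwritten by a lower one.
func fillEmpty(dst *ConnSettings, src ConnSettings) {
	pairs := [][2]*string{
		{&dst.Hostname, &src.Hostname}, {&dst.Username, &src.Username},
		{&dst.Password, &src.Password}, {&dst.ApiKey, &src.ApiKey},
	}
	for _, p := range pairs {
		if *p[0] == "" {
			*p[0] = *p[1]
		}
	}
}

// Resolve applies the documented order: explicit values, then environment
// variables (only when chkenv is true), then the JSON file. getenv is injected
// (pass os.Getenv in real use) so the order can be tested without the real
// environment. The PANOS_* names and JSON keys are assumptions.
func Resolve(explicit ConnSettings, chkenv bool, getenv func(string) string, fileJSON []byte) (ConnSettings, error) {
	out := explicit
	if chkenv {
		fillEmpty(&out, ConnSettings{
			Hostname: getenv("PANOS_HOSTNAME"), Username: getenv("PANOS_USERNAME"),
			Password: getenv("PANOS_PASSWORD"), ApiKey: getenv("PANOS_API_KEY"),
		})
	}
	if len(fileJSON) > 0 {
		var fromFile ConnSettings
		if err := json.Unmarshal(fileJSON, &fromFile); err != nil {
			return out, fmt.Errorf("credentials file: %w", err)
		}
		fillEmpty(&out, fromFile)
	}
	if out.Hostname == "" || (out.ApiKey == "" && (out.Username == "" || out.Password == "")) {
		return out, fmt.Errorf("no usable connection settings after all sources were consulted")
	}
	return out, nil
}

func main() {
	// Constructed file content standing in for the JSON credentials file.
	file := []byte(`{"hostname":"pan.example.invalid","username":"fileuser","password":"filepass"}`)
	got, err := Resolve(ConnSettings{Hostname: "10.0.0.1"}, true, os.Getenv, file)
	fmt.Println(got.Hostname, got.Username, err) // explicit host kept, user from file unless PANOS_USERNAME is set
}
```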
func (*Panorama) RevokeVmAuthKey ¶ added in v0.5.0
RevokeVmAuthKey revokes a VM auth key.
type PanosError ¶
PanosError is the error struct returned from the Communicate method.
func (PanosError) ObjectNotFound ¶
func (e PanosError) ObjectNotFound() bool
ObjectNotFound returns true on missing object error.
type PluginInfo ¶ added in v0.5.0
type PluginInfo struct {
    Name           string
    Version        string
    ReleaseDate    string
    ReleaseNoteUrl string
    PackageFile    string
    Size           string
    Platform       string
    Installed      string
    Downloaded     string
}
PluginInfo is information on plugin packages available to PAN-OS.
type VmAuthKey ¶ added in v0.4.0
type VmAuthKey struct {
    AuthKey string `xml:"vm-auth-key"`
    Expiry  string `xml:"expiry-time"`
    Expires time.Time
}
VmAuthKey is a VM auth key paired with when it expires.
The Expiry field is the string returned from PAN-OS, while the Expires field is an attempt at parsing the Expiry field.
func (*VmAuthKey) ParseExpires ¶ added in v0.4.0
ParseExpires sets Expires from the Expiry field.
Since PAN-OS does not output timezone information with the expirations, the current PAN-OS time is retrieved, which does contain timezone information. When the Expiry string is then parsed into Expires, the location (timezone) of that system clock is applied.
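The timezone handling described above, as an added stand-alone example (not pango's VmAuthKey code): the zone-less expiry string is parsed in the location of the device clock, and a naive UTC parse is shown beside it to make the resulting offset error visible. The expiry layout string, the sample zone and the expiry value are constructed assumptions.

```go
package main

import (
	"fmt"
	"time"
)

// expiryLayout is the assumed PAN-OS expiry-time format for this example;
// the page does not show the real one, so adjust it for your device.
const expiryLayout = "2006/01/02 15:04:05"

// VmAuthKeyExample mirrors the documented pairing of the raw Expiry string
// with a parsed Expires time (illustrative, not pango's type).
type VmAuthKeyExample struct {
	AuthKey string
	Expiry  string
	Expires time.Time
}

// ParseExpires interprets the zone-less Expiry string in the location of
// the device clock, as the documentation describes, instead of in UTC.
func (k *VmAuthKeyExample) ParseExpires(deviceClock time.Time) error {
	t, err := time.ParseInLocation(expiryLayout, k.Expiry, deviceClock.Location())
	if err != nil {
		return fmt.Errorf("parsing expiry %q: %w", k.Expiry, err)
	}
	k.Expires = t
	return nil
}

// NaiveUTC shows the failure mode: without a location the same string is
// read as UTC, shifting the expiry by the device's UTC offset.
func NaiveUTC(expiry string) (time.Time, error) {
	return time.Parse(expiryLayout, expiry)
}

// StillValid reports whether the key is usable at the given device time.
func (k VmAuthKeyExample) StillValid(deviceClock time.Time) bool {
	return deviceClock.Before(k.Expires)
}

func main() {
	// Constructed sample: a device clock in a fixed UTC-5 zone and an expiry
	// string as PAN-OS would print it, without zone information.
	loc := time.FixedZone("DEVICE-0500", -5*60*60)
	clock := time.Date(2023, 3, 1, 11, 30, 0, 0, loc)
	k := VmAuthKeyExample{AuthKey: "constructed-key", Expiry: "2023/03/01 12:00:00"}
	if err := k.ParseExpires(clock); err != nil {
		panic(err)
	}
	naive, _ := NaiveUTC(k.Expiry)
	// Correct expiry is 17:00 UTC; the naive parse yields 12:00 UTC, five hours
	// too early, so the key would look expired while it is still valid.
	fmt.Println(k.Expires.Sub(naive), k.StillValid(clock))
}
```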
Directories ¶
Path | Synopsis
---|---
commit | Package commit contains normalizations for firewall and Panorama commits.
dev | Package dev is the client.Device namespace.
general | Package general is the client.Device.GeneralSettings namespace.
ha | Package ha is the client.Device.HaConfig namespace.
ha/monitor/link | Package link is the client.Device.HaLinkMonitorGroup namespace.
profile/email | Package email is the client.Object.EmailServerProfile namespace.
profile/email/server | Package server is the client.Object.EmailServer namespace.
profile/http | Package http is the client.Object.HttpServerProfile namespace.
profile/http/header | Package header is the client.Object.HttpHeader namespace.
profile/http/param | Package param is the client.Object.HttpParam namespace.
profile/http/server | Package server is the client.Object.HttpServer namespace.
profile/snmp | Package snmp is the client.Object.SnmpServerProfile namespace.
profile/snmp/v2c | Package v2c is the client.Object.SnmpV2cServer namespace.
profile/snmp/v3 | Package v3 is the client.Object.SnmpV3Server namespace.
profile/syslog | Package syslog is the client.Object.SyslogServerProfile namespace.
profile/syslog/server | Package server is the client.Object.SyslogServer namespace.
telemetry | Package telemetry is the firewall.Device.Telemetry namespace.
licen | Package licen is the client.Licensing namespace.
namespace | Package namespace contains common workflows between most namespaces.
netw | Package netw is the client.Network namespace.
dhcp | Package dhcp is the client.Network.Dhcp namespace.
ikegw | Package ikegw is the client.Network.IkeGateway namespace.
interface/aggregate | Package aggregate is the client.Network.AggregateInterface namespace.
interface/arp | Package arp is the client.Network.Arp namespace.
interface/eth | Package eth is the client.Network.EthernetInterface namespace.
interface/ipv6/address | Package address is the client.Network.Ipv6Address namespace.
interface/ipv6/neighbor | Package neighbor is the client.Network.Ipv6NeighborDiscovery namespace.
interface/loopback | Package loopback is the client.Network.LoopbackInterface namespace.
interface/subinterface/layer2 | Package layer2 is the client.Network.Layer2Subinterface namespace.
interface/subinterface/layer3 | Package layer3 is the client.Network.Layer3Subinterface namespace.
interface/tunnel | Package loopback is the client.Network.TunnelInterface namespace.
interface/vlan | Package vlan is the client.Network.VlanInterface namespace.
ipsectunnel | Package ipsectunnel is the client.Network.IpsecTunnel namespace.
ipsectunnel/proxyid/ipv4 | Package ipv4 is the client.Network.IpsecTunnelProxyId namespace.
profile/bfd | Package bfd is the client.Network.BfdProfile namespace.
profile/ike | Package ike is the client.Network.IkeCryptoProfile namespace.
profile/ipsec | Package ipsec is the client.Network.IpsecCryptoProfile namespace.
profile/mngtprof | Package mngtprof is the client.Network.ManagementProfile namespace.
profile/monitor | Package monitor is the client.Network.MonitorProfile namespace.
routing/profile/redist/ipv4 | Package ipv4 is the client.Network.RedistributionProfile namespace.
routing/protocol/bgp | Package bgp is the client.Network.BgpConfig namespace.
routing/protocol/bgp/aggregate | Package aggregate is the client.Network.BgpAggregation namespace.
routing/protocol/bgp/aggregate/filter/advertise | Package advertise is the client.Network.BgpAggAdvertiseFilter namespace.
routing/protocol/bgp/aggregate/filter/suppress | Package suppress is the client.Network.BgpAggSuppressFilter namespace.
routing/protocol/bgp/conadv | Package conadv is the client.Network.BgpConditionalAdv namespace.
routing/protocol/bgp/conadv/filter/advertise | Package advertise is the client.Network.BgpConAdvAdvertiseFilter namespace.
routing/protocol/bgp/conadv/filter/nonexist | Package nonexist is the client.Network.BgpConAdvNonExistFilter namespace.
routing/protocol/bgp/exp | Package exp is the client.Network.BgpExport namespace.
routing/protocol/bgp/imp | Package imp is the client.Network.BgpImport namespace.
routing/protocol/bgp/peer | Package peer is the client.Network.BgpPeer namespace.
routing/protocol/bgp/peer/group | Package group is the client.Network.BgpPeerGroup namespace.
routing/protocol/bgp/profile/auth | Package auth is the client.Network.BgpAuthProfile namespace.
routing/protocol/bgp/profile/dampening | Package dampening is the client.Network.BgpDampeningProfile namespace.
routing/protocol/bgp/redist | Package redist is the client.Network.BgpRedistRule namespace.
routing/protocol/ospf | Package ospf is the client.Network.OspfConfig namespace.
routing/protocol/ospf/area | Package area is the client.Network.OspfArea namespace.
routing/protocol/ospf/area/iface | Package iface is the client.Network.OspfAreaInterface namespace.
routing/protocol/ospf/area/vlink | Package vlink is the client.Network.OspfAreaVirtualLink namespace.
routing/protocol/ospf/exp | Package exp is the client.Network.OspfExport namespace.
routing/protocol/ospf/profile/auth | Package auth is the client.Network.OspfAuthProfile namespace.
routing/route/static/ipv4 | Package ipv4 is the client.Network.StaticRoute namespace.
routing/route/static/ipv6 | Package ipv6 is the client.Network.Ipv6StaticRoute namespace.
routing/router | Package router is the client.Network.VirtualRouter namespace.
tunnel/gre | Package gre is the client.Network.GreTunnel namespace.
vlan | Package vlan is the client.Network.Vlan namespace.
zone | Package zone is the client.Network.Zone namespace.
objs | Package objs is the client.Objects namespace.
addr | Package addr is the ngfw.Objects.Address namespace.
addrgrp | Package addrgrp is the client.Objects.AddressGroup namespace.
app | Package app is the client.Objects.Application namespace.
app/group | Package group is the client.Objects.AppGroup namespace.
app/signature | Package signature is the client.Objects.AppSignature namespace.
app/signature/andcond | Package andcond is the client.Objects.AppSigAndCond namespace.
app/signature/orcond | Package orcond is the client.Objects.AppSigAndCondOrCond namespace.
custom/data | Package data is the client.Object.DataPattern namespace.
dug | Package dug is the client.Objects.DynamicUserGroup namespace.
edl | Package edl is the ngfw.Objects.Edl namespace.
profile/logfwd | Package logfwd is the client.Object.LogForwardingProfile namespace.
profile/logfwd/matchlist | Package matchlist is the client.Object.LogForwardingProfileMatchList namespace.
profile/logfwd/matchlist/action | Package action is the client.Object.LogForwardingProfileMatchListAction namespace.
profile/security/data | Package data is the client.Object.DataFilteringProfile namespace.
profile/security/dos | Package dos is the client.Object.DosProtectionProfile namespace.
profile/security/file | Package file is the client.Object.FileBlockingProfile namespace.
profile/security/spyware | Package spyware is the client.Object.AntiSpywareProfile namespace.
profile/security/url | Package url is the client.Object.UrlFilteringProfile namespace.
profile/security/virus | Package virus is the client.Object.AntivirusProfile namespace.
profile/security/vulnerability | Package vulnerability is the client.Object.VulnerabilityProfile namespace.
profile/security/wildfire | Package wildfire is the client.Object.WildfireAnalysisProfile namespace.
srvc | Package srvc is the client.Objects.Services namespace.
srvcgrp | Package srvcgrp is the client.Objects.ServiceGroup namespace.
tags | Package tags is the client.Objects.Tags namespace.
pnrm | Package pnrm is the client.Panorama namespace.
dg | Package dg is the client.Panorama.DeviceGroup namespace.
plugins/gcp/account | Package account is the client.Panorama.GcpAccount namespace.
plugins/gcp/gke/cluster | Package cluster is the client.Panorama.GkeCluster namespace.
plugins/gcp/gke/cluster/group | Package group is the client.Panorama.GkeClusterGroup namespace.
template | Package template is the client.Panorama.Template namespace.
template/stack | Package stack is the client.Panorama.TemplateStack namespace.
template/variable | Package variable is the client.Panorama.TemplateVariable namespace.
poli | Package poli is the client.Policies namespace.
nat | Package nat is the client.Policies.Nat namespace.
pbf | Package pbf is the client.Policies.PolicyBasedForwarding namespace.
security | Package security is the client.Policies.Security namespace.
dlp/filetype | Package filetype is the client.Predefined.DlpFileType namespace.
tdb/filetype | Package filetype is the client.Predefined.TdbFileType namespace.
threat | Package threat is the ngfw.Predefined.Threat namespace.
userid | Package userid is the client.UserId namespace, for interacting with the User-ID API.
util | Package util contains various shared structs and functions used across the pango package.
version | Package version contains a version number struct that pango uses to make decisions on the specific structs to use when sending XML to the PANOS device.