cft_code package

Submodules

cft_code.dynamodb_evt module

cft_code.dynamodb_evt.lambda_handler(event, context)

cft_code.fw_init module

Copyright (c) 2016, Palo Alto Networks. All rights reserved.
This Software is the property of Palo Alto Networks. The Software and all accompanying documentation are copyrighted.

Copyright 2016 Palo Alto Networks

Licensed under the Apache License, Version 2.0 (the “License”); you may not use this file except in compliance with the License. You may obtain a copy of the License at

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an “AS IS” BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

cft_code.fw_init.abandon(context, asg_message)

Method to send a response to the auto scale life cycle action.

Parameters:
  • context
  • asg_message
Returns:

cft_code.fw_init.associateAddress(AllocId, nifId)

Parameters:
  • AllocId
  • nifId
Returns: bool

cft_code.fw_init.attachEni(ec2Id, eniId, index)

Method to attach an ENI to an instance.

Parameters:
  • ec2Id
  • eniId
  • index
Returns:

cft_code.fw_init.count_eni(msg, instanceId)
Parameters:
  • msg
  • instanceId
Returns:

cft_code.fw_init.createEni(subnetId, securityGroups, index)

Method to create an Elastic Network Interface.

Parameters:
  • subnetId
  • securityGroups
  • index
Returns:

cft_code.fw_init.done(success, context, asg_message)

Method to send a successful response to an ASG lifecycle action.

Parameters:
  • success
  • context
  • asg_message
Returns:

cft_code.fw_init.getUnassociatedAddress(eip_list)

Parameters: eip_list
Returns:

cft_code.fw_init.get_eip(mgmt_eniId, mgmt_instanceId)
Parameters:
  • mgmt_eniId
  • mgmt_instanceId
Returns:

cft_code.fw_init.get_event_rule_name(stackname, instanceId)
Parameters:
  • stackname
  • instanceId
Returns:

cft_code.fw_init.get_lambda_cloud_watch_func_name(stackname, instanceId)
Parameters:
  • stackname
  • instanceId
Returns:

cft_code.fw_init.get_stack_params(queue_url)

Parameters: queue_url
Returns:

cft_code.fw_init.get_statement_id(stackname, instanceId)
Parameters:
  • stackname
  • instanceId
Returns:

cft_code.fw_init.get_target_id_name(stackname, instanceId)
Parameters:
  • stackname
  • instanceId
Returns:

cft_code.fw_init.handle_instance_termination(fwApiKey, instanceId, delicenseKey, fwMgmtIp)

Execute the sequence to deactivate the Firewall in the case of BYOL.

Parameters:
  • fwApiKey
  • instanceId
  • delicenseKey
  • fwMgmtIp
Returns: bool

cft_code.fw_init.lambda_handler(event, context)

The entry point when this lambda function gets invoked.

Note

The primary objective of this lambda function is to handle life-cycle hooks and to create / delete elastic network interfaces and to assign them to / disassociate them from instances.

Parameters:
  • event – Encodes all the input variables to the lambda function, when the function is invoked. Essentially AWS Lambda uses this parameter to pass in event data to the handler function.
  • context – AWS Lambda uses this parameter to provide runtime information to your handler.
Returns:

None

cft_code.fw_init.random_string(string_length=10)

Parameters: string_length
Returns:

cft_code.fw_init.removeEni(eniId1)

Method to disassociate an ENI from an instance.

Parameters: eniId1
Returns:

cft_code.fw_init.remove_eni(message)

Parameters: message
Returns:

cft_code.fw_init.remove_eni_in_subnet(subnet)

Parameters: subnet
Returns:

cft_code.fw_init.waitEniReady(eniId)

Method to check if an ENI is ready.

Parameters: eniId
Returns:

cft_code.init module

cft_code.init.UpdateActiveSessions(stackname, asg_name, arn_scalein, arn_scaleout)
Parameters:
  • stackname
  • asg_name
  • arn_scalein
  • arn_scaleout
Returns:

cft_code.init.UpdateDataPlaneBufferUtilization(stackname, asg_name, arn_scalein, arn_scaleout)
Parameters:
  • stackname
  • asg_name
  • arn_scalein
  • arn_scaleout
Returns:

cft_code.init.UpdateDataPlaneCPUUtilization(stackname, asg_name, arn_scalein, arn_scaleout)
Parameters:
  • stackname
  • asg_name
  • arn_scalein
  • arn_scaleout
Returns:

cft_code.init.UpdateGPActiveTunnels(stackname, asg_name, arn_scalein, arn_scaleout)
Parameters:
  • stackname
  • asg_name
  • arn_scalein
  • arn_scaleout
Returns:

cft_code.init.UpdateGPGatewayUtilization(stackname, asg_name, arn_scalein, arn_scaleout)
Parameters:
  • stackname
  • asg_name
  • arn_scalein
  • arn_scaleout
Returns:

cft_code.init.UpdateSessionSslProxyUtilization(stackname, asg_name, arn_scalein, arn_scaleout)
Parameters:
  • stackname
  • asg_name
  • arn_scalein
  • arn_scaleout
Returns:

cft_code.init.UpdateSessionUtilization(stackname, asg_name, arn_scalein, arn_scaleout)
Parameters:
  • stackname
  • asg_name
  • arn_scalein
  • arn_scaleout
Returns:

cft_code.init.common_alarm_func_update(asg_name, metricname, namespace, arn_scalein, arn_scaleout, alarmname, desc)

Method to create alarms to be monitored on instances in an ASG.

Parameters:
  • asg_name
  • metricname
  • namespace
  • arn_scalein
  • arn_scaleout
  • alarmname
  • desc
Returns:

cft_code.init.create_resources(event)

This method is called from the lambda handler entry point. The following actions are performed:

  • validates the AMI-ID
  • deploys the `sched_evt1` lambda function.
Parameters: event
Returns: None

cft_code.init.delete_resources(event)

Method to handle the delete of resources when the CFT stack is deleted.

Parameters: event
Returns:

cft_code.init.get_event_rule_name(stackname)

Method to create a unique name for the event rules.

Note

The event name is constructed by appending a fixed string to the stack name.

Parameters: stackname
Returns:

cft_code.init.get_sha(bucket, folder, lambda_sha)

Method to compute the SHA-256 hash of the contents of the given file.

Parameters:
  • bucket
  • folder
  • lambda_sha
Returns:

cft_code.init.get_target_id_name(stackname)

Parameters: stackname
Returns:

cft_code.init.lambda_handler(event, context)

Note

This function is the entry point for the `init` Lambda function. This function performs the following actions:

  • invokes `create | delete | update_resources()` based on the action required.
  • creates the `sched_evt1` lambda function and configures the same.
  • validates that the PAN FW AMI-ID specified as input is valid and supported.
Parameters:
  • event (dict) – Encodes all the input variables to the lambda function, when the function is invoked. Essentially AWS Lambda uses this parameter to pass in event data to the handler function.
  • context (LambdaContext) – AWS Lambda uses this parameter to provide runtime information to your handler.
Returns:

None

cft_code.init.no_asgs(elbname)

Parameters: elbname
Returns:

cft_code.init.random_string(string_length=10)

Parameters: string_length
Returns:

cft_code.init.read_s3_object(bucket, key)

Method to read data from an S3 bucket.

Note

This method is used to read bootstrap information, in order to license and configure the firewall.

Parameters:
  • bucket
  • key
Returns:

cft_code.init.remove_sched_func(stackname, elbtg)

Remove the sched_evt function, in order to clean up when the CFT stack is deleted.

Parameters:
  • stackname
  • elbtg
Returns:

cft_code.init.send_response(event, context, responseStatus)

Method to send a response back to the CFT process.

Parameters:
  • event
  • context
  • responseStatus
Returns:

cft_code.init.update_alarm(stackname, asg_name, event)

Method to update alarm parameters if they have been changed when the CFT stack was updated.

Parameters:
  • stackname
  • asg_name
  • event
Returns:

cft_code.init.update_resources(event)

Method to handle any updates to the CFT templates.

Parameters: event – CFT input parameters
Returns: None

cft_code.init.validate_ami_id(event)

Validate that the AMI-ID provided is a valid PAN FW AMI.

Parameters: event – The CFT event params
Returns: bool

cft_code.sched_evt1 module

cft_code.sched_evt1.AddActiveSessions(asg_name, arn_scalein, arn_scaleout)

Method to create the ActiveSessions Alarm. This alarm will trigger when the Active Sessions exceeds the specified threshold.

Parameters:
  • asg_name – Name of the ASG
  • arn_scalein – ARN of the scale-in metric
  • arn_scaleout – ARN of the scale-out metric
Returns:

bool

cft_code.sched_evt1.AddDataPlaneBufferUtilization(asg_name, arn_scalein, arn_scaleout)

Method to create the DataPlaneBufferUtilization Alarm. This alarm will trigger when the DataPlaneBufferUtilization exceeds the specified threshold.

Parameters:
  • asg_name – Name of the ASG
  • arn_scalein – ARN of the scale-in metric
  • arn_scaleout – ARN of the scale-out metric
Returns:

bool

cft_code.sched_evt1.AddDataPlaneCPUUtilization(asg_name, arn_scalein, arn_scaleout)

Method to create the DataPlaneCPUUtilization Alarm. This alarm will trigger when the Data Plane CPU Utilization exceeds the specified threshold.

Parameters:
  • asg_name – Name of the ASG
  • arn_scalein – ARN of the scale-in metric
  • arn_scaleout – ARN of the scale-out metric
Returns:

bool

cft_code.sched_evt1.AddGPActiveTunnels(asg_name, arn_scalein, arn_scaleout)

Method to create the GPActiveTunnels Alarm. This alarm will trigger when the GP Active Tunnels exceeds the specified threshold.

Parameters:
  • asg_name – Name of the ASG
  • arn_scalein – ARN of the scale-in metric
  • arn_scaleout – ARN of the scale-out metric
Returns:

bool

cft_code.sched_evt1.AddGPGatewayUtilization(asg_name, arn_scalein, arn_scaleout)

Method to create the GPGatewayUtilization Alarm. This alarm will trigger when the GPGatewayUtilization exceeds the specified threshold.

Parameters:
  • asg_name – Name of the ASG
  • arn_scalein – ARN of the scale-in metric
  • arn_scaleout – ARN of the scale-out metric
Returns:

bool

cft_code.sched_evt1.AddSessionSslProxyUtilization(asg_name, arn_scalein, arn_scaleout)

Method to create the SessionSslProxyUtilization Alarm. This alarm will trigger when the SessionSslProxyUtilization exceeds the specified threshold.

Parameters:
  • asg_name – Name of the ASG
  • arn_scalein – ARN of the scale-in metric
  • arn_scaleout – ARN of the scale-out metric
Returns:

bool

cft_code.sched_evt1.AddSessionUtilization(asg_name, arn_scalein, arn_scaleout)

Method to create the SessionUtilization Alarm. This alarm will trigger when the SessionUtilization exceeds the specified threshold.

Parameters:
  • asg_name – Name of the ASG
  • arn_scalein – ARN of the scale-in metric
  • arn_scaleout – ARN of the scale-out metric
Returns:

bool

cft_code.sched_evt1.DelActiveSessions(asg_name)

Method to delete the ActiveSessions alarm.

Parameters: asg_name – Name of the ASG
Returns: None

cft_code.sched_evt1.DelDataPlaneBufferUtilization(asg_name)

Method to delete the DataPlaneBufferUtilization alarm.

Parameters: asg_name – Name of the ASG
Returns: None

cft_code.sched_evt1.DelDataPlaneCPUUtilization(asg_name)

Method to delete the DataPlaneCPUUtilization alarm.

Parameters: asg_name – Name of the ASG
Returns: None

cft_code.sched_evt1.DelGPActiveTunnels(asg_name)

Method to delete the GPActiveTunnels alarm.

Parameters: asg_name – Name of the ASG
Returns: None

cft_code.sched_evt1.DelGPGatewayUtilization(asg_name)

Method to delete the GPGatewayUtilization alarm.

Parameters: asg_name – Name of the ASG
Returns: None

cft_code.sched_evt1.DelSessionSslProxyUtilization(asg_name)

Method to delete the SessionSslProxyUtilization alarm.

Parameters: asg_name – Name of the ASG
Returns: None

cft_code.sched_evt1.DelSessionUtilization(asg_name)

Method to delete the SessionUtilization alarm.

Parameters: asg_name – Name of the ASG
Returns: None

cft_code.sched_evt1.check_and_send_message_to_queue(queue_url, str_message)

Method to check the messages on the queue to ensure it is up to date, and to send a message for any changes as the case may be.

Parameters:
  • queue_url
  • str_message
Returns:

str

cft_code.sched_evt1.common_alarm_func_add(asg_name, metricname, namespace, arn_scalein, arn_scaleout, alarmname, desc, Unit)

Method that supports a common interface to add cloud watch alarms along with the associated threshold metrics.

Parameters:
  • asg_name – Name of the ASG that this alarm is associated with.
  • metricname – Name of the metric.
  • namespace – Name of the namespace.
  • arn_scalein – ARN of the scale-in metric.
  • arn_scaleout – ARN of the scale-out metric.
  • alarmname – Name of the alarm that will be raised.
  • desc – Description of the alarm
  • Unit – The unit to be used.
Returns:

bool

cft_code.sched_evt1.common_alarm_func_del(alarmname)

Common interface to delete alarms.

Parameters: alarmname – Name of the alarm to delete.
Returns: None

cft_code.sched_evt1.create_asg(AvailabilityZone)

Method to create an Auto Scale Group with the configuration provided.

Note

This method performs the following critical functions:

  • reads in configuration from an S3 bucket
  • creates a launch configuration
  • creates an ASG
  • associates the policies with the ASG
  • registers to ASG life-cycle hook events and provides handlers for these events.
Parameters: AvailabilityZone
Returns:

cft_code.sched_evt1.create_asg_life_cycle(asg_name, AvailabilityZone)

Method to register ASG life cycle hook actions.

When an ASG lifecycle hook is triggered, the targets registered by this method are invoked with the appropriate data fields.

Parameters:
  • asg_name – Name of the ASG.
  • AvailabilityZone – Name of the AZ
Returns:

bool

cft_code.sched_evt1.firewall_asg_update(event, context)

Method to monitor the ASG in the supported AZs.

The actions performed by this function are:
  • if the ASG does not exist, create it.
  • before creating the ASG, remove the launch config if it exists, then create a new launch config.
Parameters:
  • event (dict) – Encodes all the input variables to the lambda function, when the function is invoked. Essentially AWS Lambda uses this parameter to pass in event data to the handler function.
  • context (LambdaContext) – AWS Lambda uses this parameter to provide runtime information to your handler.
Returns:

None

cft_code.sched_evt1.firewall_init_config(event, context)

Method to monitor firewalls in the INIT state in the firewall table and set their state to COMMIT once the firewall auto-commit completes.

Parameters:
  • event (dict) – Encodes all the input variables to the lambda function, when the function is invoked. Essentially AWS Lambda uses this parameter to pass in event data to the handler function.
  • context (LambdaContext) – AWS Lambda uses this parameter to provide runtime information to your handler.
Returns:

None

cft_code.sched_evt1.getAz(ip, response_ilb)

Method to return the availability zone that a configured IP address belongs to.

Parameters:
  • ip
  • response_ilb
Returns:

cft_code.sched_evt1.lambda_handler(event, context)

Note

This function is the entry point for the `sched_evt1` Lambda function.

This function performs the following actions:

  • invokes `check_and_send_message_to_queue()`: checks the messages on the queue to ensure it is up to date, and for any changes as the case may be.
  • invokes `firewall_asg_update()`: monitors the firewall ASG and creates the ASG if it does not exist.
  • invokes `firewall_init_config()`: monitors firewalls in the INIT state and moves them to COMMIT once the firewall auto-commit is done.
  • invokes `network_load_balancer_update()`: updates the firewall NAT rules based on the info in the firewall table and the NLB table.
Parameters:
  • event (dict) – Encodes all the input variables to the lambda function, when the function is invoked. Essentially AWS Lambda uses this parameter to pass in event data to the handler function.
  • context (LambdaContext) – AWS Lambda uses this parameter to provide runtime information to your handler.
Returns:

None

cft_code.sched_evt1.network_load_balancer_update(event, context)

Method to monitor the NLB SQS queue and update firewall NAT rules.

The actions performed by this function are:
  • find all firewalls in the COMMIT state in the firewall table and apply NAT rules for all NLB IPs in the NLB table
  • read new messages from the NLB SQS queue and update the NLB table and firewall rules
Parameters:
  • event (dict) – Encodes all the input variables to the lambda function, when the function is invoked. Essentially AWS Lambda uses this parameter to pass in event data to the handler function.
  • context (LambdaContext) – AWS Lambda uses this parameter to provide runtime information to your handler.
Returns:

None

cft_code.sched_evt1.random_string(string_length=10)

Parameters: string_length
Returns:

cft_code.sha module

cft_code.sha.code_sha(filename)

Method to compute the SHA-256 hash of the contents of the file specified by the filename.

Parameters: filename
Returns: str

Module contents