cft_code.lib.pan package¶

Submodules¶

cft_code.lib.pan.asglib module¶

/*************************************************************************

Copyright (c) 2016, Palo Alto Networks. All rights reserved. *
This Software is the property of Palo Alto Networks. The Software and all *
accompanying documentation are copyrighted. *

*************************************************************************/

Licensed under the Apache License, Version 2.0 (the “License”); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an “AS IS” BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

cft_code.lib.pan.asglib.choose_subnet(subnet, AvailabilityZone)¶

Method to identify the subnet id based upon the availability zone.

Parameters:	subnet – AvailabilityZone –
Returns:

cft_code.lib.pan.asglib.common_alarm_func_del(alarmname)¶

Parameters:	alarmname –
Returns:

cft_code.lib.pan.asglib.config_firewall_add_nat_rule(gcontext, gwMgmtIp, api_key, untrust_ip, nlb_port, nlb_ip, static_route, default_gw, commit)¶

Parameters:	gcontext – gwMgmtIp – api_key – untrust_ip – nlb_port – nlb_ip – static_route – default_gw – commit –
Returns:

cft_code.lib.pan.asglib.config_firewall_commit(gcontext, gwMgmtIp, api_key)¶

Parameters:	gcontext – gwMgmtIp – api_key –
Returns:

cft_code.lib.pan.asglib.config_firewall_delete_nat_rule(gcontext, gwMgmtIp, api_key, nlb_port, static_route, commit)¶

Parameters:	gcontext – gwMgmtIp – api_key – nlb_port – static_route – commit –
Returns:

cft_code.lib.pan.asglib.config_firewall_init_setting(gcontext, gwMgmtIp, api_key, asg_name, untrust_ip)¶

Parameters:	gcontext – gwMgmtIp – api_key – asg_name –
Returns:

cft_code.lib.pan.asglib.create_firewall_table(stack_name, region)¶

Parameters:	stack_name – region –
Returns:

cft_code.lib.pan.asglib.create_nlb_table(stack_name, region)¶

Parameters:	stack_name – region –
Returns:

cft_code.lib.pan.asglib.deactivate_fw_license(gcontext, instanceId, gwMgmtIp, fwApiKey)¶

Call the FW to deactivate the license from the licensing server

Parameters:	gcontext – ssl context instanceId – instance Id gwMgmtIP – The IP address of the FW fwApiKey – Api key of the FW
Returns:	Api call status
Return type:	bool

cft_code.lib.pan.asglib.delete_asg_stack(stackname, elbtg, bsS3Bucket, ScalingParameter, keyPanoramam, force, subnet_ids)¶

Parameters:	stackname – elbtg – bsS3Bucket – ScalingParameter – KeyPANWPanorama – force – subnet_ids –
Returns:

cft_code.lib.pan.asglib.delete_asg_stacks(stackname, elbtg, vpc_sg, bsS3Bucket, ScalingParameter, KeyPANWPanorama, subnet_ids)¶

Parameters:	stackname – elbtg – vpc_sg – bsS3Bucket – ScalingParameter – KeyPANWPanorama – subnet_ids –
Returns:

cft_code.lib.pan.asglib.delete_eni_lambda(vpc_sg)¶

Parameters:	vpc_sg –
Returns:

cft_code.lib.pan.asglib.delete_message_from_queue(queue_url, receipt_handle)¶

Delete a message from the SQS queue.

Parameters:	queue_url – The URL of the queue receipt_handle – The receipt handle of the message
Returns:	None

cft_code.lib.pan.asglib.delete_table(tablename)¶

Parameters:	tablename –
Returns:

cft_code.lib.pan.asglib.execute_api_request(gwMgmtIp, port, cmd)¶: Execute API requests against the FW. :param gwMgmtIp: :param port: :param cmd: :return:

cft_code.lib.pan.asglib.firewall_table_add_instance(stack_name, region, avail_zone, instance_id, state, term_state, asg_name, ip, pip, untrust_ip)¶

Parameters:	stack_name – region – avail_zone – instance_id – state – term_state – asg_name – ip – pip – untrust_ip –
Returns:

cft_code.lib.pan.asglib.firewall_table_delete_instance(stack_name, region, instance_id)¶

Parameters:	stack_name – region – instance_id –
Returns:

cft_code.lib.pan.asglib.firewall_table_delete_instance1(stack_name, region, instance_id)¶

Parameters:	stack_name – region – instance_id –
Returns:

cft_code.lib.pan.asglib.firewall_table_get_all_in_az_state(stack_name, region, state, avail_zone)¶

Parameters:	stack_name – region – state – avail_zone –
Returns:

cft_code.lib.pan.asglib.firewall_table_get_all_in_state(stack_name, region, state)¶

Parameters:	stack_name – region – state –
Returns:

cft_code.lib.pan.asglib.firewall_table_get_from_db(stack_name, region, instance_id)¶

Parameters:	stack_name – region – instance_id –
Returns:

cft_code.lib.pan.asglib.firewall_table_update_rule_mask(stack_name, region, instance_id, rule_mask)¶

Parameters:	stack_name – region – instance_id – rule_mask –
Returns:

cft_code.lib.pan.asglib.firewall_table_update_state(stack_name, region, instance_id, state)¶

Parameters:	stack_name – region – instance_id – state –
Returns:

cft_code.lib.pan.asglib.fix_subnets(data1)¶

Parameters:	data1 –
Returns:

cft_code.lib.pan.asglib.fix_unicode(data)¶: Method to convert opaque data from unicode to utf-8 :param data: Opaque data :return: utf-8 encoded data

cft_code.lib.pan.asglib.getASGTag(rid, key)¶

Set tags on a specified auto scale group.

Note

This method is important from the perspective that it allows the lambda function code to distinguish `PAN-FW` deployed ASG’s from other ASG’s that might already exist in the customer VPC.

Parameters:	rid – The name of the ASG key – The tag to retrieve
Returns:	None or str

cft_code.lib.pan.asglib.getAccountId(rid)¶

Parameters:	rid –
Returns:

cft_code.lib.pan.asglib.getAzs(subnet_ids)¶

Parameters:	subnet_ids –
Returns:

cft_code.lib.pan.asglib.getChassisReady(response)¶

Parameters:	response –
Returns:

cft_code.lib.pan.asglib.getDebugLevel(stackname, region, account)¶

Parameters:	stackname – region – account –
Returns:

cft_code.lib.pan.asglib.getDebugLevelFromMsg(msg)¶

Parameters:	msg –
Returns:

cft_code.lib.pan.asglib.getJobProgress(response)¶

Parameters:	response –
Returns:

cft_code.lib.pan.asglib.getJobResult(response)¶

Parameters:	response –
Returns:

cft_code.lib.pan.asglib.getJobStatus(response)¶

Parameters:	response –
Returns:

cft_code.lib.pan.asglib.getJobTfin(response)¶

Parameters:	response –
Returns:

cft_code.lib.pan.asglib.getRegion(rid)¶

Parameters:	rid –
Returns:

cft_code.lib.pan.asglib.getScalingValue(msg, ScalingParameter)¶

Parameters:	msg – ScalingParameter –
Returns:

cft_code.lib.pan.asglib.getSqs(stackname, region, account)¶

Parameters:	stackname – region – account –
Returns:

cft_code.lib.pan.asglib.getSqsMessages(stackname, account)¶

Parameters:	stackname – account –
Returns:

cft_code.lib.pan.asglib.getUntrustIP(instanceid, untrust)¶

Parameters:	instanceid – untrust –
Returns:

cft_code.lib.pan.asglib.get_asg_name(stackname, elbtg, az)¶

Construct asg name

Parameters:	stackname –

:param :elbtg :param az: :return: asg name

cft_code.lib.pan.asglib.get_cw_name_space(stackname, asg_name)¶

Parameters:	stackname – asg_name –
Returns:

cft_code.lib.pan.asglib.get_device_serial_no(gcontext, instanceId, gwMgmtIp, fwApiKey)¶

Retrieve the serial number from the FW.

Parameters:	gcontext – ssl context instanceId – instance Id gwMgmtIP – The IP address of the FW fwApiKey – Api key of the FW
Returns:	The serial number of the FW
Return type:	str

cft_code.lib.pan.asglib.get_event_rule_name(stackname, instanceId)¶

Generate the name of the event rule.

Parameters:	stackname – instanceId –
Returns:	str

cft_code.lib.pan.asglib.get_firewall_table_name(stackname, region)¶

Parameters:	stackname – region –
Returns:

cft_code.lib.pan.asglib.get_from_nlb_queue(queue_url, visiblity_timeout=10, waittimes_seconds=0)¶

Retrieve a message from nlb queue

Parameters:	queue_url – visiblity_timeout – waittimes_seconds –
Returns:	msg or None

cft_code.lib.pan.asglib.get_from_sqs_queue(queue_url, visiblity_timeout=10, waittimes_seconds=5)¶

Retrieve data from a queue

Parameters:	queue_url – URL of the queue visiblity_timeout – The duration during which the message will not be available to other consumers waittimes_seconds – Wait timeout
Returns:	None

cft_code.lib.pan.asglib.get_lambda_cloud_watch_func_name(stackname, asg_name, instanceId)¶: Generate the name of the cloud watch metrics as a function of the ASG name and the instance id. :param stackname: :param asg_name: :param instanceId: :return: str

cft_code.lib.pan.asglib.get_lambda_statement_id(stackname, elbtg)¶

Parameters:	stackname – elbtg –
Returns:

cft_code.lib.pan.asglib.get_lc_name(stackname, elbtg, az)¶

Parameters:	stackname – elbtg – az –
Returns:

cft_code.lib.pan.asglib.get_nlb_table_name(stackname, region)¶

Parameters:	stackname – region –
Returns:

cft_code.lib.pan.asglib.get_panorama_version(gcontext, gwMgmtIp, apiKey)¶

Retrieve the software version of Panorama.

Parameters:	gcontext – ssl context gwMgmtIP – The IP address of the FW apiKey – Api key of the Panorama
Returns:	The software version of the Panorama
Return type:	str

cft_code.lib.pan.asglib.get_s3_bucket_name(stackname, ilbtag)¶

Parameters:	stackname – ilbtag –
Returns:

cft_code.lib.pan.asglib.get_s3_bucket_name1(stackname, ilbtag, ip_address)¶

cft_code.lib.pan.asglib.get_sched_func_name(stackname, elbtg)¶

Parameters:	stackname – elbtg –
Returns:

cft_code.lib.pan.asglib.get_ssl_context()¶: Create default ssl context

cft_code.lib.pan.asglib.get_statement_id(stackname, instanceId)¶

Parameters:	stackname – instanceId –
Returns:

cft_code.lib.pan.asglib.get_subnet_and_gw(ip_cidr)¶

Extract subnet and gateway from subnet cidr in AWS

Parameters:	ip_cidr –
Returns:

cft_code.lib.pan.asglib.get_target_id_name(stackname, instanceId)¶

Parameters:	stackname – instanceId –
Returns:

cft_code.lib.pan.asglib.get_values_from_init_cfg(contents)¶: Retrieve the keys from the init-cfg file :param contents: :return: dict

cft_code.lib.pan.asglib.int2ip(addr)¶

Parameters:	addr –
Returns:

cft_code.lib.pan.asglib.ip2int(addr)¶

Parameters:	addr –
Returns:

cft_code.lib.pan.asglib.is_firewall_auto_commit_done(gcontext, gwMgmtIp, api_key)¶

Parameters:	gcontext – gwMgmtIp – api_key –
Returns:

cft_code.lib.pan.asglib.is_firewall_ready(gcontext, gwMgmtIp, api_key)¶

Parameters:	gcontext – gwMgmtIp – api_key –
Returns:

cft_code.lib.pan.asglib.nlb_table_add_entry(stack_name, region, nlb_ip, port, nlb_state, nlb_zone_name, nlb_subnet_id, total_avail_zones, avail_zone_index, dns_name, nlb_name)¶

Parameters:	stack_name – region – nlb_ip – port – nlb_state – nlb_zone_name – nlb_subnet_id – total_avail_zones – avail_zone_index – dns_name – nlb_name –
Returns:

cft_code.lib.pan.asglib.nlb_table_delete_entry(stack_name, region, nlb_ip)¶

Parameters:	stack_name – region – nlb_ip –
Returns:

cft_code.lib.pan.asglib.nlb_table_delete_entry_by_dnsname(stack_name, region, dns_name)¶

Parameters:	stack_name – region – dns_name –
Returns:

cft_code.lib.pan.asglib.nlb_table_get_all_in_state(stack_name, region, state)¶

Parameters:	stack_name – region – state –
Returns:

cft_code.lib.pan.asglib.nlb_table_get_entry_by_dnsname(stack_name, region, dns_name)¶

Parameters:	stack_name – region – dns_name –
Returns:

cft_code.lib.pan.asglib.nlb_table_get_from_db(stack_name, region, nlb_ip)¶

Parameters:	stack_name – region – nlb_ip –
Returns:

cft_code.lib.pan.asglib.nlb_table_get_next_avail_port(stack_name, region)¶

Parameters:	stack_name – region –
Returns:

cft_code.lib.pan.asglib.nlb_table_update_state(stack_name, region, nlb_ip, nlb_state)¶

Parameters:	stack_name – region – nlb_ip – nlb_state –
Returns:

cft_code.lib.pan.asglib.pan_print(s)¶

Parameters:	s –
Returns:

cft_code.lib.pan.asglib.panorama_delete_stack(bsS3Bucket, asg_name, keyPanoramam)¶

Parameters:	bsS3Bucket – asg_name – keyPanoramam –
Returns:

cft_code.lib.pan.asglib.panorama_remove_serial_and_ip(stackname, r, pdict)¶

Parameters:	stackname – r – pdict –
Returns:

cft_code.lib.pan.asglib.panorama_save_serial_and_ip(stackname, r)¶

Parameters:	stackname – r –
Returns:

cft_code.lib.pan.asglib.purge_stack_queue(queue_url)¶

Delete all the messages in the queue

Parameters:	queue_url – URL of the queue
Returns:	None

cft_code.lib.pan.asglib.random_string(string_length=10)¶

Parameters:	string_length –
Returns:

cft_code.lib.pan.asglib.read_s3_object(bucket, key)¶

Parameters:	bucket – key –
Returns:

cft_code.lib.pan.asglib.release_eip(stackname, instanceId)¶

Parameters:	stackname – instanceId –
Returns:

cft_code.lib.pan.asglib.remove_alarm(asg_name)¶

Parameters:	asg_name –
Returns:

cft_code.lib.pan.asglib.remove_asg(stackname, elbtg, az, ScalingParameter, KeyPANWPanorama, force, delete_stack)¶

Parameters:	stackname – elbtg – az – ScalingParameter – KeyPANWPanorama – force – delete_stack –
Returns:

cft_code.lib.pan.asglib.remove_asg_life_cycle(asg_name)¶

Parameters:	asg_name –
Returns:

cft_code.lib.pan.asglib.remove_asg_vms(stackname, asg_grp_name, KeyPANWPanorama, delete_stack)¶

Parameters:	stackname – :asg_grp_name – :KeyPANWPanorama – :delete_stack –
Returns:

cft_code.lib.pan.asglib.remove_device(stackname, remove, PanoramaIP, api_key, dev_group, tp_group, serial_no, gwMgmtIp)¶

Method to remove a device from Panorama.

Parameters:	stackname – remove – PanoramaIP – api_key – dev_group – tp_group – serial_no – gwMgmtIp –
Returns:	None or str

cft_code.lib.pan.asglib.remove_fw_from_panorama(instanceId, KeyPANWPanorama, gwMgmtIp, PanoramaIP, PanoramaDG, PanoramaTPL)¶

Parameters:	instanceId – KeyPANWPanorama – gwMgmtIp – PanoramaIP – PanoramaDG – PanoramaTPL –
Returns:

cft_code.lib.pan.asglib.remove_s3_bucket(s3_bucket_name)¶

Parameters:	s3_bucket_name –
Returns:

cft_code.lib.pan.asglib.retrieve_fw_ip(instance_id)¶

Retrieve the IP of the Instance

Parameters:	instance_id (str) – The id of the instance

cft_code.lib.pan.asglib.runCommand(gcontext, cmd, gwMgmtIp, api_key)¶

Method to run generic API commands against a PAN Firewall.

Note

This is a generic method to interact with PAN firewalls to execute api calls.

Parameters:	gcontext – SSL Context cmd – Command to execute gwMgmtIp – Management IP of the PAN FW api_key – API key of the Firewall
Returns:	None or str

cft_code.lib.pan.asglib.runShutdownCommand(gcontext, cmd, gwMgmtIp, api_key)¶

Method to shutdown a device.

Parameters:	gcontext – cmd – gwMgmtIp – api_key –
Returns:	bool

cft_code.lib.pan.asglib.scalein_asg(stackname, elbtg, az)¶

cft_code.lib.pan.asglib.send_command(conn, req_url)¶

An alternative interface to interact with the PAN FW’s

Parameters:	conn – req_url –
Returns:	dict

cft_code.lib.pan.asglib.send_message_to_nlb_queue(queue_url, str_message)¶

Send a message on the Network Load Balancer queue.

Parameters:	queue_url – The URL of the queue str_message – Message to send to the queue
Returns:	None

cft_code.lib.pan.asglib.send_message_to_queue(queue_url, str_message)¶

Send a message on the specified queue.

Parameters:	queue_url – The URL of the queue str_message – Message to send to the queue
Returns:	None

cft_code.lib.pan.asglib.setASGTag(rid, key, value)¶

Set `PAN-FW` specific tags on an ASG.

Note

This method is important from the perspective that it allows the lambda function code to distinguish `PAN-FW` deployed ASG’s from other ASG’s that might already exist in the customer VPC.

Parameters:	rid – Name of the ASG key – Tag value – Tag Value
Returns:	None

cft_code.lib.pan.asglib.setDebugLevelFromMsg(logger, lvl)¶

Parameters:	logger – lvl –
Returns:

cft_code.lib.pan.asglib.setLoggerLevel(logger, stackname, account)¶

Parameters:	logger – stackname – account –
Returns:

cft_code.lib.pan.asglib.set_deactivate_api_key(gcontext, instanceId, gwMgmtIp, fwApiKey, deactivateApiKey)¶: Setup the deactivate api key to allow the FW deactivate sequence :param instanceId: :param gwMgmtIp: :param fwApiKey: :param deactivateApiKey: :return: bool

cft_code.lib.pan.asglib.set_queue_attributes(queue_url, retention_period)¶

Set the queue attributes

Parameters:	queue_url – URL of the queue retention_period – Duration of time that the message will be retained for.
Returns:	None

cft_code.lib.pan.asglib.shutdown_fw_device(gcontext, instanceId, gwMgmtIp, fwApiKey)¶

Shutdown the firewall device

Parameters:	gcontext – ssl context instanceId – instance Id gwMgmtIP – The IP address of the FW fwApiKey – Api key of the FW
Returns:	Api call status
Return type:	bool

cft_code.lib.pan.asglib.substring_after(s, delim)¶

Parameters:	s – delim –
Returns:

cft_code.lib.pan package¶

Submodules¶

cft_code.lib.pan.asglib module¶

Module contents¶