NAPALM get_firewall_policies support #2011

Open
Architect333 opened this issue Sep 27, 2023 · 0 comments

Hi Team!

Not really sure if this is the right way to start :)

Working on a network automation project with Juniper vSRX firewalls. One of the tasks I'm working on is to get firewall policies.

As per https://napalm.readthedocs.io/en/latest/support/, looks like this is a pending item for all platforms.

Just came up with a very simple version 0.1 extending JunOSDriver as follows:

### junos.py ###
from napalm.junos.junos import JunOSDriver

class CustomJunOSDriver(JunOSDriver):
    
    """EXTENDING NAPALM JunOS HANDLER TO PARSE FIREWALL POLICIES"""
    
    def get_firewall_policies(self):
        commands = ['show security policies']
        output = self.cli(commands)

        return_vars = {}
        policy_index = 1
        
        for line in output['show security policies'].splitlines():

            if 'From zone' in line:
                from_zone = line.split(",")[0].split(": ")[1].strip()
                to_zone = line.split(",")[1].split(": ")[1].strip()
            elif 'Policy' in line:
                policy = line.split(",")[0].split(": ")[1].strip()
            elif 'Source addresses' in line:
                source = line.split(":")[1].strip()
            elif 'Destination addresses' in line:
                destination = line.split(":")[1].strip()
            elif 'Applications' in line:
                application = line.split(":")[1].strip()
            elif 'Action' in line:
                if 'log' in line:
                    action = line.split(":")[1].split(",")[0].strip()
                    log = 'Yes'
                else:
                    action = line.split(":")[1].strip()
                    log = 'No'
                
                return_vars[policy_index] = {
                    'From Zone': from_zone,
                    'To Zone': to_zone,
                    'Policy Name': policy,
                    'Source': source,
                    'Destination': destination,
                    'Applications': application,
                    'Action': action,
                    'Log Enabled': log
                    }
                policy_index += 1
    
        return return_vars

To launch:

### ibnrisen_nr.py ###
from nornir import InitNornir
from nornir_napalm.plugins.tasks import napalm_get
from nornir_utils.plugins.functions import print_result

nr = InitNornir(config_file="nr_config.yaml")

def get_firewall_policies():
    policies_xls = nr.run(task=napalm_get, getters=['firewall_policies'])
    print_result(policies_xls)

if __name__ == '__main__':
    get_firewall_policies()

Sample output:

architect@architect-Virtual-Machine:~/Documents/ibnraisen_nr$ /bin/python3 /home/architect/Documents/ibnraisen_nr/ibnrisen_nr.py
napalm_get**********************************************************************

  • vSRX-Firewall ** changed : False *********************************************
    vvvv napalm_get ** changed : False vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv INFO
    { 'firewall_policies': { 1: { 'Action': 'permit',
    'Applications': 'any',
    'Destination': 'any',
    'From Zone': 'trust',
    'Log Enabled': 'No',
    'Policy Name': 'default-permit',
    'Source': 'any',
    'To Zone': 'trust'},
    2: { 'Action': 'permit',
    'Applications': 'any',
    'Destination': 'any',
    'From Zone': 'trust',
    'Log Enabled': 'No',
    'Policy Name': 'default-permit',
    'Source': 'any',
    'To Zone': 'untrust'},
    3: { 'Action': 'deny',
    'Applications': 'any',
    'Destination': 'any',
    'From Zone': 'ABC',
    'Log Enabled': 'Yes',
    'Policy Name': 'P1',
    'Source': 'any',
    'To Zone': 'XYZ'},
    4: { 'Action': 'deny',
    'Applications': 'any',
    'Destination': 'any',
    'From Zone': 'CDF',
    'Log Enabled': 'Yes',
    'Policy Name': 'P2',
    'Source': 'any',
    'To Zone': 'JKH'},
    5: { 'Action': 'deny',
    'Applications': 'APP1, APP22',
    'Destination': 'D1',
    'From Zone': 'ABC',
    'Log Enabled': 'Yes',
    'Policy Name': 'NAME1',
    'Source': 'S1',
    'To Zone': 'JKH'}}}
    ^^^^ END napalm_get ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    """

Does any of this make sense to you as a potential contribution?

Thanks!

Agustin

AGUSTIN CICILIANI
Network Solutions Consultant
CCIE #52116 | DevNet | Data Center | Python
Mobile: +54 9 11 4969 3761
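
An added example, not part of the issue above and not NAPALM code: a rule-review pass over the dictionary shape the proposed getter returns, flagging broad permits, permits without logging, and rules that sit behind an earlier any/any/any rule in the same zone pair. It assumes the getter lists rules in evaluation order and that the first matching rule in a zone pair wins; the function name, finding strings and sample values are constructed for illustration.

```python
# Added illustration: review the output of the get_firewall_policies() sketch.
KEYS = ("From Zone", "To Zone", "Policy Name", "Source", "Destination",
        "Applications", "Action", "Log Enabled")
MATCH_FIELDS = ("Source", "Destination", "Applications")


def _row(*values):
    """Build one policy entry with the keys used in the issue's sample output."""
    return dict(zip(KEYS, values))


# Constructed sample data (not taken from a real device).
SAMPLE = {
    1: _row("trust", "untrust", "default-permit", "any", "any", "any", "permit", "No"),
    2: _row("trust", "untrust", "P-late", "S1", "D1", "APP1, APP22", "deny", "Yes"),
    3: _row("ABC", "JKH", "NAME1", "S1", "any", "APP1", "permit", "Yes"),
    4: _row("ABC", "XYZ", "P1", "any", "any", "any", "deny", "Yes"),
}


def audit_policies(policies):
    """Return (index, policy name, finding) tuples in rule order."""
    findings = []
    catch_all = {}  # (from zone, to zone) -> name of the first any/any/any rule
    for idx in sorted(policies):
        p = policies[idx]
        name = p["Policy Name"]
        zones = (p["From Zone"], p["To Zone"])
        permit = p["Action"].strip().lower().startswith("permit")
        wide = [f for f in MATCH_FIELDS if p[f].strip().lower() == "any"]
        if permit and len(wide) == len(MATCH_FIELDS):
            findings.append((idx, name, "permit any/any/any"))
        elif permit and wide:
            findings.append((idx, name, "permit with 'any' in " + ", ".join(wide)))
        if permit and p["Log Enabled"] != "Yes":
            findings.append((idx, name, "permit without logging"))
        # Assumption: first match wins, so nothing after a catch-all is evaluated.
        if zones in catch_all:
            findings.append((idx, name, "unreachable: shadowed by " + catch_all[zones]))
        elif len(wide) == len(MATCH_FIELDS):
            catch_all[zones] = name
    return findings


if __name__ == "__main__":
    for finding in audit_policies(SAMPLE):
        print(finding)
```

The getter as posted does not capture whether a policy is enabled, so a disabled catch-all would still be reported as shadowing later rules.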
