Case

Netbox object Server01 is in an address group name Server-devices. Server-devices again is in an address group named NTP-access.

Currently

Only one nesting is supported.

To do

Add the ability to define the number of levels to support nesting. Finding the address groups within address groups requires plenty of loops and a natural performance hit. Make it user-definable as a variable in PLUGINS_CONFIG.

Example usage

NetBox object name is SERVER01 with the IP address of 10.20.30.254. On the firewall/Panorama the object is named SERVER01.30.254 to easily indicate the last two octets of the object. Make this object name configurable.

Use case

Not all objects will be present on all firewalls. Make a way of designating through the admin interface the attributes to match on.

If the firewall is down or not responding, the connection will hang and only timeout on the gunicorn timeout.

Check if it is possible to set a timeout on the connection in pandevice. If not in pandevice, see if it is possible to get the timeout value and make sure we terminate before it runs out.

Currently the search assumes the NetBox object has a corresponding object on the firewall. It is known that many rules are created without referencing objects, just using the IP of the device.

• Add the IP address of a device as a search term.

Add logging statements for easier debug.

NetBox 3.2.0 was just released and has a number of extension improvements.

Furthermore, a NetBox 3.2 plugin tutorial was released

If no firewall config is defined - print error message when trying to show rules.

If the firewall connection throws any errors, like invalid credentials or timeout, make sure to present this message to the user.

Trying to see firewall rules for an object without a defined primary address results in an Exception:

AttributeError at /plugins/paloalto/loading-fw02/
'NoneType' object has no attribute 'address'

URL: /plugins/paloalto/ currently requires a in the URL.

To do

Add a landing page with a text box where we can choose a device or virtual machine to create the url /plugins/paloalto/

Make sure to show the different device groups, and the pre and post rulebase.

Use case

To avoid having to create the object, show a small area on the device/vm page with information about the object. If it exists on the firewall/Panorama.

Check if the load times makes this feasible. If possible add a setting to turn on/off this view.

Scenario

Object Server01 is in both address group adr-group-1 and adr-group-2.

Problem

When listing rules the one rule with both address groups show up twice.

Solution

Make sure the rules are unique when listing them.

Investigate if it is possible to cache the firewall rules returned by the pandevice API calls.

Observed behaviour

When visiting /plugins/paloalto/Server01 and no rules match, the panel with "Firewalls/device groups" is still presented.

Expected behaviour

If none match, omit the panel and output a message saying there are no rules matching.