Application Group Configuration Object
Table of Contents
- Overview
- Core Methods
- Application Group Model Attributes
- Exceptions
- Basic Configuration
- Usage Examples
- Managing Configuration Changes
- Error Handling
- Best Practices
- Full Script Examples
- Related Models
Overview
The ApplicationGroup class provides functionality to manage application groups in Palo Alto Networks' Strata Cloud
Manager. This class inherits from BaseObject and provides methods for creating, retrieving, updating, and deleting
application groups that organize collections of applications for use in security policies.
Core Methods
| Method | Description | Parameters | Return Type |
|---|---|---|---|
create() |
Creates a new app group | data: Dict[str, Any] |
ApplicationGroupResponseModel |
get() |
Retrieves a group by ID | object_id: str |
ApplicationGroupResponseModel |
update() |
Updates an existing group | app_group: ApplicationGroupUpdateModel |
ApplicationGroupResponseModel |
delete() |
Deletes a group | object_id: str |
None |
list() |
Lists groups with filtering | folder: str, **filters |
List[ApplicationGroupResponseModel] |
fetch() |
Gets group by name and folder | name: str, folder: str |
ApplicationGroupResponseModel |
Application Group Model Attributes
| Attribute | Type | Required | Description |
|---|---|---|---|
name |
str | Yes | Name of group (max 63 chars) |
id |
UUID | Yes* | Unique identifier (*response only) |
members |
List[str] | Yes | List of application names |
folder |
str | Yes** | Folder location (**one container required) |
snippet |
str | Yes** | Snippet location (**one container required) |
device |
str | Yes** | Device location (**one container required) |
Exceptions
| Exception | HTTP Code | Description |
|---|---|---|
InvalidObjectError |
400 | Invalid group data or format |
MissingQueryParameterError |
400 | Missing required parameters |
NameNotUniqueError |
409 | Group name already exists |
ObjectNotPresentError |
404 | Group not found |
ReferenceNotZeroError |
409 | Group still referenced by policies |
AuthenticationError |
401 | Authentication failed |
ServerError |
500 | Internal server error |
Basic Configuration
from scm.client import ScmClient
# Initialize client using the unified client approach
client = ScmClient(
client_id="your_client_id",
client_secret="your_client_secret",
tsg_id="your_tsg_id"
)
# Access the application_group module directly through the client
# client.application_group is automatically initialized for you
You can also use the traditional approach if preferred:
from scm.client import Scm
from scm.config.objects import ApplicationGroup
# Initialize client
client = Scm(
client_id="your_client_id",
client_secret="your_client_secret",
tsg_id="your_tsg_id"
)
# Initialize ApplicationGroup object
application_groups = ApplicationGroup(client)
Usage Examples
Creating Application Groups
# Basic application group configuration
basic_group = {
"name": "web-apps",
"members": ["ssl", "web-browsing"],
"folder": "Texas"
}
# Create basic group
basic_group_obj = client.application_group.create(basic_group)
# Microsoft 365 application group
ms365_group = {
"name": "microsoft-365",
"members": [
"ms-office365",
"ms-exchange-online",
"ms-sharepoint-online"
],
"folder": "Texas"
}
# Create Microsoft 365 group
ms365_group_obj = client.application_group.create(ms365_group)
Retrieving Application Groups
# Fetch by name and folder
group = client.application_group.fetch(name="web-apps", folder="Texas")
print(f"Found group: {group.name}")
# Get by ID
group_by_id = client.application_group.get(group.id)
print(f"Retrieved group: {group_by_id.name}")
print(f"Members: {', '.join(group_by_id.members)}")
Updating Application Groups
# Fetch existing group
existing_group = client.application_group.fetch(name="web-apps", folder="Texas")
# Update members
existing_group.members = ["ssl", "web-browsing", "dns"]
# Perform update
updated_group = client.application_group.update(existing_group)
Listing Application Groups
# List with direct filter parameters
filtered_groups = client.application_group.list(
folder='Texas',
members=['ssl']
)
# Process results
for group in filtered_groups:
print(f"Name: {group.name}")
print(f"Members: {', '.join(group.members)}")
# Define filter parameters as dictionary
list_params = {
"folder": "Texas",
"members": ["ms-office365"]
}
# List with filters as kwargs
filtered_groups = client.application_group.list(**list_params)
Filtering Responses
# Only return application groups defined exactly in 'Texas'
exact_application_groups = client.application_group.list(
folder='Texas',
exact_match=True
)
for app in exact_application_groups:
print(f"Exact match: {app.name} in {app.folder}")
# Exclude all application groups from the 'All' folder
no_all_application_groups = client.application_group.list(
folder='Texas',
exclude_folders=['All']
)
for app in no_all_application_groups:
assert app.folder != 'All'
print(f"Filtered out 'All': {app.name}")
# Exclude application groups that come from 'default' snippet
no_default_snippet = client.application_group.list(
folder='Texas',
exclude_snippets=['default']
)
for app in no_default_snippet:
assert app.snippet != 'default'
print(f"Filtered out 'default' snippet: {app.name}")
# Exclude application groups associated with 'DeviceA'
no_deviceA = client.application_group.list(
folder='Texas',
exclude_devices=['DeviceA']
)
for app in no_deviceA:
assert app.device != 'DeviceA'
print(f"Filtered out 'DeviceA': {app.name}")
# Combine exact_match with multiple exclusions
combined_filters = client.application_group.list(
folder='Texas',
exact_match=True,
exclude_folders=['All'],
exclude_snippets=['default'],
exclude_devices=['DeviceA']
)
for app in combined_filters:
print(f"Combined filters result: {app.name} in {app.folder}")
Controlling Pagination with max_limit
The SDK supports pagination through the max_limit parameter, which defines how many objects are retrieved per API call. By default, max_limit is set to 2500. The API itself imposes a maximum allowed value of 5000. If you set max_limit higher than 5000, it will be capped to the API's maximum. The list() method will continue to iterate through all objects until all results have been retrieved. Adjusting max_limit can help manage retrieval performance and memory usage when working with large datasets.
# Initialize the ScmClient with a custom max_limit for application groups
# This will retrieve up to 4321 objects per API call, up to the API limit of 5000.
client = ScmClient(
client_id="your_client_id",
client_secret="your_client_secret",
tsg_id="your_tsg_id",
application_group_max_limit=4321
)
# Now when we call list(), it will use the specified max_limit for each request
# while auto-paginating through all available objects.
all_groups = client.application_group.list(folder='Texas')
# 'all_groups' contains all objects from 'Texas', fetched in chunks of up to 4321 at a time.
Deleting Application Groups
# Delete by ID
group_id = "123e4567-e89b-12d3-a456-426655440000"
client.application_group.delete(group_id)
Managing Configuration Changes
Performing Commits
# Prepare commit parameters
commit_params = {
"folders": ["Texas"],
"description": "Updated application groups",
"sync": True,
"timeout": 300 # 5 minute timeout
}
# Commit the changes directly on the client
# Note: All commit operations should be performed on the client directly
result = client.commit(**commit_params)
print(f"Commit job ID: {result.job_id}")
Monitoring Jobs
# Get status of specific job directly on the client
job_status = client.get_job_status(result.job_id)
print(f"Job status: {job_status.data[0].status_str}")
# List recent jobs directly on the client
recent_jobs = client.list_jobs(limit=10)
for job in recent_jobs.data:
print(f"Job {job.id}: {job.type_str} - {job.status_str}")
Error Handling
from scm.client import ScmClient
from scm.exceptions import (
InvalidObjectError,
MissingQueryParameterError,
NameNotUniqueError,
ObjectNotPresentError,
ReferenceNotZeroError
)
# Initialize client
client = ScmClient(
client_id="your_client_id",
client_secret="your_client_secret",
tsg_id="your_tsg_id"
)
try:
# Create group configuration
group_config = {
"name": "test_group",
"members": ["ssl", "web-browsing"],
"folder": "Texas"
}
# Create the group using the unified client
new_group = client.application_group.create(group_config)
# Commit changes directly on the client
result = client.commit(
folders=["Texas"],
description="Added test group",
sync=True
)
# Check job status on the client
status = client.get_job_status(result.job_id)
except InvalidObjectError as e:
print(f"Invalid group data: {e.message}")
except NameNotUniqueError as e:
print(f"Group name already exists: {e.message}")
except ObjectNotPresentError as e:
print(f"Group not found: {e.message}")
except ReferenceNotZeroError as e:
print(f"Group still in use: {e.message}")
except MissingQueryParameterError as e:
print(f"Missing parameter: {e.message}")
Best Practices
-
Client Usage
- Use the unified
ScmClientapproach for simpler code - Access application group operations via
client.application_groupproperty - Perform commit operations directly on the client
- Monitor jobs directly on the client
- Set appropriate max_limit parameters for large datasets using
application_group_max_limit
- Use the unified
-
Group Management
- Use descriptive group names
- Organize related applications together
- Keep member lists current
- Document group purposes
- Review group memberships regularly
-
Container Management
- Always specify exactly one container (folder, snippet, or device)
- Use consistent container names
- Validate container existence
- Group related configurations
-
Error Handling
- Implement comprehensive error handling
- Check job status after commits
- Handle specific exceptions
- Log error details
- Monitor commit status
-
Performance
- Use appropriate pagination
- Cache frequently accessed groups
- Implement proper retry logic
- Batch related changes
-
Security
- Follow the least privilege principle
- Validate input data
- Use secure connection settings
- Implement proper authentication
- Monitor policy references
Full Script Examples
Refer to the application_group.py example.