Security Rule Configuration Object
The `SecurityRule` class manages Security Rules in Palo Alto Networks' Strata Cloud Manager. It provides methods to create, retrieve, update, delete, list, and move Security Rule objects.
Creating an API client object
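import os

from scm.client import Scm

# Build the API client.  The credentials are read from the environment rather
# than written into the source: client_secret is a credential and must not end
# up in version control, logs or screenshots.  The variable names below are
# illustrative (they are not defined by the SDK) -- use whatever your
# deployment provides (a secrets manager, CI variables, an untracked .env).
api_client = Scm(
    client_id=os.environ["SCM_CLIENT_ID"],
    client_secret=os.environ["SCM_CLIENT_SECRET"],
    tsg_id=os.environ["SCM_TSG_ID"],
)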
Importing the SecurityRule Class
from scm.config.security import SecurityRule

# Service object for the Security Rule API, bound to the Scm client created
# above (api_client).  Every create/move/update/list/delete call in the
# examples below goes through this object.
security_rule = SecurityRule(api_client)
Methods
create(data: Dict[str, Any]) -> SecurityRuleResponseModel
Creates a new Security Rule object.
Example 1: Basic Allow Rule
# Example 1: a minimal allow rule.  The keys mirror the create() payload;
# "from_" carries a trailing underscore (presumably because "from" is a
# Python keyword -- confirm against the request model).
rule_data = dict(
    name="Allow_Web",
    folder="Shared",
    from_=["trust"],                        # source zone(s)
    to=["untrust"],                         # destination zone(s)
    source=["any"],                         # any source address -- narrow this outside a demo
    destination=["any"],
    application=["web-browsing", "ssl"],
    action="allow",
    log_end=True,                           # log at session end so allowed sessions show in traffic logs
)

new_rule = security_rule.create(rule_data)
print(f"Created rule: {new_rule.name}")
Example 2: Rule with Profile Settings
# Example 2: the same shape as Example 1 plus a security profile group, so
# traffic this rule allows is still inspected by the profiles in that group.
rule_data = {
    "name": "Secure_Web",
    "folder": "Shared",
    "from_": ["trust"],                     # source zone(s)
    "to": ["untrust"],                      # destination zone(s)
    "source": ["any"],                      # any source address -- narrow this outside a demo
    "destination": ["any"],
    "application": ["web-browsing"],
    "profile_setting": {
        "group": ["strict-security"],       # profile group applied to allowed traffic
    },
    "action": "allow",
}

new_rule = security_rule.create(rule_data)
move(rule_id: str, data: Dict[str, Any]) -> None
Moves a security rule to a new position within the rulebase.
Example:
# Relative move: place the rule immediately before another rule in the
# pre-rulebase.  Both ids are placeholders (the destination_rule value is
# not even a full five-group UUID); in practice pass the id returned by
# create(), i.e. new_rule.id as in the complete example below.
move_data = {
    "destination": "before",
    "rulebase": "pre",
    "destination_rule": "987fcdeb-51d3-a456-426655440000",
}

security_rule.move(
    rule_id="123e4567-e89b-12d3-a456-426655440000",
    data=move_data,
)
list(folder: Optional[str] = None, snippet: Optional[str] = None, device: Optional[str] = None, offset: Optional[int] = None, limit: Optional[int] = None, name: Optional[str] = None, **filters) -> List[SecurityRuleResponseModel]
Lists Security Rule objects with optional filtering.
Example:
# List rules with pagination: offset/limit select one page and name narrows
# the result.  Only this single page is fetched -- presumably you advance
# offset to walk the remaining rules (confirm against list() semantics).
rules = security_rule.list(
    folder="Shared",
    offset=0,
    limit=10,
    name="Allow",
)

for rule in rules:
    print(f"Rule: {rule.name}")
update(object_id: str, data: Dict[str, Any]) -> SecurityRuleResponseModel
Updates an existing Security Rule object.
Example:
# Update an existing rule.  rule_id is the id of a rule that already exists
# (e.g. new_rule.id from create()).  Presumably only the keys listed here are
# changed and the rest of the rule is left as is -- confirm with update().
update_data = {
    "description": "Updated rule description",
    "application": ["web-browsing", "ssl", "http2"],
    "tag": ["updated", "modified"],
}

updated_rule = security_rule.update(object_id=rule_id, data=update_data)
delete(object_id: str) -> None
Deletes a Security Rule object.
Example:
# Remove the rule identified by rule_id (e.g. new_rule.id from create());
# delete() returns None.
security_rule.delete(object_id=rule_id)
Complete Example: Managing Security Rules
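import os

from scm.client import Scm
from scm.config.security import SecurityRule

# Initialize client.  Credentials come from the environment so this example
# can be copied without embedding a client secret in source control; the
# variable names are illustrative and not defined by the SDK.
api_client = Scm(
    client_id=os.environ["SCM_CLIENT_ID"],
    client_secret=os.environ["SCM_CLIENT_SECRET"],
    tsg_id=os.environ["SCM_TSG_ID"],
)

# Create SecurityRule instance
security_rule = SecurityRule(api_client)

# Create a new rule
rule_data = {
    "name": "Comprehensive_Web_Rule",
    "description": "Allow web traffic with security profiles",
    "folder": "Shared",
    "from_": ["trust", "internal"],          # source zones
    "to": ["untrust"],                       # destination zone
    "source": ["10.0.0.0/8"],                # scoped source, not "any"
    "destination": ["any"],
    "application": ["web-browsing", "ssl", "http2"],
    "service": ["application-default"],
    "action": "allow",
    "profile_setting": {
        "group": ["strict-security"],        # profile group applied to allowed traffic
    },
    "tag": ["web", "internal"],
    "log_setting": "default-logging",
    "log_end": True,
}
new_rule = security_rule.create(rule_data)
print(f"Created rule: {new_rule.name}")

# Everything after create() runs under try/finally so the demo rule is
# deleted even when move(), update() or list() raises.  Without this, a
# failure part-way through leaves an "allow" rule behind in the rulebase.
try:
    # Move the rule
    move_data = {
        "destination": "top",
        "rulebase": "pre",
    }
    security_rule.move(new_rule.id, move_data)

    # Update the rule
    update_data = {
        "description": "Updated comprehensive web rule",
        "application": ["web-browsing", "ssl", "http2", "webex-meeting"],
    }
    updated_rule = security_rule.update(new_rule.id, update_data)

    # List rules
    rules = security_rule.list(folder="Shared", limit=5)
    for rule in rules:
        print(f"Rule: {rule.name}")
finally:
    # Clean up
    security_rule.delete(new_rule.id)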