
Vulnerability Protection Profile Configuration Object

Manages vulnerability protection profiles for detecting and preventing exploitation of known vulnerabilities in Palo Alto Networks Strata Cloud Manager.

Class Overview

The VulnerabilityProtectionProfile class inherits from BaseObject and provides CRUD operations for vulnerability protection profiles that define rules and policies for detecting and preventing exploitation of known vulnerabilities.

Methods

| Method | Description | Parameters | Return Type |
|--------|-------------|------------|-------------|
| `create()` | Creates a new profile | `data: Dict[str, Any]` | `VulnerabilityProfileResponseModel` |
| `get()` | Retrieves a profile by ID | `object_id: str` | `VulnerabilityProfileResponseModel` |
| `update()` | Updates an existing profile | `profile: VulnerabilityProfileUpdateModel` | `VulnerabilityProfileResponseModel` |
| `delete()` | Deletes a profile | `object_id: str` | `None` |
| `list()` | Lists profiles with filtering | `folder: str, **filters` | `List[VulnerabilityProfileResponseModel]` |
| `fetch()` | Gets profile by name/container | `name: str, folder: str` | `VulnerabilityProfileResponseModel` |

Model Attributes

| Attribute | Type | Required | Default | Description |
|-----------|------|----------|---------|-------------|
| `name` | `str` | Yes | None | Profile name. Pattern: `^[a-zA-Z0-9._-]+$` |
| `id` | `UUID` | Yes\* | None | Unique identifier (\*response/update only) |
| `rules` | `List[VulnerabilityProfileRuleModel]` | Yes | None | List of vulnerability rules |
| `threat_exception` | `List[VulnerabilityProfileThreatExceptionModel]` | No | None | List of threat exceptions |
| `description` | `str` | No | None | Profile description |
| `folder` | `str` | No\*\* | None | Folder location. Max 64 chars |
| `snippet` | `str` | No\*\* | None | Snippet location. Max 64 chars |
| `device` | `str` | No\*\* | None | Device location. Max 64 chars |

\* Only required for response and update models

\*\* Exactly one container (folder, snippet, or device) must be provided for create operations

Rule Model Attributes

| Attribute | Type | Required | Default | Description |
|-----------|------|----------|---------|-------------|
| `name` | `str` | Yes | None | Rule name |
| `severity` | `List[VulnerabilityProfileSeverity]` | Yes | None | List of severities |
| `host` | `VulnerabilityProfileHost` | Yes | None | Target host type |
| `category` | `VulnerabilityProfileCategory` | No | any | Vulnerability category |
| `action` | `VulnerabilityProfileActionResponse` | No | None | Action to take on match |
| `packet_capture` | `VulnerabilityProfilePacketCapture` | No | disable | Packet capture setting |
| `cve` | `List[str]` | No | `["any"]` | List of CVE identifiers |
| `vendor_id` | `List[str]` | No | `["any"]` | List of vendor IDs |
| `threat_name` | `str` | No | `"any"` | Specific threat name |

Exceptions

| Exception | HTTP Code | Description |
|-----------|-----------|-------------|
| `InvalidObjectError` | 400 | Invalid profile data or format |
| `MissingQueryParameterError` | 400 | Missing required parameters |
| `NameNotUniqueError` | 409 | Profile name already exists |
| `ObjectNotPresentError` | 404 | Profile not found |
| `ReferenceNotZeroError` | 409 | Profile still referenced |
| `AuthenticationError` | 401 | Authentication failed |
| `ServerError` | 500 | Internal server error |

Basic Configuration

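import os

from scm.client import Scm

# Read the API client credentials from the environment instead of writing
# them into the script, so they do not end up in version control or in copies
# of this file. The variable names below are examples constructed for this
# page; use whatever names your secret store or CI system exposes.
# A missing variable raises KeyError immediately rather than letting the
# client start with a placeholder value.
client = Scm(
    client_id=os.environ["SCM_CLIENT_ID"],
    client_secret=os.environ["SCM_CLIENT_SECRET"],
    tsg_id=os.environ["SCM_TSG_ID"],
)

# Shorthand handle for the vulnerability protection profile service.
profiles = client.vulnerability_protection_profile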

Methods

List Vulnerability Protection Profiles

# List profiles in the 'Texas' folder, passing a severity filter so that only
# the critical/high entries are requested.
wanted_severities = ['critical', 'high']
filtered_profiles = client.vulnerability_protection_profile.list(
    folder='Texas', severity=wanted_severities
)

# Print every returned profile, then each of its rules with the rule's
# severity list.
for profile in filtered_profiles:
    print(f"Name: {profile.name}")
    for rule in profile.rules:
        print(f"Rule: {rule.name}, Severity: {rule.severity}")

Filtering responses:

# Arguments shared by both list() calls below.
# NOTE(review): exact_match=True presumably limits results to profiles defined
# directly in the named folder rather than inherited ones; confirm against
# the SDK documentation.
base_query = {'folder': 'Texas', 'exact_match': True}

exact_profiles = client.vulnerability_protection_profile.list(**base_query)

# The exclude_* filters drop results that belong to the named folders,
# snippets and devices.
exclusions = {
    'exclude_folders': ['All'],
    'exclude_snippets': ['default'],
    'exclude_devices': ['DeviceA'],
}
combined_filters = client.vulnerability_protection_profile.list(
    **base_query, **exclusions
)

Controlling pagination with max_limit:

# max_limit is set on the service object before list() is called; per the
# heading above it controls pagination.
# NOTE(review): the accepted range and the default are not shown on this
# page; confirm them against the SDK before raising the value.
client.vulnerability_protection_profile.max_limit = 4000

# List the profiles in the 'Texas' folder with the limit configured above.
all_profiles = client.vulnerability_protection_profile.list(folder='Texas')

Fetch a Vulnerability Protection Profile

# Look up one profile by name inside the 'Texas' folder. The exceptions table
# on this page lists ObjectNotPresentError (404) for a profile that is not
# found.
profile = client.vulnerability_protection_profile.fetch(
    folder="Texas",
    name="basic-protection",
)
print(f"Found profile: {profile.name}")
rule_total = len(profile.rules)
print(f"Number of rules: {rule_total}")

Create a Vulnerability Protection Profile

# One rule covering critical-severity findings in the code-execution category
# for any host type.
critical_rule = {
    "name": "critical-vulnerabilities",
    "severity": ["critical"],
    "category": "code-execution",
    "host": "any",
    # block_ip keyed on the source address.
    # NOTE(review): duration is presumably in seconds; confirm. Blocking by
    # source can also cut off other users behind the same shared or NAT
    # address, so check that this matches the intended enforcement.
    "action": {"block_ip": {"track_by": "source", "duration": 300}},
}

# Profile payload: exactly one container ("folder") is given, as the create
# operation requires.
basic_profile = {
    "name": "basic-protection",
    "description": "Basic vulnerability protection",
    "folder": "Texas",
    "rules": [critical_rule],
}
basic_profile_obj = client.vulnerability_protection_profile.create(basic_profile)

# Rule 1: critical/high command-execution findings on servers, narrowed to a
# single CVE (CVE-2021-44228, Log4Shell). Matching sessions are reset on both
# sides.
cve_rule = {
    "name": "critical-cves",
    "severity": ["critical", "high"],
    "category": "command-execution",
    "host": "server",
    "cve": ["CVE-2021-44228"],
    "action": {"reset_both": {}},
}

# Rule 2: medium-severity SQL injection findings on any host.
# NOTE(review): "alert" presumably only logs the match and does not stop the
# traffic; confirm this is the intended enforcement level for this category.
sqli_rule = {
    "name": "sql-injection",
    "severity": ["medium"],
    "category": "sql-injection",
    "host": "any",
    "action": {"alert": {}},
}

# Threat exception with packet capture disabled and one exempt IP entry.
# NOTE(review): an exempt entry presumably removes enforcement for that
# address, so keep exemptions few, documented and periodically reviewed.
trusted_exception = {
    "name": "trusted-source",
    "packet_capture": "disable",
    "exempt_ip": [{"name": "trusted-server"}],
}

advanced_profile = {
    "name": "advanced-protection",
    "description": "Advanced vulnerability protection",
    "folder": "Texas",
    "rules": [cve_rule, sqli_rule],
    "threat_exception": [trusted_exception],
}
advanced_profile_obj = client.vulnerability_protection_profile.create(advanced_profile)

Update a Vulnerability Protection Profile

# Fetch-modify-update: load the current profile, change it in memory, then
# send the whole object back with update().
existing_profile = client.vulnerability_protection_profile.fetch(
    folder="Texas", name="basic-protection"
)

existing_profile.description = "Updated protection profile"

# Widen the first rule to high severity as well and switch its action to
# reset_both. Indexing with [0] assumes the profile has at least one rule and
# that the first rule is the one meant to change.
first_rule = existing_profile.rules[0]
first_rule.severity = ["critical", "high"]
first_rule.action = {"reset_both": {}}

# Add an alert-only rule for medium-severity exploit-kit findings.
extra_rule = {
    "name": "new-vulnerabilities",
    "severity": ["medium"],
    "category": "exploit-kit",
    "host": "any",
    "action": {"alert": {}},
}
existing_profile.rules.append(extra_rule)

updated_profile = client.vulnerability_protection_profile.update(existing_profile)

Delete a Vulnerability Protection Profile

# delete() takes the profile's object ID, not its name. The exceptions table
# on this page lists ReferenceNotZeroError (409) for a profile that is still
# referenced and ObjectNotPresentError (404) for an unknown ID.
target_id = "123e4567-e89b-12d3-a456-426655440000"
client.vulnerability_protection_profile.delete(target_id)

Get a Vulnerability Protection Profile by ID

# Retrieve a profile by its ID; here the ID is read from a previously loaded
# profile object.
lookup_id = profile.id
profile_by_id = client.vulnerability_protection_profile.get(lookup_id)
print(f"Retrieved profile: {profile_by_id.name}")

Use Cases

Committing Changes

# Commit the pending changes for the 'Texas' folder.
# NOTE(review): sync=True presumably waits for the commit job to finish and
# timeout is presumably in seconds; confirm. Profile changes made earlier are
# presumably not enforced until this job succeeds, so check its outcome.
commit_args = {
    "folders": ["Texas"],
    "description": "Updated vulnerability protection profiles",
    "sync": True,
    "timeout": 300,
}
result = client.commit(**commit_args)
print(f"Commit job ID: {result.job_id}")

Monitoring Jobs

# Look up the commit job by ID and print the status string of the first
# entry in the response.
job_status = client.get_job_status(result.job_id)
first_entry = job_status.data[0]
print(f"Job status: {first_entry.status_str}")

# Print the ten most recent jobs with their type and status, which helps
# confirm that a security policy change was actually pushed.
recent_jobs = client.list_jobs(limit=10)
for job in recent_jobs.data:
    print(f"Job {job.id}: {job.type_str} - {job.status_str}")

Error Handling

from scm.exceptions import (
    InvalidObjectError,
    MissingQueryParameterError,
    NameNotUniqueError,
    ObjectNotPresentError,
    ReferenceNotZeroError
)

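# Build the payload outside the try block so that only the API calls are
# covered by the exception handlers.
profile_config = {
    "name": "test-profile",
    "description": "Test vulnerability protection",
    "folder": "Texas",
    "rules": [
        {
            "name": "test-rule",
            "severity": ["critical"],
            "category": "code-execution",
            "host": "any",
            "action": {"alert": {}}
        }
    ]
}

try:
    new_profile = client.vulnerability_protection_profile.create(profile_config)
    result = client.commit(
        folders=["Texas"],
        description="Added test profile",
        sync=True
    )
    status = client.get_job_status(result.job_id)
    # Report the commit outcome instead of discarding it: a commit that did
    # not succeed means the new profile is not in effect.
    print(f"Commit job status: {status.data[0].status_str}")

# Each handler maps to one row of the exceptions table on this page.
# AuthenticationError (401) and ServerError (500) from that table are not
# handled here and will propagate to the caller.
except InvalidObjectError as e:
    print(f"Invalid profile data: {e.message}")
except NameNotUniqueError as e:
    print(f"Profile name already exists: {e.message}")
except ObjectNotPresentError as e:
    print(f"Profile not found: {e.message}")
except ReferenceNotZeroError as e:
    print(f"Profile still in use: {e.message}")
except MissingQueryParameterError as e:
    print(f"Missing parameter: {e.message}")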