Skip to content

Vulnerability Protection Profile Configuration Object

Table of Contents

  1. Overview
  2. Core Methods
  3. Profile Model Attributes
  4. Exceptions
  5. Basic Configuration
  6. Usage Examples
  7. Managing Configuration Changes
  8. Error Handling
  9. Best Practices
  10. Full Script Examples
  11. Related Models

Overview

The VulnerabilityProtectionProfile class provides functionality to manage vulnerability protection profiles in Palo Alto Networks' Strata Cloud Manager. This class inherits from BaseObject and provides methods for creating, retrieving, updating, and deleting profiles that define rules and policies for detecting and preventing exploitation of known vulnerabilities.

Core Methods

Method Description Parameters Return Type
create() Creates a new profile data: Dict[str, Any] VulnerabilityProfileResponseModel
get() Retrieves a profile by ID object_id: str VulnerabilityProfileResponseModel
update() Updates an existing profile profile: VulnerabilityProfileUpdateModel VulnerabilityProfileResponseModel
delete() Deletes a profile object_id: str None
list() Lists profiles with filtering folder: str, **filters List[VulnerabilityProfileResponseModel]
fetch() Gets profile by name/container name: str, folder: str VulnerabilityProfileResponseModel

Profile Model Attributes

Attribute Type Required Description
name str Yes Profile name (pattern: ^[a-zA-Z0-9._-]+$)
id UUID Yes* Unique identifier (*response only)
rules List[RuleModel] Yes List of vulnerability rules
threat_exception List[ExceptionModel] No List of threat exceptions
description str No Profile description
folder str Yes** Folder location (**one container required)
snippet str Yes** Snippet location (**one container required)
device str Yes** Device location (**one container required)

Rule Model Attributes

Attribute Type Required Description
name str Yes Rule name
severity List[VulnerabilityProfileSeverity] Yes List of severities
category VulnerabilityProfileCategory Yes Vulnerability category
host VulnerabilityProfileHost Yes Target host type
action VulnerabilityProfileAction No Action to take on match
packet_capture VulnerabilityProfilePacketCapture No Packet capture setting
cve List[str] No List of CVE identifiers
vendor_id List[str] No List of vendor IDs
threat_name str No Specific threat name

Exceptions

Exception HTTP Code Description
InvalidObjectError 400 Invalid profile data or format
MissingQueryParameterError 400 Missing required parameters
NameNotUniqueError 409 Profile name already exists
ObjectNotPresentError 404 Profile not found
ReferenceNotZeroError 409 Profile still referenced
AuthenticationError 401 Authentication failed
ServerError 500 Internal server error

Basic Configuration

from scm.client import Scm

# Initialize client
client = Scm(
    client_id="your_client_id",
    client_secret="your_client_secret",
    tsg_id="your_tsg_id"
)

# Access vulnerability protection profiles directly through the client
# No need to initialize a separate VulnerabilityProtectionProfile object

Usage Examples

Creating Profiles

# Basic profile with critical severity rule
basic_profile = {
    "name": "basic-protection",
    "description": "Basic vulnerability protection",
    "folder": "Texas",
    "rules": [
        {
            "name": "critical-vulnerabilities",
            "severity": ["critical"],
            "category": "code-execution",
            "host": "any",
            "action": {"block_ip": {"track_by": "source", "duration": 300}}
        }
    ]
}

# Create basic profile using the client
basic_profile_obj = client.vulnerability_protection_profile.create(basic_profile)

# Advanced profile with multiple rules
advanced_profile = {
    "name": "advanced-protection",
    "description": "Advanced vulnerability protection",
    "folder": "Texas",
    "rules": [
        {
            "name": "critical-cves",
            "severity": ["critical", "high"],
            "category": "command-execution",
            "host": "server",
            "cve": ["CVE-2021-44228"],
            "action": {"reset_both": {}}
        },
        {
            "name": "sql-injection",
            "severity": ["medium"],
            "category": "sql-injection",
            "host": "any",
            "action": {"alert": {}}
        }
    ],
    "threat_exception": [
        {
            "name": "trusted-source",
            "packet_capture": "disable",
            "exempt_ip": [{"name": "trusted-server"}]
        }
    ]
}

# Create advanced profile
advanced_profile_obj = client.vulnerability_protection_profile.create(advanced_profile)

Retrieving Profiles

# Fetch by name and folder
profile = client.vulnerability_protection_profile.fetch(name="basic-protection", folder="Texas")
print(f"Found profile: {profile.name}")
print(f"Number of rules: {len(profile.rules)}")

# Get by ID
profile_by_id = client.vulnerability_protection_profile.get(profile.id)
print(f"Retrieved profile: {profile_by_id.name}")

Updating Profiles

# Fetch existing profile
existing_profile = client.vulnerability_protection_profile.fetch(
    name="basic-protection",
    folder="Texas"
)

# Update profile attributes
existing_profile.description = "Updated protection profile"
existing_profile.rules[0].severity = ["critical", "high"]
existing_profile.rules[0].action = {"reset_both": {}}

# Add new rule
existing_profile.rules.append({
    "name": "new-vulnerabilities",
    "severity": ["medium"],
    "category": "exploit-kit",
    "host": "any",
    "action": {"alert": {}}
})

# Perform update
updated_profile = client.vulnerability_protection_profile.update(existing_profile)

Listing Profiles

# List with direct filter parameters
filtered_profiles = client.vulnerability_protection_profile.list(
    folder='Texas',
    severity=['critical', 'high']
)

# Process results
for profile in filtered_profiles:
    print(f"Name: {profile.name}")
    for rule in profile.rules:
        print(f"Rule: {rule.name}")
        print(f"Severity: {rule.severity}")

# Define filter parameters as dictionary
list_params = {
    "folder": "Texas",
    "severity": ["critical"],
    "category": ["code-execution"]
}

# List with filters as kwargs
filtered_profiles = client.vulnerability_protection_profile.list(**list_params)

Filtering Responses

The list() method supports additional parameters to refine your query results even further. Alongside basic filters (like types, values, and tags), you can leverage the exact_match, exclude_folders, exclude_snippets, and exclude_devices parameters to control which objects are included or excluded after the initial API response is fetched.

Parameters:

  • exact_match (bool): When True, only objects defined exactly in the specified container (folder, snippet, or device) are returned. Inherited or propagated objects are filtered out.
  • exclude_folders (List[str]): Provide a list of folder names that you do not want included in the results.
  • exclude_snippets (List[str]): Provide a list of snippet values to exclude from the results.
  • exclude_devices (List[str]): Provide a list of device values to exclude from the results.

Examples:

# Only return vulnerability_protection_profiles defined exactly in 'Texas'
exact_vulnerability_protection_profiles = client.vulnerability_protection_profile.list(
    folder='Texas',
    exact_match=True
)

for app in exact_vulnerability_protection_profiles:
    print(f"Exact match: {app.name} in {app.folder}")

# Exclude all vulnerability_protection_profiles from the 'All' folder
no_all_vulnerability_protection_profiles = client.vulnerability_protection_profile.list(
    folder='Texas',
    exclude_folders=['All']
)

for app in no_all_vulnerability_protection_profiles:
    assert app.folder != 'All'
    print(f"Filtered out 'All': {app.name}")

# Exclude vulnerability_protection_profiles that come from 'default' snippet
no_default_snippet = client.vulnerability_protection_profile.list(
    folder='Texas',
    exclude_snippets=['default']
)

for app in no_default_snippet:
    assert app.snippet != 'default'
    print(f"Filtered out 'default' snippet: {app.name}")

# Exclude vulnerability_protection_profiles associated with 'DeviceA'
no_deviceA = client.vulnerability_protection_profile.list(
    folder='Texas',
    exclude_devices=['DeviceA']
)

for app in no_deviceA:
    assert app.device != 'DeviceA'
    print(f"Filtered out 'DeviceA': {app.name}")

# Combine exact_match with multiple exclusions
combined_filters = client.vulnerability_protection_profile.list(
    folder='Texas',
    exact_match=True,
    exclude_folders=['All'],
    exclude_snippets=['default'],
    exclude_devices=['DeviceA']
)

for app in combined_filters:
    print(f"Combined filters result: {app.name} in {app.folder}")

Controlling Pagination with max_limit

The SDK supports pagination through the max_limit parameter, which defines how many objects are retrieved per API call. By default, max_limit is set to 2500. The API itself imposes a maximum allowed value of 5000. If you set max_limit higher than 5000, it will be capped to the API's maximum. The list() method will continue to iterate through all objects until all results have been retrieved. Adjusting max_limit can help manage retrieval performance and memory usage when working with large datasets.

# Initialize the client with a custom max_limit for vulnerability protection profiles
# This will retrieve up to 4321 objects per API call, up to the API limit of 5000.
client = Scm(
    client_id="your_client_id",
    client_secret="your_client_secret",
    tsg_id="your_tsg_id",
    vulnerability_protection_profile_max_limit=4321
)

# Now when we call list(), it will use the specified max_limit for each request
# while auto-paginating through all available objects.
all_profiles = client.vulnerability_protection_profile.list(folder='Texas')

# 'all_profiles' contains all objects from 'Texas', fetched in chunks of up to 4321 at a time.

Deleting Profiles

# Delete by ID
profile_id = "123e4567-e89b-12d3-a456-426655440000"
client.vulnerability_protection_profile.delete(profile_id)

Managing Configuration Changes

Performing Commits

# Prepare commit parameters
commit_params = {
    "folders": ["Texas"],
    "description": "Updated vulnerability protection profiles",
    "sync": True,
    "timeout": 300  # 5 minute timeout
}

# Commit the changes directly using the client
result = client.commit(**commit_params)

print(f"Commit job ID: {result.job_id}")

Monitoring Jobs

# Get status of specific job using the client
job_status = client.get_job_status(result.job_id)
print(f"Job status: {job_status.data[0].status_str}")

# List recent jobs using the client
recent_jobs = client.list_jobs(limit=10)
for job in recent_jobs.data:
    print(f"Job {job.id}: {job.type_str} - {job.status_str}")

Error Handling

from scm.exceptions import (
    InvalidObjectError,
    MissingQueryParameterError,
    NameNotUniqueError,
    ObjectNotPresentError,
    ReferenceNotZeroError
)

try:
    # Create profile configuration
    profile_config = {
        "name": "test-profile",
        "description": "Test vulnerability protection",
        "folder": "Texas",
        "rules": [
            {
                "name": "test-rule",
                "severity": ["critical"],
                "category": "code-execution",
                "host": "any",
                "action": {"alert": {}}
            }
        ]
    }

    # Create the profile using the client
    new_profile = client.vulnerability_protection_profile.create(profile_config)

    # Commit changes using the client
    result = client.commit(
        folders=["Texas"],
        description="Added test profile",
        sync=True
    )

    # Check job status using the client
    status = client.get_job_status(result.job_id)

except InvalidObjectError as e:
    print(f"Invalid profile data: {e.message}")
except NameNotUniqueError as e:
    print(f"Profile name already exists: {e.message}")
except ObjectNotPresentError as e:
    print(f"Profile not found: {e.message}")
except ReferenceNotZeroError as e:
    print(f"Profile still in use: {e.message}")
except MissingQueryParameterError as e:
    print(f"Missing parameter: {e.message}")

Best Practices

  1. Rule Configuration

    • Use appropriate severity levels
    • Configure specific categories
    • Set proper packet capture settings
    • Define clear threat exceptions
    • Document CVE references

  2. Container Management

    • Always specify exactly one container
    • Use consistent container names
    • Validate container existence
    • Group related profiles

  3. Client Usage

    • Use the unified client interface (client.vulnerability_protection_profile) for simpler code
    • Perform commits directly on the client (client.commit())
    • Monitor jobs using client methods (client.get_job_status(), client.list_jobs())
    • Initialize the client once and reuse across different object types

  4. Error Handling

    • Validate rule configurations
    • Handle specific exceptions
    • Log error details
    • Monitor commit status
    • Track job completion

  5. Performance

    • Use appropriate pagination
    • Cache frequently accessed profiles
    • Implement proper retry logic
    • Monitor packet capture impact

  6. Security

    • Follow least privilege principle
    • Validate input data
    • Use secure connection settings
    • Implement proper authentication
    • Review profile actions

Full Script Examples

Refer to the vulnerability_protection_profile.py example.