Vulnerability Protection Profile Configuration Object

Overview

The VulnerabilityProtectionProfile class provides functionality to manage vulnerability protection profiles in Palo Alto Networks' Strata Cloud Manager. This class inherits from BaseObject and provides methods for creating, retrieving, updating, and deleting profiles that define rules and policies for detecting and preventing exploitation of known vulnerabilities.

Core Methods

Method	Description	Parameters	Return Type
`create()`	Creates a new profile	`data: Dict[str, Any]`	`VulnerabilityProfileResponseModel`
`get()`	Retrieves a profile by ID	`object_id: str`	`VulnerabilityProfileResponseModel`
`update()`	Updates an existing profile	`profile: VulnerabilityProfileUpdateModel`	`VulnerabilityProfileResponseModel`
`delete()`	Deletes a profile	`object_id: str`	`None`
`list()`	Lists profiles with filtering	`folder: str`, `**filters`	`List[VulnerabilityProfileResponseModel]`
`fetch()`	Gets profile by name/container	`name: str`, `folder: str`	`VulnerabilityProfileResponseModel`

Profile Model Attributes

Attribute	Type	Required	Description
`name`	str	Yes	Profile name (pattern: ^[a-zA-Z0-9._-]+$)
`id`	UUID	Yes*	Unique identifier (*response only)
`rules`	List[RuleModel]	Yes	List of vulnerability rules
`threat_exception`	List[ExceptionModel]	No	List of threat exceptions
`description`	str	No	Profile description
`folder`	str	Yes**	Folder location (**one container required)
`snippet`	str	Yes**	Snippet location (**one container required)
`device`	str	Yes**	Device location (**one container required)

Rule Model Attributes

Attribute	Type	Required	Description
`name`	str	Yes	Rule name
`severity`	List[VulnerabilityProfileSeverity]	Yes	List of severities
`category`	VulnerabilityProfileCategory	Yes	Vulnerability category
`host`	VulnerabilityProfileHost	Yes	Target host type
`action`	VulnerabilityProfileAction	No	Action to take on match
`packet_capture`	VulnerabilityProfilePacketCapture	No	Packet capture setting
`cve`	List[str]	No	List of CVE identifiers
`vendor_id`	List[str]	No	List of vendor IDs
`threat_name`	str	No	Specific threat name

Exceptions

Exception	HTTP Code	Description
`InvalidObjectError`	400	Invalid profile data or format
`MissingQueryParameterError`	400	Missing required parameters
`NameNotUniqueError`	409	Profile name already exists
`ObjectNotPresentError`	404	Profile not found
`ReferenceNotZeroError`	409	Profile still referenced
`AuthenticationError`	401	Authentication failed
`ServerError`	500	Internal server error

Basic Configuration

from scm.client import Scm
from scm.config.security import VulnerabilityProtectionProfile
# Initialize clientclient = Scm(
client_id="your_client_id",
client_secret="your_client_secret",
tsg_id="your_tsg_id"
)
# Initialize VulnerabilityProtectionProfile objectvulnerability_profiles = VulnerabilityProtectionProfile(client)

Usage Examples

Creating Profiles

# Basic profile with critical severity rulebasic_profile = {
"name": "basic-protection",
"description": "Basic vulnerability protection",
"folder": "Texas",
"rules": [
{
"name": "critical-vulnerabilities",
"severity": ["critical"],
"category": "code-execution",
"host": "any",
"action": {"block_ip": {"track_by": "source", "duration": 300}}
}
]
}
# Create basic profilebasic_profile_obj = vulnerability_profiles.create(basic_profile)
# Advanced profile with multiple rulesadvanced_profile = {
"name": "advanced-protection",
"description": "Advanced vulnerability protection",
"folder": "Texas",
"rules": [
{
"name": "critical-cves",
"severity": ["critical", "high"],
"category": "command-execution",
"host": "server",
"cve": ["CVE-2021-44228"],
"action": {"reset_both": {}}
},
{
"name": "sql-injection",
"severity": ["medium"],
"category": "sql-injection",
"host": "any",
"action": {"alert": {}}
}
],
"threat_exception": [
{
"name": "trusted-source",
"packet_capture": "disable",
"exempt_ip": [{"name": "trusted-server"}]
}
]
}
# Create advanced profileadvanced_profile_obj = vulnerability_profiles.create(advanced_profile)

Retrieving Profiles

# Fetch by name and folderprofile = vulnerability_profiles.fetch(name="basic-protection", folder="Texas")
print(f"Found profile: {profile.name}")
print(f"Number of rules: {len(profile.rules)}")
# Get by IDprofile_by_id = vulnerability_profiles.get(profile.id)
print(f"Retrieved profile: {profile_by_id.name}")

Updating Profiles

# Fetch existing profileexisting_profile = vulnerability_profiles.fetch(
name="basic-protection",
folder="Texas"
)
# Update profile attributesexisting_profile.description = "Updated protection profile"
existing_profile.rules[0].severity = ["critical", "high"]
existing_profile.rules[0].action = {"reset_both": {}}
# Add new ruleexisting_profile.rules.append({
"name": "new-vulnerabilities",
"severity": ["medium"],
"category": "exploit-kit",
"host": "any",
"action": {"alert": {}}
})
# Perform updateupdated_profile = vulnerability_profiles.update(existing_profile)

Listing Profiles

# List with direct filter parametersfiltered_profiles = vulnerability_profiles.list(
folder='Texas',
severity=['critical', 'high']
)
# Process resultsfor profile in filtered_profiles:
print(f"Name: {profile.name}")
for rule in profile.rules:
print(f"Rule: {rule.name}")
print(f"Severity: {rule.severity}")
# Define filter parameters as dictionarylist_params = {
"folder": "Texas",
"severity": ["critical"],
"category": ["code-execution"]
}
# List with filters as kwargsfiltered_profiles = vulnerability_profiles.list(**list_params)

Filtering Responses

The list() method supports additional parameters to refine your query results even further. Alongside basic filters (like types, values, and tags), you can leverage the exact_match, exclude_folders, exclude_snippets, and exclude_devices parameters to control which objects are included or excluded after the initial API response is fetched.

Parameters:

exact_match (bool): When True, only objects defined exactly in the specified container (folder, snippet, or device) are returned. Inherited or propagated objects are filtered out.
exclude_folders (List[str]): Provide a list of folder names that you do not want included in the results.
exclude_snippets (List[str]): Provide a list of snippet values to exclude from the results.
exclude_devices (List[str]): Provide a list of device values to exclude from the results.

Examples:

# Only return vulnerability_protection_profiles defined exactly in 'Texas'exact_vulnerability_protection_profiles = vulnerability_profiles.list(
folder='Texas',
exact_match=True
)

for app in exact_vulnerability_protection_profiles:
print(f"Exact match: {app.name} in {app.folder}")
# Exclude all vulnerability_protection_profiles from the 'All' folderno_all_vulnerability_protection_profiles = vulnerability_profiles.list(
folder='Texas',
exclude_folders=['All']
)

for app in no_all_vulnerability_protection_profiles:
assert app.folder != 'All'
print(f"Filtered out 'All': {app.name}")
# Exclude vulnerability_protection_profiles that come from 'default' snippetno_default_snippet = vulnerability_profiles.list(
folder='Texas',
exclude_snippets=['default']
)

for app in no_default_snippet:
assert app.snippet != 'default'
print(f"Filtered out 'default' snippet: {app.name}")
# Exclude vulnerability_protection_profiles associated with 'DeviceA'no_deviceA = vulnerability_profiles.list(
folder='Texas',
exclude_devices=['DeviceA']
)

for app in no_deviceA:
assert app.device != 'DeviceA'
print(f"Filtered out 'DeviceA': {app.name}")
# Combine exact_match with multiple exclusionscombined_filters = vulnerability_profiles.list(
folder='Texas',
exact_match=True,
exclude_folders=['All'],
exclude_snippets=['default'],
exclude_devices=['DeviceA']
)

for app in combined_filters:
print(f"Combined filters result: {app.name} in {app.folder}")

Controlling Pagination with max_limit

The SDK supports pagination through the max_limit parameter, which defines how many objects are retrieved per API call. By default, max_limit is set to 2500. The API itself imposes a maximum allowed value of 5000. If you set max_limit higher than 5000, it will be capped to the API's maximum. The list() method will continue to iterate through all objects until all results have been retrieved. Adjusting max_limit can help manage retrieval performance and memory usage when working with large datasets.

# Initialize the VulnerabilityProtectionProfile object with a custom max_limit# This will retrieve up to 4321 objects per API call, up to the API limit of 5000.profile_client = VulnerabilityProtectionProfile(api_client=client, max_limit=4321)
# Now when we call list(), it will use the specified max_limit for each request# while auto-paginating through all available objects.all_profiles = profile_client.list(folder='Texas')
# 'all_profiles' contains all objects from 'Texas', fetched in chunks of up to 4321 at a time.

Deleting Profiles

# Delete by IDprofile_id = "123e4567-e89b-12d3-a456-426655440000"
vulnerability_profiles.delete(profile_id)

Managing Configuration Changes

Performing Commits

# Prepare commit parameterscommit_params = {
"folders": ["Texas"],
"description": "Updated vulnerability protection profiles",
"sync": True,
"timeout": 300 # 5 minute timeout
}
# Commit the changesresult = vulnerability_profiles.commit(**commit_params)

print(f"Commit job ID: {result.job_id}")

Monitoring Jobs

# Get status of specific jobjob_status = vulnerability_profiles.get_job_status(result.job_id)
print(f"Job status: {job_status.data[0].status_str}")
# List recent jobsrecent_jobs = vulnerability_profiles.list_jobs(limit=10)
for job in recent_jobs.data:
print(f"Job {job.id}: {job.type_str} - {job.status_str}")

Error Handling

from scm.exceptions import (
InvalidObjectError,
MissingQueryParameterError,
NameNotUniqueError,
ObjectNotPresentError,
ReferenceNotZeroError
)

try:
# Create profile configuration
profile_config = {
"name": "test-profile",
"description": "Test vulnerability protection",
"folder": "Texas",
"rules": [
{
"name": "test-rule",
"severity": ["critical"],
"category": "code-execution",
"host": "any",
"action": {"alert": {}}
}
]
}

# Create the profile
new_profile = vulnerability_profiles.create(profile_config)

# Commit changes
result = vulnerability_profiles.commit(
folders=["Texas"],
description="Added test profile",
sync=True
)

# Check job status
status = vulnerability_profiles.get_job_status(result.job_id)

except InvalidObjectError as e:
print(f"Invalid profile data: {e.message}")
except NameNotUniqueError as e:
print(f"Profile name already exists: {e.message}")
except ObjectNotPresentError as e:
print(f"Profile not found: {e.message}")
except ReferenceNotZeroError as e:
print(f"Profile still in use: {e.message}")
except MissingQueryParameterError as e:
print(f"Missing parameter: {e.message}")

Best Practices

Rule Configuration
- Use appropriate severity levels
- Configure specific categories
- Set proper packet capture settings
- Define clear threat exceptions
- Document CVE references
Container Management
- Always specify exactly one container
- Use consistent container names
- Validate container existence
- Group related profiles
Error Handling
- Validate rule configurations
- Handle specific exceptions
- Log error details
- Monitor commit status
- Track job completion
Performance
- Use appropriate pagination
- Cache frequently accessed profiles
- Implement proper retry logic
- Monitor packet capture impact
Security
- Follow least privilege principle
- Validate input data
- Use secure connection settings
- Implement proper authentication
- Review profile actions

Full Script Examples

Refer to the vulnerability_protection_profile.py example.