Route Access List Models¶
Overview¶
The Route Access List models provide a structured way to represent and validate route access list configuration data for Palo Alto Networks' Strata Cloud Manager. Route access lists are used to filter routes based on source and destination IP addresses with optional wildcard masks, commonly applied in BGP and OSPF routing policies.
Models¶
The module provides the following Pydantic models:
RouteAccessListBaseModel: Base model with fields common to all route access list operationsRouteAccessListCreateModel: Model for creating new route access listsRouteAccessListUpdateModel: Model for updating existing route access listsRouteAccessListResponseModel: Response model for route access list operationsRouteAccessListType: Access list type containerRouteAccessListIpv4: IPv4 access list containerRouteAccessListIpv4Entry: Individual IPv4 access list entryRouteAccessListSourceAddress: Source address with optional wildcard maskRouteAccessListDestinationAddress: Destination address with optional wildcard mask
The RouteAccessListBaseModel and RouteAccessListCreateModel / RouteAccessListUpdateModel use extra="forbid" configuration, which rejects any fields not explicitly defined in the model. The RouteAccessListResponseModel uses extra="ignore" to provide resilience against unexpected fields returned by the API.
Model Attributes¶
RouteAccessListBaseModel¶
This is the base model containing fields common to all route access list operations.
| Attribute | Type | Required | Default | Description |
|---|---|---|---|---|
name |
str |
Yes | None | Route access list name. |
description |
str |
No | None | Description. |
type |
RouteAccessListType |
No | None | Access list type configuration. |
folder |
str |
No** | None | Folder location. Pattern: ^[a-zA-Z\d\-_. ]+$. Max 64 chars. |
snippet |
str |
No** | None | Snippet location. Pattern: ^[a-zA-Z\d\-_. ]+$. Max 64 chars. |
device |
str |
No** | None | Device location. Pattern: ^[a-zA-Z\d\-_. ]+$. Max 64 chars. |
** Exactly one container (folder/snippet/device) must be provided for create operations
RouteAccessListCreateModel¶
Inherits all fields from RouteAccessListBaseModel and enforces that exactly one of folder, snippet, or device is provided during creation.
RouteAccessListUpdateModel¶
Extends RouteAccessListBaseModel by adding:
| Attribute | Type | Required | Default | Description |
|---|---|---|---|---|
id |
UUID |
Yes | None | The unique identifier of the route access list |
RouteAccessListResponseModel¶
Extends RouteAccessListBaseModel by adding:
| Attribute | Type | Required | Default | Description |
|---|---|---|---|---|
id |
UUID |
Yes | None | The unique identifier of the route access list |
Note
The RouteAccessListResponseModel uses extra="ignore" instead of extra="forbid". This means it will silently ignore any extra fields returned by the API that are not defined in the model, providing resilience against API changes.
Supporting Models¶
RouteAccessListType¶
Container for the access list type.
| Attribute | Type | Required | Default | Description |
|---|---|---|---|---|
ipv4 |
RouteAccessListIpv4 |
No | None | IPv4 access list. |
RouteAccessListIpv4¶
IPv4 access list container holding the list of entries.
| Attribute | Type | Required | Default | Description |
|---|---|---|---|---|
ipv4_entry |
List[RouteAccessListIpv4Entry] |
No | None | IPv4 access list entries. |
RouteAccessListIpv4Entry¶
Individual IPv4 access list entry with sequence number, action, and address matching.
| Attribute | Type | Required | Default | Description |
|---|---|---|---|---|
name |
int |
No | None | Sequence number (1-65535). |
action |
str |
No | None | Action: deny or permit. Pattern: ^(deny\|permit)$ |
source_address |
RouteAccessListSourceAddress |
No | None | Source address configuration. |
destination_address |
RouteAccessListDestinationAddress |
No | None | Destination address configuration. |
RouteAccessListSourceAddress¶
Source address configuration with optional wildcard mask.
| Attribute | Type | Required | Default | Description |
|---|---|---|---|---|
address |
str |
No | None | Source IP address. |
wildcard |
str |
No | None | Source IP wildcard mask. |
RouteAccessListDestinationAddress¶
Destination address configuration with optional wildcard mask.
| Attribute | Type | Required | Default | Description |
|---|---|---|---|---|
address |
str |
No | None | Destination IP address. |
wildcard |
str |
No | None | Destination IP wildcard mask. |
Exceptions¶
The models perform strict validation and will raise ValueError in scenarios such as:
- When creating a route access list (
RouteAccessListCreateModel), if not exactly one container (folder,snippet, ordevice) is provided. - When an entry sequence number is outside the valid range (1-65535).
- When an entry action is not
denyorpermit. - When container identifiers (folder, snippet, device) do not match the required pattern or exceed the maximum length.
Model Validators¶
Container Validation in RouteAccessListCreateModel¶
- validate_container_type:
After model initialization, this validator checks that exactly one of the container fields (
folder,snippet, ordevice) is provided. If not, it raises aValueError.
Usage Examples¶
Creating a Route Access List¶
Using a Dictionary¶
from scm.models.network import RouteAccessListCreateModel
acl_data = {
"name": "acl-1",
"description": "Block private networks",
"type": {
"ipv4": {
"ipv4_entry": [
{
"name": 10,
"action": "deny",
"source_address": {
"address": "10.0.0.0",
"wildcard": "0.255.255.255",
},
},
{
"name": 20,
"action": "deny",
"source_address": {
"address": "172.16.0.0",
"wildcard": "0.15.255.255",
},
},
{
"name": 30,
"action": "permit",
"source_address": {
"address": "0.0.0.0",
"wildcard": "255.255.255.255",
},
},
],
},
},
"folder": "Routing",
}
# Validate and create model instance
acl = RouteAccessListCreateModel(**acl_data)
payload = acl.model_dump(exclude_unset=True, by_alias=True)
print(payload)
Using the Model Directly¶
from scm.models.network import (
RouteAccessListCreateModel,
RouteAccessListType,
RouteAccessListIpv4,
RouteAccessListIpv4Entry,
RouteAccessListSourceAddress,
)
# Build access list entries
entries = [
RouteAccessListIpv4Entry(
name=10,
action="deny",
source_address=RouteAccessListSourceAddress(
address="10.0.0.0",
wildcard="0.255.255.255",
),
),
RouteAccessListIpv4Entry(
name=20,
action="permit",
source_address=RouteAccessListSourceAddress(
address="0.0.0.0",
wildcard="255.255.255.255",
),
),
]
# Create the access list
acl = RouteAccessListCreateModel(
name="acl-2",
description="Filter specific networks",
type=RouteAccessListType(
ipv4=RouteAccessListIpv4(ipv4_entry=entries),
),
folder="Routing",
)
payload = acl.model_dump(exclude_unset=True, by_alias=True)
print(payload)
Updating a Route Access List¶
from scm.client import Scm
# Initialize client
client = Scm(
client_id="your_client_id",
client_secret="your_client_secret",
tsg_id="your_tsg_id",
)
# Fetch existing access list
existing = client.route_access_list.fetch(name="acl-1", folder="Routing")
# Modify description
existing.description = "Updated filter for private networks"
# Pass modified object to update()
updated = client.route_access_list.update(existing)
print(f"Updated access list: {updated.name}")