Vulnerability Protection Profile Models

Table of Contents

  1. Overview
  2. Model Attributes
  3. Enum Types
  4. Supporting Models
  5. Exceptions
  6. Model Validators
  7. Usage Examples

Overview

The Vulnerability Protection Profile models provide a structured way to manage vulnerability protection profiles in Palo Alto Networks' Strata Cloud Manager (SCM). These models support defining rules and threat exceptions with various actions, severities, and categories. Profiles can be defined in folders, snippets, or devices. The models validate inputs and outputs when interacting with the SCM API.

Models

The module provides the following Pydantic models:

  • VulnerabilityProfileBaseModel: Base model with fields common to all profile operations
  • VulnerabilityProfileCreateModel: Model for creating new vulnerability protection profiles
  • VulnerabilityProfileUpdateModel: Model for updating existing vulnerability protection profiles
  • VulnerabilityProfileResponseModel: Response model for vulnerability protection profile operations
  • VulnerabilityProfileRuleModel: Model for vulnerability rules
  • VulnerabilityProfileThreatExceptionModel: Model for threat exceptions
  • VulnerabilityProfileBlockIpAction: Model for block IP action configuration
  • VulnerabilityProfileTimeAttribute: Model for time attribute configuration
  • VulnerabilityProfileExemptIpEntry: Model for exempt IP entries

All models use extra="forbid" configuration, which rejects any fields not explicitly defined in the model.

Model Attributes

VulnerabilityProfileBaseModel

| Attribute | Type | Required | Default | Description |
|---|---|---|---|---|
| name | str | Yes | None | Profile name. Pattern: `^[a-zA-Z0-9._-]+$` |
| rules | List[VulnerabilityProfileRuleModel] | Yes | None | List of vulnerability rules |
| threat_exception | List[VulnerabilityProfileThreatExceptionModel] | No | None | List of threat exceptions |
| description | str | No | None | Description of the profile |
| folder | str | No** | None | Folder location. Max 64 chars |
| snippet | str | No** | None | Snippet location. Max 64 chars |
| device | str | No** | None | Device location. Max 64 chars |

** Exactly one container (folder/snippet/device) must be provided for create operations

VulnerabilityProfileCreateModel

Inherits all fields from VulnerabilityProfileBaseModel and enforces that exactly one of folder, snippet, or device is provided during creation.

VulnerabilityProfileUpdateModel

Extends VulnerabilityProfileBaseModel by adding:

| Attribute | Type | Required | Default | Description |
|---|---|---|---|---|
| id | UUID | Yes | None | The unique identifier of the profile |

VulnerabilityProfileResponseModel

Extends VulnerabilityProfileBaseModel by adding:

| Attribute | Type | Required | Default | Description |
|---|---|---|---|---|
| id | UUID | Yes | None | The unique identifier of the profile |

Enum Types

VulnerabilityProfileSeverity

Defines the severity levels:

| Value | Description |
|---|---|
| critical | Critical severity |
| high | High severity |
| medium | Medium severity |
| low | Low severity |
| informational | Informational |
| any | Any severity level |

VulnerabilityProfileCategory

Defines the vulnerability categories:

| Value | Description |
|---|---|
| any | Any category |
| brute-force | Brute force attacks |
| code-execution | Code execution |
| code-obfuscation | Code obfuscation |
| command-execution | Command execution |
| dos | Denial of service |
| exploit-kit | Exploit kit |
| info-leak | Information leak |
| insecure-credentials | Insecure credentials |
| overflow | Buffer overflow |
| phishing | Phishing |
| protocol-anomaly | Protocol anomaly |
| scan | Scanning activity |
| sql-injection | SQL injection |

VulnerabilityProfilePacketCapture

Defines the packet capture options:

| Value | Description |
|---|---|
| disable | Disable packet capture |
| single-packet | Capture a single packet |
| extended-capture | Extended packet capture |

VulnerabilityProfileHost

Defines the host options:

| Value | Description |
|---|---|
| any | Any host |
| client | Client host |
| server | Server host |

VulnerabilityProfileBlockIpTrackBy

Defines the block IP tracking options:

| Value | Description |
|---|---|
| source-and-destination | Track by source and destination |
| source | Track by source only |

VulnerabilityProfileTimeAttributeTrackBy

Defines the time attribute tracking options:

| Value | Description |
|---|---|
| source | Track by source |
| destination | Track by destination |
| source-and-destination | Track by source and destination |

Supporting Models

VulnerabilityProfileRuleModel

| Attribute | Type | Required | Default | Description |
|---|---|---|---|---|
| name | str | Yes | None | Rule name |
| severity | List[VulnerabilityProfileSeverity] | Yes | None | List of severities |
| host | VulnerabilityProfileHost | Yes | None | Target host type |
| category | VulnerabilityProfileCategory | No | any | Vulnerability category |
| action | VulnerabilityProfileActionResponse | No | None | Action to take on match |
| packet_capture | VulnerabilityProfilePacketCapture | No | disable | Packet capture setting |
| cve | List[str] | No | ["any"] | List of CVE identifiers |
| vendor_id | List[str] | No | ["any"] | List of vendor IDs |
| threat_name | str | No | "any" | Specific threat name |

VulnerabilityProfileThreatExceptionModel

| Attribute | Type | Required | Default | Description |
|---|---|---|---|---|
| name | str | Yes | None | Threat exception name |
| packet_capture | VulnerabilityProfilePacketCapture | No | None | Packet capture setting |
| exempt_ip | List[VulnerabilityProfileExemptIpEntry] | No | None | Exempt IP list |
| time_attribute | VulnerabilityProfileTimeAttribute | No | None | Time attribute settings |
| notes | str | No | None | Notes |

VulnerabilityProfileBlockIpAction

| Attribute | Type | Required | Default | Description |
|---|---|---|---|---|
| track_by | VulnerabilityProfileBlockIpTrackBy | Yes | None | Tracking method |
| duration | int | Yes | None | Duration in seconds (1-3600) |

VulnerabilityProfileTimeAttribute

| Attribute | Type | Required | Default | Description |
|---|---|---|---|---|
| interval | int | Yes | None | Interval in seconds (1-3600) |
| threshold | int | Yes | None | Threshold (1-65535) |
| track_by | VulnerabilityProfileTimeAttributeTrackBy | Yes | None | Tracking method |

VulnerabilityProfileExemptIpEntry

| Attribute | Type | Required | Default | Description |
|---|---|---|---|---|
| name | str | Yes | None | Exempt IP name |

Exceptions

The Vulnerability Protection Profile models can raise the following exceptions during validation:

  • ValueError: Raised in several scenarios:
    • When multiple container types (folder/snippet/device) are specified
    • When no container type is specified for create operations
    • When an invalid action format is provided (must be a string or a dict)
    • When multiple actions are specified in a single rule
    • When block_ip action is missing required fields (track_by, duration)
    • When non-empty parameters are provided for simple actions
    • When name pattern validation fails
    • When container field pattern validation fails
    • When field length limits are exceeded
    • When invalid time attribute values are provided

Model Validators

Container Type Validation

For create operations, exactly one container type must be specified:

```python
from scm.models.security import VulnerabilityProfileCreateModel

# Error: multiple containers specified
try:
    profile = VulnerabilityProfileCreateModel(
        name="invalid-profile",
        rules=[{
            "name": "rule1",
            "severity": ["critical"],
            "host": "any",
            "action": {"alert": {}}
        }],
        folder="Texas",
        device="fw01"  # Can't specify both folder and device
    )
except ValueError as e:
    print(e)  # "Exactly one of 'folder', 'snippet', or 'device' must be provided."
```

Action Validation

Actions must be properly formatted and validated:

```python
from scm.models.security import VulnerabilityProfileActionRequest

# Invalid action format
try:
    action = VulnerabilityProfileActionRequest(root=["alert"])  # Must be a string or a dict
except ValueError as e:
    print(e)  # "Invalid action format; must be a string or dict."

# Multiple actions specified
try:
    action = VulnerabilityProfileActionRequest(root={
        "alert": {},
        "drop": {}  # Can't specify multiple actions
    })
except ValueError as e:
    print(e)  # "Exactly one action must be provided in 'action' field."
```
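The constraints listed under Exceptions and exercised in the two snippets above live inside the SDK's Pydantic validators, so they only fire once a model is built. The stand-alone checker below is an added example, not code from the scm SDK this page documents: it applies the same documented rules to a plain profile dict (exactly one container on create, the name pattern, the 64-character container limit, the enum values, the action format rules with block_ip requiring track_by and a 1-3600 second duration and every other action taking no parameters, the time_attribute ranges, and extra="forbid" on the profile, rule and threat-exception levels), which is useful for pre-flighting profiles generated from a CSV or a config-as-code repo before any API call is made. The function names, SAMPLE_PROFILE (a constructed dict mirroring the page's "advanced" example) and the error strings for cases the page does not quote are assumptions; the page does not give the container-name pattern, so only the length is checked for containers.

```python
import re
# Constraints transcribed from the model tables and enums documented on this page.
NAME_PATTERN = re.compile(r"^[a-zA-Z0-9._-]+$")
CONTAINERS = ("folder", "snippet", "device")
CONTAINER_MAX_LEN = 64
PROFILE_FIELDS = {"name", "rules", "threat_exception", "description", *CONTAINERS}
RULE_FIELDS = {"name", "severity", "host", "category", "action", "packet_capture",
               "cve", "vendor_id", "threat_name"}
EXCEPTION_FIELDS = {"name", "packet_capture", "exempt_ip", "time_attribute", "notes"}
SEVERITIES = {"critical", "high", "medium", "low", "informational", "any"}
HOSTS = {"any", "client", "server"}
CATEGORIES = {"any", "brute-force", "code-execution", "code-obfuscation", "command-execution",
              "dos", "exploit-kit", "info-leak", "insecure-credentials", "overflow",
              "phishing", "protocol-anomaly", "scan", "sql-injection"}
PACKET_CAPTURE = {"disable", "single-packet", "extended-capture"}
BLOCK_IP_TRACK_BY = {"source-and-destination", "source"}
TIME_ATTR_TRACK_BY = {"source", "destination", "source-and-destination"}

# Constructed sample mirroring the page's "advanced" profile; not taken from a live tenant.
SAMPLE_PROFILE = {
    "name": "advanced-profile", "folder": "Texas",
    "rules": [{"name": "rule1", "severity": ["critical"], "category": "code-execution",
               "host": "server", "action": {"block_ip": {"track_by": "source", "duration": 3600}}}],
    "threat_exception": [{"name": "exception1", "exempt_ip": [{"name": "trusted-server"}],
                          "time_attribute": {"interval": 300, "threshold": 5,
                                             "track_by": "source-and-destination"}}],
}

def _forbid_extra(obj, allowed, what):
    # Mirrors extra="forbid": any key outside the model's declared fields is rejected.
    unknown = set(obj) - allowed
    if unknown:
        raise ValueError(f"unexpected {what} fields: {sorted(unknown)}")

def _in_range(value, lo, hi):
    return isinstance(value, int) and lo <= value <= hi

def validate_action(action):
    """A string, or a dict with exactly one key; block_ip needs track_by and duration."""
    if isinstance(action, str):
        name, params = action, {}
    elif isinstance(action, dict):
        if len(action) != 1:
            raise ValueError("Exactly one action must be provided in 'action' field.")
        ((name, params),) = action.items()
    else:
        raise ValueError("Invalid action format; must be a string or dict.")
    if name == "block_ip":
        if not isinstance(params, dict) or not {"track_by", "duration"} <= set(params):
            raise ValueError("block_ip action requires 'track_by' and 'duration'.")
        if params["track_by"] not in BLOCK_IP_TRACK_BY or not _in_range(params["duration"], 1, 3600):
            raise ValueError("block_ip needs a valid track_by and a duration of 1-3600 seconds.")
    elif params:  # alert, drop, reset_both and the like carry no parameters
        raise ValueError(f"action {name!r} takes no parameters.")

def validate_rule(rule):
    _forbid_extra(rule, RULE_FIELDS, "rule")
    severity = rule.get("severity") or []
    if "name" not in rule or not severity or not set(severity) <= SEVERITIES:
        raise ValueError("rule needs a name and a non-empty list of valid severities")
    # host is required; category and packet_capture fall back to their documented defaults
    for field, default, allowed in (("host", None, HOSTS), ("category", "any", CATEGORIES),
                                    ("packet_capture", "disable", PACKET_CAPTURE)):
        if rule.get(field, default) not in allowed:
            raise ValueError(f"invalid {field} {rule.get(field)!r}")
    if "action" in rule:
        validate_action(rule["action"])

def validate_threat_exception(exc):
    _forbid_extra(exc, EXCEPTION_FIELDS, "threat_exception")
    ta = exc.get("time_attribute")
    if ta is not None and not (_in_range(ta.get("interval"), 1, 3600)
                               and _in_range(ta.get("threshold"), 1, 65535)
                               and ta.get("track_by") in TIME_ATTR_TRACK_BY):
        raise ValueError("time_attribute needs interval 1-3600, threshold 1-65535 and a valid track_by")

def validate_profile(profile, create=True):
    # Raises ValueError on the first documented constraint the profile dict violates.
    _forbid_extra(profile, PROFILE_FIELDS, "profile")
    if not NAME_PATTERN.match(str(profile.get("name", ""))):
        raise ValueError("name must match ^[a-zA-Z0-9._-]+$")
    if not isinstance(profile.get("rules"), list):
        raise ValueError("rules is required and must be a list")
    for rule in profile["rules"]:
        validate_rule(rule)
    for exc in profile.get("threat_exception") or []:
        validate_threat_exception(exc)
    present = [c for c in CONTAINERS if profile.get(c) is not None]
    if len(present) > 1 or (create and not present):
        raise ValueError("Exactly one of 'folder', 'snippet', or 'device' must be provided.")
    if any(len(profile[c]) > CONTAINER_MAX_LEN for c in present):
        raise ValueError(f"container names are limited to {CONTAINER_MAX_LEN} chars")

def first_error(profile, create=True):
    # Same checks, returned as a message instead of raised; handy for bulk pre-flight runs.
    try:
        validate_profile(profile, create)
    except ValueError as e:
        return str(e)
    return None
```

`validate_profile` raises so it can sit in front of a `create()` call as a guard, while `first_error` returns the message so a batch job can report every bad profile in one pass. Passing `create=False` relaxes only the exactly-one-container rule, matching the page's note that the container requirement applies to create operations.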

Usage Examples

Creating a Basic Profile

```python
from scm.client import ScmClient

# Initialize client
client = ScmClient(
    client_id="your_client_id",
    client_secret="your_client_secret",
    tsg_id="your_tsg_id"
)

# Using dictionary
basic_dict = {
    "name": "basic-profile",
    "description": "Basic vulnerability protection profile",
    "folder": "Texas",
    "rules": [{
        "name": "rule1",
        "severity": ["critical", "high"],
        "category": "exploit-kit",
        "host": "any",
        "action": {"alert": {}}
    }]
}

response = client.vulnerability_protection_profile.create(basic_dict)
print(f"Created profile: {response.name}")
```

Creating a Profile with Threat Exceptions

```python
from scm.client import ScmClient

# Initialize client
client = ScmClient(
    client_id="your_client_id",
    client_secret="your_client_secret",
    tsg_id="your_tsg_id"
)

# Using dictionary
advanced_dict = {
    "name": "advanced-profile",
    "description": "Profile with threat exceptions",
    "folder": "Texas",
    "rules": [{
        "name": "rule1",
        "severity": ["critical"],
        "category": "code-execution",
        "host": "server",
        "action": {
            "block_ip": {
                "track_by": "source",
                "duration": 3600
            }
        }
    }],
    "threat_exception": [{
        "name": "exception1",
        "exempt_ip": [{"name": "trusted-server"}],
        "time_attribute": {
            "interval": 300,
            "threshold": 5,
            "track_by": "source-and-destination"
        }
    }]
}

response = client.vulnerability_protection_profile.create(advanced_dict)
print(f"Created profile with {len(response.rules)} rules")
```

Updating a Vulnerability Protection Profile

```python
from scm.client import ScmClient

# Initialize client
client = ScmClient(
    client_id="your_client_id",
    client_secret="your_client_secret",
    tsg_id="your_tsg_id"
)

# Fetch existing profile
existing = client.vulnerability_protection_profile.fetch(name="basic-profile", folder="Texas")

# Modify attributes using dot notation
existing.description = "Updated vulnerability protection profile"

# Update rule settings
if existing.rules:
    existing.rules[0].severity = ["critical", "high", "medium"]
    existing.rules[0].action = {"reset_both": {}}

# Add a new rule
existing.rules.append({
    "name": "new-rule",
    "severity": ["low"],
    "category": "info-leak",
    "host": "any",
    "action": {"alert": {}}
})

# Pass modified object to update()
updated = client.vulnerability_protection_profile.update(existing)
print(f"Updated profile: {updated.name}")
```