Vulnerability Protection Profile Models

Overview

The Vulnerability Protection Profile models provide a structured way to manage vulnerability protection profiles in Palo Alto Networks' Strata Cloud Manager. These models support defining rules and threat exceptions with various actions, severities, and categories. Profiles can be defined in folders, snippets, or devices. The models handle validation of inputs and outputs when interacting with the SCM API.

Models

The module provides the following Pydantic models:

• VulnerabilityProfileBaseModel: Base model with fields common to all profile operations
• VulnerabilityProfileCreateModel: Model for creating new vulnerability protection profiles
• VulnerabilityProfileUpdateModel: Model for updating existing vulnerability protection profiles
• VulnerabilityProfileResponseModel: Response model for vulnerability protection profile operations
• VulnerabilityProfileRuleModel: Model for vulnerability rules
• VulnerabilityProfileThreatExceptionModel: Model for threat exceptions
• VulnerabilityProfileBlockIpAction: Model for block IP action configuration
• VulnerabilityProfileTimeAttribute: Model for time attribute configuration
• VulnerabilityProfileExemptIpEntry: Model for exempt IP entries

All models use extra="forbid" configuration, which rejects any fields not explicitly defined in the model.

Model Attributes

VulnerabilityProfileBaseModel

Attribute	Type	Required	Default	Description
name	str	Yes	None	Profile name. Pattern: ^[a-zA-Z0-9._-]+$
rules	List[VulnerabilityProfileRuleModel]	Yes	None	List of vulnerability rules
threat_exception	List[VulnerabilityProfileThreatExceptionModel]	No	None	List of threat exceptions
description	str	No	None	Description of the profile
folder	str	No**	None	Folder location. Max 64 chars
snippet	str	No**	None	Snippet location. Max 64 chars
device	str	No**	None	Device location. Max 64 chars

** Exactly one container (folder/snippet/device) must be provided for create operations

VulnerabilityProfileCreateModel

Inherits all fields from VulnerabilityProfileBaseModel and enforces that exactly one of folder, snippet, or device is provided during creation.

VulnerabilityProfileUpdateModel

Extends VulnerabilityProfileBaseModel by adding:

Attribute	Type	Required	Default	Description
id	UUID	Yes	None	The unique identifier of the profile

VulnerabilityProfileResponseModel

Extends VulnerabilityProfileBaseModel by adding:

Attribute	Type	Required	Default	Description
id	UUID	Yes	None	The unique identifier of the profile

Enum Types

VulnerabilityProfileSeverity

Defines the severity levels:

Value	Description
critical	Critical severity
high	High severity
medium	Medium severity
low	Low severity
informational	Informational
any	Any severity level

VulnerabilityProfileCategory

Defines the vulnerability categories:

Value	Description
any	Any category
brute-force	Brute force attacks
code-execution	Code execution
code-obfuscation	Code obfuscation
command-execution	Command execution
dos	Denial of service
exploit-kit	Exploit kit
info-leak	Information leak
insecure-credentials	Insecure credentials
overflow	Buffer overflow
phishing	Phishing
protocol-anomaly	Protocol anomaly
scan	Scanning activity
sql-injection	SQL injection

VulnerabilityProfilePacketCapture

Defines the packet capture options:

Value	Description
disable	Disable packet capture
single-packet	Capture a single packet
extended-capture	Extended packet capture

VulnerabilityProfileHost

Defines the host options:

Value	Description
any	Any host
client	Client host
server	Server host

VulnerabilityProfileBlockIpTrackBy

Defines the block IP tracking options:

Value	Description
source-and-destination	Track by source and destination
source	Track by source only

VulnerabilityProfileTimeAttributeTrackBy

Defines the time attribute tracking options:

Value	Description
source	Track by source
destination	Track by destination
source-and-destination	Track by source and destination

Component Models

VulnerabilityProfileRuleModel

Attribute	Type	Required	Default	Description
name	str	Yes	None	Rule name
severity	List[VulnerabilityProfileSeverity]	Yes	None	List of severities
host	VulnerabilityProfileHost	Yes	None	Target host type
category	VulnerabilityProfileCategory	No	any	Vulnerability category
action	VulnerabilityProfileActionResponse	No	None	Action to take on match
packet_capture	VulnerabilityProfilePacketCapture	No	disable	Packet capture setting
cve	List[str]	No	["any"]	List of CVE identifiers
vendor_id	List[str]	No	["any"]	List of vendor IDs
threat_name	str	No	"any"	Specific threat name

VulnerabilityProfileThreatExceptionModel

Attribute	Type	Required	Default	Description
name	str	Yes	None	Threat exception name
packet_capture	VulnerabilityProfilePacketCapture	No	None	Packet capture setting
exempt_ip	List[VulnerabilityProfileExemptIpEntry]	No	None	Exempt IP list
time_attribute	VulnerabilityProfileTimeAttribute	No	None	Time attribute settings
notes	str	No	None	Notes

VulnerabilityProfileBlockIpAction

Attribute	Type	Required	Default	Description
track_by	VulnerabilityProfileBlockIpTrackBy	Yes	None	Tracking method
duration	int	Yes	None	Duration in seconds (1-3600)

VulnerabilityProfileTimeAttribute

Attribute	Type	Required	Default	Description
interval	int	Yes	None	Interval in seconds (1-3600)
threshold	int	Yes	None	Threshold (1-65535)
track_by	VulnerabilityProfileTimeAttributeTrackBy	Yes	None	Tracking method

VulnerabilityProfileExemptIpEntry

Attribute	Type	Required	Default	Description
name	str	Yes	None	Exempt IP name

Exceptions

The Vulnerability Protection Profile models can raise the following exceptions during validation:

• ValueError: Raised in several scenarios:
  • When multiple container types (folder/snippet/device) are specified
  • When no container type is specified for create operations
  • When invalid action formats are provided (must be string or dict)
  • When multiple actions are specified in a single rule
  • When block_ip action is missing required fields (track_by, duration)
  • When non-empty parameters are provided for simple actions
  • When name pattern validation fails
  • When container field pattern validation fails
  • When field length limits are exceeded
  • When invalid time attribute values are provided

Model Validators

Container Type Validation

For create operations, exactly one container type must be specified:

from scm.models.security import VulnerabilityProfileCreateModel

# Error: multiple containers specified
try:
    profile = VulnerabilityProfileCreateModel(
        name="invalid-profile",
        rules=[{
            "name": "rule1",
            "severity": ["critical"],
            "host": "any",
            "action": {"alert": {}}
        }],
        folder="Texas",
        device="fw01"  # Can't specify both folder and device
    )
except ValueError as e:
    print(e)  # "Exactly one of 'folder', 'snippet', or 'device' must be provided."

Action Validation

Actions must be properly formatted and validated:

from scm.models.security import VulnerabilityProfileActionRequest

# Invalid action format
try:
    action = VulnerabilityProfileActionRequest(root=["alert"])  # Must be string or dict
except ValueError as e:
    print(e)  # "Invalid action format; must be a string or dict."

# Multiple actions specified
try:
    action = VulnerabilityProfileActionRequest(root={
        "alert": {},
        "drop": {}  # Can't specify multiple actions
    })
except ValueError as e:
    print(e)  # "Exactly one action must be provided in 'action' field."

Usage Examples

Creating a Basic Profile

from scm.client import Scm

# Initialize client
client = Scm(
    client_id="your_client_id",
    client_secret="your_client_secret",
    tsg_id="your_tsg_id"
)

# Using dictionary
basic_dict = {
    "name": "basic-profile",
    "description": "Basic vulnerability protection profile",
    "folder": "Texas",
    "rules": [{
        "name": "rule1",
        "severity": ["critical", "high"],
        "category": "exploit-kit",
        "host": "any",
        "action": {"alert": {}}
    }]
}

response = client.vulnerability_protection_profile.create(basic_dict)
print(f"Created profile: {response.name}")

Creating a Profile with Threat Exceptions

from scm.client import Scm

# Initialize client
client = Scm(
    client_id="your_client_id",
    client_secret="your_client_secret",
    tsg_id="your_tsg_id"
)

# Using dictionary
advanced_dict = {
    "name": "advanced-profile",
    "description": "Profile with threat exceptions",
    "folder": "Texas",
    "rules": [{
        "name": "rule1",
        "severity": ["critical"],
        "category": "code-execution",
        "host": "server",
        "action": {
            "block_ip": {
                "track_by": "source",
                "duration": 3600
            }
        }
    }],
    "threat_exception": [{
        "name": "exception1",
        "exempt_ip": [{"name": "trusted-server"}],
        "time_attribute": {
            "interval": 300,
            "threshold": 5,
            "track_by": "source-and-destination"
        }
    }]
}

response = client.vulnerability_protection_profile.create(advanced_dict)
print(f"Created profile with {len(response.rules)} rules")

Updating a Vulnerability Protection Profile

from scm.client import Scm

# Initialize client
client = Scm(
    client_id="your_client_id",
    client_secret="your_client_secret",
    tsg_id="your_tsg_id"
)

# Fetch existing profile
existing = client.vulnerability_protection_profile.fetch(name="basic-profile", folder="Texas")

# Modify attributes using dot notation
existing.description = "Updated vulnerability protection profile"

# Update rule settings
if existing.rules:
    existing.rules[0].severity = ["critical", "high", "medium"]
    existing.rules[0].action = {"reset_both": {}}

# Add a new rule
existing.rules.append({
    "name": "new-rule",
    "severity": ["low"],
    "category": "info-leak",
    "host": "any",
    "action": {"alert": {}}
})

# Pass modified object to update()
updated = client.vulnerability_protection_profile.update(existing)
print(f"Updated profile: {updated.name}")