Trying to copy security rules from one panorama to another

[jcrubaugh]

My apologies for the newby questions. Ive been a network engineer for 25 years, but only recently started using python. and I only started using this sdk on over this past weekend.

Here is my scenario. We have 31 panorama managed firewalls in AWS. We have decided to switch to GWLB and autoscaling groups in AWS. I have created 2 new panorama clusters . one which represents all NON prod environments and one with represents just PROD.

What im attempting to do is use code to move all the things ( tags, servcie objects, service groups, address objects, address groups, custom url categories, schedules, decryption policies and security polices over via scripts.

i have written and tested successfull my code for (tags, service objects, service groups, address objects, address groups) now im starting on policies ( yes i know i need url categories and schedules before i can use this, but this one seems harder so im spending time on it now.

Basically i want to query my existing panorama, select a device group, find the policies, then copy them over to the new panorama under a new device group with everything the same except source/destination zones... with GWLB we will just have one zone on the FW. In this code were im tyring to push to the new panorama and device grop im restricting it to the first entry, just so during testing the results will be quick. I think my logic is off on how to add security polices which are panorama managed . I do know it makes them in PreRulebase, but i just dont know what im doing to be honest. Any feedback is greatly appreciated.

import panos
from panos import panorama
from panos.policies import PreRulebase
from panos.policies import SecurityRule



device = 'my existing panorama'
auth_key = 'mykey'
devicegroup = 'original device group'  #this will change every time we migrate a new environment

# This defines how we will connect to panorama
mypanorama = panorama.Panorama(device, api_key=auth_key)
# This defines the device group we will be connecting to
palo_device_group = panorama.DeviceGroup(devicegroup)
mypanorama.add(palo_device_group)
rulebase = PreRulebase()
palo_device_group.add(rulebase)

existing_policies = SecurityRule.refreshall(rulebase)

gwlb_prerule_policies =[]
for policy in existing_policies:  
    gwlb_prerule_policies.append(policy.about())

print(gwlb_prerule_policies[0])   
 
#next we want to swtich to the new panorama-np.corp.alkamitech.com instance and use the gwlb_objects list above 
# and create these exact objects in the gwlb-egress device group
device = 'new destination panorama'
auth_key =mykey'
devicegroup = 'new device group'

# This defines how we will connect to panorama
mypanorama = panorama.Panorama(device, api_key=auth_key)
# This defines the device group we will be connecting to
palo_device_group = panorama.DeviceGroup(devicegroup)
mypanorama.add(palo_device_group)
rulebase = PreRulebase()
palo_device_group.add(rulebase)


for p in gwlb_prerule_policies[0:1]:
    gwlb_policy = SecurityRule(name=p['name'], source=p['source'], source_user=p['source_user'],destination=p['destination'], application=p['appliation'], service=p['service'],
    category=p['cateogry'], action=p['action'], log_setting=p['log_setting'], log_start=p['log_start'], log_end=p['log_end'], description=p['description'], type=p['type'],
    tag=p['tag'],disabled=p['disabled'], negate_source=p['negate_source'], negate_destination=p['negate_destination'], disabled=p['disabled'], schedule=p['schedule'],
    icmp_unreachable=p['icmp_uncreachable'], disable_server_response_inspection=p['disable_server_response_inspection'], group=p['group'], virus=p['virus'], spyware=p['spyware'],
    vulnerability=p['vulnerability'], url_filtering=p['url_filtering'], file_blocking=p['file_blocking'], wildfire_analysis=p['wildfire_analysis'], data_filtering=p['data_filtering'],
    negate_target=p['negate_target'], target=p['target'])
    rulebase.add(gwlb_policy)
    gwlb_policy.create()

[jcrubaugh]

I got my issue resolved