/**
 * Translates a {@link SetFirewallRulesCommand} into router config items.
 *
 * <p>Every {@link FirewallRuleTO} carried by the command is copied field by field into a
 * {@link FirewallRule}; the collected rules are wrapped in a {@link FirewallRules} set and
 * handed to {@code generateConfigItems}, whose result is returned unchanged.
 *
 * @param cmd the command to translate; it is cast to {@link SetFirewallRulesCommand}
 * @return the config items produced by {@code generateConfigItems} for the rule set
 */
@Override
public List<ConfigItem> generateConfig(final NetworkElementCommand cmd) {
    final SetFirewallRulesCommand firewallCmd = (SetFirewallRulesCommand) cmd;
    final List<FirewallRule> converted = new ArrayList<FirewallRule>();
    for (final FirewallRuleTO ruleTO : firewallCmd.getRules()) {
        converted.add(toFirewallRule(ruleTO));
    }
    final FirewallRules ruleSet = new FirewallRules(converted.toArray(new FirewallRule[0]));
    return generateConfigItems(ruleSet);
}

/**
 * Copies one transport object into the {@link FirewallRule} form used by the config generator.
 *
 * @param ruleTO the rule received from the management server
 * @return a {@link FirewallRule} carrying the same id, VLAN, addresses, protocol, ports,
 *         revoke/added flags, CIDR lists, purpose, ICMP type/code, traffic type, guest CIDR
 *         and default-egress flag
 */
private static FirewallRule toFirewallRule(final FirewallRuleTO ruleTO) {
    // Purpose and traffic type are passed as their string form, matching the original call.
    return new FirewallRule(
            ruleTO.getId(),
            ruleTO.getSrcVlanTag(),
            ruleTO.getSrcIp(),
            ruleTO.getProtocol(),
            ruleTO.getSrcPortRange(),
            ruleTO.revoked(),
            ruleTO.isAlreadyAdded(),
            ruleTO.getSourceCidrList(),
            ruleTO.getDestCidrList(),
            ruleTO.getPurpose().toString(),
            ruleTO.getIcmpType(),
            ruleTO.getIcmpCode(),
            ruleTO.getTrafficType().toString(),
            ruleTO.getGuestCidr(),
            ruleTO.isDefaultEgressPolicy());
}
if (fwTO.revoked()) { StringBuilder sb = new StringBuilder(); sb.append(fwTO.getSrcIp()).append(":reverted:0:0:0:0:").append(fwTO.getId()).append(":"); String fwRuleEntry = sb.toString(); toAdd.add(fwRuleEntry); sb.append(fwTO.getSrcIp()).append(":").append(fwTO.getProtocol()).append(":"); if ("icmp".compareTo(fwTO.getProtocol()) == 0) { sb.append(fwTO.getIcmpType()).append(":").append(fwTO.getIcmpCode()).append(":"); } else if (fwTO.getStringSrcPortRange() == null) sb.append("0:0").append(":"); else sb.append(fwTO.getStringSrcPortRange()).append(":"); sCidr = fwTO.getSourceCidrList(); dCidr = fwTO.getDestCidrList(); if (sCidr == null || sCidr.isEmpty()) { sb.append("0.0.0.0/0"); //check if this is necessary because we are providing the source cidr by default??? sb.append(fwTO.getId()); sb.append(":"); String fwRuleEntry = sb.toString();
public boolean manageFirewallRule(ArrayList<IPaloAltoCommand> cmdList, PaloAltoPrimative prim, FirewallRuleTO rule) throws ExecutionException { String ruleName; if (rule.getTrafficType() == FirewallRule.TrafficType.Egress) { ruleName = genFirewallRuleName(rule.getId(), rule.getSrcVlanTag()); } else { ruleName = genFirewallRuleName(rule.getId()); String protocol = rule.getProtocol(); String action = "allow"; if (rule.getSrcPortRange() != null) { int startPort = rule.getSrcPortRange()[0]; int endPort = rule.getSrcPortRange()[1]; if (startPort == endPort) { portRange = String.valueOf(startPort); if (rule.getTrafficType() == FirewallRule.TrafficType.Egress) { // Egress Rule srcZone = _privateZone; dstZone = _publicZone; if (rule.getType() == FirewallRule.FirewallRuleType.System) { if (!rule.isDefaultEgressPolicy()) { // default of deny && system rule, so deny action = "deny"; if (rule.isDefaultEgressPolicy()) { // default is allow && user rule, so deny action = "deny"; srcZone = _publicZone; dstZone = _privateZone; dstAddressXML = "<member>" + rule.getSrcIp() + "</member>";
// One result slot per rule in the command; filled in by the code that follows this run.
final String[] results = new String[cmd.getRules().length];
final FirewallRuleTO[] allrules = cmd.getRules();
// NOTE(review): allrules[0] throws ArrayIndexOutOfBoundsException when the command carries
// no rules — confirm callers never send an empty rule set, or guard on allrules.length first.
// The traffic type is read from the first rule only; the remaining rules are presumably
// expected to share it — verify against the caller.
final FirewallRule.TrafficType trafficType = allrules[0].getTrafficType();
// Default egress policy is carried as an access detail rather than on the individual rules.
final String egressDefault = cmd.getAccessDetail(NetworkElementCommand.FIREWALL_EGRESS_DEFAULT);
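/**
 * Applies a {@link SetFirewallRulesCommand} to the Palo Alto device.
 *
 * <p>Each rule is turned into an ADD primitive (active rule) or a DELETE primitive (revoked
 * rule) via {@code manageFirewallRule}; the batch is then sent and committed with
 * {@code requestWithCommit}. On an {@link ExecutionException} the device connection is
 * refreshed and the whole command retried while retries remain.
 *
 * @param cmd        the command carrying the firewall rules to apply
 * @param numRetries how many more times to refresh the connection and retry after a failure
 * @return a successful {@link Answer} when every command was applied and committed; a failed
 *         {@link Answer} when the device reported a failure or the retries are exhausted
 */
private Answer execute(SetFirewallRulesCommand cmd, int numRetries) {
    FirewallRuleTO[] rules = cmd.getRules();
    try {
        ArrayList<IPaloAltoCommand> commandList = new ArrayList<IPaloAltoCommand>();
        for (FirewallRuleTO rule : rules) {
            // Revoked rules are removed from the device; every other rule is (re)added.
            PaloAltoPrimative primitive = rule.revoked() ? PaloAltoPrimative.DELETE : PaloAltoPrimative.ADD;
            manageFirewallRule(commandList, primitive, rule);
        }
        boolean status = requestWithCommit(commandList);
        if (!status) {
            // A command or the commit was rejected by the device. Reporting success here would
            // let the management server record rules that are not actually enforced, so fail.
            return new Answer(cmd, false, "Palo Alto rejected one or more firewall rule commands");
        }
        return new Answer(cmd);
    } catch (ExecutionException e) {
        s_logger.error("SetFirewallRulesCommand failed: " + e.getMessage(), e);
        if (numRetries > 0 && refreshPaloAltoConnection()) {
            int numRetriesRemaining = numRetries - 1;
            s_logger.debug("Retrying SetFirewallRulesCommand. Number of retries remaining: " + numRetriesRemaining);
            return execute(cmd, numRetriesRemaining);
        } else {
            return new Answer(cmd, e);
        }
    }
}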