-
Notifications
You must be signed in to change notification settings - Fork 25
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Is get_firewall_policies() implemented correctly? #39
Comments
@ebeahan This is the same issue I messaged about in the Slack channel. |
@ktbyers Thanks! I'm taking a look. |
On FortiOS CLI firewall policies are created within the I do see an issue with the One possible fix would be initializing an https://github.com/napalm-automation/napalm-fortios/blob/develop/napalm_fortios/fortios.py#L272 |
So with FortiOS is there only one firewall policy? For example, on an ASA, I could have multiple firewall policies that would map to ACL names and could be bound to different interfaces. I was expecting the 'policy_name' to correspond more to this. What is the use of policy id in fortios. Is it just a way to reference the entries in the one firewall policy (so that you can delete them, move them, change them)? |
Yes, there is only one firewall policy. Rules apply always to inbound/outbound interfaces pairs (which can be wildcards) but they are configured under a single flat list (the UI let's you filter/organize by interfaces) |
I still think this use of policy name doesn't make sense for FortiOS. The policy name for FortiOS should be something like The FortiOS policy id corresponds more to ACL sequence number (on Cisco ASA; Cisco IOS firewall)...and doesn't correspond to Here is what I think it should be for FortiOS (which would work reasonable well for Cisco ASA and Cisco IOS firewall).
position should be removed and should be indicated instead by position in the list. Also, there is only Note, We also should have someone that is familiar with Juniper SRX review to make sure we are covering the major NAPALM firewall platforms. Also probably need to consider zone based firewall on Cisco IOS and make sure it covers that reasonably well. I am also open to just eliminating this and re-implementing later (since current implementation has a lot of problems) and since FortiOS is currently the only platform it is implemented on. |
@ktbyers Agree with what you're proposing. I was interpreting policies as the individual firewall rules vs a collection of rules. As you pointed out, it's really indifferent in terms of FortiOS so whatever approach will apply best across the board can be adopted. Also prefer the idea of dumping position and allowing the index position with the list to serve the same purpose. |
I have no particular opinion about this. If you plan to modify the definition of the object, could you contact the people involved in the original PR to synch with them, please? |
@dbarrosop Yes, that makes sense. |
@awlx @DiogoAndre We had some discussion here on whether to modify napalm-automation/napalm-base#136 Any thoughts? Like @dbarrosop mentioned above we wanted to sync up with those involved in the original PRs to add the feature. |
@ebeahan I am totally fine with your idea to modify the behaviour of The The implementation of |
Hey guys, I have a couple of thoughts to add to this:
|
|
|
Anyone at RIPE74 maybe it's better to discuss somethings of this in person. |
I am but probably not the best person to talk with about this topic. Maybe @mirceaulinic. |
I am seeing some test failures on get_firewall_policies in napalm-fortios.
napalm-base defines get_firewall_polices as:
This is from base.py file.
The unit tests for napalm-fortios (mocked data) have the following for 'show firewall policy'
The napalm-fortios driver returns the following (on get_firewall_policy):
The key names being '1' and '2' looks wrong to me (should map to the policy_name per the definition in base.py).
The text was updated successfully, but these errors were encountered: