
[BUG]: Unable to delete udp/tcp ports in app segment

Open martinkiska opened this issue 3 years ago • 4 comments

Describe the bug

The SDK is natively unable to zeroize/delete the tcp/udp port config if an empty list is sent to the update function.

To Reproduce

Steps to reproduce the behavior: send tcp_ports/udp_ports = [] as a kwarg to update_segment and try to delete the UDP/TCP port config in the cloud.

Expected behavior

If an empty list is sent, I would expect the SDK to delete the port config from the specific app segment.

Screenshots

App definition in cloud: [{'name': 'TEST_testing3', 'domain_names': ['example.tld'], 'tcp_port_ranges': ['80', '80', '443', '443'], 'tcp_port_range': [{'from': '80', 'to': '80'}, {'from': '443', 'to': '443'}], 'udp_port_ranges': ['80', '80', '443', '443'], 'udp_port_range': [{'from': '80', 'to': '80'}, {'from': '443', 'to': '443'}]}]

Imagine a situation in which someone configured the app in the GUI, but you want to keep the SSoT in git in YAML format, update this app, and remove the udp port config, as there is none specified in the SSoT YAML.

Testing app format being passed to update_segment(): [{'name': 'TEST_testing3', 'domain_names': ['example.tld'], 'tcp_ports': [(80, 80), (443, 443)], 'udp_ports': []}]

As the empty value is omitted here, it will not be processed: https://github.com/mitchos/pyZscaler/blob/4502dc838050c3e8020c831ce4eaba24de1bbf30/pyzscaler/zpa/app_segments.py#L230-L231

kwargs will be later on updated from payload gathered in https://github.com/mitchos/pyZscaler/blob/4502dc838050c3e8020c831ce4eaba24de1bbf30/pyzscaler/zpa/app_segments.py#L225

Kwargs passed to function: https://github.com/mitchos/pyZscaler/blob/4502dc838050c3e8020c831ce4eaba24de1bbf30/pyzscaler/zpa/app_segments.py#L237-L238

That means that you will update kwargs from payload, which will keep the UDP ports configured.

My current workaround is to send {'udp_port_range':[],'udp_port_ranges':[]} directly to the update_segment function. Because those keys exist, the script will later override them in the payload. I already opened a ticket in the past and both va https://github.com/mitchos/pyZscaler/blob/4502dc838050c3e8020c831ce4eaba24de1bbf30/pyzscaler/zpa/app_segments.py#L160

Just a hint: it is not enough to send an empty value for udp_port_range only; both values need to equal [].

The current issue is that with the native options of the SDK there is no option to keep udp/tcp ports synced from git (YAML) to the GUI (to ensure that there is an empty value in the cloud).

martinkiska, Mar 31 '23 11:03

Hi @martinkiska sorry for the long time on this one, I am clearing the backlog up now and will take a look at this.

mitchos, Jun 02 '23 05:06

Hello. Any updates here? I have the same issue.

egoruzmukhametov, Jul 16 '24 11:07

Hi @egoruzmukhametov,

I can just share with you my very easy workaround in update_app function.

    # relates to https://github.com/mitchos/pyZscaler/issues/189
    # currently there is not an option to remove ports from cloud.
    for app in app_segments_to_be_updated:
        for key in ["tcp_port_", "udp_port_"]:
            if not app.get(key + "range", []):
                app[key + "range"] = []
                app[key + "ranges"] = []

If this easy code doesn't find a tcp/udp port configured in my own YAML structure, it just adds empty tcp/udp info via kwargs, and that correctly zeroizes it in the cloud.

martinkiska, Jul 22 '24 07:07
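
The behaviour reported in the issue and the workaround in the comment above, as an added example (not code from pyZscaler or from any commenter): a simplified model of the read-modify-write merge, in which `merge` and `stale_ports` are hypothetical names. It compares a truthiness check with an explicit `None` check and flags port ranges that stay exposed although the source of truth no longer lists them.

```python
# Simplified model of the read-modify-write update described in this issue.
# Function names are hypothetical; this is not pyZscaler's code.

# Sample data taken from the issue's example segment.
CLOUD = {
    "name": "TEST_testing3",
    "domain_names": ["example.tld"],
    "tcp_port_ranges": ["80", "80", "443", "443"],
    "tcp_port_range": [{"from": "80", "to": "80"}, {"from": "443", "to": "443"}],
    "udp_port_ranges": ["80", "80", "443", "443"],
    "udp_port_range": [{"from": "80", "to": "80"}, {"from": "443", "to": "443"}],
}
DESIRED = {"name": "TEST_testing3", "domain_names": ["example.tld"],
           "tcp_ports": [(80, 80), (443, 443)], "udp_ports": []}


def merge(current, strict, **kwargs):
    """Build the update payload from the current cloud object plus kwargs.

    strict=False models the reported behaviour: an empty list is falsy, so it
    is treated like "not supplied" and the stored ports survive.
    strict=True treats only None as "leave unchanged"; [] clears the ports.
    """
    payload = dict(current)
    for proto in ("tcp", "udp"):
        ports = kwargs.pop(f"{proto}_ports", None)
        supplied = ports is not None if strict else bool(ports)
        if supplied:
            payload[f"{proto}_port_range"] = [
                {"from": str(lo), "to": str(hi)} for lo, hi in ports]
            payload[f"{proto}_port_ranges"] = [str(p) for r in ports for p in r]
    payload.update(kwargs)  # remaining keys override the payload as-is
    return payload


def stale_ports(desired, payload):
    """Protocols the source of truth leaves empty but the payload still exposes."""
    return [proto for proto in ("tcp", "udp")
            if not desired.get(f"{proto}_ports")
            and (payload.get(f"{proto}_port_range")
                 or payload.get(f"{proto}_port_ranges"))]


if __name__ == "__main__":
    print("truthy check:", stale_ports(DESIRED, merge(CLOUD, False, **DESIRED)))
    print("None check  :", stale_ports(DESIRED, merge(CLOUD, True, **DESIRED)))
    print("workaround  :", stale_ports(DESIRED, merge(
        CLOUD, False, **DESIRED, udp_port_range=[], udp_port_ranges=[])))
```

Running `stale_ports` against the payload before every update turns a silent drift between the YAML source of truth and the cloud object into a visible failure.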

Hi @martinkiska Thank you for your answer, but still I would like to have a working module, not a workaround. I can also share my workaround method. In the case when I need to delete all tcp or udp ports from an application segment, I apply the bypass rule to this application segment, after which I apply the correct configuration.

egoruzmukhametov, Jul 22 '24 14:07