Skip to main content

Unified Firewall Abstraction laYer for Automation

Project description

UFAYA

Unified Firewall Abstraction laYer for Automation

CI PyPI version Python versions License: MIT

UFAYA is a Python SDK that provides a single, consistent interface for interacting with firewalls from multiple vendors. Instead of writing separate automation scripts for each firewall platform, UFAYA exposes a unified abstraction layer that normalizes firewall operations across different systems.

The design follows the same architectural principle used by tools like NAPALM, which provide a unified API to interact with devices from different vendors through an abstraction layer.

Supported Vendors

Vendor Driver Status
Juniper SRX juniper_srx Read-only XML ingestion + firewall-rule JSON export with live policy hit counts + XML-first NAT JSON export
Palo Alto paloalto Planned
Fortinet fortinet Planned
Cisco cisco Planned

Drivers can also be contributed out-of-tree and registered via the ufaya.drivers entry-point group; see CONTRIBUTING.md.

Juniper SRX exports

JuniperSRXDriver.export_rules_json(output_dir, mode=...) writes a context-grouped JSON document for parsed security policies.

  • Export modes remain minimal, enriched, and debug.
  • Export payloads now use schema_version: 3.
  • Each exported rule includes a canonical hit_count field.
  • In live mode, UFAYA fetches show security policies hit-count | display xml | no-more and populates hit_count when that operational snapshot is available.
  • The live hit-count parser supports both older policy-information responses and newer Junos operational XML variants such as multi-routing-engine-results with policy-hit-count-entry records.
  • In file mode, or when the live hit-count snapshot cannot be collected, rules still include hit_count: null.
  • Live exports that successfully collect hit counts also include a top-level hit_counts_collected_at UTC timestamp.
  • Hit-count parser maintenance notes live in JUNIPER_HIT_COUNTS.md.

JuniperSRXDriver.export_nat_json(output_dir, mode=...) writes a context-grouped JSON document for parsed Junos NAT rules.

  • NAT export is XML-first in both modes:
    • live mode fetches show configuration | display xml | no-more
    • file mode reads the XML file passed via config_path
  • NAT parsing walks <security><nat><source>, <destination>, and <static> from configuration XML.
  • NAT export modes are also minimal, enriched, and debug.
  • NAT payloads use schema_version: 2.
  • Exported NAT rules use a vendor-agnostic, rule-centric shape with explicit conditions (traffic match) and mapping (before/after rewrite) blocks.
  • conditions describes which packets the rule selects; mapping describes what field is rewritten, from which addresses/ports, to which addresses/ports.
  • Each mapping step includes a human-readable summary, original/translated sides, mapping_kind (fixed/pool/interface_address), determinism (exact/set_based/dynamic), and resolution_status (resolved/unresolved).
  • Static NAT exports both forward (inbound destination rewrite) and reverse (outbound source rewrite) mapping steps.
  • Unconstrained NAT address selectors export explicitly as ["any"] in conditions.
  • NAT application references are resolved into canonical protocol/port condition fields while preserving raw application names.
  • Enriched and debug NAT exports also include referenced translation pools under supporting_objects.translation_pools.
  • supporting_objects.translation_pools remains scoped to pools actually referenced by exported rules, not the full device inventory.
  • Referenced translation pools export the same normalized address/port values used by rule-level mapping targets, including supported address-range forms.
  • NAT lookup metadata records Juniper precedence as static, then destination, then source.

Installation

pip install ufaya

Usage

import ufaya

# File mode: parse a saved Junos XML config.
driver = ufaya.get_firewall_driver(
    "juniper_srx",
    config_path="srx-prod.xml",
)
rules = driver.get_rules()

# Live mode: SSH to the device. Use as a context manager so a single SSH
# session is shared across get_rules() and get_nat_rules() (and any future
# operational reads).
driver = ufaya.get_firewall_driver(
    "juniper_srx",
    host="srx-prod.example.com",
    username="readonly",
    password="...",
)
with driver:
    rules = driver.get_rules()
    nat_rules = driver.get_nat_rules()

# Capability discovery: ask what the driver can do, rather than calling and
# catching NotImplementedError.
from ufaya.firewall.base import NatReader, FirewallWriter
assert isinstance(driver, NatReader)        # supports NAT reads
assert not isinstance(driver, FirewallWriter)  # read-only

Out-of-tree drivers can register themselves via ufaya.register_driver(...) or by declaring a [project.entry-points."ufaya.drivers"] entry in their own pyproject.toml. See CONTRIBUTING.md.

JSON Schemas

The schemas/ directory publishes the canonical contract for each export type:

Both are strict (additionalProperties: false) Draft 2020-12 schemas. Downstream consumers can use them with any JSON Schema validator. The repo's CI fails any change that violates the contract; see CONTRIBUTING.md for the development flow.

Contributing

See CONTRIBUTING.md for guidelines.

License

MIT

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

ufaya-0.7.0.tar.gz (71.3 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

ufaya-0.7.0-py3-none-any.whl (31.1 kB view details)

Uploaded Python 3

File details

Details for the file ufaya-0.7.0.tar.gz.

File metadata

  • Download URL: ufaya-0.7.0.tar.gz
  • Upload date:
  • Size: 71.3 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for ufaya-0.7.0.tar.gz
Algorithm Hash digest
SHA256 673649237324c0ea865f2826a8cc9cad4894c35fe0b9d2f9985bcee6cfa142b2
MD5 05bde1a0ee59cfbc55511fd0f6431f64
BLAKE2b-256 72199a88ee8a645193e0cf30bc9fcb6b0f3f46124085461824f1f6d82dd87213

See more details on using hashes here.

Provenance

The following attestation bundles were made for ufaya-0.7.0.tar.gz:

Publisher: publish.yml on A-Khanafer/ufaya

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file ufaya-0.7.0-py3-none-any.whl.

File metadata

  • Download URL: ufaya-0.7.0-py3-none-any.whl
  • Upload date:
  • Size: 31.1 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for ufaya-0.7.0-py3-none-any.whl
Algorithm Hash digest
SHA256 ff741cf8e003ff047dacd2e3fcb0e2d1f305807883625cd68afd1c8a1eb0e05e
MD5 6b67ac26af9e0ec358cb38f677fab217
BLAKE2b-256 92d6b4517c69c82022f8c046f3e5c9915c18e4e12d237cef9c3b4b897b82317a

See more details on using hashes here.

Provenance

The following attestation bundles were made for ufaya-0.7.0-py3-none-any.whl:

Publisher: publish.yml on A-Khanafer/ufaya

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page