Fix bypass pair validation to allow default bypass pair conflicts #11

Open
hildebrau wants to merge 1 commit into PaloAltoNetworks:master from hildebrau:fix-bypass-pair-validation

@hildebrau

Fix bypass pair validation to allow default bypass pair conflicts

Fixes #10

  • Modified get_parent_child_dict() to distinguish between real port conflicts and false positives from default bypass pairs
  • Allows bypass pairs to use ports already in used_parent_name_list if those ports belong to other bypass pairs (which will be removed)
  • Fixes round-trip workflow (pull_site -> do_site) broken in SDK 6.6.1b1
  • Resolves issue where user-specified bypass pairs were incorrectly flagged as conflicts with default bypass pairs

Description

This PR fixes a validation error in get_parent_child_dict() that incorrectly flags user-specified bypass pairs as conflicts when they use ports that are already in used_parent_name_list from default bypass pairs.

The Problem:
When processing config_interfaces_defaults (which includes both default model interfaces and user-specified interfaces), default bypass pairs are processed first and add their WAN/LAN ports to used_parent_name_list. When user-specified bypass pairs are processed later, the validation incorrectly flags them as conflicts, even though the default bypass pairs will be removed (as they should be when the user specifies a config).

The Solution:
Modified the validation logic to check if a port conflict is with another bypass pair before throwing an error. This allows bypass pairs to use ports that are already in used_parent_name_list if those ports belong to other bypass pairs, while still preventing real conflicts with subinterfaces, PPPoE interfaces, virtual interfaces, etc.

Code Changes:

  • Modified prisma_config/do.py lines 5570-5603 in function get_parent_child_dict()
  • Added logic to distinguish between bypass pair conflicts (allowed) and non-bypass pair conflicts (real errors)

Motivation and Context

This PR addresses issue #10. After upgrading to prisma_sase 6.6.1b1 with prisma_config 6.5.1b2, the round-trip workflow (pull_site -> do_site) fails with:

ERROR: Bypass pair bp_45 is using a port that is a parent of another interface

This breaks critical workflows:

  • Configuration backup and restore
  • Configuration version control
  • CI/CD pipelines that validate configurations
  • Testing configuration changes

The configuration is valid in the controller (it was exported from there), but do_site rejects it during validation. This is a regression that prevents users from performing basic configuration management tasks.

How Has This Been Tested?

Test Environment:

  • prisma_config version: 6.5.1b2
  • prisma_sase SDK version: 6.6.1b1
  • Python version: 3.9
  • Operating System: Linux (RHEL 9.6)
  • Test site: ITLAB1 (contains bypass pairs with servicelink interfaces)

Test Cases:

  1. Existing YAML file: Ran do_site on an existing YAML file that previously failed - SUCCESS
  2. Round-trip test: pull_site -S ITLAB1 --output ITLAB1_test.yml followed by do_site ITLAB1_test.yml - SUCCESS
  3. Configuration application: Verified configuration applied correctly to both elements in the site

Testing Limitations:

  • Testing was performed on a single site (ITLAB1) with bypass pairs and servicelink interfaces
  • The fix was validated for the specific error scenario described in issue #10 (Bypass Pair Validation Error After SDK Upgrade)
  • Limited regression testing was performed - only confirmed that the specific bypass pair validation error was resolved and that the site configuration applied successfully
  • Additional testing across different site configurations, interface types, and edge cases would be beneficial

Test Output:

No Change for Site ITLAB1.
...
Updated Interface bp_45(45) (Etag 7 -> 8).
...
DONE

The fix successfully allows bypass pairs to be processed without false validation errors while still preventing real conflicts.

Screenshots (if appropriate)

N/A - Terminal output provided in testing section above.

Types of changes

  • Bug fix (non-breaking change which fixes an issue)

Checklist

  • I have updated the documentation accordingly. (N/A - no documentation changes needed)
  • I have read the CONTRIBUTING document. (Will review before submitting)
  • I have added tests to cover my changes if appropriate. (N/A - manual testing performed, no test framework in place)
  • All new and existing tests passed. (Manual testing on specific use case confirms fix works - see Testing Limitations above)

- Modified get_parent_child_dict() to distinguish between real port conflicts
  and false positives from default bypass pairs
- Allows bypass pairs to use ports already in used_parent_name_list if
  those ports belong to other bypass pairs (which will be removed)
- Fixes round-trip workflow (pull_site -> do_site) broken in SDK 6.6.1b1
- Resolves issue where user-specified bypass pairs were incorrectly
  flagged as conflicts with default bypass pairs
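
A simplified model of the check this PR describes, added here as an illustration; it is not the prisma_config code and was not posted by the PR author. The function name, record layout, type labels and sample interfaces are assumptions, and the model covers three cases: the default-pair false positive, a real conflict with a non-bypass parent, and two user-specified bypass pairs sharing a port.

```python
# Simplified model of the parent-port check discussed in this PR.
# Not prisma_config code: names, record layout and type labels are assumptions.
ERR = "Bypass pair {} is using a port that is a parent of another interface"

def check_parents(interfaces, allow_bypass_overlap):
    """Walk interfaces in order and return the errors raised for bypass pairs.

    allow_bypass_overlap=False models the behaviour the PR reports as broken;
    True models the relaxed rule the PR describes.
    """
    owner = {}    # port name -> type of the first interface that claimed it
    errors = []
    for intf in interfaces:
        if intf["type"] == "bypasspair":
            clashes = [p for p in intf["ports"] if p in owner]
            if allow_bypass_overlap:
                # Relaxed rule: a port held by another bypass pair is not a conflict.
                clashes = [p for p in clashes if owner[p] != "bypasspair"]
            if clashes:
                errors.append(ERR.format(intf["name"]))
        for p in intf["ports"]:
            owner.setdefault(p, intf["type"])
    return errors

# Constructed sample records (not taken from a real site).
DEFAULT_BP = {"name": "default_bp_45", "type": "bypasspair", "ports": ["4", "5"]}
USER_BP = {"name": "bp_45", "type": "bypasspair", "ports": ["4", "5"]}
PPPOE_ON_4 = {"name": "pppoe_4", "type": "pppoe", "ports": ["4"]}
USER_BP_56 = {"name": "bp_56", "type": "bypasspair", "ports": ["5", "6"]}

SCENARIOS = {
    "default then user pair": [DEFAULT_BP, USER_BP],
    "pppoe parent then pair": [PPPOE_ON_4, USER_BP],
    "two user pairs share port 5": [USER_BP, USER_BP_56],
}

if __name__ == "__main__":
    for label, intfs in SCENARIOS.items():
        print(label, "| strict:", check_parents(intfs, False),
              "| relaxed:", check_parents(intfs, True))
```

In this model the third scenario passes under the relaxed rule, so a check keyed only on the owner's type cannot tell a default pair from a second user-specified pair. Recording whether each entry came from the defaults or from the user's config would separate the two.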