From ee2fcd2483530ce756737a16875e06704b8233b1 Mon Sep 17 00:00:00 2001 From: Sven Waschkut Date: Wed, 20 Sep 2023 17:55:17 +0200 Subject: [PATCH 01/35] start version 2.1.19 --- CHANGELOG.txt | 8 ++++++-- lib/misc-classes/PH.php | 2 +- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.txt b/CHANGELOG.txt index df65e828..01794d03 100644 --- a/CHANGELOG.txt +++ b/CHANGELOG.txt @@ -1,14 +1,18 @@ CHANGELOG -2.1.18 +2.1.19 UTIL: BUGFIX: -* type=address/service 'actions=move:shared,skipIfConflict' | bugfix as variable $findSubSystem was not declared for targetlocation 'shared' GENERAL: +2.1.18 (20230920) +BUGFIX: +* type=address/service 'actions=move:shared,skipIfConflict' | bugfix as variable $findSubSystem was not declared for targetlocation 'shared' + + 2.1.17 (20230920) UTIL: * type=certificate | extend to TemplateStack diff --git a/lib/misc-classes/PH.php b/lib/misc-classes/PH.php index 4cdc1ef9..c24fe4f3 100644 --- a/lib/misc-classes/PH.php +++ b/lib/misc-classes/PH.php @@ -182,7 +182,7 @@ function __construct($argv, $argc) private static $library_version_major = 2; private static $library_version_sub = 1; - private static $library_version_bugfix = 18; + private static $library_version_bugfix = 19; //BASIC AUTH PAN-OS 7.1 public static $softwareupdate_key = "658d787f293e631196dac9fb29490f1cc1bb3827"; From af1a76323ef825951f6a7736eb48f01d14c21a9b Mon Sep 17 00:00:00 2001 
From: Sven Waschkut Date: Thu, 21 Sep 2023 11:58:51 +0200 Subject: [PATCH 02/35] different classes | improve usage of flag 'XML_PARSE_BIG_LINES' in method loadXML --- CHANGELOG.txt | 1 + lib/device-and-system-classes/Sub.php | 4 ++-- migration/parser/SRX/SRX.php | 2 +- migration/parser/STONESOFT/STONESOFT.php | 2 +- migration/parser/lib/SHAREDNEW.php | 2 +- migration/parser/mapper/stonesoft_mapping.php | 2 +- utils/common/actions-device.php | 10 +++++----- utils/develop/migration/bluecoat.php | 2 +- utils/lib/IRONSKILLET_UPDATE__.php | 2 +- utils/lib/LICENSE__.php | 4 ++-- utils/lib/SOFTWARE_DOWNLOAD.php | 4 ++-- utils/lib/SOFTWARE_PREPARATION__.php | 2 +- 12 files changed, 19 insertions(+), 18 deletions(-) diff --git a/CHANGELOG.txt b/CHANGELOG.txt index 01794d03..a5c23361 100644 --- a/CHANGELOG.txt +++ b/CHANGELOG.txt @@ -2,6 +2,7 @@ CHANGELOG 2.1.19 UTIL: +* different classes | improve usage of flag 'XML_PARSE_BIG_LINES' in method loadXML BUGFIX: diff --git a/lib/device-and-system-classes/Sub.php b/lib/device-and-system-classes/Sub.php index f5e7ca65..da8a9c1d 100644 --- a/lib/device-and-system-classes/Sub.php +++ b/lib/device-and-system-classes/Sub.php @@ -66,7 +66,7 @@ function createDefaultSecurityRule( ) $ownerDocument = $this->rulebaseroot->ownerDocument; $newdoc = new DOMDocument; - $newdoc->loadXML( $this->defaultSecurityRules_xml ); + $newdoc->loadXML( $this->defaultSecurityRules_xml, XML_PARSE_BIG_LINES); $node = $newdoc->importNode($newdoc->firstChild, TRUE); $node = $ownerDocument->importNode($node, TRUE); @@ -82,7 +82,7 @@ function createPartialDefaultSecurityRule( $originalRuleNode ) $ownerDocument = $this->rulebaseroot->ownerDocument; $newdoc = new DOMDocument; - $newdoc->loadXML( $this->defaultSecurityRules_xml ); + $newdoc->loadXML( $this->defaultSecurityRules_xml, XML_PARSE_BIG_LINES); $node = $newdoc->importNode($newdoc->firstChild, TRUE); $ruleNode = DH::findFirstElement('rules', $node); 
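Review bot: The return value of `loadXML()` is still ignored in both createDefaultSecurityRule and createPartialDefaultSecurityRule, so a parse failure leaves `$newdoc->firstChild` null and the following `importNode()` call fails with a TypeError instead of a readable error; the flag change does not address this. The same unchecked pattern is in the SRX.php, STONESOFT.php, SHAREDNEW.php and stonesoft_mapping.php hunks (where `$data`, `$app_string` and the file contents are external input), in the five actions-device.php hunks, in bluecoat.php, IRONSKILLET_UPDATE__.php, the second LICENSE__.php hunk and the diff_dynamic_content hunk of SOFTWARE_DOWNLOAD.php. Guarding the call, e.g. `if( $newdoc->loadXML( $this->defaultSecurityRules_xml, XML_PARSE_BIG_LINES) === false ) derr("could not parse default security rule XML");`, gives a clear failure at the source. PHP's own name for this flag is LIBXML_BIGLINES; `XML_PARSE_BIG_LINES` is presumably defined by the framework, since the commit describes the flag as already in use.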
diff --git a/migration/parser/SRX/SRX.php b/migration/parser/SRX/SRX.php index 7a5ca716..9640d697 100644 --- a/migration/parser/SRX/SRX.php +++ b/migration/parser/SRX/SRX.php @@ -170,7 +170,7 @@ function clean_config() $doc = new DOMDocument(); - $doc->loadXML($data); + $doc->loadXML($data, XML_PARSE_BIG_LINES); $root = $doc->documentElement; // Root node diff --git a/migration/parser/STONESOFT/STONESOFT.php b/migration/parser/STONESOFT/STONESOFT.php index b6af38a7..4f262414 100644 --- a/migration/parser/STONESOFT/STONESOFT.php +++ b/migration/parser/STONESOFT/STONESOFT.php @@ -116,7 +116,7 @@ function clean_config() $doc = new DOMDocument(); - $doc->loadXML($data); + $doc->loadXML($data, XML_PARSE_BIG_LINES); $root = $doc->documentElement; // Root node diff --git a/migration/parser/lib/SHAREDNEW.php b/migration/parser/lib/SHAREDNEW.php index f5dcf677..50c9d8f8 100644 --- a/migration/parser/lib/SHAREDNEW.php +++ b/migration/parser/lib/SHAREDNEW.php @@ -1243,7 +1243,7 @@ public function load_custom_application() $doc = new DOMDocument(); - $doc->loadXML($app_string); + $doc->loadXML($app_string, XML_PARSE_BIG_LINES); $tmp = DH::findFirstElement('application', $doc); print "load appid\n"; $this->sub->appStore->load_application_custom_from_domxml($tmp); diff --git a/migration/parser/mapper/stonesoft_mapping.php b/migration/parser/mapper/stonesoft_mapping.php index cca4f914..ea76d7af 100644 --- a/migration/parser/mapper/stonesoft_mapping.php +++ b/migration/parser/mapper/stonesoft_mapping.php @@ -10,7 +10,7 @@ function stonesoft_checkfile( $fileName, &$firewalls, &$policy, &$mapping ) $stonesoft = file_get_contents($fileName); $doc = new DOMDocument(); - $doc->loadXML($stonesoft); + $doc->loadXML($stonesoft, XML_PARSE_BIG_LINES); $granted_policy_ref = $doc->getElementsByTagName('granted_policy_ref'); diff --git a/utils/common/actions-device.php b/utils/common/actions-device.php index aef3426c..256cfde5 100644 --- a/utils/common/actions-device.php 
+++ b/utils/common/actions-device.php @@ -1728,7 +1728,7 @@ $store = $sharedStore->$type; $profile = new $typeclass($name . "-" . $type_name, $store); $newdoc = new DOMDocument; - $newdoc->loadXML($context->$xmlString); + $newdoc->loadXML($context->$xmlString, XML_PARSE_BIG_LINES); $node = $newdoc->importNode($newdoc->firstChild, TRUE); $node = DH::findFirstElementByNameAttr("entry", $name . "-" . $type_name, $node); @@ -1756,7 +1756,7 @@ $store = $sharedStore->$type; $profile = new $typeclass($name . "-" . $type_name, $store); $newdoc = new DOMDocument; - $newdoc->loadXML($context->$xmlString); + $newdoc->loadXML($context->$xmlString, XML_PARSE_BIG_LINES); $node = $newdoc->importNode($newdoc->firstChild, TRUE); $node = DH::findFirstElementByNameAttr("entry", $name . "-" . $type_name, $node); @@ -2127,7 +2127,7 @@ $ownerDocument = $sub->xmlroot->ownerDocument; $newdoc = new DOMDocument; - $newdoc->loadXML( $lfp_bp_xmlstring ); + $newdoc->loadXML( $lfp_bp_xmlstring, XML_PARSE_BIG_LINES); $node = $newdoc->importNode($newdoc->firstChild, TRUE); $node = DH::findFirstElementByNameAttr( "entry", "default", $node ); $node = $ownerDocument->importNode($node, TRUE); @@ -2225,7 +2225,7 @@ $ownerDocument = $sub->xmlroot->ownerDocument; $newdoc = new DOMDocument; - $newdoc->loadXML( $zpp_bp_xmlstring ); + $newdoc->loadXML( $zpp_bp_xmlstring, XML_PARSE_BIG_LINES); $node = $newdoc->importNode($newdoc->firstChild, TRUE); $node = DH::findFirstElementByNameAttr( "entry", $entryProfileName, $node ); if( $node === false || $node === null ) @@ -2433,7 +2433,7 @@ $ownerDocument = $sub->xmlroot->ownerDocument; $newdoc = new DOMDocument; - $newdoc->loadXML( $defaultSecurityRules_xml ); + $newdoc->loadXML( $defaultSecurityRules_xml, XML_PARSE_BIG_LINES); $node = $newdoc->importNode($newdoc->firstChild, TRUE); $node = $ownerDocument->importNode($node, TRUE); $rulebase->appendChild( $node ); 
diff --git a/utils/develop/migration/bluecoat.php b/utils/develop/migration/bluecoat.php index c33fdca6..861b4652 100644 --- a/utils/develop/migration/bluecoat.php +++ b/utils/develop/migration/bluecoat.php @@ -206,7 +206,7 @@ function strpos_all($haystack, $needle) { if( isset(PH::$args['loadxmlfromfile']) ) $xmlDoc->load( $file."_BCorig1.xml" ); else - $xmlDoc->loadXML($xml); + $xmlDoc->loadXML($xml, XML_PARSE_BIG_LINES); $xmlString = $xmlDoc->saveXML(); file_put_contents($file."_BCorig2.xml", $xmlString); diff --git a/utils/lib/IRONSKILLET_UPDATE__.php b/utils/lib/IRONSKILLET_UPDATE__.php index 6173422d..e5d43a42 100644 --- a/utils/lib/IRONSKILLET_UPDATE__.php +++ b/utils/lib/IRONSKILLET_UPDATE__.php @@ -261,7 +261,7 @@ function __construct() //read new XML string $newdoc2 = new DOMDocument; - $newdoc2->loadXML($xmlString); + $newdoc2->loadXML($xmlString, XML_PARSE_BIG_LINES); /** @var DOMElement $rootNode2 */ $rootNode2 = $newdoc2->firstChild; diff --git a/utils/lib/LICENSE__.php b/utils/lib/LICENSE__.php index a5a0149d..baee872a 100644 --- a/utils/lib/LICENSE__.php +++ b/utils/lib/LICENSE__.php @@ -279,7 +279,7 @@ public function main( $argv, $argc) $dom = new DOMDocument; - $dom->loadXML($content); + $dom->loadXML($content, XML_PARSE_BIG_LINES); if( !$dom ) { echo 'problems by parsing the document'; @@ -370,7 +370,7 @@ public function main( $argv, $argc) derr("SERVER response: 'Serial Number doesn't belong to this support account. Use different License API key'", null, FALSE); $xmlDoc = new DOMDocument(); - $xmlDoc->loadXML($curl_response); + $xmlDoc->loadXML($curl_response, XML_PARSE_BIG_LINES); if( $debug ) diff --git a/utils/lib/SOFTWARE_DOWNLOAD.php b/utils/lib/SOFTWARE_DOWNLOAD.php index 0557b7da..77014226 100644 --- a/utils/lib/SOFTWARE_DOWNLOAD.php +++ b/utils/lib/SOFTWARE_DOWNLOAD.php 
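Review bot: The check that follows the changed line in LICENSE__.php's main, `if( !$dom )`, tests the DOMDocument object rather than the result of `loadXML()`, so it can never be true and a malformed `$content` is never reported; the same dead check follows the loadXML calls in the main hunks of SOFTWARE_DOWNLOAD.php and SOFTWARE_PREPARATION__.php. Testing the return value instead, `if( $dom->loadXML($content, XML_PARSE_BIG_LINES) === false )`, makes the existing 'problems by parsing the document' branch reachable. main continues outside the hunk.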
@@ -281,7 +281,7 @@ public function main() $dom = new DOMDocument; - $dom->loadXML($content); + $dom->loadXML($content, XML_PARSE_BIG_LINES); if (!$dom) { echo 'problems by parsing the document'; exit; @@ -1139,7 +1139,7 @@ public function diff_dynamic_content( $key, $fields, $device, &$url_array ) $xmlDoc = new DOMDocument(); - $xmlDoc->loadXML($curl_response); + $xmlDoc->loadXML($curl_response, XML_PARSE_BIG_LINES); $x = $xmlDoc->documentElement; diff --git a/utils/lib/SOFTWARE_PREPARATION__.php b/utils/lib/SOFTWARE_PREPARATION__.php index c5cd24e5..8d52e399 100644 --- a/utils/lib/SOFTWARE_PREPARATION__.php +++ b/utils/lib/SOFTWARE_PREPARATION__.php @@ -199,7 +199,7 @@ public function main( $argv, $argc) $content = file_get_contents($input_file_name); $dom = new DOMDocument; - $dom->loadXML($content); + $dom->loadXML($content, XML_PARSE_BIG_LINES); if (!$dom) { echo 'problems by parsing the document'; exit; From 1678163da0dbd05ed57d33428557cdcb398ef8ea Mon Sep 17 00:00:00 2001 From: Sven Waschkut Date: Thu, 21 Sep 2023 12:07:19 +0200 Subject: [PATCH 03/35] all type=XYZ | start supporting location=!shared --- CHANGELOG.txt | 1 + utils/lib/UTIL.php | 9 +++++++++ 2 files changed, 10 insertions(+) diff --git a/CHANGELOG.txt b/CHANGELOG.txt index a5c23361..1006ff33 100644 --- a/CHANGELOG.txt +++ b/CHANGELOG.txt @@ -3,6 +3,7 @@ CHANGELOG 2.1.19 UTIL: * different classes | improve usage of flag 'XML_PARSE_BIG_LINES' in method loadXML +* all type=XYZ | start supporting location=!shared BUGFIX: diff --git a/utils/lib/UTIL.php b/utils/lib/UTIL.php index 2c0af451..412caa49 100644 --- a/utils/lib/UTIL.php +++ b/utils/lib/UTIL.php 
@@ -1405,6 +1405,15 @@ public function location_filter() else $this->objectsLocation[$key] = 'any'; } + elseif( strtolower($location) == '!shared' ) + { + if( $this->configType == 'panos' ) + $tmp_locArray = $this->pan->getVirtualSystems(); + elseif( $this->configType == 'panorama' ) + $tmp_locArray = $this->pan->getDeviceGroups(); + foreach( $tmp_locArray as $loc ) + $this->objectsLocation[] = $loc->name(); + } } unset($location); From 61a02f0b61951482cbe06c88b34b8f2b280b5418 Mon Sep 17 00:00:00 2001 From: Sven Waschkut Date: Thu, 21 Sep 2023 14:06:06 +0200 Subject: [PATCH 04/35] revert implementation of 'location=!shared' --- CHANGELOG.txt | 1 - utils/lib/UTIL.php | 10 ---------- 2 files changed, 11 deletions(-) diff --git a/CHANGELOG.txt b/CHANGELOG.txt index 1006ff33..a5c23361 100644 --- a/CHANGELOG.txt +++ b/CHANGELOG.txt @@ -3,7 +3,6 @@ CHANGELOG 2.1.19 UTIL: * different classes | improve usage of flag 'XML_PARSE_BIG_LINES' in method loadXML -* all type=XYZ | start supporting location=!shared BUGFIX: diff --git a/utils/lib/UTIL.php b/utils/lib/UTIL.php index 412caa49..5c666660 100644 --- a/utils/lib/UTIL.php +++ b/utils/lib/UTIL.php @@ -1405,16 +1405,6 @@ public function location_filter() else $this->objectsLocation[$key] = 'any'; } - elseif( strtolower($location) == '!shared' ) - { - if( $this->configType == 'panos' ) - $tmp_locArray = $this->pan->getVirtualSystems(); - elseif( $this->configType == 'panorama' ) - $tmp_locArray = $this->pan->getDeviceGroups(); - foreach( $tmp_locArray as $loc ) - $this->objectsLocation[] = $loc->name(); - } - } unset($location); } From ca2526e403b0dd8692f256e71467ab7385200707 Mon Sep 17 00:00:00 2001 
From: Sven Waschkut Date: Thu, 21 Sep 2023 14:39:12 +0200 Subject: [PATCH 05/35] class PANConf / Panoramaconfg | implement method ChildDeviceGroups() for 'location=shared:excludemaindg' --- CHANGELOG.txt | 1 + lib/device-and-system-classes/PANConf.php | 5 +++++ lib/device-and-system-classes/PanoramaConf.php | 4 ++++ 3 files changed, 10 insertions(+) diff --git a/CHANGELOG.txt b/CHANGELOG.txt index a5c23361..fc65fafc 100644 --- a/CHANGELOG.txt +++ b/CHANGELOG.txt @@ -3,6 +3,7 @@ CHANGELOG 2.1.19 UTIL: * different classes | improve usage of flag 'XML_PARSE_BIG_LINES' in method loadXML +* class PANConf / Panoramaconfg | implement method ChildDeviceGroups() for 'location=shared:excludemaindg' BUGFIX: diff --git a/lib/device-and-system-classes/PANConf.php b/lib/device-and-system-classes/PANConf.php index bfbf3633..40adbdf4 100644 --- a/lib/device-and-system-classes/PANConf.php +++ b/lib/device-and-system-classes/PANConf.php @@ -1077,5 +1077,10 @@ public function findSubSystemByName($location) return $this->findVirtualSystem($location); } + // this is for !shared + public function childDeviceGroups() + { + return $this->getVirtualSystems(); + } } diff --git a/lib/device-and-system-classes/PanoramaConf.php b/lib/device-and-system-classes/PanoramaConf.php index 268dd0b2..903bc43b 100644 --- a/lib/device-and-system-classes/PanoramaConf.php +++ b/lib/device-and-system-classes/PanoramaConf.php @@ -2362,6 +2362,10 @@ public function findSubSystemByName($location) return $this->findDeviceGroup($location); } + public function childDeviceGroups() + { + return $this->getDeviceGroups(); + } } From f4f680fc62943f5fb242dd09e27158e816d74ace Mon Sep 17 00:00:00 2001 From: Sven Waschkut Date: Thu, 21 Sep 2023 15:29:59 +0200 Subject: [PATCH 06/35] class UTIL - extend help for argument location= --- utils/lib/UTIL.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/utils/lib/UTIL.php b/utils/lib/UTIL.php index 5c666660..d3640826 100644 --- a/utils/lib/UTIL.php 
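Review bot: `childDeviceGroups()` in PANConf.php has no doc comment, and its only comment, `// this is for !shared`, names a syntax that the previous commit in this series reverted, while the commit message ties the method to `location=shared:excludemaindg`; a reader cannot tell which is current. On a firewall the method returns the result of `getVirtualSystems()`, i.e. virtual systems stand in for child device groups, which is worth stating since the name suggests device groups. A docblock such as `/** Firewall counterpart of PanoramaConf::childDeviceGroups(): returns the VirtualSystem objects, since a PAN-OS config has no device groups. @return VirtualSystem[] */` (element type presumed from getVirtualSystems()) would replace the stale comment, and the PanoramaConf.php hunk should get the matching `@return DeviceGroup[]` docblock.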
+++ b/utils/lib/UTIL.php @@ -258,7 +258,7 @@ public function supportedArguments() { $this->supportedArguments['in'] = array('niceName' => 'in', 'shortHelp' => 'input file or api. ie: in=config.xml or in=api://192.168.1.1 or in=api://0018CAEC3@panorama.company.com', 'argDesc' => '[filename]|[api://IP]|[api://serial@IP]'); $this->supportedArguments['out'] = array('niceName' => 'out', 'shortHelp' => 'output file to save config after changes. Only required when input is a file. ie: out=save-config.xml', 'argDesc' => '[filename]'); - $this->supportedArguments['location'] = array('niceName' => 'Location', 'shortHelp' => 'specify if you want to limit your query to a VSYS/DG. By default location=shared for Panorama, =vsys1 for PANOS. ie: location=any or location=vsys2,vsys1', 'argDesc' => 'sub1[,sub2]'); + $this->supportedArguments['location'] = array('niceName' => 'Location', 'shortHelp' => 'specify if you want to limit your query to a VSYS/DG. By default location=shared for Panorama, =vsys1 for PANOS. ie: location=any or location=vsys2,vsys1 or location={DGname}:excludeMaindg [only childDGs of {DGname}] or location={DGname}:includechilddgs [{DGname} + all childDGs]', 'argDesc' => 'sub1[,sub2]'); $this->supportedArguments['listactions'] = array('niceName' => 'ListActions', 'shortHelp' => 'lists available Actions'); $this->supportedArguments['listfilters'] = array('niceName' => 'ListFilters', 'shortHelp' => 'lists available Filters'); $this->supportedArguments['stats'] = array('niceName' => 'Stats', 'shortHelp' => 'display stats after changes'); From bac726da6fdc8c2413f1742cc361a2bed75768a3 Mon Sep 17 00:00:00 2001 From: Sven Waschkut Date: Fri, 22 Sep 2023 10:24:23 +0200 Subject: [PATCH 07/35] class PANConf|VirtualSystem | bugfix to support SharedGateway also for Tag objects correctly --- CHANGELOG.txt | 1 + lib/device-and-system-classes/PANConf.php | 5 ++++- lib/device-and-system-classes/VirtualSystem.php | 2 +- 3 files changed, 6 insertions(+), 2 deletions(-) 
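Review bot: The extended shortHelp now documents `location={DGname}:excludeMaindg` and `location={DGname}:includechilddgs`, but `argDesc` is left at `'sub1[,sub2]'`, so the usage line still hides the new suffix syntax; `'argDesc' => 'sub1[:excludemaindg|:includechilddgs][,sub2]'` would keep the two in step. The suffix is spelled `excludeMaindg` here and `excludemaindg` in the changelog hunk of the earlier commit; whether matching is case-insensitive cannot be seen in this hunk, so one spelling should be used in the help. supportedArguments continues outside the hunk.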
diff --git a/CHANGELOG.txt b/CHANGELOG.txt index fc65fafc..825f2511 100644 --- a/CHANGELOG.txt +++ b/CHANGELOG.txt @@ -6,6 +6,7 @@ UTIL: * class PANConf / Panoramaconfg | implement method ChildDeviceGroups() for 'location=shared:excludemaindg' BUGFIX: +* class PANConf|VirtualSystem | bugfix to support SharedGateway also for Tag objects correctly GENERAL: diff --git a/lib/device-and-system-classes/PANConf.php b/lib/device-and-system-classes/PANConf.php index 40adbdf4..9a18ac5f 100644 --- a/lib/device-and-system-classes/PANConf.php +++ b/lib/device-and-system-classes/PANConf.php @@ -1074,7 +1074,10 @@ public function createVirtualSystem($vsysID, $displayName = '') public function findSubSystemByName($location) { - return $this->findVirtualSystem($location); + $vsys = $this->findVirtualSystem($location); + if( $vsys === null ) + $vsys = $this->findSharedGateway($location); + return $vsys; } // this is for !shared diff --git a/lib/device-and-system-classes/VirtualSystem.php b/lib/device-and-system-classes/VirtualSystem.php index ffb0a615..37e1f565 100644 --- a/lib/device-and-system-classes/VirtualSystem.php +++ b/lib/device-and-system-classes/VirtualSystem.php @@ -420,7 +420,7 @@ public function load_from_domxml($xml) // // Extract Tag objects // - if( $this->owner->version >= 60 ) + if( $this->owner->version >= 60 or (get_class($this->owner) == "SharedGatewayStore" and $this->owner->owner->version >= 60) ) { $tmp = DH::findFirstElement('tag', $xml); if( $tmp !== FALSE ) From 11ce883032b91cd2d13952e3b14b6a4c2acfa2cd Mon Sep 17 00:00:00 2001 From: Sven Waschkut Date: Fri, 22 Sep 2023 10:25:31 +0200 Subject: [PATCH 08/35] type=gcp | introduce argument 'namespace=XYZ' to specify and better filter for get pods --- CHANGELOG.txt | 1 + utils/lib/GCP.php | 20 +++++++++++++++----- 2 files changed, 16 insertions(+), 5 deletions(-) diff --git a/CHANGELOG.txt b/CHANGELOG.txt index 825f2511..e4c55b4f 100644 --- a/CHANGELOG.txt +++ b/CHANGELOG.txt 
@@ -4,6 +4,7 @@ CHANGELOG UTIL: * different classes | improve usage of flag 'XML_PARSE_BIG_LINES' in method loadXML * class PANConf / Panoramaconfg | implement method ChildDeviceGroups() for 'location=shared:excludemaindg' +* type=gcp | introduce argument 'namespace=XYZ' to specify and better filter for get pods BUGFIX: * class PANConf|VirtualSystem | bugfix to support SharedGateway also for Tag objects correctly diff --git a/utils/lib/GCP.php b/utils/lib/GCP.php index 7edf15b1..de42d92b 100644 --- a/utils/lib/GCP.php +++ b/utils/lib/GCP.php @@ -55,6 +55,7 @@ public function utilStart() $this->supportedArguments['region'] = Array('niceName' => 'Region', 'shortHelp' => 'specify the region | default: region=us-central1 | region=europe-west3', 'argDesc' => '=us-central1'); $this->supportedArguments['project'] = Array('niceName' => 'Project', 'shortHelp' => 'specify the project | default: project=ngfw-dev', 'argDesc' => '=ngfw-dev'); $this->supportedArguments['tenantid'] = Array('niceName' => 'TenantID', 'shortHelp' => 'TenantID you like to use. also possible to bring in a part script will do grep', 'argDesc' => '=123456789'); + $this->supportedArguments['namespace'] = Array('niceName' => 'Namespace', 'shortHelp' => 'specify the namespace you like to used | default: namespace=default', 'argDesc' => '=xyz'); $this->supportedArguments['actions'] = Array('niceName' => 'actions', 'shortHelp' => 'specify the action the script should trigger', 'argDesc' => 'actions=grep'); @@ -90,9 +91,18 @@ public function main() else $project = "ngfw-dev"; + if( isset(PH::$args['namespace']) ) + $namespace = PH::$args['namespace']; + else + $namespace = "default"; if( isset(PH::$args['tenantid']) ) + { $tenantID = PH::$args['tenantid']; + if( strpos( $tenantID, "toggle" ) !== false ) + $namespace = "adift"; + } + else derr( "argument tenantid=[ID] is missing", null, false ); 
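Review bot: The new `$namespace = "adift";` inside the tenantid block overrides a namespace the operator passed explicitly with `namespace=`, because it runs after the default has been resolved and does not check `isset(PH::$args['namespace'])`; the help text added in the first hunk says the default is `default`, but here the effective value silently changes for tenant ids containing "toggle". Applying the override only when no namespace was given, `if( !isset(PH::$args['namespace']) && strpos( $tenantID, "toggle" ) !== false ) $namespace = "adift";`, keeps the documented precedence. The value is later concatenated into kubectl command strings (hunks below), so this block is also the natural place to validate it. main continues outside the hunk.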
@@ -148,7 +158,7 @@ public function main() $this->http_auth = "https://".$this->http_auth_IP."/"; $get_auth = "gcloud container clusters get-credentials ".$cluster." --region ".$region." --project ".$project; - $this->get_all_pods = "kubectl ".$this->insecureValue." get pods"; + $this->get_all_pods = "kubectl ".$this->insecureValue." get pods -n ".$namespace; $cliArray = array(); $cliArray2 = array(); @@ -275,7 +285,7 @@ public function main() else $container = substr($tenantID, 0, -2); - $cli = "kubectl ".$this->insecureValue." cp ".$inputconfig." -c ".$container." ".$tenantID.":".$this->configPath.$outputfilename; + $cli = "kubectl ".$this->insecureValue." cp ".$inputconfig." -c ".$container." ".$tenantID.":".$this->configPath.$outputfilename. " -n ".$namespace; $this->execCLIWithOutput( $cli ); } elseif( $action == "download" ) @@ -296,7 +306,7 @@ public function main() else $container = substr($tenantID, 0, -2); - $cli = "kubectl ".$this->insecureValue." exec ".$tenantID." -c ".$container." -- cat ".$this->configPath.$inputconfig." > ".$outputfilename; + $cli = "kubectl ".$this->insecureValue." exec ".$tenantID." -c ".$container." -- cat ".$this->configPath.$inputconfig." -n ".$namespace." > ".$outputfilename; $this->execCLIWithOutput( $cli ); } elseif( $action == "validation" ) @@ -314,7 +324,7 @@ public function main() else $container = substr($tenantID, 0, -2); - $cli = "kubectl ".$this->insecureValue." exec ".$tenantID." -c ".$container." -- ".$validation_command; + $cli = "kubectl ".$this->insecureValue." exec ".$tenantID." -c ".$container." -n ".$namespace." -- ".$validation_command; $this->execCLI($cli, $output, $retValue); 
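Review bot: In the download hunk (`@@ -296`) the new `-n ".$namespace` is placed after `--`, so it is handed to `cat` inside the container rather than to kubectl; the namespace must precede `--` as the validation hunk does: `$cli = "kubectl ".$this->insecureValue." exec ".$tenantID." -c ".$container." -n ".$namespace." -- cat ".$this->configPath.$inputconfig." > ".$outputfilename;`. Every hunk in this file (get pods, cp, exec, describe) also concatenates `$namespace`, which comes straight from `PH::$args`, into a command string that `execCLIWithOutput()`/`execCLI()` run, with no quoting; wrapping it as `escapeshellarg($namespace)` at each use keeps a value containing shell metacharacters from being interpreted as part of the command. The same applies to the pre-existing `$tenantID` and path pieces, though they are outside this change. main continues outside the hunks.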
@@ -336,7 +346,7 @@ public function main() else $container = substr($tenantID, 0, -2); - $cli = "kubectl ".$this->insecureValue." describe pod ".$tenantID." | grep 'Image: '"; + $cli = "kubectl ".$this->insecureValue." describe pod ".$tenantID." -n ".$namespace." | grep 'Image: '"; //describe pod expedition-77b4c645b9-sxqrp | grep Image From e8d9e13930db8c9c6221d75274e918f954a4806b Mon Sep 17 00:00:00 2001 From: Sven Waschkut Date: Fri, 22 Sep 2023 11:08:18 +0200 Subject: [PATCH 09/35] Class VirtualSystem/SharedGatewayStore | better handling of version variable --- CHANGELOG.txt | 1 + lib/device-and-system-classes/VirtualSystem.php | 2 +- lib/network-classes/SharedGatewayStore.php | 2 ++ 3 files changed, 4 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.txt b/CHANGELOG.txt index e4c55b4f..61649ae6 100644 --- a/CHANGELOG.txt +++ b/CHANGELOG.txt @@ -10,6 +10,7 @@ BUGFIX: * class PANConf|VirtualSystem | bugfix to support SharedGateway also for Tag objects correctly GENERAL: +* Class VirtualSystem/SharedGatewayStore | better handling of version variable 2.1.18 (20230920) diff --git a/lib/device-and-system-classes/VirtualSystem.php b/lib/device-and-system-classes/VirtualSystem.php index 37e1f565..ffb0a615 100644 --- a/lib/device-and-system-classes/VirtualSystem.php +++ b/lib/device-and-system-classes/VirtualSystem.php @@ -420,7 +420,7 @@ public function load_from_domxml($xml) // // Extract Tag objects // - if( $this->owner->version >= 60 or (get_class($this->owner) == "SharedGatewayStore" and $this->owner->owner->version >= 60) ) + if( $this->owner->version >= 60 ) { $tmp = DH::findFirstElement('tag', $xml); if( $tmp !== FALSE ) diff --git a/lib/network-classes/SharedGatewayStore.php b/lib/network-classes/SharedGatewayStore.php index e637e9fe..7ae597fe 100644 --- a/lib/network-classes/SharedGatewayStore.php +++ b/lib/network-classes/SharedGatewayStore.php 
@@ -41,6 +41,8 @@ public function __construct($name, $owner) $this->name = $name; $this->owner = $owner; $this->classn = &self::$childn; + + $this->version = &$owner->version; } public function load_from_domxml(DOMElement $xml) From 23a88ed09d7bd86b46d6fc9d28f16a7d41f04ba2 Mon Sep 17 00:00:00 2001 From: Sven Waschkut Date: Fri, 22 Sep 2023 11:45:46 +0200 Subject: [PATCH 10/35] type=device | introduce actions=virtualSystem-delete/sharedgateway-delete/sharedgateway-migrate-to-vsys --- CHANGELOG.txt | 1 + lib/device-and-system-classes/PANConf.php | 36 +++++++++ utils/common/actions-device.php | 97 +++++++++++++++++++++++ 3 files changed, 134 insertions(+) diff --git a/CHANGELOG.txt b/CHANGELOG.txt index 61649ae6..3b84f9b6 100644 --- a/CHANGELOG.txt +++ b/CHANGELOG.txt @@ -5,6 +5,7 @@ UTIL: * different classes | improve usage of flag 'XML_PARSE_BIG_LINES' in method loadXML * class PANConf / Panoramaconfg | implement method ChildDeviceGroups() for 'location=shared:excludemaindg' * type=gcp | introduce argument 'namespace=XYZ' to specify and better filter for get pods +* type=device | introduce actions=virtualSystem-delete/sharedgateway-delete/sharedgateway-migrate-to-vsys BUGFIX: * class PANConf|VirtualSystem | bugfix to support SharedGateway also for Tag objects correctly diff --git a/lib/device-and-system-classes/PANConf.php b/lib/device-and-system-classes/PANConf.php index 9a18ac5f..c6884a58 100644 --- a/lib/device-and-system-classes/PANConf.php +++ b/lib/device-and-system-classes/PANConf.php 
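Review bot: `$this->version = &$owner->version;` binds the store's version by reference, and nothing in the hunk says why a copy would not do; presumably `$owner->version` is still unset at construction time and only filled after the owner's XML is loaded, which is what the reverted VirtualSystem.php check in this commit relied on. A one-line comment would save the next reader from "fixing" it into a plain assignment: `// by reference: the owner's version is only known after its XML is parsed, and VirtualSystem::load_from_domxml() reads it through $this->version`. If `$version` is not a declared property of SharedGatewayStore (not visible here) it is created dynamically, which PHP 8.2 deprecates. __construct begins outside the hunk.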
@@ -1072,6 +1072,42 @@ public function createVirtualSystem($vsysID, $displayName = '') return $newVsys; } + /** + * Remove a VirtualSystem. + * @param VirtualSystem $vsys + **/ + public function removeVirtualSystem( $vsys ) + { + $VSYSname = $vsys->name(); + + //remove VSYS from XML + $xPath = "/config/devices/entry[@name='localhost.localdomain']/vsys"; + $dgNode = DH::findXPathSingleEntryOrDie($xPath, $this->xmlroot); + + $DGremove = DH::findFirstElementByNameAttrOrDie('entry', $VSYSname, $dgNode); + $dgNode->removeChild( $DGremove ); + + unset($this->virtualSystems[ $VSYSname ]); + } + + /** + * Remove a VirtualSystem. + * @param VirtualSystem $vsys + **/ + public function removeSharedGateway( $vsys ) + { + $VSYSname = $vsys->name(); + + //remove VSYS from XML + $xPath = "/config/devices/entry[@name='localhost.localdomain']/network/shared-gateway"; + $dgNode = DH::findXPathSingleEntryOrDie($xPath, $this->xmlroot); + + $DGremove = DH::findFirstElementByNameAttrOrDie('entry', $VSYSname, $dgNode); + $dgNode->removeChild( $DGremove ); + + unset($this->sharedGateways[ $VSYSname ]); + } + public function findSubSystemByName($location) { $vsys = $this->findVirtualSystem($location); diff --git a/utils/common/actions-device.php b/utils/common/actions-device.php index 256cfde5..cf66208e 100644 --- a/utils/common/actions-device.php +++ b/utils/common/actions-device.php 
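Review bot: The docblock on `removeSharedGateway()` is a copy of the one above it and says "Remove a VirtualSystem." over a method that deletes under `network/shared-gateway` and unsets `$this->sharedGateways`; the locals `$dgNode`/`$DGremove` and the `//remove VSYS from XML` comment are likewise carried over from device-group code. Suggested docblock: `/** Remove a SharedGateway from the XML tree and from $this->sharedGateways. Does not send an API request; callers do that. @param VirtualSystem $vsys entry owned by SharedGatewayStore */`, with the same "XML and in-memory only" sentence on `removeVirtualSystem()`. Both methods locate the entry with the `OrDie` helpers, so passing an object of the wrong kind terminates the process rather than returning an error; worth stating in the docblock since the callers in actions-device.php only check `get_class($object)`.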
@@ -593,6 +593,103 @@ ), ); +DeviceCallContext::$supportedActions['VirtualSystem-delete'] = array( + 'name' => 'virtualsystem-delete', + 'MainFunction' => function (DeviceCallContext $context) { + + $object = $context->object; + $name = $object->name(); + + $pan = $context->subSystem; + if( !$pan->isFirewall() ) + derr( "only supported on Firewall config" ); + + if( get_class($object) == "VirtualSystem" ) + { + $string =" * delete VirtualSystem: " . $name; + PH::ACTIONlog( $context, $string ); + + if( $context->isAPI ) + { + $con = findConnectorOrDie($object); + $xpath = DH::elementToPanXPath($object->xmlroot); + + $con->sendDeleteRequest($xpath); + } + + $pan->removeVirtualSystem($object); + } + } +); + +DeviceCallContext::$supportedActions['SharedGateway-delete'] = array( + 'name' => 'sharedgateway-delete', + 'MainFunction' => function (DeviceCallContext $context) { + + $object = $context->object; + $name = $object->name(); + + $pan = $context->subSystem; + if( !$pan->isFirewall() ) + derr( "only supported on Firewall config" ); + + if( get_class($object) == "VirtualSystem" ) + { + $string =" * delete SharedGateway: " . 
$name; + PH::ACTIONlog( $context, $string ); + + if( $context->isAPI ) + { + $con = findConnectorOrDie($object); + $xpath = DH::elementToPanXPath($object->xmlroot); + + $con->sendDeleteRequest($xpath); + } + + $pan->removeSharedGateway($object); + } + } +); + +DeviceCallContext::$supportedActions['SharedGateway-migrate-to-vsys'] = array( + 'name' => 'sharedgateway-migrate-to-vsys', + 'MainFunction' => function (DeviceCallContext $context) { + + $object = $context->object; + $name = $object->name(); + + $pan = $context->subSystem; + if( !$pan->isFirewall() ) + derr( "only supported on Firewall config", null, false ); + if( get_class($object->owner) !== "SharedGatewayStore" ) + derr( "this is not a SharedGateway", null, false ); + + if( get_class($object) == "VirtualSystem" ) + { + $newVSYSname = $context->arguments['name']; + $vsys_number = str_replace( "vsys", "", $newVSYSname); + + $string =" * migrate SharedGateway: " . $name." to vsys: ".$newVSYSname; + PH::ACTIONlog( $context, $string ); + + $vsys = $pan->createVirtualSystem($vsys_number); + + $clone = $object->xmlroot->cloneNode(true); + + $clone->setAttribute("name", "vsys".$vsys_number); + + $vsys->xmlroot->parentNode->appendChild($clone); + $vsys->xmlroot->parentNode->removeChild($vsys->xmlroot); + + $object->owner->xmlroot->removeChild($object->xmlroot); + } + }, + 'args' => array( + 'name' => array('type' => 'string', 'default' => 'false'), + ), +); + + DeviceCallContext::$supportedActions['ManagedDevice-create'] = array( 'name' => 'manageddevice-create', 'MainFunction' => function (DeviceCallContext $context) { From 781a6b5f04b4a2177ff7b8579a35a84df913f519 Mon Sep 17 00:00:00 2001 
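Review bot: `SharedGateway-delete` only checks `get_class($object) == "VirtualSystem"`, which by this series also holds for ordinary virtual systems, and unlike `SharedGateway-migrate-to-vsys` it has no `get_class($object->owner) !== "SharedGatewayStore"` guard; run against a plain vsys in API mode it sends `sendDeleteRequest()` for that vsys's xpath and only then dies inside `removeSharedGateway()`. Adding the guard before the API call, `if( get_class($object->owner) !== "SharedGatewayStore" ) derr( "this is not a SharedGateway", null, false );`, keeps the destructive request from going out (the mirror check, owner is a SharedGatewayStore, would suit `VirtualSystem-delete`). In `SharedGateway-migrate-to-vsys` the `name` argument defaults to the string `'false'` and is used unchecked, so `str_replace()` hands "false" to `createVirtualSystem()`; `if( $newVSYSname === 'false' ) derr( "argument name=vsysX is required", null, false );` is needed before it. That action also has no `$context->isAPI` branch and leaves `$object` in `$pan->sharedGateways`, so in-memory state and an API target diverge from the XML it edits — presumably intended as file-mode only, which a comment should say.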
From: Sven Waschkut Date: Fri, 22 Sep 2023 19:19:43 +0200 Subject: [PATCH 11/35] type=static-route | introduction of new type= | with 'filter=(nexthop-ip is.set)' / (nexthop-vr is.set) / nexthop-interface is.set) / (destination ip4.includes-full 172.33.10.0/23) 'filter=(nexthop-ip is.set)' 'filter=(nexthop-vr is.set)' 'filter=(nexthop-interface is.set)' 'filter=(destination ip4.includes-full 172.33.10.0/23)' --- CHANGELOG.txt | 1 + lib/misc-classes/PH.php | 3 +- lib/misc-classes/RQuery.php | 3 + lib/misc-classes/StaticRouteRQueryContext.php | 11 +++ .../filters/filters-Static-Route.php | 92 +++++++++++++++++++ lib/network-classes/StaticRoute.php | 51 ++++++++++ lib/network-classes/VirtualRouter.php | 8 ++ lib/pan_php_framework.php | 1 + utils/common/StaticRouteCallContext.php | 45 +++++++++ utils/common/actions-routing.php | 34 ++----- utils/common/actions-static-route.php | 36 ++++++++ utils/common/actions.php | 6 +- utils/develop/ui/json_array.js | 89 ++++++++++++++++++ utils/lib/NETWORKUTIL.php | 12 ++- utils/lib/UTIL.php | 4 + utils/lib/util_action_filter.json | 89 ++++++++++++++++++ 16 files changed, 454 insertions(+), 31 deletions(-) create mode 100644 lib/misc-classes/StaticRouteRQueryContext.php create mode 100644 lib/misc-classes/filters/filters-Static-Route.php create mode 100644 utils/common/StaticRouteCallContext.php create mode 100644 utils/common/actions-static-route.php diff --git a/CHANGELOG.txt b/CHANGELOG.txt index 3b84f9b6..e8cfa88b 100644 --- a/CHANGELOG.txt +++ b/CHANGELOG.txt 
@@ -6,6 +6,7 @@ UTIL: * class PANConf / Panoramaconfg | implement method ChildDeviceGroups() for 'location=shared:excludemaindg' * type=gcp | introduce argument 'namespace=XYZ' to specify and better filter for get pods * type=device | introduce actions=virtualSystem-delete/sharedgateway-delete/sharedgateway-migrate-to-vsys +* type=static-route | introduction of new type= | with 'filter=(nexthop-ip is.set)' / (nexthop-vr is.set) / nexthop-interface is.set) / (destination ip4.includes-full 172.33.10.0/23) BUGFIX: * class PANConf|VirtualSystem | bugfix to support SharedGateway also for Tag objects correctly diff --git a/lib/misc-classes/PH.php b/lib/misc-classes/PH.php index c24fe4f3..ef3ba93a 100644 --- a/lib/misc-classes/PH.php +++ b/lib/misc-classes/PH.php @@ -942,7 +942,7 @@ public static function UTILdeprecated( $type, $argv, $argc, $PHP_FILE) "address", "service", "tag", "schedule", "application", "threat", "rule", "device", "securityprofile", "securityprofilegroup", - "zone", "interface", "virtualwire", "routing", "dhcp", "certificate", + "zone", "interface", "virtualwire", "routing", "dhcp", "certificate", "static-route", "key-manager", "address-merger", "addressgroup-merger", "service-merger", "servicegroup-merger", @@ -1036,6 +1036,7 @@ public static function callPANOSPHP( $type, $argv, $argc, $PHP_FILE, $_supported || $type == "virtualwire" || $type == "dhcp" || $type == "certificate" + || $type == "static-route" ) $util = new NETWORKUTIL($type, $argv, $argc,$PHP_FILE." type=".$type, $_supportedArguments, $_usageMsg, $projectfolder); diff --git a/lib/misc-classes/RQuery.php b/lib/misc-classes/RQuery.php index 88cbc1f1..499812db 100644 --- a/lib/misc-classes/RQuery.php +++ b/lib/misc-classes/RQuery.php 
@@ -107,6 +107,8 @@ public function __construct($objectType, $level = 0) $this->contextObject = new DHCPRQueryContext($this); elseif( $this->objectType == 'certificate' ) $this->contextObject = new CertificateRQueryContext($this); + elseif( $this->objectType == 'static-route' ) + $this->contextObject = new StaticRouteRQueryContext($this); else derr("unsupported object type '$objectType'"); } @@ -693,5 +695,6 @@ public function toString() require_once 'filters/filters-Device.php'; require_once 'filters/filters-DHCP.php'; require_once 'filters/filters-Certificate.php'; +require_once 'filters/filters-Static-Route.php'; diff --git a/lib/misc-classes/StaticRouteRQueryContext.php b/lib/misc-classes/StaticRouteRQueryContext.php new file mode 100644 index 00000000..de7412db --- /dev/null +++ b/lib/misc-classes/StaticRouteRQueryContext.php 
@@ -0,0 +1,11 @@ + + +RQuery::$defaultFilters['static-route']['name']['operators']['eq'] = Array( + 'Function' => function(StaticRouteRQueryContext $context ) + { + return $context->object->name() == $context->value; + }, + 'arg' => true, + 'ci' => Array( + 'fString' => '(%PROP% ethernet1/1)', + 'input' => 'input/panorama-8.0.xml' + ) +); + + +RQuery::$defaultFilters['static-route']['nexthop-ip']['operators']['is.set'] = Array( + 'Function' => function(StaticRouteRQueryContext $context ) + { + return $context->object->nexthopIP() !== null; + }, + 'arg' => false, + 'ci' => Array( + 'fString' => '(%PROP% ethernet1/1)', + 'input' => 'input/panorama-8.0.xml' + ) +); + +RQuery::$defaultFilters['static-route']['nexthop-vr']['operators']['is.set'] = Array( + 'Function' => function(StaticRouteRQueryContext $context ) + { + return $context->object->nexthopVR() !== null; + }, + 'arg' => false, + 'ci' => Array( + 'fString' => '(%PROP% ethernet1/1)', + 'input' => 'input/panorama-8.0.xml' + ) +); + +RQuery::$defaultFilters['static-route']['nexthop-interface']['operators']['is.set'] = Array( + 'Function' => function(StaticRouteRQueryContext $context ) + { + return $context->object->nexthopInterface() !== null; + }, + 'arg' => false, + 'ci' => Array( + 'fString' => '(%PROP% ethernet1/1)', + 'input' => 'input/panorama-8.0.xml' + ) +); + +RQuery::$defaultFilters['static-route']['destination']['operators']['ip4.includes-full'] = array( + 'Function' => function (StaticRouteRQueryContext $context) { + $object = $context->object; + + + if( $context->value === "RFC1918" ) + { + $values = array(); + $values[] = "10.0.0.0/8"; + $values[] = "172.16.0.0/12"; + $values[] = "192.168.0.0/16"; + } + else + $values = explode(',', $context->value); + + $mapping = new IP4Map(); + + $count = 0; + foreach( $values as $net ) + { + $net = trim($net); + if( strlen($net) < 1 ) + derr("empty network/IP name provided for argument #$count"); + $mapping->addMap(IP4Map::mapFromText($net)); + $count++; + } + 
+ if( $mapping->includedInOtherMap($object->destinationIP4Map()) == 1 ) + return true; + + return false; + }, + 'arg' => TRUE, + 'ci' => array( + 'fString' => '(%PROP% 1.1.1.1)', + 'input' => 'input/panorama-8.0.xml' + ) +); +// \ No newline at end of file diff --git a/lib/network-classes/StaticRoute.php b/lib/network-classes/StaticRoute.php index 37087380..227f0180 100644 --- a/lib/network-classes/StaticRoute.php +++ b/lib/network-classes/StaticRoute.php @@ -194,6 +194,14 @@ public function destinationIPMapping() return cidr::stringToStartEnd($this->_destination); } + /** + * @return IP4Map + */ + public function destinationIP4Map() + { + return IP4Map::mapFromText($this->_destination); + } + public function nexthopIP() { return $this->_nexthopIP; 
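Review bot: The `name eq` operator at the top of this file compares with loose `==`, so two numeric-looking route names (PHP treats `'1e2' == '100'` as true) would match each other; `return $context->object->name() === $context->value;` avoids the numeric-string coercion. The three `is.set` operators declare `'arg' => false` yet carry the CI sample `'(%PROP% ethernet1/1)'`, which passes an argument the operator does not take and looks copied from an interface filter, so their `fString` entries should be rewritten without an argument. In the `ip4.includes-full` loop `$count` starts at 0, so the first empty entry is reported as `argument #0`; starting the counter at 1 or incrementing before the `derr()` call matches the numbering a user expects.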
@@ -239,4 +247,47 @@ public function rewriteInterface_XML() DH::createOrResetElement($this->xmlroot, 'interface', $this->_interface->name()); } + + public function display($virtualRouter, $includingName = false) + { + $text = ""; + + if( $includingName ) + $text .= " - '" . PH::boldText($this->name())."'".str_pad(" ", 30 - strlen($this->name()) ); + else + $text .= " "; + + $tmpArray[$this->name()]['name'] = $this->name(); + + $text .= " - DEST: " . str_pad($this->destination(), 20); + $tmpArray[$this->name()]['destination'] = $this->destination(); + + if( $this->nexthopIP() !== null ) + { + $text .= " - NEXTHOP: " . str_pad($this->nexthopIP(), 20); + $tmpArray[$this->name()]['nexthop'] = $this->nexthopIP(); + } + else + $text .= str_pad( " ", 30 ); + + if( $this->nexthopInterface() != null ) + { + $text .= "\n - NEXT INTERFACE: " . str_pad($this->nexthopInterface()->toString(), 20); + $tmpArray[$this->name()]['nexthopinterface'] = $this->nexthopInterface()->name(); + } + + if( $this->nexthopVR() != null ) + { + $text .= " - NEXT VR: " . str_pad($this->nexthopVR(), 20); + $tmpArray[$this->name()]['nexthopvr'] = $this->nexthopVR(); + } + + + if( $includingName ) + PH::$JSON_TMP['sub']['object'][$virtualRouter->name()]['staticroute'] = $tmpArray; + else + PH::$JSON_TMP['sub']['object'] = $tmpArray; + + return $text; + } } \ No newline at end of file diff --git a/lib/network-classes/VirtualRouter.php b/lib/network-classes/VirtualRouter.php index 0b604c91..dc44e7de 100644 --- a/lib/network-classes/VirtualRouter.php +++ b/lib/network-classes/VirtualRouter.php @@ -149,6 +149,14 @@ public function staticRoutes() return $this->_staticRoutes; } + /** + * @return int + */ + public function count() + { + return count($this->_staticRoutes); + } + public function addstaticRoute($staticRoute, $version = 'ip') { if( !is_object($staticRoute) ) diff --git a/lib/pan_php_framework.php b/lib/pan_php_framework.php index d848d2d8..3aeda9af 100644 --- a/lib/pan_php_framework.php 
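Review bot: In display(), the `else PH::$JSON_TMP['sub']['object'] = $tmpArray;` branch replaces the whole `['sub']['object']` subtree, so the `name`/`type` entries that the display action in actions-static-route.php writes just before calling `display( $staticRoute->owner )` are discarded; merging instead of replacing, e.g. `foreach( $tmpArray as $k => $v ) PH::$JSON_TMP['sub']['object'][$k] = $v;`, keeps both. `$tmpArray` is never initialised before `$tmpArray[$this->name()]['name'] = ...` and relies on implicit array creation; add `$tmpArray = array();` at the top of the method. The null checks mix `!== null` for nexthopIP() with `!= null` for nexthopInterface() and nexthopVR(); the loose form also treats an empty-string value as unset, so `!== null` throughout is the safer and consistent choice.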
+++ b/lib/pan_php_framework.php @@ -184,6 +184,7 @@ function my_shutdown() require_once $basedir . '/misc-classes/DHCPRQueryContext.php'; require_once $basedir . '/misc-classes/CertificateRQueryContext.php'; +require_once $basedir . '/misc-classes/StaticRouteRQueryContext.php'; require_once $basedir . '/misc-classes/CsvParser.php'; require_once $basedir . '/misc-classes/trait/PanSubHelperTrait.php'; diff --git a/utils/common/StaticRouteCallContext.php b/utils/common/StaticRouteCallContext.php new file mode 100644 index 00000000..ecac0a72 --- /dev/null +++ b/utils/common/StaticRouteCallContext.php 
@@ -0,0 +1,45 @@ + 'display', 'MainFunction' => function ( RoutingCallContext $context ) { - $object = $context->object; - PH::print_stdout(" * ".get_class($object)." '{$object->name()}'" ); - PH::$JSON_TMP['sub']['object'][$object->name()]['name'] = $object->name(); - PH::$JSON_TMP['sub']['object'][$object->name()]['type'] = get_class($object); + $virtualRouter = $context->object; + PH::print_stdout(" * ".get_class($virtualRouter)." '{$virtualRouter->name()}'" ); + PH::$JSON_TMP['sub']['object'][$virtualRouter->name()]['name'] = $virtualRouter->name(); + PH::$JSON_TMP['sub']['object'][$virtualRouter->name()]['type'] = get_class($virtualRouter); - foreach( $object->staticRoutes() as $staticRoute ) + foreach( $virtualRouter->staticRoutes() as $staticRoute ) { - PH::print_stdout(); - $text = ""; - $text .= " - NAME: " . str_pad($staticRoute->name(), 20); - PH::$JSON_TMP['sub']['object'][$object->name()]['staticroute'][$staticRoute->name()]['name'] = $staticRoute->name(); - - $text .= " - DEST: " . str_pad($staticRoute->destination(), 20); - PH::$JSON_TMP['sub']['object'][$object->name()]['staticroute'][$staticRoute->name()]['destination'] = $staticRoute->destination(); - - if( $staticRoute->nexthopIP() !== null ) - { - $text .= " - NEXTHOP: " . str_pad($staticRoute->nexthopIP(), 20); - PH::$JSON_TMP['sub']['object'][$object->name()]['staticroute'][$staticRoute->name()]['nexthop'] = $staticRoute->nexthopIP(); - } - - if( $staticRoute->nexthopInterface() != null ) - { - $text .= "\n - NEXT INTERFACE: " . str_pad($staticRoute->nexthopInterface()->toString(), 20); - PH::$JSON_TMP['sub']['object'][$object->name()]['staticroute'][$staticRoute->name()]['nexthopinterface'] = $staticRoute->nexthopInterface()->name(); - } - + $text = $staticRoute->display( $virtualRouter, true ); PH::print_stdout( $text ); } - - PH::print_stdout( "- - - - - - - - - - - - - - - -" ); - PH::print_stdout(); PH::print_stdout(); }, 
diff --git a/utils/common/actions-static-route.php b/utils/common/actions-static-route.php new file mode 100644 index 00000000..e6e310bc --- /dev/null +++ b/utils/common/actions-static-route.php @@ -0,0 +1,36 @@ + 'display', + 'MainFunction' => function ( StaticRouteCallContext $context ) + { + $staticRoute = $context->object; + PH::print_stdout(" * ".get_class($staticRoute)." '{$staticRoute->name()}'" ); + PH::$JSON_TMP['sub']['object'][$staticRoute->owner->name()]['name'] = $staticRoute->name(); + PH::$JSON_TMP['sub']['object'][$staticRoute->owner->name()]['type'] = get_class($staticRoute); + + $text = $staticRoute->display( $staticRoute->owner ); + PH::print_stdout( $text ); + }, +); + diff --git a/utils/common/actions.php b/utils/common/actions.php index 5d0f4fea..75327b4b 100644 --- a/utils/common/actions.php +++ b/utils/common/actions.php @@ -95,4 +95,8 @@ require_once ( "CertificateCallContext.php"); require_once "actions-certificate.php"; -CertificateCallContext::prepareSupportedActions(); \ No newline at end of file +CertificateCallContext::prepareSupportedActions(); + +require_once ( "StaticRouteCallContext.php"); +require_once "actions-static-route.php"; +StaticRouteCallContext::prepareSupportedActions(); \ No newline at end of file diff --git a/utils/develop/ui/json_array.js b/utils/develop/ui/json_array.js index 32dc3701..90e11133 100644 --- a/utils/develop/ui/json_array.js +++ b/utils/develop/ui/json_array.js @@ -42,6 +42,22 @@ var subjectObject = } } }, + "combine-addressgroups": { + "name": "combine-addressgroups", + "GlobalInitFunction": {}, + "MainFunction": {}, + "GlobalFinishFunction": {}, + "args": { + "new_addressgroup_name": { + "type": "string", + "default": "*nodefault*" + }, + "replace_groups": { + "type": "bool", + "default": false + } + } + }, "create-address": { "name": "create-address", "MainFunction": {}, 
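Review bot: The display action stores `['name']` and `['type']` under `PH::$JSON_TMP['sub']['object'][$staticRoute->owner->name()]`, i.e. keyed by the virtual router rather than the route, so every route of the same router writes into one slot and only the last survives; keying by `$staticRoute->name()` gives one entry per processed object, which is what the other `display` actions in this tree produce. Since the `type` written there is `get_class($staticRoute)`, this looks like a copy of the VirtualRouter display code where the owner was the object itself. The call `$staticRoute->display( $staticRoute->owner )` that follows then assigns `PH::$JSON_TMP['sub']['object']` as a whole, so the JSON output of this action should be checked end to end rather than per line.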
@@ -572,6 +588,14 @@ var subjectObject = "is.in.file": { "Function": {}, "arg": true + }, + "same.as.region.predefined": { + "Function": {}, + "arg": false, + "ci": { + "fString": "(%PROP% new test 1)", + "input": "input\/panorama-8.0.xml" + } } } }, @@ -878,6 +902,15 @@ var subjectObject = "fString": "(%PROP% \/grp\/)", "input": "input\/panorama-8.0.xml" } + }, + "is.set": { + "Function": {}, + "arg": false, + "argObjectFinder": "$objectFind=null;\n$objectFind=$object->tags->parentCentralStore->find('!value!');", + "ci": { + "fString": "(%PROP% grp.shared-group1)", + "input": "input\/panorama-8.0.xml" + } } } }, @@ -1331,6 +1364,34 @@ var subjectObject = } }, "filter": { + "name": { + "operators": { + "eq": { + "Function": {}, + "arg": true, + "ci": { + "fString": "(%PROP% new test 1)", + "input": "input\/panorama-8.0.xml" + } + }, + "eq.nocase": { + "Function": {}, + "arg": true, + "ci": { + "fString": "(%PROP% new test 2)", + "input": "input\/panorama-8.0.xml" + } + }, + "contains": { + "Function": {}, + "arg": true, + "ci": { + "fString": "(%PROP% -)", + "input": "input\/panorama-8.0.xml" + } + } + } + }, "publickey-algorithm": { "operators": { "is.rsa": { @@ -1739,6 +1800,20 @@ var subjectObject = } } }, + "sharedgateway-delete": { + "name": "sharedgateway-delete", + "MainFunction": {} + }, + "sharedgateway-migrate-to-vsys": { + "name": "sharedgateway-migrate-to-vsys", + "MainFunction": {}, + "args": { + "name": { + "type": "string", + "default": "false" + } + } + }, "sp_spg-create-alert-only-bp": { "name": "sp_spg-create-alert-only-bp", "GlobalInitFunction": {}, @@ -1835,6 +1910,10 @@ var subjectObject = "name": "template-delete", "MainFunction": {} }, + "virtualsystem-delete": { + "name": "virtualsystem-delete", + "MainFunction": {} + }, "xml-extract": { "name": "xml-extract", "GlobalInitFunction": {}, 
@@ -7009,6 +7088,16 @@ var subjectObject = "action": [], "filter": [] }, + "static-route": { + "name": "static-route", + "action": { + "display": { + "name": "display", + "MainFunction": {} + } + }, + "filter": [] + }, "stats": { "name": "stats", "action": [], diff --git a/utils/lib/NETWORKUTIL.php b/utils/lib/NETWORKUTIL.php index 9d56db00..35f6e251 100644 --- a/utils/lib/NETWORKUTIL.php +++ b/utils/lib/NETWORKUTIL.php @@ -83,6 +83,12 @@ public function location_filter_object() { $this->objectsToProcess[] = Array('store' => $this->pan->certificateStore, 'objects' => $this->pan->certificateStore->getAll()); } + elseif( $this->utilType == 'static-route' ) + { + foreach($this->pan->network->virtualRouterStore->getAll() as $vr ) + $this->objectsToProcess[] = Array('store' => $vr, 'objects' => $vr->staticRoutes()); + } + $locationFound = TRUE; @@ -201,7 +207,11 @@ public function location_filter_object() { $this->objectsToProcess[] = Array('store' => $template->certificateStore, 'objects' => $template->certificateStore->getAll()); } - + elseif( $this->utilType == 'static-route' ) + { + foreach($template->deviceConfiguration->network->virtualRouterStore->getAll() as $vr ) + $this->objectsToProcess[] = Array('store' => $vr, 'objects' => $vr->staticRoutes()); + } $locationFound = true; } diff --git a/utils/lib/UTIL.php b/utils/lib/UTIL.php index d3640826..74572232 100644 --- a/utils/lib/UTIL.php +++ b/utils/lib/UTIL.php @@ -428,6 +428,8 @@ public function supportedActions() $tmp_array = &DHCPCallContext::$supportedActions; elseif( $this->utilType == 'certificate' ) $tmp_array = &CertificateCallContext::$supportedActions; + elseif( $this->utilType == 'static-route' ) + $tmp_array = &StaticRouteCallContext::$supportedActions; return $tmp_array; } 
@@ -1203,6 +1205,8 @@ public function extracting_actions( $utilType = null) $context = new DHCPCallContext($tmp_array[$actionName], $explodedAction[1], $this->nestedQueries, $this); elseif( $this->utilType == 'certificate' ) $context = new CertificateCallContext($tmp_array[$actionName], $explodedAction[1], $this->nestedQueries, $this); + elseif( $this->utilType == 'static-route' ) + $context = new StaticRouteCallContext($tmp_array[$actionName], $explodedAction[1], $this->nestedQueries, $this); $context->baseObject = $this->pan; if( isset($this->configInput['type']) ) diff --git a/utils/lib/util_action_filter.json b/utils/lib/util_action_filter.json index 621b8dac..55ecd7e7 100644 --- a/utils/lib/util_action_filter.json +++ b/utils/lib/util_action_filter.json @@ -41,6 +41,22 @@ } } }, + "combine-addressgroups": { + "name": "combine-addressgroups", + "GlobalInitFunction": {}, + "MainFunction": {}, + "GlobalFinishFunction": {}, + "args": { + "new_addressgroup_name": { + "type": "string", + "default": "*nodefault*" + }, + "replace_groups": { + "type": "bool", + "default": false + } + } + }, "create-address": { "name": "create-address", "MainFunction": {}, @@ -571,6 +587,14 @@ "is.in.file": { "Function": {}, "arg": true + }, + "same.as.region.predefined": { + "Function": {}, + "arg": false, + "ci": { + "fString": "(%PROP% new test 1)", + "input": "input\/panorama-8.0.xml" + } } } }, @@ -877,6 +901,15 @@ "fString": "(%PROP% \/grp\/)", "input": "input\/panorama-8.0.xml" } + }, + "is.set": { + "Function": {}, + "arg": false, + "argObjectFinder": "$objectFind=null;\n$objectFind=$object->tags->parentCentralStore->find('!value!');", + "ci": { + "fString": "(%PROP% grp.shared-group1)", + "input": "input\/panorama-8.0.xml" + } } } }, 
@@ -1330,6 +1363,34 @@ } }, "filter": { + "name": { + "operators": { + "eq": { + "Function": {}, + "arg": true, + "ci": { + "fString": "(%PROP% new test 1)", + "input": "input\/panorama-8.0.xml" + } + }, + "eq.nocase": { + "Function": {}, + "arg": true, + "ci": { + "fString": "(%PROP% new test 2)", + "input": "input\/panorama-8.0.xml" + } + }, + "contains": { + "Function": {}, + "arg": true, + "ci": { + "fString": "(%PROP% -)", + "input": "input\/panorama-8.0.xml" + } + } + } + }, "publickey-algorithm": { "operators": { "is.rsa": { @@ -1738,6 +1799,20 @@ } } }, + "sharedgateway-delete": { + "name": "sharedgateway-delete", + "MainFunction": {} + }, + "sharedgateway-migrate-to-vsys": { + "name": "sharedgateway-migrate-to-vsys", + "MainFunction": {}, + "args": { + "name": { + "type": "string", + "default": "false" + } + } + }, "sp_spg-create-alert-only-bp": { "name": "sp_spg-create-alert-only-bp", "GlobalInitFunction": {}, @@ -1834,6 +1909,10 @@ "name": "template-delete", "MainFunction": {} }, + "virtualsystem-delete": { + "name": "virtualsystem-delete", + "MainFunction": {} + }, "xml-extract": { "name": "xml-extract", "GlobalInitFunction": {}, @@ -7008,6 +7087,16 @@ "action": [], "filter": [] }, + "static-route": { + "name": "static-route", + "action": { + "display": { + "name": "display", + "MainFunction": {} + } + }, + "filter": [] + }, "stats": { "name": "stats", "action": [], From b009382d4abd18a5e2efb6ed177e6c5cd0106080 Mon Sep 17 00:00:00 2001 From: Sven Waschkut Date: Fri, 22 Sep 2023 19:48:39 +0200 Subject: [PATCH 12/35] type=static-route actions=delete | introduce new action --- CHANGELOG.txt | 1 + lib/misc-classes/filters/filters-Static-Route.php | 11 +++++++++++ lib/network-classes/StaticRoute.php | 5 +++++ lib/network-classes/VirtualRouter.php | 7 ++++++- utils/common/StaticRouteCallContext.php | 2 +- utils/common/actions-static-route.php | 7 +++++++ 6 files changed, 31 insertions(+), 2 deletions(-) 
diff --git a/CHANGELOG.txt b/CHANGELOG.txt index e8cfa88b..d63a516b 100644 --- a/CHANGELOG.txt +++ b/CHANGELOG.txt @@ -7,6 +7,7 @@ UTIL: * type=gcp | introduce argument 'namespace=XYZ' to specify and better filter for get pods * type=device | introduce actions=virtualSystem-delete/sharedgateway-delete/sharedgateway-migrate-to-vsys * type=static-route | introduction of new type= | with 'filter=(nexthop-ip is.set)' / (nexthop-vr is.set) / nexthop-interface is.set) / (destination ip4.includes-full 172.33.10.0/23) +* type=static-route actions=delete | introduce new action BUGFIX: * class PANConf|VirtualSystem | bugfix to support SharedGateway also for Tag objects correctly diff --git a/lib/misc-classes/filters/filters-Static-Route.php b/lib/misc-classes/filters/filters-Static-Route.php index a614f52e..9dbcdc9d 100644 --- a/lib/misc-classes/filters/filters-Static-Route.php +++ b/lib/misc-classes/filters/filters-Static-Route.php @@ -14,6 +14,17 @@ ) ); +RQuery::$defaultFilters['static-route']['virtualrouter-name']['operators']['eq'] = Array( + 'Function' => function(StaticRouteRQueryContext $context ) + { + return $context->object->owner->name() == $context->value; + }, + 'arg' => true, + 'ci' => Array( + 'fString' => '(%PROP% ethernet1/1)', + 'input' => 'input/panorama-8.0.xml' + ) +); RQuery::$defaultFilters['static-route']['nexthop-ip']['operators']['is.set'] = Array( 'Function' => function(StaticRouteRQueryContext $context ) diff --git a/lib/network-classes/StaticRoute.php b/lib/network-classes/StaticRoute.php index 227f0180..27f7b322 100644 --- a/lib/network-classes/StaticRoute.php +++ b/lib/network-classes/StaticRoute.php @@ -170,6 +170,11 @@ function create_staticroute_from_variables( $routename, $destination, $nexthop, return $tmpRoute; } + function remove() + { + $this->owner->removeStaticRoute($this, true); + } + /** * @return string */ diff --git a/lib/network-classes/VirtualRouter.php b/lib/network-classes/VirtualRouter.php index dc44e7de..be4428b5 100644 
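Review bot: `virtualrouter-name eq` reuses the CI sample `'(%PROP% ethernet1/1)'`, which is an interface name, not a virtual-router name, so the CI run cannot exercise a positive match; the `fString` should name a virtual router that exists in the referenced sample input. The comparison `$context->object->owner->name() == $context->value` is loose; `===` avoids numeric-string coercion for names that happen to look numeric, consistent with what a strict name match is meant to do.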
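Review bot: `remove()` drops the return value of `removeStaticRoute()`, which according to the VirtualRouter hunk in this same patch returns FALSE with a warning when the route is not part of the store, so callers such as the new `delete` action cannot tell whether anything was removed; `return $this->owner->removeStaticRoute($this, true);` preserves that signal. The method also has no visibility keyword while the neighbouring methods are declared `public`, and `$cleanInMemory` is hard-wired to `true`; `public function remove($cleanInMemory = TRUE)` would mirror the store's own signature.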
--- a/lib/network-classes/VirtualRouter.php +++ b/lib/network-classes/VirtualRouter.php @@ -85,6 +85,11 @@ public function load_from_domxml($xml) $newRoute = new StaticRoute('***tmp**', $this); $newRoute->load_from_xml($node->item($i)); $this->_staticRoutes[] = $newRoute; + + $ser = spl_object_hash($newRoute); + + $this->fastMemToIndex[$ser] = $newRoute; + $this->fastNameToIndex[$newRoute->name()] = $newRoute; } } } @@ -225,7 +230,7 @@ public function removeStaticRoute($staticRoute, $cleanInMemory = FALSE) if( !isset($this->fastNameToIndex[$staticRoute->name()]) ) { - mdeb('Tried to remove an object that is not part of this store'); + mwarning('Tried to remove an object that is not part of this store', null, false); return FALSE; } diff --git a/utils/common/StaticRouteCallContext.php b/utils/common/StaticRouteCallContext.php index ecac0a72..80447eb3 100644 --- a/utils/common/StaticRouteCallContext.php +++ b/utils/common/StaticRouteCallContext.php @@ -21,7 +21,7 @@ class StaticRouteCallContext extends CallContext { - /** @var Routing */ + /** @var StaticRoute */ public $object; diff --git a/utils/common/actions-static-route.php b/utils/common/actions-static-route.php index e6e310bc..41a75957 100644 --- a/utils/common/actions-static-route.php +++ b/utils/common/actions-static-route.php @@ -34,3 +34,10 @@ }, ); +StaticRouteCallContext::$supportedActions['delete'] = Array( + 'name' => 'delete', + 'MainFunction' => function ( StaticRouteCallContext $context ) + { + $context->object->remove(); + }, +); From f1133330ee7dda886e1e402eef3207e783950d74 Mon Sep 17 00:00:00 2001 From: Sven Waschkut Date: Fri, 22 Sep 2023 19:50:43 +0200 Subject: [PATCH 13/35] Class AddressStore/ServiceStore/IPSecCryptoProfileStore - replce mdeb() with mwarning() --- lib/network-classes/IPSecCryptoProfileStore.php | 2 +- lib/object-classes/AddressStore.php | 2 +- lib/object-classes/ServiceStore.php | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) 
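Review bot: In load_from_domxml(), `$this->fastNameToIndex[$newRoute->name()] = $newRoute;` overwrites silently when two `<entry>` nodes carry the same name, so the earlier route stays in `_staticRoutes` but name-based lookups only ever see the one loaded last. Checking `isset($this->fastNameToIndex[$newRoute->name()])` before the assignment and calling `mwarning()` (as `removeStaticRoute()` now does for its own error case) makes such a malformed configuration visible instead of hiding it. Whether addstaticRoute() maintains the same two indexes is outside this hunk; the two load paths should be checked for consistency.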
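Review bot: The new `delete` action calls `$context->object->remove()` unconditionally, with no `$context->isAPI` branch, whereas the other actions in this series switch to an `API_*` variant in API mode (for example `API_removeZone` in actions-rule.php); as written, an `actions=delete` run in API mode would presumably alter only the loaded configuration without the change reaching the device, and nothing tells the user so. Until StaticRoute has an API removal path, the action should at least refuse API mode, e.g. `if( $context->isAPI ) derr("delete is not supported in API mode yet");`, and report a FALSE result from the underlying removal through `PH::ACTIONstatus()` rather than discarding it.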
diff --git a/lib/network-classes/IPSecCryptoProfileStore.php b/lib/network-classes/IPSecCryptoProfileStore.php index 8f3632ea..806b4f50 100644 --- a/lib/network-classes/IPSecCryptoProfileStore.php +++ b/lib/network-classes/IPSecCryptoProfileStore.php @@ -137,7 +137,7 @@ public function remove($s, $cleanInMemory = FALSE) if( !isset($this->_all[$objectName]) ) { - mdeb('Tried to remove an object that is not part of this store'); + mwarning('Tried to remove an object that is not part of this store', null, false); return FALSE; } diff --git a/lib/object-classes/AddressStore.php b/lib/object-classes/AddressStore.php index 3eb1c86b..f7ecaf8a 100644 --- a/lib/object-classes/AddressStore.php +++ b/lib/object-classes/AddressStore.php @@ -645,7 +645,7 @@ public function remove($s, $cleanInMemory = FALSE) if( !isset($this->_all[$objectName]) ) { - mdeb('Tried to remove an object that is not part of this store'); + mwarning('Tried to remove an object that is not part of this store', null, false); return FALSE; } diff --git a/lib/object-classes/ServiceStore.php b/lib/object-classes/ServiceStore.php index ae0e9166..c8d12497 100644 --- a/lib/object-classes/ServiceStore.php +++ b/lib/object-classes/ServiceStore.php @@ -460,7 +460,7 @@ public function remove($s, $cleanInMemory = FALSE) if( !isset($this->_all[$objectName]) ) { - mdeb('Tried to remove an object that is not part of this store'); + mwarning('Tried to remove an object that is not part of this store', null, false); return FALSE; } From be13190f224cfa49ed0ec3b3b260f202e4da4ea7 Mon Sep 17 00:00:00 2001 From: Sven Waschkut Date: Fri, 22 Sep 2023 21:16:28 +0200 Subject: [PATCH 14/35] type=xml-issue | bugfix to display read-only DeviceGroup duplicate address-group definition correctly in summary --- CHANGELOG.txt | 1 + utils/lib/XMLISSUE.php | 6 +++++- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.txt b/CHANGELOG.txt index d63a516b..41a62536 100644 --- a/CHANGELOG.txt +++ b/CHANGELOG.txt 
@@ -11,6 +11,7 @@ UTIL: BUGFIX: * class PANConf|VirtualSystem | bugfix to support SharedGateway also for Tag objects correctly +* type=xml-issue | bugfix to display read-only DeviceGroup duplicate address-group fixes correctly in summary GENERAL: * Class VirtualSystem/SharedGatewayStore | better handling of version variable diff --git a/utils/lib/XMLISSUE.php b/utils/lib/XMLISSUE.php index 99892cab..0118eaaa 100644 --- a/utils/lib/XMLISSUE.php +++ b/utils/lib/XMLISSUE.php @@ -157,6 +157,7 @@ public function main() $countMissconfiguredSecRuleServiceAppDefaultObjects = 0; $fixedReadOnlyDeviceGroupobjects=0; + $fixedReadOnlyAddressGroupobjects=0; $fixedReadOnlyTemplateobjects=0; $fixedReadOnlyTemplateStackobjects=0; @@ -1452,7 +1453,7 @@ public function main() ///config/readonly/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='mn053-mnr-int']/address-group /// /// - PH::print_stdout( " - Scanning for /config/readonly/devices/entry[@name='localhost.localdomain']/device-group/ for duplicate address-group ..."); + PH::print_stdout( " - Scanning for /config/readonly/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='".$locationName."'] for duplicate address-group ..."); $tmpReadOnly = DH::findXPath("/config/readonly/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='".$locationName."']", $this->xmlDoc); $readOnly = array(); @@ -1485,6 +1486,7 @@ public function main() $readonlyAddressgroups->removeChild($objectAddressGroup); $text .= PH::boldText(" (removed)"); PH::print_stdout($text); + $fixedReadOnlyAddressGroupobjects++; } else $readonlyDGAddressgroups[$objectAddressGroupName] = $objectAddressGroup; @@ -1595,6 +1597,7 @@ public function main() $readonlyAddressgroups->removeChild($objectAddressGroup); $text .=PH::boldText(" (removed)"); PH::print_stdout($text); + $fixedReadOnlyAddressGroupobjects++; } else $readonlyDGAddressgroups[$objectAddressGroupName] = $objectAddressGroup; 
@@ -1755,6 +1758,7 @@ public function main() PH::print_stdout( " - FIXED: SecRule with duplicate category members: {$fixedSecRuleCategoryObjects}"); PH::print_stdout( " - FIXED: SecRule with duplicate tag members: {$fixedSecRuleTagObjects}"); + PH::print_stdout( "\n - FIXED: ReadOnly duplicate AddressGroup : {$fixedReadOnlyAddressGroupobjects}"); PH::print_stdout( "\n - FIXED: ReadOnly duplicate DeviceGroup : {$fixedReadOnlyDeviceGroupobjects}"); PH::print_stdout( "\n - FIXED: ReadOnly duplicate Template : {$fixedReadOnlyTemplateobjects}"); PH::print_stdout( " - FIXED: ReadOnly duplicate TemplateStack : {$fixedReadOnlyTemplateStackobjects}"); From 85d6da48ae9b412f58a9f8c9fc8b64a1b4b78932 Mon Sep 17 00:00:00 2001 From: Sven Waschkut Date: Mon, 25 Sep 2023 09:10:39 +0200 Subject: [PATCH 15/35] type=address-merger | bugfix - do not merger address objects if tag count of planned merged object exceeds PAN-OS limit of 64 tag members --- CHANGELOG.txt | 1 + lib/object-classes/Address.php | 1 + utils/lib/MERGER.php | 23 ++++++++++++++++++++++- 3 files changed, 24 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.txt b/CHANGELOG.txt index 41a62536..ff601625 100644 --- a/CHANGELOG.txt +++ b/CHANGELOG.txt @@ -12,6 +12,7 @@ UTIL: BUGFIX: * class PANConf|VirtualSystem | bugfix to support SharedGateway also for Tag objects correctly * type=xml-issue | bugfix to display read-only DeviceGroup duplicate address-group fixes correctly in summary +* type=address-merger | bugfix - do not merger address objects if tag count of planned merged object exceeds PAN-OS limit of 64 tag members GENERAL: * Class VirtualSystem/SharedGatewayStore | better handling of version variable diff --git a/lib/object-classes/Address.php b/lib/object-classes/Address.php index 909ab6a8..2f5d5263 100644 --- a/lib/object-classes/Address.php +++ b/lib/object-classes/Address.php 
@@ -37,6 +37,7 @@ class Address /** @var TagRuleContainer */ public $tags; + public $tagLimit = 64; const TypeTmp = 0; const TypeIpNetmask = 1; diff --git a/utils/lib/MERGER.php b/utils/lib/MERGER.php index ac9454f5..5b553895 100644 --- a/utils/lib/MERGER.php +++ b/utils/lib/MERGER.php @@ -276,7 +276,7 @@ function merger_location_array($utilType, $objectsLocation, $pan) if( !$pan->isFawkes() && !$pan->isBuckbeak() ) { $objectsLocations = $objectsLocation; - print "location count: ".count($objectsLocations); + #print "location count: ".count($objectsLocations); foreach( $objectsLocations as $key => $objectsLocation ) { if( $objectsLocation == "shared" ) @@ -1706,6 +1706,13 @@ function address_merging() continue; } + if( $object->tags->count() + $tmp_address->tags->count() > $object->tagLimit ) + { + PH::print_stdout(" - SKIP: tag count of name '{$tmp_address->_PANC_shortName()}' [with value '{$tmp_address->value()}'] added with object name from upperlevel '{$object->_PANC_shortName()}' [with value '{$object->value()}'] exceed PAN-OS limit ".$object->tagLimit); + $this->skippedObject( $index, $object, $tmp_address); + continue; + } + PH::print_stdout(" - replacing '{$object->_PANC_shortName()}' ..."); $success = true; if( $this->action === "merge" ) @@ -1785,6 +1792,13 @@ function address_merging() continue; } + if( $pickedObject->tags->count() + $ancestor->tags->count() > $pickedObject->tagLimit ) + { + PH::print_stdout(" - SKIP: tag count of name '{$ancestor->_PANC_shortName()}' [with value '{$ancestor->value()}'] added with object name from upperlevel '{$pickedObject->_PANC_shortName()}' [with value '{$pickedObject->value()}'] exceed PAN-OS limit ".$pickedObject->tagLimit); + $this->skippedObject( $index, $pickedObject, $ancestor); + continue; + } + if( $this->action === "merge" ) $object->merge_tag_description_to($ancestor, $this->apiMode); 
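Review bot: `public $tagLimit = 64;` models a fixed PAN-OS platform limit as a public, mutable per-instance property, so any caller can change it and every Address object carries its own copy; a class constant beside the existing `const TypeTmp = 0;` lines, e.g. `const TagLimit = 64;`, read as `Address::TagLimit` in MERGER.php, is the conventional form and makes the value read-only. If the limit is meant to vary by PAN-OS version it belongs on the configuration object rather than on each address.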
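Review bot: The guard `$object->tags->count() + $tmp_address->tags->count() > $object->tagLimit` adds the two tag counts, but the merge produces their union, so a tag present on both objects is counted twice and a merge that would end well under the limit can be skipped; the identical check is repeated in the `-1785` hunk below and in the `-1864` hunk that follows. Counting the distinct tags across both containers before comparing (how depends on TagRuleContainer's API, which is not visible here) and moving the check into one private helper on MERGER removes both the over-count and the triplication. The skip message says `exceed PAN-OS limit`; `exceeds` is the intended word. The `#print "location count: ..."` line in the `-276` hunk is commented-out debug output and should simply be deleted.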
@@ -1864,6 +1878,13 @@ function address_merging() if( $pickedObject->isType_TMP() ) continue; + if( $object->tags->count() + $pickedObject->tags->count() > $object->tagLimit ) + { + PH::print_stdout(" - SKIP: tag count of name '{$pickedObject->_PANC_shortName()}' [with value '{$pickedObject->value()}'] added with object name from upperlevel '{$object->_PANC_shortName()}' [with value '{$object->value()}'] exceed PAN-OS limit ".$object->tagLimit); + $this->skippedObject( $index, $object, $pickedObject); + continue; + } + PH::print_stdout(" - replacing '{$object->_PANC_shortName()}' ..."); PH::print_stdout(" - deleting '{$object->_PANC_shortName()}'"); From d139f29a98608ea145ad52b652a40b58f77ba4f5 Mon Sep 17 00:00:00 2001 From: Sven Waschkut Date: Mon, 25 Sep 2023 16:26:18 +0200 Subject: [PATCH 16/35] type=rule | introduce actions=from-/to-remove-from-file:FILE.txt --- CHANGELOG.txt | 1 + utils/common/RuleCallContext.php | 1 + utils/common/actions-rule.php | 138 +++++++++++++++++++++++++++++++ 3 files changed, 140 insertions(+) diff --git a/CHANGELOG.txt b/CHANGELOG.txt index ff601625..7745c374 100644 --- a/CHANGELOG.txt +++ b/CHANGELOG.txt @@ -8,6 +8,7 @@ UTIL: * type=device | introduce actions=virtualSystem-delete/sharedgateway-delete/sharedgateway-migrate-to-vsys * type=static-route | introduction of new type= | with 'filter=(nexthop-ip is.set)' / (nexthop-vr is.set) / nexthop-interface is.set) / (destination ip4.includes-full 172.33.10.0/23) * type=static-route actions=delete | introduce new action +* type=rule | introduce actions=from-/to-remove-from-file:FILE.txt BUGFIX: * class PANConf|VirtualSystem | bugfix to support SharedGateway also for Tag objects correctly diff --git a/utils/common/RuleCallContext.php b/utils/common/RuleCallContext.php index 3b27e6d3..439b3695 100644 --- a/utils/common/RuleCallContext.php +++ b/utils/common/RuleCallContext.php 
@@ -27,6 +27,7 @@ class RuleCallContext extends CallContext public $fields; public $ruleList; + public $cachedList; static public function prepareSupportedActions() { diff --git a/utils/common/actions-rule.php b/utils/common/actions-rule.php index 4aa01a62..4cf5107a 100644 --- a/utils/common/actions-rule.php +++ b/utils/common/actions-rule.php 
@@ -707,6 +707,75 @@ }, 'args' => array('zoneName' => array('type' => 'string', 'default' => '*nodefault*')), ); +RuleCallContext::$supportedActions[] = array( + 'name' => 'from-Remove-from-file', + 'section' => 'zone', + 'MainFunction' => function (RuleCallContext $context) { + $rule = $context->object; + if( $rule->isDefaultSecurityRule() ) + { + $string = "DefaultSecurityRule - action not supported"; + PH::ACTIONstatus( $context, "SKIPPED", $string ); + return; + } + if( $rule->isDoSRule() && $rule->isZoneBasedTo() ) + { + $string = "TO is Zone based, not supported yet."; + PH::ACTIONstatus( $context, "SKIPPED", $string ); + return; + } + if( $rule->isPbfRule() ) + { + $string = "there is no TO in PBF Rules."; + PH::ACTIONstatus( $context, "SKIPPED", $string ); + return; + } + + + //open file + //per line do: + if( !isset($context->cachedList) ) + { + $text = file_get_contents($context->arguments['fileName']); + + if( $text === FALSE ) + derr("cannot open file '{$context->arguments['fileName']}"); + + $lines = explode("\n", $text); + foreach( $lines as $line ) + { + $line = trim($line); + if( strlen($line) == 0 ) + continue; + $list[$line] = TRUE; + } + + $context->cachedList = &$list; + } + else + $list = &$context->cachedList; + foreach( $list as $zone => $truefalse ) + { + if( !$rule->from->hasZone($zone) ) + { + $string = "no zone with requested name was found"; + PH::ACTIONstatus( $context, "SKIPPED", $string ); + return; + } + + $objectFind = $rule->from->parentCentralStore->find($zone); + if( $objectFind === null ) + derr("zone named '{$zone}' not found"); + + if( $context->isAPI ) + $rule->to->API_removeZone($objectFind); + else + $rule->to->removeZone($objectFind); + } + + }, + 'args' => array('fileName' => array('type' => 'string', 'default' => '*nodefault*')), +); RuleCallContext::$supportedActions[] = array( 'name' => 'from-Remove-Force-Any', 'section' => 'zone', 
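Review bot: `from-Remove-from-file` removes zones from the wrong side: after resolving the name via `$rule->from->parentCentralStore`, the loop calls `$rule->to->API_removeZone($objectFind)` / `$rule->to->removeZone($objectFind)`, so a FROM zone listed in the file is never removed and a TO zone of the same name is; both calls should target `$rule->from`, and the DoS/PBF guards with their "TO" messages are copied from the to- action as well. `$list` is never initialised, so an empty or whitespace-only file leaves `$context->cachedList` bound to an undefined variable and the `foreach` warns; add `$list = array();` before the line loop. The message in `derr("cannot open file '{$context->arguments['fileName']}")` is missing its closing quote. The `$list` initialisation and the quote apply to `to-Remove-from-file` in the next hunk too, and the `$rule->to` calls in this loop are left unchanged by the following `Update actions-rule.php` patch.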
@@ -891,6 +960,75 @@ }, 'args' => array('zoneName' => array('type' => 'string', 'default' => '*nodefault*')), ); +RuleCallContext::$supportedActions[] = array( + 'name' => 'to-Remove-from-file', + 'section' => 'zone', + 'MainFunction' => function (RuleCallContext $context) { + $rule = $context->object; + if( $rule->isDefaultSecurityRule() ) + { + $string = "DefaultSecurityRule - action not supported"; + PH::ACTIONstatus( $context, "SKIPPED", $string ); + return; + } + if( $rule->isDoSRule() && $rule->isZoneBasedTo() ) + { + $string = "TO is Zone based, not supported yet."; + PH::ACTIONstatus( $context, "SKIPPED", $string ); + return; + } + if( $rule->isPbfRule() ) + { + $string = "there is no TO in PBF Rules."; + PH::ACTIONstatus( $context, "SKIPPED", $string ); + return; + } + + + //open file + //per line do: + if( !isset($context->cachedList) ) + { + $text = file_get_contents($context->arguments['fileName']); + + if( $text === FALSE ) + derr("cannot open file '{$context->arguments['fileName']}"); + + $lines = explode("\n", $text); + foreach( $lines as $line ) + { + $line = trim($line); + if( strlen($line) == 0 ) + continue; + $list[$line] = TRUE; + } + + $context->cachedList = &$list; + } + else + $list = &$context->cachedList; + foreach( $list as $zone => $truefalse ) + { + if( !$rule->to->hasZone($zone) ) + { + $string = "no zone with requested name was found"; + PH::ACTIONstatus( $context, "SKIPPED", $string ); + return; + } + + $objectFind = $rule->from->parentCentralStore->find($zone); + if( $objectFind === null ) + derr("zone named '{$zone}' not found"); + + if( $context->isAPI ) + $rule->to->API_removeZone($objectFind); + else + $rule->to->removeZone($objectFind); + } + + }, + 'args' => array('fileName' => array('type' => 'string', 'default' => '*nodefault*')), +); RuleCallContext::$supportedActions[] = array( 'name' => 'to-Remove-Force-Any', 'section' => 'zone', From 7088aed5fe30d4d488283f8cf3f54ca25c9dd745 Mon Sep 17 00:00:00 2001 
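Review bot: `to-Remove-from-file` resolves the zone through `$rule->from->parentCentralStore->find($zone)` although every other access in this action is on `$rule->to`; if both containers share one zone store this is harmless, otherwise it should be `$rule->to->parentCentralStore->find($zone)` so the symmetry with the `to->hasZone()` check above it is explicit. In both new actions the error string `"cannot open file '{$context->arguments['fileName']}"` is missing its closing quote. The loop value `$truefalse` is never read; `foreach( array_keys($list) as $zone )` says what the loop is really iterating over.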
From: Sven Waschkut Date: Mon, 25 Sep 2023 16:46:04 +0200 Subject: [PATCH 17/35] Update actions-rule.php --- utils/common/actions-rule.php | 24 ++++++++++++++++++------ 1 file changed, 18 insertions(+), 6 deletions(-) diff --git a/utils/common/actions-rule.php b/utils/common/actions-rule.php index 4cf5107a..f706fc14 100644 --- a/utils/common/actions-rule.php +++ b/utils/common/actions-rule.php @@ -756,16 +756,22 @@ $list = &$context->cachedList; foreach( $list as $zone => $truefalse ) { + /* if( !$rule->from->hasZone($zone) ) { - $string = "no zone with requested name was found"; + $string = "no zone with requested name '".$zone."' was found"; PH::ACTIONstatus( $context, "SKIPPED", $string ); - return; + continue; } + */ $objectFind = $rule->from->parentCentralStore->find($zone); if( $objectFind === null ) - derr("zone named '{$zone}' not found"); + { + mwarning("zone named '{$zone}' not found"); + continue; + } + if( $context->isAPI ) $rule->to->API_removeZone($objectFind); @@ -1009,16 +1015,22 @@ $list = &$context->cachedList; foreach( $list as $zone => $truefalse ) { + /* if( !$rule->to->hasZone($zone) ) { - $string = "no zone with requested name was found"; + $string = "no zone with requested name '".$zone."' was found"; PH::ACTIONstatus( $context, "SKIPPED", $string ); - return; + continue; } + */ $objectFind = $rule->from->parentCentralStore->find($zone); if( $objectFind === null ) - derr("zone named '{$zone}' not found"); + { + mwarning("zone named '{$zone}' not found"); + continue; + } + if( $context->isAPI ) $rule->to->API_removeZone($objectFind); From fd5ce317f7e0d63080667e10c2970f8fa470266b Mon Sep 17 00:00:00 2001 
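Review bot: Both hunks disable the `hasZone()` pre-check by wrapping it in `/* ... */` instead of deleting it, and even edit the message inside the dead block (`"no zone with requested name '".$zone."' was found"`); commented-out code that nobody can reach should be removed, the history is in git. With the pre-check gone, a zone name from the file that the rule does not use now reaches `removeZone()` directly; whether that is a silent no-op or produces an error depends on the zone container, which is not visible here, so a one-line comment such as `// removeZone() is expected to ignore zones the rule does not contain` would record the assumption. The enclosing action closures start and end outside these hunks.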
From: Sven Waschkut Date: Mon, 25 Sep 2023 22:17:21 +0200 Subject: [PATCH 18/35] type=address-merger | bugfix for removing tag objects from upper level, if adr merged objects are using them and tag is also available at address level --- CHANGELOG.txt | 1 + lib/container-classes/ObjRuleContainer.php | 5 ++++ lib/object-classes/Address.php | 31 +++------------------- 3 files changed, 10 insertions(+), 27 deletions(-) diff --git a/CHANGELOG.txt b/CHANGELOG.txt index 7745c374..46502c6d 100644 --- a/CHANGELOG.txt +++ b/CHANGELOG.txt @@ -14,6 +14,7 @@ BUGFIX: * class PANConf|VirtualSystem | bugfix to support SharedGateway also for Tag objects correctly * type=xml-issue | bugfix to display read-only DeviceGroup duplicate address-group fixes correctly in summary * type=address-merger | bugfix - do not merger address objects if tag count of planned merged object exceeds PAN-OS limit of 64 tag members +* type=address-merger | bugfix for removing tag objects from upper level, if adr merged objects are using them and tag is also available at address level GENERAL: * Class VirtualSystem/SharedGatewayStore | better handling of version variable diff --git a/lib/container-classes/ObjRuleContainer.php b/lib/container-classes/ObjRuleContainer.php index 6623bab7..0cb11de9 100644 --- a/lib/container-classes/ObjRuleContainer.php +++ b/lib/container-classes/ObjRuleContainer.php @@ -115,6 +115,10 @@ public function getFastHashComp() protected function has($obj, $caseSensitive = TRUE) { + $tmpObj = $obj; + if( !is_string($obj) ) + $obj = $obj->name(); + if( is_string($obj) ) { if( !$caseSensitive ) @@ -138,6 +142,7 @@ protected function has($obj, $caseSensitive = TRUE) return FALSE; } + $obj = $tmpObj; foreach( $this->o as $o ) { if( $o === $obj ) diff --git a/lib/object-classes/Address.php b/lib/object-classes/Address.php index 2f5d5263..9f60036f 100644 --- a/lib/object-classes/Address.php +++ b/lib/object-classes/Address.php 
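Review bot: After the change to `ObjRuleContainer::has()`, every non-string argument is turned into its name and takes the `is_string($obj)` branch, and judging from the `return FALSE; }` context at the top of the second hunk that branch always returns, so the identity loop after `$obj = $tmpObj;` can no longer be reached for any input. Either delete that loop or make the name branch fall through when nothing matched, so the reader is not left with two lookup strategies of which only one runs. `$obj->name()` is also now called on anything that is not a string, so a null or scalar argument that previously just yielded FALSE becomes a fatal error; `if( !is_string($obj) && is_object($obj) )` keeps the old tolerance. Since `has()` now answers by name rather than identity for objects, the method docblock should say so, because callers that used it to detect the same instance get a different answer. The middle of `has()` lies between the two hunks.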
@@ -704,13 +704,7 @@ public function merge_tag_description_to( $pickedObject, $apiMode = false ) if( $tag !== $newTag) { $tag->replaceMeGlobally($newTag); - - if( get_class($tag->owner->owner) !== "PanoramaConf" ) - { - $tagDG_childDGS = $tag->owner->owner->childDeviceGroups(TRUE); - if( !in_array($newTag->owner->owner->name(), $tagDG_childDGS) ) - $tag->owner->API_removeTag($tag); - } + #$tag->owner->API_removeTag($tag); } } else @@ -720,26 +714,9 @@ public function merge_tag_description_to( $pickedObject, $apiMode = false ) if( $tag !== $newTag) { $tag->replaceMeGlobally($newTag); - if( $tag->owner !== null ) - { - /* - if( $upperLevelTag === null ) - { - PH::print_stdout( " - delete old tag from: ".$tag->owner->_PANC_shortName() ); - $tag->owner->removeTag($tag); - }*/ - if( get_class($tag->owner->owner) !== "PanoramaConf" ) - { - $tagDG_childDGS = $tag->owner->owner->childDeviceGroups(true); - if( !in_array( $newTag->owner->owner->name(), $tagDG_childDGS ) ) - { - //do not delete TAG if TAG is from upperlevel DG and newtag is from childDG - PH::print_stdout( " - delete old tag from: ".$tag->owner->_PANC_shortName() ); - $tag->owner->removeTag($tag); - } - } - - } + + #if( $tag->owner !== null ) + # $tag->owner->removeTag($tag); } } } From 59a7f034a6fc8e20da2ae14492b03425321882e9 Mon Sep 17 00:00:00 2001 
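Review bot: In both hunks of `merge_tag_description_to()` the removal of the superseded tag is replaced by commented-out code (`#$tag->owner->API_removeTag($tag);` and `#if( $tag->owner !== null ) # $tag->owner->removeTag($tag);`), so after `replaceMeGlobally($newTag)` the old tag object stays in its store with no references. If keeping it is the intended fix for the upper-level device-group case named in the commit title, a comment should say why the cleanup is skipped, e.g. `// the old tag is left in place: it may be defined at an upper level and still be used by objects outside this merge`, and the dead lines removed; if it is only a temporary measure, the cleanup should be made conditional rather than dropped entirely. The function continues beyond both hunks.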
From: Sven Waschkut Date: Tue, 26 Sep 2023 12:35:43 +0200 Subject: [PATCH 19/35] type=XYZ | introduce new arguments: shadow-loadreduce - to not update TAG object related address-groups | debugloadtime - display load time for specific XML sections --- CHANGELOG.txt | 1 + lib/container-classes/TagRuleContainer.php | 29 +++-- lib/device-and-system-classes/DeviceGroup.php | 31 ++++- lib/device-and-system-classes/PANConf.php | 25 +++- .../PanoramaConf.php | 25 +++- lib/misc-classes/PH.php | 23 ++++ lib/object-classes/AddressGroup.php | 115 +++++++++--------- utils/lib/CONFIGSIZE.php | 7 +- utils/lib/UTIL.php | 18 ++- 9 files changed, 190 insertions(+), 84 deletions(-) diff --git a/CHANGELOG.txt b/CHANGELOG.txt index 46502c6d..bbe3a4d4 100644 --- a/CHANGELOG.txt +++ b/CHANGELOG.txt @@ -9,6 +9,7 @@ UTIL: * type=static-route | introduction of new type= | with 'filter=(nexthop-ip is.set)' / (nexthop-vr is.set) / nexthop-interface is.set) / (destination ip4.includes-full 172.33.10.0/23) * type=static-route actions=delete | introduce new action * type=rule | introduce actions=from-/to-remove-from-file:FILE.txt +* type=XYZ | introduce new arguments: shadow-loadreduce - to not update TAG object related address-groups | debugloadtime - display load time for specific XML sections BUGFIX: * class PANConf|VirtualSystem | bugfix to support SharedGateway also for Tag objects correctly diff --git a/lib/container-classes/TagRuleContainer.php b/lib/container-classes/TagRuleContainer.php index 05cef47f..9ef4e5b7 100644 --- a/lib/container-classes/TagRuleContainer.php +++ b/lib/container-classes/TagRuleContainer.php 
@@ -211,21 +211,24 @@ public function load_from_domxml($xml) $f = $this->parentCentralStore->findOrCreate($node->textContent, $this); $this->o[] = $f; - //$f TAG -> if $f has reference of dynamic addressgroup, also add dynamic Addressgroup as reference to $this - $refClass = get_class($this->owner); - if( $refClass == "Address" || $refClass == "AddressGroup" ) - foreach( $f->refrules as $ref ) - { - #PH::print_stdout( ' - ' . $ref->toString() ); - $refClass = get_class($ref); - #PH::print_stdout( "refclass: " . $refClass ); - if( $refClass == 'AddressGroup' ) + if( !PH::$shadow_loadreduce ) + { + //$f TAG -> if $f has reference of dynamic addressgroup, also add dynamic Addressgroup as reference to $this + $refClass = get_class($this->owner); + if( $refClass == "Address" || $refClass == "AddressGroup" ) + foreach( $f->refrules as $ref ) { - /** @var AddressGroup $ref */ - if( $ref->isDynamic() ) - $this->owner->addReference($ref); + #PH::print_stdout( ' - ' . $ref->toString() ); + $refClass = get_class($ref); + #PH::print_stdout( "refclass: " . $refClass ); + if( $refClass == 'AddressGroup' ) + { + /** @var AddressGroup $ref */ + if( $ref->isDynamic() ) + $this->owner->addReference($ref); + } } - } + } } } diff --git a/lib/device-and-system-classes/DeviceGroup.php b/lib/device-and-system-classes/DeviceGroup.php index 3170c8a1..701e26f1 100644 --- a/lib/device-and-system-classes/DeviceGroup.php +++ b/lib/device-and-system-classes/DeviceGroup.php @@ -319,7 +319,7 @@ public function load_from_templateXml() * !! Should not be used outside of a PanoramaConf constructor. !! * @param DOMElement $xml */ - public function load_from_domxml($xml) + public function load_from_domxml($xml, $debugLoadTime = false) { $this->xmlroot = $xml; @@ -328,6 +328,8 @@ public function load_from_domxml($xml) if( $this->name === FALSE ) derr("VirtualSystem name not found\n"); + if( $debugLoadTime ) + PH::print_DEBUG_loadtime("tag"); // // Extract Tag objects // 
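Review bot: With `PH::$shadow_loadreduce` set, `TagRuleContainer::load_from_domxml()` no longer registers dynamic address groups as references on the tag's owner, and the AddressGroup.php hunk of this commit (`load_from_domxml`, `if( !PH::$shadow_loadreduce )`) likewise skips tag references and member resolution for dynamic groups. Any action that later relies on `refrules`, reference counts or DAG membership then works on an incomplete object graph, and nothing in the code records that. A comment at the flag's declaration in PH.php, such as `// shadow-loadreduce: tag<->DAG references and DAG members are not resolved; do not combine with actions that inspect references or modify tags`, would make the trade-off visible to the next maintainer.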
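Review bot: The pair `if( $debugLoadTime ) PH::print_DEBUG_loadtime("...");` is repeated at every section of `DeviceGroup::load_from_domxml()` in this and the following hunks, and again in the PANConf.php and PanoramaConf.php hunks of the same commit. Since `print_DEBUG_loadtime()` lives in PH, where the argument is already reachable as `PH::$args['debugloadtime']`, moving the guard into the helper would reduce each call site to one line and remove the need to thread `$debugLoadTime` through every `load_from_domxml` signature. If the parameter is kept, it should at least be typed and documented in the method docblock, e.g. `@param bool $debugLoadTime print a timestamp before each config section`.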
@@ -340,6 +342,8 @@ public function load_from_domxml($xml) // End of Tag objects extraction + if( $debugLoadTime ) + PH::print_DEBUG_loadtime("region"); // // Extract region objects // @@ -349,6 +353,8 @@ public function load_from_domxml($xml) //print "VSYS '".$this->name."' address objectsloaded\n" ; // End of address objects extraction + if( $debugLoadTime ) + PH::print_DEBUG_loadtime("address"); // // Extract address objects // @@ -358,6 +364,8 @@ public function load_from_domxml($xml) // End of address objects extraction + if( $debugLoadTime ) + PH::print_DEBUG_loadtime("address-group"); // // Extract address groups in this DV // @@ -367,7 +375,8 @@ public function load_from_domxml($xml) // End of address groups extraction - + if( $debugLoadTime ) + PH::print_DEBUG_loadtime("service"); // // // Extract service objects in this VirtualSystem // // // @@ -377,6 +386,8 @@ public function load_from_domxml($xml) // End of extraction + if( $debugLoadTime ) + PH::print_DEBUG_loadtime("service-group"); // // // Extract service groups in this VirtualSystem // // // @@ -385,6 +396,8 @@ public function load_from_domxml($xml) $this->serviceStore->load_servicegroups_from_domxml($tmp); // End of extraction + if( $debugLoadTime ) + PH::print_DEBUG_loadtime("application"); // // Extract application // @@ -393,6 +406,8 @@ public function load_from_domxml($xml) $this->appStore->load_application_custom_from_domxml($tmp); // End of application extraction + if( $debugLoadTime ) + PH::print_DEBUG_loadtime("application-filter"); // // Extract application filter // @@ -401,6 +416,8 @@ public function load_from_domxml($xml) $this->appStore->load_application_filter_from_domxml($tmp); // End of application filter groups extraction + if( $debugLoadTime ) + PH::print_DEBUG_loadtime("application-group"); // // Extract application groups // 
@@ -410,6 +427,8 @@ public function load_from_domxml($xml) // End of application groups extraction + if( $debugLoadTime ) + PH::print_DEBUG_loadtime("profiles"); // Extract SecurityProfiles objects // $this->securityProfilebaseroot = DH::findFirstElement('profiles', $xml); @@ -576,6 +595,8 @@ public function load_from_domxml($xml) } + if( $debugLoadTime ) + PH::print_DEBUG_loadtime("profile-group"); // // Extract SecurityProfile groups in this DV // @@ -585,6 +606,8 @@ public function load_from_domxml($xml) // End of address groups extraction + if( $debugLoadTime ) + PH::print_DEBUG_loadtime("schedule"); // // Extract schedule objects // @@ -594,6 +617,8 @@ public function load_from_domxml($xml) // End of address groups extraction + if( $debugLoadTime ) + PH::print_DEBUG_loadtime("pre-/post-rulebase"); // // Extracting policies // @@ -972,6 +997,8 @@ public function load_from_domxml($xml) } } + if( $debugLoadTime ) + PH::print_DEBUG_loadtime("nestedPointOfView"); $this->addressStore->nestedPointOfView(); $this->serviceStore->nestedPointOfView(); $this->tagStore->nestedPointOfView(); diff --git a/lib/device-and-system-classes/PANConf.php b/lib/device-and-system-classes/PANConf.php index c6884a58..b071de70 100644 --- a/lib/device-and-system-classes/PANConf.php +++ b/lib/device-and-system-classes/PANConf.php @@ -271,7 +271,7 @@ public function load_from_xmlstring(&$xml) * @param $xml DOMElement|DOMDocument * @throws Exception */ - public function load_from_domxml($xml) + public function load_from_domxml($xml, $debugLoadTime = false) { if( $xml->nodeType == XML_DOCUMENT_NODE ) 
@@ -287,14 +287,13 @@ public function load_from_domxml($xml) #$tmp_doc = DH::findFirstElementOrDie('config', $tmp_root); $dom = new DOMDocument(); - $domNode = $dom->importNode( $xml, true ); + $domNode = $dom->importNode($xml, TRUE); - $dom->appendChild( $domNode ); + $dom->appendChild($domNode); $this->xmldoc = $dom; } - if( $this->owner !== null ) { $this->version = $this->owner->owner->version; @@ -346,6 +345,9 @@ public function load_from_domxml($xml) if( $this->owner === null ) { + if( $debugLoadTime ) + PH::print_DEBUG_loadtime("shared"); + $this->sharedroot = DH::findFirstElementOrDie('shared', $this->xmlroot); // // Extract Tag objects @@ -363,7 +365,7 @@ public function load_from_domxml($xml) // Extract region objects // $tmp = DH::findFirstElement('region', $xml); - if( $tmp !== false ) + if( $tmp !== FALSE ) $this->addressStore->load_regions_from_domxml($tmp); //print "VSYS '".$this->name."' address objectsloaded\n" ; // End of address objects extraction @@ -584,7 +586,11 @@ public function load_from_domxml($xml) // $tmp = DH::findFirstElement('network', $this->localhostroot); if( $tmp !== FALSE ) + { + if( $debugLoadTime ) + PH::print_DEBUG_loadtime("network"); $this->network->load_from_domxml($tmp); + } // // Now listing and extracting all VirtualSystem configurations @@ -613,6 +619,9 @@ public function load_from_domxml($xml) else $localVsys = new VirtualSystem($this); + if( $debugLoadTime ) + PH::print_DEBUG_loadtime("vsys"); + $localVsys->load_from_domxml($node); $this->virtualSystems[] = $localVsys; @@ -659,7 +668,7 @@ public function load_from_domxml($xml) if( $timezone ) { $this->timezone = $timezone->textContent; - date_default_timezone_set( $timezone->textContent ); + date_default_timezone_set($timezone->textContent); } } } 
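Review bot: In the `@@ -613` hunk the new timing call is placed before `$localVsys->load_from_domxml($node);`, but `$debugLoadTime` is not passed on, and VirtualSystem.php is not in this commit's diffstat, so per-section timings exist for device groups (PanoramaConf passes the flag to `DeviceGroup::load_from_domxml`) but not for vsys. If that is deliberate, a short comment at the call would help; otherwise VirtualSystem should receive the same parameter. The rest of this hunk only changes whitespace and `false` to `FALSE`.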
@@ -671,7 +680,11 @@ public function load_from_domxml($xml) // $tmp = DH::findFirstElement('network', $this->localhostroot); if( $tmp !== FALSE ) + { + if( $debugLoadTime ) + PH::print_DEBUG_loadtime("network part 2"); $this->network->load_from_domxml_2($tmp); + } // } diff --git a/lib/device-and-system-classes/PanoramaConf.php b/lib/device-and-system-classes/PanoramaConf.php index 903bc43b..557d89d3 100644 --- a/lib/device-and-system-classes/PanoramaConf.php +++ b/lib/device-and-system-classes/PanoramaConf.php @@ -373,7 +373,7 @@ public function load_from_xmlstring(&$xml) * @param DOMElement|DOMDocument $xml * @throws Exception */ - public function load_from_domxml($xml) + public function load_from_domxml($xml, $debugLoadTime = false) { if( $xml->nodeType == XML_DOCUMENT_NODE ) { @@ -402,6 +402,9 @@ public function load_from_domxml($xml) } + if( $debugLoadTime ) + PH::print_DEBUG_loadtime("mgt-config"); + $tmp = DH::findFirstElementOrCreate('mgt-config', $this->xmlroot); $tmp = DH::findFirstElement('devices', $tmp); if( $tmp !== false ) @@ -446,6 +449,9 @@ public function load_from_domxml($xml) $this->templatestackroot = DH::findFirstElementOrCreate('template-stack', $this->localhostroot); $this->logcollectorgrouproot = DH::findFirstElement('log-collector-group', $this->localhostroot); + + if( $debugLoadTime ) + PH::print_DEBUG_loadtime("shared objects"); // // Extract Tag objects // @@ -1066,6 +1072,8 @@ public function load_from_domxml($xml) // + if( $debugLoadTime ) + PH::print_DEBUG_loadtime("Template"); // // loading templates // @@ -1082,6 +1090,8 @@ public function load_from_domxml($xml) // end of Templates // + if( $debugLoadTime ) + PH::print_DEBUG_loadtime("TemplateStack"); // // loading templatestacks // @@ -1100,6 +1110,8 @@ public function load_from_domxml($xml) // end of Templates // + if( $debugLoadTime ) + PH::print_DEBUG_loadtime("DeviceGroup"); // // loading Device Groups now // 
@@ -1112,7 +1124,7 @@ public function load_from_domxml($xml) //PH::print_stdout( "Device Group '$lvname' found" ); $ldv = new DeviceGroup($this); - $ldv->load_from_domxml($node); + $ldv->load_from_domxml($node, $debugLoadTime); $this->deviceGroups[] = $ldv; } } @@ -1251,7 +1263,10 @@ public function load_from_domxml($xml) } } - $ldv->load_from_domxml($deviceGroupNodes[$dgName]); + if( $debugLoadTime ) + PH::print_DEBUG_loadtime("DeviceGroup - ".$dgName); + + $ldv->load_from_domxml($deviceGroupNodes[$dgName], $debugLoadTime); $this->deviceGroups[] = $ldv; } @@ -1261,6 +1276,8 @@ public function load_from_domxml($xml) // End of DeviceGroup loading // + if( $debugLoadTime ) + PH::print_DEBUG_loadtime("LogCollectorGroup"); // // loading LogCollectorGroup // @@ -1284,6 +1301,8 @@ public function load_from_domxml($xml) // + if( $debugLoadTime ) + PH::print_DEBUG_loadtime("Device config"); // // Extract setting related configs // diff --git a/lib/misc-classes/PH.php b/lib/misc-classes/PH.php index ef3ba93a..15b01870 100644 --- a/lib/misc-classes/PH.php +++ b/lib/misc-classes/PH.php @@ -131,6 +131,14 @@ function __construct($argv, $argc) $argc--; continue; } + elseif( $arg == 'shadow-loadreduce' ) + { + PH::$shadow_loadreduce = TRUE; + unset(PH::$argv[$argIndex]); + if( !isset( $_SERVER['REQUEST_METHOD'] ) ) + $argc--; + continue; + } } unset($argIndex); unset($arg); @@ -172,6 +180,8 @@ function __construct($argv, $argc) public static $shadow_displayxmlnode = FALSE; + public static $shadow_loadreduce = FALSE; + public static $JSON_OUT = array(); public static $JSON_TMP = array(); public static $JSON_OUTlog = ""; 
@@ -198,6 +208,8 @@ function __construct($argv, $argc) public static $license_user_encrypt_digest = "6gtYixyTgBf/lBfxPzor8hqI8cmrvtn06UskXAb5EWBhQHuJm7/0J9WfZbH8lk3AAWnUhpaG/NWlGdDevT5PMKPSQUawo4V2Tl8IbNB2Nnw="; public static $license_pw_encrypt__digest = "hdRb8p8a8vKDpuhdfDnDkDWaZRUthNCE0EDqZSBx2mNy+gqakPa74GJJAINJfC+HCZqtYs0ut/uxs1nOAcEXQlRqppEXuy+s1MNoMULt4DM="; + public static $loadStartTime; + public static $loadStartMem; static public function decrypt($ciphertext, $key) { @@ -685,6 +697,17 @@ static public function print_stdout( $text = "", $printArray = false, $arrayKey } + static public function print_DEBUG_loadtime( $type ) + { + $loadEndTime = microtime(TRUE); + $loadEndMem = memory_get_usage(TRUE); + $loadElapsedTime = number_format(($loadEndTime - PH::$loadStartTime), 2, '.', ''); + #$loadUsedMem = convert($loadEndMem - PH::$loadStartMem, PH::$loadArrayMem); + + PH::print_stdout( "debugLoadTime - start ". $type); + PH::print_stdout( "runtime: ".$loadElapsedTime ); + } + static public function ACTIONstatus( $context, $status, $string ) { PH::print_stdout( $context->padding . " *** ".$status." : ".$string ); diff --git a/lib/object-classes/AddressGroup.php b/lib/object-classes/AddressGroup.php index a2885e1c..c413cf12 100644 --- a/lib/object-classes/AddressGroup.php +++ b/lib/object-classes/AddressGroup.php 
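Review bot: `PH::$loadStartTime` is only assigned by `UTIL::loadStart()` (see the UTIL.php hunk of this commit), so if `print_DEBUG_loadtime()` runs in any path where `loadStart()` was not called, `$loadEndTime - PH::$loadStartTime` subtracts null and prints seconds since the epoch; guarding with `if( PH::$loadStartTime === null )` `PH::$loadStartTime = $loadEndTime;` at the top of the method avoids that. `$loadEndMem` is computed but never used and the memory line is commented out; either finish it or drop both. The output says `"debugLoadTime - start "` but the value printed is the time elapsed since load start, not the duration of the named section, so either label it as such or keep the previous timestamp in a static and print the delta.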
@@ -160,85 +160,88 @@ public function load_from_domxml($xml) $tmp_filter = DH::findFirstElement('filter', $tmp); $this->filter = $tmp_filter->nodeValue; - $patterns = array( "@'(.*?)'@", "@\"(.*?)\"@"); - $tagFilter = $this->filter; - - $memberName = trim( $tagFilter ); - - foreach( $patterns as $pattern) + if( !PH::$shadow_loadreduce ) { - $names = array(); + $patterns = array("@'(.*?)'@", "@\"(.*?)\"@"); + $tagFilter = $this->filter; - $is_match = preg_match_all($pattern, $tagFilter, $names); + $memberName = trim($tagFilter); - foreach( $names[1] as $key => $replaceTXT ) + foreach( $patterns as $pattern ) { - if( !empty($replaceTXT) ) - { - $replaceTXT2 = $replaceTXT; - TAG::replaceNamewith( $replaceTXT2 ); + $names = array(); - $pattern = $names[0][$key]; - $replacements = "(tag has " . $replaceTXT2 . ")"; + $is_match = preg_match_all($pattern, $tagFilter, $names); - $tagFilter = str_replace($pattern, $replacements, $tagFilter); - - $tag = $this->owner->owner->tagStore->find($replaceTXT); - if( $tag !== null ) + foreach( $names[1] as $key => $replaceTXT ) + { + if( !empty($replaceTXT) ) { - $tag->addReference($this); + $replaceTXT2 = $replaceTXT; + TAG::replaceNamewith($replaceTXT2); + + $pattern = $names[0][$key]; + $replacements = "(tag has " . $replaceTXT2 . ")"; + + $tagFilter = str_replace($pattern, $replacements, $tagFilter); + + $tag = $this->owner->owner->tagStore->find($replaceTXT); + if( $tag !== null ) + { + $tag->addReference($this); + } + else + { + #Todo: what if TAG is in parent tagStore? + #stop throwing WARNING - as it could be that DAG filter is not based on TAG, e.g. VMware info + #mwarning( "TAG not found: ".$test." - for DAG: '".$this->name()."' in location: ".$this->owner->owner->name(), null, false ); + } } else - { - #Todo: what if TAG is in parent tagStore? - #stop throwing WARNING - as it could be that DAG filter is not based on TAG, e.g. VMware info - #mwarning( "TAG not found: ".$test." 
- for DAG: '".$this->name()."' in location: ".$this->owner->owner->name(), null, false ); - } + mwarning("dynamic AddressGroup with name: " . $this->name() . " has an empty filter, you should review your XML config file", $this->xmlroot, FALSE, FALSE); } - else - mwarning("dynamic AddressGroup with name: " . $this->name() . " has an empty filter, you should review your XML config file", $this->xmlroot, false, false); } - } - if( !empty($tagFilter) && $tagFilter !== "(tag has )" ) - { - #print "|".$tagFilter."|\n"; - if( strpos( $tagFilter, '(tag has' ) === false ) + if( !empty($tagFilter) && $tagFilter !== "(tag has )" ) { - $tagFilter = "(tag has ".$tagFilter.")"; - } + #print "|".$tagFilter."|\n"; + if( strpos($tagFilter, '(tag has') === FALSE ) + { + $tagFilter = "(tag has " . $tagFilter . ")"; + } - $this->filter = $tagFilter; + $this->filter = $tagFilter; - $tmp_found_addresses = $this->owner->all($tagFilter); + $tmp_found_addresses = $this->owner->all($tagFilter); - $tmpParentStore = $this->owner->parentCentralStore; - while(true) - { - if( $tmpParentStore !== null ) + $tmpParentStore = $this->owner->parentCentralStore; + while( TRUE ) { - $tmp_found_addresses2 = $tmpParentStore->all($tagFilter); - $tmp_found_addresses = array_merge( $tmp_found_addresses, $tmp_found_addresses2 ); + if( $tmpParentStore !== null ) + { + $tmp_found_addresses2 = $tmpParentStore->all($tagFilter); + $tmp_found_addresses = array_merge($tmp_found_addresses, $tmp_found_addresses2); - if( $tmpParentStore->parentCentralStore != null ) - $tmpParentStore = $tmpParentStore->parentCentralStore; + if( $tmpParentStore->parentCentralStore != null ) + $tmpParentStore = $tmpParentStore->parentCentralStore; + else + break; + } else break; } - else - break; - } - foreach( $tmp_found_addresses as $address ) - { - if( $this->name() == $address->name() ) - { - mwarning("dynamic AddressGroup with name: " . $this->name() . 
" is added as subgroup to itself, you should review your XML config file", $this->xmlroot, false, false); - } - else + foreach( $tmp_found_addresses as $address ) { - $this->members[] = $address; - $address->addReference($this); + if( $this->name() == $address->name() ) + { + mwarning("dynamic AddressGroup with name: " . $this->name() . " is added as subgroup to itself, you should review your XML config file", $this->xmlroot, FALSE, FALSE); + } + else + { + $this->members[] = $address; + $address->addReference($this); + } } } } diff --git a/utils/lib/CONFIGSIZE.php b/utils/lib/CONFIGSIZE.php index e63e8451..1ffa91d7 100644 --- a/utils/lib/CONFIGSIZE.php +++ b/utils/lib/CONFIGSIZE.php @@ -97,9 +97,9 @@ public function main() $this->xmlDoc->preserveWhiteSpace = false; $this->xmlDoc->formatOutput = true; - - - $xml = &DH::dom_to_xml( $this->xmlDoc ); + //these are the default values + //$xml = &DH::dom_to_xml( $this->xmlDoc, $indentingXml = 0, $lineReturn = TRUE, -1, $indentingXmlIncreament = 1 ); + $xml = &DH::dom_to_xml( $this->xmlDoc); $xml_reduced = &DH::dom_to_xml( $this->xmlDoc, $this->indentingXml, $this->lineReturn, -1, $this->indentingXmlIncreament ); $len_xml = strlen( $xml ); 
@@ -148,6 +148,7 @@ public function supportedArguments() $this->supportedArguments['in'] = Array('niceName' => 'in', 'shortHelp' => 'input file or api. ie: in=config.xml or in=api://192.168.1.1 or in=api://0018CAEC3@panorama.company.com', 'argDesc' => '[filename]|[api://IP]|[api://serial@IP]'); $this->supportedArguments['out'] = Array('niceName' => 'out', 'shortHelp' => 'output file to save config after changes. Only required when input is a file. ie: out=save-config.xml', 'argDesc' => '[filename]'); $this->supportedArguments['debugapi'] = Array('niceName' => 'DebugAPI', 'shortHelp' => 'prints API calls when they happen'); + $this->supportedArguments['debugloadtime'] = array('niceName' => 'DebugLoadTime', 'shortHelp' => 'print LoadTime of specific config parts'); $this->supportedArguments['help'] = Array('niceName' => 'help', 'shortHelp' => 'this message'); $this->supportedArguments['location'] = Array('niceName' => 'Location', 'shortHelp' => 'specify if you want to limit your query to a VSYS/DG. By default location=shared for Panorama, =vsys1 for PANOS. ie: location=any or location=vsys2,vsys1', 'argDesc' => 'sub1[,sub2]'); $this->supportedArguments['minkilobyte'] = Array('niceName' => 'MinKilobyte', 'shortHelp' => 'the amount of kB, where script start displaying XML information', 'argDesc' => '1000'); diff --git a/utils/lib/UTIL.php b/utils/lib/UTIL.php index 74572232..13e71ed3 100644 --- a/utils/lib/UTIL.php +++ b/utils/lib/UTIL.php @@ -113,6 +113,7 @@ class UTIL public $objectsFilter = null; public $errorMessage = ''; public $debugAPI = FALSE; + public $debugLoadTime = FALSE; public $projectFolder = null; 
@@ -264,6 +265,7 @@ public function supportedArguments() $this->supportedArguments['stats'] = array('niceName' => 'Stats', 'shortHelp' => 'display stats after changes'); $this->supportedArguments['actions'] = array('niceName' => 'Actions', 'shortHelp' => 'action to apply on each rule matched by Filter. ie: actions=from-Add:net-Inside,netDMZ', 'argDesc' => 'action:arg1[,arg2]'); $this->supportedArguments['debugapi'] = array('niceName' => 'DebugAPI', 'shortHelp' => 'prints API calls when they happen'); + $this->supportedArguments['debugloadtime'] = array('niceName' => 'DebugLoadTime', 'shortHelp' => 'print LoadTime of specific config parts'); $this->supportedArguments['filter'] = array('niceName' => 'Filter', 'shortHelp' => "filters objects based on a query. ie: 'filter=((from has external) or (source has privateNet1) and (to has external))'", 'argDesc' => '(field operator [value])'); $this->supportedArguments['loadplugin'] = array('niceName' => 'loadPlugin', 'shortHelp' => 'a PHP file which contains a plugin to expand capabilities of this script', 'argDesc' => '[filename]'); $this->supportedArguments['help'] = array('niceName' => 'help', 'shortHelp' => 'this message'); @@ -857,6 +859,11 @@ public function inDebugapiArgument() $this->debugAPI = TRUE; } + if( isset(PH::$args['debugloadtime']) ) + { + $this->debugLoadTime = TRUE; + } + } public function inputValidation() @@ -1272,7 +1279,7 @@ public function load_config() $this->loadStart(); if( $this->configInput['type'] !== "sase-api" ) - $this->pan->load_from_domxml($this->xmlDoc, XML_PARSE_BIG_LINES); + $this->pan->load_from_domxml($this->xmlDoc, $this->debugLoadTime); if( isset(PH::$args['outputformatset']) ) { @@ -1368,6 +1375,9 @@ public function loadStart() { $this->loadStartMem = memory_get_usage(TRUE); $this->loadStartTime = microtime(TRUE); + + PH::$loadStartTime = $this->loadStartTime; + PH::$loadStartMem = $this->loadStartMem; } public function loadEnd() 
@@ -1969,6 +1979,12 @@ public function save_our_work($additional_output = FALSE, $printMessage = TRUE, $lineReturn = false; $indentingXml = -1; $indentingXmlIncreament = 0; + + //remove empty XML nodes + $xpath = new DOMXPath($this->pan->xmlroot->ownerDocument); + foreach( $xpath->query('//*[not(node())]') as $node ) + $node->parentNode->removeChild($node); + } From d12b250c9fafbae637868b5d8927b40b97d33ab8 Mon Sep 17 00:00:00 2001 From: Sven Waschkut Date: Tue, 26 Sep 2023 15:27:46 +0200 Subject: [PATCH 20/35] bugfix for argument 'location=shared:excludemaindg' on FW config file --- utils/lib/UTIL.php | 27 +++++++++++++++++++++++---- 1 file changed, 23 insertions(+), 4 deletions(-) diff --git a/utils/lib/UTIL.php b/utils/lib/UTIL.php index 13e71ed3..b6c72312 100644 --- a/utils/lib/UTIL.php +++ b/utils/lib/UTIL.php @@ -1433,11 +1433,30 @@ public function location_filter() $rootDG = $loc_explode[0]; $opt_argument = strtolower($loc_explode[1]); - $DG = $this->pan->findDeviceGroup( $rootDG ); - if( $DG === null ) - $this->locationNotFound($rootDG); + if( $this->configType == 'panos' ) + { + if( $rootDG == "shared" ) + { + $DG = $this->pan; + $childDGs = $this->pan->getVirtualSystems(); + } + else + { + $DG = $this->pan->findVirtualSystem( $rootDG ); + if( $DG === null ) + $this->locationNotFound($rootDG); + $childDGs = array(); + } + } + elseif($this->configType == 'panorama') + { + $DG = $this->pan->findDeviceGroup( $rootDG ); + if( $DG === null ) + $this->locationNotFound($rootDG); + + $childDGs = $DG->childDeviceGroups( TRUE ); + } - $childDGs = $DG->childDeviceGroups( TRUE ); $this->objectsLocation = array(); From e7195fdcc0e94198b17386f36f6f931111782a63 Mon Sep 17 00:00:00 2001 From: Sven Waschkut Date: Tue, 26 Sep 2023 19:35:06 +0200 Subject: [PATCH 21/35] Update CHANGELOG.txt --- CHANGELOG.txt | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.txt b/CHANGELOG.txt index bbe3a4d4..1b5ae1b5 100644 --- a/CHANGELOG.txt +++ b/CHANGELOG.txt 
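Review bot: The new cleanup in `save_our_work()` runs `//*[not(node())]` against `$this->pan->xmlroot->ownerDocument`, so it removes every childless element including ones that carry attributes, such as an intentionally empty `<entry name="..."/>`, and it mutates the loaded configuration in place rather than only the serialised output. Silently dropping configuration elements can change the meaning of what is written back, so the expression should at least be narrowed to `//*[not(node()) and not(@*)]`, and ideally applied to a copy of the document. A single pass also leaves behind parents that become empty only because their last child was removed. The `if` branch that sets `$lineReturn = false;` begins outside the hunk, so the condition under which this runs is not visible here.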
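Review bot: In the PATCH 20 hunk of `location_filter()` there is no `else` after `elseif($this->configType == 'panorama')`, so for any other config type `$DG` and `$childDGs` are never assigned and the code below the hunk (which presumably still uses them) operates on undefined variables; adding `else` `derr("location filter: unsupported config type '".$this->configType."'");` makes the failure explicit. In the `panos`/`shared` branch `$childDGs` holds whatever `getVirtualSystems()` returns while the Panorama branch holds the result of `childDeviceGroups( TRUE )`; if the consumer expects the same element type (names versus objects) from both, that should be confirmed, since neither helper is visible here. The function continues beyond the hunk.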
@@ -16,6 +16,7 @@ BUGFIX: * type=xml-issue | bugfix to display read-only DeviceGroup duplicate address-group fixes correctly in summary * type=address-merger | bugfix - do not merger address objects if tag count of planned merged object exceeds PAN-OS limit of 64 tag members * type=address-merger | bugfix for removing tag objects from upper level, if adr merged objects are using them and tag is also available at address level +* bugfix for argument 'location=shared:excludemaindg' on FW config file GENERAL: * Class VirtualSystem/SharedGatewayStore | better handling of version variable From 89ae92ef859adf8746b90d98c532a8c5a770b4ae Mon Sep 17 00:00:00 2001 From: Sven Waschkut Date: Wed, 27 Sep 2023 15:23:38 +0200 Subject: [PATCH 22/35] develop | introduce config_validation.php --- CHANGELOG.txt | 1 + utils/develop/config_validation.php | 227 ++++++++++++++++++++++++++++ 2 files changed, 228 insertions(+) create mode 100644 utils/develop/config_validation.php diff --git a/CHANGELOG.txt b/CHANGELOG.txt index 1b5ae1b5..0617af67 100644 --- a/CHANGELOG.txt +++ b/CHANGELOG.txt @@ -10,6 +10,7 @@ UTIL: * type=static-route actions=delete | introduce new action * type=rule | introduce actions=from-/to-remove-from-file:FILE.txt * type=XYZ | introduce new arguments: shadow-loadreduce - to not update TAG object related address-groups | debugloadtime - display load time for specific XML sections +* develop | introduce config_validation.php BUGFIX: * class PANConf|VirtualSystem | bugfix to support SharedGateway also for Tag objects correctly diff --git a/utils/develop/config_validation.php b/utils/develop/config_validation.php new file mode 100644 index 00000000..f3b17b79 --- /dev/null +++ b/utils/develop/config_validation.php 
@@ -0,0 +1,227 @@ + 'in', 'shortHelp' => 'input file or api. ie: in=config.xml or in=api://192.168.1.1 or in=api://0018CAEC3@panorama.company.com', 'argDesc' => '[filename]|[api://IP]|[api://serial@IP]'); +$supportedArguments['debugapi'] = Array('niceName' => 'DebugAPI', 'shortHelp' => 'prints API calls when they happen'); +$supportedArguments['help'] = Array('niceName' => 'help', 'shortHelp' => 'this message'); +$supportedArguments['zonelist'] = Array('niceName' => 'test', 'shortHelp' => 'zonelist filter '); +$supportedArguments['location'] = array('niceName' => 'Location', 'shortHelp' => 'specify if you want to limit your query to a VSYS/DG. By default location=shared for Panorama, =vsys1 for PANOS. ie: location=any or location=vsys2,vsys1 or location={DGname}:excludeMaindg [only childDGs of {DGname}] or location={DGname}:includechilddgs [{DGname} + all childDGs]', 'argDesc' => 'sub1[,sub2]'); +$supportedArguments['cycleconnectedfirewalls'] = array('niceName' => 'cycleConnectedFirewalls', 'shortHelp' => 'a listing of all devices connected to Panorama will be collected through API then each firewall will be queried for overrides'); + +$usageMsg = PH::boldText('USAGE: ')."php ".basename(__FILE__)." in=api:://[Panorama-MGMT-IP] [zone] " . 
+ " + - for Firewalls where Interfaces or other config is from Panorama Device-Group / Template please use in=api://FW-MGMT-ip/merged-config"; + +try +{ + $util = new UTIL("custom", $argv, $argc, __FILE__, $supportedArguments, $usageMsg); + $util->useException(); + $util->utilInit(); + $util->load_config(); + + $util->location_filter(); +} +catch(Exception $e) +{ + PH::print_stdout(" ***** API Error occured : ".$e->getMessage() ); + exit(); +} + + + +#if( $util->pan->isFirewall() ) +# derr( "only PAN-OS Panorama is supported" ); + + +if( !$util->apiMode ) + derr( "only PAN-OS API connection is supported" ); + +$inputConnector = $util->pan->connector; +$cycleConnectedFirewalls = FALSE; + +if( isset(PH::$args['cycleconnectedfirewalls']) ) + $cycleConnectedFirewalls = TRUE; + +$argument = array(); +if( isset(PH::$args['zonelist']) ) + $argument = explode( ",", PH::$args['zonelist']); + +else + derr( "argument 'argument' missing" ); + + +$array = array(); + +if( $cycleConnectedFirewalls && $util->pan->isPanorama() ) +{ + #print_r($util->objectsLocation); + + $devices_array = array(); + if( count($util->objectsLocation) == 1 ) + { + $dg = $util->pan->findDeviceGroup($util->objectsLocation[0]); + $devices_array = $dg->getDevicesInGroup(true); + } + else + { + foreach( $util->objectsLocation as $location ) + { + $dg = $util->pan->findDeviceGroup($location); + $tmp_devices_array = $dg->getDevicesInGroup(false); + $devices_array = array_merge( $devices_array, $tmp_devices_array ); + } + } + + + /* + foreach($devices_array as $key => $device) + { + #print "name: ".$device['serial']."\n"; + print "name: ".$key."\n"; + } + */ + + $firewallSerials = $inputConnector->panorama_getConnectedFirewallsSerials(); + + foreach( $firewallSerials as $fw ) + { + //validate if FWserial is in scope + //check if serial is in $devices_array + /* + print "filtered:\n"; + print_r($devices_array); + print "filtered: serials:\n"; + print_r( array_keys($devices_array) ); + + print "connected:\n"; + 
print_r( $fw ); + */ + + if( !in_array( $fw['serial'], array_keys($devices_array) ) ) + continue; + + $argv = array(); + $argc = array(); + PH::$args = array(); + PH::$argv = array(); + + $argv[0] = "test"; + $argv[] = "in=api://".$fw['serial']."@".$inputConnector->info_mgmtip."/merged-config"; + + PH::print_stdout( "--------------------------------------------------------------------------------" ); + + try + { + #PH::resetCliArgs( $argv ); + $util2 = new UTIL("custom", $argv, $argc, __FILE__); + $util2->useException(); + $util2->utilInit(); + $util2->load_config(); + + config_validation( $util2->pan, $argument, $array ); + } + catch(Exception $e) + { + PH::print_stdout(" ***** API Error occured : ".$e->getMessage() ); + + $array[ $fw['serial'] ][ "error" ]['name'] = "error"; + $array[ $fw['serial'] ][ "error" ]['ip'] = "connection"; + + PH::print_stdout(); + PH::print_stdout( $fw['serial'].",error,connection" ); + PH::print_stdout( "--------------------------------------------------------------------------------" ); + } + } +} +elseif( $util->pan->isFirewall() ) +{ + $pan = $util->pan; + + config_validation( $util->pan, $argument, $array ); +} + +PH::print_stdout( "--------------------------------------------------------------------------------" ); +PH::print_stdout( "--------------------------------------------------------------------------------" ); +PH::print_stdout( "--------------------------------------------------------------------------------" ); + +if( PH::$shadow_json ) + print json_encode( $array, JSON_PRETTY_PRINT ); + #print json_encode( $array, JSON_PRETTY_PRINT|JSON_FORCE_OBJECT ); +else +{ + #print_r( $array ); + foreach( $array as $device => $allvsys ) + { + #print_r($allvsys); + foreach( $allvsys as $vsys => $zones ) + { + #print_r($zones); + foreach( $zones as $key => $zone ) + PH::print_stdout( $device.",".$vsys.",".$zone ); + } + } + +} + + + + + +function config_validation( $pan, $argument, &$array ) +{ + $zone_array = $argument; + + /** 
@var PANConf $pan */ + $inputConnector = $pan->connector; + + $inputConnector->refreshSystemInfos( true ); + + //todo: what about multi-vsys? + #$vsys = $pan->findVirtualSystem("vsys1"); + $all_vsys = $pan->getVirtualSystems(); + foreach($all_vsys as $vsys) + { + foreach( $zone_array as $zoneName ) + { + $zoneInternet = $vsys->zoneStore->find($zoneName); + + if( $zoneInternet === null ) + { + $array[ $inputConnector->info_hostname ][ $vsys->name() ][] = $zoneName; + + PH::print_stdout(); + PH::print_stdout( $inputConnector->info_hostname.", ".$vsys->name().", ".$zoneName." not available" ); + PH::print_stdout( "--------------------------------------------------------------------------------" ); + } + } + } +} \ No newline at end of file From e8c00af040b37d5177565568d34b978e79dd80be Mon Sep 17 00:00:00 2001 From: Sven Waschkut Date: Wed, 27 Sep 2023 15:29:41 +0200 Subject: [PATCH 23/35] Update config_validation.php --- utils/develop/config_validation.php | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/utils/develop/config_validation.php b/utils/develop/config_validation.php index f3b17b79..5bfa6576 100644 --- a/utils/develop/config_validation.php +++ b/utils/develop/config_validation.php @@ -102,13 +102,13 @@ } - /* + foreach($devices_array as $key => $device) { #print "name: ".$device['serial']."\n"; - print "name: ".$key."\n"; + #print "name: ".$key."\n"; + PH::print_stdout( "FW-serial: ".$device['serial']." in scope"); } - */ $firewallSerials = $inputConnector->panorama_getConnectedFirewallsSerials(); @@ -127,7 +127,11 @@ */ if( !in_array( $fw['serial'], array_keys($devices_array) ) ) + { + PH::print_stdout( "FW-serial: ".$fw['serial']." not in location scope - skipped"); continue; + } + $argv = array(); $argc = array(); From 01d8fa7c9b8f880e5470ebc514a329ce52fd254b Mon Sep 17 00:00:00 2001 
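Review bot: The `catch(Exception $e)` block after the top-level `try` prints the message and calls `exit();`, so a failed `load_config()` or API call terminates with status 0 and a calling script cannot distinguish it from a run that found every zone; use `exit(1);` there (derr is defined outside this file, so whether its paths set a non-zero status cannot be checked here). The message in `derr( "argument 'argument' missing" )` names the wrong option — the test above it is on `PH::$args['zonelist']`. `in_array( $fw['serial'], array_keys($devices_array) )` is a loose comparison over a rebuilt key list; `array_key_exists($fw['serial'], $devices_array)` is the exact check. `$argc = array();` is passed where the script's own `$argc` is an int, and `$pan = $util->pan;` in the `isFirewall()` branch is never read.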
From: Sven Waschkut Date: Wed, 27 Sep 2023 15:47:13 +0200 Subject: [PATCH 24/35] Update config_validation.php --- utils/develop/config_validation.php | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/utils/develop/config_validation.php b/utils/develop/config_validation.php index 5bfa6576..5f74db6e 100644 --- a/utils/develop/config_validation.php +++ b/utils/develop/config_validation.php @@ -205,9 +205,9 @@ function config_validation( $pan, $argument, &$array ) $zone_array = $argument; /** @var PANConf $pan */ - $inputConnector = $pan->connector; + $inputConnector2 = $pan->connector; - $inputConnector->refreshSystemInfos( true ); + #$inputConnector2->refreshSystemInfos( true ); //todo: what about multi-vsys? #$vsys = $pan->findVirtualSystem("vsys1"); @@ -220,10 +220,10 @@ function config_validation( $pan, $argument, &$array ) if( $zoneInternet === null ) { - $array[ $inputConnector->info_hostname ][ $vsys->name() ][] = $zoneName; + $array[ $inputConnector2->info_hostname ][ $vsys->name() ][] = $zoneName; PH::print_stdout(); - PH::print_stdout( $inputConnector->info_hostname.", ".$vsys->name().", ".$zoneName." not available" ); + PH::print_stdout( $inputConnector2->info_hostname.", ".$vsys->name().", ".$zoneName." not available" ); PH::print_stdout( "--------------------------------------------------------------------------------" ); } } From ed6fa252ac2d5328207c10c66cbf5b1de4fa902e Mon Sep 17 00:00:00 2001 From: Sven Waschkut Date: Wed, 27 Sep 2023 16:11:37 +0200 Subject: [PATCH 25/35] Update config_validation.php --- utils/develop/config_validation.php | 21 +++++---------------- 1 file changed, 5 insertions(+), 16 deletions(-) diff --git a/utils/develop/config_validation.php b/utils/develop/config_validation.php index 5f74db6e..e988a267 100644 --- a/utils/develop/config_validation.php +++ b/utils/develop/config_validation.php 
@@ -22,7 +22,6 @@ require_once dirname(__FILE__)."/../../lib/pan_php_framework.php"; require_once dirname(__FILE__)."/../../utils/lib/UTIL.php"; - PH::print_stdout(); PH::print_stdout( "***********************************************" ); PH::print_stdout( "************ config validation UTILITY ****************" ); @@ -66,6 +65,7 @@ derr( "only PAN-OS API connection is supported" ); $inputConnector = $util->pan->connector; +$panoramaMGMTip = $inputConnector->info_mgmtip; $cycleConnectedFirewalls = FALSE; if( isset(PH::$args['cycleconnectedfirewalls']) ) @@ -114,21 +114,9 @@ foreach( $firewallSerials as $fw ) { - //validate if FWserial is in scope - //check if serial is in $devices_array - /* - print "filtered:\n"; - print_r($devices_array); - print "filtered: serials:\n"; - print_r( array_keys($devices_array) ); - - print "connected:\n"; - print_r( $fw ); - */ - if( !in_array( $fw['serial'], array_keys($devices_array) ) ) { - PH::print_stdout( "FW-serial: ".$fw['serial']." not in location scope - skipped"); + #PH::print_stdout( "FW-serial: ".$fw['serial']." not in location scope - skipped"); continue; } @@ -139,7 +127,8 @@ PH::$argv = array(); $argv[0] = "test"; - $argv[] = "in=api://".$fw['serial']."@".$inputConnector->info_mgmtip."/merged-config"; + //must be fixed value from above $panoramaMGMTip, if not ->refreshSystemInfos later on is updating to FW MGMT IP + $argv[] = "in=api://".$fw['serial']."@".$panoramaMGMTip."/merged-config"; PH::print_stdout( "--------------------------------------------------------------------------------" ); @@ -207,7 +196,7 @@ function config_validation( $pan, $argument, &$array ) /** @var PANConf $pan */ $inputConnector2 = $pan->connector; - #$inputConnector2->refreshSystemInfos( true ); + $inputConnector2->refreshSystemInfos( true ); //todo: what about multi-vsys? #$vsys = $pan->findVirtualSystem("vsys1"); From 66adeaa02bcb24522cacc89802eca9287e5a079a Mon Sep 17 00:00:00 2001 
From: Sven Waschkut Date: Wed, 27 Sep 2023 16:16:11 +0200 Subject: [PATCH 26/35] Update interface_getIP.php --- utils/develop/interface_getIP.php | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/utils/develop/interface_getIP.php b/utils/develop/interface_getIP.php index dfeb33f5..6a4e293a 100644 --- a/utils/develop/interface_getIP.php +++ b/utils/develop/interface_getIP.php @@ -62,6 +62,7 @@ derr( "only PAN-OS API connection is supported" ); $inputConnector = $util->pan->connector; +$panoramaMGMTip = $inputConnector->info_mgmtip; $cycleConnectedFirewalls = FALSE; if( isset(PH::$args['cycleconnectedfirewalls']) ) @@ -86,7 +87,8 @@ PH::$argv = array(); $argv[0] = "test"; - $argv[] = "in=api://".$fw['serial']."@".$inputConnector->info_mgmtip."/merged-config"; + //must be fixed value from above $panoramaMGMTip, if not ->refreshSystemInfos later on is updating to FW MGMT IP + $argv[] = "in=api://".$fw['serial']."@".$panoramaMGMTip."/merged-config"; PH::print_stdout( "--------------------------------------------------------------------------------" ); From 6ba998ace25be63080337d6a15b70dc2f026d84a Mon Sep 17 00:00:00 2001 From: Sven Waschkut Date: Thu, 28 Sep 2023 08:04:20 +0200 Subject: [PATCH 27/35] type=appid-toolbox | improvements for further. new features - example rule address/service report generator --- CHANGELOG.txt | 1 + appid-toolbox/lib/common.php | 152 ++++++++++++++---- appid-toolbox/lib/trait/lib_1_rule_marker.php | 15 +- .../lib/trait/lib_2_report_generator.php | 89 +++++++++- .../trait/ObjectWithDescription.php | 2 +- lib/rule-classes/SecurityRule.php | 43 ++++- utils/common/actions-rule.php | 58 ++++++- 7 files changed, 303 insertions(+), 57 deletions(-) diff --git a/CHANGELOG.txt b/CHANGELOG.txt index 0617af67..2a88abeb 100644 --- a/CHANGELOG.txt +++ b/CHANGELOG.txt 
@@ -11,6 +11,7 @@ UTIL: * type=rule | introduce actions=from-/to-remove-from-file:FILE.txt * type=XYZ | introduce new arguments: shadow-loadreduce - to not update TAG object related address-groups | debugloadtime - display load time for specific XML sections * develop | introduce config_validation.php +* type=appid-toolbox | improvements for further. new features - example rule address/service report generator BUGFIX: * class PANConf|VirtualSystem | bugfix to support SharedGateway also for Tag objects correctly diff --git a/appid-toolbox/lib/common.php b/appid-toolbox/lib/common.php index 3e6fb067..a77dcf5c 100644 --- a/appid-toolbox/lib/common.php +++ b/appid-toolbox/lib/common.php @@ -57,20 +57,26 @@ class DeviceGroupRuleAppUsage { public $logs = Array(); + public $logsSrcDst = Array(); - public function load_from_file($filename) + public function load_from_file($filename, $SrcDst = false) { $xmlDoc = new DOMDocument(); $xmlDoc->Load($filename); $recordsNode = DH::findFirstElementOrDie('records', $xmlDoc); + if( $SrcDst ) + $keyword = "ips"; + else + $keyword = "apps"; + foreach( $recordsNode->childNodes as $entryNode ) { if( $entryNode->nodeType != XML_ELEMENT_NODE ) continue; - $logRecord = Array( 'apps' => Array() ); + $logRecord = Array( $keyword => Array() ); /** @var DOMElement $entryNode */ 
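Review bot: The SrcDst variant of load_from_file stores every child element flat as `$logRecord['ips'][name]`, while save_to_file in the next hunk writes the same data as per-direction `ips-src`/`ips-dst` elements and addRuleStats_SrcDst/getRuleStats work with `['ips']['src'][$ip]` and `['ips']['dst'][$ip]`; a stats file written by save_to_file therefore does not restore the structure the rest of the class expects. The element-selection loop is partly outside this hunk, so confirm what `$appNode` iterates, but the loader needs to derive the direction from the element name and store under `$logRecord['ips'][$direction][$name]`. The return value of `$xmlDoc->Load($filename)` is still unchecked; a `false` there should stop before `findFirstElementOrDie`.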
@@ -88,27 +94,55 @@ public function load_from_file($filename) /** @var DOMElement $appNode */ - $logRecord['apps'][$appNode->getAttribute('name')] = Array( 'name' => $appNode->getAttribute('name'), 'count' => $appNode->getAttribute('count')); + $logRecord[$keyword][$appNode->getAttribute('name')] = Array( 'name' => $appNode->getAttribute('name'), 'count' => $appNode->getAttribute('count')); } - $this->logs[$ruleName] = &$logRecord; + if( $SrcDst ) + $this->logsSrcDst[$ruleName] = &$logRecord; + else + $this->logs[$ruleName] = &$logRecord; unset($logRecord); } } - public function save_to_file($filename) + public function save_to_file($filename, $SrcDst = false) { $xml = "\n"; - foreach($this->logs as $name => &$log) + if($SrcDst) + { + $logArray = $this->logsSrcDst; + $keyWord = "ips"; + } + else + { + $logArray = $this->logs; + $keyWord = "apps"; + } + + + foreach($logArray as $name => &$log) { $xml .= " \n"; - foreach( $log['apps'] as &$app ) + foreach( $log[$keyWord] as $key => &$app ) { - $xml .= " \n"; + if( $keyWord == "apps") + { + $xml .= " <".$keyWord." name=\"{$app['name']}\" count=\"{$app['count']}\"/>\n"; + } + else + { + #$xml .= " <".$keyWord.">\n"; + foreach( $app as $ip ) + { + $xml .= " <".$keyWord."-".$key." name=\"{$ip['name']}\" count=\"{$ip['count']}\"/>\n"; + } + + #$xml .= " \n"; + } } $xml .= " \n"; @@ -119,6 +153,7 @@ public function save_to_file($filename) file_put_contents($filename, $xml); } + public function addRuleStats($ruleName , $appName, $hitCount) { if( isset($this->logs[$ruleName]) ) 
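Review bot: save_to_file interpolates `$app['name']`, `$ip['name']` and the counts straight into XML attribute values (`name=\"{$app['name']}\"`), and with the new `ips` variant those names are addresses and container strings taken from firewall log reports rather than from the local configuration; a `"`, `&` or `<` in any of them yields a stats file that load_from_file can no longer parse. Wrap each interpolated value in `htmlspecialchars(..., ENT_QUOTES)`, as this series already does for rule descriptions, or build the document with DOMDocument so escaping is automatic. The inner `foreach( $app as $ip )` assumes every entry under `$log['ips']` is an array; with the `array('src', 'dst')` initializer used in addRuleStats_SrcDst it receives the strings `'src'` and `'dst'` and emits a warning, so guard with `is_array($app)` or fix the initializer.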
@@ -139,33 +174,75 @@ public function addRuleStats($ruleName , $appName, $hitCount) $record['apps'][$appName] = Array('name'=>$appName, 'count' => $hitCount); } + public function addRuleStats_SrcDst($ruleName , $srcOrDst, $ip, $hitCount) + { + if( isset($this->logsSrcDst[$ruleName]) ) + { + $record = &$this->logsSrcDst[$ruleName]; + } + else + { + $SrcDstArray = array('src', 'dst'); + $record = Array( 'ips' => $SrcDstArray ); + $this->logsSrcDst[$ruleName] = &$record; + } + + $record['timestamp'] = time(); + + if( isset($record['ips'][$srcOrDst][$ip]) ) + $record['ips'][$srcOrDst][$ip]['count'] += $hitCount; + else + $record['ips'][$srcOrDst][$ip] = Array('name'=>$ip, 'count' => $hitCount); + } + /** * @param string $ruleName * @return null|int */ - public function getRuleUpdateTimestamp($ruleName) + public function getRuleUpdateTimestamp($ruleName, $SrcDst = false) { - if( isset($this->logs[$ruleName]) ) - { - return $this->logs[$ruleName]['timestamp']; - } + if( $SrcDst ) + if( isset($this->logsSrcDst[$ruleName]) ) + { + return $this->logsSrcDst[$ruleName]['timestamp']; + } + else + if( isset($this->logs[$ruleName]) ) + { + return $this->logs[$ruleName]['timestamp']; + } + return null; } - public function resetRulesStats($ruleName) + public function resetRulesStats($ruleName, $SrcDst = false) { - if( isset($this->logs[$ruleName]) ) - unset($this->logs[$ruleName]); + if( $SrcDst ) + if( isset($this->logsSrcDst[$ruleName]) ) + unset($this->logsSrcDst[$ruleName]); + else + if( isset($this->logs[$ruleName]) ) + unset($this->logs[$ruleName]); } - public function getRuleStats($ruleName) + public function getRuleStats($ruleName, $SrcDst = false) { - if( !isset($this->logs[$ruleName]) ) - return null; + if( $SrcDst ) + { + if( !isset($this->logsSrcDst[$ruleName]) ) + return null; + + return $this->logsSrcDst[$ruleName]['ips']; + } + else + { + if( !isset($this->logs[$ruleName]) ) + return null; - return $this->logs[$ruleName]['apps']; + return 
$this->logs[$ruleName]['apps']; + } } public function isRuleUsed($ruleName, $ignoreApps = Array('incomplete', 'non-syn-tcp') ) @@ -183,21 +260,34 @@ public function isRuleUsed($ruleName, $ignoreApps = Array('incomplete', 'non-syn } - public function createRuleStats($ruleName) + public function createRuleStats($ruleName, $SrcDst = false) { - if( !isset($this->logs[$ruleName]) ) - { - $record = Array( 'apps' => Array(), 'timestamp' => time() ); - $this->logs[$ruleName] = &$record; - } + if( $SrcDst ) + if( !isset($this->logsSrcDst[$ruleName]) ) + { + $record = Array( 'ips' => Array(), 'timestamp' => time() ); + $this->logsSrcDst[$ruleName] = &$record; + } + else + if( !isset($this->logs[$ruleName]) ) + { + $record = Array( 'apps' => Array(), 'timestamp' => time() ); + $this->logs[$ruleName] = &$record; + } } - public function updateRuleUpdateTimestamp($ruleName) + public function updateRuleUpdateTimestamp($ruleName, $SrcDst = false) { - if( isset($this->logs[$ruleName]) ) - { - $this->logs[$ruleName]['timestamp'] = time(); - } + if( $SrcDst ) + if( isset($this->logsSrcDst[$ruleName]) ) + { + $this->logsSrcDst[$ruleName]['timestamp'] = time(); + } + else + if( isset($this->logs[$ruleName]) ) + { + $this->logs[$ruleName]['timestamp'] = time(); + } } diff --git a/appid-toolbox/lib/trait/lib_1_rule_marker.php b/appid-toolbox/lib/trait/lib_1_rule_marker.php index 54671c0e..54e594a9 100644 --- a/appid-toolbox/lib/trait/lib_1_rule_marker.php +++ b/appid-toolbox/lib/trait/lib_1_rule_marker.php @@ -42,7 +42,7 @@ function ruleMarker_Phase1_init() if( isset(PH::$args['help']) ) $this->display_usage_and_exit_p1(); - $supportedOptions = array('phase', 'in', 'out', 'help', 'location'); + $supportedOptions = array('phase', 'in', 'out', 'help', 'location', 'debugapi'); $supportedOptions = array_flip($supportedOptions); foreach( PH::$args as $arg => $argvalue ) 
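Review bot: In getRuleUpdateTimestamp and resetRulesStats the `else` after `if( $SrcDst ) if( isset(...) ) ...` binds to the inner `if`, not the outer one, so with the default `$SrcDst = false` nothing is evaluated at all: getRuleUpdateTimestamp always returns null and resetRulesStats never unsets a record; createRuleStats and updateRuleUpdateTimestamp in the next hunk (`@@ -183,21 +260,34 @@`) have the same shape and the same failure. Brace the outer branches in all four methods as shown below for getRuleUpdateTimestamp. In addRuleStats_SrcDst the fresh record is initialized with `array('src', 'dst')`, a list whose values are those strings, so `$record['ips']['src'][$ip]` is auto-created next to stray `0 => 'src', 1 => 'dst'` entries that later consumers iterate over; use `'ips' => array('src' => array(), 'dst' => array())`.
```php
    public function getRuleUpdateTimestamp($ruleName, $SrcDst = false)
    {
        if( $SrcDst )
        {
            if( isset($this->logsSrcDst[$ruleName]) )
                return $this->logsSrcDst[$ruleName]['timestamp'];
        }
        elseif( isset($this->logs[$ruleName]) )
        {
            return $this->logs[$ruleName]['timestamp'];
        }

        return null;
    }
    // … same bracing for resetRulesStats, createRuleStats, updateRuleUpdateTimestamp …
```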
@@ -54,6 +54,10 @@ function ruleMarker_Phase1_init() $debugAPI = FALSE; + if( isset(PH::$args['debugapi']) ) + { + $debugAPI = TRUE; + } $return = AppIDToolbox_common::location(); $configInput = $return['configInput']; @@ -99,11 +103,12 @@ function ruleMarker_Phase1_main($subSystem, $configInput, $pan, $inputConnector, foreach( $rules as $rule ) { + PH::print_stdout(); PH::print_stdout(" - rule '{$rule->name()}'"); if( $ridTagLibrary->ruleIsTagged($rule) ) { - PH::print_stdout(" SKIPPED : already tagged"); + PH::print_stdout(" SKIPPED : already tagged"); $alreadyMarked++; continue; } @@ -112,7 +117,7 @@ function ruleMarker_Phase1_main($subSystem, $configInput, $pan, $inputConnector, $newTagName = $ridTagLibrary->findAvailableTagName('appRID#'); - PH::print_stdout(); + PH::print_stdout(" * creating Virtual TAG '$newTagName' ... "); PH::print_stdout(" * applying tag to rule description... "); @@ -129,10 +134,10 @@ function ruleMarker_Phase1_main($subSystem, $configInput, $pan, $inputConnector, $xmlPreRules .= "name()}\">" . htmlspecialchars($rule->description()) . ""; } - PH::print_stdout("\n\nNumber of rules marked: {$markedRules} (vs already marked: {$alreadyMarked}"); + PH::print_stdout("\n\nNumber of rules marked: '{$markedRules}' (vs already marked: '{$alreadyMarked}')"); if( $markedRules < 1 ) - PH::print_stdout("\n\n No change to push as not rule is set to be marked"); + PH::print_stdout("\n\nNo change to push as no rule is set to be marked"); else { if( $configInput['type'] == 'api' ) diff --git a/appid-toolbox/lib/trait/lib_2_report_generator.php b/appid-toolbox/lib/trait/lib_2_report_generator.php index e44fb756..558012f6 100644 --- a/appid-toolbox/lib/trait/lib_2_report_generator.php +++ b/appid-toolbox/lib/trait/lib_2_report_generator.php 
@@ -183,17 +183,24 @@ function logAnalysis_Phase2() $inputConnector->refreshSystemInfos(); $ruleStatFile = $inputConnector->info_serial . '-' . $location . '-stats.xml'; + $ruleStatFile_SrcDst = $inputConnector->info_serial . '-' . $location . '-statsSrcDst.xml'; $ruleStatHtmlFile = $inputConnector->info_serial . '-' . $location . '-stats.html'; if( file_exists($ruleStatFile) ) { PH::print_stdout(" - Previous rule stats found, loading from file $ruleStatFile... "); $ruleStats->load_from_file($ruleStatFile); - } else PH::print_stdout(" - No cached stats found (missing file '$ruleStatFile')"); + if( file_exists($ruleStatFile_SrcDst) ) + { + PH::print_stdout(" - Previous rule stats found, loading from file $ruleStatFile_SrcDst... "); + $ruleStats->load_from_file($ruleStatFile_SrcDst, true); + } + else + PH::print_stdout(" - No cached stats found (missing file '$ruleStatFile_SrcDst')"); // // Cooking additional query parameters @@ -218,8 +225,7 @@ function logAnalysis_Phase2() $additionalQueryString = ' and ( ' . $additionalQueryString . ' )'; - $rules = $subSystem->securityRules->rules("(description regex /" . RuleIDTagLibrary::$tagBaseName . "/) and !(tag has " . TH::$tag_misc_ignore . " )" . $additionalQueryString - ); + $rules = $subSystem->securityRules->rules("(description regex /" . RuleIDTagLibrary::$tagBaseName . "/) and !(tag has " . TH::$tag_misc_ignore . " )" . $additionalQueryString ); PH::print_stdout(" - Found " . count($rules) . " rules which will potentially be processed for log statistics"); @@ -237,6 +243,7 @@ function logAnalysis_Phase2() if( $rule->isDisabled() ) { PH::print_stdout(" * SKIPPED : it's disabled"); + PH::print_stdout(); continue; } @@ -245,6 +252,7 @@ function logAnalysis_Phase2() if( $stats !== null && !$updatePreviousData && !$resetPreviousData ) { PH::print_stdout(" * SKIPPED : found in cache"); + PH::print_stdout(); continue; } 
@@ -253,6 +261,7 @@ function logAnalysis_Phase2() { $lastReportTime = round($lastReportTime, 2); PH::print_stdout(" * SKIPPED : last report was run {$lastReportTime} days ago which is less then skipIfLastReportLessThanXDays value"); + PH::print_stdout(); continue; } @@ -283,7 +292,7 @@ function logAnalysis_Phase2() // if container of app is valid, we want to use this container rather than $container = array_pop($line); - if( strlen($container) > 0 && $container != 'none' ) + if( $container != null && strlen($container) > 0 && $container != 'none' && $container != '(null)' ) $app = $container; PH::print_stdout(" - $app ($count)"); 
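Review bot: `$container != null && strlen($container) > 0 && $container != 'none' && $container != '(null)'` mixes a loose null comparison with a length check that only exists to avoid `strlen(null)`; the strict form `$container !== null && $container !== '' && !in_array($container, array('none', '(null)'), true)` states the same condition without the `==` pitfalls. The same expression is copied twice more into the src/dst blocks of the following hunk, so a small helper or a constant list of placeholder values would keep the three in step.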
@@ -291,13 +300,77 @@ function logAnalysis_Phase2() $ruleStats->addRuleStats($rule->name(), $app, $count); } - $ruleStats->save_to_file($ruleStatFile); + //not performant to write file for each rule + #$ruleStats->save_to_file($ruleStatFile); PH::print_stdout(); + + ####################################################### + //enalbe if fully published + $srcOrDst = false; + if( $srcOrDst ) + { + PH::print_stdout(" * Generating SRC report... "); + $reports = $rule->API_getAddressStats(time() - ($logHistory * 24 * 3600), time() + 0, 'src', TRUE); + #print_r($reports); + PH::print_stdout(" * Results (" . count($reports) . "):"); + + + $ruleStats->createRuleStats($rule->name(), true); + $ruleStats->updateRuleUpdateTimestamp($rule->name(), true); + + + foreach( $reports as $line ) + { + $count = array_pop($line); + $app = array_pop($line); + + // if container of app is valid, we want to use this container rather than + $container = array_pop($line); + if( $container != null && strlen($container) > 0 && $container != 'none' && $container != '(null)' ) + $app = $container; + + PH::print_stdout(" - $app ($count)"); + + $ruleStats->addRuleStats_SrcDst($rule->name(), 'src', $app, $count); + } + + PH::print_stdout(" * Generating DST report... "); + $reports_dst = $rule->API_getAddressStats(time() - ($logHistory * 24 * 3600), time() + 0, 'dst', TRUE); + #print_r($reports_dst); + PH::print_stdout(" * Results (" . count($reports_dst) . 
"):"); + + foreach( $reports_dst as $line ) + { + $count = array_pop($line); + $app = array_pop($line); + + // if container of app is valid, we want to use this container rather than + $container = array_pop($line); + if( $container != null && strlen($container) > 0 && $container != 'none' && $container != '(null)' ) + $app = $container; + + PH::print_stdout(" - $app ($count)"); + + $ruleStats->addRuleStats_SrcDst($rule->name(), 'dst', $app, $count); + } + ################### + + + //not performant to write file for each rule + $ruleStats->save_to_file($ruleStatFile_SrcDst, true); + } } -//Todo - export not working for HTML but tool is using XML file - HTML is only for user -#PH::print_stdout( "\n\nExporting stats to html file '{$ruleStatHtmlFile}'... " ); -#$ruleStats->exportToCSV($ruleStatHtmlFile); + + $ruleStats->save_to_file($ruleStatFile); + + if( $srcOrDst ) + $ruleStats->save_to_file($ruleStatFile_SrcDst, true); + + + //Todo - export not working for HTML but tool is using XML file - HTML is only for user + #PH::print_stdout( "\n\nExporting stats to html file '{$ruleStatHtmlFile}'... " ); + #$ruleStats->exportToCSV($ruleStatHtmlFile); } } diff --git a/lib/misc-classes/trait/ObjectWithDescription.php b/lib/misc-classes/trait/ObjectWithDescription.php index fb4fe290..a78ce4e8 100644 --- a/lib/misc-classes/trait/ObjectWithDescription.php +++ b/lib/misc-classes/trait/ObjectWithDescription.php @@ -92,7 +92,7 @@ public function API_setDescription($newDescription, $tagName = "description") if( $con->isAPI() ) { /** @var PanAPIConnector $con */ - if( strlen($this->_description) < 1 ) + if( $this->_description == null ) //|| strlen($this->_description) < 1 ) $con->sendDeleteRequest($xpath); else $con->sendSetRequest($this->getXPath(), '<' . $tagName . '>' . htmlspecialchars($this->_description) . ''); diff --git a/lib/rule-classes/SecurityRule.php b/lib/rule-classes/SecurityRule.php index c8087949..454285ed 100644 --- a/lib/rule-classes/SecurityRule.php 
+++ b/lib/rule-classes/SecurityRule.php @@ -1509,7 +1509,8 @@ public function &API_getAppContainerStats2($startTimestamp, $endTimestamp = null } - public function &API_getServiceStats($timePeriod = 'last-30-days', $fastMode = TRUE, $limit = 50, $specificApps = null) + #public function &API_getServiceStats($timePeriod = 'last-30-days', $fastMode = TRUE, $limit = 50, $specificApps = null) + public function &API_getServiceStats($startTimestamp, $endTimestamp = null, $fastMode = TRUE, $limit = 50, $specificApps = null) { $con = findConnectorOrDie($this); @@ -1575,9 +1576,21 @@ public function &API_getServiceStats($timePeriod = 'last-30-days', $fastMode = T $dvq = '(' . array_to_devicequery($devices) . ')'; } + $startString = date('Y/m/d H:i:00', $startTimestamp); + + if( $endTimestamp === null ) + { + $endString = date('Y/m/d H:00:00'); + } + else + $endString = date('Y/m/d H:00:00', $endTimestamp); + $query = "" . "<" . $type . ">protodport" - . "" . $timePeriod . "" + . "" + #. "" . $timePeriod . "" + . "{$startString}" + . "{$endString}" . "{$limit}50untitled" . "" . "$dvq $query_appfilter and (rule eq '" . $this->name . "')"; @@ -1593,7 +1606,8 @@ public function &API_getServiceStats($timePeriod = 'last-30-days', $fastMode = T return $ret; } - public function &API_getAddressStats($timePeriod = 'last-30-days', $srcORdst = 'src', $fastMode = TRUE, $limit = 50, $excludedAddresses = array()) + #public function &API_getAddressStats($timePeriod = 'last-30-days', $srcORdst = 'src', $fastMode = TRUE, $limit = 50, $excludedAddresses = array()) + public function &API_getAddressStats($startTimestamp, $endTimestamp = null, $srcORdst = 'src', $fastMode = TRUE, $limit = 50, $excludedAddresses = array()) { $con = findConnectorOrDie($this); 
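Review bot: Replacing the leading `$timePeriod = 'last-30-days'` parameter with a required `$startTimestamp` changes the positional contract of API_getServiceStats, and the third hunk (`@@ -1593,7 +1606,8 @@`) does the same to API_getAddressStats; any caller not updated in this commit now hands a period string to `date()`, which throws a TypeError under PHP 8 and silently yields a 1970 date under PHP 7. Check the remaining callers, or accept `int|string` and keep the period handling for strings. The commented-out old signature should be removed rather than left above the new one; `@param int $startTimestamp` / `@param int|null $endTimestamp` docblock lines carry that information usefully. The end string truncates to the hour (`H:00:00`) while the start keeps minutes (`H:i:00`); if that asymmetry is deliberate, a one-line comment would save the next reader the question.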
@@ -1629,23 +1643,36 @@ public function &API_getAddressStats($timePeriod = 'last-30-days', $srcORdst = ' $dvq = '(' . array_to_devicequery($devices) . ')'; } - $excludedAppsString = ''; + $excludedAddressString = ''; $first = TRUE; foreach( $excludedAddresses as &$e ) { if( !$first ) - $excludedAppsString .= ' and '; + $excludedAddressString .= ' and '; - $excludedAppsString .= "(app neq $e)"; + $excludedAddressString .= "(app neq $e)"; $first = FALSE; } + $startString = date('Y/m/d H:i:00', $startTimestamp); + + if( $endTimestamp === null ) + { + $endString = date('Y/m/d H:00:00'); + } + else + $endString = date('Y/m/d H:00:00', $endTimestamp); + $query = "" . "<" . $type . ">" . $srcORdst . "" - . "" . $timePeriod . "" + . "sessions" + . "" + #. "" . $timePeriod . "" + . "{$startString}" + . "{$endString}" . "{$limit}50untitled" - . "" . "$dvq {$excludedAppsString} and (rule eq '" . $this->name . "')"; + . "" . "$dvq {$excludedAddressString} and (rule eq '" . $this->name . "')"; $apiArgs = array(); diff --git a/utils/common/actions-rule.php b/utils/common/actions-rule.php index f706fc14..597ed1d9 100644 --- a/utils/common/actions-rule.php +++ b/utils/common/actions-rule.php @@ -3059,6 +3059,8 @@ $object = $context->object; + $pregReplace = FALSE; + $characterToreplace = $context->arguments['search']; if( strpos($characterToreplace, '$$comma$$') !== FALSE ) $characterToreplace = str_replace('$$comma$$', ",", $characterToreplace); @@ -3070,6 +3072,12 @@ $characterToreplace = str_replace('$$pipe$$', "|", $characterToreplace); if( strpos($characterToreplace, '$$newline$$') !== FALSE ) $characterToreplace = str_replace('$$newline$$', "\n", $characterToreplace); + if( strpos($characterToreplace, '$$appRID#$$') !== FALSE ) + { + $characterToreplace = str_replace('$$appRID#$$', "appRID#[0-9]+", $characterToreplace); + $pregReplace = TRUE; + } + $characterForreplace = $context->arguments['replace']; if( strpos($characterForreplace, '$$comma$$') !== FALSE ) 
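Review bot: The rename to `$excludedAddressString` makes it visible that the filter built from `$excludedAddresses` is still `(app neq $e)`, so the caller's excluded addresses are applied to the application field and never to the address column being reported; presumably the field should follow `$srcORdst` (PAN-OS log filters address it as `addr.src`/`addr.dst`), e.g. `$excludedAddressString .= "(addr.{$srcORdst} neq $e)";` — confirm against the filter syntax the connector targets. The `$e` values are still spliced into the query unquoted and unescaped, so a value containing `)` or `'` breaks the filter; quote and escape them where they enter the string. `foreach( $excludedAddresses as &$e )` leaves `$e` as a dangling reference after the loop; `unset($e)` afterwards, or drop the `&` since the loop only reads.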
@@ -3085,9 +3093,14 @@ $description = $object->description(); - $newDescription = str_replace($characterToreplace, $characterForreplace, $description); - //todo add regex replacement 20210305 - //$desc = preg_replace('/appRID#[0-9]+/', '', $rule->description()); + if( $pregReplace ) + { + //todo add regex replacement 20210305 + $newDescription = preg_replace('/ appRID#[0-9]+/', $characterForreplace, $description); + } + else + $newDescription = str_replace($characterToreplace, $characterForreplace, $description); + if( $description == $newDescription ) { @@ -3110,7 +3123,7 @@ 'search' => array('type' => 'string', 'default' => '*nodefault*'), 'replace' => array('type' => 'string', 'default' => '') ), - 'help' => 'possible variable $$comma$$ or $$forwardslash$$ or $$colon$$ or $$pipe$$ or $$newline$$; example "actions=description-Replace-Character:$$comma$$word1"' + 'help' => 'possible variable $$comma$$ or $$forwardslash$$ or $$colon$$ or $$pipe$$ or $$newline$$ or $$appRID#$$; example "actions=description-Replace-Character:$$comma$$word1"' ); // // 
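Review bot: The regex branch uses the literal pattern `'/ appRID#[0-9]+/'` and ignores `$characterToreplace`, even though the previous hunk (`@@ -3070,6 +3072,12 @@`) just rewrote that variable to `appRID#[0-9]+` for this purpose; any other text the user put into `search` next to `$$appRID#$$` is silently dropped, and a tag at the very start of the description (no leading space) is never matched. Build the pattern from the variable, `preg_quote()` the literal parts before splicing the token in, and make the separator optional: `$newDescription = preg_replace('/ ?' . $characterToreplace . '/', $characterForreplace, $description);`. `preg_replace()` returns null on a PCRE error, which the `$description == $newDescription` test does not catch and would then push a null description; check `$newDescription === null` first. The `//todo add regex replacement 20210305` comment is now done and should go.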
@@ -5704,3 +5717,40 @@ } ); +RuleCallContext::$supportedActions[] = array( + 'name' => 'appid-toolbox-cleanup', + 'MainFunction' => function (RuleCallContext $context) { + $object = $context->object; + + ######################################################################## + //delete cloned rules + if( strpos( $object->name(), "-app" ) && $object->isDisabled() ) + { + if( $context->isAPI ) + $object->owner->API_remove($object); + else + $object->owner->remove($object); + } + + ######################################################################## + //remove description + $description = $object->description(); + $newDescription = preg_replace('/ appRID#[0-9]+/', "", $description); + + + if( $description == $newDescription ) + { + $string = "new and old description are the same" ; + PH::ACTIONstatus( $context, "SKIPPED", $string ); + return; + } + + $string = "new description will be '{$newDescription}'"; + PH::ACTIONlog( $context, $string ); + + if( $context->isAPI ) + $object->API_setDescription($newDescription); + else + $object->setDescription($newDescription); + } +); \ No newline at end of file From f476a1185d18d390f1baf8d23e0bf2c859ec028a Mon Sep 17 00:00:00 2001 From: Sven Waschkut Date: Fri, 29 Sep 2023 08:55:35 +0200 Subject: [PATCH 28/35] type=rule actions=name-replace-character | set default value for replace to '' --- CHANGELOG.txt | 1 + utils/common/actions-rule.php | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.txt b/CHANGELOG.txt index 2a88abeb..aa0d0402 100644 --- a/CHANGELOG.txt +++ b/CHANGELOG.txt 
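Review bot: After `$object->owner->API_remove($object)` (or `remove()`) the function falls through and goes on to call `API_setDescription()` on the rule it has just deleted; add `return;` inside the removal branch, preferably after a `PH::ACTIONlog( $context, "disabled clone removed" );`, so a removed rule is not also edited. `strpos( $object->name(), "-app" )` is used as a boolean, so a name beginning with `-app` yields 0 and counts as no match; write `strpos( $object->name(), "-app" ) !== FALSE` (or `str_contains()`). The action also has no `'help'` entry although it both deletes disabled `-app` clones and strips `appRID#` markers from descriptions — a one-line help describing that double effect would spare users surprises.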
@@ -12,6 +12,7 @@ UTIL: * type=XYZ | introduce new arguments: shadow-loadreduce - to not update TAG object related address-groups | debugloadtime - display load time for specific XML sections * develop | introduce config_validation.php * type=appid-toolbox | improvements for further. new features - example rule address/service report generator +* type=rule actions=name-replace-character | set default value for replace to '' BUGFIX: * class PANConf|VirtualSystem | bugfix to support SharedGateway also for Tag objects correctly diff --git a/utils/common/actions-rule.php b/utils/common/actions-rule.php index 597ed1d9..ed84eae4 100644 --- a/utils/common/actions-rule.php +++ b/utils/common/actions-rule.php @@ -3911,7 +3911,7 @@ 'default' => '*nodefault*'), 'replace' => array( 'type' => 'string', - 'default' => '*nodefault*') + 'default' => '') ), 'help' => '' ); From 5df3fda025c19a2ff411ca8419cba401cbd3ad82 Mon Sep 17 00:00:00 2001 From: Sven Waschkut Date: Fri, 29 Sep 2023 12:15:46 +0200 Subject: [PATCH 29/35] type=rule | introduce new actions=appid-stats-fastapi:-90days/service-stats-fastapi:/address-source-stats-fastapi/address-destionation-stats-fastapi/address-stats-fastapi/traffic-stats-fastapi --- CHANGELOG.txt | 1 + lib/rule-classes/SecurityRule.php | 46 ++++- utils/common/actions-rule.php | 279 ++++++++++++++++++++++++++++++ 3 files changed, 322 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.txt b/CHANGELOG.txt index aa0d0402..c2d624a5 100644 --- a/CHANGELOG.txt +++ b/CHANGELOG.txt 
@@ -13,6 +13,7 @@ UTIL: * develop | introduce config_validation.php * type=appid-toolbox | improvements for further. new features - example rule address/service report generator * type=rule actions=name-replace-character | set default value for replace to '' +* type=rule | introduce new actions=appid-stats-fastapi:-90days/service-stats-fastapi:/address-source-stats-fastapi/address-destination-stats-fastapi/address-stats-fastapi/traffic-stats-fastapi BUGFIX: * class PANConf|VirtualSystem | bugfix to support SharedGateway also for Tag objects correctly diff --git a/lib/rule-classes/SecurityRule.php b/lib/rule-classes/SecurityRule.php index 454285ed..11634c84 100644 --- a/lib/rule-classes/SecurityRule.php +++ b/lib/rule-classes/SecurityRule.php @@ -1576,6 +1576,11 @@ public function &API_getServiceStats($startTimestamp, $endTimestamp = null, $fas $dvq = '(' . array_to_devicequery($devices) . ')'; } + $repeatOrCount = 'sessions'; + + if( !$fastMode ) + $repeatOrCount = 'repeatcnt'; + $startString = date('Y/m/d H:i:00', $startTimestamp); if( $endTimestamp === null ) @@ -1586,7 +1591,15 @@ public function &API_getServiceStats($startTimestamp, $endTimestamp = null, $fas $endString = date('Y/m/d H:00:00', $endTimestamp); $query = "" - . "<" . $type . ">protodport" + . "<" . $type . ">"; + if( !$fastMode ) + $query .= "proto"; + + $query .= "dport"; + $query .= "app"; + + $query .= "" + . "{$repeatOrCount}" . "" #. "" . $timePeriod . "" . "{$startString}" @@ -1655,6 +1668,11 @@ public function &API_getAddressStats($startTimestamp, $endTimestamp = null, $src $first = FALSE; } + $repeatOrCount = 'sessions'; + + if( !$fastMode ) + $repeatOrCount = 'repeatcnt'; + $startString = date('Y/m/d H:i:00', $startTimestamp); if( $endTimestamp === null ) 
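Review bot: `$fastMode` now controls two things at once in `API_getServiceStats` — the aggregate column (`sessions` versus `repeatcnt`) and whether `proto` is requested — yet nothing documents that the fast variant returns rows without a `proto` key, so callers reading `$entry['proto']` get nothing back without an error. Add a docblock line such as `@param bool $fastMode when TRUE aggregate by sessions and omit the proto column; when FALSE aggregate by repeatcnt and include proto`. The identical `$repeatOrCount` selection is repeated in `API_getAddressStats` (hunk `@@ -1655`); a small private helper returning the aggregate name would keep the two from drifting. Both enclosing methods start outside their hunks.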
@@ -1665,9 +1683,29 @@ public function &API_getAddressStats($startTimestamp, $endTimestamp = null, $src $endString = date('Y/m/d H:00:00', $endTimestamp); $query = "" - . "<" . $type . ">" . $srcORdst . "" - . "sessions" - . "" + . "<" . $type . ">"; + + if( $srcORdst == "both" or $srcORdst == "srcdstsrv" ) + { + $query .= "src"; + $query .= "dst"; + } + else + $query .= "" . $srcORdst . ""; + + $query .= "" + . ""; + if( $srcORdst == "srcdstsrv" ) + { + $query .= "dport"; + $query .= "app"; + if( !$fastMode ) + $query .= "proto"; + } + + $query .= "{$repeatOrCount}"; + + $query .= "" #. "" . $timePeriod . "" . "{$startString}" . "{$endString}" diff --git a/utils/common/actions-rule.php b/utils/common/actions-rule.php index ed84eae4..204b236a 100644 --- a/utils/common/actions-rule.php +++ b/utils/common/actions-rule.php 
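Review bot: `$srcORdst` is concatenated straight into the query in the `else` branch (`$query .= "" . $srcORdst . "";`), so any value other than the four the method handles becomes part of the XML sent to the device rather than an error; since the method is public, check it up front, `if( !in_array($srcORdst, array('src', 'dst', 'both', 'srcdstsrv'), TRUE) ) derr( "unsupported srcORdst value '{$srcORdst}'" );`. The `both` and `srcdstsrv` branches also change the shape of the result (two address columns, plus `dport`/`app` and, outside fast mode, `proto`), which callers of the previous single-column form must know about; a docblock listing the accepted values and the columns each one returns is needed. The enclosing `API_getAddressStats` starts outside the hunk.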
@@ -5753,4 +5753,283 @@ else $object->setDescription($newDescription); } +); + +RuleCallContext::$supportedActions[] = Array( + 'name' => 'appid-stats-FastAPI', + 'section' => 'application', + 'MainFunction' => function(RuleCallContext $context) + { + $rule = $context->object; + $customLogHistory = $context->arguments['logHistory']; + if( $customLogHistory == "last-15-minutes" ) + $logHistory = 15 * 60; + elseif( is_int($customLogHistory) ) + $logHistory = $customLogHistory * 24 * 3600; + else + $logHistory = strtotime($customLogHistory); + + + if( $context->isAPI ) + { + $report = $rule->API_getAppContainerStats2( time() - ($logHistory), time() + 0, false ); + if( count( $report ) > 0 ) + { + PH::print_stdout( " - found APPID traffic: ".count($report)); + foreach($report as $entry) + { + $string = " - ".$entry['app']; + if( isset($entry['repeatcnt']) ) + $string .= " - count: ".$entry['repeatcnt']; + elseif( isset($entry['session']) ) + $string .= " - session: ".$entry['sessions']; + + PH::print_stdout( $string ); + } + + } + } + else + derr( 'only supported in API mode' ); + }, + 'args' => Array( 'logHistory' => Array( 'type' => 'string', 'default' => 'last-15-minutes' ) ), + 'help' => 'returns TRUE if rule name matches the specified timestamp MM/DD/YYYY [american] / DD-MM-YYYY [european] / 21 September 2021 / -90 days', +); + +RuleCallContext::$supportedActions[] = Array( + 'name' => 'service-stats-FastAPI', + 'section' => 'service', + 'MainFunction' => function(RuleCallContext $context) + { + $rule = $context->object; + $customLogHistory = $context->arguments['logHistory']; + if( $customLogHistory == "last-15-minutes" ) + $logHistory = 15 * 60; + elseif( is_int($customLogHistory) ) + $logHistory = $customLogHistory * 24 * 3600; + else + $logHistory = strtotime($customLogHistory); + + + if( $context->isAPI ) + { + $report = $rule->API_getServiceStats( time() - ($logHistory), time() + 0, false ); + if( count( $report ) > 0 ) + { + PH::print_stdout( " - found SRV 
traffic: ".count($report)); + foreach($report as $entry) + { + $string = " - ".$entry['dport']." - ".$entry['app']; + if( isset($entry['repeatcnt']) ) + $string .= " - count: ".$entry['repeatcnt']; + elseif( isset($entry['session']) ) + $string .= " - session: ".$entry['sessions']; + if( isset($entry['proto']) ) + $string .= " - protocol: ".$entry['proto']; + + PH::print_stdout( $string ); + } + + } + } + else + derr( 'only supported in API mode' ); + }, + 'args' => Array( 'logHistory' => Array( 'type' => 'string', 'default' => 'last-15-minutes' ) ), + 'help' => 'returns TRUE if rule name matches the specified timestamp MM/DD/YYYY [american] / DD-MM-YYYY [european] / 21 September 2021 / -90 days', +); +RuleCallContext::$supportedActions[] = Array( + 'name' => 'address-source-stats-FastAPI', + 'section' => 'address', + 'MainFunction' => function(RuleCallContext $context) + { + $rule = $context->object; + $customLogHistory = $context->arguments['logHistory']; + if( $customLogHistory == "last-15-minutes" ) + $logHistory = 15 * 60; + elseif( is_int($customLogHistory) ) + $logHistory = $customLogHistory * 24 * 3600; + else + $logHistory = strtotime($customLogHistory); + + if( $context->isAPI ) + { + $report_src = $rule->API_getAddressStats( time() - ($logHistory ), time() + 0, 'src', false ); + if( count( $report_src ) > 0 ) + { + PH::print_stdout( " - found SRC traffic: ".count($report_src)); + foreach($report_src as $entry) + { + $string = " - ".$entry['src']; + if( isset($entry['repeatcnt']) ) + $string .= " - count: ".$entry['repeatcnt']; + elseif( isset($entry['session']) ) + $string .= " - session: ".$entry['sessions']; + + PH::print_stdout( $string ); + } + } + } + else + derr( 'only supported in API mode' ); + }, + 'args' => Array( 'logHistory' => Array( 'type' => 'string', 'default' => 'last-15-minutes' ) ), + 'help' => 'returns TRUE if rule name matches the specified timestamp MM/DD/YYYY [american] / DD-MM-YYYY [european] / 21 September 2021 / -90 days', +); 
+RuleCallContext::$supportedActions[] = Array( + 'name' => 'address-destination-stats-FastAPI', + 'section' => 'address', + 'MainFunction' => function(RuleCallContext $context) + { + $rule = $context->object; + $customLogHistory = $context->arguments['logHistory']; + if( $customLogHistory == "last-15-minutes" ) + $logHistory = 15 * 60; + elseif( is_int($customLogHistory) ) + $logHistory = $customLogHistory * 24 * 3600; + else + $logHistory = strtotime($customLogHistory); + + if( $context->isAPI ) + { + $report_dst = $rule->API_getAddressStats( time() - ($logHistory), time() + 0 , 'dst', false ); + if( count( $report_dst ) > 0 ) + { + PH::print_stdout( " - found DST traffic: ".count($report_dst)); + foreach($report_dst as $entry) + { + $string = " - ".$entry['dst']; + if( isset($entry['repeatcnt']) ) + $string .= " - count: ".$entry['repeatcnt']; + elseif( isset($entry['session']) ) + $string .= " - session: ".$entry['sessions']; + + PH::print_stdout( $string ); + } + } + } + else + derr( 'only supported in API mode' ); + }, + 'args' => Array( 'logHistory' => Array( 'type' => 'string', 'default' => 'last-15-minutes' ) ), + 'help' => 'returns TRUE if rule name matches the specified timestamp MM/DD/YYYY [american] / DD-MM-YYYY [european] / 21 September 2021 / -90 days', +); +RuleCallContext::$supportedActions[] = Array( + 'name' => 'address-stats-FastAPI', + 'section' => 'address', + 'MainFunction' => function(RuleCallContext $context) + { + $rule = $context->object; + $customLogHistory = $context->arguments['logHistory']; + if( $customLogHistory == "last-15-minutes" ) + $logHistory = 15 * 60; + elseif( is_int($customLogHistory) ) + $logHistory = $customLogHistory * 24 * 3600; + else + $logHistory = strtotime($customLogHistory); + + if( $context->isAPI ) + { + $report_src = $rule->API_getAddressStats( time() - ($logHistory), time() + 0 , 'src', false ); + $report_dst = $rule->API_getAddressStats( time() - ($logHistory), time() + 0 , 'dst', false ); + + if( count( 
$report_src ) > 0 ) + { + PH::print_stdout( " - found SRC traffic: ".count($report_src)); + foreach($report_src as $entry) + { + $string = " - ".$entry['src']; + if( isset($entry['repeatcnt']) ) + $string .= " - count: ".$entry['repeatcnt']; + elseif( isset($entry['session']) ) + $string .= " - session: ".$entry['sessions']; + + PH::print_stdout( $string ); + } + } + + PH::print_stdout(); + + if( count( $report_dst ) > 0 ) + { + PH::print_stdout( " - found DST traffic: ".count($report_dst)); + foreach($report_dst as $entry) + { + $string = " - ".$entry['dst']; + if( isset($entry['repeatcnt']) ) + $string .= " - count: ".$entry['repeatcnt']; + elseif( isset($entry['session']) ) + $string .= " - session: ".$entry['sessions']; + + PH::print_stdout( $string ); + } + } + + $report = $rule->API_getAddressStats( time() - ($logHistory), time() + 0 , 'both', false ); + + PH::print_stdout(); + + if( count( $report ) > 0 ) + { + PH::print_stdout( " - found SRC -> DST traffic: ".count($report)); + foreach($report as $flow) + { + $string = " - ".$entry['src']." 
-> ".$entry['dst']; + if( isset($entry['repeatcnt']) ) + $string .= " - count: ".$entry['repeatcnt']; + elseif( isset($entry['session']) ) + $string .= " - session: ".$entry['sessions']; + + PH::print_stdout( $string ); + } + } + } + else + derr( 'only supported in API mode' ); + }, + 'args' => Array( 'logHistory' => Array( 'type' => 'string', 'default' => 'last-15-minutes' ) ), + 'help' => 'returns TRUE if rule name matches the specified timestamp MM/DD/YYYY [american] / DD-MM-YYYY [european] / 21 September 2021 / -90 days', +); + +RuleCallContext::$supportedActions[] = Array( + 'name' => 'traffic-stats-FastAPI', + 'section' => 'address', + 'MainFunction' => function(RuleCallContext $context) + { + $rule = $context->object; + $customLogHistory = $context->arguments['logHistory']; + if( $customLogHistory == "last-15-minutes" ) + $logHistory = 15 * 60; + elseif( is_int($customLogHistory) ) + $logHistory = $customLogHistory * 24 * 3600; + else + $logHistory = strtotime($customLogHistory); + + if( $context->isAPI ) + { + $report = $rule->API_getAddressStats( time() - ($logHistory), time() + 0 , 'srcdstsrv', false ); + + if( count( $report ) > 0 ) + { + PH::print_stdout( " - found SRC -> DST -> SRV traffic: ".count($report)); + foreach($report as $entry) + { + $string = " - ".$entry['src']." -> ".$entry['dst']; + $string .= " - port: ".$entry['dport'];//." 
- app: ".$entry['app']; + if( isset($entry['proto']) ) + $string .= " - protocol: ".$entry['proto']; + if( isset($entry['repeatcnt']) ) + $string .= " - count: ".$entry['repeatcnt']; + elseif( isset($entry['session']) ) + $string .= " - session: ".$entry['sessions']; + + PH::print_stdout( $string ); + } + } + } + else + derr( 'only supported in API mode' ); + }, + 'args' => Array( 'logHistory' => Array( 'type' => 'string', 'default' => 'last-15-minutes' ) ), + 'help' => 'returns TRUE if rule name matches the specified timestamp MM/DD/YYYY [american] / DD-MM-YYYY [european] / 21 September 2021 / -90 days', ); \ No newline at end of file From 938efd93e3d63b539574ab04bec8158ea746da64 Mon Sep 17 00:00:00 2001 From: Sven Waschkut Date: Fri, 29 Sep 2023 13:13:09 +0200 Subject: [PATCH 30/35] type=rule new actions rename - start with "stats-" --- CHANGELOG.txt | 2 +- utils/common/actions-rule.php | 12 +- utils/develop/ui/json_array.js | 181 +++++++++++++++++++++++++++++- utils/lib/util_action_filter.json | 181 +++++++++++++++++++++++++++++- 4 files changed, 363 insertions(+), 13 deletions(-) diff --git a/CHANGELOG.txt b/CHANGELOG.txt index c2d624a5..cbf05603 100644 --- a/CHANGELOG.txt +++ b/CHANGELOG.txt @@ -13,7 +13,7 @@ UTIL: * develop | introduce config_validation.php * type=appid-toolbox | improvements for further. new features - example rule address/service report generator * type=rule actions=name-replace-character | set default value for replace to '' -* type=rule | introduce new actions=appid-stats-fastapi:-90days/service-stats-fastapi:/address-source-stats-fastapi/address-destination-stats-fastapi/address-stats-fastapi/traffic-stats-fastapi +* type=rule | introduce new actions=stats-appid-fastapi:-90days/stats-service-fastapi:/stats-address-source-fastapi/stats-address-destination-fastapi/stats-address-fastapi/stats-traffic-fastapi BUGFIX: * class PANConf|VirtualSystem | bugfix to support SharedGateway also for Tag objects correctly 
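Review bot: `$logHistory` mixes a duration with an absolute time: for `last-15-minutes` and the integer branch it is a number of seconds, but `strtotime($customLogHistory)` returns an absolute timestamp, so for the documented `-90 days` form `time() - ($logHistory)` becomes a value near 1970 and the report covers the device's whole log history instead of 90 days, while an unparseable value returns `false` and silently collapses the window to `time()`. Since `logHistory` is declared `'type' => 'string'`, `is_int()` presumably never matches either; computing the start timestamp directly with `is_numeric()` and a parse check fixes all three, as in the excerpt below, and because the block is duplicated verbatim in all six actions it belongs in one shared helper. Every action tests `isset($entry['session'])` but then reads `$entry['sessions']`, so the session branch never prints (or reads a missing key) — use `isset($entry['sessions'])` — and in `stats-address-FastAPI` the third loop iterates `$flow` while its body still uses `$entry`, printing the previous loop's last row. All six actions pass `false` as the last argument (presumably `$fastMode`), so despite the `-FastAPI` suffix they run the `repeatcnt` variant; confirm which was intended. The `'help'` text is copied from a name-matching action ("returns TRUE if rule name matches ...") and should describe the report, e.g. `'help' => 'print per-application traffic statistics for this rule; logHistory accepts last-15-minutes, a number of days, or any strtotime() expression such as -90 days'`.
```php
// … unchanged: $rule = $context->object; …
$customLogHistory = $context->arguments['logHistory'];
if( $customLogHistory == "last-15-minutes" )
    $startTimestamp = time() - 15 * 60;
elseif( is_numeric($customLogHistory) )
    $startTimestamp = time() - intval($customLogHistory) * 24 * 3600;
else
{
    $startTimestamp = strtotime($customLogHistory);
    if( $startTimestamp === FALSE )
        derr( "unsupported logHistory value '{$customLogHistory}'" );
}

if( $context->isAPI )
{
    $report = $rule->API_getAppContainerStats2( $startTimestamp, time(), false );
    // … unchanged: output loop (test isset($entry['sessions']) to match the key that is read) …
```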
diff --git a/utils/common/actions-rule.php b/utils/common/actions-rule.php index 204b236a..910186c2 100644 --- a/utils/common/actions-rule.php +++ b/utils/common/actions-rule.php @@ -5756,7 +5756,7 @@ ); RuleCallContext::$supportedActions[] = Array( - 'name' => 'appid-stats-FastAPI', + 'name' => 'stats-appid-FastAPI', 'section' => 'application', 'MainFunction' => function(RuleCallContext $context) { @@ -5797,7 +5797,7 @@ ); RuleCallContext::$supportedActions[] = Array( - 'name' => 'service-stats-FastAPI', + 'name' => 'stats-service-FastAPI', 'section' => 'service', 'MainFunction' => function(RuleCallContext $context) { @@ -5839,7 +5839,7 @@ 'help' => 'returns TRUE if rule name matches the specified timestamp MM/DD/YYYY [american] / DD-MM-YYYY [european] / 21 September 2021 / -90 days', ); RuleCallContext::$supportedActions[] = Array( - 'name' => 'address-source-stats-FastAPI', + 'name' => 'stats-address-source-FastAPI', 'section' => 'address', 'MainFunction' => function(RuleCallContext $context) { @@ -5877,7 +5877,7 @@ 'help' => 'returns TRUE if rule name matches the specified timestamp MM/DD/YYYY [american] / DD-MM-YYYY [european] / 21 September 2021 / -90 days', ); RuleCallContext::$supportedActions[] = Array( - 'name' => 'address-destination-stats-FastAPI', + 'name' => 'stats-address-destination-FastAPI', 'section' => 'address', 'MainFunction' => function(RuleCallContext $context) { @@ -5915,7 +5915,7 @@ 'help' => 'returns TRUE if rule name matches the specified timestamp MM/DD/YYYY [american] / DD-MM-YYYY [european] / 21 September 2021 / -90 days', ); RuleCallContext::$supportedActions[] = Array( - 'name' => 'address-stats-FastAPI', + 'name' => 'stats-address-FastAPI', 'section' => 'address', 'MainFunction' => function(RuleCallContext $context) { 
@@ -5992,7 +5992,7 @@ ); RuleCallContext::$supportedActions[] = Array( - 'name' => 'traffic-stats-FastAPI', + 'name' => 'stats-traffic-FastAPI', 'section' => 'address', 'MainFunction' => function(RuleCallContext $context) { diff --git a/utils/develop/ui/json_array.js b/utils/develop/ui/json_array.js index 90e11133..4597abc6 100644 --- a/utils/develop/ui/json_array.js +++ b/utils/develop/ui/json_array.js @@ -2288,6 +2288,10 @@ var subjectObject = "section": "app", "MainFunction": {} }, + "appid-toolbox-cleanup": { + "name": "appid-toolbox-cleanup", + "MainFunction": {} + }, "bidirnat-split": { "name": "biDirNat-Split", "MainFunction": {}, @@ -2393,7 +2397,7 @@ var subjectObject = "default": "" } }, - "help": "possible variable $$comma$$ or $$forwardslash$$ or $$colon$$ or $$pipe$$ or $$newline$$; example \"actions=description-Replace-Character:$$comma$$word1\"" + "help": "possible variable $$comma$$ or $$forwardslash$$ or $$colon$$ or $$pipe$$ or $$newline$$ or $$appRID#$$; example \"actions=description-Replace-Character:$$comma$$word1\"" }, "disabled-set": { "name": "disabled-Set", @@ -2684,6 +2688,17 @@ var subjectObject = } } }, + "from-remove-from-file": { + "name": "from-Remove-from-file", + "section": "zone", + "MainFunction": {}, + "args": { + "fileName": { + "type": "string", + "default": "*nodefault*" + } + } + }, "from-replace": { "name": "from-Replace", "section": "zone", @@ -2953,7 +2968,7 @@ var subjectObject = }, "replace": { "type": "string", - "default": "*nodefault*" + "default": "" } }, "help": "" 
@@ -3275,6 +3290,78 @@ var subjectObject = "section": "address", "MainFunction": {} }, + "stats-address-destination-fastapi": { + "name": "stats-address-destination-FastAPI", + "section": "address", + "MainFunction": {}, + "args": { + "logHistory": { + "type": "string", + "default": "last-15-minutes" + } + }, + "help": "returns TRUE if rule name matches the specified timestamp MM\/DD\/YYYY [american] \/ DD-MM-YYYY [european] \/ 21 September 2021 \/ -90 days" + }, + "stats-address-fastapi": { + "name": "stats-address-FastAPI", + "section": "address", + "MainFunction": {}, + "args": { + "logHistory": { + "type": "string", + "default": "last-15-minutes" + } + }, + "help": "returns TRUE if rule name matches the specified timestamp MM\/DD\/YYYY [american] \/ DD-MM-YYYY [european] \/ 21 September 2021 \/ -90 days" + }, + "stats-address-source-fastapi": { + "name": "stats-address-source-FastAPI", + "section": "address", + "MainFunction": {}, + "args": { + "logHistory": { + "type": "string", + "default": "last-15-minutes" + } + }, + "help": "returns TRUE if rule name matches the specified timestamp MM\/DD\/YYYY [american] \/ DD-MM-YYYY [european] \/ 21 September 2021 \/ -90 days" + }, + "stats-appid-fastapi": { + "name": "stats-appid-FastAPI", + "section": "application", + "MainFunction": {}, + "args": { + "logHistory": { + "type": "string", + "default": "last-15-minutes" + } + }, + "help": "returns TRUE if rule name matches the specified timestamp MM\/DD\/YYYY [american] \/ DD-MM-YYYY [european] \/ 21 September 2021 \/ -90 days" + }, + "stats-service-fastapi": { + "name": "stats-service-FastAPI", + "section": "service", + "MainFunction": {}, + "args": { + "logHistory": { + "type": "string", + "default": "last-15-minutes" + } + }, + "help": "returns TRUE if rule name matches the specified timestamp MM\/DD\/YYYY [american] \/ DD-MM-YYYY [european] \/ 21 September 2021 \/ -90 days" + }, + "stats-traffic-fastapi": { + "name": "stats-traffic-FastAPI", + "section": "address", + 
"MainFunction": {}, + "args": { + "logHistory": { + "type": "string", + "default": "last-15-minutes" + } + }, + "help": "returns TRUE if rule name matches the specified timestamp MM\/DD\/YYYY [american] \/ DD-MM-YYYY [european] \/ 21 September 2021 \/ -90 days" + }, "tag-add": { "name": "tag-Add", "section": "tag", @@ -3455,6 +3542,17 @@ var subjectObject = } } }, + "to-remove-from-file": { + "name": "to-Remove-from-file", + "section": "zone", + "MainFunction": {}, + "args": { + "fileName": { + "type": "string", + "default": "*nodefault*" + } + } + }, "to-replace": { "name": "to-Replace", "section": "zone", 
@@ -7091,12 +7189,89 @@ var subjectObject = "static-route": { "name": "static-route", "action": { + "delete": { + "name": "delete", + "MainFunction": {} + }, "display": { "name": "display", "MainFunction": {} } }, - "filter": [] + "filter": { + "destination": { + "operators": { + "ip4.includes-full": { + "Function": {}, + "arg": true, + "ci": { + "fString": "(%PROP% 1.1.1.1)", + "input": "input\/panorama-8.0.xml" + } + } + } + }, + "name": { + "operators": { + "eq": { + "Function": {}, + "arg": true, + "ci": { + "fString": "(%PROP% ethernet1\/1)", + "input": "input\/panorama-8.0.xml" + } + } + } + }, + "nexthop-interface": { + "operators": { + "is.set": { + "Function": {}, + "arg": false, + "ci": { + "fString": "(%PROP% ethernet1\/1)", + "input": "input\/panorama-8.0.xml" + } + } + } + }, + "nexthop-ip": { + "operators": { + "is.set": { + "Function": {}, + "arg": false, + "ci": { + "fString": "(%PROP% ethernet1\/1)", + "input": "input\/panorama-8.0.xml" + } + } + } + }, + "nexthop-vr": { + "operators": { + "is.set": { + "Function": {}, + "arg": false, + "ci": { + "fString": "(%PROP% ethernet1\/1)", + "input": "input\/panorama-8.0.xml" + } + } + } + }, + "virtualrouter-name": { + "operators": { + "eq": { + "Function": {}, + "arg": true, + "ci": { + "fString": "(%PROP% ethernet1\/1)", + "input": "input\/panorama-8.0.xml" + } + } + } + } + } }, "stats": { "name": "stats", diff --git a/utils/lib/util_action_filter.json b/utils/lib/util_action_filter.json index 55ecd7e7..d0183440 100644 --- a/utils/lib/util_action_filter.json +++ b/utils/lib/util_action_filter.json @@ -2287,6 +2287,10 @@ "section": "app", "MainFunction": {} }, + "appid-toolbox-cleanup": { + "name": "appid-toolbox-cleanup", + "MainFunction": {} + }, "bidirnat-split": { "name": "biDirNat-Split", "MainFunction": {}, 
@@ -2392,7 +2396,7 @@ "default": "" } }, - "help": "possible variable $$comma$$ or $$forwardslash$$ or $$colon$$ or $$pipe$$ or $$newline$$; example \"actions=description-Replace-Character:$$comma$$word1\"" + "help": "possible variable $$comma$$ or $$forwardslash$$ or $$colon$$ or $$pipe$$ or $$newline$$ or $$appRID#$$; example \"actions=description-Replace-Character:$$comma$$word1\"" }, "disabled-set": { "name": "disabled-Set", @@ -2683,6 +2687,17 @@ } } }, + "from-remove-from-file": { + "name": "from-Remove-from-file", + "section": "zone", + "MainFunction": {}, + "args": { + "fileName": { + "type": "string", + "default": "*nodefault*" + } + } + }, "from-replace": { "name": "from-Replace", "section": "zone", @@ -2952,7 +2967,7 @@ }, "replace": { "type": "string", - "default": "*nodefault*" + "default": "" } }, "help": "" 
@@ -3274,6 +3289,78 @@ "section": "address", "MainFunction": {} }, + "stats-address-destination-fastapi": { + "name": "stats-address-destination-FastAPI", + "section": "address", + "MainFunction": {}, + "args": { + "logHistory": { + "type": "string", + "default": "last-15-minutes" + } + }, + "help": "returns TRUE if rule name matches the specified timestamp MM\/DD\/YYYY [american] \/ DD-MM-YYYY [european] \/ 21 September 2021 \/ -90 days" + }, + "stats-address-fastapi": { + "name": "stats-address-FastAPI", + "section": "address", + "MainFunction": {}, + "args": { + "logHistory": { + "type": "string", + "default": "last-15-minutes" + } + }, + "help": "returns TRUE if rule name matches the specified timestamp MM\/DD\/YYYY [american] \/ DD-MM-YYYY [european] \/ 21 September 2021 \/ -90 days" + }, + "stats-address-source-fastapi": { + "name": "stats-address-source-FastAPI", + "section": "address", + "MainFunction": {}, + "args": { + "logHistory": { + "type": "string", + "default": "last-15-minutes" + } + }, + "help": "returns TRUE if rule name matches the specified timestamp MM\/DD\/YYYY [american] \/ DD-MM-YYYY [european] \/ 21 September 2021 \/ -90 days" + }, + "stats-appid-fastapi": { + "name": "stats-appid-FastAPI", + "section": "application", + "MainFunction": {}, + "args": { + "logHistory": { + "type": "string", + "default": "last-15-minutes" + } + }, + "help": "returns TRUE if rule name matches the specified timestamp MM\/DD\/YYYY [american] \/ DD-MM-YYYY [european] \/ 21 September 2021 \/ -90 days" + }, + "stats-service-fastapi": { + "name": "stats-service-FastAPI", + "section": "service", + "MainFunction": {}, + "args": { + "logHistory": { + "type": "string", + "default": "last-15-minutes" + } + }, + "help": "returns TRUE if rule name matches the specified timestamp MM\/DD\/YYYY [american] \/ DD-MM-YYYY [european] \/ 21 September 2021 \/ -90 days" + }, + "stats-traffic-fastapi": { + "name": "stats-traffic-FastAPI", + "section": "address", + "MainFunction": {}, 
+ "args": { + "logHistory": { + "type": "string", + "default": "last-15-minutes" + } + }, + "help": "returns TRUE if rule name matches the specified timestamp MM\/DD\/YYYY [american] \/ DD-MM-YYYY [european] \/ 21 September 2021 \/ -90 days" + }, "tag-add": { "name": "tag-Add", "section": "tag", @@ -3454,6 +3541,17 @@ } } }, + "to-remove-from-file": { + "name": "to-Remove-from-file", + "section": "zone", + "MainFunction": {}, + "args": { + "fileName": { + "type": "string", + "default": "*nodefault*" + } + } + }, "to-replace": { "name": "to-Replace", "section": "zone", @@ -7090,12 +7188,89 @@ "static-route": { "name": "static-route", "action": { + "delete": { + "name": "delete", + "MainFunction": {} + }, "display": { "name": "display", "MainFunction": {} } }, - "filter": [] + "filter": { + "destination": { + "operators": { + "ip4.includes-full": { + "Function": {}, + "arg": true, + "ci": { + "fString": "(%PROP% 1.1.1.1)", + "input": "input\/panorama-8.0.xml" + } + } + } + }, + "name": { + "operators": { + "eq": { + "Function": {}, + "arg": true, + "ci": { + "fString": "(%PROP% ethernet1\/1)", + "input": "input\/panorama-8.0.xml" + } + } + } + }, + "nexthop-interface": { + "operators": { + "is.set": { + "Function": {}, + "arg": false, + "ci": { + "fString": "(%PROP% ethernet1\/1)", + "input": "input\/panorama-8.0.xml" + } + } + } + }, + "nexthop-ip": { + "operators": { + "is.set": { + "Function": {}, + "arg": false, + "ci": { + "fString": "(%PROP% ethernet1\/1)", + "input": "input\/panorama-8.0.xml" + } + } + } + }, + "nexthop-vr": { + "operators": { + "is.set": { + "Function": {}, + "arg": false, + "ci": { + "fString": "(%PROP% ethernet1\/1)", + "input": "input\/panorama-8.0.xml" + } + } + } + }, + "virtualrouter-name": { + "operators": { + "eq": { + "Function": {}, + "arg": true, + "ci": { + "fString": "(%PROP% ethernet1\/1)", + "input": "input\/panorama-8.0.xml" + } + } + } + } + } }, "stats": { "name": "stats", 
From 5887d31828b0f6fb78738b53cdbf0761a6d0e1c2 Mon Sep 17 00:00:00 2001 From: Sven Waschkut Date: Tue, 3 Oct 2023 09:15:50 +0200 Subject: [PATCH 31/35] type=routing | introduce actions=exporttoexcel:file.html | 'filter=(protocol.bgp is.enabled)' --- CHANGELOG.txt | 2 + lib/misc-classes/RQuery.php | 2 + lib/misc-classes/filters/filters-Routing.php | 14 +++ lib/network-classes/VirtualRouter.php | 18 +++ utils/common/CallContext.php | 3 + utils/common/RuleCallContext.php | 33 +++++ utils/common/actions-routing.php | 122 +++++++++++++++++++ utils/common/actions-rule.php | 71 +++++++++++ 8 files changed, 265 insertions(+) mode change 100644 => 100755 CHANGELOG.txt mode change 100644 => 100755 lib/misc-classes/RQuery.php mode change 100644 => 100755 lib/misc-classes/filters/filters-Routing.php mode change 100644 => 100755 lib/network-classes/VirtualRouter.php mode change 100644 => 100755 utils/common/CallContext.php mode change 100644 => 100755 utils/common/RuleCallContext.php mode change 100644 => 100755 utils/common/actions-routing.php mode change 100644 => 100755 utils/common/actions-rule.php diff --git a/CHANGELOG.txt b/CHANGELOG.txt old mode 100644 new mode 100755 index cbf05603..fd3852c5 --- a/CHANGELOG.txt +++ b/CHANGELOG.txt @@ -14,6 +14,8 @@ UTIL: * type=appid-toolbox | improvements for further. new features - example rule address/service report generator * type=rule actions=name-replace-character | set default value for replace to '' * type=rule | introduce new actions=stats-appid-fastapi:-90days/stats-service-fastapi:/stats-address-source-fastapi/stats-address-destination-fastapi/stats-address-fastapi/stats-traffic-fastapi +* type=routing | introduce actions=exporttoexcel:file.html +* type=routing | introduce 'filter=(protocol.bgp is.enabled)' BUGFIX: * class PANConf|VirtualSystem | bugfix to support SharedGateway also for Tag objects correctly 
diff --git a/lib/misc-classes/RQuery.php b/lib/misc-classes/RQuery.php old mode 100644 new mode 100755 index 499812db..332d2b13 --- a/lib/misc-classes/RQuery.php +++ b/lib/misc-classes/RQuery.php @@ -103,6 +103,8 @@ public function __construct($objectType, $level = 0) $this->contextObject = new ThreatRQueryContext($this); elseif( $this->objectType == 'interface' ) $this->contextObject = new InterfaceRQueryContext($this); + elseif( $this->objectType == 'routing' ) + $this->contextObject = new RoutingRQueryContext($this); elseif( $this->objectType == 'dhcp' ) $this->contextObject = new DHCPRQueryContext($this); elseif( $this->objectType == 'certificate' ) diff --git a/lib/misc-classes/filters/filters-Routing.php b/lib/misc-classes/filters/filters-Routing.php old mode 100644 new mode 100755 index 5f1fd7f7..5eb17706 --- a/lib/misc-classes/filters/filters-Routing.php +++ b/lib/misc-classes/filters/filters-Routing.php @@ -14,6 +14,20 @@ ) ); +RQuery::$defaultFilters['routing']['protocol.bgp']['operators']['is.enabled'] = Array( + 'Function' => function(RoutingRQueryContext $context ) + { + $object = $context->object; + if( isset( $object->routingProtocols['bgp'] ) and $object->routingProtocols['bgp']['enabled'] == "yes" ) + return TRUE; + return FALSE; + }, + 'arg' => false, + 'ci' => Array( + 'fString' => '(%PROP% ethernet1/1)', + 'input' => 'input/panorama-8.0.xml' + ) +); // \ No newline at end of file diff --git a/lib/network-classes/VirtualRouter.php b/lib/network-classes/VirtualRouter.php old mode 100644 new mode 100755 index be4428b5..21e733b6 --- a/lib/network-classes/VirtualRouter.php +++ b/lib/network-classes/VirtualRouter.php @@ -33,6 +33,8 @@ class VirtualRouter /** @var InterfaceContainer */ public $attachedInterfaces; + public $routingProtocols = array(); + protected $xmlroot_protocol = false; protected $fastMemToIndex; 
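Review bot: The `protocol.bgp is.enabled` filter reads `$object->routingProtocols['bgp']['enabled']` after checking only `isset( $object->routingProtocols['bgp'] )`, but the loader in `VirtualRouter::load_from_domxml` (hunk `@@ -63` on the next line) creates the protocol entry before it looks for the `enable` element and sets `['enabled']` only when that element exists, so a `bgp` block without it triggers an undefined-index notice; test `isset( $object->routingProtocols['bgp']['enabled'] )` instead. The `'ci'` block is copied from an interface filter: `'fString' => '(%PROP% ethernet1/1)'` supplies an argument to a filter declared `'arg' => false`, so the self-test string presumably should carry none. A one-line comment noting that `enabled` holds the raw text of the `enable` element (compared against `"yes"` here) would help readers of both files.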
@@ -63,6 +65,22 @@ public function load_from_domxml($xml) $this->xmlroot_protocol = DH::findFirstElement('protocol', $xml); + if( $this->xmlroot_protocol !== False ) + { + foreach( $this->xmlroot_protocol->childNodes as $node ) + { + if( $node->nodeType != XML_ELEMENT_NODE ) + continue; + + $tmpProtocolName = $node->nodeName; + $this->routingProtocols[$tmpProtocolName] = array(); + + $protocolEnabled = DH::findFirstElement("enable", $node); + if( $protocolEnabled !== FALSE ) + $this->routingProtocols[$tmpProtocolName]['enabled'] = $protocolEnabled->textContent; + } + } + $node = DH::findFirstElementOrCreate('interface', $xml); $this->attachedInterfaces->load_from_domxml($node); diff --git a/utils/common/CallContext.php b/utils/common/CallContext.php old mode 100644 new mode 100755 index ff4cef0b..0ee46a8c --- a/utils/common/CallContext.php +++ b/utils/common/CallContext.php @@ -34,6 +34,9 @@ class CallContext public $isSaseAPI = FALSE; public $projectFolder = null; + public $first; + public $uuid; + /** @var $baseObject PANConf|PanoramaConf */ public $baseObject; diff --git a/utils/common/RuleCallContext.php b/utils/common/RuleCallContext.php old mode 100644 new mode 100755 index 439b3695..b371770a --- a/utils/common/RuleCallContext.php +++ b/utils/common/RuleCallContext.php @@ -29,6 +29,8 @@ class RuleCallContext extends CallContext public $ruleList; public $cachedList; + public $mergeArray; + static public function prepareSupportedActions() { $tmpArgs = array(); 
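Review bot: `routingProtocols[<name>]['enabled']` is populated only when an `<enable>` element exists, so callers get an array without that key for protocols that omit it, and neither the loop nor the new property declaration says so. Either document the contract above the loop — `// 'enabled' is set only when <enable> is present; callers must isset() it before reading` — or make the key unconditional with `$this->routingProtocols[$tmpProtocolName] = array('enabled' => null);` so its absence is an explicit value rather than a missing index. `textContent` is stored untrimmed; if a config can carry whitespace around `yes`/`no` the downstream `== "yes"` comparison would miss it, so `trim($protocolEnabled->textContent)` is cheap insurance. load_from_domxml starts before and continues past this hunk.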
@@ -71,6 +73,37 @@ public function addRuleToMergedApiChange($setValue) $mergeArray[$subSystem->name()][$ruleLocation][$type][$rule->name()] = $setValue; } + public function addRuleToMergedApiChange2($rule, $setValue) + { + #$rule = $this->object; + + if( !isset($this->mergeArray) ) + $this->mergeArray = array(); + + $mergeArray = &$this->mergeArray; + $panoramaMode = $this->baseObject->isPanorama(); + $subSystem = $this->subSystem; + + + $classToType = array('SecurityRule' => 'security', 'NatRule' => 'nat', 'DefaultSecurityRule' => 'defaultsecurity'); + $type = $classToType[get_class($rule)]; + + if( !$panoramaMode ) + { + $mergeArray[$subSystem->name()][$type][$rule->name()] = $setValue; + return; + } + + $ruleLocation = 'pre-rulebase'; + if( $rule->isPostRule() ) + $ruleLocation = 'post-rulebase'; + + if( $rule->owner->owner->isPanorama() ) + $mergeArray['shared'][$ruleLocation][$type][$rule->name()] = $setValue; + else + $mergeArray[$subSystem->name()][$ruleLocation][$type][$rule->name()] = $setValue; + } + public function generateRuleMergedApiChangeString($forSharedRules = FALSE) { diff --git a/utils/common/actions-routing.php b/utils/common/actions-routing.php old mode 100644 new mode 100755 index c1c5c401..9fdbc794 --- a/utils/common/actions-routing.php +++ b/utils/common/actions-routing.php 
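Review bot: `$type = $classToType[get_class($rule)]` has no fallback, so a rule of any class outside the three mapped (SecurityRule, NatRule, DefaultSecurityRule) produces an undefined-index notice and its change is queued under a null key and silently dropped from the bundled API call. Fail loudly before `$type` is used: `if( !isset($classToType[get_class($rule)]) ) derr("unsupported rule class '".get_class($rule)."' for merged API change");`. The method also duplicates the body of addRuleToMergedApiChange above it with only the source of `$rule` changed; having the original delegate with `return $this->addRuleToMergedApiChange2($this->object, $setValue);` would stop the two copies drifting — assuming `$this->object` is what the original reads, which the commented `#$rule = $this->object;` suggests but the hunk does not show.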
@@ -42,3 +42,125 @@ //Todo: display routes to zone / Interface IP ); + +RoutingCallContext::$supportedActions[] = array( + 'name' => 'exportToExcel', + 'MainFunction' => function (RoutingCallContext $context) { + $object = $context->object; + $context->objectList[] = $object; + }, + 'GlobalInitFunction' => function (RoutingCallContext $context) { + $context->objectList = array(); + }, + 'GlobalFinishFunction' => function (RoutingCallContext $context) { + $args = &$context->arguments; + $filename = $args['filename']; + + if( isset( $_SERVER['REQUEST_METHOD'] ) ) + $filename = "project/html/".$filename; + + $lines = ''; + + + $addWhereUsed = FALSE; + $addUsedInLocation = FALSE; + + $optionalFields = &$context->arguments['additionalFields']; + + if( isset($optionalFields['WhereUsed']) ) + $addWhereUsed = TRUE; + + if( isset($optionalFields['UsedInLocation']) ) + $addUsedInLocation = TRUE; + + + $headers = 'IDTemplatelocationname'; + + if( $addWhereUsed ) + $headers .= 'where used'; + if( $addUsedInLocation ) + $headers .= 'location used'; + + $count = 0; + if( isset($context->objectList) ) + { + foreach( $context->objectList as $object ) + { + $count++; + + /** @var Tag $object */ + if( $count % 2 == 1 ) + $lines .= "\n"; + else + $lines .= ""; + + $lines .= $context->encloseFunction( (string)$count ); + + if( get_class($object->owner->owner) == "PANConf" ) + { + if( isset($object->owner->owner->owner) && $object->owner->owner->owner !== null && (get_class($object->owner->owner->owner) == "Template" || get_class($context->subSystem->owner) == "TemplateStack" ) ) + { + $lines .= $context->encloseFunction($object->owner->owner->owner->name()); + $lines .= $context->encloseFunction($object->owner->owner->name()); + } + else + { + $lines .= $context->encloseFunction("---"); + $lines .= $context->encloseFunction($object->owner->owner->name()); + } + } + + #$lines .= $context->encloseFunction(PH::getLocationString($object)); + + $lines .= 
$context->encloseFunction($object->name()); + + if( $addWhereUsed ) + { + $refTextArray = array(); + foreach( $object->getReferences() as $ref ) + $refTextArray[] = $ref->_PANC_shortName(); + + $lines .= $context->encloseFunction($refTextArray); + } + if( $addUsedInLocation ) + { + $refTextArray = array(); + foreach( $object->getReferences() as $ref ) + { + $location = PH::getLocationString($object->owner); + $refTextArray[$location] = $location; + } + + $lines .= $context->encloseFunction($refTextArray); + } + + $lines .= "\n"; + } + } + + $content = file_get_contents(dirname(__FILE__) . '/html/export-template.html'); + $content = str_replace('%TableHeaders%', $headers, $content); + + $content = str_replace('%lines%', $lines, $content); + + $jscontent = file_get_contents(dirname(__FILE__) . '/html/jquery.min.js'); + $jscontent .= "\n"; + $jscontent .= file_get_contents(dirname(__FILE__) . '/html/jquery.stickytableheaders.min.js'); + $jscontent .= "\n\$('table').stickyTableHeaders();\n"; + + $content = str_replace('%JSCONTENT%', $jscontent, $content); + + file_put_contents($filename, $content); + }, + 'args' => array('filename' => array('type' => 'string', 'default' => '*nodefault*'), + 'additionalFields' => + array('type' => 'pipeSeparatedList', + 'subtype' => 'string', + 'default' => '*NONE*', + 'choices' => array('WhereUsed', 'UsedInLocation'), + 'help' => + "pipe(|) separated list of additional field to include in the report. The following is available:\n" . + " - WhereUsed : list places where object is used (rules, groups ...)\n" . + " - UsedInLocation : list locations (vsys,dg,shared) where object is used\n") + ) +); \ No newline at end of file diff --git a/utils/common/actions-rule.php b/utils/common/actions-rule.php old mode 100644 new mode 100755 index 910186c2..7c137793 --- a/utils/common/actions-rule.php +++ b/utils/common/actions-rule.php 
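Review bot: In the `UsedInLocation` branch the loop over `$object->getReferences()` never uses `$ref` — every iteration calls `PH::getLocationString($object->owner)`, so the column always shows the router's own location instead of where each reference lives; the `WhereUsed` branch just above does use `$ref`, which points to `PH::getLocationString($ref->owner)` being intended (assuming the routing object implements getReferences(), which this page does not show). Separately, when `$_SERVER['REQUEST_METHOD']` is set the output path is built as `"project/html/".$filename` with `$filename` used exactly as supplied, so if that argument can be influenced by the HTTP client a value containing `../` writes outside `project/html`; use `$filename = "project/html/".basename($filename);` (or reject any path separator) in that branch. The `/** @var Tag $object */` annotation is a leftover from the tag exporter this was copied from and should name the routing object this context iterates.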
@@ -6032,4 +6032,75 @@ }, 'args' => Array( 'logHistory' => Array( 'type' => 'string', 'default' => 'last-15-minutes' ) ), 'help' => 'returns TRUE if rule name matches the specified timestamp MM/DD/YYYY [american] / DD-MM-YYYY [european] / 21 September 2021 / -90 days', +); +RuleCallContext::$supportedActions[] = array( + 'name' => 'create-new-Rule-from-file-FastAPI', + 'GlobalInitFunction' => function(RuleCallContext $context) + { + $context->uuid = array(); + $context->first = true; + }, + 'MainFunction' => function (RuleCallContext $context) { + $rule = $context->object; + + if( !$context->isAPI ) + derr('you cannot call this action without API mode'); + + if( $context->first ) + { + if( !isset($context->cachedList) ) + { + $text = file_get_contents($context->arguments['fileName']); + + if( $text === FALSE ) + derr("cannot open file '{$context->arguments['fileName']}"); + + $lines = explode("\n", $text); + foreach( $lines as $line ) + { + $line = trim($line); + if( strlen($line) == 0 ) + continue; + $list[$line] = TRUE; + } + + $context->cachedList = &$list; + } + else + $list = &$context->cachedList; + foreach( $list as $rulename => $truefalse ) + { + $tmpRule = $rule->owner->find( $rulename ); + if( $tmpRule == null ) + { + $tmpRule = $rule->owner->newSecurityRule( $rulename ); + + $string = "QUEUED for bundled API call"; + PH::ACTIONlog( $context, $string ); + + $newdoc = new DOMDocument; + $node = $newdoc->importNode($tmpRule->xmlroot, true); + $newdoc->appendChild($node); + + $string = ""; + foreach( $newdoc->documentElement->childNodes as $childnode ) + { + $lineReturn = false; + $indentingXmlIncreament = 1; + $indentingXml = 0; + $xml = &DH::dom_to_xml($childnode, $indentingXml, $lineReturn, -1, $indentingXmlIncreament); + #print $xml; + $string .= $xml; + } + + + $context->addRuleToMergedApiChange2($tmpRule, $string); + } + } + } + }, + 'GlobalFinishFunction' => function (RuleCallContext $context) { + $context->doBundled_API_Call(); + }, + 'args' => 
array('fileName' => array('type' => 'string', 'default' => '*nodefault*')), ); \ No newline at end of file From d6c89940d2e5e87556746ca8bf2c1a964517fb31 Mon Sep 17 00:00:00 2001 From: Sven Waschkut Date: Thu, 5 Oct 2023 23:29:06 +0200 Subject: [PATCH 32/35] type=schedule | bugfix actions=replacewithobject:OBJECTNAME --- CHANGELOG.txt | 1 + utils/common/actions-schedule.php | 8 ++++---- utils/develop/install_script_macos.sh | 7 +++++++ 3 files changed, 12 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.txt b/CHANGELOG.txt index fd3852c5..d75218e7 100755 --- a/CHANGELOG.txt +++ b/CHANGELOG.txt @@ -23,6 +23,7 @@ BUGFIX: * type=address-merger | bugfix - do not merger address objects if tag count of planned merged object exceeds PAN-OS limit of 64 tag members * type=address-merger | bugfix for removing tag objects from upper level, if adr merged objects are using them and tag is also available at address level * bugfix for argument 'location=shared:excludemaindg' on FW config file +* type=schedule | bugfix actions=replacewithobject:OBJECTNAME GENERAL: * Class VirtualSystem/SharedGatewayStore | better handling of version variable diff --git a/utils/common/actions-schedule.php b/utils/common/actions-schedule.php index ac2baab2..f573db0e 100644 --- a/utils/common/actions-schedule.php +++ b/utils/common/actions-schedule.php 
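Review bot: `$list` is never initialised before the `foreach( $lines as $line )` loop, so a file containing only blank lines leaves it undefined, `$context->cachedList = &$list` then stores null and the following `foreach( $list ...)` emits an invalid-argument warning; add `$list = array();` ahead of the loop. `$context->first` is set to true in GlobalInitFunction and never cleared, so the whole file is re-walked for every rule matched by the filter — harmless because `$rule->owner->find()` finds the rules created on the first pass, but it defeats the flag; set `$context->first = false;` at the end of the `if( $context->first )` block. Lines from the file become rule names verbatim apart from `trim()`, so a malformed name is only rejected by the device in the bundled API call at the very end, after every other rule has been queued.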
@@ -434,20 +434,20 @@ if( $foundObject === null ) derr("cannot find an object named '{$context->arguments['objectName']}'"); - /** @var ZoneRuleContainer $objectRef */ + /** @var SecurityRule $objectRef */ foreach( $objectRefs as $objectRef ) { $tmp_class = get_class($objectRef); - if( $tmp_class == "ZoneRuleContainer" ) + if( $tmp_class == "SecurityRule" ) { $string = "replacing in {$objectRef->toString()}"; PH::ACTIONlog( $context, $string ); if( $context->isAPI ) - $objectRef->API_replaceReferencedObject($object, $foundObject); + $objectRef->API_setSchedule($foundObject); else - $objectRef->replaceReferencedObject($object, $foundObject); + $objectRef->setSchedule($foundObject); } else { diff --git a/utils/develop/install_script_macos.sh b/utils/develop/install_script_macos.sh index d553569a..b9be6b0b 100644 --- a/utils/develop/install_script_macos.sh +++ b/utils/develop/install_script_macos.sh @@ -9,7 +9,10 @@ echo "START \"install script for MACOS\"" \ && echo "" \ && echo "\"install HOMEBREW\"" \ && echo "https://osxdaily.com/2018/03/07/how-install-homebrew-mac-os/" \ +&& echo "For MacOS Catalina, macOS Mojave, and MacOS Big Sur:" \ && /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install.sh)" \ +&& echo "For MacOS Ventura, MacOS Monterey:" \ +&& /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)" \ && echo "" \ && echo "" \ && echo "" \ @@ -30,6 +33,7 @@ echo "START \"install script for MACOS\"" \ && echo "" \ && php -v \ && echo "" \ +&& echo "RUN echo 'include_path = "/usr/local/Cellar/php/8.2.11/share/php/pear:/Users/swaschkut/Documents/PAN-scripting/pan-os-php"' >> /usr/local/etc/php/8.2/php.ini" \ && echo "" \ && echo "install GIT" \ && brew install git \ 
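Review bot: The two Homebrew installers are not alternatives as the added `echo "For MacOS Catalina..."` / `echo "For MacOS Ventura..."` lines suggest — they are plain output inside a single `&&` chain, so both the `master` and the `HEAD` install.sh are downloaded and piped into `bash` unconditionally on every run. Branch on the release (e.g. `sw_vers -productVersion`) or keep one URL, and since this is `curl | bash` from a mutable branch, prefer downloading to a file and checking it (a release tag or checksum) before executing it.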
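Review bot: The added `RUN echo 'include_path = ...'` instruction hard-codes a personal home directory (`/Users/swaschkut/Documents/PAN-scripting/pan-os-php`) and a fixed Cellar build (`php/8.2.11`), neither of which exists on another user's machine, and the unescaped inner double quotes terminate the outer string so the printed line loses them anyway. Use what the script already has — `${FOLDER_PATH}` for the repo and `$(brew --prefix php)` for the pear directory — e.g. `&& echo "RUN echo 'include_path = \"$(brew --prefix php)/share/php/pear:${FOLDER_PATH}\"' >> $(brew --prefix)/etc/php/8.2/php.ini" \`.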
@@ -44,6 +48,7 @@ echo "START \"install script for MACOS\"" \ && chmod -R 777 ${FOLDER_PATH} \ && echo "" \ && cp ${FOLDER_PATH}/utils/bash_autocompletion/pan-os-php.sh /usr/share/bash-completion/completions/pan-os-php \ +&& ln -s ${FOLDER_PATH}/utils/bash_autocompletion/pan-os-php.sh pan-os-php && echo "" \ && echo "" \ && echo "" \ @@ -57,6 +62,8 @@ echo "START \"install script for MACOS\"" \ && echo "" \ && echo "" \ && echo "" \ +&& brew install jq \ +&& echo "" \ && echo "" \ && echo "set user bash profile" \ && cat ${FOLDER_PATH}/utils/alias.sh >> ${USER_FOLDER_PATH}/.bashrc \ From 3eb5b365dbffdccb84550b9fde32d600ae9f3436 Mon Sep 17 00:00:00 2001 From: Sven Waschkut Date: Thu, 5 Oct 2023 23:30:36 +0200 Subject: [PATCH 33/35] type=gcp | introdruce $namespace | improve handling for tenant like togglesvc --- CHANGELOG.txt | 1 + utils/lib/GCP.php | 29 ++++++++++++++++++----------- 2 files changed, 19 insertions(+), 11 deletions(-) diff --git a/CHANGELOG.txt b/CHANGELOG.txt index d75218e7..cf2e9dff 100755 --- a/CHANGELOG.txt +++ b/CHANGELOG.txt @@ -16,6 +16,7 @@ UTIL: * type=rule | introduce new actions=stats-appid-fastapi:-90days/stats-service-fastapi:/stats-address-source-fastapi/stats-address-destination-fastapi/stats-address-fastapi/stats-traffic-fastapi * type=routing | introduce actions=exporttoexcel:file.html * type=routing | introduce 'filter=(protocol.bgp is.enabled)' +* type=gcp | introdruce $namespace | improve handling for tenant like togglesvc BUGFIX: * class PANConf|VirtualSystem | bugfix to support SharedGateway also for Tag objects correctly diff --git a/utils/lib/GCP.php b/utils/lib/GCP.php index de42d92b..8e0b287c 100644 --- a/utils/lib/GCP.php +++ b/utils/lib/GCP.php @@ -189,7 +189,7 @@ public function main() if( $action == "grep" ) { - $kubectlArray = $this->createKubectl( $tenantID ); + $kubectlArray = $this->createKubectl( $tenantID, $namespace ); if( $kubectlArray !== null ) foreach( $kubectlArray as $kubectlString ) 
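Review bot: The added `ln -s ${FOLDER_PATH}/utils/bash_autocompletion/pan-os-php.sh pan-os-php` line has no trailing `\`, so it ends the `&&` chain and the next line, which begins with `&& echo "" \`, is a bash syntax error before anything after it runs. Append the continuation: `&& ln -s ${FOLDER_PATH}/utils/bash_autocompletion/pan-os-php.sh pan-os-php \`. The link is also created relative to the current working directory rather than next to the `cp` target on the line above, which looks unintended; pointing it at the same completions directory (or a `bash_completion.d` path) would be consistent with the copy.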
@@ -203,7 +203,7 @@ public function main() } elseif( $action == "expedition-log" ) { - $tmpArray = $this->createKubectl( "expedition", "-- cat /var/log/expedition.log" ); + $tmpArray = $this->createKubectl( "expedition", $namespace, "-- cat /var/log/expedition.log" ); $cliArray2[] = $tmpArray[0]; @@ -239,7 +239,7 @@ public function main() PH::print_stdout( $tmpTenantid ); - $tenant_exec_array = $this->createKubectl( $tmpTenantid ); + $tenant_exec_array = $this->createKubectl( $tmpTenantid, $namespace ); if( $tenant_exec_array === null ) { PH::print_stdout( "Tenant: '".$tmpTenantid."' not FOUND as a pod on cluster: ".$cluster ); @@ -375,7 +375,7 @@ public function main() PH::print_stdout( "mgmtsvc tenantID: '".$mgmtsvc_tenantID[0]."'"); - $mgmtsvc = "kubectl exec -it ".$mgmtsvc_tenantID[0]." -c mgmtsvc --insecure-skip-tls-verify=true -- "; + $mgmtsvc = "kubectl exec -it ".$mgmtsvc_tenantID[0]." -c mgmtsvc -n ".$namespace." --insecure-skip-tls-verify=true -- "; #$tenant = "swaschkut-2"; #$cluster = "paas-f4"; @@ -389,7 +389,7 @@ public function main() $this->execCLIWithOutput( $get_auth ); $mgmtsvc_tenantID = $this->grepAllPods( "mgmtsvc" ); - $mgmtsvc = "kubectl exec -it ".$mgmtsvc_tenantID[0]." -c mgmtsvc --insecure-skip-tls-verify=true -- "; + $mgmtsvc = "kubectl exec -it ".$mgmtsvc_tenantID[0]." -c mgmtsvc -n ".$namespace." --insecure-skip-tls-verify=true -- "; $offboard_string = 'curl --header "Content-Type: application/json; charset=UTF-8" --request POST --data \'{"id":"'.$tenantID.'", "r":"false", "mig":"false"}\' http://127.0.0.1:8085/api/v1/src/mgmtsvc/customer/offboard'; $this->execCLIWithOutput( $mgmtsvc.$offboard_string ); 
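Review bot: `$namespace` is spliced into the `kubectl exec` command string without `escapeshellarg()` and the result is later executed through `execCLIWithOutput`, so a namespace containing shell metacharacters — or just a space — changes the command; the same applies to `$mgmtsvc_tenantID[0]` on the same line. Build it as `$mgmtsvc = "kubectl exec -it ".escapeshellarg($mgmtsvc_tenantID[0])." -c mgmtsvc -n ".escapeshellarg($namespace)." --insecure-skip-tls-verify=true -- ";`; where `$namespace` originates is outside these hunks, presumably a script argument. The retained `--insecure-skip-tls-verify=true` disables API-server certificate verification for every exec; that predates this patch, but a comment stating why it is acceptable for this cluster would help the next reader.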
@@ -420,7 +420,7 @@ public function main() $this->execCLIWithOutput( $get_auth ); $mgmtsvc_tenantID = $this->grepAllPods( "mgmtsvc" ); - $mgmtsvc = "kubectl exec -it ".$mgmtsvc_tenantID[0]." -c mgmtsvc --insecure-skip-tls-verify=true -- "; + $mgmtsvc = "kubectl exec -it ".$mgmtsvc_tenantID[0]." -c mgmtsvc -n ".$namespace." --insecure-skip-tls-verify=true -- "; $username = "paloalto"; @@ -522,7 +522,7 @@ private function extractTenentID( $line, $command = "-- bash" ) } - private function createKubectl( $tenantID, $command = "-- bash" ) + private function createKubectl( $tenantID, $namespace, $command = "-- bash" ) { $return = array(); //get correct onprem tenant @@ -533,11 +533,13 @@ private function createKubectl( $tenantID, $command = "-- bash" ) foreach( $tenantIDarray as $tenantID ) { if( strpos( $tenantID, "expedition" ) !== FALSE ) - $tenant_exec = "kubectl ".$this->insecureValue." exec -it " . $tenantID . " -c expedition"; + $tenant_exec = "kubectl ".$this->insecureValue." exec -it " . $tenantID . " -c expedition -n ".$namespace; elseif( strpos( $tenantID, "mgmtsvc" ) !== FALSE ) - $tenant_exec = "kubectl ".$this->insecureValue." exec -it " . $tenantID . " -c mgmtsvc"; + $tenant_exec = "kubectl ".$this->insecureValue." exec -it " . $tenantID . " -c mgmtsvc -n ".$namespace; + elseif( strpos( $tenantID, "togglesvc" ) !== FALSE ) + $tenant_exec = "kubectl ".$this->insecureValue." exec -it " . $tenantID . " -c togglesvc -n ".$namespace; else - $tenant_exec = "kubectl ".$this->insecureValue." exec -it " . $tenantID . " -c ".substr($tenantID, 0, -2); + $tenant_exec = "kubectl ".$this->insecureValue." exec -it " . $tenantID . " -c ".substr($tenantID, 0, -2). " -n ".$namespace; $return[] = $tenant_exec." ".$command; } @@ -595,6 +597,7 @@ private function MFAAuthenticationCheck() "code": 403 }'; + $curl = curl_init($this->http_auth); curl_setopt($curl, CURLOPT_RETURNTRANSFER, true); curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, false); 
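Review bot: createKubectl now interpolates `$namespace` (and, as before, the pod name `$tenantID`) unescaped into four `kubectl exec` strings that are executed later, so both should pass through `escapeshellarg()`. The new `togglesvc` branch repeats the `-c <name> -n $namespace` tail a fourth time; selecting the container name in the if/elseif chain and assembling the command once removes the duplication and gives a single place to escape. The `-522` hunk inserts `$namespace` as a required middle parameter, which breaks any caller not updated in this patch — the ones visible here are.
```php
private function createKubectl( $tenantID, $namespace, $command = "-- bash" )
{
    $return = array();
    $ns = escapeshellarg($namespace);
    // … unchanged: tenant lookup …
    foreach( $tenantIDarray as $tenantID )
    {
        if( strpos( $tenantID, "expedition" ) !== FALSE )
            $container = "expedition";
        elseif( strpos( $tenantID, "mgmtsvc" ) !== FALSE )
            $container = "mgmtsvc";
        elseif( strpos( $tenantID, "togglesvc" ) !== FALSE )
            $container = "togglesvc";
        else
            $container = substr($tenantID, 0, -2);

        $tenant_exec = "kubectl ".$this->insecureValue." exec -it ".escapeshellarg($tenantID)." -c ".escapeshellarg($container)." -n ".$ns;
        $return[] = $tenant_exec." ".$command;
    }
```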
@@ -604,6 +607,9 @@ private function MFAAuthenticationCheck() $response = curl_exec($curl); curl_close($curl); + $exec = 'open -a "Google Chrome" '.$this->http_auth; + exec( $exec ); + /* if( $expectedResponse !== $response ) { $counter = 0; @@ -624,6 +630,7 @@ private function MFAAuthenticationCheck() } while( $expectedResponse !== $response && $counter < 2 ); } + */ if( $expectedResponse === $response ) { @@ -634,7 +641,7 @@ private function MFAAuthenticationCheck() else { $message = "please open: ".$this->http_auth." in WebBrowser for MFA authentication. Then rerun this script"; - derr( $message, null, FALSE ); + #derr( $message, null, FALSE ); } } From 8818090dd41f132a47a75ae8bf87b8eb09e244c6 Mon Sep 17 00:00:00 2001 From: Sven Waschkut Date: Fri, 6 Oct 2023 15:57:54 +0200 Subject: [PATCH 34/35] type=xpath | introduce actions=remove | introduce 'filter-text=NODETEXT' --- CHANGELOG.txt | 1 + utils/lib/XPATH.php | 100 +++++++++++++++++++++++++++++++++++++------- 2 files changed, 86 insertions(+), 15 deletions(-) diff --git a/CHANGELOG.txt b/CHANGELOG.txt index cf2e9dff..07ac6f2d 100755 --- a/CHANGELOG.txt +++ b/CHANGELOG.txt @@ -17,6 +17,7 @@ UTIL: * type=routing | introduce actions=exporttoexcel:file.html * type=routing | introduce 'filter=(protocol.bgp is.enabled)' * type=gcp | introdruce $namespace | improve handling for tenant like togglesvc +* type=xpath | introduce actions=remove | introduce 'filter-text=NODETEXT' BUGFIX: * class PANConf|VirtualSystem | bugfix to support SharedGateway also for Tag objects correctly diff --git a/utils/lib/XPATH.php b/utils/lib/XPATH.php index 4b5394f4..8a2fbe59 100644 --- a/utils/lib/XPATH.php +++ b/utils/lib/XPATH.php 
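Review bot: `exec( 'open -a "Google Chrome" '.$this->http_auth )` runs unconditionally, even when the curl probe just above already returned the expected response, and concatenates `$this->http_auth` into a shell command unescaped; use `exec('open -a "Google Chrome" '.escapeshellarg($this->http_auth));` and move it into the `else` branch that handles the failed check. `open -a` is macOS-only, so on a Linux host this only prints a shell error. The retry loop that re-probed the response is wrapped in `/* … */` rather than deleted; if it is retired, remove it, and if not, note that launching the browser before the loop makes the original wait-and-retry the natural place to keep the `open`.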
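Review bot: Commenting out `derr( $message, null, FALSE );` leaves the MFA-failure branch assigning `$message` and returning normally, so the caller proceeds to run kubectl and offboard commands with no confirmation that authentication succeeded, and the "please open … in WebBrowser" hint is never shown. If the newly launched browser is meant to complete MFA, the check should still block — `PH::print_stdout($message); exit(1);` — or re-run the curl probe after opening the browser and only continue on the expected response. The `if( $expectedResponse === $response )` branch above is outside this hunk.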
@@ -25,6 +25,7 @@ public function utilStart() $this->usageMsg = PH::boldText("USAGE: ")."php ".basename(__FILE__)." in=inputfile.xml ". " \"filter-node=certificate\"\n". " \"[filter-nameattribute=address_object_name]\"\n". + " \"[filter-text=xml-node-text]\"\n". " \"[filter-xpath=/config/devices/entry[@name='localhost.localdomain']/deviceconfig/system/update-server]\"\n". " \"[display-fullxpath]\"\n". " \"[display-xmlnode]\"\n". @@ -56,16 +57,31 @@ public function main() $displayXMLnode = false; $displayXMLlineno = false; $displayAttributeName = false; + $action = "display"; - if( !isset( PH::$args['filter-node'] ) && !isset( PH::$args['filter-nameattribute'] ) && !isset( PH::$args['filter-xpath'] ) ) + if( isset( PH::$args['actions'] ) ) + { + $supportedActions = array( 'display', 'remove' ); + $action = PH::$args['actions']; + + if( !in_array( $action, $supportedActions ) ) + derr( "action: ". $action. " not supported", null, false ); + } + + + if( !isset( PH::$args['filter-node'] ) && !isset( PH::$args['filter-nameattribute'] ) && !isset( PH::$args['filter-xpath'] ) && !isset( PH::$args['filter-text'] ) ) $this->display_error_usage_exit('"filter-node" argument is not set: example "certificate"'); elseif( !isset( PH::$args['filter-node'] ) && isset( PH::$args['filter-nameattribute'] ) ) $qualifiedNodeName = "entry"; + elseif( isset( PH::$args['filter-text'] ) ) + $qualifiedNodeName = "//*[text()[contains(.,'".PH::$args['filter-text']."')]]"; elseif( !isset( PH::$args['filter-xpath'] ) ) $qualifiedNodeName = PH::$args['filter-node']; if( isset( PH::$args['filter-xpath'] ) ) $xpath = PH::$args['filter-xpath']; + elseif( isset( PH::$args['filter-text'] ) ) + $xpath = $qualifiedNodeName; if( isset( PH::$args['display-fullxpath'] ) ) $fullxpath = true; 
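Review bot: `filter-text` is embedded verbatim inside a single-quoted XPath literal (`"//*[text()[contains(.,'".PH::$args['filter-text']."')]]"`), so a value containing `'` produces an invalid expression and, for crafted input, a different predicate than the one typed; because this expression now also drives `actions=remove`, that is a correctness problem rather than just a parse error. Reject or escape the quote before building it: `$needle = PH::$args['filter-text']; if( strpos($needle, "'") !== FALSE ) derr("filter-text must not contain a single quote"); $qualifiedNodeName = "//*[text()[contains(.,'".$needle."')]]";` (an XPath `concat()` split would allow quotes if they are ever needed). `in_array( $action, $supportedActions )` should pass `true` as its third argument, and the usage text extended in the first hunk should list `[actions=display|remove]` alongside the new filter.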
@@ -85,7 +101,7 @@ public function main() $displayAttributeName = true; ######################################################################################################################## - if( !isset( PH::$args['filter-xpath'] ) ) + if( !isset( PH::$args['filter-xpath'] ) && !isset( PH::$args['filter-text'] ) ) { //todo: missing connector support $nodeList = $this->xmlDoc->getElementsByTagName($qualifiedNodeName); @@ -162,9 +178,9 @@ public function main() PH::print_stdout(" |" . $item['xpath'] . "|"); if( $displayXMLnode ) - $this->getXpathDisplay( $item['xpath'], ""); + $this->getXpathDisplay( $item['xpath'], "", false, $action); if( $displayAttributeName ) - $this->getXpathDisplay( $item['xpath'], "", true); + $this->getXpathDisplay( $item['xpath'], "", true, $action); } } } @@ -186,9 +202,9 @@ public function main() PH::print_stdout( " * line: ".$miscEntry['line'] ); if( $displayXMLnode ) - $this->getXpathDisplay( $xpath, ""); + $this->getXpathDisplay( $xpath, "", false, $action); if( $displayAttributeName ) - $this->getXpathDisplay( $xpath, "", true); + $this->getXpathDisplay( $xpath, "", true, $action); } } 
@@ -218,17 +234,17 @@ public function main() if( $this->debugAPI ) $fw_con->setShowApiCalls( $this->debugAPI ); if( $displayAttributeName ) - $this->getXpathDisplay( $xpath, $this->pan->connector->serial, true); + $this->getXpathDisplay( $xpath, $this->pan->connector->serial, true, $action); else - $this->getXpathDisplay( $xpath, $this->pan->connector->serial); + $this->getXpathDisplay( $xpath, $this->pan->connector->serial, false, $action); } else { $this->pan->connector->refreshSystemInfos(); if( $displayAttributeName ) - $this->getXpathDisplay( $xpath, $this->pan->connector->serial, true); + $this->getXpathDisplay( $xpath, $this->pan->connector->serial, true, $action); else - $this->getXpathDisplay( $xpath, $this->pan->connector->info_serial); + $this->getXpathDisplay( $xpath, $this->pan->connector->info_serial, false, $action); } } elseif( $this->configType == 'panorama' ) @@ -251,19 +267,37 @@ public function main() $i++; if( $displayAttributeName ) - $this->getXpathDisplay( $xpath, $child['serial'], true); + $this->getXpathDisplay( $xpath, $child['serial'], true, $action); else - $this->getXpathDisplay( $xpath, $child['serial']); + $this->getXpathDisplay( $xpath, $child['serial'],false, $action); } } } else { if( $displayAttributeName ) - $this->getXpathDisplay( $xpath, "", true); + $this->getXpathDisplay( $xpath, "", true, $action); else - $this->getXpathDisplay( $xpath, ""); + $this->getXpathDisplay( $xpath, "", false, $action); + } + } + + if( $action == "remove" ) + { + //todo: save output + //check if out is set + if( isset( PH::$args['out'] ) ) + { + $lineReturn = TRUE; + $indentingXml = 0; + $indentingXmlIncreament = 1; + + $xml = &DH::dom_to_xml($this->xmlDoc->documentElement, $indentingXml, $lineReturn, -1, $indentingXmlIncreament + 1); + + file_put_contents(PH::$args['out'], $xml); } + else + derr( "action=remove used - but argument 'out=FILENAME' is not set " ); } } 
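Review bot: The `out=FILENAME` requirement for `actions=remove` is checked only after every matching node has already been removed from the in-memory document, so the validation belongs with the argument parsing at the top of main(), before any `getXpathDisplay` call: `if( $action == "remove" && !isset( PH::$args['out'] ) ) derr( "action=remove used - but argument 'out=FILENAME' is not set " );` next to the `$supportedActions` check. In the API-connected branches above (which pass `$this->pan->connector->serial`), getXpathDisplay as shown only edits `$this->xmlDoc`, so `remove` writes the modified copy to `out` and pushes nothing to the device — worth stating in the usage text or a comment so it is not mistaken for an online change. The `//todo: save output` marker is now implemented and can be dropped.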
@@ -285,16 +319,46 @@ function add_supported_arguments() } - function getXpathDisplay( $xpath, $serial, $entry = false) + function getXpathDisplay( $xpath, $serial, $entry = false, $actions = "display") { + $text_contains_search = false; + PH::$JSON_TMP[$serial]['serial'] = $serial; //check Xpath $xpathResult = DH::findXPath( $xpath, $this->xmlDoc); PH::print_stdout( " * XPATH: ".$xpath ); + + if( strpos($xpath, "[text()[contains(") !== FALSE ) + $text_contains_search = true; + PH::$JSON_TMP[$serial]['xpath'] = $xpath; foreach( $xpathResult as $xpath1 ) { + if($text_contains_search) + { + /** @var DOMElement $xpath1 */ + PH::print_stdout(); + $nodePath = $xpath1->getNodePath(); + PH::print_stdout( " * XPATH: ".$nodePath ); + + $tmpArray = explode("]", $nodePath); + $tmp_path = ""; + foreach( $tmpArray as $key => $path_tmp ) + { + if( !empty($path_tmp) ) + { + $tmp_path .= $path_tmp."]"; + + $xpathResult = DH::findXPath( $tmp_path, $this->xmlDoc); + if( $xpathResult[0]->hasAttribute('name') ) + print " - "."entry[@name='".$xpathResult[0]->getAttribute('name')."']\n"; + else + print " - ".$xpathResult[0]->nodeName."\n"; + } + } + } + $newdoc = new DOMDocument; $node = $newdoc->importNode($xpath1, true); $newdoc->appendChild($node); @@ -320,6 +384,12 @@ function getXpathDisplay( $xpath, $serial, $entry = false) PH::print_stdout( " - name: ". $child->getAttribute('name') ); } } + + if( $actions === "remove" ) + { + PH::print_stdout("remove xpath!!!"); + $xpath1->parentNode->removeChild($xpath1); + } } if( count($xpathResult) == 0 ) From 99c381ef9686e002849128358a080947afeb6970 Mon Sep 17 00:00:00 2001 From: Sven Waschkut Date: Fri, 6 Oct 2023 17:11:54 +0200 Subject: [PATCH 35/35] GENERAL - APP-ID update to Device App-ID version: 8762-8327 --- CHANGELOG.txt | 2 + lib/object-classes/predefined.xml | 896 +++++++++++++++++++++++++++++- utils/develop/ui/json_array.js | 46 ++ utils/lib/util_action_filter.json | 46 ++ 4 files changed, 976 insertions(+), 14 deletions(-) 
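Review bot: Inside `foreach( $xpathResult as $xpath1 )` the text-contains branch reassigns `$xpathResult = DH::findXPath( $tmp_path, $this->xmlDoc );` for every path prefix, so the `if( count($xpathResult) == 0 )` check after the loop (just below this hunk) inspects the last prefix lookup rather than the original query; use a separate local, `$prefixResult = DH::findXPath( $tmp_path, $this->xmlDoc );`, and index that. The loop also appends `]` to every chunk from `explode("]", $nodePath)`, so a node path with no predicate at all (e.g. `/config/shared/address`) becomes `/config/shared/address]`, an invalid expression, and `$xpathResult[0]->hasAttribute('name')` then dereferences an empty result; guard with `if( count($prefixResult) === 0 ) continue;`. The two `print` calls should go through `PH::print_stdout` like the rest of the method so all output uses the same channel.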
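Review bot: `remove` detaches `$xpath1` from its parent while `$xpathResult` is still being iterated; if DH::findXPath returns a list that reflects document changes the iteration can skip siblings, and when one match is an ancestor of another the descendant is removed from an already-detached subtree. Collect first and remove afterwards — `$toRemove[] = $xpath1;` inside the loop, then `foreach( $toRemove as $n ) $n->parentNode->removeChild($n);` after it — which is safe whatever the helper returns. The `remove xpath!!!` message would be more useful as `PH::print_stdout(" - removing ".$xpath1->getNodePath());`. getXpathDisplay continues past this hunk.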
diff --git a/CHANGELOG.txt b/CHANGELOG.txt index 07ac6f2d..04d5ad49 100755 --- a/CHANGELOG.txt +++ b/CHANGELOG.txt @@ -29,6 +29,8 @@ BUGFIX: GENERAL: * Class VirtualSystem/SharedGatewayStore | better handling of version variable +* update actions/filter JSON file +* APP-ID update to Device App-ID version: 8762-8327 2.1.18 (20230920) diff --git a/lib/object-classes/predefined.xml b/lib/object-classes/predefined.xml index 3410ff72..57a2aaab 100644 --- a/lib/object-classes/predefined.xml +++ b/lib/object-classes/predefined.xml @@ -1,6 +1,6 @@ - 8756-8298 + 8762-8327 @@ -240552,7 +240552,7 @@ Refer to this article for details - https://live.paloaltonetworks.com/t5/blogs/n This tag groups App-IDs that use artificial intelligence algorithms to create new content (text, video, audio, images, etc.) or alter it (edit, correct, extend, etc.) based on user input. - 8756-8298 + 8762-8327 @@ -280669,6 +280669,62 @@ Refer to this article for details - https://live.paloaltonetworks.com/t5/blogs/n alert + + Malicious Python File Detection + spyware + medium + + alert + + + Malicious JavaScript Files Detection + spyware + medium + + alert + + + Malicious VBScript Files Detection + spyware + medium + + alert + + + Malicious PowerShell Files Detection + spyware + medium + + alert + + + Malicious HTA Files Detection + spyware + medium + + alert + + + Malicious ELF Files Detection + spyware + medium + + alert + + + Malicious PDF Files Detection + spyware + medium + + alert + + + Malicious Microsoft OOXML Files Detection + spyware + medium + + alert + EmailSpyPro adware @@ -294922,7 +294978,7 @@ Refer to this article for details - https://live.paloaltonetworks.com/t5/blogs/n DoNot Group Command and Control Traffic Detection spyware critical - + reset-both 
@@ -303342,6 +303398,13 @@ Refer to this article for details - https://live.paloaltonetworks.com/t5/blogs/n reset-both + + TCP Shell Command Detection + backdoor + critical + + reset-both + Mythic Agent Medusa Command and Control Traffic Detection hacktool @@ -303447,6 +303510,20 @@ Refer to this article for details - https://live.paloaltonetworks.com/t5/blogs/n reset-both + + Malicious Registration File Detection + spyware + critical + + reset-both + + + Kazuar Backdoor Command and Control Traffic Detection + command-and-control + critical + + reset-both + Backdoor.BO.Rootme backdoor @@ -306582,6 +306659,20 @@ Refer to this article for details - https://live.paloaltonetworks.com/t5/blogs/n reset-server + + Rockwell Automation Code Execution and Denial-of-Service Vulnerability + + CVE-2023-3595 + CVE-2023-3596 + + code-execution + critical + + + yes + + alert + SAP Business One 2005 License Manager Buffer Overflow Vulnerability @@ -322295,7 +322386,7 @@ Refer to this article for details - https://live.paloaltonetworks.com/t5/blogs/n yes - reset-server + alert libVNC LibVNCServer File Transfer Extension Heap-based Buffer Overflow Vulnerability @@ -324606,6 +324697,19 @@ Refer to this article for details - https://live.paloaltonetworks.com/t5/blogs/n alert + + Netatalk dsiwriteinit Heap Buffer Overflow Vulnerability Vulnerability + + CVE-2022-43634 + + overflow + critical + + + yes + + reset-server + Solarwinds Insecure Deserialization Vulnerability 
@@ -324684,6 +324788,45 @@ Refer to this article for details - https://live.paloaltonetworks.com/t5/blogs/n reset-server + + Git gitattributes Integer Overflow Vulnerability + + CVE-2022-23521 + + code-execution + critical + + + yes + + reset-client + + + FRRouting BGP Denial-of-Service Vulnerability + + CVE-2023-38802 + + dos + high + + + yes + + reset-server + + + FRRouting BGP Denial-of-Service Vulnerability + + CVE-2023-38802 + + dos + high + + + yes + + reset-client + Palo Alto Networks PAN-OS Denial-of-Service Vulnerability @@ -357762,7 +357905,7 @@ Refer to this article for details - https://live.paloaltonetworks.com/t5/blogs/n code-execution critical - + yes @@ -373332,7 +373475,7 @@ Refer to this article for details - https://live.paloaltonetworks.com/t5/blogs/n code-execution high - + yes @@ -393462,6 +393605,7 @@ Refer to this article for details - https://live.paloaltonetworks.com/t5/blogs/n Palo Alto Networks PAN-OS XML External Entity Vulnerability CVE-2021-3055 + CVE-2023-38046 code-execution medium @@ -399827,6 +399971,7 @@ Refer to this article for details - https://live.paloaltonetworks.com/t5/blogs/n CVE-2022-25134 CVE-2022-26210 CVE-2022-26186 + CVE-2022-27003 code-execution critical @@ -410360,6 +410505,16 @@ Refer to this article for details - https://live.paloaltonetworks.com/t5/blogs/n reset-server + + Qizhi Fortress Unauthorized Administrative Login Vulnerability + info-leak + medium + + + yes + + alert + Microsoft Internet Explorer Memory Corruption Vulnerability @@ -413945,6 +414100,7 @@ Refer to this article for details - https://live.paloaltonetworks.com/t5/blogs/n Inductive Automation Ignition ServerMessage Insecure Deserialization Vulnerability CVE-2022-35870 + CVE-2023-39475 code-execution high 
@@ -414687,6 +414843,19 @@ Refer to this article for details - https://live.paloaltonetworks.com/t5/blogs/n reset-both + + Contec CONPROSYS HMI System SQL Injection Vulnerability + + CVE-2023-1658 + + sql-injection + high + + + yes + + reset-server + Sielco PolyEco Digital FM Transmitter Authentication Bypass Vulnerability info-leak @@ -417599,6 +417768,22 @@ Refer to this article for details - https://live.paloaltonetworks.com/t5/blogs/n alert + + Microsoft Internet Explorer Memory Corruption Vulnerability + + CVE-2013-3112 + + + MS13-047 + + code-execution + critical + + + yes + + reset-both + Beijing Grandview Century eHR Software SQL Injection vulnerability sql-injection @@ -417625,6 +417810,20 @@ Refer to this article for details - https://live.paloaltonetworks.com/t5/blogs/n reset-both + + OpenTSDB Remote Command Injection Vulnerability + + CVE-2023-25826 + CVE-2023-36812 + + code-execution + critical + + + yes + + reset-server + Microsoft Internet Explorer Memory Corruption Vulnerability @@ -417709,6 +417908,35 @@ Refer to this article for details - https://live.paloaltonetworks.com/t5/blogs/n reset-both + + Samba nmbd NetServerInfo1 Server Comment Buffer Overflow Vulnerability + + CVE-2014-3560 + + overflow + high + + + yes + + reset-client + + + Adobe Photoshop Camera Raw Remote Buffer Underflow Vulnerability + + CVE-2012-5679 + + + APSB12-28 + + overflow + high + + + yes + + reset-client + Microsoft Outlook Remote Code Execution Vulnerability @@ -418206,6 +418434,15 @@ Refer to this article for details - https://live.paloaltonetworks.com/t5/blogs/n reset-server + + HTTP Request Smuggling Attempt + protocol-anomaly + informational + + + yes + + Abode Systems Command Injection Vulnerability 
@@ -418817,6 +419054,19 @@ Refer to this article for details - https://live.paloaltonetworks.com/t5/blogs/n reset-server + + GLPI-Project GLPI REST API usertoken SQL Injection Vulnerability + + CVE-2022-39323 + + sql-injection + critical + + + yes + + reset-server + Ivanti Endpoint Manager Mobile Authentication Bypass Vulnerability @@ -419671,6 +419921,22 @@ Refer to this article for details - https://live.paloaltonetworks.com/t5/blogs/n alert + + Adobe Photoshop Camera Raw Remote Buffer Underflow Vulnerability + + CVE-2012-5679 + + + APSB12-28 + + overflow + high + + + yes + + reset-both + Tenda AC15 and AC18 Routers Heap Overflow Vulnerability @@ -419762,6 +420028,19 @@ Refer to this article for details - https://live.paloaltonetworks.com/t5/blogs/n reset-server + + Zoho ManageEngine ServiceDesk Plus Releases Status Comments Stored Cross-site Scripting Vulnerabilit + + CVE-2023-23077 + + code-execution + medium + + + yes + + alert + OpenCATS Questionnaire.php Stored Cross-Site Scripting Vulnerability @@ -419799,6 +420078,22 @@ Refer to this article for details - https://live.paloaltonetworks.com/t5/blogs/n reset-server + + Microsoft Windows TrueType Font Parsing Remote Code Execution Vulnerability + + CVE-2015-0059 + + + MS15-010 + + code-execution + medium + + + yes + + alert + vBulletin Deserialization Vulnerability @@ -420005,6 +420300,22 @@ Refer to this article for details - https://live.paloaltonetworks.com/t5/blogs/n reset-server + + Adobe Reader Memory Corruption Vulnerability + + CVE-2017-3036 + + + APSB17-11 + + code-execution + high + + + yes + + reset-both + Microsoft Internet Explorer Graphics Component Memory Corruption Vulnerability 
@@ -420440,6 +420751,29 @@ Refer to this article for details - https://live.paloaltonetworks.com/t5/blogs/n reset-client + + DrayTek Vigor Remote Code Execution Vulnerability + + CVE-2022-32548 + + code-execution + critical + + + yes + + reset-server + + + HTTP Evasion Directory Traversal + info-leak + medium + + + yes + + alert + Generic Cross-Site Scripting Vulnerability code-execution @@ -420492,6 +420826,19 @@ Refer to this article for details - https://live.paloaltonetworks.com/t5/blogs/n reset-server + + LibreNMS Reflected Cross-Site Scripting Vulnerability + + CVE-2023-4347 + + code-execution + medium + + + yes + + alert + WordPress Forminator Plugin File Upload Vulnerability @@ -420505,6 +420852,19 @@ Refer to this article for details - https://live.paloaltonetworks.com/t5/blogs/n reset-server + + D-Link Systems DIR-2640 Authentication Bypass Vulnerability + + CVE-2023-32148 + + code-execution + high + + + yes + + reset-server + Ivanti Avalanche Directory Traversal Vulnerability @@ -420545,6 +420905,16 @@ Refer to this article for details - https://live.paloaltonetworks.com/t5/blogs/n alert + + Possible System Information Leak + info-leak + informational + + + yes + + alert + Google Chrome Type Confusion Vulnerability @@ -420663,6 +421033,22 @@ Refer to this article for details - https://live.paloaltonetworks.com/t5/blogs/n reset-server + + Microsoft Excel File Heap Overflow Vulnerability + + CVE-2012-0185 + + + MS12-030 + + code-execution + high + + + yes + + reset-both + TOTOlink A7100RU Command Injection Vulnerability 
@@ -420757,6 +421143,59 @@ Refer to this article for details - https://live.paloaltonetworks.com/t5/blogs/n reset-both + + Netgear Command Injection Vulnerability + + CVE-2023-33532 + CVE-2023-33533 + + code-execution + critical + + + yes + + reset-server + + + Advantech iView ConfigurationServlet SQL Injection Vulnerability + + CVE-2023-3983 + + sql-injection + high + + + yes + + reset-server + + + VISAM VBASE Automation Base XXE Vulnerability + + CVE-2022-46286 + + info-leak + medium + + + yes + + alert + + + VISAM VBASE Automation Base XXE Vulnerability + + CVE-2022-46300 + + info-leak + medium + + + yes + + alert + Avaya Aura Remote Code Execution Vulnerability 
@@ -420783,6 +421222,409 @@ Refer to this article for details - https://live.paloaltonetworks.com/t5/blogs/n reset-server + + Elastic Elasticsearch Snapshot API Directory Traversal Vulnerability + + CVE-2015-5531 + + info-leak + high + + + yes + + reset-server + + + Siemens Tecnomatix Plant Simulation SPP File Parsing Stack Buffer Overflow Vulnerability + + CVE-2023-27404 + + overflow + high + + + yes + + reset-both + + + DotCMS Open Redirect Vulnerability + + CVE-2018-17422 + + code-execution + medium + + + yes + + alert + + + IPanel Administration System Cross Site Scripting Vulnerability + + CVE-2021-41878 + + code-execution + medium + + + yes + + alert + + + SAP Internet Graphics Server XML External Entity Vulnerability + + CVE-2018-2392 + + code-execution + medium + + + yes + + alert + + + VBulletin Open Redirect Vulnerability + + CVE-2018-6200 + + code-execution + medium + + + yes + + alert + + + Google Chrome Use-After-Free Vulnerability + + CVE-2023-3421 + + code-execution + high + + + yes + + reset-both + + + Google Chrome Use-After-Free Vulnerability + + CVE-2023-3422 + + code-execution + high + + + yes + + reset-both + + + Google Chrome Use-After-Free Vulnerability + + CVE-2023-3731 + + code-execution + high + + + yes + + reset-both + + + Delta Industrial Automation DIAScreen DPA File Parsing Stack Buffer Overflow Vulnerability + + CVE-2023-0250 + + overflow + high + + + yes + + reset-both + + + FUXA Remote Command Execution Vulnerability + + CVE-2023-33831 + + code-execution + critical + + + yes + + reset-server + + + mySCADA myPRO Command Injection Vulnerability + + CVE-2023-28716 + + code-execution + high + + + yes + + reset-server + + + Inductive Automation Ignition AbstractGatewayFunction Insecure Deserialization Vulnerability + + CVE-2023-39473 + + code-execution + medium + + + yes + + alert + + + Windows Themes Remote Code Execution Vulnerability + + CVE-2023-38146 + + code-execution + high + + + yes + + reset-both + + + Zimbra Collaboration 
Memcached CRLF Injection Vulnerability + + CVE-2022-27924 + + code-execution + high + + + yes + + reset-server + + + Libwebp Heap Overflow Vulnerability + + CVE-2023-4863 + + overflow + high + + + yes + + reset-both + + + D-Link DIR-2640 HNAP LoginPassword Authentication Bypass Vulnerability + + CVE-2023-32152 + + info-leak + medium + + + yes + + alert + + + Google Cloud Platform ESPv2 Authentication Bypass Vulnerability + + CVE-2023-30845 + + info-leak + critical + + + yes + + reset-server + + + FUXA SQL Injection Vulnerability + + CVE-2023-31719 + + sql-injection + critical + + + yes + + reset-server + + + Google Chrome Type Confusion Vulnerability + + CVE-2023-2724 + + code-execution + high + + + yes + + reset-both + + + Microsoft SharePoint Server Remote Code Execution Vulnerability + + CVE-2023-24955 + + code-execution + high + + + yes + + reset-server + + + Cisco Multiple Products Command Injection Vulnerability + + CVE-2023-20209 + + code-execution + high + + + yes + + reset-server + + + Google Chrome Type Confusion Vulnerability + + CVE-2023-4762 + + code-execution + high + + + yes + + reset-both + + + ImageMagick Command Injection Vulnerability + + CVE-2023-34152 + + code-execution + critical + + + yes + + reset-server + + + Openemr Cross-Site Scripting Vulnerability + + CVE-2023-2948 + + code-execution + medium + + + yes + + alert + + + D-Link Systems Dir-2640 Command Injection Vulnerbility + + CVE-2023-32150 + + code-execution + high + + + yes + + reset-server + + + Softing Edgeaggregator Directory Traversal Vulnerbility + + CVE-2023-38126 + + code-execution + high + + + yes + + reset-both + + + JetBrains TeamCity Authentication Bypass Vulnerability + + CVE-2023-42793 + + info-leak + critical + + + yes + + reset-server + + + Microsoft Exchange Server Remote Code Execution Vulnerability + + CVE-2023-36744 + + code-execution + high + + + yes + + reset-server + + + Progress WSFTP Server Deserialization Vulnerability + + CVE-2023-40044 + + code-execution + 
high + + + yes + + reset-both + + + Progress Ipswitch WSFTP Server Cross-Site Scripting Vulnerability + + CVE-2022-27665 + + code-execution + medium + + + yes + + alert + Mozilla Firefox Browser Engine Multiple Unspecified Vulnerabilities @@ -477524,7 +478366,7 @@ Refer to this article for details - https://live.paloaltonetworks.com/t5/blogs/n code-execution high - + yes @@ -499451,7 +500293,7 @@ Refer to this article for details - https://live.paloaltonetworks.com/t5/blogs/n code-execution high - + yes @@ -502804,7 +503646,7 @@ Refer to this article for details - https://live.paloaltonetworks.com/t5/blogs/n code-execution critical - + yes @@ -517443,7 +518285,7 @@ Refer to this article for details - https://live.paloaltonetworks.com/t5/blogs/n high - yes + yes reset-server @@ -518729,7 +519571,7 @@ Refer to this article for details - https://live.paloaltonetworks.com/t5/blogs/n code-execution medium - + yes @@ -544454,12 +545296,12 @@ Refer to this article for details - https://live.paloaltonetworks.com/t5/blogs/n CVE-2010-1850 overflow - high + low yes - reset-server + alert Oracle MySQL Database IN and CASE NULL Argument Denial of Service Vulnerability @@ -550732,6 +551574,32 @@ Refer to this article for details - https://live.paloaltonetworks.com/t5/blogs/n reset-server + + Rockwell Automation ThinManager ThinServer Type 13 Synchronization Integer Overflow Vulnerability + + CVE-2023-2914 + + overflow + high + + + yes + + alert + + + Ivanti Avalanche Stack Buffer Overflow Vulnerability + + CVE-2023-32560 + + overflow + critical + + + yes + + reset-server + Cisco Secure ACS EAP-TLS Authentication Bypass Vulnerability @@ -567068,7 +567936,7 @@ Refer to this article for details - https://live.paloaltonetworks.com/t5/blogs/n scan medium - + scan medium diff --git a/utils/develop/ui/json_array.js b/utils/develop/ui/json_array.js index 4597abc6..4e22a282 100644 --- a/utils/develop/ui/json_array.js +++ b/utils/develop/ui/json_array.js 
@@ -2187,6 +2187,28 @@ var subjectObject =
 "display": {
 "name": "display",
 "MainFunction": {}
+ },
+ "exporttoexcel": {
+ "name": "exportToExcel",
+ "MainFunction": {},
+ "GlobalInitFunction": {},
+ "GlobalFinishFunction": {},
+ "args": {
+ "filename": {
+ "type": "string",
+ "default": "*nodefault*"
+ },
+ "additionalFields": {
+ "type": "pipeSeparatedList",
+ "subtype": "string",
+ "default": "*NONE*",
+ "choices": [
+ "WhereUsed",
+ "UsedInLocation"
+ ],
+ "help": "pipe(|) separated list of additional field to include in the report. The following is available:\n - WhereUsed : list places where object is used (rules, groups ...)\n - UsedInLocation : list locations (vsys,dg,shared) where object is used\n"
+ }
+ }
 }
 },
 "filter": {
@@ -2201,6 +2223,18 @@ var subjectObject =
 }
 }
 }
+ },
+ "protocol.bgp": {
+ "operators": {
+ "is.enabled": {
+ "Function": {},
+ "arg": false,
+ "ci": {
+ "fString": "(%PROP% ethernet1\/1)",
+ "input": "input\/panorama-8.0.xml"
+ }
+ }
+ }
 }
 }
 },
@@ -2351,6 +2385,18 @@ var subjectObject =
 }
 }
 },
+ "create-new-rule-from-file-fastapi": {
+ "name": "create-new-Rule-from-file-FastAPI",
+ "GlobalInitFunction": {},
+ "MainFunction": {},
+ "GlobalFinishFunction": {},
+ "args": {
+ "fileName": {
+ "type": "string",
+ "default": "*nodefault*"
+ }
+ }
+ },
 "delete": {
 "name": "delete",
 "MainFunction": {}
diff --git a/utils/lib/util_action_filter.json b/utils/lib/util_action_filter.json
index d0183440..0f1c37c5 100644
--- a/utils/lib/util_action_filter.json
+++ b/utils/lib/util_action_filter.json
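Review bot: The `help` string added for `additionalFields` in the `exporttoexcel` block is grammatically off for a list-valued option: "pipe(|) separated list of additional field to include in the report. The following is available:" should read `pipe(|) separated list of additional fields to include in the report. The following are available:`. The same block is added verbatim to utils/lib/util_action_filter.json in the next file section, so the wording fix applies to both copies. The two files appear to carry identical action/filter definitions; if json_array.js is maintained by hand rather than generated from the JSON, a leading comment such as `// mirrors utils/lib/util_action_filter.json; keep both in sync` would make that dependency visible to the next editor.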
@@ -2186,6 +2186,28 @@
 "display": {
 "name": "display",
 "MainFunction": {}
+ },
+ "exporttoexcel": {
+ "name": "exportToExcel",
+ "MainFunction": {},
+ "GlobalInitFunction": {},
+ "GlobalFinishFunction": {},
+ "args": {
+ "filename": {
+ "type": "string",
+ "default": "*nodefault*"
+ },
+ "additionalFields": {
+ "type": "pipeSeparatedList",
+ "subtype": "string",
+ "default": "*NONE*",
+ "choices": [
+ "WhereUsed",
+ "UsedInLocation"
+ ],
+ "help": "pipe(|) separated list of additional field to include in the report. The following is available:\n - WhereUsed : list places where object is used (rules, groups ...)\n - UsedInLocation : list locations (vsys,dg,shared) where object is used\n"
+ }
+ }
 }
 },
 "filter": {
@@ -2200,6 +2222,18 @@
 }
 }
 }
+ },
+ "protocol.bgp": {
+ "operators": {
+ "is.enabled": {
+ "Function": {},
+ "arg": false,
+ "ci": {
+ "fString": "(%PROP% ethernet1\/1)",
+ "input": "input\/panorama-8.0.xml"
+ }
+ }
+ }
 }
 }
 },
@@ -2350,6 +2384,18 @@
 }
 }
 },
+ "create-new-rule-from-file-fastapi": {
+ "name": "create-new-Rule-from-file-FastAPI",
+ "GlobalInitFunction": {},
+ "MainFunction": {},
+ "GlobalFinishFunction": {},
+ "args": {
+ "fileName": {
+ "type": "string",
+ "default": "*nodefault*"
+ }
+ }
+ },
 "delete": {
 "name": "delete",
 "MainFunction": {}