PaloAltoNetworks / pan-os-php

Framework and utilities to easily manage and edit Palo Alto Network PANOS devices
ISC License

Type=Address filter ip4.included-in does not check groups #738

Closed taddairpanw closed 1 year ago

taddairpanw commented 1 year ago

Describe the bug

When using the Address Util in combination with a filter of ip4.included-in, it does not look at the values of group members if there is an address group.

Expected behavior

The IP4 included filter should be group-aware. It should return address groups in addition to standalone address objects if the groups contain the IP4 values being filtered.

Current behavior

Groups are currently not filtered. Here is example output.

pan-os-php type=address location=any actions=display in=INPUTFILE.xml 'filter=(value ip4.included-in 10.129.250.0/23)'

################# processing store 'PanoramaConf: / AddressStore:addresses' that holds 171 objects

processing store 'PanoramaConf: / DeviceGroup:DeviceGroupXYZ/ AddressStore:address' that holds 181 objects

PROCESSING OF 2 OBJECTS DONE ###############

I re-run the search but this time use the name of a group that I know for sure exists and contains the address object as a member.

pan-os-php type=address location=any actions=display in=INPUTFILE.xml 'filter=(name contains OrganizationVPN)'

################

PROCESSING OF 1 OBJECTS DONE ###########################

Possible solution

Make the ip4.included-in filter group-aware. If object type = group recurse through group members and identify IP4 values, given that there is a value field in each member per the output above.

Steps to reproduce

Acquire an input file with both address objects and address group objects. Ensure that one of the address groups includes an address object with the IP4 value that you wish to search for. Filter for address values in CIDR notation. Observe output to see if groups are included. If it only returns the original address object and does not include the group in the output, you have reproduced the bug.

Screenshots

No screenshots needed - output pasted above

Context

Attempting to add user IDs to rules that refer to specific VPN subnet ranges. Some of these rules refer to group objects. I am using the "has from subquery" filter option and defining subqueries from the address util. This problem caused my queries to miss a significant quantity of rules for adding the user ID information to them.

Your Environment

swaschkut commented 1 year ago

as discussed one2one - this feature is working as designed,

an object value, if address or address-group, must be part of the IP/network; based on your filter: 'filter=(value ip4.included-in 10.129.250.0/23)'

and the object you like to see:

processing store 'PanoramaConf: / AddressStore:addresses' that holds 171 objects
object 'OrganizationVPN' passing through Action='display'
AddressGroup 'OrganizationVPN' (5 members) desc: ''
10.129.254.0 value: '10.129.254.0/24'
N-10.129.200.0-23 value: '10.129.200.0/23'
N-10.129.206.0-25 value: '10.129.206.0/25'
- N-10.129.250.0-23 value: '10.129.250.0/23'
N-172.16.128.0-20 value: '172.16.128.0/20'

you must use a different filter: 'filter=(value ip4.includes-full-or-partial 10.129.250.0/23)'


please allow me to explain the behaviour of the first filter: 'filter=(value ip4.included-in 10.129.250.0/23)'

SOLUTION: 'filter=(value ip4.includes-full-or-partial 10.129.250.0/23)'
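To make the difference between the two filters concrete, here is an added illustration in Python (not pan-os-php's own PHP code) that reimplements the two predicates over a small constructed address store. The `included-in` semantics follow the comment above (every value the object stands for must lie inside the filter network); the `includes-full-or-partial` semantics are an assumption based on the filter's name (at least one value overlaps the filter network, fully or partially). The object names and values are copied from the group printed in the thread; the nested group `AllVPN` is an added assumption to show recursion through group members.

```python
import ipaddress

# Constructed sample data modelled on the group printed in the thread.
# Names and values come from that output; "AllVPN" is an assumed nested
# group added here to demonstrate recursion, it is not from the thread.
ADDRESSES = {
    "10.129.254.0": "10.129.254.0/24",
    "N-10.129.200.0-23": "10.129.200.0/23",
    "N-10.129.206.0-25": "10.129.206.0/25",
    "N-10.129.250.0-23": "10.129.250.0/23",
    "N-172.16.128.0-20": "172.16.128.0/20",
}
GROUPS = {
    "OrganizationVPN": [
        "10.129.254.0",
        "N-10.129.200.0-23",
        "N-10.129.206.0-25",
        "N-10.129.250.0-23",
        "N-172.16.128.0-20",
    ],
    "AllVPN": ["OrganizationVPN"],  # assumed nested group
}


def object_networks(name, seen=None):
    """Return the networks an object stands for.

    A plain address contributes its own value; a group contributes the
    values of all its members, recursing into nested groups. `seen`
    guards against a group that directly or indirectly contains itself.
    """
    seen = set() if seen is None else seen
    if name in seen:
        return []
    seen.add(name)
    if name in ADDRESSES:
        return [ipaddress.ip_network(ADDRESSES[name], strict=False)]
    if name in GROUPS:
        nets = []
        for member in GROUPS[name]:
            nets.extend(object_networks(member, seen))
        return nets
    raise KeyError(f"unknown object {name!r}")


def included_in(name, cidr):
    """ip4.included-in as described in the thread: every value the object
    stands for must be part of the given network."""
    target = ipaddress.ip_network(cidr, strict=False)
    nets = object_networks(name)
    return bool(nets) and all(
        n.version == target.version and n.subnet_of(target) for n in nets
    )


def includes_full_or_partial(name, cidr):
    """Assumed ip4.includes-full-or-partial semantics: at least one value
    the object stands for overlaps the given network, fully or partially."""
    target = ipaddress.ip_network(cidr, strict=False)
    return any(
        n.version == target.version and n.overlaps(target)
        for n in object_networks(name)
    )


def filter_objects(predicate, cidr):
    """Apply a predicate to every address and group in the store, the way
    the CLI walks an address store, and return the passing names sorted."""
    names = list(ADDRESSES) + list(GROUPS)
    return sorted(n for n in names if predicate(n, cidr))


if __name__ == "__main__":
    for pred in (included_in, includes_full_or_partial):
        print(pred.__name__, "10.129.250.0/23 ->",
              filter_objects(pred, "10.129.250.0/23"))
```

Running it shows why the group was missing from the first query: `OrganizationVPN` also contains `172.16.128.0/20`, so the group as a whole is not "included in" `10.129.250.0/23`, while `includes-full-or-partial` matches the group because one member overlaps the filter network.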