Closed bethatasitmay closed 1 year ago
As a Panorama DeviceGroup is specific, you can directly add zone information without creating a real Zone object in a template in the Panorama GUI;
explicitly, therefore, as mentioned in the pan-os-php script: "zone named 'NewZone' not found, you can try to use xxx-add-force action instead"
please use:
....in=api://panorama.domain.com location=DG1 actions=to-Add-force:NewZone 'filter=(to has ExistingZone)'
ok, thanks!
Describe the bug
I added 2 new zones in the GUI, but when I try to add them to a rule (from-Add/to-Add) it fails, stating the zone doesn't exist. If I manually add the zones to at least one rule, the command will work. I didn't try the force option.
Expected behavior
A new zone should be added to a rule without having to manually add it to a rule first.
Current behavior
I get an error:
PS C:\tools\pan> php -r "require_once 'C:/tools/pan/pan-os-php/utils/pan-os-php.php';" type=rule in=api://panorama.domain.com location=DG1 actions=to-Add:NewZone 'filter=(to has ExistingZone)'
*** pan-os-php.php type=rule UTILITY **
PAN-OS-PHP version: 2.1.20 [WIN] [8.2.12]
Downloading config from API...
Detected platform type is 'panorama'
No 'template' provided so using default ='any'
No 'ruleType' specified, using 'security' by default
filter after sanitization : (to has ExistingZone)
Loading configuration through PAN-OS-PHP library... (1.65 seconds, 88.08 mb memory)
PAN-OS-PHP APP-ID version: 8763-8333
PAN-OS APP-ID version: 8775-8381
PAN-OS AV version: 4625-5143
PAN-OS WF version: 515890-518890
PAN-OS THREAT version: 8775-8381
PAN-OS version: 91
PAN-OS Device timezone: US/Pacific is used. actual time: 2023/11/03 10:29:54
processing ruleset 'PanoramaConf: / DeviceGroup:DG1 / RuleStore:Security' that holds 1978 rules
ERROR * zone named 'NewZone' not found, you can try to use xxx-add-force action instead
Backtrace
0 backtrace_print() ::C:\tools\pan\pan-os-php\lib\pan_php_framework.php line 617
1 derr() ::C:\tools\pan\pan-os-php\utils\common\actions-rule.php line 495
2 {closure}() ::C:\tools\pan\pan-os-php\utils\common\actions-rule.php line 892
3 {closure}() ::C:\tools\pan\pan-os-php\utils\common\CallContext.php line 115
4 Action:'to-Add' / Args: zoneName=NewZone, CallContext::executeAction() @ C:\tools\pan\pan-os-php\utils\lib\RULEUTIL.php line 492
5 RULEUTIL::time_to_process_objects() @ C:\tools\pan\pan-os-php\utils\lib\RULEUTIL.php line 36
6 RULEUTIL::utilStart() @ C:\tools\pan\pan-os-php\utils\lib\UTIL.php line 212
7 UTIL::__construct() @ C:\tools\pan\pan-os-php\lib\misc-classes\PH.php line 1048
8 callPANOSPHP() ::C:\tools\pan\pan-os-php\utils\pan-os-php.php line 117
9 require_once() ::Command line code line 1
Possible solution
Maybe in this situation the force option is required. If not, make it so I don't have to manually add a new zone to a rule for the command to work.
Steps to reproduce
See PowerShell command under Current Behavior
After the failure, if I manually add NewZone to a rule (I only added it to one) and commit to Panorama (I don't know if the commit step is necessary), the command works and adds it to the remaining rules.
Context
I have new zones to add to our rules. Today was the first time trying to add a new zone that wasn't already in a rule.
Your Environment