Open erickfcc opened 2 months ago
Thanks for sharing this bug;
as you are already on version 2.1.25 the repository is available there: https://github.com/swaschkut/pan-os-php
Nevertheless, I will inform you as soon as this is fixed. But this will not be started before August 19th.
there is now a new develop Docker container available:
docker run --name panosphp --rm -v ${PWD}:/share -it swaschkut/pan-os-php:develop
which is fixing this.
for your information:
this is the correct filter:
"filter=/config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='$$name$$']/pre-rulebase"
I am now getting a new error, I ran the development container
docker run --name panosphp --rm -v ${PWD}:/share -it swaschkut/pan-os-php:develop
I run the following:
pan-os-php type=diff file1=gates-lab.xml "filter=/config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='$$name$$']/pre-rules" name1=ADCFWD1 name2=new-ADCFWD1
and I get the following error:
*** ** WARNING ** * "filter" argument is not a valid xPATH or not available | xpath1: "/config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='ADCFWD1']/pre-rules"**
When I add the "/" in front of pre-rules I get a different error
```
*** pan-os-php.php type=diff UTILITY **
ERROR * Died on user notice or warning!! Error: DOMXPath::query(): Invalid expression on /tools/pan-os-php/lib/misc-classes/DH.php:814
Backtrace
0 backtrace_print() ::/tools/pan-os-php/lib/pan_php_framework.php line 630
1 derr() ::/tools/pan-os-php/lib/pan_php_framework.php line 117
2 myErrorHandler() :: line
3 DOMXPath::query() @ /tools/pan-os-php/lib/misc-classes/DH.php line 814
4 findXPath() ::/tools/pan-os-php/lib/misc-classes/DH.php line 785
5 findXPathSingleEntry() ::/tools/pan-os-php/utils/lib/DIFF.php line 239
6 DIFF::main() @ /tools/pan-os-php/utils/lib/DIFF.php line 110
7 DIFF::utilStart() @ /tools/pan-os-php/utils/lib/UTIL.php line 215
8 UTIL::__construct() @ /tools/pan-os-php/lib/misc-classes/PH.php line 1090
9 callPANOSPHP() ::/tools/pan-os-php/utils/pan-os-php.php line 118
10 **** require_once() ::Command line code line 1
```
`pre-rules` is not a valid Palo Alto Networks PAN-OS path; you need to use: `pre-rulebase`
This is what I like to mention at my previous post
I copied this from your output, I should have checked it. Please update the following output when typing help
Thank you
```
root@7c79281768a8:/share# pan-os-php type=diff
*** pan-os-php.php type=diff UTILITY **
ERROR "file1" is missing from arguments
USAGE:
php DIFF.php file1=ORIGINAL.xml file2=NEWESTFILE.xml
php DIFF.php file1=ORIGINAL.xml file2=NEWESTFILE.xml "filter=/config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='DG-name']/pre-rules"
php DIFF.php file1=ORIGINAL.xml file2=NEWESTFILE.xml filter=file.json
JSON file structure:
{
  "include": [
    "/config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='testDG']/address",
    "/config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='testDG']/tag",
    "/config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='testDG']/service",
    "/config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='testDG']/address-group"
  ],
  "exclude": [
    "/config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='testDG']/service-group",
    "/config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='$$name$$']/address",
    "/cloud_services/mobile-users/onboarding/entry[@name='']/dns-servers/entry[@name='']"
  ],
  "move": [
    {
      "from": "/template/config/shared/ssl-decrypt",
      "to": "/template/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/ssl-decrypt"
    }
  ],
  "added": [
    "/template/config/devices/entry[@name='localhost.localdomain']/network/routing-profile",
    "/template/config/shared/non-file-based-dlp-settings/max-latency[text()[contains(.,'15')]]",
    "/policy/panorama/pre-rulebase/security/rules/entry[@name='']/from/member[text()[contains(.,'any')]]",
    "/policy/panorama/profiles/spyware/entry[@name='']/botnet-domains/dns-security-categories/entry[@name='*']/action[text()[contains(.,'sinkhole')]]",
  ],
  "deleted": [
    "/template/config/shared/response-page"
  ],
  "empty": [
    "/policy/post-rulebase/tunnel-inspect"
  ],
  "combinedruleordercheck": [
    {
      "pre": "/policy/panorama/pre-rulebase/security",
      "post": "/policy/panorama/post-rulebase/security"
    }
  ]
}
php DIFF.php file1=diff.xml "filter=/config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='$$name$$']/pre-rules" name1=testDG name2=testDG1
```
I spoke too soon, I am still getting the error when using pre-rulebase
```
root@7c79281768a8:/share# pan-os-php type=diff file1=gates-lab.xml "filter=/config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='$$name$$']/pre-rulebase" name1=ADCFWD1 name2=new-ADCFWD1
*** pan-os-php.php type=diff UTILITY **
ERROR "filter" argument is not a valid xPATH or not available | xpath2: "/config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='new-ADCFWD1']/pre-rulebase"
```
But the error message now states it very clearly:
ERROR "filter" argument is not a valid xPATH or not available | xpath2: "/config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='new-ADCFWD1']/pre-rulebase"
your device-group "new-ADCFWD1" does not have the xpath available; there are NO rules available in this device-group
That error is not true, I have verified that the DG exists, it's not my file
```
root@5de3d9754888:/share# pan-os-php type=diff file1=stage0.xml "filter=/config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='$$name$$']/pre-rulebase" name1=ADCFWD1 name2=new-ADCFWD1
*** pan-os-php.php type=diff UTILITY **
ERROR "filter" argument is not a valid xPATH or not available | xpath1: "/config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='ADCFWD1']/pre-rules"
```
```
root@5de3d9754888:/share# exit
exit
#( 08/20/24@ 7:48PM )( erickmel@mb16inch ):~/GitHub
cat stage0.xml | grep -B1 ADCFWD1
<device-group>
<entry name="ADCFWD1">
</entry>
<entry name="new-ADCFWD1">
```
Hi Erick, it looks like we are not speaking about the same topic.
Maybe to get closure on this: please create a new SecurityRule in DG "new-ADCFWD1" and disable this rule.
Right now, based on the error message, there are no rules available in the DG "new-ADCFWD1", and Palo Alto Networks therefore does not create in the XML file the
I hope that this workaround helps you to understand what the real issue is.
Another hint:
In the newest develop container I had to change the search variable; `$$name$$` can not be used any more, due to problems with BASH PIP alignment.
pan-os-php type=diff help
pan-os-php type=diff file1=diff.xml "filter=/config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='{{name}}']/pre-rulebase" name1=testDG name2=testDG1
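The situation discussed in this thread (a filter that expands to an XPath which does not exist for one of the two device groups) can be checked before running the diff. The following is an added example, not pan-os-php code: the function names and the sample configuration are constructed for illustration, and it assumes the filter is a plain absolute path with `[@name='...']` predicates.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a minimal Panorama-style config with one device group
# that has rules and one that has none (so no <pre-rulebase> node exists).
SAMPLE_CONFIG = """\
<config>
  <devices>
    <entry name="localhost.localdomain">
      <device-group>
        <entry name="ADCFWD1">
          <pre-rulebase><security><rules><entry name="allow-dns"/></rules></security></pre-rulebase>
        </entry>
        <entry name="new-ADCFWD1"/>
      </device-group>
    </entry>
  </devices>
</config>
"""

FILTER = ("/config/devices/entry[@name='localhost.localdomain']"
          "/device-group/entry[@name='{{name}}']/pre-rulebase")


def expand_filter(template, name):
    """Substitute the {{name}} placeholder (also the older $$name$$ form)."""
    return template.replace("{{name}}", name).replace("$$name$$", name)


def xpath_exists(root, xpath):
    """True if an absolute XPath resolves to at least one node under root."""
    prefix = "/" + root.tag
    if xpath != prefix and not xpath.startswith(prefix + "/"):
        return False
    # ElementTree only accepts relative paths, so anchor the rest at the root.
    relative = "." + xpath[len(prefix):]
    return root.find(relative) is not None


def missing_xpaths(xml_text, template, names):
    """Return the expanded XPaths that do not resolve in the config."""
    root = ET.fromstring(xml_text)
    expanded = [expand_filter(template, n) for n in names]
    return [x for x in expanded if not xpath_exists(root, x)]


if __name__ == "__main__":
    for xp in missing_xpaths(SAMPLE_CONFIG, FILTER, ["ADCFWD1", "new-ADCFWD1"]):
        print("not available:", xp)
```

On the constructed sample, only the path for `new-ADCFWD1` is reported, and replacing `pre-rulebase` with `pre-rules` in the template makes the path for `ADCFWD1` fail as well.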
Describe the bug
When running the following:
pan-os-php type=diff file1=diff.xml "filter=/config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='$$name$$']/pre-rules" name1=DG1 name2=DG2
I get the following error message:
Also, when I reference the same file to file1 and file2 it just gives me a "success" message
root@cc49d464c1da:/share# pan-os-php type=diff "filter=/config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='$$name$$']/pre-rules" name1=DG1 name2=DG2 file1=diff.xml file2=diff.xml
*** pan-os-php.php type=diff UTILITY **
####################################################################
***** END OF SCRIPT pan-os-php.php type=diff ****
Expected behavior
I expect a diff using the same file referencing to different DGs
Current behavior
Same as bug description
Possible solution
Steps to reproduce
Screenshots
Context
I am not able to do a diff between 2 DGs
Your Environment