PaloAltoNetworks / pan-os-php

Framework and utilities to easily manage and edit Palo Alto Network PANOS devices
ISC License

4. compare two DeviceGroups from same file requesting file2 #790

Open erickfcc opened 2 months ago

erickfcc commented 2 months ago

Describe the bug

When running the following:

pan-os-php type=diff file1=diff.xml "filter=/config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='$$name$$']/pre-rules" name1=DG1 name2=DG2

I get the following error message:

Also, when I reference the same file to file1 and file2 it just gives me a "success" message

root@cc49d464c1da:/share# pan-os-php type=diff "filter=/config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='$$name$$']/pre-rules" name1=DG1 name2=DG2 file1=diff.xml file2=diff.xml


*** pan-os-php.php type=diff UTILITY **

####################################################################

***** END OF SCRIPT pan-os-php.php type=diff ****

Expected behavior

I expect a diff using the same file referencing to different DGs

Current behavior

Same as bug description

Possible solution

Steps to reproduce

  1. pan-os-php type=diff file1=diff.xml "filter=/config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='$$name$$']/pre-rules" name1=DG1 name2=DG2

Screenshots

Context

I am not able to do a diff between 2 DGs

Your Environment

swaschkut commented 2 months ago

Thanks for sharing this bug;

as you are already on version 2.1.25 the repository is available there: https://github.com/swaschkut/pan-os-php

Nevertheless, I will inform you as soon as this is fixed. But this will not start before August 19th.

swaschkut commented 2 months ago

there is now a new develop Docker container available: docker run --name panosphp --rm -v ${PWD}:/share -it swaschkut/pan-os-php:develop

which is fixing this.

for your information: this is the correct filter: "filter=/config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='$$name$$']/pre-rulebase"

erickfcc commented 2 months ago

I am now getting a new error, I ran the development container

docker run --name panosphp --rm -v ${PWD}:/share -it swaschkut/pan-os-php:develop

I run the following: pan-os-php type=diff file1=gates-lab.xml "filter=/config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='$$name$$']/pre-rules" name1=ADCFWD1 name2=new-ADCFWD1

and I get the following error:

*** ** WARNING ** * "filter" argument is not a valid xPATH or not available | xpath1: "/config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='ADCFWD1']/pre-rules"**

When I add the "/" in front of pre-rules I get a different error


*** pan-os-php.php type=diff UTILITY **

swaschkut commented 2 months ago

pre-rules

is not a valid Palo Alto Networks PAN-OS path;

you need to use: pre-rulebase

This is what I wanted to mention in my previous post.

erickfcc commented 2 months ago

I copied this from your output, I should have checked it. Please update the following output when typing help

Thank you

```
root@7c79281768a8:/share# pan-os-php type=diff

*** pan-os-php.php type=diff UTILITY **

ERROR "file1" is missing from arguments

USAGE:
```

erickfcc commented 2 months ago

I spoke too soon, I am still getting the error when using pre-rulebase

```
root@7c79281768a8:/share# pan-os-php type=diff file1=gates-lab.xml "filter=/config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='$$name$$']/pre-rulebase" name1=ADCFWD1 name2=new-ADCFWD1

*** pan-os-php.php type=diff UTILITY **

ERROR "filter" argument is not a valid xPATH or not available | xpath2: "/config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='new-ADCFWD1']/pre-rulebase"

USAGE:
```

swaschkut commented 2 months ago

But the error message now mentions it very clearly:

ERROR "filter" argument is not a valid xPATH or not available | xpath2: "/config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='new-ADCFWD1']/pre-rulebase"

your device-group "new-ADCFWD1" does not have the xpath available; there are NO rules available in this device-group

erickfcc commented 2 months ago

That error is not true, I have verified that the DG exists, it's not my file

```
root@5de3d9754888:/share# pan-os-php type=diff file1=stage0.xml "filter=/config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='$$name$$']/pre-rulebase" name1=ADCFWD1 name2=new-ADCFWD1

*** pan-os-php.php type=diff UTILITY **

ERROR "filter" argument is not a valid xPATH or not available | xpath1: "/config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='ADCFWD1']/pre-rules"

USAGE:

root@5de3d9754888:/share# exit
exit

#( 08/20/24@ 7:48PM )( erickmel@mb16inch ):~/GitHub
  cat stage0.xml | grep -B1 ADCFWD1
   <device-group>
    <entry name="ADCFWD1">****

  </entry>
    <entry name="new-ADCFWD1">
```

erickfcc commented 2 months ago


swaschkut commented 2 months ago

Hi Erick, it looks like we are not speaking about the same topic.

Maybe to get closure on this: please create a new SecurityRule in DG "new-ADCFWD1" and disable this Rule.

Right now, based on the error message, there are no Rules available in the DG "new-ADCFWD1", and Palo Alto Networks therefore does not create the XML node in the XML file. And if this is not available, the script is telling you that this specific xPath cannot be found.

I hope that this workaround helps you to understand what the real issue is.


Another hint: In the newest develop container I had to change the search variable; $$name$$ can not be used any more, due to problems with BASH PIP alignment.

pan-os-php type=diff help

pan-os-php type=diff file1=diff.xml "filter=/config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='{{name}}']/pre-rulebase" name1=testDG name2=testDG1
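
The two causes discussed in this thread (a device group that is absent versus one that exists but has no `pre-rulebase` node) produce the same "not a valid xPATH or not available" message; the check below tells them apart before running the diff. It is an added example, not code from pan-os-php or from the posts above: the sample config, the `classify` helper and its result labels are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample config (not from the issue): DG1 holds one rule,
# DG2 holds none and therefore has no <pre-rulebase> node at all.
SAMPLE = """<config><devices><entry name="localhost.localdomain"><device-group>
  <entry name="DG1"><pre-rulebase><security><rules>
    <entry name="allow-dns"><action>allow</action></entry>
  </rules></security></pre-rulebase></entry>
  <entry name="DG2"><description>empty</description></entry>
</device-group></entry></devices></config>"""

# Filter template in the {{name}} form shown in the last comment.
FILTER = ("/config/devices/entry[@name='localhost.localdomain']"
          "/device-group/entry[@name='{{name}}']/pre-rulebase")


def _find(root, xpath):
    # ElementTree paths are relative to the root element, so strip "/config".
    prefix = "/" + root.tag
    if xpath != prefix and not xpath.startswith(prefix + "/"):
        return None
    rel = xpath[len(prefix):]
    return root.find("." + rel) if rel else root


def classify(xml_text, template, dg_name):
    """Return 'found', 'leaf-missing' or 'device-group-missing'."""
    root = ET.fromstring(xml_text)
    xpath = template.replace("{{name}}", dg_name)
    if _find(root, xpath) is not None:
        return "found"
    # The full path failed: test the parent (the device-group entry) alone.
    parent_xpath = xpath.rsplit("/", 1)[0]
    if _find(root, parent_xpath) is not None:
        return "leaf-missing"      # DG exists; last path step does not
    return "device-group-missing"  # no entry with that name


if __name__ == "__main__":
    for dg in ("DG1", "DG2", "DG3"):
        print(dg, classify(SAMPLE, FILTER, dg))
    # A wrong leaf name fails the same way as an empty device group.
    print(classify(SAMPLE, FILTER.replace("pre-rulebase", "pre-rules"), "DG1"))
```

In bash, `$$` inside double quotes expands to the shell's process ID, so a `$$name$$` filter only reaches the tool intact when it is single-quoted or escaped; the `{{name}}` form has no such expansion.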