search

kevinsteves / pan-python

Multi-tool set for Palo Alto Networks PAN-OS, Panorama, WildFire and AutoFocus
Other
267 stars 102 forks source link

add handling of new dynamic address registration errors in PAN-OS 6.0. #1

Closed btorresgil closed 10 years ago

btorresgil commented 10 years ago

Hi Kevin,

I noticed that in PAN-OS 6.0, if you tag an IP with a tag it already has, it produces an error which is raised as a PanXapiError. This is fine, but the error text is blank so it's impossible to tell this PanXapiError from another. In my code, I needed to ignore this error because I don't care if the tag already existed, so I needed a way to distinguish this error from others. The XML response for the error looks like this:

<response status="error">
    <msg>
        <line>
            <uid-response>
                <version>2.0</version>
                <payload>
                    <register>
                        <entry ip="192.168.1.2" message="tag your-tag already exists, ignore"/>
                        <entry ip="192.168.1.3" message="tag your-tag already exists, ignore"/>
                    </register>
                </payload>
            </uid-response>
        </line>
    </msg>
</response>

I added some code to the function that gets the return status in xapi so that it can handle this new <uid-response> tag to get the error message correctly. It only handles register and unregister errors, but these are the only errors I've seen from the User-ID API that aren't handled.

Feel free to update or enhance my attempt as you see fit. Thanks!

btorresgil commented 10 years ago

Also, you can test easily to see the difference. With a PAN-OS 6.0 firewall, just run a dynamic address update (-U flag on panxapi.py) twice in a row. The first time will succeed, the second will fail, but will not produce any reason for the failure. Now add my code and you'll see a reason for the error.

kevinsteves commented 10 years ago

How do you generate an unregister error? If I run unregister for non-existent values there is no error. [stevesk@light bin]$ ./panxapi.py -t pa-200 -U t/unreg.xml dynamic-update: success [stevesk@light bin]$ ./panxapi.py -t pa-200 -U t/unreg.xml dynamic-update: success

kevinsteves commented 10 years ago

here is an alternate diff to try.

diff --git a/lib/pan/xapi.py b/lib/pan/xapi.py
index e1bd4a1..e504b42 100644
--- a/lib/pan/xapi.py
+++ b/lib/pan/xapi.py
@@ -322,6 +322,21 @@ class PanXapi:
         lines = []

         # XML API response message formats are not documented
+
+        # type=user-id register and unregister
+        path = './msg/line/uid-response/payload/*/entry'
+        elem = self.element_root.findall(path)
+        if len(elem) > 0:
+            if self.debug2:
+                print('path:', path, elem, file=sys.stderr)
+            for line in elem:
+                msg = ''
+                for key in line.keys():
+                    msg += '%s: %s ' % (key, line.get(key))
+                if msg:
+                    lines.append(msg.rstrip())
+            return '\n'.join(lines) if lines else None
+
         path = './msg/line'
         elem = self.element_root.findall(path)
         if len(elem) > 0:
kevinsteves commented 10 years ago

commit alternate diff.