kevinsteves / pan-python

Multi-tool set for Palo Alto Networks PAN-OS, Panorama, WildFire and AutoFocus

xml_result with traffic log method return wrong format #41

Closed vantruongsinh closed 4 years ago

vantruongsinh commented 4 years ago

When using the log method on the pan.xapi.PanXapi

import pan.xapi

# tag selects the FIREWALL entry in .panrc
xapi = pan.xapi.PanXapi(tag='FIREWALL')
query = "src in 10.189.169.121 and vsys eq vsys1"
a = xapi.log(log_type='traffic', nlogs=1, filter=query)

full response xapi.xml_root() as below. '<response status="success"><result>\n <job>\n <tenq>12:21:26</tenq>\n <tdeq>12:21:26</tdeq>\n <tlast>12:21:26</tlast>\n <status>FIN</status>\n <id>33185</id>\n </job>\n <log>\n <logs count="1" progress="100">\n <entry logid="6785292413440213847">\n <domain>1</domain>\n <receive_time>2020/01/24 12:20:39</receive_time>\n <serial>0011C103892</serial>\n <seqno>127157259159</seqno>\n <actionflags>0x0</actionflags>\n <type>TRAFFIC</type>\n <subtype>end</subtype>\n <config_ver>0</config_ver>\n <time_generated>2020/01/24 12:20:39</time_generated>\n <src>10.189.169.121</src>\n <dst>10.101.136.7</dst>\n <rule>Allow_Usr_SplkUFs</rule>\n <srcuser>au\\heyre</srcuser>\n <srcloc cc="10.0.0.0-10.255.255.255" code="10.0.0.0-10.255.255.255">10.0.0.0-10.255.255.255</srcloc>\n <dstloc cc="10.0.0.0-10.255.255.255" code="10.0.0.0-10.255.255.255">10.0.0.0-10.255.255.255</dstloc>\n <app>ssl</app>\n <vsys>vsys1</vsys>\n <from>rdc-ext</from>\n <to>rdc-appsrv</to>\n <inbound_if>ae1</inbound_if>\n <outbound_if>ae3</outbound_if>\n <time_received>2020/01/24 12:20:39</time_received>\n <sessionid>34084684</sessionid>\n <repeatcnt>1</repeatcnt>\n <sport>56822</sport>\n <dport>9998</dport>\n <natsport>0</natsport>\n <natdport>0</natdport>\n <flags>0x104053</flags>\n <flag-pcap>no</flag-pcap>\n <flag-flagged>no</flag-flagged>\n <flag-proxy>no</flag-proxy>\n <flag-url-denied>no</flag-url-denied>\n <flag-nat>no</flag-nat>\n <captive-portal>no</captive-portal>\n <non-std-dport>yes</non-std-dport>\n <transaction>no</transaction>\n <pbf-c2s>no</pbf-c2s>\n <pbf-s2c>no</pbf-s2c>\n <temporary-match>no</temporary-match>\n <sym-return>no</sym-return>\n <decrypt-mirror>no</decrypt-mirror>\n <credential-detected>no</credential-detected>\n <flag-mptcp-set>no</flag-mptcp-set>\n <flag-tunnel-inspected>no</flag-tunnel-inspected>\n <flag-recon-excluded>no</flag-recon-excluded>\n <proto>tcp</proto>\n <action>allow</action>\n <tunnel>N/A</tunnel>\n <tpadding>0</tpadding>\n 
<cpadding>0</cpadding>\n <dg_hier_level_1>0</dg_hier_level_1>\n <dg_hier_level_2>0</dg_hier_level_2>\n <dg_hier_level_3>0</dg_hier_level_3>\n <dg_hier_level_4>0</dg_hier_level_4>\n <vsys_name>RDC Exchange</vsys_name>\n <device_name>FIREWALL</device_name>\n <vsys_id>1</vsys_id>\n <tunnelid_imsi>0</tunnelid_imsi>\n <parent_session_id>0</parent_session_id>\n <bytes>48613</bytes>\n <bytes_sent>29335</bytes_sent>\n <bytes_received>19278</bytes_received>\n <packets>177</packets>\n <start>2020/01/24 12:19:18</start>\n <elapsed>78</elapsed>\n <category>any</category>\n <padding>0</padding>\n <pkts_sent>86</pkts_sent>\n <pkts_received>91</pkts_received>\n <session_end_reason>tcp-rst-from-client</session_end_reason>\n <action_source>from-policy</action_source>\n <tunnelid>0</tunnelid>\n <imsi />\n <monitortag />\n <imei />\n </entry>\n </logs>\n </log>\n <meta>\n <devices>\n <entry name="localhost.localdomain">\n <hostname>localhost.localdomain</hostname>\n <vsys>\n <entry name="vsys1">\n <display-name>RDC Exchange</display-name>\n </entry>\n <entry name="vsys2">\n <display-name>TAP Zone</display-name>\n </entry>\n <entry name="vsys3">\n <display-name>Perimeter</display-name>\n </entry>\n <entry name="vsys4">\n <display-name>DIGITAL_DELTA</display-name>\n </entry>\n </vsys>\n </entry>\n </devices>\n </meta>\n</result></response>'

In better format

<?xml version="1.0" encoding="UTF-8"?>
<response status="success">
   <result>
      <job>
         <tenq>12:21:26</tenq>
         <tdeq>12:21:26</tdeq>
         <tlast>12:21:26</tlast>
         <status>FIN</status>
         <id>33185</id>
      </job>
      <log>
         <logs count="1" progress="100">
            <entry logid="6785292413440213847">
               <domain>1</domain>
               <receive_time>2020/01/24 12:20:39</receive_time>
               <serial>0011C103892</serial>
               <seqno>127157259159</seqno>
               <actionflags>0x0</actionflags>
               <type>TRAFFIC</type>
               <subtype>end</subtype>
               <config_ver>0</config_ver>
               <time_generated>2020/01/24 12:20:39</time_generated>
               <src>10.189.169.121</src>
               <dst>10.101.136.7</dst>
               <rule>Allow_Usr_SplkUFs</rule>
               <srcuser>au\\heyre</srcuser>
               <srcloc cc="10.0.0.0-10.255.255.255" code="10.0.0.0-10.255.255.255">10.0.0.0-10.255.255.255</srcloc>
               <dstloc cc="10.0.0.0-10.255.255.255" code="10.0.0.0-10.255.255.255">10.0.0.0-10.255.255.255</dstloc>
               <app>ssl</app>
               <vsys>vsys1</vsys>
               <from>rdc-ext</from>
               <to>rdc-appsrv</to>
               <inbound_if>ae1</inbound_if>
               <outbound_if>ae3</outbound_if>
               <time_received>2020/01/24 12:20:39</time_received>
               <sessionid>34084684</sessionid>
               <repeatcnt>1</repeatcnt>
               <sport>56822</sport>
               <dport>9998</dport>
               <natsport>0</natsport>
               <natdport>0</natdport>
               <flags>0x104053</flags>
               <flag-pcap>no</flag-pcap>
               <flag-flagged>no</flag-flagged>
               <flag-proxy>no</flag-proxy>
               <flag-url-denied>no</flag-url-denied>
               <flag-nat>no</flag-nat>
               <captive-portal>no</captive-portal>
               <non-std-dport>yes</non-std-dport>
               <transaction>no</transaction>
               <pbf-c2s>no</pbf-c2s>
               <pbf-s2c>no</pbf-s2c>
               <temporary-match>no</temporary-match>
               <sym-return>no</sym-return>
               <decrypt-mirror>no</decrypt-mirror>
               <credential-detected>no</credential-detected>
               <flag-mptcp-set>no</flag-mptcp-set>
               <flag-tunnel-inspected>no</flag-tunnel-inspected>
               <flag-recon-excluded>no</flag-recon-excluded>
               <proto>tcp</proto>
               <action>allow</action>
               <tunnel>N/A</tunnel>
               <tpadding>0</tpadding>
               <cpadding>0</cpadding>
               <dg_hier_level_1>0</dg_hier_level_1>
               <dg_hier_level_2>0</dg_hier_level_2>
               <dg_hier_level_3>0</dg_hier_level_3>
               <dg_hier_level_4>0</dg_hier_level_4>
               <vsys_name>Zone1</vsys_name>
               <device_name>FIREWALL</device_name>
               <vsys_id>1</vsys_id>
               <tunnelid_imsi>0</tunnelid_imsi>
               <parent_session_id>0</parent_session_id>
               <bytes>48613</bytes>
               <bytes_sent>29335</bytes_sent>
               <bytes_received>19278</bytes_received>
               <packets>177</packets>
               <start>2020/01/24 12:19:18</start>
               <elapsed>78</elapsed>
               <category>any</category>
               <padding>0</padding>
               <pkts_sent>86</pkts_sent>
               <pkts_received>91</pkts_received>
               <session_end_reason>tcp-rst-from-client</session_end_reason>
               <action_source>from-policy</action_source>
               <tunnelid>0</tunnelid>
               <imsi />
               <monitortag />
               <imei />
            </entry>
         </logs>
      </log>
      <meta>
         <devices>
            <entry name="localhost.localdomain">
               <hostname>localhost.localdomain</hostname>
               <vsys>
                  <entry name="vsys1">
                     <display-name>vsys1</display-name>
                  </entry>
                  <entry name="vsys2">
                     <display-name>vsys2</display-name>
                  </entry>
                  <entry name="vsys3">
                     <display-name>vsys3</display-name>
                  </entry>
                  <entry name="vsys4">
                     <display-name>vsys4</display-name>
                  </entry>
               </vsys>
            </entry>
         </devices>
      </meta>
   </result>
</response>

However, xapi.xml_result() is not in XML format:

\n <job>\n <tenq>12:21:26</tenq>\n <tdeq>12:21:26</tdeq>\n <tlast>12:21:26</tlast>\n <status>FIN</status>\n <id>33185</id>\n </job>\n <log>\n <logs count="1" progress="100">\n <entry logid="6785292413440213847">\n <domain>1</domain>\n <receive_time>2020/01/24 12:20:39</receive_time>\n <serial>0011C103892</serial>\n <seqno>127157259159</seqno>\n <actionflags>0x0</actionflags>\n <type>TRAFFIC</type>\n <subtype>end</subtype>\n <config_ver>0</config_ver>\n <time_generated>2020/01/24 12:20:39</time_generated>\n <src>10.189.169.121</src>\n <dst>10.101.136.7</dst>\n <rule>Allow_Usr_SplkUFs</rule>\n <srcuser>au\\heyre</srcuser>\n <srcloc cc="10.0.0.0-10.255.255.255" code="10.0.0.0-10.255.255.255">10.0.0.0-10.255.255.255</srcloc>\n <dstloc cc="10.0.0.0-10.255.255.255" code="10.0.0.0-10.255.255.255">10.0.0.0-10.255.255.255</dstloc>\n <app>ssl</app>\n <vsys>vsys1</vsys>\n <from>Zone1</from>\n <to>rdc-appsrv</to>\n <inbound_if>ae1</inbound_if>\n <outbound_if>ae3</outbound_if>\n <time_received>2020/01/24 12:20:39</time_received>\n <sessionid>34084684</sessionid>\n <repeatcnt>1</repeatcnt>\n <sport>56822</sport>\n <dport>9998</dport>\n <natsport>0</natsport>\n <natdport>0</natdport>\n <flags>0x104053</flags>\n <flag-pcap>no</flag-pcap>\n <flag-flagged>no</flag-flagged>\n <flag-proxy>no</flag-proxy>\n <flag-url-denied>no</flag-url-denied>\n <flag-nat>no</flag-nat>\n <captive-portal>no</captive-portal>\n <non-std-dport>yes</non-std-dport>\n <transaction>no</transaction>\n <pbf-c2s>no</pbf-c2s>\n <pbf-s2c>no</pbf-s2c>\n <temporary-match>no</temporary-match>\n <sym-return>no</sym-return>\n <decrypt-mirror>no</decrypt-mirror>\n <credential-detected>no</credential-detected>\n <flag-mptcp-set>no</flag-mptcp-set>\n <flag-tunnel-inspected>no</flag-tunnel-inspected>\n <flag-recon-excluded>no</flag-recon-excluded>\n <proto>tcp</proto>\n <action>allow</action>\n <tunnel>N/A</tunnel>\n <tpadding>0</tpadding>\n <cpadding>0</cpadding>\n <dg_hier_level_1>0</dg_hier_level_1>\n 
<dg_hier_level_2>0</dg_hier_level_2>\n <dg_hier_level_3>0</dg_hier_level_3>\n <dg_hier_level_4>0</dg_hier_level_4>\n <vsys_name>Zone1</vsys_name>\n <device_name>FIREWALL</device_name>\n <vsys_id>1</vsys_id>\n <tunnelid_imsi>0</tunnelid_imsi>\n <parent_session_id>0</parent_session_id>\n <bytes>48613</bytes>\n <bytes_sent>29335</bytes_sent>\n <bytes_received>19278</bytes_received>\n <packets>177</packets>\n <start>2020/01/24 12:19:18</start>\n <elapsed>78</elapsed>\n <category>any</category>\n <padding>0</padding>\n <pkts_sent>86</pkts_sent>\n <pkts_received>91</pkts_received>\n <session_end_reason>tcp-rst-from-client</session_end_reason>\n <action_source>from-policy</action_source>\n <tunnelid>0</tunnelid>\n <imsi />\n <monitortag />\n <imei />\n </entry>\n </logs>\n </log>\n <meta>\n <devices>\n <entry name="localhost.localdomain">\n <hostname>localhost.localdomain</hostname>\n <vsys>\n <entry name="vsys1">\n <display-name>vsys1</display-name>\n </entry>\n <entry name="vsys2">\n <display-name>vsys2</display-name>\n </entry>\n <entry name="vsys3">\n <display-name>vsys3</display-name>\n </entry>\n <entry name="vsys4">\n <display-name>vsys4</display-name>\n </entry>\n </vsys>\n </entry>\n </devices>\n </meta>\n

kevinsteves commented 4 years ago

Most PAN-OS API XML responses have an XML document (document node) as a child of the <result> element node. This response does not. So you may want to use xml_root() or the element_root attribute to read the document.

element_root

The element_root data attribute is set to the root element of the
parsed response document XML tree; it is an Element object and is
set using etree.ElementTree.fromstring().
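
Added example, not part of the thread and not pan-python's own code: it shows why the children of `<result>` in this log response do not parse as one XML document, and how to read the log entries from the parsed tree instead. `SAMPLE_RESPONSE` is a constructed, trimmed copy of the response in the issue; `result_fragment`, `fragment_is_document` and `log_entries` are hypothetical helper names, and `root` stands in for `xapi.element_root`.

```python
import xml.etree.ElementTree as etree

# Constructed, trimmed version of the traffic log response shown in the issue.
SAMPLE_RESPONSE = """<response status="success"><result>
 <job><status>FIN</status><id>33185</id></job>
 <log>
  <logs count="1" progress="100">
   <entry logid="6785292413440213847">
    <src>10.189.169.121</src>
    <dst>10.101.136.7</dst>
    <action>allow</action>
    <imsi />
   </entry>
  </logs>
 </log>
 <meta><devices /></meta>
</result></response>"""


def result_fragment(root):
    """Mimic the xml_result() output in the issue: text plus children of <result>."""
    result = root.find("result")
    parts = [etree.tostring(child, encoding="unicode") for child in result]
    return (result.text or "") + "".join(parts)


def fragment_is_document(fragment):
    """True only if the string parses as one well-formed XML document."""
    try:
        etree.fromstring(fragment)
        return True
    except etree.ParseError:  # e.g. "junk after document element"
        return False


def log_entries(root):
    """Walk the parsed tree and return one dict of fields per log entry."""
    entries = []
    for entry in root.findall("./result/log/logs/entry"):
        fields = {child.tag: (child.text or "") for child in entry}
        fields["logid"] = entry.get("logid")
        entries.append(fields)
    return entries


if __name__ == "__main__":
    root = etree.fromstring(SAMPLE_RESPONSE)  # stands in for xapi.element_root
    print(fragment_is_document(result_fragment(root)), log_entries(root))
```

The fragment has three sibling top-level elements (`<job>`, `<log>`, `<meta>`), so a parser stops after `</job>`; wrapping it in a single element or walking the tree from the root avoids that.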

vantruongsinh commented 4 years ago

Thanks for your reply @kevinsteves