moshekaplan / palo_alto_firewall_analyzer

Python scripts for reviewing Palo Alto Firewall configurations
Creative Commons Zero v1.0 Universal

There is another issue while iterating XML files #59

Closed desh130 closed 10 months ago

desh130 commented 11 months ago

```
alo_alto_firewall_analyzer.validators.misleading_objects - INFO - (9/13) Checking PDX Office's Address objects
palo_alto_firewall_analyzer.validators.misleading_objects - INFO - (10/13) Checking HVW DC's Address objects
palo_alto_firewall_analyzer.validators.misleading_objects - INFO - (11/13) Checking PDX's Address objects
palo_alto_firewall_analyzer.validators.misleading_objects - INFO - (12/13) Checking vor0506df01's Address objects
Traceback (most recent call last):
  File "", line 198, in _run_module_as_main
  File "", line 88, in _run_code
  File "C:\Pan_Cleaner\pan_analyzer.exe\__main__.py", line 7, in <module>
  File "C:\Users\desh1\AppData\Roaming\Python\Python311\site-packages\palo_alto_firewall_analyzer\scripts\pan_analyzer.py", line 193, in main
    problems, total_problems = run_policy_validators(validators, profilepackage, output_fname)
                               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\Users\desh1\AppData\Roaming\Python\Python311\site-packages\palo_alto_firewall_analyzer\scripts\pan_analyzer.py", line 66, in run_policy_validators
    validator_problems = validator_function(profilepackage)
                         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\Users\desh1\AppData\Roaming\Python\Python311\site-packages\palo_alto_firewall_analyzer\validators\misleading_objects.py", line 49, in find_misleading_addresses
    ip_address = entry_value.split('/', 1)[0]
                 ^^^^^^^^^^^^^^^^^
AttributeError: 'dict' object has no attribute 'split'
```

moshekaplan commented 11 months ago

This one is strange. The IP address value has already been confirmed to be of type ip-netmask, yet the value is not a string, but a dict.

I will try to look into this when I return from vacation next week.

In case it's relevant: What version of the Palo Alto firewall or Panorama are you running this on?

desh130 commented 11 months ago

The Panorama version is 10.2.5.

moshekaplan commented 11 months ago

I've created a new release with additional debugging. Could you re-run pan_analyzer with --debug appended and paste the object's information from the bottom of the debug file, after the crash?

desh130 commented 10 months ago

OK, I will check and let you know. Thanks for fixing.

desh130 commented 10 months ago

Thanks for fixing the other issue. It is fixed now.

moshekaplan commented 10 months ago

I didn't change anything, but I'm glad that the issues are gone. If they recur, please open a new issue and we can try to use the additional debugging information then.

desh130 commented 10 months ago

Hey, is there any way to run a single module, like finding unused and duplicate objects, and then delete them? Thanks in advance.

moshekaplan commented 10 months ago

Yes, for example: pan_analyzer --validator UnusedServices

desh130 commented 10 months ago

Thanks, that is what I am looking for. Thanks a lot.

desh130 commented 10 months ago

Hey moshekaplan, is there any way to find an address or group like one large object that replaces other smaller IPs?

moshekaplan commented 10 months ago

Perhaps you are referring to pan_analyzer --validator AddressesShouldBeGroups ?

desh130 commented 10 months ago

Hey moshekaplan, thanks for the reply. I mean to say, suppose we have the addresses 10.0.0.0/8, 10.0.0.0/16 and 10.0.0.0/8 again. I want to find these through pan_analyzer. Is there any way? Thanks.

moshekaplan commented 10 months ago

Perhaps EquivalentAddresses, for detecting two addresses which both contain 10.0.0.0/8?

Although if I'm understanding correctly, your example is you have a firewall policy which allows communications to both 10.0.0.0/8 and 10.0.0.0/16, and you want to flag on the 10.0.0.0/16 entry as being extra?

I don't think any of the current validators support that, but that would be a good enhancement to RedundantRuleAddresses.

I've created https://github.com/moshekaplan/palo_alto_firewall_analyzer/issues/74 for this enhancement.
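As an added worked example (not code from this thread or from palo_alto_firewall_analyzer), here is the check being proposed above: for each security rule, resolve its source and destination members to ip-netmask address objects and flag any member that is strictly contained in another member of the same rule, so that 10.0.0.0/16 is reported as redundant next to 10.0.0.0/8. It also groups address objects that share an identical value, which is the duplicate case the thread asks about later. The XML fragment, object names and rule names are constructed for illustration; a real Panorama export would be loaded with ET.parse instead of ET.fromstring.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample, not a real export: a PAN-OS-style config fragment with
# ip-netmask address objects and two security rules referencing them.
SAMPLE_CONFIG = """
<config>
  <address>
    <entry name="net-10-8"><ip-netmask>10.0.0.0/8</ip-netmask></entry>
    <entry name="net-10-16"><ip-netmask>10.0.0.0/16</ip-netmask></entry>
    <entry name="host-10-0-0-5"><ip-netmask>10.0.0.5</ip-netmask></entry>
    <entry name="net-192-168"><ip-netmask>192.168.0.0/16</ip-netmask></entry>
    <entry name="dup-10-8"><ip-netmask>10.0.0.0/8</ip-netmask></entry>
  </address>
  <rulebase><security><rules>
    <entry name="allow-corp">
      <source><member>net-10-8</member><member>net-10-16</member><member>host-10-0-0-5</member></source>
      <destination><member>any</member></destination>
    </entry>
    <entry name="allow-lab">
      <source><member>net-192-168</member></source>
      <destination><member>net-10-16</member><member>dup-10-8</member></destination>
    </entry>
  </rules></security></rulebase>
</config>
"""


def load_addresses(root):
    """Map address-object name -> ip_network, for ip-netmask objects only."""
    addrs = {}
    for entry in root.findall("./address/entry"):
        node = entry.find("ip-netmask")
        if node is None or not node.text:
            continue  # fqdn / ip-range / ip-wildcard objects are skipped here
        # strict=False tolerates host bits set (e.g. "10.0.0.5" or "10.0.0.5/8")
        addrs[entry.get("name")] = ipaddress.ip_network(node.text.strip(), strict=False)
    return addrs


def redundant_members(members, addrs):
    """Return (member, covered_by) pairs for members strictly inside another member."""
    nets = {m: addrs[m] for m in members if m in addrs}  # "any" and unknown names drop out
    redundant = []
    for name, net in nets.items():
        containers = [
            other for other, other_net in nets.items()
            if other != name
            and other_net.version == net.version   # subnet_of() raises on v4/v6 mix
            and net != other_net                   # identical values are duplicates, not shadows
            and net.subnet_of(other_net)
        ]
        if containers:
            # Report the tightest enclosing member (largest prefix length)
            tightest = max(containers, key=lambda o: nets[o].prefixlen)
            redundant.append((name, tightest))
    return redundant


def find_redundant_rule_addresses(root, addrs):
    """(rule, direction, member, covered_by) for every shadowed member in the rulebase."""
    findings = []
    for rule in root.findall("./rulebase/security/rules/entry"):
        for direction in ("source", "destination"):
            members = [m.text for m in rule.findall(f"{direction}/member") if m.text]
            for member, covered_by in redundant_members(members, addrs):
                findings.append((rule.get("name"), direction, member, covered_by))
    return findings


def find_duplicate_values(addrs):
    """Group address objects whose values resolve to the identical network."""
    by_value = {}
    for name, net in addrs.items():
        by_value.setdefault(net, []).append(name)
    return {str(net): sorted(names) for net, names in by_value.items() if len(names) > 1}


def analyze(xml_text):
    root = ET.fromstring(xml_text)
    addrs = load_addresses(root)
    return find_redundant_rule_addresses(root, addrs), find_duplicate_values(addrs)


if __name__ == "__main__":
    redundant, duplicates = analyze(SAMPLE_CONFIG)
    for rule, direction, member, covered_by in redundant:
        print(f"{rule}: {direction} member {member} is already covered by {covered_by}")
    for value, names in duplicates.items():
        print(f"duplicate value {value}: {', '.join(names)}")
```

The containment test is deliberately strict: two objects with the same value are reported by the duplicate grouping rather than as shadowing, so that each finding maps to a different remediation (delete the narrower member, or consolidate the duplicate objects).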

desh130 commented 10 months ago

Thanks, moshekaplan, for your reply. I am iterating through all rules in all DGs and have to find all rules between two specific CIDR blocks. I have created some code; it might help you to understand.

```python
import xml.etree.ElementTree as ET
# import panxapi  # only needed for the commented-out live-API path below

'''
# Panorama connection details
panorama_host = "192.168.248.140"
panorama_user = "admin"
panorama_password = "  "

# Initialize PAN-OS API connection to Panorama
xapi = panxapi(api_username=panorama_user, api_password=panorama_password, hostname=panorama_host, verify=False)

xapi = panxapi.py -h 192.168.248.140 -l @.***! -k

# Perform an API request to get all security policies
xpath = @.**@.='vsys1']/rulebase/security/rules")

try:
    response = xapi.get(xpath=xpath)
    if response is None:
        raise Exception("Empty response from the API.")
except Exception as e:
    print(f"Error: {e}")
    exit()
'''

# Parse the XML response (saved to disk)
root = ET.parse("3882.xml")
# print(root)

# Iterate through the security rules only; a bare ".//entry" would also match
# address objects, address groups and every other <entry> in the config
for rule in root.findall(".//rules/entry"):
    source_objects = []
    destination_objects = []

    # Get the source and destination objects of the rule
    for element in rule.findall(".//source/member"):
        if element.text:
            source_objects.append(element.text)
    for element in rule.findall(".//destination/member"):
        if element.text:
            destination_objects.append(element.text)

    # Check if any source or destination object falls within the specified IP range
    in_range = False
    for obj in source_objects + destination_objects:
        # Skip "any", object names and members without an explicit prefix length,
        # which would otherwise raise IndexError on split('/')[1]
        if not obj.startswith("10.0.0.") or '/' not in obj:
            continue
        subNetMask = int(obj.split('/')[1])
        if 8 <= subNetMask <= 20:
            in_range = True
            break

    if in_range:
        # Print the rule name and other relevant information
        # rule_name = rule.find(".//tag").text
        rule_name = rule.get("name")
        print(f"Rule Name: {rule_name}")
        print(f"Source Objects: {', '.join(source_objects)}")
        print(f"Destination Objects: {', '.join(destination_objects)}")
        print("\n")

# Disconnect from the Panorama device
# xapi.logout()
```


moshekaplan commented 10 months ago

That script sounds like a useful idea. I've created https://github.com/moshekaplan/palo_alto_firewall_analyzer/issues/75 for that enhancement.

desh130 commented 8 months ago

Hey moshekaplan, how are you? Should we use --fixer consolidate Addresses to fix duplicate addresses?

moshekaplan commented 8 months ago

Yes, that is its purpose - it finds multiple uses of an address object's value and consolidates all the usage to just one of the address objects, so that the others can be deleted as being unused.

Moshe
