moshekaplan / palo_alto_firewall_analyzer

Python scripts for reviewing Palo Alto Firewall configurations
Creative Commons Zero v1.0 Universal

UnusedAddresses flagging used addresses for deletion #80

Open shepherdjay opened 6 months ago

shepherdjay commented 6 months ago

I will try to get a clean example of this, but I came across this package and wanted to give it a test. However, several of the addresses it flagged from the "shared" device group are in fact in use directly in policies.

Luckily, if running the validator, Panorama throws a reference error, so it doesn't delete it. But I'm not sure why it was flagged in the first place.

There is nothing particularly unique about the address or rule. The address object has the name form "1.1.1.1" and the netmask form "1.1.1.1/32" -- it is not added to a group but added directly to a rule as a destination in another device group.

moshekaplan commented 6 months ago

Very strange. My immediate guesses are that the address's value isn't being parsed correctly from the policy, or that for some reason, the device group isn't being detected as being a child of 'shared'. If you could share a sanitized XML snippet of the policy, that would be greatly helpful.

Based on a quick peek, SDWANPreRules and SDWANPostRules are not currently examined, and so there could definitely be false positives if an address is only used there. (https://github.com/moshekaplan/palo_alto_firewall_analyzer/blob/main/src/palo_alto_firewall_analyzer/pan_config.py#L72L93)
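As an added illustration of the false-positive mode described in the thread (example code, not part of palo_alto_firewall_analyzer): the constructed Panorama-style XML below defines a shared address object that is referenced only from a child device group's SDWAN pre-rule, so a scan that skips the `sdwan` rulebase reports it as unused while a scan that includes it does not. The XML layout and the rule-type names are assumptions modelled loosely on Panorama's config tree, not taken from the project.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of a Panorama config (assumed layout): a shared
# address object referenced only from a child device group's SDWAN pre-rule.
SAMPLE_CONFIG = """<config>
  <shared>
    <address>
      <entry name="1.1.1.1"><ip-netmask>1.1.1.1/32</ip-netmask></entry>
      <entry name="unused-host"><ip-netmask>10.0.0.5/32</ip-netmask></entry>
    </address>
  </shared>
  <devices><entry name="localhost.localdomain"><device-group>
    <entry name="branch-dg">
      <pre-rulebase>
        <sdwan><rules>
          <entry name="sdwan-to-dns">
            <source><member>any</member></source>
            <destination><member>1.1.1.1</member></destination>
          </entry>
        </rules></sdwan>
      </pre-rulebase>
    </entry>
  </device-group></entry></devices>
</config>"""

# Rule types that get scanned for address references; whether 'sdwan' is
# included is exactly the gap the issue above points at.
RULE_TYPES_WITHOUT_SDWAN = ("security", "nat")
RULE_TYPES_WITH_SDWAN = ("security", "nat", "sdwan")

def referenced_addresses(root, rule_types):
    """Collect every name used in source/destination members of the given
    rule types across all device groups' pre- and post-rulebases."""
    used = set()
    for dg in root.iterfind("./devices/entry/device-group/entry"):
        for rulebase in ("pre-rulebase", "post-rulebase"):
            for rtype in rule_types:
                for rule in dg.iterfind(f"./{rulebase}/{rtype}/rules/entry"):
                    for field in ("source", "destination"):
                        used.update(m.text for m in rule.iterfind(f"./{field}/member"))
    return used

def unused_shared_addresses(config_xml, rule_types):
    """Return the shared address objects not referenced by any scanned rule."""
    root = ET.fromstring(config_xml)
    defined = {e.get("name") for e in root.iterfind("./shared/address/entry")}
    return sorted(defined - referenced_addresses(root, rule_types))

if __name__ == "__main__":
    print(unused_shared_addresses(SAMPLE_CONFIG, RULE_TYPES_WITHOUT_SDWAN))  # flags 1.1.1.1 (false positive)
    print(unused_shared_addresses(SAMPLE_CONFIG, RULE_TYPES_WITH_SDWAN))     # only unused-host
```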