swaschkut / pan-os-php

Framework and utilities to easily manage and edit Palo Alto Network PANOS devices
ISC License

Issue: Bug - exportToExcel...,HitCount throws 'unsupported' error #13

Closed bethatasitmay closed 4 months ago

bethatasitmay commented 6 months ago

Describe the bug

I've used the HitCount parameter quite a few times and hadn't had an issue until now. I'm getting after processing a few rules' hit count XML:

along with Backtrace info and there is no file output.

Expected behavior

The processing of the XML should complete and allow the exportToExcel to complete.

Current behavior

This has been sanitized and trimmed. I did look at the rule that would be next (GenericA-017 in the sanitized version) and there's nothing special about it in the GUI that I can see. It is very similar in settings (disabled) and tags to GenericA-007 (this, of course, assumes that's the rule where the issue lies).


*** pan-os-php.php type=rule UTILITY **

...trimmed...

Steps to reproduce

php -r "require_once 'C:/tools/pan/pan-os-php/utils/pan-os-php.php';" type=rule in=api://panorama.domain.com location=FW1 ruletype=security actions=exportToExcel:Disabled-tagged-pre-FW1-B.xls,HitCount 'filter=(rule is.disabled) and (tag has DISABLED)'

Basically, I'm looking for all disabled rules that have the DISABLED tag. I also ran it for tagged rules that weren't disabled & it worked fine, but that was only 4 rules vs.

Your Environment

bethatasitmay commented 6 months ago

Note that I changed the output of the greater than/less than signs to parentheses as the former weren't formatting correctly.

bethatasitmay commented 6 months ago

Oh, and if I remove the ,HitCount parameter, the command completes successfully.

swaschkut commented 6 months ago

I do not exactly know how Windows WSL CLI is working, but I recommend using single quotes around the actions command:

php -r "require_once 'C:/tools/pan/pan-os-php/utils/pan-os-php.php';" type=rule in=api://panorama.dcswins.com location=FW1 ruletype=security 'actions=exportToExcel:Disabled-tagged-pre-SC-B.xls,HitCount' 'filter=(rule is.disabled) and (tag has DISABLED)'

please try this out.

This has nothing to do with pan-os-php. This is how your CLI works and understands the input.

bethatasitmay commented 6 months ago

While WSL appears to be installed, it isn't working:

wsl -l -v
The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.

The only time I've had to surround an action or parameter with '' is when there is a space involved - the command has worked fine for other things.

In fact, I accidentally ran this a couple of days ago (note the questionable filter):

php -r "require_once 'C:/tools/pan/pan-os-php/utils/pan-os-php.php';" type=rule in=api://panorama.domain.com location=FW1 ruletype=security actions=exportToExcel:Disabled-rules-pre-FW1-A.xls,HitCount 'filter=and !(tag has DISABLED)'

Which dumps the other 1,618 rules with no issues.

I went ahead and tried the command from my initial report again with the entire action= section surrounded by '' as per your comment above and it stops at the same point with the same messages.

I also made the following attempts:

php -r "require_once 'C:/tools/pan/pan-os-php/utils/pan-os-php.php';" type=rule in=api://panorama.domain.com location=FW1 ruletype=security actions=exportToExcel:Disabled-tagged-GenericA-017-only.xls,HitCount 'filter=(rule is.disabled) and (tag has DISABLED) and (name eq GenericA-017)'

Works fine (one rule output)

php -r "require_once 'C:/tools/pan/pan-os-php/utils/pan-os-php.php';" type=rule in=api://panorama.domain.com location=FW1 ruletype=security actions=exportToExcel:GenericA-017-only.xls,HitCount 'filter=(name eq GenericA-017)'

Works fine (one rule output)

php -r "require_once 'C:/tools/pan/pan-os-php/utils/pan-os-php.php';" type=rule in=api://panorama.domain.com location=FW1 ruletype=security actions=exportToExcel:All-FW1-rules.xls,HitCount

Fails in the same spot.

bethatasitmay commented 6 months ago

Oh......

It occurred to me that if the failure is happening between GenericA-007 and GenericA-017, I should try just those two rules:

php -r "require_once 'C:/tools/pan/pan-os-php/utils/pan-os-php.php';" type=rule in=api://panorama.domain.com location=FW1 ruletype=security actions=exportToExcel:GenericA-007-GenericA-017.xls,HitCount 'filter=(name eq GenericA-007) or (name eq GenericA-017)'

And indeed it fails in the same spot - GenericA-007 shows XML output and then it fails before anything for GenericA-017 appears.

swaschkut commented 6 months ago

do you think there will be a way to share an example config which is very similar to these two rules?

bethatasitmay commented 6 months ago

That's what I was thinking - start at the first rule and then go to the end of the second rule (or maybe even go one earlier and one later). Would you like it as XML or set commands (or both)?

With that said, I think the problem is with GenericA-007 - I just ran a dump of only that rule and it failed.

swaschkut commented 6 months ago

XML would be perfect:

pan-os-php type=rule actions=xml-extract 'filter=(name eq GenericA-017)' location=FW1

Something like this would display the XML part of this rule.

swaschkut commented 6 months ago

but the problem could be also with the API request / response.

maybe run your command first with debugapi

bethatasitmay commented 6 months ago

DebugAPI:

) php -r "require_once 'C:/tools/pan/pan-os-php/utils/pan-os-php.php';" DebugAPI type=rule in=api://panorama.domain.com location=FW1 ruletype=security actions=exportToExcel:Disabled-tagged-pre-FW1-F.xls,HitCount 'filter=(name eq GenericA-007)'


*** pan-os-php.php type=rule UTILITY **

bethatasitmay commented 6 months ago

xml-extract:

) php -r "require_once 'C:/tools/pan/pan-os-php/utils/pan-os-php.php';" type=rule in=api://panorama.domain.com location=FW1 actions=xml-extract 'filter=(name eq GenericA-007) or (name eq GenericA-017)'


*** pan-os-php.php type=rule UTILITY **

***** END OF SCRIPT pan-os-php.php type=rule ****

bethatasitmay commented 6 months ago

For the xml-extract, there doesn't appear to be anything unique or improper about the rules. While the tag, zones, src/dst, and descriptions aren't the same, they appear to be using the same kinds of things

swaschkut commented 6 months ago

OK, thanks. What I figured out is that for exportToExcel there is a field which is a different variable type than is currently supported.

it is not yet fixed but for your configuration there is a need to get more data related to the real issue:

Can you please use this repository, and send me the output: https://github.com/swaschkut/pan-os-php/tree/develop_2-1-X

php -r "require_once 'C:/tools/pan/pan-os-php/utils/pan-os-php.php';" DebugAPI type=rule in=api://panorama.domain.com location=FW1 ruletype=security actions=exportToExcel:Disabled-tagged-pre-FW1-F.xls,HitCount 'filter=(name eq GenericA-007)'

bethatasitmay commented 6 months ago

Can you please use this repository, and send me the output: https://github.com/swaschkut/pan-os-php/tree/develop_2-1-X

Sorry, how do I send the output to you through that tree?

swaschkut commented 6 months ago

Please use this repository: https://github.com/swaschkut/pan-os-php/tree/develop_2-1-X to update/install pan-os-php

to execute this command php -r "require_once 'C:/tools/pan/pan-os-php/utils/pan-os-php.php';" DebugAPI type=rule in=api://panorama.domain.com location=FW1 ruletype=security actions=exportToExcel:Disabled-tagged-pre-FW1-F.xls,HitCount 'filter=(name eq GenericA-007)'

and send me the output for this execution. The repository mentioned above has new code, which will hopefully help to come closer to the real issue.

bethatasitmay commented 6 months ago

I understand what you're looking for - I just don't know how to send you the information through the specific repository.

Do I upload a file or something else?

When I click on issues after I click on that link I'm just brought back to this section - it's not unique to the repository.

swaschkut commented 6 months ago

just bring the output into this issue.

bethatasitmay commented 6 months ago

(deleted due to not being correct output)

swaschkut commented 6 months ago

are you using the correct repository? you are still on version 2.1.23 which is the latest version;

the develop version is already on 2.1.24 which is available here: https://github.com/swaschkut/pan-os-php/tree/develop_2-1-X

you did not update your pan-os-php code correctly.

example git:

git clone --branch develop_2-1-X swaschkut/pan-os-php

I have no clue how you are doing this in your Windows environment; this is the reason why I started years ago to officially ONLY support the Docker container, as I cannot be involved in any update issues based on a specific user environment.

bethatasitmay commented 6 months ago

Sorry, I'm an idiot - I understand what you're saying now. Sorry again - I haven't had much sleep this week and my brain is slowly melting.

As far as Docker goes, I can't use Docker because (1) my company (or at least my boss) won't buy it and (2) the networking of Docker can't be controlled and it overlaps with my company's enterprise network.

bethatasitmay commented 6 months ago

So, I normally do the git clone like this:

git clone https://github.com/swaschkut/pan-os-php.git

(or from when you were at PAN like this: git clone https://github.com/PaloAltoNetworks/pan-os-php.git)

Any thoughts on how to clone an individual version? If not, I'll ask our PowerShell guru on Monday.

I tried all of these methods:

PS C:\tools\pan> git clone https://github.com/swaschkut/pan-os-php/tree/develop_2-1-X
Cloning into 'develop_2-1-X'...
fatal: repository 'https://github.com/swaschkut/pan-os-php/tree/develop_2-1-X/' not found

PS C:\tools\pan> git clone https://github.com/swaschkut/pan-os-php/tree/develop_2-1-X.git
Cloning into 'develop_2-1-X'...
fatal: repository 'https://github.com/swaschkut/pan-os-php/tree/develop_2-1-X.git/' not found

PS C:\tools\pan> git clone https://github.com/swaschkut/pan-os-php/tree/develop_2-1-X/pan-os-php.git
Cloning into 'pan-os-php'...
fatal: repository 'https://github.com/swaschkut/pan-os-php/tree/develop_2-1-X/pan-os-php.git/' not found

PS C:\tools\pan> git clone --branch develop_2-1-X swaschkut/pan-os-php
fatal: repository 'swaschkut/pan-os-php' does not exist

PS C:\tools\pan> git clone -branch develop_2-1-X swaschkut/pan-os-php
fatal: repository 'develop_2-1-X' does not exist

bethatasitmay commented 6 months ago

The only other thing about how we install it, is that in the php.ini file we change enable_dl = off to enable_dl = on.

swaschkut commented 6 months ago

is this not working?

git clone --branch develop_2-1-X https://github.com/swaschkut/pan-os-php.git

Also, this should work:

git clone -b develop_2-1-X https://github.com/swaschkut/pan-os-php.git

bethatasitmay commented 6 months ago

Oh, that worked w/ the full URL - see, I wasn't lying when I said I'm not thinking straight :-)

bethatasitmay commented 6 months ago

Success - v2.1.24 worked without error.

I'm now running a full security policy dump to see if it snags on anything else, but I would expect it to be clean at this point.

This will take a while to run - I'll update after it finishes (probably later Saturday - it's just before 23:58 Friday).

bethatasitmay commented 6 months ago

Sorry, forgot to make an update - the full policy dump worked fine - no errors.