swaschkut / pan-os-php

Framework and utilities to easily manage and edit Palo Alto Network PANOS devices
ISC License

ApplicationSeen parameter added to display doesn't add anything #25

Closed bethatasitmay closed 2 months ago

bethatasitmay commented 2 months ago

Describe the bug

According to the change log, documentation, and type=rule listactions, display has a parameter of ApplicationSeen, among others. While, for example, HitCount works, ApplicationSeen does not.

Expected behavior

When I run an application of display:ApplicationSeen

Current behavior

Nothing additional is added by using the ApplicationSeen parameter

Steps to reproduce

Display - no parameter

> php -r "require_once 'C:/tools/pan/pan-os-php/utils/pan-os-php.php';" type=rule in=api://panorama.domain.com location=DG1 ruletype=security 'actions=display' 'filter=(name contains rule001)'

***********************************************
*********** pan-os-php.php type=rule UTILITY **************

 - PAN-OS-PHP version: 2.1.25 [WIN] [8.3.10]
 - Downloading config from API...
 - Detected platform type is 'panorama'
 - No 'template' provided so using default ='any'
 - filter after sanitization : (name contains rule001)
 - Loading configuration through PAN-OS-PHP library...
   (1.13 seconds, 56.62 mb memory)
 - PAN-OS-PHP APP-ID version: 8867-8824

 - PAN-OS APP-ID version: 8888-8941
 - PAN-OS AV version: 4929-5447
 - PAN-OS WF version: 515890-518890
 - PAN-OS THREAT version: 8888-8941
 - PAN-OS version: 110
 - PAN-OS Device timezone: US/Pacific is used. actual time: 2024/09/02 18:42:25

* processing ruleset 'PanoramaConf: / DeviceGroup:DG1 / RuleStore:Security' that holds 999 rules
   - object 'rule001'  passing through Action='display' Args: additionalFields=,
       *Rule named 'rule001'  UUID: '12345678'
         Action: allow    Type:universal
         From: src-zone  |  To:  dst-zone
         Source:  internal-nets
         Destination: external-nets
         Service:  application-default    Apps:  AppID-Group1
         User: *any*         HIP:   any
         Tags:  keep
         Group-Tag:  keep
         Desc:  Removed
         SecurityProfil: [SECGROUP] => 'secgrp1'
         LogSetting: [LogProfile] => 'logprof1' ( log at end )
         URL Category: **ANY**

Display with ApplicationSeen parameter

> php -r "require_once 'C:/tools/pan/pan-os-php/utils/pan-os-php.php';" type=rule in=api://panorama.domain.com location=DG1 ruletype=security 'actions=display:ApplicationSeen' 'filter=(name contains rule001)'

***********************************************
*********** pan-os-php.php type=rule UTILITY **************

 - PAN-OS-PHP version: 2.1.25 [WIN] [8.3.10]
 - Downloading config from API...
 - Detected platform type is 'panorama'
 - No 'template' provided so using default ='any'
 - filter after sanitization : (name contains rule001)
 - Loading configuration through PAN-OS-PHP library...
   (1.14 seconds, 56.62 mb memory)
 - PAN-OS-PHP APP-ID version: 8867-8824

 - PAN-OS APP-ID version: 8888-8941
 - PAN-OS AV version: 4929-5447
 - PAN-OS WF version: 515890-518890
 - PAN-OS THREAT version: 8888-8941
 - PAN-OS version: 110
 - PAN-OS Device timezone: US/Pacific is used. actual time: 2024/09/02 18:42:01

* processing ruleset 'PanoramaConf: / DeviceGroup:DG1 / RuleStore:Security' that holds 999 rules
   - object 'rule001'  passing through Action='display' Args: additionalFields=ApplicationSeen,
       *Rule named 'rule001'  UUID: '12345678'
         Action: allow    Type:universal
         From: src-zone  |  To:  dst-zone
         Source:  internal-nets
         Destination: external-nets
         Service:  application-default    Apps:  AppID-Group1
         User: *any*         HIP:   any
         Tags:  keep
         Group-Tag:  keep
         Desc:  removed
         SecurityProfil: [SECGROUP] => 'secgrp1'
         LogSetting: [LogProfile] => 'logprof1' ( log at end )
         URL Category: **ANY**

In this particular case, there should be 2 specific AppIDs seen based on what is showing in the security policy.

Context

I was simply expecting similar output to exportToExcel where it does work.

Your Environment

swaschkut commented 2 months ago

Thanks for raising this part.

'actions=display:ApplicationSeen'

is already full of information, so, as you already realised, the method for a human to get more information is: 'actions=exporttoexcel:file.html,ApplicationSeen'

The functionality of: 'actions=display:ApplicationSeen' is working fine for JSON output, but there you need to use an additional argument:

'actions=display:ApplicationSeen' shadow-json

The CLI output for humans is not planned to be extended for 'actions=display', because it is already hard to read the available packed information.

bethatasitmay commented 2 months ago

Ok, no worries - I didn't know if that was intentional or not. Thanks!