swaschkut / pan-os-php

Framework and utilities to easily manage and edit Palo Alto Network PANOS devices
ISC License
14 stars 1 forks

Issue: Bug - (timestamp-last-hit.fast = 0) not matching disabled rules #9

Open bethatasitmay opened 5 months ago

bethatasitmay commented 5 months ago

Hi

Describe the bug

As you may recall from this discussion...

https://github.com/PaloAltoNetworks/pan-os-php/discussions/681

... you had fixed an issue with timestamp-last-hit not including never-hit rules (Rule Usage shows Unused or, I assume, '-').

While doing some unused tagging, I noticed that, as best I can determine, (timestamp-last-hit.fast = 0) does not match disabled rules. I say "as best I can determine" because what I'm seeing is that only disabled rules didn't get the tag I was adding.

Expected behavior

Any rule that is Unused (per the filter (timestamp-last-hit.fast = 0)) should match.

Current behavior

All enabled rules with Unused for the Rule Usage match and the tag is added, but disabled rules do not match and don't have the tag added.

Possible solution

Maybe it's by design? If so, then please either include disabled rules or include a switch/parameter that makes it happen.

Steps to reproduce

php -r "require_once 'C:/tools/pan/pan-os-php/utils/pan-os-php.php';" type=rule in=api://panorama.domain.com location=FW1 ruletype=security actions=tag-Add:Unused-Never 'filter=(timestamp-last-hit.fast = 0) and !(tag has Unused-Never)'

The same thing happens if I don't filter out rules that already have the tag.

Context

Tagging rules in preparation for future unused rule deletion.

Your Environment

swaschkut commented 5 months ago

same information as on the other opened issue:

this feature is relying on the Palo Alto Networks PAN-OS XML API. Based on your shared information, it looks like Palo Alto Networks does not return disabled rules in the response to the timestamp-last-hit.fast XML API request pan-os-php is sending to Panorama.

for your use-case please use: php -r "require_once 'C:/tools/pan/pan-os-php/utils/pan-os-php.php';" type=rule in=api://panorama.domain.com location=FW1 ruletype=security actions=tag-Add:Unused-Never 'filter=(rule is.unused.fast) and !(tag has Unused-Never)'

with this filter: PAN-OS-PHP is using the old implementation and using Panorama as a "proxy" to reach out to each FW attached to this DeviceGroup and request separately whether a rule is unused from a Panorama perspective.
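To make the failure mode in this thread visible rather than silent, here is an added example (not part of pan-os-php and not the maintainer's code) that cross-checks the rulebase from a config read against the rule-hit-count data and reports every rule the hit-count data does not mention, instead of skipping it the way a last-hit filter does. Both XML samples are constructed for the example; the element names in the hit-count sample (`rule-hit-count`, `hit-count`, `last-hit-timestamp`) are an assumption modelled on the firewall's `show rule-hit-count` output, and the helper names are hypothetical.

```python
"""Cross-check a PAN-OS security rulebase against rule-hit-count output.

Added example, not pan-os-php code.  The point: a rule that is in the
config but absent from the hit-count data (the disabled rules described
in the issue) is reported as 'no-hit-data' and can optionally be tagged
as unused, instead of being skipped because no last-hit value exists.
"""
import xml.etree.ElementTree as ET

# Constructed sample of a config 'get' on a security rulebase.  Only the
# <disabled> element matters here; a real response carries the full rules.
CONFIG_XML = """<response status="success"><result>
<rules>
  <entry name="allow-web"><disabled>no</disabled></entry>
  <entry name="legacy-ftp"><disabled>yes</disabled></entry>
  <entry name="never-hit"/>
  <entry name="old-disabled-unused"><disabled>yes</disabled></entry>
</rules>
</result></response>"""

# Constructed sample of rule-hit-count output.  Element names are an
# assumption modelled on 'show rule-hit-count'; the two disabled rules are
# deliberately missing, mirroring the behaviour reported in the issue.
HITCOUNT_XML = """<response status="success"><result><rule-hit-count>
<vsys><entry name="vsys1"><rule-base><entry name="security"><rules>
  <entry name="allow-web"><hit-count>1532</hit-count>
    <last-hit-timestamp>1717000000</last-hit-timestamp></entry>
  <entry name="never-hit"><hit-count>0</hit-count>
    <last-hit-timestamp>0</last-hit-timestamp></entry>
</rules></entry></rule-base></entry></vsys>
</rule-hit-count></result></response>"""


def parse_rulebase(config_xml):
    """Return {rule name: disabled?} for every entry, in rulebase order."""
    root = ET.fromstring(config_xml)
    rules = {}
    for entry in root.iterfind(".//rules/entry"):
        rules[entry.get("name")] = entry.findtext("disabled", default="no") == "yes"
    return rules


def parse_hit_counts(hitcount_xml):
    """Return {rule name: last-hit epoch} for every rule the query reported."""
    root = ET.fromstring(hitcount_xml)
    hits = {}
    for entry in root.iterfind(".//rule-hit-count//rules/entry"):
        hits[entry.get("name")] = int(entry.findtext("last-hit-timestamp", default="0"))
    return hits


def classify(rulebase, hits):
    """Map each configured rule to 'used', 'unused' or 'no-hit-data'.

    'no-hit-data' is the case a plain last-hit == 0 filter cannot see:
    the rule exists in the config but the hit-count query never returned it.
    """
    status = {}
    for name in rulebase:
        if name not in hits:
            status[name] = "no-hit-data"
        elif hits[name] == 0:
            status[name] = "unused"
        else:
            status[name] = "used"
    return status


def rules_to_tag(rulebase, hits, include_disabled=False):
    """Names that should get a never-hit tag, in rulebase order.

    include_disabled=False reproduces what the issue reports: only rules
    with an explicit last-hit of 0 qualify.  include_disabled=True also
    treats disabled rules with no hit data as unused.  Enabled rules with
    no hit data are never tagged silently; the caller should inspect them.
    """
    status = classify(rulebase, hits)
    selected = []
    for name, disabled in rulebase.items():
        if status[name] == "unused":
            selected.append(name)
        elif status[name] == "no-hit-data" and disabled and include_disabled:
            selected.append(name)
    return selected


if __name__ == "__main__":
    rb = parse_rulebase(CONFIG_XML)
    hc = parse_hit_counts(HITCOUNT_XML)
    for name, state in classify(rb, hc).items():
        print(f"{name:22} disabled={str(rb[name]):5} {state}")
    print("tag (filter behaviour):", rules_to_tag(rb, hc))
    print("tag (include disabled):", rules_to_tag(rb, hc, include_disabled=True))
```

Run against real data you would replace the two constants with the responses from a config `get` on the rulebase xpath and from the rule-hit-count operational command; the classification step is what turns "missing from the API response" into something you can audit before tagging anything for deletion.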

bethatasitmay commented 5 months ago

Oh, sorry - I misunderstood. I thought you were saying that only unused.fast was going through Panorama as a proxy and not timestamp-last-hit. I didn't realize they operated the same way in that regard.

Well, I have a workaround of sorts for never hit ("unused") - just enable the rules (we also tag them Disabled and To-Be-Deleted) and then check them in Panorama for the last hit.

I suppose going forward we shouldn't disable rules (maybe put an expired schedule on them) so that they retain the last hit (assuming there is a last hit and not marked "unused") on the firewalls so that PAN-OS-PHP will pick it up.

Is it possible in the API to query the last hit from Panorama and, if so, are there any plans to update PAN-OS-PHP to use that method?