4. compare two DeviceGroups from same file requesting file2 #790

Open
erickfcc opened this issue Aug 9, 2024 · 10 comments

@erickfcc

erickfcc commented Aug 9, 2024

Describe the bug

When running the following:

pan-os-php type=diff file1=diff.xml "filter=/config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='$$name$$']/pre-rules" name1=DG1 name2=DG2

I get the following error message:

  • ** WARNING ** * "file2" is missing from arguments

Also, when I reference the same file to file1 and file2 it just gives me a "success" message

root@cc49d464c1da:/share# pan-os-php type=diff "filter=/config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='$$name$$']/pre-rules" name1=DG1 name2=DG2 file1=diff.xml file2=diff.xml


*********** pan-os-php.php type=diff UTILITY **************

  • PAN-OS-PHP version: 2.1.25 [UNIX] [8.3.6]
    Opening ORIGINAL 'diff.xml' XML file...
    Opening COMPARE 'diff.xml' XML file...
    *** NOW DISPLAY DIFF ***

####################################################################

  • FinalResult: PASS

************* END OF SCRIPT pan-os-php.php type=diff ************

Expected behavior

I expect a diff using the same file referencing to different DGs

Current behavior

Same as bug description

Possible solution

Steps to reproduce

  1. pan-os-php type=diff file1=diff.xml "filter=/config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='$$name$$']/pre-rules" name1=DG1 name2=DG2

Screenshots

Context

I am not able to do a diff between 2 DGs

Your Environment

  • Version used:
  • Environment name and version: Python 3.12.3
  • Operating System and version (desktop or mobile): Mac Sonoma
  • Link to your project:
@erickfcc erickfcc added the bug Something isn't working label Aug 9, 2024
@swaschkut
Contributor

Thanks for sharing this bug;

as you are already on version 2.1.25 the repository is available there:
https://github.com/swaschkut/pan-os-php

nevertheless, I will inform you as soon as this is fixed.
But this will not be started before August 19th

@swaschkut
Contributor

there is now a new develop Docker container available:
docker run --name panosphp --rm -v ${PWD}:/share -it swaschkut/pan-os-php:develop

which is fixing this.

for your information:
this is the correct filter:
"filter=/config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='$$name$$']/pre-rulebase"

@erickfcc
Author

I am now getting a new error, I ran the development container

docker run --name panosphp --rm -v ${PWD}:/share -it swaschkut/pan-os-php:develop

I run the following:
pan-os-php type=diff file1=gates-lab.xml "filter=/config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='$$name$$']/pre-rules" name1=ADCFWD1 name2=new-ADCFWD1

and I get the following error:

*** ** WARNING ** * "filter" argument is not a valid xPATH or not available | xpath1: "/config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='ADCFWD1']/pre-rules"**

When I add the "/" in front of pre-rules I get a different error


*********** pan-os-php.php type=diff UTILITY **************

  • PAN-OS-PHP version: 2.1.27 [UNIX] [8.3.6]
    Opening ORIGINAL 'gates-lab.xml' XML file...
  • ** ERROR ** * Died on user notice or warning!! Error: DOMXPath::query(): Invalid expression on /tools/pan-os-php/lib/misc-classes/DH.php:814

*** Backtrace ***
0 ****
backtrace_print()
::/tools/pan-os-php/lib/pan_php_framework.php line 630
1 ****
derr()
::/tools/pan-os-php/lib/pan_php_framework.php line 117
2 ****
myErrorHandler()
:: line
3 ****
DOMXPath::query() @
/tools/pan-os-php/lib/misc-classes/DH.php line 814
4 ****
findXPath()
::/tools/pan-os-php/lib/misc-classes/DH.php line 785
5 ****
findXPathSingleEntry()
::/tools/pan-os-php/utils/lib/DIFF.php line 239
6 ****
DIFF::main() @
/tools/pan-os-php/utils/lib/DIFF.php line 110
7 ****
DIFF::utilStart() @
/tools/pan-os-php/utils/lib/UTIL.php line 215
8 ****
UTIL::__construct() @
/tools/pan-os-php/lib/misc-classes/PH.php line 1090
9 ****
callPANOSPHP()
::/tools/pan-os-php/utils/pan-os-php.php line 118
10 ****
require_once()
::Command line code line 1

@swaschkut
Contributor

pre-rules

is not a valid Palo Alto Networks PAN-OS path;

you need to use:
pre-rulebase

This is what I wanted to mention in my previous post

@erickfcc
Author

I copied this from your output, I should have checked it. Please update the following output when typing help

Thank you

root@7c79281768a8:/share# pan-os-php type=diff


*********** pan-os-php.php type=diff UTILITY **************

  • PAN-OS-PHP version: 2.1.27 [UNIX] [8.3.6]

ERROR "file1" is missing from arguments

USAGE:

  • php DIFF.php file1=ORIGINAL.xml file2=NEWESTFILE.xml

  • php DIFF.php file1=ORIGINAL.xml file2=NEWESTFILE.xml "filter=/config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='DG-name']/pre-rules"

  • php DIFF.php file1=ORIGINAL.xml file2=NEWESTFILE.xml filter=file.json
    JSON file structure:
    {
    "include": [
    "/config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='testDG']/address",
    "/config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='testDG']/tag",
    "/config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='testDG']/service",
    "/config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='testDG']/address-group"
    ],
    "exclude": [
    "/config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='testDG']/service-group",
    "/config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='$$name$$']/address",
    "/cloud_services/mobile-users/onboarding/entry[@name='']/dns-servers/entry[@name='']"
    ],
    "move": [
    {
    "from": "/template/config/shared/ssl-decrypt",
    "to": "/template/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/ssl-decrypt"
    }
    ],
    "added": [
    "/template/config/devices/entry[@name='localhost.localdomain']/network/routing-profile",
    "/template/config/shared/non-file-based-dlp-settings/max-latency[text()[contains(.,'15')]]",
    "/policy/panorama/pre-rulebase/security/rules/entry[@name='']/from/member[text()[contains(.,'any')]]",
    "/policy/panorama/profiles/spyware/entry[@name='
    ']/botnet-domains/dns-security-categories/entry[@name='*']/action[text()[contains(.,'sinkhole')]]",
    ],
    "deleted": [
    "/template/config/shared/response-page"
    ],
    "empty": [
    "/policy/post-rulebase/tunnel-inspect"
    ],
    "combinedruleordercheck": [
    {
    "pre": "/policy/panorama/pre-rulebase/security",
    "post": "/policy/panorama/post-rulebase/security"
    }
    ]
    }

  • php DIFF.php file1=diff.xml "filter=/config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='$$name$$']/pre-rules" name1=testDG name2=testDG1

  • ** WARNING ** * "file1" is missing from arguments

@erickfcc
Author

I spoke too soon, I am still getting the error when using pre-rulebase

root@7c79281768a8:/share# pan-os-php type=diff file1=gates-lab.xml "filter=/config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='$$name$$']/pre-rulebase" name1=ADCFWD1 name2=new-ADCFWD1


*********** pan-os-php.php type=diff UTILITY **************

  • PAN-OS-PHP version: 2.1.27 [UNIX] [8.3.6]
    Opening ORIGINAL 'gates-lab.xml' XML file...

ERROR "filter" argument is not a valid xPATH or not available | xpath2: "/config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='new-ADCFWD1']/pre-rulebase"

USAGE:

  • php DIFF.php file1=ORIGINAL.xml file2=NEWESTFILE.xml

  • php DIFF.php file1=ORIGINAL.xml file2=NEWESTFILE.xml "filter=/config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='DG-name']/pre-rules"

  • php DIFF.php file1=ORIGINAL.xml file2=NEWESTFILE.xml filter=file.json
    JSON file structure:
    {
    "include": [
    "/config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='testDG']/address",
    "/config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='testDG']/tag",
    "/config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='testDG']/service",
    "/config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='testDG']/address-group"
    ],
    "exclude": [
    "/config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='testDG']/service-group",
    "/config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='$$name$$']/address",
    "/cloud_services/mobile-users/onboarding/entry[@name='']/dns-servers/entry[@name='']"
    ],
    "move": [
    {
    "from": "/template/config/shared/ssl-decrypt",
    "to": "/template/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/ssl-decrypt"
    }
    ],
    "added": [
    "/template/config/devices/entry[@name='localhost.localdomain']/network/routing-profile",
    "/template/config/shared/non-file-based-dlp-settings/max-latency[text()[contains(.,'15')]]",
    "/policy/panorama/pre-rulebase/security/rules/entry[@name='']/from/member[text()[contains(.,'any')]]",
    "/policy/panorama/profiles/spyware/entry[@name='
    ']/botnet-domains/dns-security-categories/entry[@name='*']/action[text()[contains(.,'sinkhole')]]",
    ],
    "deleted": [
    "/template/config/shared/response-page"
    ],
    "empty": [
    "/policy/post-rulebase/tunnel-inspect"
    ],
    "combinedruleordercheck": [
    {
    "pre": "/policy/panorama/pre-rulebase/security",
    "post": "/policy/panorama/post-rulebase/security"
    }
    ]
    }

  • php DIFF.php file1=diff.xml "filter=/config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='$$name$$']/pre-rules" name1=testDG name2=testDG1

  • ** WARNING ** * "filter" argument is not a valid xPATH or not available | xpath2: "/config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='new-ADCFWD1']/pre-rulebase"

@swaschkut
Contributor

but the error message is now mentioned very clearly:

ERROR "filter" argument is not a valid xPATH or not available | xpath2: "/config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='new-ADCFWD1']/pre-rulebase"

your device-group "new-ADCFWD1" does not have the xpath available;
there are NO rules available in this device-group

@erickfcc
Author

erickfcc commented Aug 21, 2024

That error is not true, I have verified that the DG exists, it's not my file

root@5de3d9754888:/share# pan-os-php type=diff file1=stage0.xml "filter=/config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='$$name$$']/pre-rulebase" name1=ADCFWD1 name2=new-ADCFWD1


*********** pan-os-php.php type=diff UTILITY **************

  • PAN-OS-PHP version: 2.1.27 [UNIX] [8.3.6]
    Opening ORIGINAL 'stage0.xml' XML file...

ERROR "filter" argument is not a valid xPATH or not available | xpath1: "/config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='ADCFWD1']/pre-rules"

USAGE:

  • php DIFF.php file1=ORIGINAL.xml file2=NEWESTFILE.xml

  • php DIFF.php file1=ORIGINAL.xml file2=NEWESTFILE.xml "filter=/config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='DG-name']/pre-rules"

  • php DIFF.php file1=ORIGINAL.xml file2=NEWESTFILE.xml filter=file.json
    JSON file structure:
    {
    "include": [
    "/config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='testDG']/address",
    "/config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='testDG']/tag",
    "/config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='testDG']/service",
    "/config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='testDG']/address-group"
    ],
    "exclude": [
    "/config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='testDG']/service-group",
    "/config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='$$name$$']/address",
    "/cloud_services/mobile-users/onboarding/entry[@name='']/dns-servers/entry[@name='']"
    ],
    "move": [
    {
    "from": "/template/config/shared/ssl-decrypt",
    "to": "/template/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/ssl-decrypt"
    }
    ],
    "added": [
    "/template/config/devices/entry[@name='localhost.localdomain']/network/routing-profile",
    "/template/config/shared/non-file-based-dlp-settings/max-latency[text()[contains(.,'15')]]",
    "/policy/panorama/pre-rulebase/security/rules/entry[@name='']/from/member[text()[contains(.,'any')]]",
    "/policy/panorama/profiles/spyware/entry[@name='
    ']/botnet-domains/dns-security-categories/entry[@name='*']/action[text()[contains(.,'sinkhole')]]",
    ],
    "deleted": [
    "/template/config/shared/response-page"
    ],
    "empty": [
    "/policy/post-rulebase/tunnel-inspect"
    ],
    "combinedruleordercheck": [
    {
    "pre": "/policy/panorama/pre-rulebase/security",
    "post": "/policy/panorama/post-rulebase/security"
    }
    ]
    }

  • php DIFF.php file1=diff.xml "filter=/config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='$$name$$']/pre-rules" name1=testDG name2=testDG1

  • ** WARNING ** * "filter" argument is not a valid xPATH or not available | xpath1: "/config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='ADCFWD1']/pre-rules"

root@5de3d9754888:/share# exit
exit

#( 08/20/24@ 7:48PM )( erickmel@mb16inch ):~/GitHub
  cat stage0.xml | grep -B1 ADCFWD1
   <device-group>
    <entry name="ADCFWD1">****

  </entry>
    <entry name="new-ADCFWD1">

@erickfcc
Author

CleanShot 2024-08-20 at 19 58 13

@swaschkut
Contributor

Hi Erick,
looks like we are not speaking about the same topic.

maybe to get closure to this:
Please create a new SecurityRule in DG "new-ADCFWD1" and disable this Rule.

right now based on the error message, there are no Rules available in the DG "new-ADCFWD1" and Palo Alto Networks therefore does not create the XMLnode in the XML file.
And if this is not available, the script is telling you, that this specific xPath cannot be found.

I hope that this workaround helps you to understand what the real issue is.


Another hint:
In the newest develop container I had to change the search variable;
$$name$$ can not be used any more, due to problems with BASH PIP alignment.

pan-os-php type=diff help

pan-os-php type=diff file1=diff.xml "filter=/config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='{{name}}']/pre-rulebase" name1=testDG name2=testDG1
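
The situation described in the last comment (a device group that exists but has no rules, so its `pre-rulebase` node is absent from the XML) can be checked before running the diff. The following is an added example, not code from pan-os-php or from either participant; the sample config, the DG names `DG1`/`DG2`/`DG3` and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not from the issue): DG2 exists but has no rules,
# so it has no <pre-rulebase> child at all.
SAMPLE = """<config><devices><entry name="localhost.localdomain"><device-group>
  <entry name="DG1"><pre-rulebase><security><rules>
    <entry name="allow-dns"/><entry name="deny-all"/>
  </rules></security></pre-rulebase></entry>
  <entry name="DG2"/>
  <entry name="DG3"><pre-rulebase><security><rules>
    <entry name="allow-dns"/>
  </rules></security></pre-rulebase></entry>
</device-group></entry></devices></config>"""

FILTER = ("/config/devices/entry[@name='localhost.localdomain']"
          "/device-group/entry[@name='{{name}}']/pre-rulebase")

def resolve(root, filter_template, name):
    """Expand the {{name}} placeholder and return the matching node, or None."""
    if "'" in name:
        raise ValueError("quote in device-group name would break the predicate")
    xpath = filter_template.replace("{{name}}", name)
    prefix = "/" + root.tag
    if not xpath.startswith(prefix + "/"):
        raise ValueError("filter must start at the document root: " + xpath)
    # ElementTree only accepts relative paths, so rebase onto the root element.
    return root.find("." + xpath[len(prefix):])

def rule_names(node):
    """Names of the security rules under a rulebase node."""
    return {e.get("name") for e in node.findall("./security/rules/entry")}

def compare_groups(xml_text, filter_template, name1, name2):
    """Return ('missing', [names]) or ('diff', only_in_1, only_in_2)."""
    root = ET.fromstring(xml_text)
    nodes = {n: resolve(root, filter_template, n) for n in (name1, name2)}
    missing = [n for n, node in nodes.items() if node is None]
    if missing:
        # The entry may exist while the filtered node under it does not.
        return ("missing", missing)
    a, b = rule_names(nodes[name1]), rule_names(nodes[name2])
    return ("diff", sorted(a - b), sorted(b - a))

if __name__ == "__main__":
    print(compare_groups(SAMPLE, FILTER, "DG1", "DG2"))
    print(compare_groups(SAMPLE, FILTER, "DG1", "DG3"))
```

A `grep` for the device-group name only shows that the `<entry>` exists; this check reports whether the filtered node under it is present, which is what the "not a valid xPATH or not available" message depends on.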
