FR-13092022-1 Resolving address objects and groups without summarising them

Question

FR-13092022-1 Resolving address objects and groups without summarising them

nexusops opened this issue 2 years ago · 1 comments

Is your feature request related to a problem?

ResolveAddressSummary works great when admins need to see straight away what IP addresses are behind named objects or groups. Unfortunately, if the resolved summary doesn't correspond with the expectations, few more extra steps need to be taken in order to resolve the individual objects to their specific values in order to discover which one(s) are skewing the resulting summary.

For example: Imagine a list of 100 objects inside an object group. Each of those objects is supposed to be a /24, /23 or /25 subnet, but the resulting summary shows a much larger result caused by one of those objects being a /2 due to a typo.

Describe the solution you'd like

An extra argument for the ExportToExcel, which adds an extra information into the spreadsheet where the objects are resolved individually without performing summary. The existing ResolveAddressSummary and its column don't need to be changed in any way.

The argument could be called ResolveAddressDetail and the information can be presented as an extra column where each object would be resolved line by line. The challenge would be with resolving object-groups with non-contiguous objects.

For example: think of a rule with groups called "Test" with objects 10.10.10.0/24, 10.30.40.50/32, 10.20.20.0/25 and "Test2" with objects 10.20.30.0/24, 10.50.60.128/25 in the source field. Currently, the members are simply listed in the "resolved_sum" column. Somehow, the spreadsheet would need to make it clear where each of the resolved groups start and where they end in the new "resolved_detail" column. One option could be by merging the cells for the object name, similar to how the cells are merged for the rule name.

Here is an example

Describe alternatives you've considered

Option 1: export the objects for a specific rule, which has a different "resolved_sum" than expected
pan-os-php type=address location=any in=[config] actions=exporttoexcel 'filter=(refobjectname is [rule_name])'

Option 2: export all objects and use the list as a reference for checking multiple rules and object groups
pan-os-php type=address in=[config] actions=exporttoexcel

Neither of the two options scale very well if multiple rules and objects need to be verified. Having the information directly in the rule export sheet gives the ability to check the object values then and there

Answer 1 · 2023-07-14T06:23:30.000Z

please check action:

pan-os-php type=rule 'actions=exporttoexcel:test.html,resolveaddresssummary' location=shared in=config.xml

introduced new fields:
src_resolved_nested_name | src_resolved_nested_value | src_resolved_nested_location

version 2.1.9 (20230712)