PaloAltoNetworks/pan-os-php

Reset Rule Hit Counter with PAN-OS-PHP

bethatasitmay opened this issue · 18 comments

Is your feature request related to a problem?

Sometimes it would be nice to be able to programmatically reset the rule hit counter in rules.

Describe the solution you'd like

Rather than going to each rule, opening the rule usage dialog box, selecting the firewalls, and clicking on Reset Rule Hit Counter, it would be nice to be able to run an action to do it in an automated fashion. For example, if the timestamp is older than a certain date, reset it (for example, we have rules that have one or more hits that happened while migrating firewalls due to an issue during the migration but not hits since then - technically, they are unused).

Describe alternatives you've considered

Filter the rules (either manually or with a PAN-OS-PHP filtered exportToExcel) and manually reset the counters.

Additional context

I'd like to automate the hit count reset based. I suppose someone might want to do this unfiltered, but I would be doing this filtered.

first version; no rule-hit-count filters are yet available:

please check whether the current implementation in the develop docker container helps you (or https://github.com/swaschkut/pan-os-php).
after that I will publish it next week in the latest docker container:

docker run --name panosphp --rm -v ${PWD}:/share -it swaschkut/pan-os-php:develop

show rule-hit-count for specific RULENAME
pan-os-php type=rule in=api://mgmt-IP actions=rule-hit-count-show 'filter=(name eq RULENAME)' location=any

clear rule-hit-count for specific RULENAME
pan-os-php type=rule in=api://mgmt-IP actions=rule-hit-count-clear 'filter=(name eq RULENAME)' location=any

if you can make some suggestions about which rule-hit-count filters are needed, based on the 'actions=rule-hit-count-show' output:

* latest: yes
* hit-count: 0
* last-hit: 0
* last-reset: 2022-10-09 20:00:40
* first-hit: 0
* rule-creation: 2021-12-19 10:51:58
* rule-modification: 2021-12-19 10:51:58

so far I assume the available type=rule filters are enough, but maybe I am wrong:

* timestamp-first-hit.fast
    - >,<,=,!                           : returns TRUE if rule name matches the specified timestamp MM/DD/YYYY [american] / DD-MM-YYYY [european] / 21 September 2021 / - 90 days

* timestamp-last-hit.fast
    - >,<,=,!     
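
The filter semantics sketched above (a timestamp given as MM/DD/YYYY, DD-MM-YYYY, "21 September 2021" or a relative "- 90 days", compared against each rule's last-hit) are easy to get wrong around rules that have never been hit or were reset recently. The script below is an added example, not pan-os-php code: it re-implements that filter in Python over a constructed set of rule-hit-count records laid out like the rule-hit-count-show fields, converts the raw epoch values to the device timezone (a fixed PST offset is assumed here; real code should use the device's zone), and separates "last hit older than the cutoff" from the broader "nothing observed in a window older than the cutoff" so a freshly reset or freshly created rule is not mistaken for an unused one.

```python
"""Emulate a timestamp-last-hit style filter over PAN-OS rule-hit-count data.

Added example; not code from the pan-os-php project. Record keys mirror the
field names printed by actions=rule-hit-count-show; all values are constructed.
"""
import re
from datetime import datetime, timedelta, timezone

# Fixed reference time so the example is reproducible offline.
NOW = datetime(2022, 10, 11, 10, 9, 35, tzinfo=timezone.utc)
NOW_EPOCH = int(NOW.timestamp())
# Assumption: fixed PST offset; use zoneinfo("US/Pacific") on a real device.
PACIFIC = timezone(timedelta(hours=-8))

# Constructed sample records. Epoch seconds as the API returns them, 0 = never.
SAMPLE_RULES = [
    {"name": "migration-artifact", "hit-count": 3,            # hit only on migration day
     "first-hit": 1639275576, "last-hit": 1639275576,
     "last-reset": 0, "rule-creation": 1635724800},
    {"name": "active-web", "hit-count": 120000,               # hit two hours ago
     "first-hit": 1635724800, "last-hit": NOW_EPOCH - 7200,
     "last-reset": 0, "rule-creation": 1635724800},
    {"name": "just-reset", "hit-count": 0,                    # counter cleared 5 days ago
     "first-hit": 0, "last-hit": 0,
     "last-reset": NOW_EPOCH - 5 * 86400, "rule-creation": 1635724800},
    {"name": "never-hit-old", "hit-count": 0,                 # old rule, never hit
     "first-hit": 0, "last-hit": 0,
     "last-reset": 0, "rule-creation": 1635724800},
    {"name": "new-rule", "hit-count": 0,                      # created 10 days ago
     "first-hit": 0, "last-hit": 0,
     "last-reset": 0, "rule-creation": NOW_EPOCH - 10 * 86400},
]

# "- 90 days", "-90 days" or a bare "-90" all mean "90 days before now".
_RELATIVE = re.compile(r"^-\s*(\d+)(?:\s*days?)?$")


def parse_timestamp_spec(spec, now=NOW):
    """Turn a filter value into an aware datetime (same tz as `now`)."""
    spec = spec.strip()
    m = _RELATIVE.match(spec)
    if m:
        return now - timedelta(days=int(m.group(1)))
    # American, European and long-form absolute dates, in that order.
    for fmt in ("%m/%d/%Y", "%d-%m-%Y", "%d %B %Y"):
        try:
            return datetime.strptime(spec, fmt).replace(tzinfo=now.tzinfo)
        except ValueError:
            continue
    raise ValueError("unrecognised timestamp spec: %r" % spec)


def fmt_ts(epoch, tz=timezone.utc):
    """Render an epoch value the way the GUI does; 0 means the event never happened."""
    if epoch == 0:
        return "never"
    return datetime.fromtimestamp(epoch, tz).strftime("%Y-%m-%d %H:%M:%S")


def _dt(epoch):
    return datetime.fromtimestamp(epoch, timezone.utc)


def last_hit_before(rules, spec, now=NOW):
    """Strict filter: rules whose recorded last-hit is older than the cutoff.

    Rules with last-hit == 0 are excluded: they carry no hit to age out
    (and nothing to clear).
    """
    cutoff = parse_timestamp_spec(spec, now)
    return [r["name"] for r in rules
            if r["last-hit"] and _dt(r["last-hit"]) < cutoff]


def unused_candidates(rules, spec, now=NOW):
    """Broader policy (this example's own, not the tool's): also flag rules
    with no hit at all, but only when the observation window itself, which
    starts at the last counter reset or, failing that, at rule creation,
    began before the cutoff. A rule reset or created last week proves nothing."""
    cutoff = parse_timestamp_spec(spec, now)
    out = []
    for r in rules:
        if r["last-hit"]:
            if _dt(r["last-hit"]) < cutoff:
                out.append(r["name"])
            continue
        window_start = r["last-reset"] or r["rule-creation"]
        if window_start and _dt(window_start) < cutoff:
            out.append(r["name"])
    return out


if __name__ == "__main__":
    for r in SAMPLE_RULES:
        print("%-20s hits=%-6d last-hit=%s last-reset=%s" % (
            r["name"], r["hit-count"],
            fmt_ts(r["last-hit"], PACIFIC), fmt_ts(r["last-reset"], PACIFIC)))
    print("last hit before -90 days:", last_hit_before(SAMPLE_RULES, "- 90 days"))
    print("unused candidates:       ", unused_candidates(SAMPLE_RULES, "- 90 days"))
```

Note that 1639275576 renders as 2021-12-12 02:19:36 in UTC but as 2021-12-11 18:19:36 in the Pacific offset, which is why a device timezone line like the one in the utility's output matters when you compare dates to what the GUI shows.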

For what I would like, it would be a filter based on timestamp-last-hit.fast. In my particular scenario (long story short), I was having issues post-migration due to zones, so I ran the calculate-zones action. But, it was taking too long, so to get things working I wiped out all zones and then re-added all source zones. This allowed a bunch of rules to be erroneously hit on the day of the migration (there were 3 migrations - 3 firewalls to 1). So, I have a lot of rules whose last hit was the day of the migrations. So, I know that they were never supposed to be hit and, therefore, they are technically unused.

I'll check it later today (Sunday) or tomorrow.

so overall this is a command to display rules with the hit-count:

last-hit before 90 days from now:
pan-os-php type=rule in=api://MGMT-IP actions=rule-hit-count-show 'filter=(timestamp-last-hit.fast < -90)'

if you would like to clear the rule-hit-count for these:
pan-os-php type=rule in=api://MGMT-IP actions=rule-hit-count-clear 'filter=(timestamp-last-hit.fast < -90)'

introduced with PR:
#676

For the result output of the -show action, would it be possible to just show the date and show it in normal calendar format the way the GUI shows it?

It would be nice to not have to convert 1639275576 to 2021-12-11 :-)

By the way, you have a typo in your action above (actual action is -clear) - it says "-clean" instead of "-clear" above

Hmmm, clean action doesn't work - will post backtrace in a moment.

Oh, the -show command worked so I'm reasonably sure my filter is correct.

As always, running through PowerShell:

php -r "require_once 'C:/tools/pan/dev/pan-os-php/utils/pan-os-php.php';" type=rule in=api://panorama.domain.com location=DG1-Cluster ruletype=security actions=rule-hit-count-clear 'filter=(timestamp-last-hit.fast < -303) and (name eq RULENAME)'

which translates to:

pan-os-php type=rule in=api://panorama.domain.com location=DG1-Cluster ruletype=security actions=rule-hit-count-clear 'filter=(timestamp-last-hit.fast < -303) and (name eq RULENAME)'

Backtrace info:


*********** pan-os-php.php type=rule UTILITY **************

  • PAN-OS-PHP version: 2.0.63 [WIN] [8.1.10]
  • Downloading config from API...
  • Detected platform type is 'panorama'
  • No 'template' provided so using default ='any'
  • filter after sanitization : (timestamp-last-hit.fast < -303) and (name eq RULENAME)
  • Loading configuration through PAN-OS-PHP library...
    (2.46 seconds, 140.51 mb memory)
  • PAN-OS version: 91
  • PAN-OS APP-ID version: 8597-7479
  • PAN-OS Device timezone: US/Pacific is used. actual time: 2022/10/11 10:09:35
  • processing ruleset 'PanoramaConf: / DeviceGroup:DG1-Cluster / RuleStore:Security' that holds 3419 rules
    Firewall: DG1b (serial: '123456789012', PAN-OS: '9.1.13-h3') was rebooted '143 days, 15:27:56' ago.
    additional check needed as PAN-OS >= 8.1.X
    Firewall: DG1a (serial: '123456789011', PAN-OS: '9.1.13-h3') was rebooted '143 days, 14:38:46' ago.
    additional check needed as PAN-OS >= 8.1.X

    • object 'RULENAME' passing through Action='rule-hit-count-clear'
  • ** ERROR ** * API reported a failure: "error" with the following addition infos: Failed to reset rule-hit job

*** Backtrace ***
0 ****
backtrace_print()
::C:\tools\pan\dev\pan-os-php\lib\pan_php_framework.php line 595
1 ****
derr()
::C:\tools\pan\dev\pan-os-php\lib\misc-classes\PanAPIConnector.php line 1252
2 ****
PanAPIConnector:panorama.domain.com
PanAPIConnector::sendRequest() @
C:\tools\pan\dev\pan-os-php\lib\misc-classes\PanAPIConnector.php line 1809
3 ****
PanAPIConnector:panorama.domain.com
PanAPIConnector::sendOpRequest() @
C:\tools\pan\dev\pan-os-php\lib\rule-classes\Rule.php line 777
4 ****
PanoramaConf: / DeviceGroup:DG1-Cluster / RuleStore:Security / SecurityRule:RULENAME
Rule::API_clearRuleHitCount() @
C:\tools\pan\dev\pan-os-php\utils\common\actions-rule.php line 5197
5 ****
{closure}()
::C:\tools\pan\dev\pan-os-php\utils\common\CallContext.php line 103
6 ****
Action:'rule-hit-count-clear'
CallContext::executeAction() @
C:\tools\pan\dev\pan-os-php\utils\lib\RULEUTIL.php line 428
7 ****
RULEUTIL::time_to_process_objects() @
C:\tools\pan\dev\pan-os-php\utils\lib\RULEUTIL.php line 36
8 ****
RULEUTIL::utilStart() @
C:\tools\pan\dev\pan-os-php\utils\lib\UTIL.php line 192
9 ****
UTIL::__construct() @
C:\tools\pan\dev\pan-os-php\lib\misc-classes\PH.php line 977
10 ****
callPANOSPHP()
::C:\tools\pan\dev\pan-os-php\utils\pan-os-php.php line 118
11 ****
require_once()
::Command line code line 1

This is the 2.0.63 dev version.

FYI, I can't re-open one of my issues if it is closed by a repo collaborator.

so you are running this against:

  • Panorama PAN-OS 9.1

I need to check later this week why 9.1 is not working


regarding your suggestion:
"It would be nice to not have to convert 1639275576 to 2021-12-11 :-)"

please share full example output, I thought this is already implemented

I recommend NOT using dev!!! after it is published

Oh, didn't know it was published - is that what the PR # means?

Run from published version (not dev) refreshed a few minutes ago:


*********** pan-os-php.php type=rule UTILITY **************

  • PAN-OS-PHP version: 2.0.62 [WIN] [8.1.10]
  • Downloading config from API...
  • Detected platform type is 'panorama'
  • No 'template' provided so using default ='any'
  • filter after sanitization : (timestamp-last-hit.fast < -303) and (name eq RULENAME)
  • Loading configuration through PAN-OS-PHP library...
    (2.00 seconds, 140.51 mb memory)
  • PAN-OS version: 91
  • PAN-OS APP-ID version: 8597-7479
  • PAN-OS Device timezone: US/Pacific is used. actual time: 2022/10/11 22:30:46
  • processing ruleset 'PanoramaConf: / DeviceGroup:DG1-Cluster / RuleStore:Security' that holds 3419 rules
    Firewall: DG1b (serial: '123456789012', PAN-OS: '9.1.13-h3') was rebooted '144 days, 3:49:02' ago.
    additional check needed as PAN-OS >= 8.1.X
    Firewall: DG1a (serial: '123456789011', PAN-OS: '9.1.13-h3') was rebooted '144 days, 2:59:42' ago.
    additional check needed as PAN-OS >= 8.1.X
    • object 'RULENAME' passing through Action='rule-hit-count-show'

37163927557601639266765166555244816367427131653339603yes0000165310182616367427141653099060yes

  • objects processed in DG/Vsys 'DG1-Cluster' : 1 filtered over 3419 available

**** PROCESSED 1 objects over 3419 available ****

************* END OF SCRIPT pan-os-php.php type=rule ************

By the way, I'm still getting the clear action failure in the published version (Backtrace is the same).

the problem here is that Panorama has a completely different API command;
I need to spend more time on this.
the implemented one is working well for Firewall

regarding your suggestion: "It would be nice to not have to convert 1639275576 to 2021-12-11 :-)"

please share full example output, I thought this is already implemented

FYI, I just sent you an email with the details.

BUMP
actions=rule-hit-count-clear is not working on all Panorama versions - the API call syntax is not correct