Type=Address filter ip4.included-in does not check groups
taddairpanw opened this issue · 1 comments
Describe the bug
When using the Address Util in combination with a filter of ip4.included-in, it does not look at the values of group members if there is an address group.
Expected behavior
The IP4 included filter should be group-aware. It should return address groups in addition to standalone address objects if the groups contain the IP4 values being filtered.
Current behavior
Groups are currently not filtered. Here is example output.
pan-os-php type=address location=any actions=display in=INPUTFILE.xml 'filter=(value ip4.included-in 10.129.250.0/23)'
#################
processing store 'PanoramaConf: / AddressStore:addresses' that holds 171 objects
- object 'N-10.129.250.0-23' passing through Action='display'
- Address 'N-10.129.250.0-23' type: 'ip-netmask' value: '10.129.250.0/23' desc: '' IPcount: '512'
processing store 'PanoramaConf: / DeviceGroup:DeviceGroupXYZ/ AddressStore:address' that holds 181 objects
- object 'N-10.129.250.0-23' passing through Action='display'
- Address 'N-10.129.250.0-23' type: 'ip-netmask' value: '10.129.250.0/23' desc: '' IPcount: '512'
**** PROCESSING OF 2 OBJECTS DONE ****
###############
I re-run the search but this time use the name of a group that I know for sure exists and contains the address object as a member.
pan-os-php type=address location=any actions=display in=INPUTFILE.xml 'filter=(name contains OrganizationVPN)'
################
- processing store 'PanoramaConf: / AddressStore:addresses' that holds 171 objects
- object 'OrganizationVPN' passing through Action='display'
- AddressGroup 'OrganizationVPN' (5 members) desc: ''
- 10.129.254.0 value: '10.129.254.0/24'
- N-10.129.200.0-23 value: '10.129.200.0/23'
- N-10.129.206.0-25 value: '10.129.206.0/25'
- N-10.129.250.0-23 value: '10.129.250.0/23'
- N-172.16.128.0-20 value: '172.16.128.0/20'
- AddressGroup 'OrganizationVPN' (5 members) desc: ''
- object 'OrganizationVPN' passing through Action='display'
**** PROCESSING OF 1 OBJECTS DONE ****
###########################
Possible solution
Make the ip4.included-in filter group-aware. If object type = group, recurse through group members and identify IP4 values, given that there is a value field in each member per the output above.
Steps to reproduce
Acquire an input file with both address objects and address group objects. Ensure that one of the address groups includes an address object with the IP4 value that you wish to search for. Filter for address values in CIDR notation. Observe output to see if groups are included. If it only returns the original address object and does not include the group in the output, you have reproduced the bug.
Screenshots
No screenshots needed - output pasted above
Context
Attempting to add user IDs to rules that refer to specific VPN subnet ranges. Some of these rules refer to group objects. I am using the "has from subquery" filter option and defining subqueries from the address util. This problem caused my queries to miss a significant quantity of rules for adding the user ID information to them.
Your Environment
- Version used:
- PAN-OS-PHP version: 2.0.74 [UNIX]
- /spring/Expedition-Converter/pan-os-php/utils
- PHP version: 7.4.3
as discussed one-to-one - this feature is working as designed,
an object value, whether address or address-group, must be part of the IP/network;
based on your filter:
'filter=(value ip4.included-in 10.129.250.0/23)'
and the object you would like to see:
processing store 'PanoramaConf: / AddressStore:addresses' that holds 171 objects
object 'OrganizationVPN' passing through Action='display'
AddressGroup 'OrganizationVPN' (5 members) desc: ''
10.129.254.0 value: '10.129.254.0/24'
N-10.129.200.0-23 value: '10.129.200.0/23'
N-10.129.206.0-25 value: '10.129.206.0/25'
- N-10.129.250.0-23 value: '10.129.250.0/23'
N-172.16.128.0-20 value: '172.16.128.0/20'
you must use a different filter:
'filter=(value ip4.includes-full-or-partial 10.129.250.0/23)'
please allow me to explain the behaviour of the first filter:
'filter=(value ip4.included-in 10.129.250.0/23)'
- AddressGroup 'OrganizationVPN'
- value: '10.129.206.0/25' => is NOT included in 10.129.250.0/23
SOLUTION:
'filter=(value ip4.includes-full-or-partial 10.129.250.0/23)'
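A small model of the two filters as explained in the reply above, added here as an example and not pan-os-php code. It assumes `ip4.included-in` requires every resolved member network of an object to lie inside the reference network, while `ip4.includes-full-or-partial` only requires an overlap; the function names are hypothetical and the objects are the ones shown in the output in this thread.

```python
import ipaddress

# Objects copied from the output in this thread; a group is a list of member names.
ADDRESSES = {
    "10.129.254.0": "10.129.254.0/24",
    "N-10.129.200.0-23": "10.129.200.0/23",
    "N-10.129.206.0-25": "10.129.206.0/25",
    "N-10.129.250.0-23": "10.129.250.0/23",
    "N-172.16.128.0-20": "172.16.128.0/20",
}
GROUPS = {"OrganizationVPN": list(ADDRESSES)}


def resolve(name, seen=None):
    """Return the IPv4 networks an object maps to, recursing through groups."""
    seen = set() if seen is None else seen
    if name in seen:  # guard against a group that (indirectly) contains itself
        return []
    seen.add(name)
    if name in ADDRESSES:
        return [ipaddress.ip_network(ADDRESSES[name])]
    nets = []
    for member in GROUPS[name]:
        nets.extend(resolve(member, seen))
    return nets


def included_in(name, ref):
    """Assumed semantics: every network of the object lies inside ref."""
    ref = ipaddress.ip_network(ref)
    nets = resolve(name)
    return bool(nets) and all(n.subnet_of(ref) for n in nets)


def includes_full_or_partial(name, ref):
    """Assumed semantics: at least one network of the object overlaps ref."""
    ref = ipaddress.ip_network(ref)
    return any(n.overlaps(ref) for n in resolve(name))


def matching(predicate, ref):
    """Names of all objects (addresses and groups) that satisfy predicate."""
    return sorted(n for n in list(ADDRESSES) + list(GROUPS) if predicate(n, ref))


if __name__ == "__main__":
    for pred in (included_in, includes_full_or_partial):
        print(pred.__name__, matching(pred, "10.129.250.0/23"))
```

When such a filter feeds a rule subquery, as in the Context section of the issue, the overlap form is the one that also selects rules referencing the group.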