Merge pull request #785 from swaschkut/main

publish version 2.1.20
PaloAltoNetworks · Oct 13, 2023 · 69d70a9 · 69d70a9
2 parents efc5861 + c652b92
commit 69d70a9
Show file tree

Hide file tree

Showing 24 changed files with 923 additions and 87 deletions.
diff --git a/CHANGELOG.txt b/CHANGELOG.txt
@@ -1,6 +1,28 @@
 CHANGELOG
 
-2.1.19
+2.1.20
+UTIL:
+* type=xpath | introduce "actions=set-text:NODETEXT"
+* type=rule | new 'filter=(app has.seen.fast-api unknow-tcp)' - to filter for device traffic log if specific app-id was seen
+* type=rule actions=exporttoexcel | extend with column 'url-category'
+* type=bpa-generator | introduction to support offline XML config file
+* type=bpa-generator | improve offline config handling
+* type=tsf | in addition to extract XML config, also extract /tmp/cli/techsupport_*.txt
+* type=bpa-generator | introduce support to reach techsupport.txt from TSF /tmp/cli/techsupport_*.txt
+* type=bpa-generator | introduce support to handle TSF file from 11.1
+* type=certificate | introduce actions=exporttoexcel:CERT_file.html | 'filter=(expired < 90days)' | 'filter=(expired < today)'
+* type=certificate actions=exporttoexcel:file.html | extend with column subject and issuer
+
+BUGFIX:
+* type=gcp actions=download | bugfix to handle command order correctly
+* type=rule actions=stats-XYZ-FastAPI | bugfix to read argument correctly
+
+GENERAL:
+* GENERAL: Device App-ID update to version: 8763-8333
+* class Zone.php | extend validation for new PAN-OS features 'net-inspection' 'prenat-identification'
+
+
+2.1.19 (20231006)
 UTIL:
 * different classes | improve usage of flag 'XML_PARSE_BIG_LINES' in method loadXML
 * class PANConf / Panoramaconfg | implement method ChildDeviceGroups() for 'location=shared:excludemaindg'

diff --git a/appid-toolbox/lib/trait/lib_2_report_generator.php b/appid-toolbox/lib/trait/lib_2_report_generator.php
@@ -272,34 +272,62 @@ function logAnalysis_Phase2()
 
             PH::print_stdout("   * Generating report... ");
             //if fastMode: panorama-trsum/trsum ELSE: panorama-traffic/traffic
-            $reports = $rule->API_getAppContainerStats2(time() - ($logHistory * 24 * 3600), time() + 0, TRUE);
-            if( count($reports) == 0 )
+            $oldWay = true;
+
+            if( $oldWay )
             {
-                $reports = $rule->API_getAppContainerStats2(time() - ($logHistory * 24 * 3600), time() + 0, FALSE);
-            }
+                $reports = $rule->API_getAppContainerStats2(time() - ($logHistory * 24 * 3600), time() + 0, TRUE);
+                if( count($reports) == 0 )
+                {
+                    $reports = $rule->API_getAppContainerStats2(time() - ($logHistory * 24 * 3600), time() + 0, FALSE);
+                }
+
 
+                $ruleStats->createRuleStats($rule->name());
 
-            $ruleStats->createRuleStats($rule->name());
+                PH::print_stdout("     * Results (" . count($reports) . "):");
 
-            PH::print_stdout("     * Results (" . count($reports) . "):");
+                $ruleStats->updateRuleUpdateTimestamp($rule->name());
 
-            $ruleStats->updateRuleUpdateTimestamp($rule->name());
+                foreach( $reports as $line )
+                {
+                    $count = array_pop($line);
+                    $app = array_pop($line);
 
-            foreach( $reports as $line )
+                    // if container of app is valid, we want to use this container rather than
+                    $container = array_pop($line);
+                    if( $container != null && strlen($container) > 0 && $container != 'none' && $container != '(null)' )
+                        $app = $container;
+
+                    PH::print_stdout("      - $app ($count)");
+
+                    $ruleStats->addRuleStats($rule->name(), $app, $count);
+                }
+            }
+            else
             {
-                $count = array_pop($line);
-                $app = array_pop($line);
+                $reports = $rule->API_apps_seen();
+
+                if(isset($reports['apps-seen']))
+                {
+                    $ruleStats->createRuleStats($rule->name());
 
-                // if container of app is valid, we want to use this container rather than
-                $container = array_pop($line);
-                if( $container != null && strlen($container) > 0 && $container != 'none' && $container != '(null)' )
-                    $app = $container;
+                    PH::print_stdout("     * Results (" . $reports['apps-seen-count'] . "):");
 
-                PH::print_stdout("      - $app ($count)");
+                    foreach( $reports['apps-seen'] as $app => $line )
+                    {
+                        #if( $line['bytes'] > 0 ) {
+                        #PH::print_stdout("      - $app ($count)");
+                        $count = 0;
+                        PH::print_stdout("      - $app ()");
 
-                $ruleStats->addRuleStats($rule->name(), $app, $count);
+                        $ruleStats->addRuleStats($rule->name(), $app, $count);
+                        #}
+                    }
+                }
             }
 
+
             //not performant to write file for each rule
             #$ruleStats->save_to_file($ruleStatFile);
 

diff --git a/lib/misc-classes/PH.php b/lib/misc-classes/PH.php
@@ -192,7 +192,7 @@ function __construct($argv, $argc)
 
     private static $library_version_major = 2;
     private static $library_version_sub = 1;
-    private static $library_version_bugfix = 19;
+    private static $library_version_bugfix = 20;
 
     //BASIC AUTH PAN-OS 7.1
     public static $softwareupdate_key = "658d787f293e631196dac9fb29490f1cc1bb3827";

diff --git a/lib/misc-classes/RQuery.php b/lib/misc-classes/RQuery.php
@@ -60,6 +60,8 @@ class RQuery
     /** @var  string field to which this Rquery applies */
     public $field;
 
+    public $isAPI = FALSE;
+
 
     public $inverted = FALSE;
 
@@ -70,7 +72,7 @@ class RQuery
     public $padded;
     public $contextObject;
 
-    public function __construct($objectType, $level = 0)
+    public function __construct($objectType, $level = 0, $isAPI = false)
     {
         $this->level = $level;
         $this->padded = str_pad('', ($this->level + 1) * 2, ' ');
@@ -113,6 +115,10 @@ public function __construct($objectType, $level = 0)
             $this->contextObject = new StaticRouteRQueryContext($this);
         else
             derr("unsupported object type '$objectType'");
+
+        if( $isAPI )
+            $this->contextObject->isAPI = TRUE;
+
     }
 
     /**

diff --git a/lib/misc-classes/RQueryContext.php b/lib/misc-classes/RQueryContext.php
@@ -11,6 +11,8 @@ class RQueryContext
     public $value;
     public $operator;
 
+    public $isAPI = FALSE;
+
     public $rQueryObject;
 
     public $nestedQueries;

diff --git a/lib/misc-classes/filters/filters-Certificate.php b/lib/misc-classes/filters/filters-Certificate.php
@@ -169,4 +169,30 @@
         'fString' => '(%PROP% 1)',
         'input' => 'input/panorama-8.0.xml'
     )
+);
+
+RQuery::$defaultFilters['certificate']['expired']['operators']['>,<,=,!'] = array(
+    'Function' => function (CertificateRQueryContext $context) {
+        $object = $context->object;
+
+
+        $timestamp_value = strtotime($object->notValidafter);
+        if( $context->value == 0 )
+            $filter_timestamp = $context->value;
+        else
+            $filter_timestamp = strtotime($context->value);
+        $operator = $context->operator;
+        if( $operator == '=' )
+            $operator = '==';
+
+        $operator_string = $timestamp_value." ".$operator." ".$filter_timestamp;
+        if( $operator == '==' && $timestamp_value == 0 )
+            return true;
+        elseif( $timestamp_value != 0 && eval("return $operator_string;" ) )
+            return true;
+
+        return false;
+    },
+    'arg' => TRUE,
+    'help' => 'returns TRUE if rule name matches the specified timestamp MM/DD/YYYY [american] / DD-MM-YYYY [european] / 21 September 2021 / -90 days',
 );
diff --git a/lib/misc-classes/filters/filters-Rule.php b/lib/misc-classes/filters/filters-Rule.php
@@ -1534,6 +1534,25 @@
     'help' => 'example: \'filter=(app has.from.query subquery1)\' \'subquery1=(object is.application-group)\'',
 );
 
+RQuery::$defaultFilters['rule']['app']['operators']['has.seen.fast-api'] = array(
+    'Function' => function (RuleRQueryContext $context) {
+        $rule = $context->object;
+
+        #if( !$context->isAPI )
+        #    derr( "this filter is only supported in API mode", null, false );
+
+        $rule_array = $rule->API_apps_seen();
+
+        if( isset($rule_array['apps-seen']) && in_array( $context->value, array_keys($rule_array['apps-seen'])) )
+            return TRUE;
+
+        return null;
+    },
+    'arg' => TRUE,
+    'help' => 'example: \'filter=(app has.seen.fast-api unknown-tcp)\'',
+);
+
+
 //                                              //
 //          Services properties                 //
 //                                              //

diff --git a/lib/network-classes/Certificate.php b/lib/network-classes/Certificate.php
@@ -49,6 +49,8 @@ class Certificate
     public $notValidbefore = null;
     public $notValidafter = null;
 
+    public $publicKeyDetailArray = null;
+
     /**
      * @param string $name
      * @param CertificateStore $owner
@@ -227,8 +229,10 @@ function_exists('openssl_x509_parse') )
                         //this does not contain the bits
                         $cert = openssl_x509_read($this->publicKey);
                         if( $cert !== FALSE )
+                        {
                             $cert_obj = openssl_x509_parse($cert);
-                        #print_r( $cert_obj );
+                            $this->publicKeyDetailArray = $cert_obj ;
+                        }
 
                         //publicKey Signature Algorithm
                         if( isset($cert_obj['signatureTypeLN']) )

diff --git a/lib/network-classes/Zone.php b/lib/network-classes/Zone.php
@@ -205,8 +205,6 @@ public function load_from_domxml(DOMElement $xml)
             {
                 $this->type = $node->tagName;
             }
-
-
             elseif( $node->tagName == 'zone-protection-profile' )
             {
                 $this->zoneProtectionProfile = $node->textContent;
@@ -218,9 +216,17 @@ public function load_from_domxml(DOMElement $xml)
             elseif( $node->tagName == 'enable-packet-buffer-protection' )
             {
 
+            }
+            elseif( $node->tagName == 'net-inspection' )
+            {
+
+            }
+            elseif( $node->tagName == 'prenat-identification' )
+            {
+
             }
             else
-                mwarning("zone type: " . $node->tagName . " is not yet supported.");
+                mwarning("zone type: " . $node->tagName . " is not yet supported.", null, False);
 
         }
     }