
Partial XPath support no longer supported in PAN-OS 11.0

Open stealthllama opened this issue 1 year ago • 2 comments

Describe the bug

Partial XPath support was dropped in PAN-OS 11.0. The create() function in pan-os-python issues set commands with a partial XPath value for the newly created configuration object. This results in inconsistencies when performing partial commits on Panorama. Changes made by specific administrators are not pushed to the managed firewalls when a partial commit is performed.

Expected behavior

The set commands generated from the create() function should include the object entry on the XPath string.

Example:

<request cmd='set' obj="/config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='Lab Testing']/address/entry[@name='Address A']" cookie='1357220402109258' client='xmlapi' refresh='no'><ip-netmask>192.168.200.10/32</ip-netmask><description>Address A added by notbob from Postman</description></request>

Current behavior

The set commands generated from the create() function strip out the object entry suffix on the XPath string. An xpath_short() function is called to perform this truncation.

Example:

 <request cmd='set' obj="/config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='Lab Testing']/address" cookie='4859959213841190' client='xmlapi' refresh='no'><entry name="Address B"><ip-netmask>192.168.120.8/32</ip-netmask><description>Address B added by bob from Ansible</description></entry></request>

Possible solution

The create() function must specify the complete XPath with entry suffix in all set commands.

Steps to reproduce

  1. Create a new address object via the create() function against Panorama 11.0.3-h3 or later.
  2. Commit and push changes made by the specific administrator.
  3. The newly created object does not appear on the managed firewall.

Context

This issue impacts all users of the Ansible collection for PAN-OS.

Your Environment

  • Version used: Panorama 11.0.3-h3 or later
  • Environment name and version (e.g. Chrome 59, node.js 5.4, python 3.7.3): Python 3.10.14
  • Operating System and version (desktop or mobile): MacOS 14.5

stealthllama, Jul 24 '24 15:07
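The two request shapes contrasted in the report above, as an added example that is not part of the original issue and is not pan-os-python code: it flags a set payload that names the entry in the element instead of the XPath, and rewrites it into the full-XPath form shown under "Expected behavior". The function names are hypothetical, only the Python standard library is used, and nothing is sent to a device.

```python
import xml.etree.ElementTree as ET

# Values copied from the "Current behavior" request in the issue above.
PARENT_XPATH = ("/config/devices/entry[@name='localhost.localdomain']"
                "/device-group/entry[@name='Lab Testing']/address")
ELEMENT = ('<entry name="Address B"><ip-netmask>192.168.120.8/32</ip-netmask>'
           '<description>Address B added by bob from Ansible</description></entry>')


def _single_entry(element_xml):
    """Return the lone <entry name=...> node of a set payload, or None."""
    # Wrap in a dummy root: a full-XPath payload can hold several sibling nodes.
    nodes = list(ET.fromstring(f"<payload>{element_xml}</payload>"))
    if len(nodes) == 1 and nodes[0].tag == "entry" and "name" in nodes[0].attrib:
        return nodes[0]
    return None


def uses_parent_xpath(element_xml):
    """True when the entry is named in the payload rather than in the XPath."""
    return _single_entry(element_xml) is not None


def to_full_xpath(xpath, element_xml):
    """Rewrite (parent xpath, <entry> payload) as (entry xpath, child payload)."""
    entry = _single_entry(element_xml)
    if entry is None:
        return xpath, element_xml  # already addressed at the entry itself
    name = entry.attrib["name"]
    if "'" in name and '"' in name:
        # An XPath 1.0 string literal cannot contain both quote characters.
        raise ValueError(f"cannot quote entry name in an XPath: {name!r}")
    quote = '"' if "'" in name else "'"
    full = f"{xpath.rstrip('/')}/entry[@name={quote}{name}{quote}]"
    body = "".join(ET.tostring(child, encoding="unicode") for child in entry)
    return full, body


if __name__ == "__main__":
    print(uses_parent_xpath(ELEMENT))
    print(*to_full_xpath(PARENT_XPATH, ELEMENT), sep="\n")
```

Run over captured API requests, uses_parent_xpath() identifies the set calls whose objects may be missing from a per-administrator partial commit on PAN-OS 11.0.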

The xpath_short() function that is being called by create():

https://github.com/PaloAltoNetworks/pan-os-python/blob/62bcff3bca86a5ff745eae3e92635d109673963a/panos/base.py#L382

stealthllama, Jul 24 '24 15:07

@stealthllama I'm currently working on this as it seemed straightforward. Does this issue only have an impact on AddressObject? Or does this need to impact other object types as well? I need to test this to see the XML output, but I was looking at something like: self._xpaths.add_profile(value="/address/entry[@name='{name}']")

keithcampbelljr, Aug 19 '24 20:08