/**
 * Returns the base XPath derived from the class of this object's owner.
 *
 * Owners of class PanoramaConf or PANConf resolve to the shared section
 * ("/config/shared"); every other owner supplies its own XPath through
 * getXPath().
 *
 * The method returns by reference, so the result is kept in a local
 * variable rather than returned as an expression.
 *
 * @return string
 */
private function &getBaseXPath()
 {
     $ownerClass = get_class($this->owner);
     // Both root configuration classes share the same base path
     $isRootConfig = in_array($ownerClass, array('PanoramaConf', 'PANConf'), true);
     $basePath = $isRootConfig ? "/config/shared" : $this->owner->getXPath();
     return $basePath;
 }
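 /**
  * Builds the XPath of the "rules" node for the rulebase $contextRule belongs to.
  *
  * The rulebase prefix depends on the class of the owner:
  *  - VirtualSystem: owner XPath + '/rulebase'
  *  - DeviceGroup:   owner XPath + '/pre-rulebase' or '/post-rulebase'
  *  - PanoramaConf:  '/config/shared/pre-rulebase' or '/config/shared/post-rulebase'
  *  - any other class (PANConf included) is reported through derr()
  *
  * The suffix is taken from self::$storeNameByType for this store's type.
  *
  * @param Rule $contextRule rule whose pre/post placement selects the rulebase
  * @return string returned by reference, hence the local variable
  */
 public function &getXPath(Rule $contextRule)
 {
     $class = get_class($this->owner);
     $str = '';

     if ($class == 'VirtualSystem') {
         $str = $this->owner->getXPath() . '/rulebase';
     } elseif ($class == 'DeviceGroup') {
         if ($contextRule->isPreRule()) {
             $str = $this->owner->getXPath() . '/pre-rulebase';
         } elseif ($contextRule->isPostRule()) {
             $str = $this->owner->getXPath() . '/post-rulebase';
         } else {
             derr('unsupported mode');
         }
     } elseif ($class == 'PANConf') {
         derr('unsupported');
     } elseif ($class == 'PanoramaConf') {
         if ($contextRule->isPreRule()) {
             $str = "/config/shared/pre-rulebase";
         } elseif ($contextRule->isPostRule()) {
             $str = "/config/shared/post-rulebase";
         } else {
             derr('unsupported mode');
         }
     } else {
         derr('unsupported mode');
     }

     // NOTE(review): presumably derr() aborts execution; if it returned, the
     // suffix below would be appended to an empty prefix - confirm.
     $str .= '/' . self::$storeNameByType[$this->type]['xpathRoot'] . '/rules';
     return $str;
 }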
<?php

// load 'PAN Configurator' library
require_once "../lib/panconfigurator.php";
/***************************************************************
 ****************************************************************/
// Input and output XML files ($outputfile is defined but not used in this excerpt)
$inputfile = 'sample-configs/panorama-example.xml';
$outputfile = 'output.xml';
// Build a PanoramaConf object and populate it from the XML file
$p = new PanoramaConf();
$p->load_from_file($inputfile);
// Two separator banners, written back to back before the statistics
echo "\n***********************************************\n\n", "\n\n***********************************************\n";
// Display statistics about the loaded configuration, for debugging
$p->display_statistics();
 	automatically

*********************************************************************************************/
// load 'PAN Configurator' library
require_once "../lib/panconfigurator.php";
// Kind of configuration to load: 'panorama' (active) or 'panos' (commented out)
//$mode = 'panos';
$mode = 'panorama';
// input and output xml files
$inputfile = 'sample-configs/panorama-example4.xml';
$outputfile = 'output.xml';
// NOTE(review): these two thresholds are presumably consumed by the
// group-splitting logic further down, which is not visible in this excerpt - confirm
$largeGroupsCount = 491;
$splitCount = 490;
// is it a Panorama or PANOS config ?
if ($mode == 'panorama') {
    // Create Panorama object
    $p = new PanoramaConf();
    // and load it from a XML file
    $p->load_from_file($inputfile);
    // load the list of DeviceGroups in an array
    $subs = $p->deviceGroups;
} else {
    if ($mode == 'panos') {
        // Create new PanConf object
        $p = new PANConf();
        // load it from XML file
        $p->load_from_file($inputfile);
        // load the list of VSYS in an array
        $subs = $p->virtualSystems;
    } else {
        // any other value of $mode is rejected through derr()
        derr('Please set mode="panos" or mode ="panorama"');
    }
 *
 *	This script will list all rules in DeviceGroup referenced in $targetDG
 * and force them into using profile group referenced in $targetProfile
 *
 *
*****************************************************************************/
// load PAN-Configurator library
require_once "../lib/panconfigurator.php";
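// input and output files: the original is only read, the result is written to $outputfile
$origfile = "sample-configs/panorama-example.xml";
$outputfile = "output.xml";
// DeviceGroup whose rules are rewritten, and the profile group forced onto them
$targetDG = 'Perimeter-FWs';
$targetProfile = 'Shared Production Profile';
// Load a PanoramaConf object (PANConf is the PANOS firewall counterpart,
//	which is covered in another example)
$panc = new PanoramaConf();
$panc->load_from_file($origfile);
// Did we find the target DeviceGroup ?
$dg = $panc->findDeviceGroup($targetDG);
if (is_null($dg)) {
    // Report the name that was searched for; the original interpolated the
    // undefined variable $targetDV, so the message lost the DeviceGroup name
    derr("DeviceGroup {$targetDG} was not found ? Exit\n");
}
print "\n***********************************************\n\n";
// Every rule returned by the DeviceGroup's securityRules store gets the
// profile group; there is no per-rule filter, so review the output before use
foreach ($dg->securityRules->rules() as $rule) {
    print "Rule '" . $rule->name() . "' modified\n";
    $rule->setSecurityProfileGroup($targetProfile);
}
print "\n***********************************************\n";
$panc->save_to_file($outputfile);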
//display some statistics
//
//  Script really starts here
//
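// Config type comes from the CLI arguments and must be 'panos' or 'panorama'
$configType = strtolower(PH::$args['type']);
if ($configType != 'panos' && $configType != 'panorama') {
    derr("\n**ERROR** Unsupported config type '{$configType}'. Check your CLI arguments\n\n");
}
print "Config type is '{$configType}', intput filename is '{$inputFile}'\n";
// Refuse to continue when the input file is missing
if (!file_exists($inputFile)) {
    derr("\n**ERROR** Input file '" . $inputFile . "' doesn't exists!\n\n");
}
print "Loading config file '" . $inputFile . "'... ";
if ($configType == 'panos') {
    $pan = new PANConf();
} else {
    $pan = new PanoramaConf();
}
$pan->load_from_file($inputFile);
print "OK!\n\n";
// Variable that will hold all groups to be processed
$groupsToProcess = array();
// When a groups file was given, read one group per line from it;
// otherwise process the single group built from location and name
if ($groupFile !== null) {
    $fcontent = file_get_contents($groupFile);
    // file_get_contents() returns false on failure; without this check the
    // script would carry on with a single empty entry instead of stopping
    if ($fcontent === false) {
        derr("\n**ERROR** Could not read groups file '" . $groupFile . "'\n\n");
    }
    $groupsToProcess = explode("\n", $fcontent);
} else {
    $groupsToProcess[] = $groupLocation . '/' . $groupName;
}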
print "Sanitizing and listing groups from input:\n";
foreach ($groupsToProcess as $index => &$group) {
    if (strlen($group) < 3) {
// Determine if PANOS or Panorama
//
// Look for vsys entries: a document without any is treated as Panorama,
// one with at least one entry as PANOS
$xpathResult = DH::findXPath('/config/devices/entry/vsys', $xmlDoc);
if (false === $xpathResult) {
    derr('XPath error happened');
}
$configType = ($xpathResult->length < 1) ? 'panorama' : 'panos';
unset($xpathResult);
// Instantiate the configuration class matching the detected platform
$pan = ($configType == 'panos') ? new PANConf() : new PanoramaConf();
echo " - Detected platform type is '{$configType}'\n";
// For API input, hand the connector over to the configuration object
if ('api' == $configInput['type']) {
    $pan->connector = $configInput['connector'];
}
// </editor-fold>
//
// Location provided in CLI ?
//
if (isset(PH::$args['location'])) {
    $rulesLocation = PH::$args['location'];
    if (!is_string($rulesLocation) || strlen($rulesLocation) < 1) {
        display_error_usage_exit('"location" argument is not a valid string');
    }
} else {
// Determine if PANOS or Panorama
//
// Platform detection: no vsys entry in the document means Panorama,
// at least one means PANOS
$xpathResult = DH::findXPath('/config/devices/entry/vsys', $xmlDoc);
if (false === $xpathResult) {
    derr('XPath error happened');
}
$configType = ($xpathResult->length >= 1) ? 'panos' : 'panorama';
unset($xpathResult);
// Pick the configuration class for the detected platform
$pan = ($configType == 'panos') ? new PANConf() : new PanoramaConf();
echo " - Detected platform type is '{$configType}'\n";
// API input carries a connector that the configuration object reuses
if ('api' == $configInput['type']) {
    $pan->connector = $configInput['connector'];
}
// Optional rule filter from the CLI; $errorMessage is handed to
// parseFromString() and reported through derr() when parsing fails
$errorMessage = '';
$filterQuery = null;
if (isset(PH::$args['filter'])) {
    $filterQuery = new RQuery('rule');
    $parsed = $filterQuery->parseFromString(PH::$args['filter'], $errorMessage);
    if (!$parsed) {
        derr($errorMessage);
    }
    unset($parsed);
    // Show the filter as it was understood after parsing
    echo " - rule filter after sanitizing : ";
    $filterQuery->display();
}
 
 	This sample script will look for all rules inside a Panorama config and search for
 	tags Outgoing or Incoming.
 	
 	When Outgoing is found, it will edit the rule to put FromZone = internal and
 							     ToZone = external
 							     
 	When Incoming is found, it will edit the rule to put FromZone = extern and
 							     ToZone = internal						     

*********************************************************************************************/
// input and output xml files
$inputfile = 'sample-configs/panorama-example.xml';
$outputfile = 'output.xml';
// Build a PanoramaConf object and populate it from the XML file
$p = new PanoramaConf();
$p->load_from_file($inputfile);
echo "\n***********************************************\n\n";
// The real work starts here.
// Resolve the 'internal' and 'external' zone objects up front; they are used later
$internal = $p->zoneStore->find('internal');
$external = $p->zoneStore->find('external');
// Stop through derr() when either zone could not be resolved
if (empty($internal)) {
    derr("We didn't find zone 'internal', is there a problem? \n");
}
if (empty($external)) {
    derr("We didn't find zone 'external', is there a problem? \n");
}
// Look up the "Outgoing" tag for later use (the "Incoming" tag is handled the same way)
$outgoing = $p->tagStore()->find('Outgoing');