*
 *
*****************************************************************************/
// load PAN-Configurator library
require_once "../lib/panconfigurator.php";
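// Input and output files
$origfile = "sample-configs/panorama-example.xml";
$outputfile = "output.xml";

// Device group whose rules are edited, and the security profile group applied to them
$targetDG = 'Perimeter-FWs';
$targetProfile = 'Shared Production Profile';

// Load a Panorama configuration: this example uses PanoramaConf, not the
// single-firewall PANConf class
$panc = new PanoramaConf();
$panc->load_from_file($origfile);

// Look up the target device group and stop if it is missing
$dg = $panc->findDeviceGroup($targetDG);
if ($dg === null) {
    // Fixed: the message used to interpolate the undefined variable $targetDV,
    // so the missing device group's name was never shown.
    // derr() is expected to abort the script here -- TODO confirm; if it
    // returns, the loop below dereferences null.
    derr("DeviceGroup {$targetDG} was not found ? Exit\n");
}

print "\n***********************************************\n\n";

// Assign the profile group to every rule returned by the device group's
// securityRules store.
// NOTE(review): the loop is unfiltered -- it does not look at the rule's
// action or at any profile setting the rule already carries. Confirm that is
// intended, and diff output.xml against the input before it is pushed to
// Panorama.
foreach ($dg->securityRules->rules() as $rule) {
    print "Rule '" . $rule->name() . "' modified\n";
    $rule->setSecurityProfileGroup($targetProfile);
}

print "\n***********************************************\n";

// Write the edited configuration to a separate file; the input file is not
// passed to save_to_file() and is left as loaded
$panc->save_to_file($outputfile);

// Display some statistics
$panc->display_statistics();

// More debugging information
memory_and_gc('end');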
                    if ($newOcounter > 0) {
                        $newOName .= '-' . $newOcounter;
                    }
                    $newO = $store->find($newOName);
                    if ($newO !== null) {
                        if ($newO->value() == $oValue) {
                            break;
                        } else {
                            $newO = null;
                        }
                    } else {
                        $newO = $store->newAddress($newOName, 'ip-range', $oValue, '', false);
                        if ($newO === null) {
                            derr('object creation error ???');
                        }
                    }
                    $newOcounter++;
                }
                print " --> " . $newO->name() . "\n";
                $groupToProcess->add($newO, false);
            }
        }
    }
    unset($incl);
    $groupToProcess->rewriteXML();
    $store->rewriteAddressStoreXML();
    print "\n  ** Total Ranges dynamically needed for group '" . $groupToProcess->name() . "' : " . count($finalInclMapping) . "\n";
    print "\n*    done    *\n\n";
}
// Save the configuration held in $pan to the path in $outputFile, after the
// group and address-store XML rewrites performed in the loop above.
$pan->save_to_file($outputFile);
Exemplo n.º 3
    $adjacencyPositionReference = $rulePosition;
    print "       - Now merging with the following " . count($matchingHashTable) . " rules:\n";
    foreach ($matchingHashTable as $ruleToCompare) {
        if ($mergeAdjacentOnly) {
            $ruleToComparePosition = $rulesArrayIndex[$ruleToCompare->indexPosition];
            $adjacencyPositionDiff = $ruleToComparePosition - $adjacencyPositionReference;
            if ($adjacencyPositionDiff < 1) {
                derr('an unexpected event occured');
            }
            if ($adjacencyPositionDiff > 1) {
                print "    - ignored because of option 'mergeAdjacentOnly'\n";
                break;
            }
            //print "    - adjacencyDiff={$adjacencyPositionDiff}\n";
            $adjacencyPositionReference = $ruleToComparePosition;
        }
        $ruleToCompare->display(9);
        mergeRules($rule, $ruleToCompare, $method);
        $mergedRulesCount++;
    }
    print "    - Rule after merge:\n";
    $rule->display(5);
    unset($hashTable[$rule->mergeHash][$rule->serial]);
}
// Final tally: rules merged, rules considered, and how many remain
echo "\n*** MERGING DONE : {$mergedRulesCount} rules merged over ", count($rulesToProcess), " in total (", count($rulesToProcess) - $mergedRulesCount, " remaining) ***\n";

// Write the merged configuration only when an output target was supplied.
// NOTE(review): merging changes which rule matches which traffic, so the
// saved file should be compared with the original before deployment.
if ($configOutput !== null) {
    echo " - saving final config to {$configOutput}... ";
    // Meaning of the second argument (false) is not visible here -- TODO confirm
    $pan->save_to_file($configOutput, false);
    echo "OK!\n";
}
Exemplo n.º 4
            $doAction->padding = '      ';
            $doAction->executeAction($rule);
            print "\n";
        }
    }
    print "* objects processed in DG/Vsys '{$store->owner->name()}' : {$subObjectsProcessed} filtered over {$store->count()} available\n\n";
}
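print "\n";
// </editor-fold>

// Optional statistics, shown when the 'stats' argument is present
if (isset(PH::$args['stats'])) {
    $pan->display_statistics();
    print "\n";

    foreach ($rulesToProcess as &$record) {
        // Only owners that are neither PanoramaConf nor PANConf get their own
        // statistics; presumably the top-level object is already covered by
        // the call above -- TODO confirm.
        if (!in_array(get_class($record['store']->owner), ['PanoramaConf', 'PANConf'], true)) {
            $record['store']->owner->display_statistics();
            print "\n";
        }
    }
    // Drop the reference left behind by the by-reference foreach so a later
    // write to $record cannot alter the last element of $rulesToProcess
    unset($record);
}

// Sum the object count of every store that was selected for processing
$totalObjectsOfSelectedStores = 0;
foreach ($rulesToProcess as &$record) {
    $totalObjectsOfSelectedStores += $record['store']->count();
}
// Same reason as above: break the dangling reference
unset($record);

print "\n **** PROCESSING OF {$totalObjectsProcessed} OBJECTS PROCESSED over {$totalObjectsOfSelectedStores} available **** \n\n";

// Save the edited configuration only when an output target was supplied
if ($configOutput !== null) {
    $pan->save_to_file($configOutput);
}

print "\n\n************ END OF RULE-EDIT UTILITY ************\n";
print "**************************************************\n";
print "\n\n";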
Exemplo n.º 5
// Narrow the tag's references down to the security rules associated with it
$list = $incoming->findAssociatedSecurityRules();

// Number of security rules left after that filtering
$countref = count($list);
echo "Tag named '{$incoming->name()}' is used in {$countref} SecurityRules\n";

// Walk every tagged rule and make sure its source zones include $external and
// its destination zones include $internal. Zones are only added, never removed.
// NOTE(review): adding a zone widens the traffic a rule matches; review the
// "Updated From/To" lines in the output before the saved file is deployed.
foreach ($list as $rule) {
    // Debug output: rule name, owning device group and current zones
    echo "     Rule named '{$rule->name()}' from DeviceGroup '{$rule->owner->name()}' with tag '{$incoming->name()}' has the following Zones:\n";
    echo "        From: {$rule->from->toString_inline()}\n";
    echo "        To:   {$rule->to->toString_inline()}\n";

    // Source side: add $external when it is not already present
    if (!$rule->from->hasZone($external)) {
        echo "          This rule needs needs source zone to be added\n";
        $rule->from->addZone($external);
        echo "          Updated From: {$rule->from->toString_inline()}\n";
    }

    // Destination side: add $internal when it is not already present
    if (!$rule->to->hasZone($internal)) {
        echo "          This rule needs needs destination zone to be added\n";
        $rule->to->addZone($internal);
        echo "          Updated To: {$rule->to->toString_inline()}\n";
    }

    echo "\n";
}

// NOTE(review): $total is not modified anywhere in this excerpt; confirm it
// counts the rules that were actually changed rather than a stale value.
echo "We have edited a total of {$total} SecurityRules\n\n";

// Save the resulting configuration to the path in $outputfile
$p->save_to_file($outputfile);

// Display some statistics for debugging, then finish
echo "\n\n***********************************************\n";
$p->display_statistics();
memory_and_gc('end');