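* * *****************************************************************************/

// load PAN-Configurator library
require_once "../lib/panconfigurator.php";

// input and output files (the input is never overwritten; changes go to $outputfile)
$origfile = "sample-configs/panorama-example.xml";
$outputfile = "output.xml";

// DeviceGroup whose Security rules receive the profile group
$targetDG = 'Perimeter-FWs';
// name of the Security Profile Group attached to every rule of that DeviceGroup
$targetProfile = 'Shared Production Profile';

// This example loads a PanoramaConf object (PanoramaConf is for Panorama;
// PANConf is for a PAN-OS firewall and is covered in another example)
$panc = new PanoramaConf();
$panc->load_from_file($origfile);

// Did we find the DeviceGroup? Abort before dereferencing a null $dg below.
$dg = $panc->findDeviceGroup($targetDG);
if ($dg === null) {
    // BUG FIX: the message interpolated the undefined variable $targetDV, so the
    // name of the missing DeviceGroup was never shown
    derr("DeviceGroup {$targetDG} was not found ? Exit\n");
}

print "\n***********************************************\n\n";

// Going after each Security rule of the DeviceGroup to add the profile group
foreach ($dg->securityRules->rules() as $rule) {
    print "Rule '" . $rule->name() . "' modified\n";
    $rule->setSecurityProfileGroup($targetProfile);
}

print "\n***********************************************\n";

// write the modified configuration
$panc->save_to_file($outputfile);

// display some statistics
$panc->display_statistics();

// more debugging infos
memory_and_gc('end');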
// NOTE(review): this fragment starts inside the loop that looks for a free
// object name; the loop head and the definitions of $newOName, $newOcounter,
// $oValue, $store, $groupToProcess and $finalInclMapping are outside this view.
if ($newOcounter > 0) {
    // NOTE(review): the suffix is appended cumulatively ('-1', then '-1-2', ...)
    // unless the loop head resets $newOName on every pass — verify at the loop head
    $newOName .= '-' . $newOcounter;
}
$newO = $store->find($newOName);
if ($newO !== null) {
    // NOTE(review): loose == on value(); an existing object holding an equal value is reused as-is
    if ($newO->value() == $oValue) {
        break;
    } else {
        // the name is taken by a different value: try the next suffix
        $newO = null;
    }
} else {
    // the name is free: create the ip-range object with the wanted value
    $newO = $store->newAddress($newOName, 'ip-range', $oValue, '', false);
    if ($newO === null) {
        derr('object creation error ???');
    }
}
$newOcounter++;
}
print " --> " . $newO->name() . "\n";
$groupToProcess->add($newO, false);
}
}
}
unset($incl);
// rewrite the XML nodes of the modified group and of the address store
$groupToProcess->rewriteXML();
$store->rewriteAddressStoreXML();
print "\n ** Total Ranges dynamically needed for group '" . $groupToProcess->name() . "' : " . count($finalInclMapping) . "\n";
print "\n* done *\n\n";
}
$pan->save_to_file($outputFile);
// NOTE(review): this fragment starts inside the per-rule merge loop; $rule,
// $rulePosition, $matchingHashTable, $rulesArrayIndex, $method, $hashTable
// and $mergeAdjacentOnly are defined above this view.
$adjacencyPositionReference = $rulePosition;
print " - Now merging with the following " . count($matchingHashTable) . " rules:\n";
foreach ($matchingHashTable as $ruleToCompare) {
    if ($mergeAdjacentOnly) {
        // position gap between this candidate and the last rule accepted for merging
        $ruleToComparePosition = $rulesArrayIndex[$ruleToCompare->indexPosition];
        $adjacencyPositionDiff = $ruleToComparePosition - $adjacencyPositionReference;
        if ($adjacencyPositionDiff < 1) {
            // candidates are expected to sit strictly after the reference rule
            derr('an unexpected event occured');
        }
        if ($adjacencyPositionDiff > 1) {
            // NOTE(review): 'break' rather than 'continue' assumes $matchingHashTable is
            // ordered by rulebase position, so every later candidate is non-adjacent too — verify
            print " - ignored because of option 'mergeAdjacentOnly'\n";
            break;
        }
        //print " - adjacencyDiff={$adjacencyPositionDiff}\n";
        $adjacencyPositionReference = $ruleToComparePosition;
    }
    $ruleToCompare->display(9);
    mergeRules($rule, $ruleToCompare, $method);
    $mergedRulesCount++;
}
print " - Rule after merge:\n";
$rule->display(5);
// drop $rule's own entry from the hash table (presumably so it is not matched again)
unset($hashTable[$rule->mergeHash][$rule->serial]);
}
print "\n*** MERGING DONE : {$mergedRulesCount} rules merged over " . count($rulesToProcess) . " in total (" . (count($rulesToProcess) - $mergedRulesCount) . " remaining) ***\n";
// save our work !!!
if ($configOutput !== null) {
    print " - saving final config to {$configOutput}... ";
    $pan->save_to_file($configOutput, false);
    print "OK!\n";
}
// NOTE(review): this fragment starts inside the per-object action loop;
// $doAction, $rule, $store, $subObjectsProcessed, $totalObjectsProcessed,
// $rulesToProcess and $configOutput are defined above this view.
$doAction->padding = ' ';
$doAction->executeAction($rule);
print "\n";
}
}
print "* objects processed in DG/Vsys '{$store->owner->name()}' : {$subObjectsProcessed} filtered over {$store->count()} available\n\n";
}
print "\n";
// </editor-fold>
if (isset(PH::$args['stats'])) {
    $pan->display_statistics();
    print "\n";
    // NOTE(review): $record is taken by reference but only read in this loop;
    // after the loop it still aliases the last element of $rulesToProcess, so a
    // later plain assignment to $record would overwrite that element —
    // unset($record) after the loop, or drop the '&'
    foreach ($rulesToProcess as &$record) {
        // owners that are the top-level config (PanoramaConf / PANConf) are skipped here;
        // presumably their stats were already printed by $pan->display_statistics() above
        if (get_class($record['store']->owner) != 'PanoramaConf' && get_class($record['store']->owner) != 'PANConf') {
            $record['store']->owner->display_statistics();
            print "\n";
        }
    }
}
$totalObjectsOfSelectedStores = 0;
// same by-reference pattern as above; this loop also only reads $record
foreach ($rulesToProcess as &$record) {
    $totalObjectsOfSelectedStores += $record['store']->count();
}
print "\n **** PROCESSING OF {$totalObjectsProcessed} OBJECTS PROCESSED over {$totalObjectsOfSelectedStores} available **** \n\n";
// save our work !!!
if ($configOutput !== null) {
    $pan->save_to_file($configOutput);
}
print "\n\n************ END OF RULE-EDIT UTILITY ************\n";
print "**************************************************\n";
print "\n\n";
// Keep only the SecurityRule objects among the tag's references
$list = $incoming->findAssociatedSecurityRules();
// number of rules left once non-SecurityRule references are filtered out
$countref = count($list);
print "Tag named '" . $incoming->name() . "' is used in {$countref} SecurityRules\n";

// Visit each rule and make sure the expected zone is present on both sides.
// NOTE(review): the zone added to the source side is $external and the one
// added to the destination side is $internal — confirm this is the intended
// direction, since adding a zone widens which traffic the rule matches.
// NOTE(review): $total is printed after the loop but is not changed here; verify
// it is maintained elsewhere.
foreach ($list as $rule) {
    $ruleName = $rule->name();
    $tagName = $incoming->name();

    // print rulename for debug, comment them if you want
    print " Rule named '{$ruleName}' from DeviceGroup '" . $rule->owner->name() . "' with tag '{$tagName}' has the following Zones:\n";
    print " From: " . $rule->from->toString_inline() . "\n";
    print " To: " . $rule->to->toString_inline() . "\n";

    // one entry per side of the rule, processed in from/to order
    $sides = [
        ['zones' => $rule->from, 'wanted' => $external, 'label' => 'source', 'title' => 'From'],
        ['zones' => $rule->to, 'wanted' => $internal, 'label' => 'destination', 'title' => 'To'],
    ];
    foreach ($sides as $side) {
        if ($side['zones']->hasZone($side['wanted'])) {
            continue;
        }
        print " This rule needs needs {$side['label']} zone to be added\n";
        $side['zones']->addZone($side['wanted']);
        print " Updated {$side['title']}: " . $side['zones']->toString_inline() . "\n";
    }

    print "\n";
}

print "We have edited a total of {$total} SecurityRules\n\n";

// save resulting configuration file to output.xml
$p->save_to_file($outputfile);

// display some statistics for debug and exit program!
print "\n\n***********************************************\n";
$p->display_statistics();
memory_and_gc('end');