Releases: cpainchaud/pan-configurator
1.5.15: Merge pull request #96 from swaschkut/master
1.5.13
1.5.13
- class ServiceGroup: extend __construct with $fromTemplateXml
- class ServiceStore: extend for API_newService()/newServiceGroup()/API_newServiceGroup()
- class NatRule: added support for floating-ip in NAT rules
- class SecurityRule: added support for URL Categories
- class App : added support for technology, categories fields
- class App : added support for evasive-behavior, consume-big-bandwidth, used-by-malware, able-to-transfer-file, has-known-vulnerability, tunnel-other-application fields
- class App : added support for prone-to-misuse, pervasive-use, risk, virus-ident, file-type-ident, file-forward, is-saas fields
- class APP : added support for timeout, tcp-timeout, udp-timeout, tcp_half_closed_timeout, tcp_time_wait_timeout, custom_signature
- class App : extend with method iscustom() CustomHasSignature()
- class AppStore: added support for application-group and application-filter
- class AppStore: added support for custom application
- class PANConf/PanoramaConf/VirtualSystem: add support for application-group and application-filter
- class PanAPIConnector : added support for mgmt-ip via variable info_mgmtip
utils:
address-edit: new filter tag has / has.nocase / has.regex and tag.count >,<,=,! / object is.recursive.member.of
address-edit: new filter reflocation is / reflocation is.only / refstore is / reftype is
address-edit: new action description-append
address-edit: new action add-member
override-finder: supporting scenario where template defined objects are not present in candidate config
rules-edit: new filter 'service has.recursive', 'secprof av-profile.is.set', 'secprof as-profile.is.set', 'secprof url-profile.is.set', 'secprof wf-profile.is.set', 'secprof vuln-profile.is.set'
rules-edit: new filter 'secprof file-profile.is', 'secprof file-profile.is.set', 'secprof data-profile.is', 'secprof data-profile.is.set'
rules-edit: new filter 'service has.only', 'user has', 'user has.regex', 'url.category is.any'
rules-edit: new filter 'app technology.is', 'app category.is', 'app subcategory.is', 'app characteristic.has xxxx'
rules-edit: new filter 'app includes.full.or.partial', 'app includes.full.or.partial.nocase', 'app included-in.full.or.partial', 'app included-in.full.or.partial.nocase'
rules-edit: new filter 'service has.from.query' and 'service has.recursive.from.query'
rules-edit: new filter 'location is.child.of [DG]'
rules-edit: new filter 'service is.tcp','service is.tcp.only','service is.udp','service is.udp.only','service has.value [PORT_VALUE]','service has.value.recursive [PORT_VALUE]'
rules-edit: new filter 'app custom.has.signature'
rules-edit: new filter 'dnathost included-in.full', 'dnathost included-in.partial', 'dnathost included-in.full.or.partial', 'dnathost includes.full', 'dnathost includes.partial', 'dnathost includes.full.or.partial'
rules-edit: action 'tag-Add-Force' new field 'tagColor' to setColor for forced Tag creation
rules-edit: action 'description-append' new field 'newline' as boolean parameter no/yes
rules-edit: action 'display' extend with logsetting information / URL category
rules-edit: action 'exporttoexcel' extend with additionalFields choice ResolveServiceSummary
rules-edit: action 'description-Prepend'
service-edit: new actions tag-Add | tag-Add-Force | tag-Remove | tag-Remove-All | tag-Remove-Regex
service-edit: new action 'name-rename' to allow renaming based on template string. ie: 'name-Rename:$$protocol$$-$$current.name$$'
service-edit: new action description-append
service-edit: improve action move - API mode now supported to move service objects to shared level
service-edit: new filter tag has / has.nocase / has.regex and tag.count >,<,=,! / object is.recursive.member.of
service-edit: new filter reflocation is / reflocation is.only / refstore is / reftype is
tag-edit: new action move
tag-edit: new filter reflocation is / reflocation is.only / refstore is / reftype is
useid-mgt: add argument debugapi
doc update
bugfix:
- fixed a crash when trying to move some rule types from PRE/POST
- fixed dependencies issues when trying to move an object to another location
- fixed action 'target-set-any' that would not update properly
- override-finder.php : supported use case where firewall has no template applied
- fixed action 'description-Append'
- fixed an issue with pipeSeparatedList and actions in xxx-edit utilities
- upload-confing.php : fix an issue where serial# of in=api://[SERIAL]@ip is also used for out=api://IP - but not definied
- address-edit - xxx-calculate-zones, fixed a crash when interface IP is configured with an address object (class VirtualRouter)
- address-edit: action 'move' was improperly applied to tmp objects
- changed SecurityRule::API_getAppContainerStats2() to use DeviceGroup name on PANOS 7.1 instead of firewall serial numbers
- fixed a crash when displaying service objects where a service group is member of a service group
- xxxx-merger : fixed an issue where subQueries were ignored
- fixed an issue where predefined applications were created as TMP
- fixed an issue with 'filter=(rule has.source.nat)' where no source NAT rule were shown
- fixed a crash when trying to add tag to temporary address objects
- fix address-edit help name-rename output
- fix class-loopbackinterface / class-aggregateethernetinterface regarding $type variable
- fixx for address-edit filter - value ip4.included-in/ip4.includes-full/ip4.includes-full-or-partial - regarding addressgroup with member count 0
1.5.12
1.5.12
- introduction of UTILS help.html (utils/doc/help.html)
- introduction of new util : userid-mgr to register/unregister/dump userid record through api
- introduction of info_hostname in PanAPIConnector
- introduction of TAG color
utils:
rules-edit: action 'exportToExcel' new fields 'dst_negated' and 'src_negated' to show when some fields are negated
rules-edit: new action 'name-removePrefix' 'name-removeSuffix' 'app-add-force'
rules-edit: action 'from/to-calculate-zones' add new mode 'unneeded-tag-add' to add rule tag (unneeded-from/to-zone) where unneeded zones are available
rules-edit: filter 'is.unused.fast' extend for nat rules
rules-edit: new filters 'src is.fully.included.in.list'
rules-edit: new actions 'dst-Remove-Objects-Matching-Filter' and 'src-Remove-Objects-Matching-Filter' to remove objects matching a specific filter
rules-edit: new action 'securityProfile-Profile-Set' to set individual profiles
address-edit: new filter 'description regex'
address-edit: new fields in exportToExcel : 'ResolveIP' and 'NestedMembers'
service-edit: new filter 'description regex'
generic: new filters 'location regex'
tag-edit: new action 'setColor', 'addComments', 'deleteComments'
tag-edit: new filter 'color eq', 'comments regex /XXX/', 'comments is.empty'
bugfix:
- help message was not available in override-finder.php
- fixed an issue with PANOS 8.0 and new DG hierarchy. OMG what did they do ? :D
1.5.11
1.5.11
- new function AddressCommon->hasDescendants() to for objects with same name in lower level (child devicegroups)
- new function AddressCommon->hasDescendants() to determine if objects with same name in lower level (child devicegroups) exist
- Improved address name regex based filter with support to insert objects value:
$$netmask$$ ,$$netmask.blank32$$ ,$$value$$ ,$$value.no-netmask$$ - new Utility to manage stored API keys 'key-manager.php'
utils:
- new 'address-merger', 'addressgroup-merger', 'service-merger', 'servicegroup-merger' utilities. Safer, faster and find more dups than MT.
- new tag-edit utility on the same basis as address-edit
rules-edit: new action 'tag-Remove-All' 'position-Move-to-Top' 'position-Move-To-Bottom' 'position-Move-Before' 'position-Move-After'
rules-edit: new filter 'service has.regex', 'rule is.dsri'
rules-edit: action 'exportToExcel' new option to add optional fields like 'resolveAddressSummary'
address-edit: new action 'name-rename' to allow renaming based on template string. ie: 'name-Rename:H-$$value.no-netmask-$$current.name$$'
address-edit: new filters 'overriden.at.lower.level' and 'overrides.upper.level', 'ip4.includes-full', 'ip4.includes-full-or-partial', 'object is.iprange', 'object is.fqdn', 'object is.ip-netmask', netmask >,<,=,! XX
address-edit: new actions 'name-removePrefix, name-removeSuffix', 'tag-add', 'tag-add-force', 'tag-remove', 'tag-remove-all', 'tag-remove-regex'
service-edit: new actions 'name-removePrefix, name-removeSuffix'
service-edit: new filters 'object is.tcp' and 'object is.udp'
tag-edit: new filters 'name eq', 'name contains', 'name eq.nocase', 'location is' and 'refcount - >,<,=,!'
override-finder: when firewall is not available, instead of exit with error, program will skip it and warn user.
bugfix:
- added checks to prevent crash when trying to resolve an IPv6 object into an IPv4 mapping
- fixed a crash when exporting PBF rules to HTML in rules-edit utility
- fixed a crash when replacing an object used in a DNAT with another object
- fixed an typo with setLogEnd in SecurityRule that would prevent the rule from being updated
1.5.10
1.5.10
- New Utility "override-finder.php" : find and display which parts of a firewall configuration are currently overriding the Template pushed by Panorama.
- DoSRule and QoSRule class introduced
- Fixed PBF rules inconsistencies FROM and TO fields
- PanAPIConnector new function panorama_getConnectedFirewallsSerials()
utils:
upload-config: new argument 'extraFiltersOut' to strip unwanted XML parts out of the config before saving/uploading it.
rules-edit: new actions 'from-replace', 'to-replace' to help replace Zones where required
bugfix:
- fixed a loading error when using blank proxy-id in IPsecTunnels which implictly means 0.0.0.0/0
- fixed an issue where malformed xml could be generated when changing log-profile when it already existed
- fixed error caused by typo in filter (src/to has.from.query)
- fixed rules-edit filter is.dnat and is.snat and renamed has.source.nat, has.destination.nat, has.bidir.nat
1.5.9
- PanAPIConnector::register_sendUpdate() new IP registration function; PanAPIConnector::register_getIP() new get registered IP function
- ServiceGroup : detect and warn when a group has several times the same object
- Zone : function addObjectWhereIamUsed() implemented, supports only SecurityRule so far
- Rules : improved support of targets with new functions : target_rewriteXML, target_addDevice, target_setAny, target_setNegate, target_isNegated, target_removeDevice
- PH: finally introduced a way to track library version with PH::frameworkVersion() and PH::frameworkVersion_isGreaterThan()
utils:
service-edit: new filters 'object is.unused.recursive' to check if an object is used in groups/nested groups which are not used either
rules-edit: new actions 'src-Negate-Set','dst-Negate-Set' to enable/disable a rule Source/Destination negation
'target-Set-Any','target-Add-Device','target-Negate-Set','target-RemoveDevice' to manage targets
'clone' to clone rules before/after another rule and add a suffix
rules-edit: improved 'calculate-zones' with NAT rules which will be cloned if several destination zones are found
bugfix:
- typos in service-edit action prefix-add suffix-add
- report generation on 7050 requires explicit 'async=yes'
- calculate-zones now considers directly connected with better priority than static ones
- fix issue in VirtualSystems where Captive-Portal rules were loaded as AppOverride
- fix 'stats' output for rules-edit.php, address-edit.php and service-edit.php
1.5.8
- introduction of rules Target field support in the core lib and in utils/filters
- NatRule display() outputs more informations, directly benefits to rules-edit.php
- PH::getPanObjectFromconfig() new helper function to load Panorama or Firewall conf
- introduced plugin system for address/rules/services-edit.php
- TagRuleContainer::copy new helper function to copy tags from one Rule to another
- DecryptionRule/PbfRule class now supports service (introduced in PANOS6.1)
utils:
rules-edit : new filters 'target is.any' 'target has xxxxx/vsysX' 'snathost has xxxx' 'dnathost has xxxx' 'rule is.snat' 'rule is.dnat' 'rule is.snatbidir' 'snat is.static' 'snat is.dynamic-ip' 'snat is.dynamic-ip-and-port' 'natdstinterface is.set' 'rule is.universal' 'rule is.intrazone' 'rule is.interzone'
rules-edit : new filters for security profiles: 'secprof av-profile.is' 'secprof as-profile.is' 'secprof vuln-profile.is' 'secprof wf-profile.is'
rules-edit : new actions 'name-Append' and 'name-Prepend' 'split-bidirectionalnat' 'change-ruleType'
address-edit : improved filter 'name regex' to allow external regular expression reference, permitting expression with parenthesis without the need to escape. ie: 'filter=(name regex %subquery1)' 'subquery1=/^(az)/'
address-edit: new filters 'object is.unused.recursive' to check if an object is used in groups/nested groups which are not used either
utilities: propose to enter a new login/password if previous ones are detected as invalid
bugfixes:
- fixed an issue where security profile filter 'is.set' and 'not.set' could return wrong value
- fixed an issue where log fowarding profile change would not update the XML
- RuleStore : fixed an issue where creating a NatRule would generate an error
- rules-edit 'logEnd-Disable' was not available due to a typo in the name
- RuleStore::moveRuleAfter/Before fix for post-rulebase would not work
- Source Nat could be improperly written in some cases
1.5.6
- introduction of CaptivePortal, Pbf type rules initial support
- PANConf : enhanced support to load pushed panorama config
- RuleStore : new function to get rules from parent DeviceGroups
- AddressGroup : enhanced group loading time & consistency
- SecurityRule|DecryptionRule : added userID support (readonly for the moment) filters for rules-edit.php
- changes to make XML code closer to PANOS flavor : empty rules stores won't be created in XML anymore, same for Tag stores
utils:
rules-edit : loading of firewall configurations can now get panorama pushed config, use option 'loadPanoramaPushedConfig'
rules-edit : added new filters for userid : 'user is.any' 'user is.unknown' 'user is.known' 'user is.prelogon'
rules-edit : added security profile, log profile userid column in ExportToExcel
bugfixes:
- proper XML update when an object used in DNAT is renamed
- fixed an issue where M-100 and M-500 would not be detected as Panorama
- fixed missing TO field in ExportToExcel
- fixed an issue where a zone would have wrong name after its creation
- fixed an issue with users of old PHP (previous version of MACOSX) and OpenSSL TLS
1.5.5
1.5.5
core:
- AddressGroup : new functions API_add(), API_remove(), function addObjectWhereIamUsed(), API_addObjectWhereIamUsed()
- Service : added tag support, new function addObjectWhereIamUsed(), API_addObjectWhereIamUsed()
- ServiceGroup : added tag support, new function API_remove(), addObjectWhereIamUsed(), API_addObjectWhereIamUsed(), removeWhereIamUsed()
API_removeWhereIamUsed()
utils:
- rules-edit.php : new Actions 'description-append', 'securityProfile-Remove', 'removeWhereUsed'
- rules-edit.php : create FastAPI modes for : 'enabled-set', 'logStart-Enable', 'logStart-Disable', 'logEnd-Enable', 'logEnd-Disable'
'securityProfile-Group-Set' - rules-edit.php : new filters 'name is.in.file'
- service-edit.php : new Action 'replaceWithObject', 'addObjectWhereUsed', 'removeWhereUsed'
- address-edit.php : new Action 'replaceWithObject', 'addObjectWhereUsed'
- address-edit.php : new filters 'name is.in.file' 'value ip4.included-in '
bugfixes:
- rules-edit.php : destination zone calculation fix in
- AddressGroup : was incorrectly reported as Dynamic when object XML was empty (MigrationTool issue)
- Address : support usage of IP ranges directly in rules which was not supported before.
- IP4Map : included-in calculation was return wrong 0 whatever the input
1.5.0
1.5.0
Library:
- 6.1 'rule-type' support (universal,intrazone,interzone) implemented. See SecurityRule->type() for details.
- support for 7.0 new Security rules actions : drop, reset-client, reset-server, reset-both
- support for 7.0 Device Group hierarchy
- basic support of Panorama templates
- moved preRules and postRules into one single store (see getPreRules and getPostRules)
- VirtualRouter and Static route implemented
- Major interface/network additions were made to allow future tools like routes calculation etc etc.
- Support for AppOverride rules
Utilities:
- new utility : rule-merger.php to find similar rules and merge them
- util rule-edit : new action 'resolve-zones' to do a rule resolution
- util rule-edit : new action 'copy' to copy rules into another vsys/device-group
- util rule-edit : new action 'tag-remove-regex'
- util rule-edit : new action 'cloneForAppOverride' to clone a security rule and make it an AppOverride
- util rule-edit : service-edit and address-edit will auto-detect PANOS vs Panorama, no need to use argument 'type' anymore
- util rule-edit : new filters : 'rule is.unused.fast' will check if a rule was not used since reboot (use cli 'show running rule-use rule-base security type unused vsys vsys1')
- util rule-edit : new filters : src/dst 'included-in.full included-in.partial included-in.full.or.partial' and 'includes.full includes-full.or.partial includes.partial'
- util rule-edit : new filters : src/dst 'has.recursive.regex'
- util rule-edit : new filters : description 'regex' , 'is.empty'
- util rule-edit : new filters for app 'has' and 'has.nocase' and log profile : 'logprof is.set' 'logprof is xxx'
- util rule-edit : new filters for zones : 'has.regex' and 'from.count' 'to.count'
- util rule-edit : new listActions menu
- util address-edit: new action 'move'
- util service-edit and address-edit new actions: replaceByMembersAndDelete, showIP4Mapping
- util service-edit : new action 'addObjectWhereUsed'
- util service-edit : new filters for services : 'name is.in.file'
- util upload-config : now supports inject xml parts direct in candidate config (see 'toXpath' and 'fromXpath' option)
- util upload-config : you can now preserve target firewall config (like its mgmt ip for example, look for 'help' to see options available).
- util upload-config : now supports api://x.x.x.x/running-config candidate-config to choose between running and candidate or already saved file