Pan Configurator Versions Save

1.5.13

• class ServiceGroup: extend __construct with $fromTemplateXml
• class ServiceStore: extend for API_newService()/newServiceGroup()/API_newServiceGroup()
• class NatRule: added support for floating-ip in NAT rules
• class SecurityRule: added support for URL Categories
• class App : added support for technology, categories fields
• class App : added support for evasive-behavior, consume-big-bandwidth, used-by-malware, able-to-transfer-file, has-known-vulnerability, tunnel-other-application fields
• class App : added support for prone-to-misuse, pervasive-use, risk, virus-ident, file-type-ident, file-forward, is-saas fields
• class APP : added support for timeout, tcp-timeout, udp-timeout, tcp_half_closed_timeout, tcp_time_wait_timeout, custom_signature
• class App : extend with method iscustom() CustomHasSignature()
• class AppStore: added support for application-group and application-filter
• class AppStore: added support for custom application
• class PANConf/PanoramaConf/VirtualSystem: add support for application-group and application-filter
• class PanAPIConnector : added support for mgmt-ip via variable info_mgmtip

utils: address-edit: new filter tag has / has.nocase / has.regex and tag.count >,<,=,! / object is.recursive.member.of address-edit: new filter reflocation is / reflocation is.only / refstore is / reftype is address-edit: new action description-append address-edit: new action add-member override-finder: supporting scenario where template defined objects are not present in candidate config rules-edit: new filter 'service has.recursive', 'secprof av-profile.is.set', 'secprof as-profile.is.set', 'secprof url-profile.is.set', 'secprof wf-profile.is.set', 'secprof vuln-profile.is.set' rules-edit: new filter 'secprof file-profile.is', 'secprof file-profile.is.set', 'secprof data-profile.is', 'secprof data-profile.is.set' rules-edit: new filter 'service has.only', 'user has', 'user has.regex', 'url.category is.any' rules-edit: new filter 'app technology.is', 'app category.is', 'app subcategory.is', 'app characteristic.has xxxx' rules-edit: new filter 'app includes.full.or.partial', 'app includes.full.or.partial.nocase', 'app included-in.full.or.partial', 'app included-in.full.or.partial.nocase' rules-edit: new filter 'service has.from.query' and 'service has.recursive.from.query' rules-edit: new filter 'location is.child.of [DG]' rules-edit: new filter 'service is.tcp','service is.tcp.only','service is.udp','service is.udp.only','service has.value [PORT_VALUE]','service has.value.recursive [PORT_VALUE]' rules-edit: new filter 'app custom.has.signature' rules-edit: new filter 'dnathost included-in.full', 'dnathost included-in.partial', 'dnathost included-in.full.or.partial', 'dnathost includes.full', 'dnathost includes.partial', 'dnathost includes.full.or.partial' rules-edit: action 'tag-Add-Force' new field 'tagColor' to setColor for forced Tag creation rules-edit: action 'description-append' new field 'newline' as boolean parameter no/yes rules-edit: action 'display' extend with logsetting information / URL category rules-edit: action 'exporttoexcel' extend with additionalFields choice ResolveServiceSummary rules-edit: action 'description-Prepend' service-edit: new actions tag-Add | tag-Add-Force | tag-Remove | tag-Remove-All | tag-Remove-Regex service-edit: new action 'name-rename' to allow renaming based on template string. ie: 'name-Rename:$$protocol$$-$$current.name$$' service-edit: new action description-append service-edit: improve action move - API mode now supported to move service objects to shared level service-edit: new filter tag has / has.nocase / has.regex and tag.count >,<,=,! / object is.recursive.member.of service-edit: new filter reflocation is / reflocation is.only / refstore is / reftype is tag-edit: new action move tag-edit: new filter reflocation is / reflocation is.only / refstore is / reftype is useid-mgt: add argument debugapi doc update

bugfix:

• fixed a crash when trying to move some rule types from PRE/POST
• fixed dependencies issues when trying to move an object to another location
• fixed action 'target-set-any' that would not update properly
• override-finder.php : supported use case where firewall has no template applied
• fixed action 'description-Append'
• fixed an issue with pipeSeparatedList and actions in xxx-edit utilities
• upload-confing.php : fix an issue where serial# of in=api://[SERIAL]@IP is also used for out=api://IP - but not definied
• address-edit - xxx-calculate-zones, fixed a crash when interface IP is configured with an address object (class VirtualRouter)
• address-edit: action 'move' was improperly applied to tmp objects
• changed SecurityRule::API_getAppContainerStats2() to use DeviceGroup name on PANOS 7.1+ instead of firewall serial numbers
• fixed a crash when displaying service objects where a service group is member of a service group
• xxxx-merger : fixed an issue where subQueries were ignored
• fixed an issue where predefined applications were created as TMP
• fixed an issue with 'filter=(rule has.source.nat)' where no source NAT rule were shown
• fixed a crash when trying to add tag to temporary address objects
• fix address-edit help name-rename output
• fix class-loopbackinterface / class-aggregateethernetinterface regarding $type variable
• fixx for address-edit filter - value ip4.included-in/ip4.includes-full/ip4.includes-full-or-partial - regarding addressgroup with member count 0

1.5.12

• introduction of UTILS help.html (utils/doc/help.html)
• introduction of new util : userid-mgr to register/unregister/dump userid record through api
• introduction of info_hostname in PanAPIConnector
• introduction of TAG color

utils: rules-edit: action 'exportToExcel' new fields 'dst_negated' and 'src_negated' to show when some fields are negated rules-edit: new action 'name-removePrefix' 'name-removeSuffix' 'app-add-force' rules-edit: action 'from/to-calculate-zones' add new mode 'unneeded-tag-add' to add rule tag (unneeded-from/to-zone) where unneeded zones are available rules-edit: filter 'is.unused.fast' extend for nat rules rules-edit: new filters 'src is.fully.included.in.list' rules-edit: new actions 'dst-Remove-Objects-Matching-Filter' and 'src-Remove-Objects-Matching-Filter' to remove objects matching a specific filter rules-edit: new action 'securityProfile-Profile-Set' to set individual profiles address-edit: new filter 'description regex' address-edit: new fields in exportToExcel : 'ResolveIP' and 'NestedMembers' service-edit: new filter 'description regex' generic: new filters 'location regex' tag-edit: new action 'setColor', 'addComments', 'deleteComments' tag-edit: new filter 'color eq', 'comments regex /XXX/', 'comments is.empty'

bugfix:

• help message was not available in override-finder.php
• fixed an issue with PANOS 8.0 and new DG hierarchy. OMG what did they do ? :D

1.5.11

• new function AddressCommon->hasDescendants() to for objects with same name in lower level (child devicegroups)
• new function AddressCommon->hasDescendants() to determine if objects with same name in lower level (child devicegroups) exist
• Improved address name regex based filter with support to insert objects value: $$netmask$$, $$netmask.blank32$$, $$value$$, $$value.no-netmask$$
• new Utility to manage stored API keys 'key-manager.php'

utils:

• new 'address-merger', 'addressgroup-merger', 'service-merger', 'servicegroup-merger' utilities. Safer, faster and find more dups than MT.
• new tag-edit utility on the same basis as address-edit rules-edit: new action 'tag-Remove-All' 'position-Move-to-Top' 'position-Move-To-Bottom' 'position-Move-Before' 'position-Move-After' rules-edit: new filter 'service has.regex', 'rule is.dsri' rules-edit: action 'exportToExcel' new option to add optional fields like 'resolveAddressSummary' address-edit: new action 'name-rename' to allow renaming based on template string. ie: 'name-Rename:H-$$value.no-netmask-$$current.name$$' address-edit: new filters 'overriden.at.lower.level' and 'overrides.upper.level', 'ip4.includes-full', 'ip4.includes-full-or-partial', 'object is.iprange', 'object is.fqdn', 'object is.ip-netmask', netmask >,<,=,! XX address-edit: new actions 'name-removePrefix, name-removeSuffix', 'tag-add', 'tag-add-force', 'tag-remove', 'tag-remove-all', 'tag-remove-regex' service-edit: new actions 'name-removePrefix, name-removeSuffix' service-edit: new filters 'object is.tcp' and 'object is.udp' tag-edit: new filters 'name eq', 'name contains', 'name eq.nocase', 'location is' and 'refcount - >,<,=,!' override-finder: when firewall is not available, instead of exit with error, program will skip it and warn user.

bugfix:

• added checks to prevent crash when trying to resolve an IPv6 object into an IPv4 mapping
• fixed a crash when exporting PBF rules to HTML in rules-edit utility
• fixed a crash when replacing an object used in a DNAT with another object
• fixed an typo with setLogEnd in SecurityRule that would prevent the rule from being updated

1.5.10

• New Utility "override-finder.php" : find and display which parts of a firewall configuration are currently overriding the Template pushed by Panorama.
• DoSRule and QoSRule class introduced
• Fixed PBF rules inconsistencies FROM and TO fields
• PanAPIConnector new function panorama_getConnectedFirewallsSerials()

utils: upload-config: new argument 'extraFiltersOut' to strip unwanted XML parts out of the config before saving/uploading it. rules-edit: new actions 'from-replace', 'to-replace' to help replace Zones where required

bugfix:

• fixed a loading error when using blank proxy-id in IPsecTunnels which implictly means 0.0.0.0/0
• fixed an issue where malformed xml could be generated when changing log-profile when it already existed
• fixed error caused by typo in filter (src/to has.from.query)
• fixed rules-edit filter is.dnat and is.snat and renamed has.source.nat, has.destination.nat, has.bidir.nat

• PanAPIConnector::register_sendUpdate() new IP registration function; PanAPIConnector::register_getIP() new get registered IP function
• ServiceGroup : detect and warn when a group has several times the same object
• Zone : function addObjectWhereIamUsed() implemented, supports only SecurityRule so far
• Rules : improved support of targets with new functions : target_rewriteXML, target_addDevice, target_setAny, target_setNegate, target_isNegated, target_removeDevice
• PH: finally introduced a way to track library version with PH::frameworkVersion() and PH::frameworkVersion_isGreaterThan()

utils: service-edit: new filters 'object is.unused.recursive' to check if an object is used in groups/nested groups which are not used either rules-edit: new actions 'src-Negate-Set','dst-Negate-Set' to enable/disable a rule Source/Destination negation 'target-Set-Any','target-Add-Device','target-Negate-Set','target-RemoveDevice' to manage targets 'clone' to clone rules before/after another rule and add a suffix rules-edit: improved 'calculate-zones' with NAT rules which will be cloned if several destination zones are found

bugfix:

• typos in service-edit action prefix-add suffix-add
• report generation on 7050 requires explicit 'async=yes'
• calculate-zones now considers directly connected with better priority than static ones
• fix issue in VirtualSystems where Captive-Portal rules were loaded as AppOverride
• fix 'stats' output for rules-edit.php, address-edit.php and service-edit.php

• introduction of rules Target field support in the core lib and in utils/filters
• NatRule display() outputs more informations, directly benefits to rules-edit.php
• PH::getPanObjectFromconfig() new helper function to load Panorama or Firewall conf
• introduced plugin system for address/rules/services-edit.php
• TagRuleContainer::copy new helper function to copy tags from one Rule to another
• DecryptionRule/PbfRule class now supports service (introduced in PANOS6.1)

utils: rules-edit : new filters 'target is.any' 'target has xxxxx/vsysX' 'snathost has xxxx' 'dnathost has xxxx' 'rule is.snat' 'rule is.dnat' 'rule is.snatbidir' 'snat is.static' 'snat is.dynamic-ip' 'snat is.dynamic-ip-and-port' 'natdstinterface is.set' 'rule is.universal' 'rule is.intrazone' 'rule is.interzone' rules-edit : new filters for security profiles: 'secprof av-profile.is' 'secprof as-profile.is' 'secprof vuln-profile.is' 'secprof wf-profile.is' rules-edit : new actions 'name-Append' and 'name-Prepend' 'split-bidirectionalnat' 'change-ruleType' address-edit : improved filter 'name regex' to allow external regular expression reference, permitting expression with parenthesis without the need to escape. ie: 'filter=(name regex %subquery1)' 'subquery1=/^(az)/' address-edit: new filters 'object is.unused.recursive' to check if an object is used in groups/nested groups which are not used either utilities: propose to enter a new login/password if previous ones are detected as invalid

bugfixes:

• fixed an issue where security profile filter 'is.set' and 'not.set' could return wrong value
• fixed an issue where log fowarding profile change would not update the XML
• RuleStore : fixed an issue where creating a NatRule would generate an error
• rules-edit 'logEnd-Disable' was not available due to a typo in the name
• RuleStore::moveRuleAfter/Before fix for post-rulebase would not work
• Source Nat could be improperly written in some cases

• introduction of CaptivePortal, Pbf type rules initial support
• PANConf : enhanced support to load pushed panorama config
• RuleStore : new function to get rules from parent DeviceGroups
• AddressGroup : enhanced group loading time & consistency
• SecurityRule|DecryptionRule : added userID support (readonly for the moment) + filters for rules-edit.php
• changes to make XML code closer to PANOS flavor : empty rules stores won't be created in XML anymore, same for Tag stores

utils: rules-edit : loading of firewall configurations can now get panorama pushed config, use option 'loadPanoramaPushedConfig' rules-edit : added new filters for userid : 'user is.any' 'user is.unknown' 'user is.known' 'user is.prelogon' rules-edit : added security profile, log profile userid column in ExportToExcel

bugfixes:

• proper XML update when an object used in DNAT is renamed
• fixed an issue where M-100 and M-500 would not be detected as Panorama
• fixed missing TO field in ExportToExcel
• fixed an issue where a zone would have wrong name after its creation
• fixed an issue with users of old PHP (previous version of MACOSX) and OpenSSL TLS

1.5.5 core:

• AddressGroup : new functions API_add(), API_remove(), function addObjectWhereIamUsed(), API_addObjectWhereIamUsed()
• Service : added tag support, new function addObjectWhereIamUsed(), API_addObjectWhereIamUsed()
• ServiceGroup : added tag support, new function API_remove(), addObjectWhereIamUsed(), API_addObjectWhereIamUsed(), removeWhereIamUsed() API_removeWhereIamUsed()

utils:

• rules-edit.php : new Actions 'description-append', 'securityProfile-Remove', 'removeWhereUsed'
• rules-edit.php : create FastAPI modes for : 'enabled-set', 'logStart-Enable', 'logStart-Disable', 'logEnd-Enable', 'logEnd-Disable' 'securityProfile-Group-Set'
• rules-edit.php : new filters 'name is.in.file'
• service-edit.php : new Action 'replaceWithObject', 'addObjectWhereUsed', 'removeWhereUsed'
• address-edit.php : new Action 'replaceWithObject', 'addObjectWhereUsed'
• address-edit.php : new filters 'name is.in.file' 'value ip4.included-in '

bugfixes:

• rules-edit.php : destination zone calculation fix in
• AddressGroup : was incorrectly reported as Dynamic when object XML was empty (MigrationTool issue)
• Address : support usage of IP ranges directly in rules which was not supported before.
• IP4Map : included-in calculation was return wrong 0 whatever the input

1.5.0 Library:

• 6.1 'rule-type' support (universal,intrazone,interzone) implemented. See SecurityRule->type() for details.
• support for 7.0 new Security rules actions : drop, reset-client, reset-server, reset-both
• support for 7.0 Device Group hierarchy
• basic support of Panorama templates
• moved preRules and postRules into one single store (see getPreRules and getPostRules)
• VirtualRouter and Static route implemented
• Major interface/network additions were made to allow future tools like routes calculation etc etc.
• Support for AppOverride rules

Utilities:

• new utility : rule-merger.php to find similar rules and merge them
• util rule-edit : new action 'resolve-zones' to do a rule resolution
• util rule-edit : new action 'copy' to copy rules into another vsys/device-group
• util rule-edit : new action 'tag-remove-regex'
• util rule-edit : new action 'cloneForAppOverride' to clone a security rule and make it an AppOverride
• util rule-edit : service-edit and address-edit will auto-detect PANOS vs Panorama, no need to use argument 'type' anymore
• util rule-edit : new filters : 'rule is.unused.fast' will check if a rule was not used since reboot (use cli 'show running rule-use rule-base security type unused vsys vsys1')
• util rule-edit : new filters : src/dst 'included-in.full included-in.partial included-in.full.or.partial' and 'includes.full includes-full.or.partial includes.partial'
• util rule-edit : new filters : src/dst 'has.recursive.regex'
• util rule-edit : new filters : description 'regex' , 'is.empty'
• util rule-edit : new filters for app 'has' and 'has.nocase' and log profile : 'logprof is.set' 'logprof is xxx'
• util rule-edit : new filters for zones : 'has.regex' and 'from.count' 'to.count'
• util rule-edit : new listActions menu
• util address-edit: new action 'move'
• util service-edit and address-edit new actions: replaceByMembersAndDelete, showIP4Mapping
• util service-edit : new action 'addObjectWhereUsed'
• util service-edit : new filters for services : 'name is.in.file'
• util upload-config : now supports inject xml parts direct in candidate config (see 'toXpath' and 'fromXpath' option)
• util upload-config : you can now preserve target firewall config (like its mgmt ip for example, look for 'help' to see options available).
• util upload-config : now supports api://x.x.x.x/running-config candidate-config to choose between running and candidate or already saved file