Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Partial XPath support no longer supported in PAN-OS 11.0 #570

Open
stealthllama opened this issue Jul 24, 2024 · 2 comments
Open

Partial XPath support no longer supported in PAN-OS 11.0 #570

stealthllama opened this issue Jul 24, 2024 · 2 comments
Labels
bug

Comments

@stealthllama
Copy link
Contributor

stealthllama commented Jul 24, 2024
edited
Loading

Describe the bug

Partial XPath support was dropped in PAN-OS 11.0. The create() function in pan-os-python issues set commands with a partial XPath value for the newly created configuration object. This results in inconsistencies when performing partial commits on Panorama. Changes made by specific administrators are not pushed to the managed firewalls when a partial commit is performed.

Expected behavior

The set commands generated from the create() function should include the object entry on the XPath string.

Example:

<request cmd='set' obj="/config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='Lab Testing']/address/entry[@name='Address A']" cookie='1357220402109258' client='xmlapi' refresh='no'><ip-netmask>192.168.200.10/32</ip-netmask><description>Address A added by notbob from Postman</description></request>

Current behavior

The set commands generated from the create() function strip out the object entry suffix on the XPath string. A xpath_short() function is called to perform this truncation.

Example:

 <request cmd='set' obj="/config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='Lab Testing']/address" cookie='4859959213841190' client='xmlapi' refresh='no'><entry name="Address B"><ip-netmask>192.168.120.8/32</ip-netmask><description>Address B added by bob from Ansible</description></entry></request>

Possible solution

The create() function must specific the complete XPath with entry suffix in all set commands.

Steps to reproduce

  1. Create a new address object via the create() function against Panorama 11.0.3-h3 or later.
  2. Commit and push changes made by the specific administrator,
  3. The newly created object does not appear on the managed firewall.

Context

This issue impacts all users of the Ansible collection for PAN-OS.

Your Environment

  • Version used: Panorama 11.0.3-h3 or later
  • Environment name and version (e.g. Chrome 59, node.js 5.4, python 3.7.3): Python 3.10.14
  • Operating System and version (desktop or mobile): MacOS 14.5
@stealthllama
Copy link
Contributor Author

The xpath_short() function that is being called by create():

pan-os-python/panos/base.py

Line 382 in 62bcff3

def xpath_short(self, root=None):

@migara migara mentioned this issue Jul 25, 2024
Open
@keithcampbelljr
Copy link
Contributor

@stealthllama I'm currently working on this as it seemed straight forward. Does this issue only have an impact on AddressObject? Or does this need to impact other object types as well? I need to test this to see the xml output but I was looking at something like:
self._xpaths.add_profile(value="/address/entry[@name='{name}']")

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@stealthllama @keithcampbelljr