Question on calculate-zones

[bethatasitmay]

Hi

Something I can't remember if we covered or not at the time - are you calculating based on the RIB or the FIB? Thanks!

[swaschkut]

it is the static routing table configured in the XML configuration:

pan-os-php type=rule help to-calculate-zones

---

*********** pan-os-php.php type=rule UTILITY **************

• PAN-OS-PHP version: 2.0.62 [UNIX] [8.1.8]
  *** help for Action to-calculate-zones:[mode], [virtualRouter], [template], [vsys]
  This Action will use routing tables to resolve zones. When the program cannot find all parameters by itself (like vsys or template name you will have ti manually provide them.

Usage examples:

- xxx-calculate-zones
- xxx-calculate-zones:replace
- xxx-calculate-zones:append,vr1
- xxx-calculate-zones:replace,vr3,api@0011C890C,vsys1
- xxx-calculate-zones:show,vr5,Datacenter_template
- xxx-calculate-zones:replace,vr3,file@firewall.xml,vsys1

Listing arguments:

-- mode :
OPTIONAL
type=string
choices: replace, append, show, unneeded-tag-add

Will determine what to do with resolved zones : show them, replace them in the rule , only append them (removes none but adds missing ones) or tag-add for unneeded zones

-- virtualRouter :
OPTIONAL
type=string

Can optionally be provided if script cannot find which virtualRouter it should be using (ie: there are several VR in same VSYS)

-- template :
OPTIONAL
type=string

When you are using Panorama then 1 or more templates could apply to a DeviceGroup, in such a case you may want to specify which Template name to use.
Beware that if the Template is overriden or if you are not using Templates then you will want load firewall config in lieu of specifying a template.
For this, give value 'api@XXXXX' where XXXXX is serial number of the Firewall device number you want to use to calculate zones.
If you don't want to use API but have firewall config file on your computer you can then specify file@/folderXYZ/config.xml.

-- vsys :
OPTIONAL
type=string

specify vsys when script cannot autodetermine it or when you when to manually override

[bethatasitmay]

It's pulling in dynamic routes, too, which I wouldn't expect to be in the XML. And, as you quoted from the help, it says:

"This Action will use routing tables to resolve zones."

I'm wondering if it's RIB vs. FIB because for zone calculation purposes the RIB would be preferred (since all known routes would be in the RIB while the FIB only has the calculated best routes).

[bethatasitmay]

bump

Just making sure you saw this one - no rush, though. Thanks!

[swaschkut]

the behaviour for the implemented zone calculation is same for offline XML file and PAN-OS API mode,
said this, dynamic routes can not be used for zone calculation.

Please check your environment / used configuration files

[bethatasitmay]

Prior to us discussing this in the Fall of 2021, it only pulled in static routes. I inquired about using dynamic routes and I thought that's what you had added (it certainly operates as if it's looking at dynamic routes) - I see the action matching zones to routes that are only available via OSPF or BGP.

If it wasn't using dynamic routes there are routes we have that match to the static default route and everything not defined by an interface or static route would get the Internet zone as that's where the default route goes.

[swaschkut]

exactly:

if no better matching static route is available, the default route come in place, and is used

[bethatasitmay]

Sorry if I didn't make it clear - this is being run against the Panorama API not an offline xml file.

So, for dynamic routes is the action looking at the RIB or the FIB?

[swaschkut]

I am repeating my self:

for zone calculation dynamic routes are not taken into the zone calculation.
the information which is used for the implemented zone calculation is always coming from the XML file, also if Panorama API is used.
(the first step of each task for API usage, is to download the XML configuration).
if you are using argument 'debugapi' you can check in detail which information is requested

based on this downloaded XML file, the available/picked virtual-router is checked for static routing entries.
these static routing entries are used to calculate the zones.

Summarisation:
Dynamic Routing is NOT used in pan-os-php framework for zone calculation.
Neither RIB or FIB is used, the tool is using the XML config file to do it's own calculation based on the configured static routing information!

[swaschkut]

if you like to test another tool where Zone calculation is implemented, please check the Palo Alto Networks Expedition tool.
But please be aware that there is also no implementation available to calculate zones based on dynamic routing information

[bethatasitmay]

It appears that I owe you an apology.

I understood what you were saying this whole time, but I guess I'm remembering things wrong which lead to my...opposition to what you were saying.

When we looked at this last year, I had asked if it was possible to include dynamic routes and at the time you had said you understood what I was asking and would make some changes (this was on our Zoom call).

I assumed the changes were the dynamic routes but it looks like it may have been a bug fix.

What further compounded this is that in my (apparently flawed) memory is that I thought I had run this and it found zones from dynamic routes. Well, I just ran it again on a rule that has BGP routes for the source and OSPF routes for the destination and it failed to find any.

Furthermore, I now remember having seen the warnings it shows about not finding a matching interface for various routes. I do recall at the time not knowing (realizing) what I was seeing as I was running an append command on over 3,000 rules and so it would fly by and I couldn't scroll back to see what might have been happening.

[bethatasitmay]

Regarding Expedition, I thought that v1.x also was limited to static routes/connected interfaces. Does it actually look at dynamic routes (not that I want to use it)?