Proposal to Enhance PAN-OS XSD with version_item Element #252

@s-polasa

Overview

Currently, the PAN-OS XSD (OVAL 5.12 and 6.0) defines the config_item element to collect configuration data from the PAN-OS Web API using the request:

https://[PAN-OS-DEVICE]/api/?type=export&category=configuration

However, real-time system analysis indicates that this API request does not provide comprehensive system details. Specifically, critical information such as the device name and software version is not included in the response.

Proposed Enhancement

| Element Name | Description |
| --- | --- |
| config_item (Existing) | Captures only the current running configuration on the PAN-OS device. However, key details like device name and version are missing. |
| version_item (New) | A new element that gathers device-specific information such as model name, software version, and license status. |

Real-Time Device Analysis on PAN-OS:

Device Used : PA-VM (KVM)

Analysis 1 (11.0.0) :

Output from CLI Command (show system info):
admin@PA-VM> show system info

hostname: PA-VM
ip-address: 192.168.122.26
...
family: vm
model: PA-VM
serial: unknown
...
vm-license: none
...
sw-version: 11.0.0
...
API Request & Response (show system info):
$ curl -s -k 'https://192.168.122.26/api/?type=keygen&user=admin&password=admin'
<response status = 'success'>
    <result>
        <key>API-KEY-SAMPLE</key>
    </result>
</response>

$ APIKEY="API-KEY-SAMPLE"
$
$ curl -s -k "https://192.168.122.26/api/?key=$APIKEY&type=op&cmd=<show><system><info/></system></show>"
<response status="success">
    <result>
        <system>
            <hostname>PA-VM</hostname>
            <ip-address>192.168.122.26</ip-address>
            ...
            <devicename>PA-VM</devicename>
            <family>vm</family>
            <model>PA-VM</model>
            <serial>unknown</serial>
            ...
            <vm-license>none</vm-license>
            <vm-mode>KVM</vm-mode>
            <sw-version>11.0.0</sw-version>
            ...
        </system>
    </result>
</response>
API Request & Response (export, configuration):
$ curl -s -k 'https://192.168.122.26/api/?type=keygen&user=admin&password=admin'
<response status = 'success'>
    <result>
        <key>API-KEY-SAMPLE</key>
    </result>
</response>

$ APIKEY="API-KEY-SAMPLE"
$
$ curl -s -k "https://192.168.122.26/api/?key=$APIKEY&type=export&category=configuration"
<config version="11.0.0" urldb="paloaltonetworks" detail-version="11.0.0">
    <mgt-config>
        ...
    </mgt-config>
    ...
</config>

Analysis 2 (8.0.5) :

Output from CLI Command (show system info):
admin@PA-VM> show system info

hostname: PA-VM
ip-address: 192.168.122.25
...
family: vm
model: PA-VM
serial: unknown
...
vm-license: none
...
sw-version: 8.0.5
...
API Request & Response (show system info):
$ curl -s -k 'https://192.168.122.25/api/?type=keygen&user=admin&password=admin'
<response status = 'success'>
    <result>
        <key>API-KEY-SAMPLE</key>
    </result>
</response>

$ APIKEY="API-KEY-SAMPLE"
$
$ curl -s -k "https://192.168.122.25/api/?key=$APIKEY&type=op&cmd=<show><system><info/></system></show>"
<response status="success">
    <result>
        <system>
            <hostname>PA-VM</hostname>
            <ip-address>192.168.122.25</ip-address>
            ...
            <devicename>PA-VM</devicename>
            <family>vm</family>
            <model>PA-VM</model>
            <serial>unknown</serial>
            ...
            <vm-license>none</vm-license>
            <vm-mode>KVM</vm-mode>
            <sw-version>8.0.5</sw-version>
            ...
        </system>
    </result>
</response>
API Request & Response (export, configuration):
$ curl -s -k 'https://192.168.122.25/api/?type=keygen&user=admin&password=admin'
<response status = 'success'>
    <result>
        <key>API-KEY-SAMPLE</key>
    </result>
</response>

$ APIKEY="API-KEY-SAMPLE"
$
$ curl -s -k "https://192.168.122.26/api/?key=$APIKEY&type=export&category=configuration"
<config version="8.0.0" urldb="paloaltonetworks">
    <mgt-config>
        ...
    </mgt-config>
    ...
</config>

Conclusion:

By comparing the outputs from type=export&category=configuration and type=op&cmd=<show><system><info/></system></show>, we observe that the configuration API category=configuration does not reliably update the system version when the device is upgraded. The CLI command or operational API cmd=<show><system><info/></system></show> provides the correct version information.

| Version | Output from `type=export&category=configuration` | Output from `type=op&cmd=<show><system><info/></system></show>` |
| --- | --- | --- |
| 8.0.5 | 8.0.0 | 8.0.5 |
| 11.0.0 | 11.0.0 | 11.0.0 |

Proposed Change

Adding the version_item element to the PAN-OS XSD will ensure that developers have accurate and complete system information, improving overall clarity and reliability.
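
The comparison above can be reproduced offline. The following is an added example, not part of the original issue or of the OVAL project's code: it parses a `show system info` API reply and a configuration export and reports whether the two version sources agree. The sample XML is constructed from the 8.0.5 analysis with the elided parts dropped, and the `FIELDS` selection and function names are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed samples, trimmed from the 8.0.5 analysis shown in the issue.
OP_RESPONSE = """<response status="success"><result><system>
  <hostname>PA-VM</hostname>
  <devicename>PA-VM</devicename>
  <family>vm</family>
  <model>PA-VM</model>
  <serial>unknown</serial>
  <vm-license>none</vm-license>
  <sw-version>8.0.5</sw-version>
</system></result></response>"""

CONFIG_EXPORT = '<config version="8.0.0" urldb="paloaltonetworks"><mgt-config/></config>'

# Fields a version_item-style collector might record (hypothetical selection).
FIELDS = ("hostname", "devicename", "family", "model", "serial", "vm-license", "sw-version")


def parse_system_info(xml_text):
    """Return the selected <system> fields from a 'show system info' reply."""
    root = ET.fromstring(xml_text)
    if root.tag != "response" or root.get("status") != "success":
        raise ValueError("operational request did not succeed")
    system = root.find("./result/system")
    if system is None:
        raise ValueError("no <system> element in response")
    return {name: system.findtext(name) for name in FIELDS}


def config_version(xml_text):
    """Return the version attribute of an exported configuration."""
    return ET.fromstring(xml_text).get("version")


def compare_versions(op_xml, config_xml):
    """Report both version sources and whether they agree."""
    running = parse_system_info(op_xml)["sw-version"]
    exported = config_version(config_xml)
    return {"sw-version": running, "config-version": exported, "match": running == exported}


if __name__ == "__main__":
    print(compare_versions(OP_RESPONSE, CONFIG_EXPORT))
```

A version check built on the export's `version` attribute would evaluate this device as 8.0.0, so any OVAL definition keyed to a fix between 8.0.0 and 8.0.5 would give the wrong result.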
