Skip to content

Proposal: Add version_item Element to PAN-OS OVAL Schema #283#331

Open
sharathshivalingappa wants to merge 5 commits into
OVAL-Community:5.12.3_developfrom
sharathshivalingappa:283-Proposal-Add-version_item-Element-to-PAN-OS-OVAL-Schema
Open

Proposal: Add version_item Element to PAN-OS OVAL Schema #283#331
sharathshivalingappa wants to merge 5 commits into
OVAL-Community:5.12.3_developfrom
sharathshivalingappa:283-Proposal-Add-version_item-Element-to-PAN-OS-OVAL-Schema

Conversation

@sharathshivalingappa
Copy link
Copy Markdown

@sharathshivalingappa sharathshivalingappa commented May 29, 2026

Abstarct

This PR enhances the PAN-OS OVAL schema by introducing a new element version_item in both definitions and system-characteristics schemas. As per the current PAN-OS XSD Statement (OVAL 5.12 and 6.0), the <config_item> element only collects information from:

https://<PAN-OS-DEVICE>/api/?type=export&category=configuration

This API is not sufficient to capture full system information.

Real-Time System Analysis Summary:

Element Name Description
config_item Only collects the running configuration from the PAN-OS device. Information like DeviceName, DeviceVersion, etc., is missing in the response.
version_item Collects device-specific information such as Model Name, Device Version, License Status, etc.

➡️ version_item is proposed as a new schema element to bridge this gap.

Real-Time Device Analysis (PA-VM - PAN-OS v11.0.5)

Example CLI Output:

admin@PA-VM> show system info

hostname: PA-VM
ip-address: 192.168.122.26
family: vm
model: PA-VM
serial: unknown
vm-license: none
sw-version: 11.0.5

Example API Request Flow:

# Get API Key
curl -s -k 'https://192.168.122.26/api/?type=keygen&user=admin&password=admin'

# Example Response
<response status='success'>
  <result>
    <key>LUFRPT1X...</key>
  </result>
</response>

# Use API Key to get config
APIKEY="LUFRPT1X..."
curl -s -k "https://192.168.122.26/api/?key=$APIKEY&type=export&category=configuration"

Example Configuration Output:

<config version="11.0.0" urldb="paloaltonetworks" detail-version="11.0.0">
  <mgt-config>...</mgt-config>
</config>

➡️ As seen above, sw-version and other critical system information are not represented in the configuration XML — hence the need for version_item.

Changes Introduced

  • version_item in panos-definitions-schema.xsd
  • version_item in panos-system-characteristics-schema.xsd

A-Biggs
A-Biggs requested changes May 29, 2026
View reviewed changes
Comment thread oval-schemas/panos-system-characteristics-schema.xsd Outdated
Comment thread oval-schemas/panos-system-characteristics-schema.xsd Outdated
Comment thread oval-schemas/panos-system-characteristics-schema.xsd Outdated
Comment thread oval-schemas/panos-system-characteristics-schema.xsd Outdated
Comment thread oval-schemas/panos-system-characteristics-schema.xsd Outdated
Comment thread oval-schemas/panos-system-characteristics-schema.xsd Outdated
Comment thread oval-schemas/panos-system-characteristics-schema.xsd Outdated
A-Biggs
A-Biggs reviewed May 29, 2026
View reviewed changes
Comment thread oval-schemas/panos-system-characteristics-schema.xsd Outdated
@A-Biggs
Copy link
Copy Markdown
Contributor

A-Biggs commented Jun 2, 2026

@vanderpol I've reviewed this PR, and have implemented this in the Joval engine, so it should be good to include it in the official release.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@A-Biggs A-Biggs A-Biggs approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@sharathshivalingappa @A-Biggs