topic Re: Confirm Xpath for rule build (not sure if github code is right for new rule add in VM-Series in the Public Cloud

Confirm Xpath for rule build (not sure if github code is right for new rule add

clyde.franklin — Fri, 19 May 2017 16:41:26 GMT

Can someone cofirm if belwow github syntax is correct? When I try it weird is that I see rule hit palo alto in the logs but rule never actual builds and when I try syntax via web it showns :<![CDATA[ clyde -> source has unexpected text. ]]> but command i show spt on mathch when comparing my script to xpath on git hub

parameters = {'xpath':"/config/devices/entry[@name=\'localhost.localdomain\']/vsys/entry[@name=\'vsys1\']/rulebase/security/rules/entry[@name=\'"+rule_params['name']+"\']",'element':"<to><member>"+rule_params['dstZone']+"</member></to><from><member>"+rule_params['srcZone']+"</member></from><source>"+rule_source_ip+"</source><destination>"+rule_destination_ip+"</destination><application><member>"+rule_params['application']+"</member></application><service><member>"+rule_params['service']+"</member></service><action>"+rule_params['action']+"</action><profile-setting><group><member>"+rule_params['spg']+"</member></group></profile-setting>"}

Re: Confirm Xpath for rule build (not sure if github code is right for new rule add

niyengar — Fri, 19 May 2017 16:52:47 GMT

What is your source on GitHub?

Just visually the xpath looks correct...

Re: Confirm Xpath for rule build (not sure if github code is right for new rule add

clyde.franklin — Fri, 19 May 2017 17:13:15 GMT

supposdly the paloalto.py file below should work

def paloalto_rule_add(pa_ip,pa_key,rule_params):
   # Add a new rule on Palo Alto gateway
   # Input: Palo Alto gateway IP, Palo Alto Access Key, and rule_params
   # rule_params are the parameters to be configured for the new rule. It is a dictionary with the following values:
   # rule_params['name']: name of the rule
   # rule_params['dstZone']: destination zone
   # rule_params['srcZone']: source zone
   # rule_params['srcIP']: list of source IP addresses
   # rule_params['dstIP']: list of destination IP addresses
   # rule_params['application']: application
   # rule_params['service']: service
   # rule_params['action']: rule action (allow, deny)
   # rule_params['spg']: name of security group profile to be set
   # Output: returns 'success' or 'fail' depending on the result


    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE


   cmd = "/api/?type=config&action=set&"
   parameters = {'xpath':"/config/devices/entry[@name=\'localhost.localdomain\']/vsys/entry[@name=\'vsys1\']/rulebase/security/rules/entry[@name=\'"+rule_params['name']+"\']",'element':"<to><member>"+rule_params['dstZone']+"</member></to><from><member>"+rule_params['srcZone']+"</member></from><source>"+rule_source_ip+"</source><destination>"+rule_destination_ip+"</destination><application><member>"+rule_params['application']+"</member></application><service><member>"+rule_params['service']+"</member></service><action>"+rule_params['action']+"</action><profile-setting><group><member>"+rule_params['spg']+"</member></group></profile-setting>"}

   url = "https://"+pa_ip+cmd+"Key="+pa_key+"&"+urllib.urlencode(parameters)

   response = urllib2.urlopen(url, context=ctx)

   contents= ET.fromstring(response.read())

   result = 'success'
   return result