https://live.paloaltonetworks.com/t5/next-generation-firewall/application-list-via-show-running-security-policy-is-incomplete/m-p/1222150#M5622 <P>Hey guys, I need to export a bunch of security rules of one of our FWs (PA-5250; 10.2.10-h9). I decided to do this via cli, but certain rules seem to have an incomplete list of applications. It looks like this:</P><P>&nbsp;</P><P><FONT face="courier new,courier">application/service [0:ms-scheduler/tcp/any/any 1:ms-scheduler/udp/any/any 2:ms-netlogon/tcp/any/49152-65535 3:ms-netlogon/tcp/any/135 4:ms-netlogon/tcp/any/139 5:ms-netlogon/tcp/any/445 6:ms-netlogon/tcp/any/1025-5000 7:ms-netlogon/udp/any/137 8:ms-netlogon/udp/any/138 9:ms-netlogon/udp/any/445 10:netbios-ss/tcp/any/139 11:msrpc-base/tcp/any/any 12:msrpc-base/udp/any/any 13:ms-ds-smb-base/tcp/any/139 14:ms-ds-smb-base/tcp/any/445 15:ms-ds-smb-base/udp/any/445 16:mssql-db-base/tcp/any/1433 17:mssql-db-base/udp/any/1433 18:mssql-mon/udp/any/1434 19:ms-service-contro/tcp/any/any 20:ms-wmi/tcp/any/any 21:windows-remote-ma/tcp/any/5985 22:windows-remote-ma/tcp/any/5986 23:ms-ds-smbv3/tcp/any/139 24:ms-ds-smbv3/tcp/any/445 25:ms-ds-smbv3/udp/any/445 26:ms-remote-registr/tcp/any/any 27:ms-remote-registr/udp/any/any 28:ms-event-log/tcp/any/any 29:ms-event-log/udp/any/any 30:ms-local-user-man/tcp/any/any 31:ms-local-user-man/udp/any/any ... ]</FONT></P><P>&nbsp;</P><P>See how it ends with "..."? There seems to be a limit of about ~930 characters. I already tried to set the output-format to xml, but I'm not sure, if i did it correctly since there is no change in format. I used: "<FONT face="courier new,courier">set cli config-output-format xml</FONT>"</P><P>&nbsp;</P><P>After running "<FONT face="courier new,courier">show running security-policy is incomplete</FONT>" there is no change.</P><P>After switching to configure-mode via "<FONT face="courier new,courier">configure</FONT>" and running "<FONT face="courier new,courier">show rulebase security rules</FONT>" it doesn't give me any output. Same when I switch back to default output format. Am I doing something wrong? Are there other ways to achieve what I need (export all applications of a certain security rule)?</P><P>&nbsp;</P><P>Many thanks</P> Thu, 27 Feb 2025 08:39:43 GMT Sergio_Voigt 2025-02-27T08:39:43Z https://live.paloaltonetworks.com/t5/next-generation-firewall/application-list-via-show-running-security-policy-is-incomplete/m-p/1222150#M5622 <P>Hey guys, I need to export a bunch of security rules of one of our FWs (PA-5250; 10.2.10-h9). I decided to do this via cli, but certain rules seem to have an incomplete list of applications. It looks like this:</P><P>&nbsp;</P><P><FONT face="courier new,courier">application/service [0:ms-scheduler/tcp/any/any 1:ms-scheduler/udp/any/any 2:ms-netlogon/tcp/any/49152-65535 3:ms-netlogon/tcp/any/135 4:ms-netlogon/tcp/any/139 5:ms-netlogon/tcp/any/445 6:ms-netlogon/tcp/any/1025-5000 7:ms-netlogon/udp/any/137 8:ms-netlogon/udp/any/138 9:ms-netlogon/udp/any/445 10:netbios-ss/tcp/any/139 11:msrpc-base/tcp/any/any 12:msrpc-base/udp/any/any 13:ms-ds-smb-base/tcp/any/139 14:ms-ds-smb-base/tcp/any/445 15:ms-ds-smb-base/udp/any/445 16:mssql-db-base/tcp/any/1433 17:mssql-db-base/udp/any/1433 18:mssql-mon/udp/any/1434 19:ms-service-contro/tcp/any/any 20:ms-wmi/tcp/any/any 21:windows-remote-ma/tcp/any/5985 22:windows-remote-ma/tcp/any/5986 23:ms-ds-smbv3/tcp/any/139 24:ms-ds-smbv3/tcp/any/445 25:ms-ds-smbv3/udp/any/445 26:ms-remote-registr/tcp/any/any 27:ms-remote-registr/udp/any/any 28:ms-event-log/tcp/any/any 29:ms-event-log/udp/any/any 30:ms-local-user-man/tcp/any/any 31:ms-local-user-man/udp/any/any ... ]</FONT></P><P>&nbsp;</P><P>See how it ends with "..."? There seems to be a limit of about ~930 characters. I already tried to set the output-format to xml, but I'm not sure, if i did it correctly since there is no change in format. I used: "<FONT face="courier new,courier">set cli config-output-format xml</FONT>"</P><P>&nbsp;</P><P>After running "<FONT face="courier new,courier">show running security-policy is incomplete</FONT>" there is no change.</P><P>After switching to configure-mode via "<FONT face="courier new,courier">configure</FONT>" and running "<FONT face="courier new,courier">show rulebase security rules</FONT>" it doesn't give me any output. Same when I switch back to default output format. Am I doing something wrong? Are there other ways to achieve what I need (export all applications of a certain security rule)?</P><P>&nbsp;</P><P>Many thanks</P> Thu, 27 Feb 2025 08:39:43 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/application-list-via-show-running-security-policy-is-incomplete/m-p/1222150#M5622 Sergio_Voigt 2025-02-27T08:39:43Z https://live.paloaltonetworks.com/t5/next-generation-firewall/application-list-via-show-running-security-policy-is-incomplete/m-p/1222177#M5623 <H6><EM><FONT color="#800000">Can you try using&nbsp;<SPAN class="hljs-built_in">set</SPAN> cli config-output-format <SPAN class="hljs-built_in">set</SPAN></FONT></EM><EM><FONT color="#800000">using set format</FONT></EM></H6> <H6><EM><FONT color="#800000">here the example :</FONT></EM></H6> <OL> <LI> <H6><EM><FONT color="#800000"><SPAN class="hljs-built_in">set</SPAN> shared application MyApp category business-systems </FONT></EM></H6> </LI> <LI> <H6><EM><FONT color="#800000"><SPAN class="hljs-built_in">set</SPAN> shared application MyApp subcategory collaboration </FONT></EM></H6> </LI> <LI> <H6><EM><FONT color="#800000"><SPAN class="hljs-built_in">set</SPAN> shared application MyApp technology browser-based </FONT></EM></H6> </LI> <LI> <H6><EM><FONT color="#800000"><SPAN class="hljs-built_in">set</SPAN> shared application MyApp risk 3 </FONT></EM></H6> </LI> <LI> <H6><EM><FONT color="#800000"><SPAN class="hljs-built_in">set</SPAN> shared application MyApp default port tcp/8080</FONT></EM></H6> </LI> <LI> <H6><EM><FONT color="#800000"> <SPAN class="hljs-built_in">set</SPAN> shared application MyApp <SPAN class="hljs-built_in">timeout</SPAN> 30 </FONT></EM></H6> </LI> <LI> <H6><EM><FONT color="#800000"><SPAN class="hljs-built_in">set</SPAN> shared application MyApp tcp-timeout 60</FONT></EM></H6> </LI> <LI> <H6><EM><FONT color="#800000"> <SPAN class="hljs-built_in">set</SPAN> shared application MyApp udp-timeout 30</FONT></EM></H6> </LI> <LI> <H6><EM><FONT color="#800000"> <SPAN class="hljs-built_in">set</SPAN> shared application MyApp tcp-keep-alive <SPAN class="hljs-built_in">yes</SPAN> </FONT></EM></H6> </LI> <LI> <H6><EM><FONT color="#800000"><SPAN class="hljs-built_in">set</SPAN> shared application MyApp enable-default <SPAN class="hljs-built_in">yes</SPAN></FONT></EM></H6> </LI> <LI> <H6><EM><FONT color="#800000"> <SPAN class="hljs-built_in">set</SPAN> shared application MyApp description <SPAN class="hljs-string">"Custom business app running on TCP 8080"</SPAN></FONT></EM></H6> </LI> </OL> <P>&nbsp;</P> Thu, 27 Feb 2025 11:21:10 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/application-list-via-show-running-security-policy-is-incomplete/m-p/1222177#M5623 Mudhireddy 2025-02-27T11:21:10Z https://live.paloaltonetworks.com/t5/next-generation-firewall/application-list-via-show-running-security-policy-is-incomplete/m-p/1222381#M5630 <P>Hello Suresh, many thanks for replying. Unfortunately this didn't change the output format at all. Could it be that there is some kind of configuration on the FW, that makes it reject giving output for the command "show rulesbase security rules" or reject the "set"-command? Because whatever format I change it to, I won't show anything. With the exceptance of "show running security-policy" which gives the incomplete output as mentioned.</P><P>&nbsp;</P><P>Interestingly, with the XML API Browser I'm able to get what i need. A full output of all the enabled applications of a certain rule. Like this:</P><P>&lt;application&gt;<BR />&lt;member&gt;ms-ds-smb-base&lt;/member&gt;<BR />&lt;member&gt;ms-ds-smbv2&lt;/member&gt;<BR />&lt;member&gt;ms-ds-smbv3&lt;/member&gt;<BR />&lt;member&gt;ms-service-controller&lt;/member&gt;<BR />&lt;member&gt;msrpc&lt;/member&gt;<BR />&lt;member&gt;mssql-db&lt;/member&gt;<BR />&lt;member&gt;mssql-mon&lt;/member&gt;<BR />&lt;member&gt;netbios-ss&lt;/member&gt;<BR />&lt;/application&gt;</P><P>&nbsp;</P><P>With a little Excel magic this can easily be extracted.</P><P>&nbsp;</P><P>&lt;show&gt;&lt;config&gt;&lt;running&gt;&lt;xpath&gt;&lt;/xpath&gt;&lt;/running&gt;&lt;/config&gt;&lt;/show&gt;</P><P>Via xpath I should also be able to get the output for a certain entry in the configuration, but it keeps giving me errors for whatever xpath I give. What's the correct xml command format?</P> Mon, 03 Mar 2025 07:37:27 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/application-list-via-show-running-security-policy-is-incomplete/m-p/1222381#M5630 Sergio_Voigt 2025-03-03T07:37:27Z https://live.paloaltonetworks.com/t5/next-generation-firewall/application-list-via-show-running-security-policy-is-incomplete/m-p/1222415#M5632 <P>You're on the right track using the XML API Browser to extract information. If you're trying to retrieve the enabled applications for a specific security rule using XPath, the correct XML command format should follow this structure:</P> <P>&lt;show&gt;<BR />&lt;config&gt;<BR />&lt;running&gt;<BR />&lt;xpath&gt;/config/devices/entry/vsys/entry/rulebase/security/rules/entry[@name='Rule_Name']/application&lt;/xpath&gt;<BR />&lt;/running&gt;<BR />&lt;/config&gt;<BR />&lt;/show&gt;</P> <P data-start="451" data-end="466"><STRONG data-start="451" data-end="466">Key Points:</STRONG></P> <UL data-start="467" data-end="738"> <LI data-start="467" data-end="532">Replace <CODE data-start="477" data-end="488">Rule_Name</CODE> with the actual name of your security rule.</LI> <LI data-start="533" data-end="608">The XPath should match the exact hierarchy of the firewall configuration.</LI> <LI data-start="609" data-end="738">The path generally follows:<BR data-start="638" data-end="641" /><CODE data-start="643" data-end="738">/config/devices/entry/vsys/entry/rulebase/security/rules/entry[@name='Rule_Name']/application</CODE><CODE data-start="643" data-end="738"></CODE>curl -k -X GET "https://&lt;FIREWALL_IP&gt;/api/?type=config&amp;action=show&amp;xpath=/config/devices/entry/vsys/entry/rulebase/security/rules/entry[@name='Rule_Name']/application&amp;key=&lt;API_KEY&gt;" <P data-start="974" data-end="1004">If you still encounter errors:</P> <OL data-start="1005" data-end="1677"> <LI data-start="1005" data-end="1308"> <P data-start="1008" data-end="1063"><STRONG data-start="1008" data-end="1040">Check the full XML structure</STRONG> using a broader query:&lt;show&gt;<BR />&lt;config&gt;<BR />&lt;running&gt;<BR />&lt;xpath&gt;/config/devices/entry/vsys/entry/rulebase/security/rules&lt;/xpath&gt;<BR />&lt;/running&gt;<BR />&lt;/config&gt;<BR />&lt;/show&gt;</P> </LI> <LI data-start="1005" data-end="1308"> <P data-start="1250" data-end="1308">This will return all rules—then you can refine your XPath.</P> </LI> <LI data-start="1005" data-end="1308"> <P data-start="1008" data-end="1063">&nbsp;</P> </LI> <LI data-start="1310" data-end="1433"> <P data-start="1313" data-end="1433"><STRONG data-start="1313" data-end="1340">Verify Case Sensitivity</STRONG><BR data-start="1340" data-end="1343" />The XML structure is case-sensitive. Ensure <CODE data-start="1390" data-end="1416">entry[@name='Rule_Name']</CODE> exactly matches.</P> </LI> <LI data-start="1005" data-end="1308"> <P data-start="1008" data-end="1063">&nbsp;</P> </LI> <LI data-start="1435" data-end="1677"> <P data-start="1438" data-end="1533"><STRONG data-start="1438" data-end="1474">Use <CODE data-start="1444" data-end="1447">|</CODE> in case of multiple VSYS</STRONG><BR data-start="1474" data-end="1477" />If you're working with multiple virtual systems, try:&lt;xpath&gt;/config/devices/entry/vsys/entry[@name='vsys1']/rulebase/security/rules/entry[@name='Rule_Name']/application&lt;/xpath&gt;<BR /><BR /></P> </LI> </OL> <BR /><CODE data-start="643" data-end="738"></CODE></LI> </UL> Mon, 03 Mar 2025 15:40:55 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/application-list-via-show-running-security-policy-is-incomplete/m-p/1222415#M5632 Mudhireddy 2025-03-03T15:40:55Z