topic Re: Add or remove application in a security rule in Panorama Discussions

Add or remove application in a security rule

ssovee — Sun, 01 Oct 2023 17:40:51 GMT

Hello.......
curl -k -X GET "https://10.10.10.10/api/?key=LUFRPT16R......................Mg==&type=config&action=set&xpath=/config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='GP']/pre-rulebase/security/rules/entry[@name='Policy-1']&element=<source><member>any</member></source><destination><member>any</member></destination><service><member>any</member></service><application><member>zoom</member><member>quic</member></application><action>allow</action><source-user><member>any</member></source-user><option><disable-server-response-inspection>no</disable-server-response-inspection></option><negate-source>no</negate-source><negate-destination>no</negate-destination><disabled>no</disabled><log-start>yes</log-start><log-end>yes</log-end><description>description</description><from><member>trust</member></from><to><member>untrust</member></to>"
Using the above command I can create a policy. But If I want to add or delete applications in the same policy then what will be the way? I tried edit option instead of set but it shows <response status="error" code="12"><msg><line>Edit breaks config validity</line></msg></response> . Also I tried delete option to remove the application but it removes the Policy itself.
Maybe I am missing something. My goal is to update the policy by adding or removing applications using api.

Re: Add or remove application in a security rule

TomYoung — Mon, 02 Oct 2023 14:54:27 GMT

Hi @ssovee ,

The following URLs worked for me:

To add an application to an existing rule:
https://<fw ip>/api/?key=<API-KEY>&type=config&action=set&xpath=/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/rulebase/security/rules/entry[@name='Test']/application&element=<member>zoom</member>
To delete an application from an existing rule:

https://<fw ip>/api/?key=<API-KEY>&type=config&action=delete&xpath=/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/rulebase/security/rules/entry[@name='Test']/application/member[text()='zoom']
To replace all applications in an existing rule:

https://<fw ip>/api/?key=<API-KEY>&type=config&action=edit&xpath=/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/rulebase/security/rules/entry[@name='Test']/application&element=<application><member>zoom</member><member>webex</member><member>ms-teams-audio-video</member></application>

Here is a list of XML API actions: https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-panorama-api/pan-os-xml-api-request-types/pan-os-xml-api-request-types-and-actions/configuration-actions/actions-for-modifying-a-configuration

The action works on the xpath, which is why for set (add) and edit (replace) the application xpath is listed with specifics part of &element. Since the delete action requires an xpath to the specific application, the /member[text()=''] is used.

Depending upon the automation desired, the REST API may be more consistent. https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-panorama-api/get-started-with-the-pan-os-rest-api/methods-supported-rest-api#id8f0d57ab-ff2b-482a-913f-eb4f84525803

Thanks,

Tom

Re: Add or remove application in a security rule

ssovee — Tue, 03 Oct 2023 05:08:47 GMT

Hi TomYoung,

Thanks for the reply. It is very helpful. Add & Edit works for me. But delete didn't. Here below is the status of that.

[root@ansible-manager-stg ~]# curl -k -X GET "https: //10.10.10.10/api/?key=LUFRPT16Rzg0ek03S3NINWZEanBPTFZmVFg0SFcyNWc9..........xdUUvenoyK0RkbTZOQ05Ga3dOTlFUMg==&type=config&action=delete&xpath=/config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='GP']/pre-rulebase/security/rules/entry[@name='Dcup']/application/member[text()='zoom']"
curl: (3) bad range in URL position 291:
https: //10.10.10.10/api/?key=LUFRPT16Rzg0ek03S3NINWZEanBPTFZmVFg0SFcyNWc9..........xdUUvenoyK0RkbTZOQ05Ga3dOTlFUMg==&type=config&action=delete&xpath=/config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='GP']/pre-rulebase/security/rules/entry[@name='Dcup']/application/member[text()='zoom']

Re: Add or remove application in a security rule

TomYoung — Tue, 03 Oct 2023 05:13:25 GMT

Hi @ssovee ,

I do not see the ] at the end of your delete URL. Is it missing? I promise I tested the delete syntax above.

Also, you should change your API key since you have posted it on this forum. 😊

Thanks,

Tom

Re: Add or remove application in a security rule

ssovee — Tue, 03 Oct 2023 07:46:07 GMT

Hi TomYoung

Could you please give me the exact delete URL based on my given URL. Somehow I do not understand about missing ].

Re: Add or remove application in a security rule

TomYoung — Wed, 04 Oct 2023 13:43:55 GMT

Hi @ssovee ,

Sorry! I have been busy. You should be able to get the exact URL from your API browser on Panorama and then add the /member[text()='zoom'] part to the end. In order for a successful delete, the App-ID zoom will need to be in the rule.

Thanks,

Tom

Re: Add or remove application in a security rule

gmurugan — Tue, 12 Dec 2023 20:22:30 GMT

action=delete with the following syntax is not working for me

https://firewall/api/?type=config&action=delete&key=key&xpath=/config/shared/pre-rulebase/security/rules/entry[@name='45205-XXDOE-77787']/service/member[text()='service-https']

throwing the following error

<msg>

<line>

<![CDATA[ shared -> pre-rulebase -> security -> rules -> 45205-XXDOE-77787 -> service is invalid. Missing service value ]]>

</line>

</msg>

</response>