RESTAPI call for Dynamic Address Group members

T_Hoedemaekers — Thu, 29 Feb 2024 16:55:15 GMT

For one of my automation use-cases I need to check what IP's are a member of a Dynamic Address Group, this list:

I haven't found an API request that results in this data. I know I will be able to grab the data from cli but ssh'ing into panorama is a solution I try to avoid.

Using /restapi/v10.2/Objects/AddressGroups I receive the filter as output, not the membership:

                "@name": "ACI-TEST_Monitoring_Monitoring1",
                "@location": "device-group",
                "@device-group": "**",
                "@loc": "**",
                "dynamic": {
                    "filter": "'**.tn_TEST.ap_Monitoring.epg_Monitoring1'"
                }

Am I missing something? Is there a way to get this data via the rest API?
And if not, is there a way to request this as a feature in a future panorama release?

Re: RESTAPI call for Dynamic Address Group members

T_Hoedemaekers — Tue, 05 Mar 2024 09:46:21 GMT

I have implemented a workaround solution by monitoring the ip tag logs using the XML api.
I'm dumping my code here, this can be used as a starting point for your own use-case.

I am still interested in having a way to monitor DAG members directly using the REST API. This way is, in my opinion, not elegant.

import requests, re, datetime, xmltodict, time pa_user = 'username' pa_password = 'password' panorama_url = 'panorama.domain' pan_base_url = 'https://' + panorama_url def generate_pa_key(fwl_dns=panorama_url): response = requests.get( 'https://{0}/api/?type=keygen&user={1}&password={2}'.format(fwl_dns, pa_user, pa_password), verify=False) result = re.findall("<key>.*</key>", response.text) key = result[0][5:-6] return key def panorama_get(key, sub_url): header = {'X-PAN-Key': "{}".format(key)} return requests.get(pan_base_url+sub_url, headers=header) def get_ip_tag_logs(): #generate panoramakey key = generate_pa_key(panorama_url) #generate correct time for query current_time = datetime.datetime.now() new_time = current_time - datetime.timedelta(minutes=9) formatted_time = new_time.strftime("%Y/%m/%d %H:%M:%S") #query on ip of monitoring VM, for firewall device-name query = "(ip in '10.10.10.10') and (device_name eq 'device-name') and (time_generated geq '{}') and (vsys eq 'vsys5')".format(formatted_time).replace(' ','%20') sub_url = 'api?type=log&log-type=iptag&query=' + query result = panorama_get(key, sub_url) if result.status_code != 200: #failure_reason = 'error: query job generation failed. {0}. {1}'.format(result,result.text) #add_failure(failure_reason) return False if result.status_code == 200: job_id_dict = xmltodict.parse(result.text) job_id = job_id_dict['response']['result']['job'] sub_url = '/api?type=log&action=get&job-id={}'.format(job_id) result = panorama_get(key,sub_url) #stop unending loops while_count = 0 while result.status_code == 200: while_count += 1 if while_count > 5: #add_failure('querying for logs took too long') break if xmltodict.parse(result.text)['response']['result']['job']['status'] != 'FIN': time.sleep(10) result = panorama_get(key,sub_url) elif xmltodict.parse(result.text)['response']['result']['job']['status'] == 'FIN': return xmltodict.parse(result.text)['response']['result']['log']['logs'] else: return -1

topic Re: RESTAPI call for Dynamic Address Group members in Panorama Discussions

RESTAPI call for Dynamic Address Group members

Re: RESTAPI call for Dynamic Address Group members