<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Using API to update Permitted IP Addresses list in Panorama Discussions</title>
    <link>https://live.paloaltonetworks.com/t5/panorama-discussions/using-api-to-update-permitted-ip-addresses-list/m-p/589639#M2383</link>
    <description>&lt;P&gt;We use the Permitted IP Addresses list (Panorama&amp;gt;Setup&amp;gt;Interfaces) to restrict access to Panorama to our public IPs. The problem we run into is that some of our devices use cellular as backup (new public IP every two days) or worse--Starlink (who change your public IP several times per day).&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Since this list only uses IP, not DNS, I can't just use dynamic DNS entries. My solution is to update the list manually every time I need to push a config. I'd like to use a script that makes API calls, but I can't find any documentation for the API calls that get to anything in the Panorama&amp;gt;Setup area. Any idea where these commands might be hiding? Or is the API limited to only select commands? Maybe I need to just script accessing the CLI and editing it there, but I'm not sure I've seen those commands either...&lt;/P&gt;</description>
    <pubDate>Fri, 14 Jun 2024 18:38:48 GMT</pubDate>
    <dc:creator>JDBailey</dc:creator>
    <dc:date>2024-06-14T18:38:48Z</dc:date>
    <item>
      <title>Using API to update Permitted IP Addresses list</title>
      <link>https://live.paloaltonetworks.com/t5/panorama-discussions/using-api-to-update-permitted-ip-addresses-list/m-p/589639#M2383</link>
      <description>&lt;P&gt;We use the Permitted IP Addresses list (Panorama&amp;gt;Setup&amp;gt;Interfaces) to restrict access to Panorama to our public IPs. The problem we run into is that some of our devices use cellular as backup (new public IP every two days) or worse--Starlink (who change your public IP several times per day).&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Since this list only uses IP, not DNS, I can't just use dynamic DNS entries. My solution is to update the list manually every time I need to push a config. I'd like to use a script that makes API calls, but I can't find any documentation for the API calls that get to anything in the Panorama&amp;gt;Setup area. Any idea where these commands might be hiding? Or is the API limited to only select commands? Maybe I need to just script accessing the CLI and editing it there, but I'm not sure I've seen those commands either...&lt;/P&gt;</description>
      <pubDate>Fri, 14 Jun 2024 18:38:48 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/panorama-discussions/using-api-to-update-permitted-ip-addresses-list/m-p/589639#M2383</guid>
      <dc:creator>JDBailey</dc:creator>
      <dc:date>2024-06-14T18:38:48Z</dc:date>
    </item>
    <item>
      <title>Re: Using API to update Permitted IP Addresses list</title>
      <link>https://live.paloaltonetworks.com/t5/panorama-discussions/using-api-to-update-permitted-ip-addresses-list/m-p/589643#M2384</link>
      <description>&lt;P&gt;Hi &lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/285573"&gt;@JDBailey&lt;/a&gt; ,&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;The XPath you are looking for is shown below.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;LI-CODE lang="markup"&gt;/api/?type=config&amp;amp;action=get&amp;amp;xpath=/config/devices/entry[@name='localhost.localdomain']/deviceconfig/system/permitted-ip/entry[@name='172.16.0.0/12']&lt;/LI-CODE&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;That example adds 172.16.0.0/12 with no description to the Permitted IP Addresses of the Panorama management interface.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;There are a few ways to find an XML Path.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;OL&gt;
&lt;LI&gt;Dig through the API browser.&amp;nbsp; &lt;A href="https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-panorama-api/get-started-with-the-pan-os-xml-api/explore-the-api/use-the-api-browser" target="_blank"&gt;https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-panorama-api/get-started-with-the-pan-os-xml-api/explore-the-api/use-the-api-browser&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;Use the CLI.&amp;nbsp; &lt;A href="https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-panorama-api/get-started-with-the-pan-os-xml-api/explore-the-api/use-the-cli-to-find-xml-api-syntax" target="_blank"&gt;https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-panorama-api/get-started-with-the-pan-os-xml-api/explore-the-api/use-the-cli-to-find-xml-api-syntax&lt;/A&gt;&amp;nbsp; This one is very cool.&amp;nbsp; Remember that the API and CLI are very similar.&lt;/LI&gt;
&lt;LI&gt;If you have no idea where it is in the CLI, configure it in the GUI with a unique description and type 'show | match &amp;lt;unique-description&amp;gt;' in configuration mode.&amp;nbsp; Make sure to type 'set cli config-output-format set' in operational mode 1st.&lt;/LI&gt;
&lt;LI&gt;With practice, get used to the XML tree the same as you did CLI commands.&amp;nbsp; &lt;A href="https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-cli-quick-start/use-the-cli/load-configurations/load-a-partial-configuration/xpath-location-formats-determined-by-device-configuration" target="_blank"&gt;https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-cli-quick-start/use-the-cli/load-configurations/load-a-partial-configuration/xpath-location-formats-determined-by-device-configuration&lt;/A&gt;&lt;/LI&gt;
&lt;/OL&gt;
&lt;P&gt;Thanks,&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Tom&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;PS The CLI command is 'set deviceconfig system permitted-ip 172.16.0.0/12'.&lt;/P&gt;</description>
      <pubDate>Fri, 14 Jun 2024 21:30:16 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/panorama-discussions/using-api-to-update-permitted-ip-addresses-list/m-p/589643#M2384</guid>
      <dc:creator>TomYoung</dc:creator>
      <dc:date>2024-06-14T21:30:16Z</dc:date>
    </item>
    <item>
      <title>Re: Using API to update Permitted IP Addresses list</title>
      <link>https://live.paloaltonetworks.com/t5/panorama-discussions/using-api-to-update-permitted-ip-addresses-list/m-p/589645#M2385</link>
      <description>&lt;P&gt;Thank you! I've been looking for this for years, but every time I start my search some network emergency pulls me away. I'll give it a test and if it works, I'll accept the solution. Wasn't expecting a reply this week, honestly. You've made my week!&lt;/P&gt;</description>
      <pubDate>Fri, 14 Jun 2024 21:33:47 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/panorama-discussions/using-api-to-update-permitted-ip-addresses-list/m-p/589645#M2385</guid>
      <dc:creator>JDBailey</dc:creator>
      <dc:date>2024-06-14T21:33:47Z</dc:date>
    </item>
    <item>
      <title>Re: Using API to update Permitted IP Addresses list</title>
      <link>https://live.paloaltonetworks.com/t5/panorama-discussions/using-api-to-update-permitted-ip-addresses-list/m-p/590113#M2388</link>
      <description>&lt;P&gt;TomYoung's advice helped me find exactly what I was looking for at this time as well as helping me see how to use the debugger to figure out x-path for other things I'm trying to do. I was surprised at how well ChatGPT did at writing clean Python code to do what I wanted. I just had to tweak my prompt a few times. The following prompt yielded the code below (I commented out the place where I fixed how to access a particular piece of data) that will retrieve the allowed IPs into a Python dict.&lt;/P&gt;
&lt;P class="lia-indent-padding-left-30px"&gt;create a python script that will retrieve the xml data from panorama x-path /config/devices/entry[@name="localhost.localdomain"]/deviceconfig/system/permitted-ip using an api key for authentication and convert it to a dictionary keyed off of description&lt;/P&gt;
&lt;LI-CODE lang="python"&gt;import requests
import xml.etree.ElementTree as ET

############# Start Unique Values ###############
# Panorama API endpoint for retrieving permitted IPs
panorama_url = 'https://my.panarama.url/api/'

# API key for authentication
api_key = 'myApiKey'
#############  End Unique Values  ###############


# Parameters for the API request
params = {
    'type': 'config',
    'action': 'get',
    'key': api_key,
    'xpath': '/config/devices/entry[@name="localhost.localdomain"]/deviceconfig/system/permitted-ip'
}

def retrieve_xml_data():
    try:
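        # Make the API request to Panorama.
        # verify=False skips TLS certificate validation, so the API key can be
        # intercepted; set verify=True (or a CA bundle path) outside of testing.
        response = requests.get(panorama_url, params=params, verify=False)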

        if response.status_code == 200:
            # Parse the XML response
            root = ET.fromstring(response.text)
            
            # Initialize dictionary to store permitted IPs keyed off of 'description'
            permitted_ips = {}

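            # Iterate over the &amp;lt;entry&amp;gt; elements under &amp;lt;permitted-ip&amp;gt;
            for entry in root.findall('.//entry'):
                # The entry's name attribute holds the permitted IP/CIDR
                ip_address = entry.attrib["name"] # entry.find('address').text.strip()
                # &amp;lt;description&amp;gt; is optional; fall back to the address as the key
                desc_el = entry.find('description')
                has_text = desc_el is not None and desc_el.text
                description = desc_el.text.strip() if has_text else ip_address
                permitted_ips[description] = ip_address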

            return permitted_ips

        else:
            print(f"Failed to retrieve XML data. Status code: {response.status_code}")
            return None

    except requests.exceptions.RequestException as e:
        print(f"An error occurred: {e}")
        return None

# Example usage:
if __name__ == "__main__":
    xml_data_dict = retrieve_xml_data()
    if xml_data_dict is not None:  # an empty list is still a successful retrieval
        print("Permitted IPs:")
        for description, ip_address in xml_data_dict.items():
            print(f"{description}: {ip_address}")
    else:
        print("Failed to retrieve XML data.")&lt;/LI-CODE&gt;</description>
      <pubDate>Fri, 21 Jun 2024 20:08:58 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/panorama-discussions/using-api-to-update-permitted-ip-addresses-list/m-p/590113#M2388</guid>
      <dc:creator>JDBailey</dc:creator>
      <dc:date>2024-06-21T20:08:58Z</dc:date>
    </item>
    <item>
      <title>Re: Using API to update Permitted IP Addresses list</title>
      <link>https://live.paloaltonetworks.com/t5/panorama-discussions/using-api-to-update-permitted-ip-addresses-list/m-p/590114#M2389</link>
      <description>&lt;P&gt;That rocks!&lt;/P&gt;</description>
      <pubDate>Fri, 21 Jun 2024 20:12:42 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/panorama-discussions/using-api-to-update-permitted-ip-addresses-list/m-p/590114#M2389</guid>
      <dc:creator>TomYoung</dc:creator>
      <dc:date>2024-06-21T20:12:42Z</dc:date>
    </item>
  </channel>
</rss>

