topic How to delete a firewall user name from the security rule set using the XML API ??? in Automation/API Discussions

How to delete a firewall user name from the security rule set using the XML API ???

Robert-Wilmes — Mon, 19 Oct 2015 20:58:48 GMT

I need help with the XMP API to delete a firewall user from a security rule set.

I'm getting an XPath error code = 3 (internal API error) from the following scenario

When I do a config command with action = show, I get a XML structure like this:

<rules>

<action>allow</action>

<source-user>

</source-user>

<from>

<member>L1-trusted</member>

</from>

.... lots of xml stuff ...

</entry>

.... more xml stuff ...

</entry>

</rules>

</security>

</result>

when I issue the following XPATH command:

<...preamble http stuff...>&action=edit&xpath=/config/devices/entry/vsys/entry/rulesbase/security/rules[@name='My-Big-Fat-FW-Rules']/source-user/member[@name='xyz\123456']&element=<member name='xya\10203040'/>"

the API returns

<response status="error" code="3"><msg><line>Could not get schema node for xpath /config/devices/entry/vsys/entry/rulesbase/security/rules[@name='My-Big-Fat-FW-Rules']/source-user/member[@name='xyz\123456']</line></msg></response>

The XML API guide says response code=3 is an internal API error.

My question:

Is the above XPATH statement the right syntax to navigate to rename the user 'xyz\123456' to 'xyz\10203040' ?

My second question is:

Can the Xpath edit action be used to remove the rule by editing 'xyz\123456' to '' ?

My third question is:

Since I want to delete this user from this rule, will the above XPATH syntax work with a config request and action=delete ?

My final question concerns commit locks:

Is it necessary for me to do a get on the commit-locks and issue an API commit to make the changes take effect ?

Is there a sequence diagram of the message flows for this ?

Thanks for your help!!!

Re: How to delete a firewall user name from the security rule set using the XML API ???

fcasido — Wed, 21 Oct 2015 20:04:00 GMT

I can comment on editting. The delete action was answered in your other post.

If you want to edit a member object, then you need to reference the original member object with member[text()='<value>'] and then use the element parameter for the modified member object value: element=<xml code>

You were pretty close.

For example using curl if the original member is xyz\123456 and you want to change it to xya\10203040

$ curl -k "https://<fw ip>/api/?type=config&action=edit&xpath=/config/devices/entry\[@name='localhost.localdomain'\]/vsys/entry\[@name='<vsys name>'\]/rulebase/security/rules/entry\[@name='<rulename>'\]/source-user/member\[text()='xyz\123456'\]&element=<member>xya\10203040</member>&key=<API-KEY>"

<response status="success" code="20"><msg>command succeeded</msg></response>

Re: How to delete a firewall user name from the security rule set using the XML API ???

miclark1 — Fri, 11 Dec 2015 16:18:26 GMT

Here is an example on how to delete a something from a rule. If this is truly a user in the rule, you could add this <source-user>user1</source-user>

curl --globoff -k "https://x.x.x.x/api/?type=config&action=delete&key=$KEY&xpath=/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/rulebase/security/rules/entry[@name='allowany']&element=<to><member>any</member></to><from><member>any</member></from><source><member>API-3</member></source><destination><member>API-1</member></destination><application><member>any</member></application><service><member>any</member></service><action>allow</action><log-start>yes</log-start>"

Michael Clark

Palo Alto Networks