topic Re: XML API config action 'set' in Automation/API Discussions

XML API config action 'set'

BPry — Tue, 22 Nov 2016 19:57:50 GMT

Okay, I still can't figure this guy out. All the other commands work perfectly fine but as soon as I try to 'set' a new rule I get an error saying that it's malformed. I've looked through all of the documentation that I can find but nothing will get the request to come across properly

https://10.191.136.7/api/?type=config&action=set&key=key&xpath=/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/rulebase/security/rules/entry[@name='Test-API']&element=<source><member>10.191.135.66</member></source><destination><member>8.8.8.8</member></destination><service><member>any</member></service><application><member>any</member></application><action>allow</action><source-user><member>any</member></source-user><option><disable-server-response-inspection>no</disable-server-response-inspection></option><negate-source>no</negate-source><negatedestination>no</negate-destination><disabled>yes</disabled><log-start>no</log-start><logend>yes</log-end><description>Testing</description><from><member>inside</member></from><to><member>outside</member></to>

Re: XML API config action 'set'

btorresgil — Wed, 23 Nov 2016 02:50:25 GMT

There are two things to change:

1. There is a hiphen missing from two of your elements: logend should be log-end, and negatedestination should be negate-destination

2. I recommend to always give your 'element' parameter a root element. So rather than start with <source> and end with </to>, you should start with <entry name='Test-API'> and end with </entry>. That way the beginning and end of the tags match. Of course, this means removing '/entry[@name='Test-API'] from the end of your xpath.

In summary, this API call should work for you:

https://10.191.136.7/api/?type=config&action=set&key=key&xpath=/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/rulebase/security/rules&element=<entry name='Test-API'><source><member>10.191.135.66</member></source><destination><member>8.8.8.8</member></destination><service><member>any</member></service><application><member>any</member></application><action>allow</action><source-user><member>any</member></source-user><option><disable-server-response-inspection>no</disable-server-response-inspection></option><negate-source>no</negate-source><negate-destination>no</negate-destination><disabled>yes</disabled><log-start>no</log-start><log-end>yes</log-end><description>Testing</description><from><member>inside</member></from><to><member>outside</member></to></entry>

If you're using python, you might consider using pan-python or Palo Alto Networks Device Framework to craft your API calls to eliminate these pesky XML/Xpath issues. For example, here's how you would make the same API call using the Device Framework in python:

from pandevice import firewall, policies

fw = firewall.Firewall('10.191.136.7', 'admin', 'yourpassword')

rulebase = fw.add(policies.Rulebase())

rule1 = policies.SecurityRule('Test-API',
                              source='10.181.135.66',
                              destination='8.8.8.8',
                              fromzone='inside',
                              tozone='outside',
                              action='allow',
                              description='testing')
rulebase.add(rule1)
rule1.create()

In this example, you don't need to mess with XML or XPaths to create the security rule. More information about the Palo Alto Networks Device Framework is availabe here:

Documentation

http://pandevice.readthedocs.io/en/latest/readme.html

Presentation

http://paloaltonetworks.github.io/pandevice/

Re: XML API config action 'set'

BPry — Wed, 23 Nov 2016 13:55:20 GMT

Thanks, I'll have to look into pandevice more. I keep hearing that it's really nice and easier to use.