topic Re: Retrieving Security and NAT rules through API in Automation/API Discussions

Retrieving Security and NAT rules through API

f1r3withf1r3 — Thu, 19 Oct 2017 20:22:00 GMT

Hi all,

So far I've been able to sort out and match various device group objects according to my needs.

Now I'm trying to find in the API where I can retrieve information on Security and NAT rules so I can view attributes.

My goal is to see what sub-tags are available in the schema for those objects so I can discover via a script I'll write which of my objects are utilizing security rules.

The API browser shows "<show><rule-use><type>used</type></rule-use></show>" as an option, but when attempting to submit it states that rule-base is required. I added that tag into the query, then got a message saying device-group is required.

So, I added that as well along with my intended device group name, but then got the following as output:

<response status="success" code="19">
<result>
<msg>
<line>query job enqueued with jobid 222269</line>
</msg>
<job>222269</job>
</result>
</response>

Not really the information I'm after. If anyone knows the appropriate way to view what security rules are applied to device groups (or perhaps what device groups have security rules associated with them), or simply suggest a way to get more information on security or NAT rules, I'd be very grateful.

Cheers

Re: Retrieving Security and NAT rules through API

nigelswift — Thu, 19 Oct 2017 20:47:51 GMT

I think I understand what you're saying, but just to be clear:

this is in reference to the Panorama API?
what information are you trying to gather as far as the security policies is concerned, and what are you using to identify them? Tags? Just the rule name?

Re: Retrieving Security and NAT rules through API

f1r3withf1r3 — Thu, 19 Oct 2017 22:22:16 GMT

Yes, this is in reference to the panorama API.
Right now I am just trying to find out what information is available in a valid response'schema so I can see what data I can sort, etc. with my scripts.

Basically I am doing some scripting to assist another engineer. I'm new to the Palo world but have been a coder for some time.

Re: Retrieving Security and NAT rules through API

nigelswift — Fri, 20 Oct 2017 13:13:02 GMT

I would recommend looking at the API browser and see what the call returns to write your logic. There is some variance between PAN-OS versions so without specifically what you're trying to look into it would be hard to assess one way or the other.

Re: Retrieving Security and NAT rules through API

rodvand — Sat, 21 Oct 2017 15:29:25 GMT

Hi,

The query you are performing is to look at which rules have been used on the firewall since last reboot, not to query for the rules configured. I use this function to look for unused rules on our firewalls.

To get the rules for a firewall in Panorama I have used the following xpath:

?type=op&cmd=<show><config><running><xpath>devices/entry/device-group/entry[@name="DEVICEGROUP"]/post-rulebase/security</xpath></running></config></show>

Of course, adjust the post/pre-rulebase and security/nat as you see fit.

Hope that helps!