topic Re: Security rules via API with two vsys in Automation/API Discussions

Security rules via API with two vsys

turturici — Thu, 02 Nov 2017 12:38:54 GMT

Hello!

This morning started with me pulling my hair out...just like yesterday ended. So, here I am. I want to query our Palo Alto firewall via the API to show me security rules...not a big deal. However, the device as two vsys's (or however you write that), and the API query only revealed one security policy, which I know is not right. I've been using the API GUI to poke around, but I keep getting the same results:

/config/devices/entry[@name=<thingy>]/vsys/entry[@name='vsys1']/rulebase/security

Gives me:

response status="success" code="19">
<result total-count="1" count="1">
<security>
<rules>

blah blah blah

I know this can't be right. I've checked the other vsys via this query and it has ZERO results, which is also wrong. Is this, perhaps, a permissions issue? Or, is the way our device is split in to two vsys's causing the problem?

Of very interesting note: I exported the running config directly from this device and got the same results! Only one security policy shows up under vsys1 and ZERO are in vsys2? I don't understand...

Re: Security rules via API with two vsys

nigelswift — Thu, 02 Nov 2017 12:50:25 GMT

Are the ones in question Panorama pushed configuration or local configuration? What code branch and model are you dealing with?

Re: Security rules via API with two vsys

turturici — Thu, 02 Nov 2017 12:53:10 GMT

Sorry...I committed the cardinal sin. Here's what we're working with:

All configs are pushed via Panorama.

Panorama and the device in question are both on 7.1.12. I should be looking at the API in Panorama, shouldn't I?

Re: Security rules via API with two vsys

nigelswift — Thu, 02 Nov 2017 13:23:11 GMT

Exactly. It only shows local configuration where you're looking. Alternatively, you can do type=op and cmd=<show><running><security-policy></security-policy></running></show> which should return all the ones in effect if that's what you're after.

Re: Security rules via API with two vsys

turturici — Thu, 02 Nov 2017 13:48:41 GMT

Got it...thx.

Any luck calling an API key via PowerShell instead of embedding it in the request? I wonder if Palo Alto's API can't accept additional headers? I can't seem to find this information anywhere. If I embed my API key in my GET request, I auth successfully. When I call the API key using the "-headers" function in PowerShell, no worky. Thoughts? I know this is a separate concept, but I'm grasping at straws here.