https://live.paloaltonetworks.com/t5/automation-api-discussions/show-local-device-policies/m-p/189199#M1512 <P>Ended up realizing my own fail - was using the URL for panorama and not the device I wanted to target (d'oh!)</P><P>&nbsp;</P><P>For anyone seeing this later, here's a Powershell function I wrote to pull the information I was after:</P><P>Function Get-LocalDeviceSecurityPolicies($DeviceIP)<BR />{<BR />$response = Invoke-RestMethod "https://$DeviceIP/api/?key=$apiKey&amp;type=config&amp;action=get&amp;xpath=/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/rulebase/security"<BR />return $response.response.result.security.rules.entry<BR />}</P> Wed, 29 Nov 2017 20:35:21 GMT f1r3withf1r3 2017-11-29T20:35:21Z https://live.paloaltonetworks.com/t5/automation-api-discussions/show-local-device-policies/m-p/189120#M1508 <P>Hi all,</P><P>&nbsp;</P><P>I'm searching through the API browser on my PAN-OS 8 instance, and wondering where the syntax exists for exploring/getting the local policies per-physical device.</P><P>&nbsp;</P><P>Or for clarity's sake - what API endpoint would return all of the local device's security policies. I am using some from Panorama globally, and cleaning up local security policies.</P><P>&nbsp;</P><P>Not asking for someone to write a query for me, just point me to the right place in the API, please.</P><P>&nbsp;</P><P>Any help appreciated!</P><P>&nbsp;</P><P>&nbsp;</P> Wed, 29 Nov 2017 14:08:41 GMT https://live.paloaltonetworks.com/t5/automation-api-discussions/show-local-device-policies/m-p/189120#M1508 f1r3withf1r3 2017-11-29T14:08:41Z https://live.paloaltonetworks.com/t5/automation-api-discussions/show-local-device-policies/m-p/189164#M1509 <P class="p1"><SPAN class="s1">Policies on firewalls are located in `rulebase` under the vsys (for vsys1 below):</SPAN></P> <P class="p1">&nbsp;</P> <P class="p1"><SPAN class="s1">/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/rulebase</SPAN></P> <P class="p1">&nbsp;</P> <P class="p1"><SPAN class="s1">Policies on panorama are split between `pre-rulebase` and `post-rulebase` (for device group `Some group` below):</SPAN></P> <P class="p1">&nbsp;</P> <P class="p1"><SPAN class="s1">/config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='Some group']/pre-rulebase</SPAN></P> <P class="p1"><SPAN class="s1">/config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='Some group']/post-rulebase</SPAN></P> Wed, 29 Nov 2017 16:58:23 GMT https://live.paloaltonetworks.com/t5/automation-api-discussions/show-local-device-policies/m-p/189164#M1509 gfreeman 2017-11-29T16:58:23Z https://live.paloaltonetworks.com/t5/automation-api-discussions/show-local-device-policies/m-p/189172#M1510 <P>Awesome, thanks so much <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/46544">@gfreeman</a>!</P> Wed, 29 Nov 2017 18:13:52 GMT https://live.paloaltonetworks.com/t5/automation-api-discussions/show-local-device-policies/m-p/189172#M1510 f1r3withf1r3 2017-11-29T18:13:52Z https://live.paloaltonetworks.com/t5/automation-api-discussions/show-local-device-policies/m-p/189173#M1511 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/46544">@gfreeman</a>, if I enter:</P><P>&nbsp;</P><P><SPAN>/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/rulebase</SPAN></P><P><SPAN>&nbsp;</SPAN></P><P><SPAN>into the XPath search in the API browser, I get a 403 response of:</SPAN></P><P>&nbsp;</P><P><STRONG>panCmsHandleDeviceContextReq: getRemoteContent() got response code 403</STRONG></P><P>&nbsp;</P><P>and same response if I try and submit:</P><P>&nbsp;</P><P>/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='nameofmyfirewall']/rulebase</P><P>&nbsp;</P><P>I'm a super user on my Panorama instance, and have 1 vsys in it, so not sure why that query when hitting submit isn't working.</P><P>&nbsp;</P><P>Halps?</P> Wed, 29 Nov 2017 18:46:42 GMT https://live.paloaltonetworks.com/t5/automation-api-discussions/show-local-device-policies/m-p/189173#M1511 f1r3withf1r3 2017-11-29T18:46:42Z https://live.paloaltonetworks.com/t5/automation-api-discussions/show-local-device-policies/m-p/189199#M1512 <P>Ended up realizing my own fail - was using the URL for panorama and not the device I wanted to target (d'oh!)</P><P>&nbsp;</P><P>For anyone seeing this later, here's a Powershell function I wrote to pull the information I was after:</P><P>Function Get-LocalDeviceSecurityPolicies($DeviceIP)<BR />{<BR />$response = Invoke-RestMethod "https://$DeviceIP/api/?key=$apiKey&amp;type=config&amp;action=get&amp;xpath=/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/rulebase/security"<BR />return $response.response.result.security.rules.entry<BR />}</P> Wed, 29 Nov 2017 20:35:21 GMT https://live.paloaltonetworks.com/t5/automation-api-discussions/show-local-device-policies/m-p/189199#M1512 f1r3withf1r3 2017-11-29T20:35:21Z