topic Re: API - Security Rule Syntax in Automation/API Discussions

API - Security Rule Syntax

f1r3withf1r3 — Tue, 05 Dec 2017 16:46:02 GMT

Version: PAN-OS 8

Hi all,

I am attempting to create new security rules in Panorama, but keep getting a response that says a schema node cannot be found

I have the following code in a PS function, where $Name is my intended rule name, and $DeviceAddress is my Panorama address

"Invoke-RestMethod "https://$DeviceAddress/api/?type=config&action=set&key=$apiKey&xpath=/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/rulebase/security/rules/entry[@name='$Name']&element=$script:requestXML" -Method Post"

Could not find schema node for xpath /config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/rulebase/security/rules/entry[@name='MY Arbitrary Rule Name']

Can someone clarify what is incorrect about the XPath, please?

Re: API - Security Rule Syntax

gfreeman — Tue, 05 Dec 2017 17:49:11 GMT

Your xpath is wrong. If you're doing a `set`, you need to specify the node one above what you're actually setting. For `edit` and `delete` you specify the node itself.

In your case, since you're trying to `set`, your xpath should actually be this:

`/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/rulebase/security/rules`

Re: API - Security Rule Syntax

f1r3withf1r3 — Tue, 05 Dec 2017 17:56:30 GMT

@gfreeman,

So how does one specify a rule name in the xpath?

If I run

"$query = Invoke-RestMethod "https://$DeviceAddress/api/?type=config&action=set&key=$apiKey&xpath=config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/rulebase/security/rules" -Method Post"

I get an Unauthorized request as the response

Re: API - Security Rule Syntax

gfreeman — Tue, 05 Dec 2017 17:57:44 GMT

The rule name should be in the XML document that you're posting, which could look something like this:

<rule-type>universal</rule-type>

<negate-source>no</negate-source>

<source-user><member>any</member></source-user>

<hip-profiles><member>any</member></hip-profiles>

<negate-destination>no</negate-destination>

<service><member>application-default</member></service>

<action>allow</action>

<log-start>no</log-start>

<log-end>yes</log-end>

<icmp-unreachable>no</icmp-unreachable>

</entry>

Re: API - Security Rule Syntax

f1r3withf1r3 — Tue, 05 Dec 2017 19:52:05 GMT

Thanks @gfreeman

So far, I think I've figured out the proper way to pass an xml document in Powershell, but still get an Unauthorized Request response.

Is a rule-type required in the XML object?

Or rather, what fields are required in order to POST?

Re: API - Security Rule Syntax

gfreeman — Tue, 05 Dec 2017 19:56:09 GMT

The rule-type seems to be optional, but I've always specified it.

However, that error you're getting has to do with the user you're using to do these operations. Looks like it needs more permissions to create the security rule:

https://www.paloaltonetworks.com/documentation/71/pan-os/xml-api/pan-os-xml-api-error-codes