Dynamic Tags via XML API with CIDR Range

hallerr — Tue, 16 Jan 2018 15:44:03 GMT

So the problem I'm running into is that its simple to interact with the XML API, but its not always so easy to figure out where the commands are or how they should be formatted. You guys should really consider some OpenAPI 3 style documentation.

We have a tag associated with policy that when I tag an API it applies the policy to the address being tagged. Its worked great one IP at a time, but for this use case I need to be able to tag CIDR or at very least address range.

So the (python) payload looks like this:

payload = { 'type': 'user-id', 'vsys': 'vsys1', 'cmd':'<uid-message> <version>1.0</version> <type>update</type> <payload> <register> <entry ip="192.168.1.1"> <tag> <member>Development</member> </tag> </entry> </register> </payload> </uid-message>', 'key': apikey}

and iut works great for single targeted IP addresses, but it wont take CIDR with the entry IP xml tag. It was suggested I try using the debug console to find the specific XML that the web console uses and I found it, but its doing it completely differently from the documentation and the method its using is undocumented.

<request cmd='op' cookie='######' vsys='vsys1' target-vsys='vsys1'>
<operations xml='yes'><set><user-id><data><![CDATA[<uid-message> <version>1.0</version> 
<type>update</type> <payload> <register> <ip-netmask>1.1.1.1/24</ip-netmask> 
<tag> <member>Development</member> </tag> </entry> </register> </payload> </uid-message>
]]></data></user-id></set></operations></request>

Im not positive how that equates to the working payload, but I tried a few iterations and it never seemed to be happy. I DID get the system to think it accepted the CIDR IP when I used this formatting

'<uid-message> <version>1.0</version> <type>update</type> <payload> <register> <entry ip-netmask="192.168.5.112/31"> <tag> <member>SOCDevelopment</member> </tag> </entry> </register> </payload> </uid-message>'

but then it was super confused in the CLI, reporting the IP address as just " :: # "

>show object registered-ip tag SOCDevelopment

registered IP Tags
:: #
"Development"
Total: 1 registered addresses

Thoughts or ideas would be great 🙂

Re: Dynamic Tags via XML API with CIDR Range

hallerr — Tue, 16 Jan 2018 16:53:31 GMT

https://live.paloaltonetworks.com/t5/Featured-Articles/Tips-amp-Tricks-API-configuration/ta-p/72917

this is helping a lot, pretty sure im getting closer to the right command/xml set

topic Dynamic Tags via XML API with CIDR Range in Automation/API Discussions

Dynamic Tags via XML API with CIDR Range

Re: Dynamic Tags via XML API with CIDR Range