topic Re: Palo Alto REST API - test security-policy-match in Automation/API Discussions

Palo Alto REST API - test security-policy-match

LarsRugaard — Fri, 21 Oct 2016 12:28:23 GMT

Hello,

I have been trying using the command "test security-policy-match" with REST API. I do get a proper response, but i'm missing some valuable information.

From the CLI i get the following response:
admin@KAS-PaloAlto> test security-policy-match from KAS- zone-1 to KAS-zone-2 source 10.1.1.25 destination 10.2.2.25 protocol 1

Ping {
from KAS-zone-1;
source 10.1.1.25;
source-region none;
to KAS-zone-2;
destination 10.2.2.25;
destination-region none;
user any;
category any;
application/service any/any/any/any;
action allow;
icmp-unreachable: no
terminal yes;
}

When i use the following API:

https://x.x.x.x//api/?type=op&cmd=<test><security-policy-match><from>KAS-zone-1</from><to>KAS-zone-2</to><source>10.1.1.25</source><destination>10.2.2.25</destination><protocol>1</protocol></security-policy-match></test>&key=my.key

I get the following response:

<response cmd="status" status="success">
<result>
<rules>
<entry>Ping</entry>
</rules>
</result>
</response>

As you see i dont get the information within the brackets, like in the CLI.

Any suggestions?

Re: Palo Alto REST API - test security-policy-match

btorresgil — Tue, 25 Oct 2016 02:33:04 GMT

That additional data in brackets represets the configuration of the security rule. It is pulled via a seperate API call and displayed on the CLI, but when using the API you have to make that API call yourself. For example, this would pull the same information about the rule:

https://x.x.x.x/api/?type=config&action=show&xpath=/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/rulebase/security/rules/entry[@name='Ping']

Response:

<response status="success" code="19">
<result total-count="1" count="1">
<entry name="Ping">
  <from>
    <member>Trust</member>
  </from>
  <to>
    <member>Internet</member>
  </to>
  <source>
    <member>any</member>
  </source>
  <destination>
    <member>any</member>
  </destination>
  <source-user>
    <member>any</member>
  </source-user>
  <category>
    <member>any</member>
  </category>
  <application>
    <member>ping</member>
  </application>
  <service>
    <member>any</member>
  </service>
  <hip-profiles>
    <member>any</member>
  </hip-profiles>
  <action>allow</action>
  <log-start>no</log-start>
  <log-end>yes</log-end>
  <negate-source>no</negate-source>
  <negate-destination>no</negate-destination>
  <log-setting>default</log-setting>
</entry>
</result>
</response>

Re: Palo Alto REST API - test security-policy-match

SameerT — Wed, 23 Sep 2020 06:22:21 GMT

Hi,

While running below api i am getting some error and when i am checking XMI API from palo alto i dont see any config&action=show&xptah(showis not present.

https://x.x.x.x/api/?type=config&action=show&xpath=/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/rulebase/security/rules/entry[@name='Ping']