topic Re: With XML API, How does "Require audit comment on policies" check work? ( Panorama -> Management tab) in Automation/API Discussions

With XML API, How does "Require audit comment on policies" check work? ( Panorama -> Management tab)

HermanEdwards — Sat, 26 Feb 2022 04:50:27 GMT

Settings

I believe adding/updating an Audit comment of a Policy rule is independent from making changes to the policies.
- Operational command: Audit comment Update (type='op')

set audit-comment comment "paul manual edit" xpath

Configuration command: Making changes to a Policy rule (type='config')

'/api/?type=config&action=get&xpath=/config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='paul']/pre-rulebase/security/rules/entry[@name='paul-feb-24']'

Questions

From Panorama -> Management tab

With enabled "Require audit comment on policies", I keep getting this Error message:

OrderedDict([('response', OrderedDict([('@status', 'success'), ('@code', '13'), ('msg', \"Audit comments are missing for policy configuration being committed. Please add audit comments and try again.\\nList of xpaths:\\n/config/devices/entry/device-group/entry[@name='paul']/pre-rulebase/security/rules/entry[@name='paul-audit-comment-create-feb-24']\\n/config/devices/entry/device-group/entry[@name='paul']/pre-rulebase/security/rules/entry[@name='paul-feb-24']\")]))]) "

Seeing that adding comments and making changes to a Policy rule requires 2 independent API calls, how can we make change both changes in one API call?
- I believe we just need to do 2 requests: (1) Update Audit comment => (2) Update Policy rule => (3) Commit
Despite manually set the Audit comment of a rule to some texts, the Commit operation is still failing with the error message. Has anyone run into this before?
- Am I doing the updates properly?
It's worth noting that I can manually commit via Web Browser though. It looks like committing via Web browser does not care about the Audit comment at all. I tried committing without any comment, and it still passes...

Attempts

Manually update the Audit comment of the Policy rule before committing,

Commit API calls will still fail with the error message I post above.

Any help is greatly appreciated.

Re: With XML API, How does "Require audit comment on policies" check work? ( Panorama -> Management tab)

HermanEdwards — Sat, 26 Feb 2022 05:12:56 GMT

Update

My bad. I miss the path in the error messages... the Policy update involves empty Device entry as you can see in the message.
Manually update the Audit comment via Web browser is done at /config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='paul']/pre-rulebase/security/rules/entry[@name='paul-feb-24']
- Here, the Web browser specified the name for the Device entry.
- As a result, updating the one on Web does not resolve the error.

Follow-up: While reading through XML API, some endpoints include Device entry name and some don't.
If anyone know when the Device entry name should be ignored, please feel free to share.
For more info, examples where Device entry name gets ignored can be found at https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-panorama-api/pan-os-xml-api-request-types/configuration-api/set-configuration.html

So far, when editing the config of a Policy rule, I believe a device entry name should always be specified. This is b/c API explorer always shows it.

Re: With XML API, How does "Require audit comment on policies" check work? ( Panorama -> Management tab)

JimmyHolland — Fri, 04 Mar 2022 12:29:19 GMT

Hi @HermanEdwards, yes, per the other thread, the localhost.localdomain is required. You will see it in the XML config file, in the API explorer, and other observable places (debugs, etc). I have requested that the documentation is changed to reflect this.

Re: With XML API, How does "Require audit comment on policies" check work? ( Panorama -> Management tab)

RyanBess — Tue, 05 Apr 2022 00:14:57 GMT

just my two cents here. The audit comment feature is very buggy and there are / have been a number of issues with it. If you are looking to use it as an a way for auditing change, you may be better suited to look to something outside of this feature. We're told things are fixed in some newer releases but we've hit a number of issues.