topic Re: EDL global find XML API in General Topics

EDL global find XML API

jyao — Wed, 18 Sep 2024 01:37:10 GMT

Hi dear all,

When I use /api/?type=op&cmd=<request><system><external-list><global-find><string></string></global-find></external-list></system></request> to search EDL with entry string, I can only search with IP list, for example, <request><system><external-list><global-find><string>5.167.66.138</string></global-find></external-list></system></request>, and I can get global find result as below:

<response status="success">
<result>
<line>/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/external-list/entry[@name='blocklistde-all.list']</line>
</result>
</response>

However, when I try to find URL or domain string, it cannot return any match even though the string is in the EDL entry list. Neither can I get global find result on FW UI.

May I know if any of you have such experience?

Thanks

Re: EDL global find XML API

kiwi — Wed, 18 Sep 2024 09:22:27 GMT

Hi @jyao ,

I believe this works for IP address only by design.

The firewall CLI also does not show the result of the command request system external-list global-find string "fqdn"

If you want to have this added as a feature request please reach out your local SE to create this feature request for you after which you and others can add their vote to it.

Kind regards,

-Kim.

Re: EDL global find XML API

TomYoung — Wed, 18 Sep 2024 09:42:47 GMT

Hi @jyao ,

That is a great question, and the PANW documentation could be improved to make the answer more clear.

You said "Neither can I get global find result on FW UI." I assume that means the List Entries and Exceptions tab in the EDL configuration is blank. The NGFW will not retrieve the contents of an EDL until it is enforced in a policy. (An EDL will always be blank on Panorama since it doesn't perform a lookup.)

An IP List EDL can be used as a source or destination object in a security policy rule.
A URL List EDL can be used as a URL Category in a security policy rule or a custom URL category in a URL Filtering security profile.
A Domain List can be used under DNS Policies in an Anti-Spyware security profile.

Once the EDL is enforced in a policy the NGFW will retrieve the contents at the 1st commit and then the specified interval. If the entries are still blank use the Test Source URL button to make sure it works and use a browser to verify it has entries.

https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-admin/policy/use-an-external-dynamic-list-in-policy/view-external-dynamic-list-entries

https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-admin/policy/use-an-external-dynamic-list-in-policy/enforce-policy-on-an-external-dynamic-list

This previous Live Community post is helpful. https://live.paloaltonetworks.com/t5/general-topics/external-list-not-populating/td-p/406809

If anyone in the Live Community sees that I missed something, please let me know! I will edit this post.

Thanks,

Tom

Re: EDL global find XML API

jyao — Tue, 24 Sep 2024 22:54:48 GMT

Hi Tom,

Thank you for your reply. I have attached EDL to a policy and enforce it, and I can EDL entries with XML api cmd=<request><system><external-list><show><type><{type}><num-records>1000</num-records><name>{name}</name></{type}></type></show></external-list></system></request>.

However, when I use '/api/?type=op&cmd=<request><system><external-list><global-find><string>{{EDLEntryString}}</string></global-find></external-list></system></request>', I can only search IP string, but not domain or URL string can be searched. According to Kim's comment, this endpoint only works for IP addresses by design.

Thanks again

Jonathan

Re: EDL global find XML API

jyao — Wed, 25 Sep 2024 00:34:03 GMT

Hi Tom,

May I know if I can get ip/url/domain EDL entries on Panorama? As I can only see predefined-ip amd predefined-url types on my Pamorama instance, I am sure if it relates to my Pamorama license.

When I try to get entries of my custom EDL, the API returns below error:

<msg>

<line>

<![CDATA[ request -> system -> external-list -> show -> type -> ip unexpected here]]>

</line>

<line>

<![CDATA[ request -> system -> external-list -> show -> type is invalid]]>

</line>

</msg>

</response>

Thanks for your comments.

Jonathan