<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Using API to dynamically register and tag -- can IP address be a subnet or only individual addre in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/using-api-to-dynamically-register-and-tag-can-ip-address-be-a/m-p/315165#M81215</link>
    <description>&lt;P&gt;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/9726"&gt;@alterioc&lt;/a&gt;,&lt;/P&gt;&lt;P&gt;Because you are utilizing user-id&amp;nbsp; to accomplish this, you'll only ever be able to utilize this via a single IP address at a time.&amp;nbsp;&lt;/P&gt;</description>
    <pubDate>Sun, 08 Mar 2020 05:43:23 GMT</pubDate>
    <dc:creator>BPry</dc:creator>
    <dc:date>2020-03-08T05:43:23Z</dc:date>
    <item>
      <title>Using API to dynamically register and tag -- can IP address be a subnet or only individual address?</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/using-api-to-dynamically-register-and-tag-can-ip-address-be-a/m-p/315054#M81197</link>
      <description>&lt;P&gt;In one of our firewalls we have zone A which has network x.x.x.x/24, and zone B which has network y.y.y.y/24. There is a rule allowing traffic between them. Some high-ranking people at my company need to be able to block this traffic automatically at any time. I wrote a PowerShell script which is triggered by the incident management system when an authorized person submits a ticket. The PS script uses the API to disable the rule that allows the traffic and then does a commit. It works, but ideally I'd like to use something that does not require a commit.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I read about dynamic IP address &amp;amp; tag registration via the XML API and I want to use this method to populate a dynamic address group, and use that group in a deny rule above the allow rule. The match criteria for the address group will be dynamic tag "blockme"; the API will add tag "blockme" to x.x.x.x/24, that address will get added to the dynamic address group, and access will be blocked. 
I got it to work but it appears that I can only register one ip address per command (versus x.x.x.x/24).&amp;nbsp;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;The command I am using in the PS script is:&lt;/P&gt;&lt;P&gt;$AddTag=Invoke-RestMethod -uri "https://&lt;EM&gt;&amp;lt;firewall&amp;gt;&lt;/EM&gt;/api/?type=user-id&amp;amp;command=&amp;lt;uid-message&amp;gt;&amp;lt;type&amp;gt;update&amp;lt;/type&amp;gt;&amp;lt;payload&amp;gt;&amp;lt;register&amp;gt;&amp;lt;entry ip=`"x.x.x.x`"&amp;gt;&amp;lt;tag&amp;gt;&amp;lt;member&amp;gt;blockme&amp;lt;/member&amp;gt;&amp;lt;/tag&amp;gt;&amp;lt;/entry&amp;gt;&amp;lt;/register&amp;gt;&amp;lt;/payload&amp;gt;&amp;lt;/uid-message&amp;gt;&amp;amp;key=$key"&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Is this possible to do?&amp;nbsp; My attempts have failed and I can't find an example where it's done.&amp;nbsp; If not, then has anyone else had a need to do something similar, and found a better way than what I'm doing? I looked at auto-tagging but it doesn't seem to be a good fit for this situation.&amp;nbsp; &amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;The firewall is running 8.1.&amp;nbsp; Thank you for reading.&lt;/P&gt;</description>
      <pubDate>Sat, 07 Mar 2020 06:04:53 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/using-api-to-dynamically-register-and-tag-can-ip-address-be-a/m-p/315054#M81197</guid>
      <dc:creator>alterioc</dc:creator>
      <dc:date>2020-03-07T06:04:53Z</dc:date>
    </item>
    <item>
      <title>Re: Using API to dynamically register and tag -- can IP address be a subnet or only individual addre</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/using-api-to-dynamically-register-and-tag-can-ip-address-be-a/m-p/315165#M81215</link>
      <description>&lt;P&gt;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/9726"&gt;@alterioc&lt;/a&gt;,&lt;/P&gt;&lt;P&gt;Because you are utilizing user-id&amp;nbsp; to accomplish this, you'll only ever be able to utilize this via a single IP address at a time.&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Sun, 08 Mar 2020 05:43:23 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/using-api-to-dynamically-register-and-tag-can-ip-address-be-a/m-p/315165#M81215</guid>
      <dc:creator>BPry</dc:creator>
      <dc:date>2020-03-08T05:43:23Z</dc:date>
    </item>
  </channel>
</rss>

