API - Security Rule Syntax

L2 Linker

API - Security Rule Syntax

Version: PAN-OS 8

 

Hi all,

 

I am attempting to create new security rules in Panorama, but keep getting a response that says a schema node cannot be found.

I have the following code in a PS function, where $Name is my intended rule name, and $DeviceAddress is my Panorama address:

    Invoke-RestMethod "https://$DeviceAddress/api/?type=config&action=set&key=$apiKey&xpath=/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/rulebase/security/rules/entry[@name='$Name']&element=$script:requestXML" -Method Post

The response is:

    Could not find schema node for xpath /config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/rulebase/security/rules/entry[@name='MY Arbitrary Rule Name']

 

Can someone clarify what is incorrect about the XPath, please?

L4 Transporter

Re: API - Security Rule Syntax

Your xpath is wrong.  If you're doing a `set`, you need to specify the node one above what you're actually setting.  For `edit` and `delete` you specify the node itself.

 

In your case, since you're trying to `set`, your xpath should actually be this:

 

    `/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/rulebase/security/rules`

 

 

L2 Linker

Re: API - Security Rule Syntax

@gfreeman,

 

So how does one specify a rule name in the xpath?

 

If I run

    $query = Invoke-RestMethod "https://$DeviceAddress/api/?type=config&action=set&key=$apiKey&xpath=config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/rulebase/security/rules" -Method Post

I get an Unauthorized request as the response.

L4 Transporter

Re: API - Security Rule Syntax

 

The rule name should be in the XML document that you're posting, which could look something like this:

 

    <entry name="MY Arbitrary Rule Name">
      <rule-type>universal</rule-type>
      <description></description>
      <from><member>zone1</member></from>
      <to><member>zone2</member></to>
      <source><member>any</member></source>
      <negate-source>no</negate-source>
      <source-user><member>any</member></source-user>
      <hip-profiles><member>any</member></hip-profiles>
      <destination><member>any</member></destination>
      <negate-destination>no</negate-destination>
      <application><member>any</member></application>
      <service><member>application-default</member></service>
      <category><member>any</member></category>
      <action>allow</action>
      <log-start>no</log-start>
      <log-end>yes</log-end>
      <disabled>no</disabled>
      <icmp-unreachable>no</icmp-unreachable>
      <option><disable-server-response-inspection>no</disable-server-response-inspection></option>
    </entry>

L2 Linker

Re: API - Security Rule Syntax

Thanks @gfreeman

 

So far, I think I've figured out the proper way to pass an XML document in PowerShell, but still get an Unauthorized Request response.

 

 

Is a rule-type required in the XML object?

 

Or rather, what fields are required in order to POST?

L4 Transporter

Re: API - Security Rule Syntax

The rule-type seems to be optional, but I've always specified it.

 

However, that error you're getting has to do with the user you're using to do these operations.  Looks like it needs more permissions to create the security rule:

 

https://www.paloaltonetworks.com/documentation/71/pan-os/xml-api/pan-os-xml-api-error-codes
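
The following is an added example, not code from any poster in this thread or from Palo Alto Networks. It puts the thread's points together: the `set` xpath stops at the `rules` node, the rule name travels in the posted `<entry>`, and the response status is checked. The function name `New-PanSecurityRule`, its parameters, the zone defaults, and the choice of which fields from the sample XML to include are assumptions for illustration.

```powershell
# Added example. Host, key, rule name and zones are placeholders/assumptions.
function New-PanSecurityRule {
    param(
        [Parameter(Mandatory)] [string] $DeviceAddress,
        [Parameter(Mandatory)] [string] $ApiKey,
        [Parameter(Mandatory)] [string] $Name,
        [string] $FromZone = 'zone1',
        [string] $ToZone = 'zone2'
    )

    # XML-escape caller-supplied values so characters such as " < > &
    # cannot break out of the attribute or add elements to the rule.
    $n = [System.Security.SecurityElement]::Escape($Name)
    $f = [System.Security.SecurityElement]::Escape($FromZone)
    $t = [System.Security.SecurityElement]::Escape($ToZone)

    # action=set: the xpath stops at the parent node (rules);
    # the rule name is carried by the posted <entry name="...">.
    $xpath = "/config/devices/entry[@name='localhost.localdomain']" +
             "/vsys/entry[@name='vsys1']/rulebase/security/rules"

    $element = @"
<entry name="$n">
  <rule-type>universal</rule-type>
  <from><member>$f</member></from>
  <to><member>$t</member></to>
  <source><member>any</member></source>
  <destination><member>any</member></destination>
  <application><member>any</member></application>
  <service><member>application-default</member></service>
  <action>allow</action>
  <log-end>yes</log-end>
</entry>
"@

    # A hashtable body on POST is sent form-encoded, so the xpath and XML
    # are URL-encoded for us and the API key stays out of the request URL.
    $body = @{ type = 'config'; action = 'set'; key = $ApiKey
               xpath = $xpath; element = $element }
    $resp = Invoke-RestMethod -Uri "https://$DeviceAddress/api/" -Method Post -Body $body

    # Some failures may arrive as an HTTP error (Invoke-RestMethod throws);
    # others come back as <response status="error">, checked here.
    if ($resp.response.status -ne 'success') {
        throw "PAN-OS API call failed: $($resp.response.OuterXml)"
    }
    $resp.response
}
```

Call it as `New-PanSecurityRule -DeviceAddress $DeviceAddress -ApiKey $apiKey -Name 'MY Arbitrary Rule Name'`. The account behind the API key still needs a role that is allowed to change the configuration.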

 
