API calls to get config from Panorama (object, object groups, policies etc.)

L4 Transporter


How can I get device-group-specific policies as well as shared objects, object groups, etc. from Panorama? I tried the API browser and the CLI (with debug cli on) but could not find the specific path/command. I have checked the XML running config and can see the path; however, I am not sure how to use it or which type of operation to use. Thanks in advance!

L4 Transporter

Re: API calls to get config from Panorama (object, object groups, policies etc.)

At this point, there are multiple ways to get and configure the firewall and Panorama without building a framework from scratch:

 

High level integrations:

* Ansible - http://panwansible.readthedocs.io/en/latest/

* Terraform - https://www.terraform.io/docs/providers/panos/index.html

 

Programmatic integrations:

* pandevice (python) - https://github.com/PaloAltoNetworks/pandevice

 

Technically there's also pango (which Terraform support is built on), but that code should be considered alpha, as it sometimes makes breaking changes, so I wouldn't recommend using it directly right now.

 

L4 Transporter

Re: API calls to get config from Panorama (object, object groups, policies etc.)

@gfreeman Can I use Terraform or Ansible purely for getting data (no updating)? I am using Python with pan-python now.

L4 Transporter

Re: API calls to get config from Panorama (object, object groups, policies etc.)

To some extent yes.  Ansible has facts and Terraform has data sources.  If you give me a bit more info on what kind of data you'd want, I can be more specific..?

 

In addition to that, pan-python is a good library (it's what pandevice is built on top of). pandevice functions very differently from pan-python; however, if you're already not afraid of the API, maybe pandevice could be a good path forward.

L3 Networker

Re: API calls to get config from Panorama (object, object groups, policies etc.)

Hey Sly!

 

While the pan-python/pandevice and Ansible/Terraform frameworks are really handy, for doing something as simple as pulling information from the Panorama/firewall config I tend to prefer rolling my own. In particular, using the xmltodict module and then navigating the config as a Python dictionary can be much more intuitive and pythonic as you build out your program. Here's a sample function you can use for pulling in the Panorama configuration (in Python 3.6.5):

```python
import requests
import xmltodict


def get_config(ip: str, api_key: str) -> dict:
    """Fetch the whole Panorama config and return it as a nested dict."""
    try:
        api_call_dict = {
            'key': api_key,
            'type': 'config',
            'action': 'get',
            'xpath': '/config'
        }
        url = f"https://{ip}/api"
        # verify=False turns off TLS certificate validation, so the API key is
        # sent to an unauthenticated endpoint; pass a CA bundle path to verify
        # the Panorama certificate where one is available.
        response = requests.post(url, api_call_dict, verify=False, timeout=30)
        parsed_response = xmltodict.parse(response.text)
        panorama_config = parsed_response['response']['result']['config']
        return panorama_config
    except Exception as e:
        # Network errors, XML parse errors and missing keys all end up here.
        print(f"get_config() failed due to {e}.")
        return {}
```

You could then access the shared address objects by running the function like this:

```python
pano_ip = '10.1.1.1'
pano_api_key = 'ABCDEFKEY'
pano_cfg = get_config(pano_ip, pano_api_key)
print(pano_cfg['shared']['address'])
```

Hope that helps!

Nasir
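For the device-group part of the original question, here is an added example (not code from any of the posts above) that walks the same `type=config&action=get` response with the standard library's ElementTree instead of xmltodict, checks the API status before trusting the result, and reads shared objects and one device group's pre-rulebase security rules. The sample XML is constructed, and the device group name `Branch` and the helper names are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a type=config&action=get response for xpath /config.
SAMPLE = """<response status="success"><result><config>
  <shared>
    <address>
      <entry name="web1"><ip-netmask>10.0.0.5/32</ip-netmask></entry>
      <entry name="portal"><description>VPN</description><fqdn>portal.example.com</fqdn></entry>
    </address>
    <address-group>
      <entry name="web-servers"><static><member>web1</member></static></entry>
    </address-group>
  </shared>
  <devices><entry name="localhost.localdomain"><device-group>
    <entry name="Branch"><pre-rulebase><security><rules>
      <entry name="allow-web">
        <destination><member>web-servers</member></destination>
        <action>allow</action>
      </entry>
    </rules></security></pre-rulebase></entry>
  </device-group></entry></devices>
</config></result></response>"""

ADDR_TYPES = ("ip-netmask", "ip-range", "fqdn")
DG_RULES = "devices/entry/device-group/entry[@name='{dg}']/pre-rulebase/security/rules/entry"

def load_config(xml_text):
    """Return the <config> element; raise if the API reported an error."""
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        raise ValueError(f"API call failed, code={root.get('code')}")
    return root.find("result/config")

def shared_addresses(cfg):
    """Map each shared address object name to (type, value)."""
    out = {}
    for e in cfg.findall("shared/address/entry"):
        # The value element is not always the first child (description, tag).
        kind = next((c for c in e if c.tag in ADDR_TYPES), None)
        if kind is not None:
            out[e.get("name")] = (kind.tag, kind.text)
    return out

def shared_groups(cfg):
    """Map each shared static address group name to its members."""
    return {e.get("name"): [m.text for m in e.findall("static/member")]
            for e in cfg.findall("shared/address-group/entry")}

def device_group_rules(cfg, dg):
    """List (name, destinations, action) for one device group's pre-rules."""
    return [(r.get("name"), [m.text for m in r.findall("destination/member")],
             r.findtext("action")) for r in cfg.findall(DG_RULES.format(dg=dg))]
```

The same paths, prefixed with `/config/`, can be sent as the `xpath` parameter of the API call to fetch only that subtree instead of the whole configuration.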
