Dynamic Tags via XML API with CIDR Range

L2 Linker

Dynamic Tags via XML API with CIDR Range

 So the problem I'm running into is that its simple to interact with the XML API, but its not always so easy to figure out where the commands are or how they should be formatted. You guys should really consider some OpenAPI 3 style documentation.

 

We have a tag associated with policy that when I tag an API it applies the policy to the address being tagged. Its worked great one IP at a time, but for this use case I need to be able to tag CIDR or at very least address range.

 

So the (python) payload looks like this:

 

payload = { 'type': 'user-id', 'vsys': 'vsys1', 'cmd':'<uid-message> <version>1.0</version> <type>update</type> <payload> <register> <entry ip="192.168.1.1"> <tag> <member>Development</member> </tag> </entry> </register> </payload> </uid-message>', 'key': apikey}

and iut works great for single targeted IP addresses, but it wont take CIDR with the entry IP xml tag. It was suggested I try using the debug console to find the specific XML that the web console uses and I found it, but its doing it completely differently from the documentation and the method its using is undocumented.

 

<request cmd='op' cookie='######' vsys='vsys1' target-vsys='vsys1'>
<operations xml='yes'><set><user-id><data><![CDATA[<uid-message> <version>1.0</version>
<type>update</type> <payload> <register> <ip-netmask>1.1.1.1/24</ip-netmask>
<tag> <member>Development</member> </tag> </entry> </register> </payload> </uid-message> ]]></data></user-id></set></operations></request>

Im not positive how that equates to the working payload, but I tried a few iterations and it never seemed to be happy. I DID get the system to think it accepted the CIDR IP when I used this formatting

 

'<uid-message> <version>1.0</version> <type>update</type> <payload> <register> <entry ip-netmask="192.168.5.112/31"> <tag> <member>SOCDevelopment</member> </tag> </entry> </register> </payload> </uid-message>'

but then it was super confused in the CLI, reporting the IP address as just " :: # "

 

>show object registered-ip tag SOCDevelopment
registered IP Tags :: # "Development" Total: 1 registered addresses

Thoughts or ideas would be great :)

L2 Linker

Re: Dynamic Tags via XML API with CIDR Range

https://live.paloaltonetworks.com/t5/Featured-Articles/Tips-amp-Tricks-API-configuration/ta-p/72917

 

this is helping a lot, pretty sure im getting closer to the right command/xml set

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!