Move a firewall from a device group to another using API

Reply
Highlighted
L0 Member

Move a firewall from a device group to another using API

Hi,

 

I have developed a script that provisions firewalls to activate and update when it connects to Panorama.

 

I am now trying to get the script to move a firewall from a "Provisioning" to a "Provisioned" device group within Panorama.

 

In the GUI I have to remove the device from a group and add it to the new group.

 

Does anyone know what API commands I can use this to achieve this?

 

Many thanks

Ben

 

 

 

Tags (2)
L4 Transporter

Re: Move a firewall from a device group to another using API

You'll need to do a GET to get the current device group info, then do an EDIT to remove it from the old device group (or a targeted DELETE would also work), then you can do an EDIT to add it to the new device group (or a targeted SET would also work).

 

You can play around with moving a firewall in the GUI and see what PAN-OS is doing, then mimic that:

 

https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-panorama-api/get-started-with-the-pan-os-xml-api...

 

You can also use pandevice if you wanted.  I think moving firewalls between vsys is handled by having a Firewall object under a DeviceGroup object, then you can do .delete() with it under the old DeviceGroup, add it to the object heirarchy for the new DeviceGroup, then .create() with it under the new device group.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!