Obtaining Policy Descriptions Through the API


L0 Member

Thanks for taking the time to read my message. I'm an intern tasked with writing a program that returns all device descriptions from a set of policies using the PA APIs. I'm unable to find any APIs that return the policy description - only data such as name, rule type, etc. Is it possible to obtain the description through an API call, or would I need to use a workaround method?


L4 Transporter
Hello. You can read the rule comment (I assume that's what you are looking for) the same way as you can read src, dst, from, to, ...

Hi Jeorg, thanks for the response. I'm relatively new to working with Palo Alto, so I'm not sure what you mean by this. Would you be willing to provide a sample API call that would produce this information?


EDIT: I'm unable to find the policy description in the comment fields of any of the endpoints I've tried from the API documentation. Things like src, dst, from, etc. are all there, but the specific description field is not.

Hello


Stupid me, it is "description" (as you already wrote).

I'm mainly dealing with the config in xpath format. This simplifies running a diff hence the scope/context is still valid.

The base xpath is "/config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='firewall_xyz']/" when using a panorama.

.../pre-rulebase/security/rules/entry[@name='access to abc']/profile-setting/group/member     default
.../pre-rulebase/security/rules/entry[@name='access to abc']/target/negate    no
.../pre-rulebase/security/rules/entry[@name='access to abc']/to/member        DMZ_Campus
.../pre-rulebase/security/rules/entry[@name='access to abc']/from/member      LAN
.../pre-rulebase/security/rules/entry[@name='access to abc']/source/member    pc_123
.../pre-rulebase/security/rules/entry[@name='access to abc']/destination/member       n_x.y.z.0_24
.../pre-rulebase/security/rules/entry[@name='access to abc']/destination/member       n_x.y.zz.0_24
.../pre-rulebase/security/rules/entry[@name='access to abc']/category/member  any
.../pre-rulebase/security/rules/entry[@name='access to abc']/application/member       ms-rdp
.../pre-rulebase/security/rules/entry[@name='access to abc']/service/member   tcp_rdp
.../pre-rulebase/security/rules/entry[@name='access to abc']/hip-profiles/member      any
.../pre-rulebase/security/rules/entry[@name='access to abc']/action   allow
.../pre-rulebase/security/rules/entry[@name='access to abc']/description      'some text'
.../pre-rulebase/security/rules/entry[@name='access to abc']/log-setting      panorama
.../pre-rulebase/security/rules/entry[@name='access to abc']/source-user/member       any

or as XML, if you prefer this format:

<entry name="access to abc">
  <profile-setting>
    <group>
      <member>default</member>
    </group>
  </profile-setting>
  <target>
    <negate>no</negate>
  </target>
  <to>
    <member>DMZ_Campus</member>
  </to>
  <from>
    <member>LAN</member>
  </from>
  <source>
    <member>pc_123</member>
  </source>
  <destination>
    <member>n_x.y.z.0_24</member>
    <member>n_x.y.zz.0_24</member>
  </destination>
  <category>
    <member>any</member>
  </category>
  <application>
    <member>ms-rdp</member>
  </application>
  <service>
    <member>tcp_rdp</member>
  </service>
  <hip-profiles>
    <member>any</member>
  </hip-profiles>
  <action>allow</action>
  <description>some text</description>
  <log-setting>panorama</log-setting>
  <source-user>
    <member>any</member>
  </source-user>
</entry>
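As an added example (not code from this thread), the following script shows the two pieces the reply above describes: building the Panorama xpath for a device-group's rules, and pulling the <description> of every rule out of the returned XML. The config fragment and the second rule ("no comment rule") are constructed so the script runs offline; on a real system the same XML would come back from the config API.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a minimal Panorama-style config using the device-group
# and rule name from the thread, plus one rule that has no description.
SAMPLE_CONFIG = """<config><devices><entry name="localhost.localdomain">
<device-group><entry name="firewall_xyz"><pre-rulebase><security><rules>
  <entry name="access to abc">
    <action>allow</action>
    <description>some text</description>
  </entry>
  <entry name="no comment rule">
    <action>deny</action>
  </entry>
</rules></security></pre-rulebase></entry></device-group>
</entry></devices></config>"""

# Base xpath from the reply above (Panorama device-group config).
BASE = "/config/devices/entry[@name='localhost.localdomain']"


def rules_xpath(device_group, rulebase="pre-rulebase"):
    """XPath of a device-group's rules container; pass this to a config get."""
    return (f"{BASE}/device-group/entry[@name='{device_group}']"
            f"/{rulebase}/security/rules")


def rule_descriptions(config_xml, device_group, rulebase="pre-rulebase"):
    """Map each security rule name to its <description> text (None if absent)."""
    root = ET.fromstring(config_xml)
    # ElementTree paths are relative to the root element, so drop "/config".
    rel = "." + rules_xpath(device_group, rulebase)[len("/config"):]
    result = {}
    for rule in root.findall(rel + "/entry"):
        desc = rule.find("description")
        result[rule.get("name")] = desc.text if desc is not None else None
    return result


if __name__ == "__main__":
    print(rules_xpath("firewall_xyz"))
    print(rule_descriptions(SAMPLE_CONFIG, "firewall_xyz"))
```

Rules without a <description> element come back as None rather than raising, which is the case an exporter over a whole rulebase has to handle.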

At this point, there are multiple API wrappers Palo Alto Networks has put out that remove having to deal with XML / XPath directly; I would strongly recommend you use one of those. Since you're just trying to do read operations, there are 3 options:


* pandevice - A python library that makes xpath handling a bit more intuitive.

* The Ansible Galaxy role (specifically, panos_security_rule_facts) - The Ansible Galaxy role Palo Alto Networks has is also using pandevice to do the heavy lifting, but dealing with Ansible may be preferable to having to use python directly.

* pango - Kind of similar to pandevice, but the language is golang instead of python, so you would need to be comfortable coding the solution yourself.
