Palo Alto REST API - test security-policy-match

L0 Member

Palo Alto REST API - test security-policy-match

Hello,

I have been trying using the command "test security-policy-match" with REST API. I do get a proper response, but i'm missing some valuable information.

From the CLI i get the following response:
admin@KAS-PaloAlto> test security-policy-match from KAS- zone-1 to KAS-zone-2 source 10.1.1.25 destination 10.2.2.25 protocol 1

 

Ping {
from KAS-zone-1;
source 10.1.1.25;
source-region none;
to KAS-zone-2;
destination 10.2.2.25;
destination-region none;
user any;
category any;
application/service any/any/any/any;
action allow;
icmp-unreachable: no
terminal yes;
}

 

When i use the following API:

https://x.x.x.x//api/?type=op&cmd=<test><security-policy-match><from>KAS-zone-1</from><to>KAS-zone-2</to><source>10.1.1.25</source><destination>10.2.2.25</destination><protocol>1</protocol></security-policy-match></test>&key=my.key

I get the following response:

<response cmd="status" status="success">
<result>
<rules>
<entry>Ping</entry>
</rules>
</result>
</response>

As you see i dont get the information within the brackets, like in the CLI.

Any suggestions?

L4 Transporter

Re: Palo Alto REST API - test security-policy-match

That additional data in brackets represets the configuration of the security rule. It is pulled via a seperate API call and displayed on the CLI, but when using the API you have to make that API call yourself. For example, this would pull the same information about the rule:

https://x.x.x.x/api/?type=config&action=show&xpath=/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/rulebase/security/rules/entry[@name='Ping']

 

Response:

<response status="success" code="19">
<result total-count="1" count="1">
<entry name="Ping">
  <from>
    <member>Trust</member>
  </from>
  <to>
    <member>Internet</member>
  </to>
  <source>
    <member>any</member>
  </source>
  <destination>
    <member>any</member>
  </destination>
  <source-user>
    <member>any</member>
  </source-user>
  <category>
    <member>any</member>
  </category>
  <application>
    <member>ping</member>
  </application>
  <service>
    <member>any</member>
  </service>
  <hip-profiles>
    <member>any</member>
  </hip-profiles>
  <action>allow</action>
  <log-start>no</log-start>
  <log-end>yes</log-end>
  <negate-source>no</negate-source>
  <negate-destination>no</negate-destination>
  <log-setting>default</log-setting>
</entry>
</result>
</response>
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!