Security rules via API with two vsys

L1 Bithead

Security rules via API with two vsys

Hello!

This morning started with me pulling my hair out...just like yesterday ended.  So, here I am.  I want to query our Palo Alto firewall via the API to show me security rules...not a big deal.  However, the device has two vsys's (or however you write that), and the API query only revealed one security policy, which I know is not right.  I've been using the API GUI to poke around, but I keep getting the same results:

/config/devices/entry[@name=<thingy>]/vsys/entry[@name='vsys1']/rulebase/security

Gives me:

<response status="success" code="19">
<result total-count="1" count="1">
<security>
<rules>

blah blah blah

I know this can't be right.  I've checked the other vsys via this query and it has ZERO results, which is also wrong.  Is this, perhaps, a permissions issue?  Or, is the way our device is split into two vsys's causing the problem?  

 

Of very interesting note: I exported the running config directly from this device and got the same results! Only one security policy shows up under vsys1 and ZERO are in vsys2?  I don't understand...

L4 Transporter

Re: Security rules via API with two vsys

Are the ones in question Panorama pushed configuration or local configuration? What code branch and model are you dealing with?

L1 Bithead

Re: Security rules via API with two vsys

Sorry...I committed the cardinal sin.  Here's what we're working with:

 

All configs are pushed via Panorama.

Panorama and the device in question are both on 7.1.12.  I should be looking at the API in Panorama, shouldn't I?

L4 Transporter

Re: Security rules via API with two vsys

Exactly. It only shows local configuration where you're looking. Alternatively, you can do type=op and cmd=<show><running><security-policy></security-policy></running></show> which should return all the ones in effect if that's what you're after.
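The two queries discussed above, sketched in Python as an added example (not code from any poster in this thread). It builds the parameters for the local-config query and for the op command, then parses config responses to flag each vsys whose local rulebase is empty, which on a Panorama-managed firewall is the cue to check the running policy or Panorama instead. The `action=get` value, the function names and the sample responses are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# XPath from the first post; the device name is a parameter.
XPATH = ("/config/devices/entry[@name='{device}']"
         "/vsys/entry[@name='{vsys}']/rulebase/security")
# Op command from the reply: returns the rules actually in effect.
RUNNING_POLICY = ("<show><running><security-policy></security-policy>"
                  "</running></show>")

def config_query(device, vsys, key):
    """Parameters for the local-config query (misses Panorama-pushed rules)."""
    return {"type": "config", "action": "get", "key": key,
            "xpath": XPATH.format(device=device, vsys=vsys)}

def running_policy_query(key):
    """Parameters for the op command that lists the policy in effect."""
    return {"type": "op", "cmd": RUNNING_POLICY, "key": key}

def local_rule_names(response_xml):
    """Rule names found in one config response; raises on a failed call."""
    root = ET.fromstring(response_xml)
    if root.tag != "response" or root.get("status") != "success":
        raise ValueError("API call failed: status=%r" % root.get("status"))
    return [e.get("name")
            for e in root.findall("./result/security/rules/entry")]

def vsys_without_local_rules(responses):
    """Vsys names whose local rulebase came back empty."""
    return sorted(v for v, body in responses.items()
                  if not local_rule_names(body))

# Constructed sample responses, shaped like the output quoted in the thread.
SAMPLE = {
    "vsys1": ('<response status="success" code="19">'
              '<result total-count="1" count="1"><security><rules>'
              '<entry name="local-cleanup"><action>deny</action></entry>'
              '</rules></security></result></response>'),
    "vsys2": ('<response status="success" code="19">'
              '<result total-count="0" count="0"/></response>'),
}

if __name__ == "__main__":
    for vsys, body in sorted(SAMPLE.items()):
        print(vsys, "local rules:", local_rule_names(body))
    for vsys in vsys_without_local_rules(SAMPLE):
        print(vsys, "has no local rules; query the running policy:")
        print("  cmd =", running_policy_query("<API-KEY>")["cmd"])
```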

L1 Bithead

Re: Security rules via API with two vsys

Got it...thx.

Any luck calling an API key via PowerShell instead of embedding it in the request?  I wonder if Palo Alto's API can't accept additional headers?  I can't seem to find this information anywhere.  If I embed my API key in my GET request, I auth successfully.  When I call the API key using the "-headers" function in PowerShell, no worky.  Thoughts?  I know this is a separate concept, but I'm grasping at straws here.
