Wildcards in rest api configuration query?

L2 Linker

Wildcards in rest api configuration query?

Hi,

 

I'm trying to write a reporting tool that will go through various device groups and identify rules that have certain keywords (change numbers in my case) in the description.

 

I'm querying panorama configuration and using rest api directly from python (e.g. requests module or pan.xapi)

 

For example, this query works perfectly for me and as a result I get two rules returned back, if description contains only one string CHG99646:

 

/config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='Perth']/pre-rulebase/security/rules/entry[description="CHG99646"]

 
<response status="success" code="19">
<result total-count="2" count="2">
L4 Transporter

Re: Wildcards in rest api configuration query?

Hi,

 

 The API is not designed for that. It has limited support for XPath and pulling data locally is probably the only way. 

 

 There are as well existing utilities which can do what you are looking for already, like one of mine here: https://live.paloaltonetworks.com/t5/API-Articles/rules-edit-php-to-manage-edit-export-rules-from-CL...

L2 Linker

Re: Wildcards in rest api configuration query?

OK, so Palo Alto decided not to implement %like% in their rest api. Understood.

 

Do you know if there is an op command that I could incorporate instead of using wildcards in the xpath matching? Something similar to global find in panorama gui or a | match when I am running show configuration? I mean, anything that will return a security rule name(s) based on text I want to find in description.

 

Cheers,

Milos

L4 Transporter

Re: Wildcards in rest api configuration query?

What I mean is that PAN is using Xpath, so you can use what Xpath has available:

 

In your case, something like that should work : 

[contains(text(),'whatYouWantHere')]

 

Concerning your other question about Global Find and such: it's not exposed through the API unfortunately. But it's something available on my project if you don't mind using it and/or developing in PHP ;)

L2 Linker

Re: Wildcards in rest api configuration query?

I'm trying to use your suggestion with contains text but I am not able to match anything

 

Could you give a full xpath example for matching description field with [contains(text(),'whatYouWantHere')]? I'm missing something when trying to use your suggestion.

 

For the PHP I have minimal knowledge there :)

 

Milos

L2 Linker

Re: Wildcards in rest api configuration query?

YES! Figured it out:

 

/config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='Perth']/pre-rulebase/security/rules/entry[description[contains(text(), 'CHG129149')]]

 

This works as a charm and gives me exactly what I need.

 

This is so cool. I am going to accept your answer as the solution!

 

Thanks so much for your help.

 

Milos

L4 Transporter

Re: Wildcards in rest api configuration query?

you are welcome! Remember it's just standard XPath 1.0 so you can google for more examples of syntaxes

 

Concerning my PHP lib: it's a set of utilities that are ready to run (no scripting skills involved, just invoke them) and a framework for devs. You might want to have a look if you don't want to reinvent the wheel.

 

cheers !

L2 Linker

Re: Wildcards in rest api configuration query?

I see that you are very good with xpath 1.0. I'm wondering if you have any suggestions/solutions for the following scenario or if this is not possible to achieve.

 

Say I use query xpath like this:

/config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='Tokyo']/pre-rulebase/security/rules/entry[description[contains(text(), 'CHG84226')]]

 

As a response I get the entry (or entries) with attribute 'loc' that's set to the current device group:

 

<response status="success" code="19">
<result total-count="1" count="1">
<entry name="Rule1293" loc="Tokyo">
<profile-setting>
<group>
<member>SecProfile2</member>
</group>
</profile-setting>

 

Now if I change Xpath to omit the part for device group as I want to build a search that will identify description with certain CHG text value on all device groups and find security rules across all device groups, I get the positive response and entry is listed back, but I lose the *loc* attribute so my policy doesn't show where exactly it belongs to.

 

Example (device group entry part is replaced with //):

/config/devices/entry[@name='localhost.localdomain']/device-group//pre-rulebase/security/rules/entry[description[contains(text(), 'CHG84226')]]

 

<response status="success" code="19">
<result total-count="8" count="8">
<entry name="Rule1341">
<option>
<disable-server-response-inspection>no</disable-server-response-inspection>
</option>
<from>
<member>trust</member>
</from>
<to>
<member>untrust</member>
</to>
<source>

 

Any ideas what could I possibly use in xpath to return something meaningful that can help me identifying where exactly this rule belongs to (rules in the case above as 'CHG84226' exists as a description on 8 rules across 8 different device groups). I know that I can use rule name and query individual device groups one by one but in my case I've got 20 device groups and one query costs around 1 second so it adds up to a large waiting time when the script is executed.

 

If you reckon I should post this as a separate question, I don't mind reposting this in its entirety.

 

Thanks for suggestions.

 

L4 Transporter

Re: Wildcards in rest api configuration query?

this 'loc' property is added by PANOS, it's not part of XPath at all.

 

The fact it is displaying in one case but not another is a mystery to me: it's not even a 'documented' feature of PANOS.

 

You will find yourself quickly limited with XPath because it doesn't fit all purposes.

 

I would usually script that: download the candidate config -> parse what I want (you can use XPath inside python as well if you don't want to code navigating through the XML tree by yourself).

 

Can I ask what kind of action you would like to do after you found the rules you need?

L2 Linker

Re: Wildcards in rest api configuration query?

Hello again,

 

I'm writing an application in Python Django to expose certain areas of palo altos to our developers so they can be self sufficient and be able to identify changes that we made on firewalls, find out if their application is being blocked by deny policy and so on. We don't want to give people access to palo altos themselves + most of the people wouldn't know what to do once they connect to firewalls.

 

In my way, my simple web interface would provide just enough functionality to do simple tasks such as what I mentioned above.

 

I get your point for downloading the entire config. In my case that won't be efficient.

 

$ ./rt.py

Start

/config/devices

End request, returned XML in 28.5984241962

Converting XML to DICT

End xmltodict

Done

Finished conversion 44.2386090755

 

It takes ~28 seconds to download the entire config in XML format. As I can't really use XML for the rest of my python stuff and Dictionary / OrderedDict is something much more useful, I then convert XML to Python Dictionary. As you can see it takes additional 16 seconds to convert literally everything to a massive dict that I'm only using a ridiculously small portion of.

 

In total 44.2 seconds, that's a lot of time to wait for each request ;)

 

And all I need to do is to display few policies to someone who enters a description text to search for. I don't think that's very efficient and this is why I am trying to find the way to limit the output as much as I can with xpath but still have enough information to work with to display necessary info to the user.

 

Cheers,

Milos
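
Added example, not code from any poster in this thread: because the search text comes from a web form and is interpolated into the XPath, the sketch below allowlists the keyword before building the query from the thread, and it recovers the device group name by walking a device-group subtree locally instead of relying on the `loc` attribute. The sample XML is constructed, and the helper names `build_xpath` and `find_rules` are hypothetical; it assumes the device-group subtree was fetched in one request and has the shape implied by the XPaths above.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample shaped like the device-group subtree queried in the thread.
SAMPLE = """<device-group>
  <entry name="Tokyo"><pre-rulebase><security><rules>
    <entry name="Rule1293"><description>CHG84226 open web</description></entry>
    <entry name="Rule7"><description>CHG11111</description></entry>
  </rules></security></pre-rulebase></entry>
  <entry name="Perth"><pre-rulebase><security><rules>
    <entry name="Rule1341"><description>per CHG84226</description></entry>
  </rules></security></pre-rulebase></entry>
</device-group>"""

BASE = "/config/devices/entry[@name='localhost.localdomain']/device-group"
# Assumed policy: change numbers are short alphanumeric tokens.
KEYWORD_RE = re.compile(r"[A-Za-z0-9_-]{1,32}")


def build_xpath(keyword):
    """Build the cross-device-group query from the thread for one keyword.

    XPath 1.0 string literals have no escape character, so a quote in the
    keyword would end the literal; reject anything outside the allowlist.
    """
    if not KEYWORD_RE.fullmatch(keyword):
        raise ValueError("keyword must be 1-32 letters, digits, '_' or '-'")
    return (BASE + "//pre-rulebase/security/rules/entry"
            "[description[contains(text(), '%s')]]" % keyword)


def find_rules(xml_text, keyword):
    """Return (device_group, rule_name) for pre-rules whose description
    contains keyword (case-sensitive, like XPath contains())."""
    hits = []
    root = ET.fromstring(xml_text)
    for dg in root.iter("device-group"):      # also matches the root itself
        for group in dg.findall("entry"):     # one entry per device group
            for rule in group.findall("pre-rulebase/security/rules/entry"):
                if keyword in (rule.findtext("description") or ""):
                    hits.append((group.get("name"), rule.get("name")))
    return hits


if __name__ == "__main__":
    print(build_xpath("CHG84226"))
    print(find_rules(SAMPLE, "CHG84226"))
```
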
