XML API config action 'set'

L7 Applicator

XML API config action 'set'

Okay, I still can't figure this guy out. All the other commands work perfectly fine, but as soon as I try to 'set' a new rule I get an error saying that it's malformed. I've looked through all of the documentation that I can find, but nothing will get the request to come across properly.

 

https://10.191.136.7/api/?type=config&action=set&key=key&xpath=/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/rulebase/security/rules/entry[@name='Test-API']&element=<source><member>10.191.135.66</member></source><destination><member>8.8.8.8</member></destination><service><member>any</member></service><application><member>any</member></application><action>allow</action><source-user><member>any</member></source-user><option><disable-server-response-inspection>no</disable-server-response-inspection></option><negate-source>no</negate-source><negatedestination>no</negate-destination><disabled>yes</disabled><log-start>no</log-start><logend>yes</log-end><description>Testing</description><from><member>inside</member></from><to><member>outside</member></to>

L4 Transporter

Re: XML API config action 'set'

There are two things to change:

 

1.  There is a hyphen missing from two of your elements: logend should be log-end, and negatedestination should be negate-destination.

 

2.  I recommend always giving your 'element' parameter a root element.  So rather than start with <source> and end with </to>, you should start with <entry name='Test-API'> and end with </entry>.  That way the beginning and end of the tags match.  Of course, this means removing /entry[@name='Test-API'] from the end of your xpath.

 

In summary, this API call should work for you:

 

https://10.191.136.7/api/?type=config&action=set&key=key&xpath=/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/rulebase/security/rules&element=<entry name='Test-API'><source><member>10.191.135.66</member></source><destination><member>8.8.8.8</member></destination><service><member>any</member></service><application><member>any</member></application><action>allow</action><source-user><member>any</member></source-user><option><disable-server-response-inspection>no</disable-server-response-inspection></option><negate-source>no</negate-source><negate-destination>no</negate-destination><disabled>yes</disabled><log-start>no</log-start><log-end>yes</log-end><description>Testing</description><from><member>inside</member></from><to><member>outside</member></to></entry>

If you're using Python, you might consider using pan-python or the Palo Alto Networks Device Framework to craft your API calls to eliminate these pesky XML/XPath issues.  For example, here's how you would make the same API call using the Device Framework in Python:

 

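from pandevice import firewall, policies

# Connect to the firewall (substitute your own credentials)
fw = firewall.Firewall('10.191.136.7', 'admin', 'yourpassword')

# Attach a rulebase object to the firewall's configuration tree
rulebase = fw.add(policies.Rulebase())

# Describe the security rule with keyword arguments instead of raw XML
rule1 = policies.SecurityRule('Test-API',
                              source='10.191.135.66',
                              destination='8.8.8.8',
                              fromzone='inside',
                              tozone='outside',
                              action='allow',
                              description='testing')
rulebase.add(rule1)

# Push the rule to the firewall's candidate configuration
rule1.create()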

In this example, you don't need to mess with XML or XPaths to create the security rule.  More information about the Palo Alto Networks Device Framework is available here:

 

Documentation

http://pandevice.readthedocs.io/en/latest/readme.html

 

Presentation

http://paloaltonetworks.github.io/pandevice/
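
For anyone who keeps building the raw URL by hand, the two problems fixed above (mismatched tags and no single root element) can be caught locally before the request is sent. The following is an added example, not code from the original posts or from pandevice; the helper names `check_element` and `build_set_url` are hypothetical, the sample strings are shortened from the thread, and the key is a placeholder.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

# Constructed inputs, shortened from the requests quoted in this thread.
RULES_XPATH = ("/config/devices/entry[@name='localhost.localdomain']"
               "/vsys/entry[@name='vsys1']/rulebase/security/rules")
BROKEN = ("<source><member>10.191.135.66</member></source>"
          "<negatedestination>no</negate-destination>"
          "<logend>yes</log-end>")
FIXED = ("<entry name='Test-API'>"
         "<source><member>10.191.135.66</member></source>"
         "<negate-destination>no</negate-destination>"
         "<log-end>yes</log-end></entry>")


def check_element(element):
    """Return None if element is one well-formed XML root, else the parser error."""
    try:
        ET.fromstring(element)
    except ET.ParseError as exc:
        # Covers both mismatched open/close tags and several top-level elements.
        return str(exc)
    return None


def build_set_url(host, key, xpath, element):
    """Build a type=config&action=set URL, refusing malformed element XML."""
    error = check_element(element)
    if error is not None:
        raise ValueError("element is not well-formed XML: " + error)
    # urlencode percent-encodes <, >, [, ], ', @ and spaces in xpath and element.
    query = urlencode({"type": "config", "action": "set", "key": key,
                       "xpath": xpath, "element": element})
    return "https://%s/api/?%s" % (host, query)


if __name__ == "__main__":
    print("broken:", check_element(BROKEN))
    print(build_set_url("10.191.136.7", "API-KEY-PLACEHOLDER", RULES_XPATH, FIXED))
```
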

L7 Applicator

Re: XML API config action 'set'

Thanks, I'll have to look into pandevice more. I keep hearing that it's really nice and easier to use. 
