policy rules hit count from API

L1 Bithead

policy rules hit count from API

I am trying to figure out how to get the hit count for rules via the REST API. 

 

I used the REST API browser and found that the URI path is

https://URL-to-Palo/api/?type=op&cmd=<show><rule-hit-count></rule-hit-count></show>&key=<key>

.

 

However, when I run the command in a REST client (Insomnia or Postman) I get a code 400. If I run just cmd=<show><rule-hit-count></rule-hit-count></show> I get "Illegal parameter [request]".

 

I have tried running:

 

https://URL-to-Palo/api/?type=op&cmd=<show><rule-hit-count>'rulename'</rule-hit-count></show>&key=<key>

 (where rule name is the name of a rule)

 

But I get the following output:

 

 

<response status="error" code="17">
  <msg>
    <line>
      <![CDATA[ show -> rule-hit-count unexpected here]]>
    </line>
    <line>
      <![CDATA[ show -> rule-hit-count  is unexpected ]]>
    </line>
    <line>
      <![CDATA[ show  is unexpected ]]>
    </line>
  </msg>
</response>

 

 

 

I have tried different ways to get this to work but so far I have been unsuccessful.

 

Any help would be greatly appreciated. 

 

 

 

L4 Transporter

Re: policy rules hit count from API

I believe this is an issue with the syntax being used. I did notice this command is not as well documented as some of the others, especially considering it takes additional arguments such as the rule name. This includes the API browser and the XML API guide.

 

What I ended up doing is using "debug cli on" from an SSH session to the firewall and then performing the command in question. Specifically the output from this that is helpful looks like this:

<request cmd="op" cookie="2010229745062995" uid="500"><operations><show><rule-hit-count><vsys><vsys-name><entry name='vsys1'><rule-base><entry name='security'><rules><list><member>Trust-to-Untrust</member></list></rules></entry></rule-base></entry></vsys-name></vsys></rule-hit-count></show></operations></request>

From this, I know what I'm looking for is in between <show> and </show> (this pattern should be consistent for all operational commands, specific to whatever word is in the beginning of the command for instance "request ..." would be different). This piece is the cmd argument of your API call.

 

Tying this all together, a call for a specific rule called "Trust-to-Untrust" would look like this:

 

https://IP_ADDRESS/api/?type=op&key=APIKEY&cmd=<show><rule-hit-count><vsys><vsys-name><entry name='vsys1'><rule-base><entry name='security'><rules><list><member>Trust-to-Untrust</member></list></rules></entry></rule-base></entry></vsys-name></vsys></rule-hit-count></show>

where the rule name could be swapped where you see "Trust-to-Untrust". Tested this in my lab and it is working as expected.

 

 

If you have any other issues with this particular call, feel free to reply here and I'd be happy to take a look.
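Added example, not part of the original posts: one way to build the cmd XML from the reply above for one or more rules, form-encode it, and read the status and messages out of an API response. The function names are hypothetical, the host is a placeholder, and sending the key in the X-PAN-KEY header instead of the URL assumes PAN-OS 9.0 or later.

```python
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

# Error body quoted in the question above, reused here as offline sample input.
SAMPLE_ERROR = """<response status="error" code="17"><msg>
<line><![CDATA[ show -> rule-hit-count unexpected here]]></line>
<line><![CDATA[ show -> rule-hit-count  is unexpected ]]></line>
<line><![CDATA[ show  is unexpected ]]></line>
</msg></response>"""


def build_hit_count_cmd(rules, vsys="vsys1", rulebase="security"):
    """Build the <show><rule-hit-count>...</show> XML for the given rule names."""
    node = show = ET.Element("show")
    for tag, name in (("rule-hit-count", None), ("vsys", None), ("vsys-name", None),
                      ("entry", vsys), ("rule-base", None), ("entry", rulebase),
                      ("rules", None), ("list", None)):
        node = ET.SubElement(node, tag, {"name": name} if name else {})
    for rule in rules:
        # ElementTree escapes &, < and > so odd rule names cannot break the XML.
        ET.SubElement(node, "member").text = rule
    return ET.tostring(show, encoding="unicode")


def build_request(host, api_key, cmd):
    """Prepare a POST with a form-encoded body; the key stays out of the URL."""
    body = urllib.parse.urlencode({"type": "op", "cmd": cmd}).encode()
    req = urllib.request.Request(f"https://{host}/api/", data=body, method="POST")
    req.add_header("X-PAN-KEY", api_key)  # assumption: PAN-OS 9.0 or later
    return req


def parse_response(xml_text):
    """Return (status, code, [message lines]) from an XML API response."""
    root = ET.fromstring(xml_text)
    lines = [ln.text.strip() for ln in root.iter("line") if ln.text]
    return root.get("status"), root.get("code"), lines


if __name__ == "__main__":
    cmd = build_hit_count_cmd(["Trust-to-Untrust"])
    req = build_request("IP_ADDRESS", "APIKEY", cmd)  # placeholders
    print(req.full_url, req.data.decode(), sep="\n")
    # To send: urllib.request.urlopen(req).read().decode(), then parse_response().
    print(parse_response(SAMPLE_ERROR))
```

Keeping the key in a header rather than the query string keeps it out of proxy and web server access logs and out of the REST client's URL history.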

L1 Bithead

Re: policy rules hit count from API

Thank you for the information, it helped. I did not think of running the command in the CLI with debug on. I will need to look up how to do that!

L4 Transporter

Re: policy rules hit count from API

It's pretty easy, just typing in "debug cli on" will enable the debugging. It only persists for your SSH session, so you won't have to worry about turning it off if you're using the CLI for other things and don't like the extraneous output, just do it when you actually want to see the calls.
