policy rules hit count from API

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

policy rules hit count from API

L1 Bithead

I am trying to figure out how to get the hit count for rules via the REST API. 

 

I used the REST API browser and found that the URI path is

https://URL-to-Palo/api/?type=op&cmd=<show><rule-hit-count></rule-hit-count></show>&key=<key>

.

 

However when I run the comamnd in a rest client (Insomnia or postman)I get a code 400. If I run just cmd=<show><rule-hit-count></rule-hit-count></show> I get "Illegal parameter [request]".

 

I have tried running:

 

https://URL-to-Palo/api/?type=op&cmd=<show><rule-hit-count>'rulename'</rule-hit-count></show>&key=<key>

 (where rule name is the name of a rule)

 

But I get the following output:

 

 

<response status="error" code="17">
  <msg>
    <line>
      <![CDATA[ show -> rule-hit-count unexpected here]]>
    </line>
    <line>
      <![CDATA[ show -> rule-hit-count  is unexpected ]]>
    </line>
    <line>
      <![CDATA[ show  is unexpected ]]>
    </line>
  </msg>
</response>

 

 

 

I have tried different ways to get this to work but so far I have been unsuccessfull. 

 

Any help would be greatly appreciated. 

 

 

 

1 accepted solution

Accepted Solutions

L4 Transporter

I believe this is an issue with the syntax being used. I did notice this command is not as well documented as some of the others, especially considering it takes additional arguments such as the rule name. This includes the API browser and the XML API guide.

 

What I ended up doing is using "debug cli on" from an SSH session to the firewall and then performing the command in question. Specifically the output from this that is helpful looks like this:

<request cmd="op" cookie="2010229745062995" uid="500"><operations><show><rule-hit-count><vsys><vsys-name><entry name='vsys1'><rule-base><entry name='security'><rules><list><member>Trust-to-Untrust</member
></list></rules></entry></rule-base></entry></vsys-name></vsys></rule-hit-count></show></operations></request>

From this, I know what I'm looking for is in between <show> and </show> (this pattern should be consistent for all operational commands, specific to whatever word is in the beginning of the command for instance "request ..." would be different). This piece is the cmd argument of your API call.

 

Tying this all together, a call for a specific rule called "Trust-to-Untrust" would look like this:

 

https://IP_ADDRESS/api/?type=op&key=APIKEY&cmd=<show><rule-hit-count><vsys><vsys-name><entry name='vsys1'><rule-base><entry name='security'><rules><list><member>Trust-to-Untrust</member
></list></rules></entry></rule-base></entry></vsys-name></vsys></rule-hit-count></show>

where the rule name could be swapped where you see "Trust-to-Untrust". Tested this in my lab and it is working as expected.

 

 

If you have any other issues with this particular call, feel free to reply here and I'd be happy to take a look.

View solution in original post

6 REPLIES 6

L4 Transporter

I believe this is an issue with the syntax being used. I did notice this command is not as well documented as some of the others, especially considering it takes additional arguments such as the rule name. This includes the API browser and the XML API guide.

 

What I ended up doing is using "debug cli on" from an SSH session to the firewall and then performing the command in question. Specifically the output from this that is helpful looks like this:

<request cmd="op" cookie="2010229745062995" uid="500"><operations><show><rule-hit-count><vsys><vsys-name><entry name='vsys1'><rule-base><entry name='security'><rules><list><member>Trust-to-Untrust</member
></list></rules></entry></rule-base></entry></vsys-name></vsys></rule-hit-count></show></operations></request>

From this, I know what I'm looking for is in between <show> and </show> (this pattern should be consistent for all operational commands, specific to whatever word is in the beginning of the command for instance "request ..." would be different). This piece is the cmd argument of your API call.

 

Tying this all together, a call for a specific rule called "Trust-to-Untrust" would look like this:

 

https://IP_ADDRESS/api/?type=op&key=APIKEY&cmd=<show><rule-hit-count><vsys><vsys-name><entry name='vsys1'><rule-base><entry name='security'><rules><list><member>Trust-to-Untrust</member
></list></rules></entry></rule-base></entry></vsys-name></vsys></rule-hit-count></show>

where the rule name could be swapped where you see "Trust-to-Untrust". Tested this in my lab and it is working as expected.

 

 

If you have any other issues with this particular call, feel free to reply here and I'd be happy to take a look.

Thank you for the information, it helped.  I did not think of running the command in the CLI with debug on. I will need to look up on how to do that!

It's pretty easy, just typing in "debug cli on" will enable the debugging. It's only persists for your SSH session, so you won't have to worry about turning it off if you're using the CLI for other things and don't like the extraneous output, just do it when you actually want to see the calls.

L0 Member

I am trying to figure out how to get the hit count for all rules via the REST API. If we specify the rule name it works, 

Is there a way to get a hit count of all the rules from the panorama? which ideally means instead of rule-name use the world "all"

 

When you do all rules on Panorama it just comes back as "used" or "unused".  If you want to check specific rule counts, I think you need to do it via rule name.

I wanted to second this.  And/or last hit date from the rest api

 

  • 1 accepted solution
  • 9709 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!