XML-API Use Case to Add & Delete TS-Agents

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.
Community Team Member

As I explained in a previous blog, XML API can be a very useful and powerful tool to work with. Having different use case examples can help overcome some of the initial hurdles when using XML API. 

 

The following use case was created by our very own @vsathiamoo

Check out how to go about adding/deleting TS-agents using the XML API:

 

 

To use the API, generate the API key required for authenticating API calls.

 

Resources

 

Get API Key

URL Encoding

 

Using the following command, the Palo Alto Networks firewall running configuration can be retrieved:

 

Command Syntax (Running Configuration)

 

 

https://<<FW-IP>>/api/?type=op&cmd=<show><config><running></running></config></show>&key=<<API-KEY>>

 

Example (if your host is 10.192.16.170 and you obtained your key with admin/admin credentials):

 

 

https://10.192.16.170/api/?type=op&cmd=<show><config><running></running></config></show>&key=LUFRPT14MW5xOEo1R09KVlBZNnpnemh0VHRBOWl6TGM9bXcwM3JHUGVhRlNiY0dCR0srNERUQT09           

 

2018-03-19_12-25-25.jpg

 

 

The above example shows that there is a Terminal Services Agent (TEST-AGENT1 in our example) configured and the XPATH to use to configure a new Terminal Services Agemt would be the following :
 
XPATH
 
/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/ts-agent/entry[@name='MYTSAGENT']

 

Using action=set you can add or create a new object at a specified location in the configuration hierarchy.  Use the xpath parameter to specify the location of the object in the configuration.

 

In the example below, we will add a Terminal Services Agent (TS-AGENT2).  The IP address and Port of the TS agent will be populated with the following API call.

 

Command Syntax (Add TS Agent)

 

https://<<FW-IP>/api?key=<<API-KEY>>&type=config&action=set&xpath=/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/ts-agent/entry[@name='TS AGENT NAME']&element=<host>IP ADDRESS</host><port>5009</port>

Example

 

https://10.192.16.170/api?key=LUFRPT14MW5xOEo1R09KVlBZNnpnemh0VHRBOWl6TGM9bXcwM3JHUGVhRlNiY0dCR0srNERUQT09&type=config&action=set&xpath=/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/ts-agent/entry[@name='TS-AGENT2']&element=<host>10.1.1.2</host><port>5009</port>

 

Command Syntax (Add TS Agent with Alternative IP Addresses)

 

 

https://<<FW-IP>>/api?key=<<API-KEY>>&type=config&action=set&xpath=/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/ts-agent/entry[@name='TS AGENTNAME']&element=<host>IP1</host><port>5009</port><ip-list><member>Alternate IP1</member><member>Alternate IP2</member></ip-list>

  

Parameter Description
FW-IP Palo Alto Networks Firewall Management IP.
API-KEY API key for an administrator account
TSAGENTNAME A name to identify the TS agent.
IP1 IP address of the terminal server where the TS agent is installed
Alternate IP1 Additional IP addresses of TS agent
Alternate IP2 Additional IP addresses of TS agent (Note: TS agents can have upto 8 additional IP addresses)

 

Example

 

 

https://10.192.16.170/api?key=LUFRPT14MW5xOEo1R09KVlBZNnpnemh0VHRBOWl6TGM9bXcwM3JHUGVhRlNiY0dCR0srNERUQT09&type=config&action=set&xpath=/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/ts-agent/entry[@name='TS-AGENT2']&element=<host>10.1.1.2</host><port>5009</port

  2018-03-19_12-48-13.jpg

 

The same command can be used to modify Terminal Services Agent properties (Host IP and Port).

 

Resources:

 

XPATH

XML API Request types

 

In a similar way, you can remove  a Terminal Services Agent (TS-AGENT2) from the firewall.

 

Command Syntax (Remove TS Agent)

 

https://<<FW-IP>>/api?key=<<API-KEY>>&type=config&action=delete&xpath=/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/ts-agent/entry[@name='TSAGENTNAME']

Example

 

https://10.192.16.170/api?key=LUFRPT14MW5xOEo1R09KVlBZNnpnemh0VHRBOWl6TGM9bXcwM3JHUGVhRlNiY0dCR0srNERUQT09&type=config&action=delete&xpath=/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/ts-agent/entry[@name='TS-AGENT2']

 
2018-03-19_13-01-30.jpg

 

 

 

There are plenty of XML API resources available on Live for you to get started. This is just one of many possible use cases where XML API can be useful for you!

 

Feel free to ask questions or share your XML API examples in the comments section below!

 

-Kiwi out!

 

2 Comments
L0 Member

Great example of using the API, but a simpler way is to simply SSH to your firewall or Panorama and switch to set config-output, then paste in the terminal server info?  I've looked for good examples on doing this, but couldn't find any, so I worked this out on my own:

 

Firewall:
set cli config-output-format set
set ts-agent TermServ01 host 10.20.30.40
set ts-agent TermServ01 port 5009
set ts-agent TermServ01 disabled no

Panorama:
set cli config-output-format set
set template "Firewall1_Template" config  vsys vsys1 ts-agent TermServ01 host 10.20.30.40
set template "Firewall1_Template" config  vsys vsys1 ts-agent TermServ01 port 5009
set template "Firewall1_Template" config  vsys vsys1 ts-agent TermServ01 disabled no

L3 Networker

Kind of curious if I have ran into a bug doing this. I can successfully set a new tsagent, but whe committing it fails with :

 

Details
Validation Error:
vsys -> vsys7 -> ts-agent -> laconico unexpected here
vsys -> vsys7 -> ts-agent is invalid

 

...however, when I go in the GUI, pull up the entry, the name "blah" is underlined in red, but if i click on it and don't change anything, it removes the red underline, I can hit ok, and commit fine.

  • 21967 Views
  • 2 comments
  • 3 Likes
Register or Sign-in
Labels