12-05-2017 08:46 AM
Version: PAN-OS 8
Hi all,
I am attempting to create new security rules in Panorama, but keep getting a response that says a schema node cannot be found.
I have the following code in a PS function, where $Name is my intended rule name, and $DeviceAddress is my Panorama address
"Invoke-RestMethod "https://$DeviceAddress/api/?type=config&action=set&key=$apiKey&xpath=/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/rulebase/security/rules/entry[@name='$Name']&element=$script:requestXML" -Method Post"
Could not find schema node for xpath /config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/rulebase/security/rules/entry[@name='MY Arbitrary Rule Name']
Can someone clarify what is incorrect about the XPath, please?
12-05-2017 09:49 AM
Your xpath is wrong. If you're doing a `set`, you need to specify the node one above what you're actually setting. For `edit` and `delete` you specify the node itself.
In your case, since you're trying to `set`, your xpath should actually be this:
`/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/rulebase/security/rules`
12-05-2017 09:52 AM - edited 12-05-2017 09:56 AM
So how does one specify a rule name in the xpath?
If I run
"$query = Invoke-RestMethod "https://$DeviceAddress/api/?type=config&action=set&key=$apiKey&xpath=config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/rulebase/security/rules" -Method Post"
I get an Unauthorized request as the response
12-05-2017 09:57 AM
The rule name should be in the XML document that you're posting, which could look something like this:
```xml
<entry name="MY Arbitrary Rule Name">
  <rule-type>universal</rule-type>
  <description></description>
  <from><member>zone1</member></from>
  <to><member>zone2</member></to>
  <source><member>any</member></source>
  <negate-source>no</negate-source>
  <source-user><member>any</member></source-user>
  <hip-profiles><member>any</member></hip-profiles>
  <destination><member>any</member></destination>
  <negate-destination>no</negate-destination>
  <application><member>any</member></application>
  <service><member>application-default</member></service>
  <category><member>any</member></category>
  <action>allow</action>
  <log-start>no</log-start>
  <log-end>yes</log-end>
  <disabled>no</disabled>
  <icmp-unreachable>no</icmp-unreachable>
  <option><disable-server-response-inspection>no</disable-server-response-inspection></option>
</entry>
```
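Added example, not part of the thread: the two replies above combined into one `set` call, with the xpath pointing at the parent `rules` node and the rule name carried in the posted element. The function name and its parameters are hypothetical, the rule uses a subset of the fields shown above, and it assumes the API accepts its parameters in a form-encoded POST body and answers with XML carrying a `status` attribute.

```powershell
# Added example; New-PanSecurityRule and its parameters are hypothetical names.
function New-PanSecurityRule {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $DeviceAddress,
        [Parameter(Mandatory)] [string] $ApiKey,
        [Parameter(Mandatory)] [string] $Name,
        [string] $FromZone = 'zone1',
        [string] $ToZone   = 'zone2'
    )

    # action=set: the xpath names the parent container (rules), not the new entry.
    $xpath = "/config/devices/entry[@name='localhost.localdomain']" +
             "/vsys/entry[@name='vsys1']/rulebase/security/rules"

    # The rule name travels in the element. XML-escape caller-supplied values so
    # a quote or angle bracket cannot change the structure of the posted rule.
    $esc = { param($s) [System.Security.SecurityElement]::Escape($s) }
    $element = @"
<entry name="$(& $esc $Name)">
  <rule-type>universal</rule-type>
  <from><member>$(& $esc $FromZone)</member></from>
  <to><member>$(& $esc $ToZone)</member></to>
  <source><member>any</member></source>
  <destination><member>any</member></destination>
  <application><member>any</member></application>
  <service><member>application-default</member></service>
  <action>allow</action>
  <log-end>yes</log-end>
</entry>
"@

    # A hashtable body on POST is sent form-encoded, so the XML and the xpath
    # need no manual URL encoding and the API key stays out of the request URL.
    $body = @{
        type    = 'config'
        action  = 'set'
        key     = $ApiKey
        xpath   = $xpath
        element = $element
    }
    $reply = Invoke-RestMethod -Uri "https://$DeviceAddress/api/" -Method Post -Body $body

    # Assumption: the reply is parsed as XML with a status attribute on <response>.
    if ($reply.response.status -ne 'success') {
        throw "set failed: $($reply.response.OuterXml)"
    }
    $reply
}
```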
12-05-2017 11:51 AM - edited 12-05-2017 11:52 AM
Thanks @gfreeman
So far, I think I've figured out the proper way to pass an XML document in PowerShell, but still get an Unauthorized Request response.
Is a rule-type required in the XML object?
Or rather, what fields are required in order to POST?
12-05-2017 11:56 AM
The rule-type seems to be optional, but I've always specified it.
However, that error you're getting has to do with the user you're using to do these operations. Looks like it needs more permissions to create the security rule:
https://www.paloaltonetworks.com/documentation/71/pan-os/xml-api/pan-os-xml-api-error-codes