API - Security Rule Syntax


L2 Linker

Version: PAN-OS 8

 

Hi all,

 

I am attempting to create new security rules in Panorama, but keep getting a response that says a schema node cannot be found.

 

I have the following code in a PS function, where $Name is my intended rule name and $DeviceAddress is my Panorama address:

 

    Invoke-RestMethod "https://$DeviceAddress/api/?type=config&action=set&key=$apiKey&xpath=/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/rulebase/security/rules/entry[@name='$Name']&element=$script:requestXML" -Method Post

The response I get back is:

    Could not find schema node for xpath /config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/rulebase/security/rules/entry[@name='MY Arbitrary Rule Name']

 

Can someone clarify what is incorrect about the XPath, please?


L4 Transporter

Your xpath is wrong.  If you're doing a `set`, you need to specify the node one above what you're actually setting.  For `edit` and `delete` you specify the node itself.

 

In your case, since you're trying to `set`, your xpath should actually be this:

 

    `/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/rulebase/security/rules`


@gfreeman,

 

So how does one specify a rule name in the xpath?

 

If I run

    $query = Invoke-RestMethod "https://$DeviceAddress/api/?type=config&action=set&key=$apiKey&xpath=config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/rulebase/security/rules" -Method Post

 

I get an Unauthorized request as the response.

 

The rule name should be in the XML document that you're posting, which could look something like this:

 

    <entry name="MY Arbitrary Rule Name">
      <rule-type>universal</rule-type>
      <description></description>
      <from><member>zone1</member></from>
      <to><member>zone2</member></to>
      <source><member>any</member></source>
      <negate-source>no</negate-source>
      <source-user><member>any</member></source-user>
      <hip-profiles><member>any</member></hip-profiles>
      <destination><member>any</member></destination>
      <negate-destination>no</negate-destination>
      <application><member>any</member></application>
      <service><member>application-default</member></service>
      <category><member>any</member></category>
      <action>allow</action>
      <log-start>no</log-start>
      <log-end>yes</log-end>
      <disabled>no</disabled>
      <icmp-unreachable>no</icmp-unreachable>
      <option><disable-server-response-inspection>no</disable-server-response-inspection></option>
    </entry>

Thanks @gfreeman

 

So far, I think I've figured out the proper way to pass an XML document in PowerShell, but I still get an Unauthorized Request response.


Is a rule-type required in the XML object?

 

Or rather, what fields are required in order to POST?

The rule-type seems to be optional, but I've always specified it.

 

However, that error you're getting has to do with the user you're using to do these operations.  Looks like it needs more permissions to create the security rule:

 

https://www.paloaltonetworks.com/documentation/71/pan-os/xml-api/pan-os-xml-api-error-codes
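Putting the thread's advice together, here is an added example (my own code, not from any poster or from Palo Alto Networks): it posts the rule XML shown above with action=set against the parent rules node, sends the key and element in the POST body rather than the URL, and checks the status attribute of the PAN-OS response instead of assuming success. The function name New-PanSecurityRule and its parameters are my own; the xpath and the zone names come from the thread.

```powershell
# Added example. Assumes $DeviceAddress / $ApiKey hold the Panorama host and an
# API key for an admin whose role may create security rules (the error-code page
# above explains the codes PAN-OS returns when that is not the case).
function New-PanSecurityRule {
    param(
        [Parameter(Mandatory)][string]$DeviceAddress,
        [Parameter(Mandatory)][string]$ApiKey,
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$FromZone,
        [Parameter(Mandatory)][string]$ToZone,
        [ValidateSet('allow', 'deny', 'drop')][string]$Action = 'allow'
    )

    # Escape values placed into XML so a name containing & or " cannot break the document.
    $safeName = [System.Security.SecurityElement]::Escape($Name)
    $safeFrom = [System.Security.SecurityElement]::Escape($FromZone)
    $safeTo   = [System.Security.SecurityElement]::Escape($ToZone)

    # The rule name lives in <entry name="..."> inside the element, not in the xpath.
    $element = @"
<entry name="$safeName">
  <rule-type>universal</rule-type>
  <from><member>$safeFrom</member></from>
  <to><member>$safeTo</member></to>
  <source><member>any</member></source>
  <source-user><member>any</member></source-user>
  <destination><member>any</member></destination>
  <application><member>any</member></application>
  <service><member>application-default</member></service>
  <category><member>any</member></category>
  <action>$Action</action>
  <log-end>yes</log-end>
</entry>
"@

    # For action=set the xpath is the node one above the entry being created (.../rules).
    # Sending the parameters as a form-encoded body keeps the API key and the XML out of
    # the URL (and so out of proxy and web-server access logs) and avoids hand URL-escaping.
    $body = @{
        type    = 'config'
        action  = 'set'
        key     = $ApiKey
        xpath   = "/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/rulebase/security/rules"
        element = $element
    }
    $resp = Invoke-RestMethod -Uri "https://$DeviceAddress/api/" -Method Post -Body $body

    # PAN-OS answers <response status="success|error" code="..."> even on HTTP 200, so check it.
    if ($resp.response.status -ne 'success') {
        throw "PAN-OS API error (code $($resp.response.code)): $($resp.response.OuterXml)"
    }
    return $resp.response
}

New-PanSecurityRule -DeviceAddress $DeviceAddress -ApiKey $apiKey -Name 'MY Arbitrary Rule Name' -FromZone 'zone1' -ToZone 'zone2'
```

A set on the candidate configuration still needs a separate commit before the rule takes effect; the function deliberately stops short of that so the change can be reviewed first.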

 
