12-02-2022 12:52 PM
I am trying to add a Zone Protection Profile from an XML document to a firewall using the XPath API. I don't want to have to iterate through each element and add it to the profile. Is there a way to add it from an XML file or block?
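import sys

import requests

def add_dos_profile(self):
    # Method of the poster's API class; self.host, self.location and
    # self.api_headers are set elsewhere in that class.
    with open("DOS.xml") as f:
        element = f.read()
    api_url = "https://" + self.host + "/api/"
    # Zone Protection Profiles live under network/profiles/zone-protection-profile.
    params = dict(self.location or {})
    params.update({
        "type": "config",
        "action": "set",
        "xpath": "/config/devices/entry[@name='localhost.localdomain']"
                 "/network/profiles/zone-protection-profile",
        "element": element,  # sent as a parameter so requests URL-encodes the XML
    })
    try:
        # verify=False skips TLS certificate validation of the firewall.
        response = requests.get(api_url, params=params, verify=False, headers=self.api_headers)
    except requests.exceptions.RequestException:
        print("ERROR add_dos_profile: connecting to host.")
        sys.exit(1)
    print("response")
    print(response)
    return response.status_code == 200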
Here is the XML file:
<entry name="ZPP-3">
<flood>
<tcp-syn>
<red>
<alarm-rate>10000</alarm-rate>
<activate-rate>10000</activate-rate>
<maximal-rate>40000</maximal-rate>
</red>
<enable>yes</enable>
</tcp-syn>
<udp>
<red>
<alarm-rate>10000</alarm-rate>
<activate-rate>10000</activate-rate>
<maximal-rate>40000</maximal-rate>
</red>
<enable>yes</enable>
</udp>
<icmp>
<red>
<alarm-rate>10000</alarm-rate>
<activate-rate>10000</activate-rate>
<maximal-rate>40000</maximal-rate>
</red>
<enable>yes</enable>
</icmp>
<icmpv6>
<red>
<alarm-rate>10000</alarm-rate>
<activate-rate>10000</activate-rate>
<maximal-rate>40000</maximal-rate>
</red>
<enable>yes</enable>
</icmpv6>
<other-ip>
<red>
<alarm-rate>10000</alarm-rate>
<activate-rate>10000</activate-rate>
<maximal-rate>40000</maximal-rate>
</red>
<enable>yes</enable>
</other-ip>
</flood>
<ipv6>
<filter-ext-hdr>
<hop-by-hop-hdr>yes</hop-by-hop-hdr>
<routing-hdr>yes</routing-hdr>
<dest-option-hdr>yes</dest-option-hdr>
</filter-ext-hdr>
<ignore-inv-pkt>
<dest-unreach>yes</dest-unreach>
<pkt-too-big>yes</pkt-too-big>
<time-exceeded>yes</time-exceeded>
<param-problem>yes</param-problem>
<redirect>yes</redirect>
</ignore-inv-pkt>
<ipv4-compatible-address>yes</ipv4-compatible-address>
<anycast-source>yes</anycast-source>
<icmpv6-too-big-small-mtu-discard>yes</icmpv6-too-big-small-mtu-discard>
<options-invalid-ipv6-discard>yes</options-invalid-ipv6-discard>
<reserved-field-set-discard>yes</reserved-field-set-discard>
</ipv6>
<scan>
<entry name="8001">
<action>
<block/>
</action>
<interval>2</interval>
<threshold>100</threshold>
</entry>
<entry name="8002">
<action>
<block/>
</action>
<interval>10</interval>
<threshold>100</threshold>
</entry>
<entry name="8003">
<action>
<block/>
</action>
<interval>2</interval>
<threshold>100</threshold>
</entry>
</scan>
<discard-ip-spoof>yes</discard-ip-spoof>
<discard-strict-source-routing>yes</discard-strict-source-routing>
<discard-loose-source-routing>yes</discard-loose-source-routing>
<discard-timestamp>yes</discard-timestamp>
<discard-unknown-option>yes</discard-unknown-option>
<discard-malformed-option>yes</discard-malformed-option>
<discard-overlapping-tcp-segment-mismatch>yes</discard-overlapping-tcp-segment-mismatch>
<tcp-reject-non-syn>yes</tcp-reject-non-syn>
<remove-tcp-timestamp>yes</remove-tcp-timestamp>
<discard-icmp-ping-zero-id>yes</discard-icmp-ping-zero-id>
<discard-icmp-frag>yes</discard-icmp-frag>
<discard-icmp-large-packet>yes</discard-icmp-large-packet>
<suppress-icmp-timeexceeded>yes</suppress-icmp-timeexceeded>
<suppress-icmp-needfrag>yes</suppress-icmp-needfrag>
<description>Created by Scrip</description>
<asymmetric-path>bypass</asymmetric-path>
<discard-icmp-error>yes</discard-icmp-error>
</entry>
01-09-2023 08:17 AM
You could use "load config partial" via the API?
First upload the XML snippet file (DOS.xml): https://{{host}}/api?key={{key}}&type=import&category=configuration, passing in the XML file as form-data
Second, load the XML as "partial config": https://{{host}}/api?key={{key}}&type=op&cmd=<load><config><partial><mode>append</mode><from-xpath>entry</from-xpath><to-xpath>/config/devices/entry[@name="localhost.localdomain"]/network/profiles/zone-protection-profile</to-xpath><from>DOS.xml</from></partial></config></load>
Hope that helps
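The two calls from the reply above, as an added Python example (not the poster's code and not Palo Alto's): it rejects a snippet that is not a single well-formed `<entry name="...">` before uploading, builds the load command with an XML builder so the file name is escaped, and reads success from the `status` attribute of the XML response rather than the HTTP code. The function names, the `X-PAN-KEY` header and the `file` form field are assumptions of this example.

```python
import xml.etree.ElementTree as ET
from pathlib import Path

# Destination container, copied from the reply above.
ZPP_XPATH = ('/config/devices/entry[@name="localhost.localdomain"]'
             '/network/profiles/zone-protection-profile')


def profile_name(xml_data):
    """Return the profile name, or raise ValueError for an unusable snippet."""
    try:
        root = ET.fromstring(xml_data)
    except ET.ParseError as exc:
        raise ValueError(f"snippet is not well-formed XML: {exc}") from exc
    if root.tag != "entry" or not root.get("name"):
        raise ValueError("snippet root must be <entry name='...'>")
    return root.get("name")


def load_partial_cmd(filename, to_xpath=ZPP_XPATH, mode="append"):
    """Build the <load><config><partial> op command for an imported file."""
    load = ET.Element("load")
    partial = ET.SubElement(ET.SubElement(load, "config"), "partial")
    for tag, text in (("mode", mode), ("from-xpath", "entry"),
                      ("to-xpath", to_xpath), ("from", filename)):
        ET.SubElement(partial, tag).text = text
    return ET.tostring(load, encoding="unicode")


def api_ok(body):
    """PAN-OS wraps results in <response status=...>, so read status there."""
    return ET.fromstring(body).get("status") == "success"


def push_profile(host, key, path, verify=True):
    """Import the snippet file, then append it under ZPP_XPATH."""
    import requests  # third-party; local import keeps the helpers stdlib-only
    data, name = Path(path).read_bytes(), Path(path).name
    profile_name(data)  # reject a bad snippet before touching the firewall
    url = f"https://{host}/api/"
    hdr = {"X-PAN-KEY": key}  # assumption: header auth instead of key= in the URL
    r = requests.post(url, headers=hdr, verify=verify,
                      params={"type": "import", "category": "configuration"},
                      files={"file": (name, data)})  # assumption: field "file"
    if not api_ok(r.text):
        return False
    r = requests.post(url, headers=hdr, verify=verify,
                      data={"type": "op", "cmd": load_partial_cmd(name)})
    return api_ok(r.text)
```

Call it as `push_profile(host, key, "DOS.xml")`; the loaded profile still has to be committed before it takes effect.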