10-19-2015 01:58 PM
I need help with the XML API to delete a firewall user from a security rule set.
I'm getting an XPath error code = 3 (internal API error) from the following scenario.
When I do a config command with action = show, I get an XML structure like this:
<response status="success">
<result>
<security>
<rules>
<entry name="My-Big-Fat-FW-Rules">
<action>allow</action>
<source-user>
<member>xyz\123456</member>
<member>xyz\9876543</member>
</source-user>
<from>
<member>L1-trusted</member>
</from>
.... lots of xml stuff ...
</entry>
<next entry...>
.... more xml stuff ...
</entry>
</rules>
</security>
</result>
When I issue the following XPATH command:
<...preamble http stuff...>&action=edit&xpath=/config/devices/entry/vsys/entry/rulesbase/security/rules[@name='My-Big-Fat-FW-Rules']/source-user/member[@name='xyz\123456']&element=<member name='xya\10203040'/>"
The API returns:
<response status="error" code="3"><msg><line>Could not get schema node for xpath /config/devices/entry/vsys/entry/rulesbase/security/rules[@name='My-Big-Fat-FW-Rules']/source-user/member[@name='xyz\123456']</line></msg></response>
The XML API guide says response code=3 is an internal API error.
My question:
Is the above XPATH statement the right syntax to navigate to rename the user 'xyz\123456' to 'xyz\10203040'?
My second question is:
Can the Xpath edit action be used to remove the rule by editing 'xyz\123456' to ''?
My third question is:
Since I want to delete this user from this rule, will the above XPATH syntax work with a config request and action=delete?
My final question concerns commit locks:
Is it necessary for me to do a get on the commit-locks and issue an API commit to make the changes take effect?
Is there a sequence diagram of the message flows for this?
Thanks for your help!!!
10-21-2015 01:04 PM
I can comment on editing. The delete action was answered in your other post.
If you want to edit a member object, then you need to reference the original member object with member[text()='<value>'] and then use the element parameter for the modified member object value: element=<xml code>
You were pretty close.
For example, using curl, if the original member is xyz\12345:
$ curl -k "https://<fw ip>/api/?type=config&action=edit&xpath=/config/devices/entry\[@name='localhost.localdomain'\]/vsys/entry\[@name='<vsys name>'\]/rulebase/security/rules/entry\[@name='<rulename>'\]/source-user/member\[text()='xyz\12345
<response status="success" code="20"><msg>command succeeded</msg></response>
12-11-2015 08:18 AM
Here is an example of how to delete something from a rule. If this is truly a user in the rule, you could add this <source-user>user1</source-user>
curl --globoff -k "https://x.x.x.x/api/?type=config&action=delete&key=$KEY&xpath=/config/devices/entry[@name='localhost...
Michael Clark
Palo Alto Networks
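An added example (not part of the original thread and not Palo Alto Networks code): Python that confirms the user is present in the show output, builds the member[text()='...'] XPath described in the replies above, and percent-encodes every parameter so the backslash, brackets and quotes survive the URL. The host, API key placeholder, vsys name `vsys1`, the helper names, the `<member>` element body and reusing the same XPath with action=delete through `config_url` are assumptions.

```python
import urllib.parse
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Constructed sample, modeled on the show output quoted in the question.
SHOW_RESPONSE = r"""<response status="success"><result><security><rules>
<entry name="My-Big-Fat-FW-Rules"><action>allow</action>
<source-user><member>xyz\123456</member><member>xyz\9876543</member></source-user>
</entry></rules></security></result></response>"""

def rule_users(show_xml, rule):
    """Return the source-user members of one rule from a show response."""
    for entry in ET.fromstring(show_xml).iter("entry"):
        if entry.get("name") == rule:
            return [m.text for m in entry.findall("./source-user/member")]
    return []

def member_xpath(vsys, rule, user, device="localhost.localdomain"):
    """XPath to a single member, selected by text() as the reply describes."""
    for value in (device, vsys, rule, user):
        if "'" in value:  # would end the quoted XPath literal early
            raise ValueError("single quote not allowed in %r" % value)
    return ("/config/devices/entry[@name='%s']/vsys/entry[@name='%s']"
            "/rulebase/security/rules/entry[@name='%s']"
            "/source-user/member[text()='%s']" % (device, vsys, rule, user))

def config_url(host, key, action, xpath, element=None):
    """Build a type=config URL with every parameter percent-encoded."""
    params = {"type": "config", "action": action, "key": key, "xpath": xpath}
    if element is not None:
        params["element"] = element
    return "https://%s/api/?%s" % (host, urllib.parse.urlencode(params))

def rename_user_url(host, key, vsys, rule, old, new, show_xml):
    """URL for action=edit that replaces member `old` with `new`."""
    if old not in rule_users(show_xml, rule):
        raise LookupError("%s is not a source-user of %s" % (old, rule))
    # Assumption: the element is the replacement <member> node.
    element = "<member>%s</member>" % escape(new)
    return config_url(host, key, "edit", member_xpath(vsys, rule, old), element)

if __name__ == "__main__":
    # Placeholder host, key and vsys name (assumptions, not from the thread).
    print(rename_user_url("fw.example.com", "API_KEY", "vsys1",
                          "My-Big-Fat-FW-Rules", r"xyz\123456",
                          r"xyz\10203040", SHOW_RESPONSE))
```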