Panorama Edit a security post-rule REST-API logic

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Panorama Edit a security post-rule REST-API logic

L1 Bithead

Hi,

 

I was wondering if I'm using the edit security post-rule endpoint correctly or I'm missing something here.

 

I am sending an HTTP PUT request to the panorama to update an existing security rule, but according to the documentation, if I want to update a single field (say the Source Address list), I need to send in the payload all the other fields that are already configured on the rule, even though I'm not changing them.  I tried sending the PUT request with just the source field, bit I got a response that I'm missing required fields.

 

Is this the normal behaviour of the edit endpoint? It's treating it the same way as the Add endpoint (POST Create a Security Post Rule). Any way I can use that endpoint by just sending the field I need to update and not every single field configured on the rule that I'm not editing?

 

An example of the PUT request sent that failed cause of missing fields:

 

requests.put(url="https://{{host}}/restapi/v9.1/Policies/SecurityPostRules?location=device-group&device-group={{dg_name}}&name={{rule_name}}", headers={"X-PAN-KEY": "{{key}}"}, data={"entry": {\"@name\": "{{rule_name}}", "source": {"member": ["NEW_ADDR_GRP"]}}}, verify=False)

 

And we get this response:

 

{"code":3,"message":"Invalid Object","details":[{"@type":"CauseInfo","causes":[{"code":12,"module":"panui_mgmt","description":"Invalid Object:  {{rule_name}}  is missing 'from'."}]}])

 When I add "from" to the pauload I get i'm missing "to", and this goes on until I have all the required fields from the Create endpoint in the payload, but it overwrites the optional fields that I did not include in my Edit payload.

 

Thanks

 

Panorama

1 accepted solution

Accepted Solutions

L5 Sessionator

Hi @abedJawhar, yes, this is expected behaviour for a PUT in a RESTful API, where PUT methods normally expect the entire definition of a resource, because it replaces the resource definition. This is useful to maintain idempotent operations amongst other reasons. The PAN-OS REST API works in the same way with the PUT-based methods. It would be best to, in your code, do a GET first, modify the resource, then do a PUT.

 

A feature request for future would be a PATCH-based HTTP method for the PAN-OS REST API to be able to provide partial resource definitions.

Help the community: "Like" helpful comments, and click "Accept as Solution" if you found your answer 🙂

View solution in original post

2 REPLIES 2

L5 Sessionator

Hi @abedJawhar, yes, this is expected behaviour for a PUT in a RESTful API, where PUT methods normally expect the entire definition of a resource, because it replaces the resource definition. This is useful to maintain idempotent operations amongst other reasons. The PAN-OS REST API works in the same way with the PUT-based methods. It would be best to, in your code, do a GET first, modify the resource, then do a PUT.

 

A feature request for future would be a PATCH-based HTTP method for the PAN-OS REST API to be able to provide partial resource definitions.

Help the community: "Like" helpful comments, and click "Accept as Solution" if you found your answer 🙂

Thanks for the info

 

  • 1 accepted solution
  • 1945 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!