I’ve run into a challenge with using the REST API to get the security policy from device groups in Panorama. I’m hoping you may know someone who can answer this.
If I use the XML API and get the policy from a particular device group, I get only the rule that belong to that device group, which is what I want.
If I use the equivalent REST API to get the same policy, I end up getting all rules from all parent device groups, which is not what I want.
Assuming my device group hierarchy looks like the following:
Using XML API to get the PreRule security policy from Child2, I get only rules defined in Child2.
Using REST API to get the PreRule security policy from Child2, I get the rules from both Child1 and Child2.
At first, this looks like a bug, but if you think about it, returning the entire policy makes sense because the child2 policy does actually inherit all the rules from child1 and shared. I could live with this if the "location" field was set properly, unfortunately, the location field in the policy from child2 always lists "child2". IMHO this is a bug.
Why use Rest API when XML API does the job? The answer is quite simple, the JSON formatted output returned by the Rest API is so much more humane than the XML API. Not only is JSON way easier to deal with, but if you look at the actual data returned, the Rest API is so much cleaner than the XML API (at least for Policies).
For now, I am using the following workaround.
Fetch the security policy for child1, fetch the security policy for child2, diff them, any rule from child2 that does not appear in child1 must belong only to child2. This is an ugly workaround, but still better than dealing with the XML API.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!