Retrieve Device List and VSys names using Pan Rest API

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Retrieve Device List and VSys names using Pan Rest API

L1 Bithead

Hi All,

Our Panorama is configured to talk to multiple devices. These devices have multiple "vsys" configured. I am trying to use the Pan REST API to get a list of devices and vsys names that are in the Panorama, so a customer can choose which device and vsys the config commands can be sent to.

What API calls do I need to do to achieve this?

Thanks,

Venkat

1 accepted solution

Accepted Solutions

L4 Transporter

http(s)://your-panorama/api/?type=op&key=your-api-key&cmd=<show><devices><connected></connected></devices></show>

View solution in original post

10 REPLIES 10

L4 Transporter

http(s)://your-panorama/api/?type=op&key=your-api-key&cmd=<show><devices><connected></connected></devices></show>

Thank you ! That helped Smiley Happy

another alternative may be to use 'get' with the xpath below.

$ panxapi -t panorama -gxr /config/devices/entry/device-group/entry/devices

get: success

<devices><entry name="001606000471"/></devices><devices><entry name="0004C101452"><vsys><entry name="vsys2"/></vsys></entry></devices><devices><entry name="0004C101452"><vsys><entry name="vsys3"/></vsys></entry></devices><devices/>

L1 Bithead

Similarly, how can you retrieve a list of vsys names on a single firewall using the API? I know you can pull the whole /config/devices/entry/vsys tree, but that takes forever and returns a lot of extra data. I'm currently looking at pulling /config/devices/entry/vsys/entry[@name='vsysX']/display-name starting with X=1 and incrementing until I get an error, but that seems really dumb. Ideally I'd use /config/devices/entry/vsys/*/display-name but it looks like the "xpath" expressions in the API don't support wildcards.

Have you tried using the XPath contains() method with wildcard? As the API is using XPath 1.0, it seems you'd probably want to use this if you didn't want to iterate through a range of numbers as you had described.

I had not, but I just did. Unfortunately, a request for /config/devices/entry[@name='localhost.localdomain']/vsys/entry[contains(@name,'vsys')]/display-name returns "No such node".

Regarding the vsys question where you want to get the vsys id and display-name for all vsys without pulling the entire vsys configuration, there are a few ways to do this, some better than others.  Here are your options:

 

Option 1. Use OR or wildcard in xpath:

 

Example of or:

 

`/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1' or @name='vsys2' or @name='vsys3']/display-name`

 

Example of wildcard:

 

`/config/devices/entry[@name='localhost.localdomain']/vsys/entry[contains(@name, 'vsys')]/display-name`

 

These are both tested working, but the problem is you can't tell which vsys id corresponds to which vsys.  So if one vsys doesn't have a name, then the results can't be mapped to the right vsys.  I don't suggest using this method.

 

Option 2: Use action=complete

 

If you change the action parameter from 'get' to 'complete' you will get the vsys id and the vsys display-name in one line:

 

<response status="success" code="19">
  <completions>
    <completion value="vsys3" vxpath="/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys3']" current="yes" help-string="My-name" />
    <completion value="vsys1" vxpath="/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']" current="yes" />
    <completion value="vsys2" vxpath="/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys2']" current="yes" help-string="Another-name" />
  </completions>
</response>

This works if all you need is 'display-name'.  But if you need other Vsys attributes like 'import's then this won't help you.  Also, although there are no plans for the behavior of action=complete to change, it is an undocumeted and relatively unofficial action, so it is possible for the behavior to change without notice.

 

Option 3:  Use @name xpath followed by pulling attributes of the vsys individually

 

This is the most effective and well supported, but not necessarily the most efficient.  Start by pulling all the vsys IDs with this XPath:

 

`/config/devices/entry[@name='localhost.localdomain']/vsys/entry/@name`

 

 

<responseresponse status="success" code="19">
  <result total-count="3" count="3">
    <entry name="vsys1" />
    <entry name="vsys2" />
    <entry name="vsys3" />
  </result>
</response>

 

 Then, for each vsys ID, get the atribute of the Vsys that you want such as display-name using this Xpath:

 

`/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/display-name`

 

Call that xpath once for each vsys you got from the list of vsys to get each vsys display-name.  

 

Option 4: Use the Device Framework

 

The Device Framework is an object model for the firewall in a python library.  You can use this to easily pull all vsys attributes in a similar way to Option 3, but without having to use xpaths and xml.  Here's an example of how you would do this in python using the Device Framework:

 

### This section pulls the names of the vsys first, then for each vsys
### it pulls all the attributes including display-name, interfaces,
### virtual-routers, settings, etc.
>>> fw = firewall.Firewall('10.0.1.1', 'admin', 'password')
>>> all_vsys = device.Vsys.refreshall(fw, name_only=True)
>>> for vsys in all_vsys:
>>>    vsys.refresh(refresh_children=False)

>>> all_vsys[1]
<Vsys vsys2 0x10f3b9790>

### Here you can see all the attributes of vsys2
>>> all_vsys[1].about()
{'decrypt_forwarding': None,
 'display_name': 'My-name',
 'dns_proxy': None,
 'interface': ['ethernet1/7',
  'ethernet1/12.1234',
  'ethernet1/12.1800',
  'ethernet1/19',
  'ethernet1/19.2'],
 'name': 'vsys2',
 'virtual_routers': ['vsys2_vr'],
 'virtual_wires': None,
 'visible_vsys': None,
 'vlans': ['myvlan44']}

If there are N vsys, this method results in N+1 API calls, and is efficient because it gets all attributes of the Vsys without getting all the XML for the objects in the Vsys.

 

Another answer to original question on Panorama

 

Regarding the original question about how to get all the vsys and names from Panorama, you could also do this with the Device Framework.  Here is an example:

 

>>> pano = panorama.Panorama('10.0.0.2', 'admin', 'password')
>>> all_vsys = pano.refresh_devices(include_device_groups=False)

>>> all_vsys
[<Firewall '017200005065' 'vsys1' at 0x10f598710>,
 <Firewall '011101028983' 'vsys1' at 0x10f598c50>,
 <Firewall '011101428983' 'vsys2' at 0x10f5a01d0>,
 <Firewall '011101228983' 'vsys3' at 0x10f5a0710>,
 <Firewall '017100101301' 'vsys1' at 0x10f5a0c50>,
 <Firewall '017200801165' 'vsys1' at 0x10f5a0390>,
 <Firewall '011801328993' 'vsys1' at 0x10f5aa410>,
 <Firewall '017200301300' 'vsys1' at 0x10f5aa950>,
 <Firewall '017230601305' 'vsys1' at 0x10f5aae90>,
 <Firewall '017230001426' 'vsys1' at 0x10f666410>,
 <Firewall '011805028948' 'vsys1' at 0x10f666950>,
 <Firewall '011706005540' 'vsys1' at 0x10f666e90>,
 <Firewall '011707005540' 'vsys3' at 0x10f671410>,
 <Firewall '011708005540' 'vsys2' at 0x10f671950>,
 <Firewall '017201002065' 'vsys1' at 0x10f5aab10>,
 <Firewall '011702005529' 'vsys1' at 0x10f671fd0>,
 <Firewall '011701005729' 'vsys2' at 0x10f679550>,
 <Firewall '011701005629' 'vsys3' at 0x10f679a90>,
 <Firewall '017200005164' 'vsys1' at 0x10f679fd0>]
 
>>> all_vsys[0].serial
'017200005065'
>>> all_vsys[0].vsys 'vsys1' >>> all_vsys[0].vsys_name 'My-vsys-name'

 

Thanks! I'm now able to get things working using a wildcard match. Your suggestion of using action=complete doesn't work for me, though - when I use it, I get back an empty document like this:

 

<response status="success" code="19">
    <completions/>
</response>

Great, glad my suggestions were helpful!

 

For action=complete, make sure you're using this xpath:

 

`/config/devices/entry[@name='localhost.localdomain']/vsys`

Great, that's just what I need. Thanks!

  • 1 accepted solution
  • 11133 Views
  • 10 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!