10-19-2017 01:07 PM - edited 10-19-2017 01:22 PM
Hi all,
So far I've been able to sort out and match various device group objects according to my needs.
Now I'm trying to find in the API where I can retrieve information on Security and NAT rules so I can view attributes.
My goal is to see what sub-tags are available in the schema for those objects so I can discover via a script I'll write which of my objects are utilizing security rules.
The API browser shows "<show><rule-use><type>used</type></rule-use></show>" as an option, but when I attempt to submit it, it states that rule-base is required. I added that tag into the query, then got a message saying device-group is required.
So, I added that as well along with my intended device group name, but then got the following as output:
<response status="success" code="19"> <result> <msg> <line>query job enqueued with jobid 222269</line> </msg> <job>222269</job> </result> </response>
Not really the information I'm after. If anyone knows the appropriate way to view what security rules are applied to device groups (or perhaps what device groups have security rules associated with them), or can simply suggest a way to get more information on security or NAT rules, I'd be very grateful.
Cheers
10-21-2017 08:29 AM
Hi,
The query you are performing is to look at which rules have been used on the firewall since last reboot, not to query for the rules configured. I use this function to look for unused rules on our firewalls.
To get the rules for a firewall in Panorama I have used the following xpath:
?type=op&cmd=<show><config><running><xpath>devices/entry/device-group/entry[@name="DEVICEGROUP"]/post-rulebase/security</xpath></running></config></show>
Of course, adjust the post/pre-rulebase and security/nat as you see fit.
Hope that helps!
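The following script is an added illustration of the approach in the answer above; it is not code from the thread or from Palo Alto Networks. It builds the same "<show><config><running><xpath>...</xpath></running></config></show>" op command for a given device group and rulebase, parses the rulebase XML that comes back, and distinguishes that from the "query job enqueued" response the question ran into with "<show><rule-use>". The response XML below is constructed for offline use and only assumes the usual PAN-OS layout of rules/entry with member lists; the allow-list on the device-group name is a conservative assumption of this example, chosen because the name is interpolated into an XPath string literal.

```python
"""Fetch and inspect a Panorama device-group rulebase via the XML API.

Added illustration, not the thread's or the vendor's code. Assumes the
op command shown in the answer above, PAN-OS style <response> XML, and an
API key obtained separately. The sample XML below is constructed.
"""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

# Conservative allow-list (assumption of this example): the name lands inside
# an XPath string literal, so anything that could close the quote or alter the
# path is refused rather than escaped.
SAFE_NAME = re.compile(r"^[A-Za-z0-9 _.-]{1,63}$")


def build_cmd(device_group, rulebase="post-rulebase", kind="security"):
    """Return the op command from the answer, parameterised on device group,
    pre/post rulebase and security/nat rule kind."""
    if rulebase not in ("pre-rulebase", "post-rulebase"):
        raise ValueError(f"unknown rulebase: {rulebase}")
    if kind not in ("security", "nat"):
        raise ValueError(f"unknown rule kind: {kind}")
    if not SAFE_NAME.match(device_group):
        raise ValueError(f"refusing device-group name {device_group!r}")
    xpath = (f'devices/entry/device-group/entry[@name="{device_group}"]'
             f'/{rulebase}/{kind}')
    return f"<show><config><running><xpath>{xpath}</xpath></running></config></show>"


def build_query(api_key, device_group, **kw):
    """Query string for GET https://<panorama>/api/?... (host is a placeholder)."""
    return urlencode({"type": "op", "cmd": build_cmd(device_group, **kw), "key": api_key})


def parse_rules(xml_text):
    """Turn a rulebase response into a list of dicts, one per rule entry."""
    root = ET.fromstring(xml_text)
    if root.tag != "response" or root.get("status") != "success":
        raise RuntimeError("API error: " + (root.findtext(".//line") or xml_text[:200]))
    job = root.findtext("./result/job")
    if job is not None:
        # The <show><rule-use> path from the question answers with a job id;
        # that job has to be polled separately and is not a rulebase.
        raise RuntimeError(f"response is a queued job ({job}), not a rulebase")
    rules = []
    for e in root.findall("./result/*/rules/entry"):
        members = lambda tag: [m.text for m in e.findall(f"{tag}/member")]
        rules.append({
            "name": e.get("name"),
            "action": e.findtext("action"),
            "from": members("from"),
            "to": members("to"),
            "source": members("source"),
            "destination": members("destination"),
            "application": members("application"),
            "service": members("service"),
            "disabled": e.findtext("disabled") == "yes",
        })
    return rules


def wide_open(rules):
    """Names of enabled allow rules matching any source and any destination:
    a first triage list when reviewing a device group's rulebase."""
    return [r["name"] for r in rules
            if r["action"] == "allow" and not r["disabled"]
            and r["source"] == ["any"] and r["destination"] == ["any"]]


# Constructed sample of a post-rulebase/security response (not captured output).
SAMPLE_RESPONSE = """<response status="success"><result total-count="1" count="1">
<security><rules>
<entry name="allow-web"><from><member>trust</member></from><to><member>untrust</member></to>
<source><member>any</member></source><destination><member>any</member></destination>
<application><member>web-browsing</member></application>
<service><member>application-default</member></service><action>allow</action></entry>
<entry name="block-bad"><from><member>any</member></from><to><member>any</member></to>
<source><member>any</member></source><destination><member>bad-hosts</member></destination>
<application><member>any</member></application><service><member>any</member></service>
<action>deny</action></entry>
<entry name="old-allow"><from><member>any</member></from><to><member>any</member></to>
<source><member>any</member></source><destination><member>any</member></destination>
<application><member>any</member></application><service><member>any</member></service>
<action>allow</action><disabled>yes</disabled></entry>
</rules></security></result></response>"""

# The job-enqueued response quoted in the question.
JOB_RESPONSE = ('<response status="success" code="19"><result><msg>'
                '<line>query job enqueued with jobid 222269</line></msg>'
                '<job>222269</job></result></response>')

if __name__ == "__main__":
    print(build_query("API_KEY_PLACEHOLDER", "DEVICEGROUP"))
    parsed = parse_rules(SAMPLE_RESPONSE)
    print(len(parsed), "rules; wide open:", wide_open(parsed))
```

Run it against each device group name you already collected and, if "parse_rules" returns an empty list, the group has no rules in that pre/post rulebase; repeat for "kind='nat'" for the NAT rulebase.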
10-19-2017 01:47 PM
I think I understand what you're saying, but just to be clear:
10-19-2017 03:22 PM
10-20-2017 06:13 AM
I would recommend looking at the API browser and see what the call returns to write your logic. There is some variance between PAN-OS versions so without specifically what you're trying to look into it would be hard to assess one way or the other.