Retrieving Security and NAT rules through API

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Retrieving Security and NAT rules through API

L2 Linker

Hi all,

 

So far I've been able to sort out and match various device group objects according to my needs.

 

Now I'm trying to find in the API where I can retrieve information on Security and NAT rules so I can view attributes.

 

My goal is to see what sub-tags are available in the schema for those objects so I can discover via a script I'll write which of my objects are utilizing security rules.

 

The API browser shows "<show><rule-use><type>used</type></rule-use></show>" as an option, but when attempting to submit it states that rule-base is required. I added that tag into the query, then got a message saying device-group is required.

 

So, I added that as well along with my intended device group name, but then got the following as output:

<response status="success" code="19">
<result>
<msg>
<line>query job enqueued with jobid 222269</line>
</msg>
<job>222269</job>
</result>
</response>
 

 

Not really the information I'm after. If anyone knows the appropriate way to view what security rules are applied to device groups (or perhaps what device groups have security rules associated with them), or simply suggest a way to get more information on security or NAT rules, I'd be very grateful.

 

Cheers

1 accepted solution

Accepted Solutions

L2 Linker

Hi,

 

The query you are performing is to look at which rules have been used on the firewall since last reboot, not to query for the rules configured. I use this function to look for unused rules on our firewalls.

 

To get the rules for a firewall in Panorama I have used the following xpath:

 

?type=op&cmd=<show><config><running><xpath>devices/entry/device-group/entry[@name="DEVICEGROUP"]/post-rulebase/security</xpath></running></config></show>

 

Of course, adjust the post/pre-rulebase and security/nat as you see fit.

 

Hope that helps!

 

 

View solution in original post

4 REPLIES 4

L4 Transporter

I think I understand what you're saying, but just to be clear:

  • this is in reference to the Panorama API?
  • what information are you trying to gather as far as the security policies is concerned, and what are you using to identify them? Tags? Just the rule name?

Yes, this is in reference to the panorama API.
Right now I am just trying to find out what information is available in a valid response'schema so I can see what data I can sort, etc. with my scripts.

Basically I am doing some scripting to assist another engineer. I'm new to the Palo world but have been a coder for some time.

I would recommend looking at the API browser and see what the call returns to write your logic. There is some variance between PAN-OS versions so without specifically what you're trying to look into it would be hard to assess one way or the other.

L2 Linker

Hi,

 

The query you are performing is to look at which rules have been used on the firewall since last reboot, not to query for the rules configured. I use this function to look for unused rules on our firewalls.

 

To get the rules for a firewall in Panorama I have used the following xpath:

 

?type=op&cmd=<show><config><running><xpath>devices/entry/device-group/entry[@name="DEVICEGROUP"]/post-rulebase/security</xpath></running></config></show>

 

Of course, adjust the post/pre-rulebase and security/nat as you see fit.

 

Hope that helps!

 

 

  • 1 accepted solution
  • 6477 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!