11-02-2017 05:38 AM
Hello!
This morning started with me pulling my hair out...just like yesterday ended. So, here I am. I want to query our Palo Alto firewall via the API to show me security rules...not a big deal. However, the device has two vsys's (or however you write that), and the API query only revealed one security policy, which I know is not right. I've been using the API GUI to poke around, but I keep getting the same results:
/config/devices/entry[@name=<thingy>]/vsys/entry[@name='vsys1']/rulebase/security
Gives me:
<response status="success" code="19">
<result total-count="1" count="1">
<security>
<rules>
blah blah blah
I know this can't be right. I've checked the other vsys via this query and it has ZERO results, which is also wrong. Is this, perhaps, a permissions issue? Or, is the way our device is split into two vsys's causing the problem?
Of very interesting note: I exported the running config directly from this device and got the same results! Only one security policy shows up under vsys1 and ZERO are in vsys2? I don't understand...
11-02-2017 05:50 AM
Are the ones in question Panorama pushed configuration or local configuration? What code branch and model are you dealing with?
11-02-2017 05:53 AM
Sorry...I committed the cardinal sin. Here's what we're working with:
All configs are pushed via Panorama.
Panorama and the device in question are both on 7.1.12. I should be looking at the API in Panorama, shouldn't I?
11-02-2017 06:23 AM
Exactly. It only shows local configuration where you're looking. Alternatively, you can do type=op and cmd=<show><running><security-policy></security-policy></running></show> which should return all the ones in effect if that's what you're after.
11-02-2017 06:48 AM
Got it...thx.
Any luck calling an API key via PowerShell instead of embedding it in the request? I wonder if Palo Alto's API can't accept additional headers? I can't seem to find this information anywhere. If I embed my API key in my GET request, I auth successfully. When I call the API key using the "-headers" function in PowerShell, no worky. Thoughts? I know this is a separate concept, but I'm grasping at straws here.
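Added example (not part of any post in this thread, and not Palo Alto's own code): the two requests contrasted in the 06:23 AM reply, a local-config query per vsys and the running-policy op command, built as POST form bodies so the API key is not embedded in the URL as in the last post. Assumptions: the host `fw.example.com`, the key `PLACEHOLDER-KEY`, the device entry name `localhost.localdomain`, that the API accepts its parameters as a POSTed form, and both sample responses, which are constructed.

```python
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

def rulebase_xpath(device, vsys):
    """XPath of one vsys's local security rulebase, as used in the question."""
    return (f"/config/devices/entry[@name='{device}']"
            f"/vsys/entry[@name='{vsys}']/rulebase/security")

def config_get_params(device, vsys):
    """Local configuration only; Panorama-pushed rules are not under this XPath."""
    return {"type": "config", "action": "get",
            "xpath": rulebase_xpath(device, vsys)}

def running_policy_params():
    """Op command from the reply: the security policy actually in effect."""
    return {"type": "op",
            "cmd": "<show><running><security-policy></security-policy></running></show>"}

def build_request(host, params, api_key):
    """Put every parameter, key included, in the form body (assumed accepted)."""
    body = urllib.parse.urlencode({**params, "key": api_key}).encode()
    return urllib.request.Request(f"https://{host}/api/", data=body, method="POST")

def local_rule_names(response_xml):
    """Rule names in a type=config response; raises if the API reports failure."""
    root = ET.fromstring(response_xml)
    if root.get("status") != "success":
        raise RuntimeError(f"API error, code={root.get('code')}")
    return [e.get("name") for e in root.findall("./result/security/rules/entry")]

# Constructed responses: vsys1 holds one locally defined rule, vsys2 none,
# matching what the question reports for a Panorama-managed firewall.
SAMPLE_VSYS1 = """<response status="success" code="19">
<result total-count="1" count="1"><security><rules>
<entry name="local-rule-1"><action>allow</action></entry>
</rules></security></result></response>"""
SAMPLE_VSYS2 = '<response status="success"><result total-count="0" count="0"/></response>'

if __name__ == "__main__":
    for params in (config_get_params("localhost.localdomain", "vsys2"),
                   running_policy_params()):
        req = build_request("fw.example.com", params, "PLACEHOLDER-KEY")
        print(req.get_method(), req.full_url, req.data.decode())
    print(local_rule_names(SAMPLE_VSYS1), local_rule_names(SAMPLE_VSYS2))
```

Nothing is sent until a request object is passed to `urllib.request.urlopen`, which verifies the firewall's TLS certificate by default.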