
Trying to programmatically move an address and address group via the api


L1 Bithead

Hi all.  Relatively new to using the API, and having an issue that is troubling me.  Perhaps someone could help out. 

 

We have a requirement to move a large number of addresses and address-groups from the Shared region, to specific device-groups, as part of a major clean-up operation.  I have taken this on, as the automation guy, and am running into an error that doesn't make total sense to me, when I try to move an address.  My feeling is that there is a mistake in the request that I'm making that is causing the error to occur, but I'm not familiar enough with the API syntax to be able to readily diagnose.

 

I am trying to move the address 'python test' from Shared to DC03-QAINTERNET, and I've been basing the attempts off the notes here:

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-panorama-api/pan-os-xml-api-request-types/config...

 

Here is the call I'm making:

https://URL/api/?APIKEY&type=config&action=move&xpath=/config/shared/address/entry[@name='python test']
&cmd=
<request cmd="multi-move" to="/config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='Extranet-Shared']/address">
  <selected-list>
    <source xpath="/config/shared/address">
      <member>python test</member>
    </source>
  </selected-list>
  <all-errors>no</all-errors>
</request>

(I've broken out the xml for easier reading)

I have edited this call from the original call in the documentation I found, but the result is the same.  I got the above xml from using the Debug feature, recording the move when I did it in the UI, and tried to incorporate it using the documentation.

 

I get this response:

<response status="error" code="13"><msg><line>Cannot move a top level object that is not moveable</line></msg></response>
 

The problem is that I know this is a moveable address, as I have moved it back and forth using the UI.  I'm using the show command before calling the move command, and that is working successfully.  I have created this address in the Shared space, and it is not in an address group, so that's not an issue.

 

I have edited the call from the original call in the documentation I found, but the result is the same.  I got the above xml from using the Debug feature, recording the move when I did it in the UI.

 

Another thing that I wonder about is that, looking up the error codes here (https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-panorama-api/get-started-with-the-pan-os-xml-api...) I see that error code 13 is 'Object not found', which makes me think that there's something in my syntax that's off a little.

 

Any help with this would be greatly appreciated.

 

Thank you,

-Timothy

4 REPLIES 4

L5 Sessionator

Hi @MarketAxess,

You were on the right path. The documentation for this one is here (on 9.1 as per your docs link in the original post).

The multi-move option is one of the options for action, when making XML API calls of type config. Where move is another option, you would not combine them together. Others include set, edit, delete etc:

Screenshot 2022-11-01 at 11.53.43.png

 

What worked for me and hopefully for you, to move an address object from shared to a DG, would be:

https://{{host}}/api/?key={{key}}&type=config&action=multi-move&xpath=/config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='{{device-group-name}}']/address&element=<selected-list><source xpath="/config/shared/address"><member>{{address-object-name}}</member></source></selected-list><all-errors>yes</all-errors>

 

Hope that helps!

Help the community: "Like" helpful comments, and click "Accept as Solution" if you found your answer 🙂
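
The multi-move request from the reply above, as an added example that is not part of the original thread: it builds the URL with the XPath and element properly encoded and parses the XML reply, using the error quoted in the original post as sample input. The function names and the host `panorama.example` are assumptions, and sending the key in the `X-PAN-KEY` header rather than the query string assumes PAN-OS 9.0 or later.

```python
import urllib.request
import xml.etree.ElementTree as ET
from urllib.parse import urlencode
from xml.sax.saxutils import escape

LOCALHOST = "/config/devices/entry[@name='localhost.localdomain']"
SHARED_ADDRESS = "/config/shared/address"

def build_multi_move_url(host, device_group, names):
    """URL that moves shared address objects into device_group (hypothetical helper)."""
    if "'" in device_group:
        raise ValueError("device-group name would break out of the XPath predicate")
    # xpath is the DESTINATION container; the source list travels in element.
    xpath = f"{LOCALHOST}/device-group/entry[@name='{device_group}']/address"
    members = "".join(f"<member>{escape(n)}</member>" for n in names)
    element = (f'<selected-list><source xpath="{SHARED_ADDRESS}">{members}'
               "</source></selected-list><all-errors>yes</all-errors>")
    # action is multi-move on its own; it is not nested inside action=move.
    query = urlencode({"type": "config", "action": "multi-move",
                       "xpath": xpath, "element": element})
    return f"https://{host}/api/?{query}"

def parse_response(body):
    """Return (status, code, message) from a PAN-OS XML API reply."""
    root = ET.fromstring(body)
    lines = [line.text or "" for line in root.iter("line")]
    message = "; ".join(lines) or "".join(root.itertext()).strip()
    return root.get("status"), root.get("code"), message

def move_to_device_group(host, api_key, device_group, names):
    """Send the request; the key goes in a header so it stays out of the URL."""
    req = urllib.request.Request(build_multi_move_url(host, device_group, names),
                                 headers={"X-PAN-KEY": api_key})
    with urllib.request.urlopen(req, timeout=30) as resp:  # TLS verified by default
        return parse_response(resp.read())

# Constructed sample: the error reply quoted in the original post.
SAMPLE_ERROR = ('<response status="error" code="13"><msg><line>Cannot move a top level '
                'object that is not moveable</line></msg></response>')

if __name__ == "__main__":
    print(build_multi_move_url("panorama.example", "DC03-QAINTERNET", ["python test"]))
    print(parse_response(SAMPLE_ERROR))
```
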

L2 Linker

Hi Market,

You can use the PANOS Python module to do this task. It can be an alternative way. After I learned about this module, I didn't spend time trying to use the REST API. However, there are some configurations that are more efficient through the REST API. Anyway, I hope that the following suggestions work for you:

 

 

#Import Modules

from panos import base
from panos import firewall
from panos import panorama
from panos import policies
from panos import objects
from panos import network
from panos import device

 

#Credentials

username = 'admin'
password = 'admin'
device_name = 'panoramalab.mylab.com'

 

#You need to instantiate a panorama login object:

pano = panorama.Panorama(device_name, username, password)

 

#You can use the script below to pull all Templates:

templates_pan = panorama.Template.refreshall(pano)

 

#You can use the script below to pull all DeviceGroups from Panorama:

device_grp_pan = panorama.DeviceGroup.refreshall(pano)

 

#Optional step: You will receive a list with Templates or Devicegroup python objects:

print(templates_pan)
print(device_grp_pan)

 

#Optional step:
#Since the result is an iterable list, you can loop over each object with 'for':

for template in templates_pan:
    '''You can use the "about" method to verify some Template parameters'''
    print(template.about())

 

#Optional step:
#Since the result is an iterable list, you can loop over each object with 'for':

for dg in device_grp_pan:
    '''You can use the "about" method to verify some Device-Group parameters'''
    print(dg.about())

 

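#Optional step: inspect a single Template / Device-Group (here the first of each list, if any):

if templates_pan:
    print(templates_pan[0].about())
if device_grp_pan:
    print(device_grp_pan[0].about())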

 

#Since we want the Shared addresses, we have two options to get addresses from Shared:
#Method 1:

addresses = objects.AddressObject.refreshall(pano)

 

#And you can verify the addresses as below:

for addr in addresses:
    print(addr.about())

 

#Method 2:
#Define the device group 'Shared'

source_dg = panorama.DeviceGroup('Shared')
pano.add(source_dg)

 

#Define the Destination Device-Group:

destination_dg = panorama.DeviceGroup('Asimov_DG')
pano.add(destination_dg)

 

#Get address objects from Shared:

addresses = objects.AddressObject.refreshall(pano)

for addr in addresses:
    print(addr.about())

 

#Now that you have the addresses from Shared, you can remove them from Shared:
#First, ensure that the object is not being used by any other device-group or address-group,
#or you will receive an error similar to the one below:
'''PanDeviceXapiError:   20.20.20.1 cannot be deleted because of references from:
 shared -> address-group -> test -> static
 shared -> address-group -> Test-1 -> static
'''

 

for addr in addresses:
    delete_srv = objects.AddressObject(**addr.about())
    pano.add(delete_srv)
    #Use method "delete" to delete address
    #You're not committing anything; if required you can do a rollback in Panorama itself
    delete_srv.delete()
    print(f'[-] Object below removed from DG: {source_dg.name}')
    print(addr.about())
    print('*'*60)

 

#To apply the addresses in the destination DG, you can do this through another FOR:

for addr in addresses:
    apply_in_dg = objects.AddressObject(**addr.about())
    destination_dg.add(apply_in_dg)
    apply_in_dg.create()
    print(f'The following address is deployed in the Device-Group: {destination_dg.name}')
    print(addr.about())
    

 

#OR, you can delete from Shared and add to the dedicated DG in one pass:

for addr in addresses:
    address_object = objects.AddressObject(**addr.about())
    pano.add(address_object)
    #Use method "delete" to delete address
    #You're not committing anything; if required you can do a rollback in Panorama itself
    address_object.delete()
    print(f'[-] Object below removed from DG: {source_dg.name}')
    print(addr.about())
    print('*'*60)    
    destination_dg.add(address_object)
    address_object.create()
    print(f'The following address is deployed in the Device-Group: {destination_dg.name}')
    print(addr.about())

 

 

Thank you so much.  That solved the issue.  And thanks for the link to the documentation.  For some reason, I was unable to find that page in all my searching.  I'll bookmark it, and start my next search from there.

 

-Timothy

This is awesome.  Thank you so much!  I will definitely be looking into this on my next steps.  It looks like it will be much easier than the API, and can speed development going forward.  I'll definitely look into it!

 

-Timothy
