Unable to create an address object using the API from Powershell

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Unable to create an address object using the API from Powershell

L0 Member

Hello,

 

I am attempting to add an address object using the API via PowerShell. I am able to logon, get the key, and pull down the current list of shared objects. When I attempt to add one, I receive a 400 error. Here is my script. If you are able to help I would appreciate it. 

 

#Step 1 | set the environment up so that it will ignore the cert error

add-type @"
    using System.Net;
    using System.Security.Cryptography.X509Certificates;
    public class TrustAllCertsPolicy : ICertificatePolicy {
        public bool CheckValidationResult(
            ServicePoint srvPoint, X509Certificate certificate,
            WebRequest request, int certificateProblem) {
            return true;
        }
    }
"@
[System.Net.ServicePointManager]::CertificatePolicy = New-Object TrustAllCertsPolicy

#Step 2 | acquire Credentials from the user

$username = read-host 'Username: ' 
$password = read-host 'Password: ' 

#Step 3 | exchange credentials for your personal API Key

$Response = Invoke-WebRequest -URI https://<DEVICE_URL>/api/?type=keygen"&"user=$username"&"password=$password 

#Step 4 | Strip chaff and re-format

$Response = $response.content.substring(42) 
$key = $Response.Substring(0,$Response.Length-26) 
$xkey = @{ 'X-PAN-KEY' = $key}

#Step 5 | Clean up variables we no longer need

Remove-Variable username
Remove-Variable password
Remove-Variable key

#TODO / Beyond here is in varying states of broken

Invoke-WebRequest -Method POST -Header $xkey -URI https://<DEVICE_URL>/restapi/9/Objects/Addresses?location=shared"&"name=TutorialEntry -body $body
Best Regards,

Jeff
1 accepted solution

Accepted Solutions

L5 Sessionator

Hi @jkostic1,

 

I can't help much on the PowerShell side, but the final line in your script needs to have a request that looks something like this:

 

https://{{host}}/restapi/v10.0/Objects/Addresses?name={{object-name}}&location=vsys&vsys=vsys1

 

 

Then the body you pass in needs to look something like this (you didn't share what's in the $body variable):

 

{
    "entry": {
        "@name": "My-Address",
        "ip-netmask": "8.8.8.8",
        "description": "My test address"
    }
}

 

 

POSTing my REST API call above with Postman works fine, so you just need to translate that into your PowerShell script with the variable names you're using.

 

Maybe it's the shared part in your location, are you on single-vsys or multi-vsys firewall?

 

Or the version? These are the acceptable versions in the API endpoint URI (obvisouly you can only go up to the version which matches the PAN-OS version your firewall is currently running, you can't target v10.0 on a v9.1 firewall, etc):

 

https://{{host}}/restapi/9.0/...
https://{{host}}/restapi/v9.1/...
https://{{host}}/restapi/v10.0/...

 

 

Hope that helps!

Help the community: "Like" helpful comments, and click "Accept as Solution" if you found your answer 🙂

View solution in original post

3 REPLIES 3

L5 Sessionator

Hi @jkostic1,

 

I can't help much on the PowerShell side, but the final line in your script needs to have a request that looks something like this:

 

https://{{host}}/restapi/v10.0/Objects/Addresses?name={{object-name}}&location=vsys&vsys=vsys1

 

 

Then the body you pass in needs to look something like this (you didn't share what's in the $body variable):

 

{
    "entry": {
        "@name": "My-Address",
        "ip-netmask": "8.8.8.8",
        "description": "My test address"
    }
}

 

 

POSTing my REST API call above with Postman works fine, so you just need to translate that into your PowerShell script with the variable names you're using.

 

Maybe it's the shared part in your location, are you on single-vsys or multi-vsys firewall?

 

Or the version? These are the acceptable versions in the API endpoint URI (obvisouly you can only go up to the version which matches the PAN-OS version your firewall is currently running, you can't target v10.0 on a v9.1 firewall, etc):

 

https://{{host}}/restapi/9.0/...
https://{{host}}/restapi/v9.1/...
https://{{host}}/restapi/v10.0/...

 

 

Hope that helps!

Help the community: "Like" helpful comments, and click "Accept as Solution" if you found your answer 🙂

L0 Member

Hey Jimmy,

Thanks for the quick reply! You helped me a great deal just by mentioning using a client instead of Powershell. My original request works now as I had it except I used a client and used your JSON formatting. 

Best Regards,

Jeff

L5 Sessionator

Great news @jkostic1, happy to help. There are parameters to control the input/output format too (e.g. &input-format=json&output-format=json) in case you wanted to use XML.

For future reference, the docs are here (and there's a PDF download button too): https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-panorama-api/get-started-with-the-pan-os-rest-a.... Also the firewall has docs onboard, at https://{{firewall-hostname}}/restapi-doc

Help the community: "Like" helpful comments, and click "Accept as Solution" if you found your answer 🙂
  • 1 accepted solution
  • 3402 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!