05-27-2021 08:45 AM
Hello,
I am attempting to add an address object using the API via PowerShell. I am able to log on, get the key, and pull down the current list of shared objects. When I attempt to add one, I receive a 400 error. Here is my script. If you are able to help I would appreciate it.
#Step 1 | set the environment up so that it will ignore the cert error
add-type @"
using System.Net;
using System.Security.Cryptography.X509Certificates;
public class TrustAllCertsPolicy : ICertificatePolicy {
    public bool CheckValidationResult(
        ServicePoint srvPoint, X509Certificate certificate,
        WebRequest request, int certificateProblem) {
        return true;
    }
}
"@
[System.Net.ServicePointManager]::CertificatePolicy = New-Object TrustAllCertsPolicy
#Step 2 | acquire Credentials from the user
$username = read-host 'Username: '
$password = read-host 'Password: '
#Step 3 | exchange credentials for your personal API Key
$Response = Invoke-WebRequest -URI https://<DEVICE_URL>/api/?type=keygen"&"user=$username"&"password=$password
#Step 4 | Strip chaff and re-format
$Response = $response.content.substring(42)
$key = $Response.Substring(0,$Response.Length-26)
$xkey = @{ 'X-PAN-KEY' = $key}
#Step 5 | Clean up variables we no longer need
Remove-Variable username
Remove-Variable password
Remove-Variable key
#TODO / Beyond here is in varying states of broken
Invoke-WebRequest -Method POST -Header $xkey -URI https://<DEVICE_URL>/restapi/9/Objects/Addresses?location=shared"&"name=TutorialEntry -body $body
05-27-2021 09:41 AM - edited 05-27-2021 09:43 AM
Hi @jkostic1,
I can't help much on the PowerShell side, but the final line in your script needs to have a request that looks something like this:
https://{{host}}/restapi/v10.0/Objects/Addresses?name={{object-name}}&location=vsys&vsys=vsys1
Then the body you pass in needs to look something like this (you didn't share what's in the $body variable):
{
    "entry": {
        "@name": "My-Address",
        "ip-netmask": "8.8.8.8",
        "description": "My test address"
    }
}
POSTing my REST API call above with Postman works fine, so you just need to translate that into your PowerShell script with the variable names you're using.
Maybe it's the shared part in your location, are you on single-vsys or multi-vsys firewall?
Or the version? These are the acceptable versions in the API endpoint URI (obviously you can only go up to the version which matches the PAN-OS version your firewall is currently running, you can't target v10.0 on a v9.1 firewall, etc):
https://{{host}}/restapi/9.0/...
https://{{host}}/restapi/v9.1/...
https://{{host}}/restapi/v10.0/...
Hope that helps!
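A PowerShell translation of the request and JSON body from the reply above, as an added example that is not part of the thread. It assumes a placeholder hostname (`firewall.example.com`), a firewall certificate the client already trusts (no `TrustAllCertsPolicy` override), and the `vsys1` location from the reply; the keygen credentials go in the POST body and the key is read from the parsed XML rather than by `Substring` offsets.

```powershell
# Added example: the values below are placeholders/assumptions, not taken from a real device.
$fwHost     = 'firewall.example.com'   # placeholder hostname
$apiVersion = 'v10.0'                  # must not exceed the PAN-OS version running on the device
$objectName = 'My-Address'

# Prompt without echoing the password. No certificate-validation override is installed,
# so the firewall's certificate must chain to a CA this host trusts.
$cred = Get-Credential -Message 'PAN-OS API user'

# Keygen: a hashtable body on POST is sent form-encoded, keeping the
# credentials out of the URL (and out of proxy and web-server logs).
$keygen = Invoke-RestMethod -Method Post -Uri "https://$fwHost/api/?type=keygen" -Body @{
    user     = $cred.UserName
    password = $cred.GetNetworkCredential().Password
}

# Invoke-RestMethod parses the XML reply: <response status='success'><result><key>...
if ($keygen.response.status -ne 'success') { throw 'keygen did not return success' }
$headers = @{ 'X-PAN-KEY' = $keygen.response.result.key }

# Body shape from the reply above: one "entry" whose @name matches the name query parameter.
$body = @{
    entry = @{
        '@name'      = $objectName
        'ip-netmask' = '8.8.8.8'
        description  = 'My test address'
    }
} | ConvertTo-Json -Depth 4

$uri = "https://$fwHost/restapi/$apiVersion/Objects/Addresses" +
       "?name=$([uri]::EscapeDataString($objectName))&location=vsys&vsys=vsys1"

try {
    Invoke-RestMethod -Method Post -Uri $uri -Headers $headers `
        -ContentType 'application/json' -Body $body
}
catch {
    # On a 4xx the response body (when available in ErrorDetails) names the rejected field.
    Write-Error "Request failed: $($_.Exception.Message) $($_.ErrorDetails.Message)"
}
```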
05-27-2021 11:19 AM
Hey Jimmy,
Thanks for the quick reply! You helped me a great deal just by mentioning using a client instead of PowerShell. My original request works now as I had it except I used a client and used your JSON formatting.
05-28-2021 03:25 AM
Great news @jkostic1, happy to help. There are parameters to control the input/output format too (e.g. &input-format=json&output-format=json) in case you wanted to use XML.
For future reference, the docs are here (and there's a PDF download button too): https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-panorama-api/get-started-with-the-pan-os-rest-a.... Also the firewall has docs onboard, at https://{{firewall-hostname}}/restapi-doc