Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

Using the REST interface for XML API

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Using the REST interface for XML API

Not applicable

Howdy,

I have been using the REST interface for pulling reporting and config data using constructed URLs in scripts.  All that works well.  What I have been unable to do is use the set action for config.  I am using a key generated for a sysadmin user, but consistently get an "Unauthorized request" message:

<response status="unauth" code="16">

<msg>
<line>Unauthorized request</line>

</msg>

</response>

I am using the syntax from the Using the XML API document to send the request:

https://server/esp/restapi.esp?type=config&action=set&key=oursecretkey&xpath=devices/entry/vsys/entr...[@name='test']&element=<fqdn>test.domain.edu</fqdn>

Is this incorrect?  Is there more documentation somewhere that can give more detail on how these API URLs should be constructed?

I am using PANOS 4.0.4

Thank you,

Daniel

1 accepted solution

Accepted Solutions

L1 Bithead

Hi,

Try to update your request with the following parameters:

  • action=edit
  • xpath=/config/devices/entry/vsys/entry/address/entry[@name='test']

Regards,

Adrien

View solution in original post

8 REPLIES 8

Not applicable

I can give details of what I actually am trying to do:

1. Custom report that tells me top source IPs of blocked traffic

2. Use API to retrieve list

3. Based on list, create an address object for each source IP

4. Add each address object to an address group that is denied access

The the deny rule and the address group is already setup, I just need a way for my scripts to manage the addresses in the address group.

Hi,

This is a great example and I will use it for documenting some API examples next week for a primer I am drafting on working with the XML API.  Thank You for the details.

Marc

That's great!  I am looking forward to seeing that primer.  That is one of our workflows that we hope to setup, but there are others that I would like to implement once I can fully utilize the API.

L1 Bithead

Hi,

Try to update your request with the following parameters:

  • action=edit
  • xpath=/config/devices/entry/vsys/entry/address/entry[@name='test']

Regards,

Adrien

That did it!  I am on my way to dynamic and automated management of access!

Thanks Novidys.

I now have a script that looks at the top x unauthenticated blocked users in the last 24 hours, and if the repeat count is high enough, it creates an address entry for the ddns FQDN address (so it follows them), adds that address to an address group, which has a captive portal rule applied to force authentication.  That way, "good" users are not forced to authenticate, and "bad" users are.

This thread is dead by now but on the off chance. Why did you use edit instead of set? I too am getting this unauth error and cannot figure out why because other commands work like system updates.

 

BTW using the pan-python instead but I can try to hit the end point also. 

You can use 'edit' or 'set.  Edit will replace the existing config, Set will add to it.  Keep in mind when you use Edit you have to specify the element you're replacing.  Here are examples of set and edit used to modify the 'fqdn' of the address object:

 

  • action=set
  • xpath=/config/devices/entry/vsys/entry/address/entry[@name='test']
  • element=<fqdn>test.domain.edu</fqdn>

or

  • action=edit
  • xpath=/config/devices/entry/vsys/entry/address/entry[@name='test']/fqdn
  • element=<fqdn>test.domain.edu</fqdn>

 

For an example like this, set and edit are basically the same, but if you were performing set or edit on the address object, then they are different because set is non-destrictive and will merge the existing config with the new element, while edit is destrictive and will replace the existing address object with the new element.

 

Since you're using pan-python, you might also be interested in a new library from Palo Alto Networks called the Device Framework.  It allows you to interact with the API without having touch XML or XPaths.  Everything is object oriented so you just create and modify objects in python like you would on the firewall GUI or CLI.

 

With the Device Framework, the above address object could be created easily using this code.  No XML, XPaths, or API-Key required:

 

from pandevice import firewall, objects

fw = firewall.Firewall('10.0.0.1', 'admin', 'yourpassword')

address_obj = objects.AddressObject('test', 'test.domain.edu', 'fqdn')

fw.add(address_obj)

address_obj.create()

 

More information about the Palo Alto Networks Device Framework is available here:

 

Documentation
http://pandevice.readthedocs.io/en/latest/readme.html

Intro Presentation
http://paloaltonetworks.github.io/pandevice/

  • 1 accepted solution
  • 8122 Views
  • 8 replies
  • 1 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!