07-14-2021 08:46 AM - edited 07-15-2021 07:58 AM
Trying to find the correct syntax for querying Panorama for policy post rules by matching IP address (source or destination IP) using the PanOS XML API.
I have looked at:
Still not finding what I am looking for. Is it me, or is API not sufficiently well documented? Can anyone point me to where I can find documentation for each PanOS XML API endpoint, preferably with syntax examples for all possible endpoint parameters?
07-19-2021 10:13 AM
Hi @julio.toledo, I believe you're trying to use the "test policy match" feature via API? If so, I did something similar a couple of weeks ago. I did NAT rules, but you could easily change the API call below to use security rules instead.
https://{{panorama-host}}/api?key={{key}}&type=op&cmd=<request-batch><op-command><device><entry name="{{fw1-serial}}"><vsys><list><member>vsys1</member></list></vsys></entry><entry name="{{fw2-serial}}"><vsys><list><member>vsys1</member></list></vsys></entry></device><test><nat-policy-match><from>Management</from><to>External</to><source>172.31.10.50</source><destination>8.8.8.8</destination><destination-port>443</destination-port><protocol>6</protocol></nat-policy-match></test></op-command></request-batch>
I find the easiest way to find API calls is to debug the GUI, or debug the CLI.
07-19-2021 11:28 AM - edited 07-19-2021 11:31 AM
Thanks @JimmyHolland. Yes, I am trying to query security rules via API, either aggregate rules from all devices or from a particular device. However, I am not a network or firewall engineer, so things like PAN-OS CLI commands and the Panorama schema (objects, properties, etc.) are new to me.
I find it hard to understand that there is no online reference to the Panorama schema and how it maps to either CLI commands and/or API requests. Reverse engineering it by debugging the GUI or the CLI seems rather backwards, don't you agree?
07-19-2021 12:44 PM
Hi @julio.toledo, I understand learning the PAN-OS schema must be a challenge if you are new to PAN-OS and firewalls/network-security/networking. There is no exhaustive list of XML API endpoints to the full extent, which is why the debug approach usually works best, especially as the CLI/GUI are themselves clients of the XML API. The newer REST API is improving this situation, however, and continues to gain coverage with each release of PAN-OS, so that's something to keep an eye on.
07-22-2021 09:23 AM
Thanks @JimmyHolland, I figured out how to structure a 'security-policy-match'; however, it requires arguments that make the query far too specific/narrow. It seems that both 'protocol' and 'destination-port' are required, and neither one allows 'any' or '*' or even a range of values (integers only).
Is there a way to match policies across:
07-23-2021 02:07 AM
Hi @julio.toledo, the API structure for this feature will match what you see in the GUI, where there are indeed mandatory fields (the red boxes) like destination ports, and protocol is a drop-down between TCP/UDP/ICMP:
I think this feature is designed to give people a way to test if specific traffic will theoretically pass through the firewall, rather than the very broad and almost audit-type requirement which you have. If you talk with your allocated Systems Engineer or reseller (if you're unsure who they are, send me a direct message on here and I will assist) then they will be able to discuss your requirements and potentially raise a feature request.
Other options to fulfil your requirements would involve an approach of systematically checking the live configurations of your firewall estate, by exporting the Panorama running config and walking through the XML data in your programming language of choice.
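The config-walk approach suggested above, as an added example that is not part of the original post or of any Palo Alto tool: it parses a constructed Panorama-style running config, resolves address objects in shared and device-group scope, and reports post-rulebase security rules whose source or destination covers a given IP. The element paths follow the Panorama config tree as I understand it and are an assumption; address groups and FQDN objects are not resolved.

```python
# Added example, not from the thread: walk a Panorama running-config export and
# list post-rulebase security rules whose source or destination covers an IP.
import ipaddress
import xml.etree.ElementTree as ET

# Constructed fragment shaped like a Panorama running config (paths assumed).
SAMPLE_CONFIG = """<config>
 <shared><address><entry name="dns-google"><ip-netmask>8.8.8.8/32</ip-netmask></entry></address></shared>
 <devices><entry name="localhost.localdomain"><device-group><entry name="Branch-DG">
  <address><entry name="mgmt-net"><ip-netmask>172.31.10.0/24</ip-netmask></entry></address>
  <post-rulebase><security><rules>
   <entry name="allow-dns"><source><member>mgmt-net</member></source>
    <destination><member>dns-google</member></destination></entry>
   <entry name="deny-all"><source><member>any</member></source>
    <destination><member>any</member></destination></entry>
   <entry name="literal-host"><source><member>10.0.0.5</member></source>
    <destination><member>any</member></destination></entry>
  </rules></security></post-rulebase>
 </entry></device-group></entry></devices>
</config>"""

def address_objects(root):
    """Map address-object name -> ip_network (shared and device-group objects)."""
    nets = {}
    for entry in root.iterfind(".//address/entry"):
        mask = entry.findtext("ip-netmask")
        if mask:
            nets[entry.get("name")] = ipaddress.ip_network(mask, strict=False)
    return nets

def member_matches(member, ip, nets):
    """True if a rule member (object name or literal IP/CIDR) contains ip."""
    if member == "any":
        return False  # catch-all rules are skipped so only specific matches show
    net = nets.get(member)
    if net is None:
        try:
            net = ipaddress.ip_network(member, strict=False)
        except ValueError:
            return False  # FQDN objects and address groups are not resolved here
    return ip in net

def rules_matching_ip(config_xml, lookup_ip):
    """Return (device-group, rule, field) tuples for post rules that match."""
    root = ET.fromstring(config_xml)
    ip, nets, hits = ipaddress.ip_address(lookup_ip), address_objects(root), []
    for dg in root.iterfind(".//device-group/entry"):
        for rule in dg.iterfind("post-rulebase/security/rules/entry"):
            for field in ("source", "destination"):
                members = [m.text for m in rule.iterfind(f"{field}/member")]
                if any(member_matches(m, ip, nets) for m in members):
                    hits.append((dg.get("name"), rule.get("name"), field))
    return hits
```

Calling `rules_matching_ip(SAMPLE_CONFIG, "172.31.10.50")` returns the allow-dns rule via its source object; point it at a real export (`show config running` saved via the API) to get the per-IP audit the thread asks for.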
07-23-2021 08:49 AM
Ding, ding, ding! We have a winner. So what I am looking to accomplish is audit/research level work.
On a competitor's product (which shall remain nameless) I am able to issue the following simple, single-line CLI command (on a device-by-device basis) and get back an exhaustive std output of every member rule matching the IP that I'm searching for, either as source or as destination:
show access-list | include {{ lookupIP }}
This is exactly the kind of functionality that I'm looking for from Panorama/PAN-OS.
08-03-2021 02:30 AM
Thanks for confirming @julio.toledo. Per DM, we've connected you with your SE in order to discuss this topic in more detail.