Wildcards in rest api configuration query?

KostiM · ‎03-28-2017

Hi,

I'm trying to write a reporting tool that will go throguh various device groups and identify rules that have certain keywords (change numbers in my case) in the description.

I'm querying panorama configuration and using rest api directly from python (e.g. requests module or pan.xapi)

For example, this query works perfectly for me and as a result I get two rules returned back, if description contains only one string CHG99646:

/config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='Perth']/pre-rulebase/security/rules/entry[description="CHG99646"]

<entry name="Rule139" loc="Perth">...</entry>
 ...
 
 
However, my queries stop working in case description contains multiple lines. E.g if my rule entry is like this:
 
<response status="success" code="19">
<result total-count="1" count="1">
<entry name="Rule87" loc="Perth">
<profile-setting>
<group>
<member>Source123</member>
</group>
...
...
<action>allow</action>
<description>CHG128742 CHG135069 CHG139311 CHG142080</description>
 
I am unable to find this rule if I put a query like
/config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='Perth']/pre-rulebase/security/rules/entry[description="CHG139311"]
 
Is there any way to have ~ (like) matching here or to use wildcards (e.g. .*<matchpattern>.*) so I could identify rule(s) based on part of the description content and not the entire decription content?
 
I am aware that I can pull the entire rulebase and then parse it localy. But the point here is to avoid this. If there are e.g. 20 device groups and each device group has 1000+ rules, pulling 20.000 rules will take forever and it would be much more efficient if I can just return rules matching certain patterns like explained above.
 
Thanks,
Milos

cpainchaud · ‎03-30-2017

Unfortinately, PANOS doesn't provide API features to search for objects and such. The XPath is oringally designed to name a 'path' in the XML rather than doing searches.

Why does it take so long to get the condicate config ? Bandwidth issue or PANOS is too slow ? It should be instant almost

KostiM · ‎03-30-2017

Config is 18MB in size

$ ./rt.py

Start

/config/devices

End request, returned XML in 28.5243420601

Size in bytes: 18714100

Converting XML to DICT

End xmltodict

Done

Finished conversion 44.2015681267

And palo alto Panorama is located on the other side of the world (accessing it over WAN)

What is your config size that you are normally downloading when you say it is almost instant?

Even if it was instant I still have about 18 seconds to convert XML to Dictionary but I could live with that (if only was instant as you say 🙂 🙂 )

cpainchaud · ‎03-30-2017

I quit using XML to dictionary/json/arrays a long time ago : it's way too slow. I parse XML directly with libxml and alike.

In your case, to solve your bandwidth issues, I would have a middleware/application-proxy that would be excuted in the same datacenter as the firewall/panorama. This mini-API of yours would be able to acess the firewall without any bandwidth or latency constraint and would then just return the pieces of interest to you.

cpainchaud · ‎03-30-2017

client requests MiddleAPI.getAllRulesMatchingX ->

MiddleAPI requests PAN_API.getFullConfigDump

MiddleAPI parse XML, filters records of interest, add a 'loc' property

MiddleAPI sends answer to client

Wildcards in rest api configuration query?

Wildcards in rest api configuration query?

Show your appreciation!