This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

With XML API, How does "Require audit comment on policies" check work? ( Panorama -> Management tab)

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

With XML API, How does "Require audit comment on policies" check work? ( Panorama -> Management tab)

Go to solution
HermanEdwards
L1 Bithead

‎02-25-2022 08:50 PM

Settings

  • I believe adding/updating an Audit comment of a Policy rule is independent from making changes to the policies.
    • Operational command: Audit comment Update (type='op')

 

set audit-comment comment "paul manual edit" xpath​

 

  • Configuration command: Making changes to a Policy rule (type='config')

 

'/api/?type=config&action=get&xpath=/config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='paul']/pre-rulebase/security/rules/entry[@name='paul-feb-24']'​

 

HermanEdwards_1-1645848389351.png

 

HermanEdwards_0-1645848250022.png

 

Questions

From Panorama -> Management tab

HermanEdwards_2-1645848602426.png

With enabled "Require audit comment on policies", I keep getting this Error message:

 

OrderedDict([('response', OrderedDict([('@status', 'success'), ('@code', '13'), ('msg', \"Audit comments are missing for policy configuration being committed. Please add audit comments and try again.\\nList of xpaths:\\n/config/devices/entry/device-group/entry[@name='paul']/pre-rulebase/security/rules/entry[@name='paul-audit-comment-create-feb-24']\\n/config/devices/entry/device-group/entry[@name='paul']/pre-rulebase/security/rules/entry[@name='paul-feb-24']\")]))]) "

 

 

  • Seeing that adding comments and making changes to a Policy rule requires 2 independent API calls, how can we make change both changes in one API call?
    • I believe we just need to do 2 requests: (1) Update Audit comment => (2) Update Policy rule => (3) Commit
  • Despite manually set the Audit comment of a rule to some texts, the Commit operation is still failing with the error message. Has anyone run into this before?
    • Am I doing the updates properly?
  • It's worth noting that I can manually commit via Web Browser though. It looks like committing via Web browser does not care about the Audit comment at all. I tried committing without any comment, and it still passes...

Attempts

  • Manually update the Audit comment of the Policy rule before committing, 

HermanEdwards_3-1645850461552.png

Commit API calls will still fail with the error message I post above.

 

 

Any help is greatly appreciated.

 

0 Likes Likes
1 accepted solution

Accepted Solutions

Go to solution
JimmyHolland
L5 Sessionator
In response to HermanEdwards

‎03-04-2022 04:29 AM

Hi @HermanEdwards, yes, per the other thread, the localhost.localdomain is required. You will see it in the XML config file, in the API explorer, and other observable places (debugs, etc). I have requested that the documentation is changed to reflect this.

Help the community: "Like" helpful comments, and click "Accept as Solution" if you found your answer 🙂

View solution in original post

3 REPLIES 3

Go to solution
HermanEdwards
L1 Bithead

‎02-25-2022 09:12 PM

Update

  • My bad. I miss the path in the error messages... the Policy update involves empty Device entry as you can see in the message.
  • Manually update the Audit comment via Web browser is done at /config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='paul']/pre-rulebase/security/rules/entry[@name='paul-feb-24']
    • Here, the Web browser specified the name for the Device entry.
    • As a result, updating the one on Web does not resolve the error.


Follow-up: While reading through XML API, some endpoints include Device entry name and some don't. 
If anyone know when the Device entry name should be ignored, please feel free to share.
For more info, examples where Device entry name gets ignored can be found at https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-panorama-api/pan-os-xml-api-request-types/config...


So far, when editing the config of a Policy rule, I believe a device entry name should always be specified. This is b/c API explorer always shows it.

 

0 Likes Likes

Go to solution
JimmyHolland
L5 Sessionator
In response to HermanEdwards

‎03-04-2022 04:29 AM

Hi @HermanEdwards, yes, per the other thread, the localhost.localdomain is required. You will see it in the XML config file, in the API explorer, and other observable places (debugs, etc). I have requested that the documentation is changed to reflect this.

Help the community: "Like" helpful comments, and click "Accept as Solution" if you found your answer 🙂

Go to solution
RyanBess
L2 Linker

‎04-04-2022 05:14 PM

just my two cents here.  The audit comment feature is very buggy and there are / have been a number of issues with it.  If you are looking to use it as an a way for auditing change, you may be better suited to look to something outside of this feature.  We're told things are fixed in some newer releases but we've hit a number of issues.

0 Likes Likes
  • 1 accepted solution
  • 4123 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks