With XML API, How does "Require audit comment on policies" check work? ( Panorama -> Management tab)

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

With XML API, How does "Require audit comment on policies" check work? ( Panorama -> Management tab)

L1 Bithead

Settings

  • I believe adding/updating an Audit comment of a Policy rule is independent from making changes to the policies.
    • Operational command: Audit comment Update (type='op')

 

set audit-comment comment "paul manual edit" xpath​

 

  • Configuration command: Making changes to a Policy rule (type='config')

 

'/api/?type=config&action=get&xpath=/config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='paul']/pre-rulebase/security/rules/entry[@name='paul-feb-24']'​

 

HermanEdwards_1-1645848389351.png

 

HermanEdwards_0-1645848250022.png

 

Questions

From Panorama -> Management tab

HermanEdwards_2-1645848602426.png

With enabled "Require audit comment on policies", I keep getting this Error message:

 

OrderedDict([('response', OrderedDict([('@status', 'success'), ('@code', '13'), ('msg', \"Audit comments are missing for policy configuration being committed. Please add audit comments and try again.\\nList of xpaths:\\n/config/devices/entry/device-group/entry[@name='paul']/pre-rulebase/security/rules/entry[@name='paul-audit-comment-create-feb-24']\\n/config/devices/entry/device-group/entry[@name='paul']/pre-rulebase/security/rules/entry[@name='paul-feb-24']\")]))]) "

 

 

  • Seeing that adding comments and making changes to a Policy rule requires 2 independent API calls, how can we make change both changes in one API call?
    • I believe we just need to do 2 requests: (1) Update Audit comment => (2) Update Policy rule => (3) Commit
  • Despite manually set the Audit comment of a rule to some texts, the Commit operation is still failing with the error message. Has anyone run into this before?
    • Am I doing the updates properly?
  • It's worth noting that I can manually commit via Web Browser though. It looks like committing via Web browser does not care about the Audit comment at all. I tried committing without any comment, and it still passes...

Attempts

  • Manually update the Audit comment of the Policy rule before committing, 

HermanEdwards_3-1645850461552.png

Commit API calls will still fail with the error message I post above.

 

 

Any help is greatly appreciated.

 

1 accepted solution

Accepted Solutions

Hi @HermanEdwards, yes, per the other thread, the localhost.localdomain is required. You will see it in the XML config file, in the API explorer, and other observable places (debugs, etc). I have requested that the documentation is changed to reflect this.

Help the community: "Like" helpful comments, and click "Accept as Solution" if you found your answer 🙂

View solution in original post

3 REPLIES 3

L1 Bithead

Update

  • My bad. I miss the path in the error messages... the Policy update involves empty Device entry as you can see in the message.
  • Manually update the Audit comment via Web browser is done at /config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='paul']/pre-rulebase/security/rules/entry[@name='paul-feb-24']
    • Here, the Web browser specified the name for the Device entry.
    • As a result, updating the one on Web does not resolve the error.


Follow-up: While reading through XML API, some endpoints include Device entry name and some don't. 
If anyone know when the Device entry name should be ignored, please feel free to share.
For more info, examples where Device entry name gets ignored can be found at https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-panorama-api/pan-os-xml-api-request-types/config...


So far, when editing the config of a Policy rule, I believe a device entry name should always be specified. This is b/c API explorer always shows it.

 

Hi @HermanEdwards, yes, per the other thread, the localhost.localdomain is required. You will see it in the XML config file, in the API explorer, and other observable places (debugs, etc). I have requested that the documentation is changed to reflect this.

Help the community: "Like" helpful comments, and click "Accept as Solution" if you found your answer 🙂

L2 Linker

just my two cents here.  The audit comment feature is very buggy and there are / have been a number of issues with it.  If you are looking to use it as an a way for auditing change, you may be better suited to look to something outside of this feature.  We're told things are fixed in some newer releases but we've hit a number of issues.

  • 1 accepted solution
  • 3283 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!