XML API config action 'set'

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

XML API config action 'set'

Cyber Elite
Cyber Elite

Okay, I still can't figure this guy out. All the other commands work perfectly fine but as soon as I try to 'set' a new rule I get an error saying that it's malformed. I've looked through all of the documentation that I can find but nothing will get the request to come across properly

 

https://10.191.136.7/api/?type=config&action=set&key=key&xpath=/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/rulebase/security/rules/entry[@name='Test-API']&element=<source><member>10.191.135.66</member></source><destination><member>8.8.8.8</member></destination><service><member>any</member></service><application><member>any</member></application><action>allow</action><source-user><member>any</member></source-user><option><disable-server-response-inspection>no</disable-server-response-inspection></option><negate-source>no</negate-source><negatedestination>no</negate-destination><disabled>yes</disabled><log-start>no</log-start><logend>yes</log-end><description>Testing</description><from><member>inside</member></from><to><member>outside</member></to>

1 accepted solution

Accepted Solutions

L4 Transporter

There are two things to change:

 

1.  There is a hiphen missing from two of your elements:  logend should be log-end, and negatedestination should be negate-destination

 

2.  I recommend to always give your 'element' parameter a root element.  So rather than start with <source> and end with </to>, you should start with <entry name='Test-API'> and end with </entry>.  That way the beginning and end of the tags match.  Of course, this means removing '/entry[@name='Test-API'] from the end of your xpath.

 

In summary, this API call should work for you:

 

https://10.191.136.7/api/?type=config&action=set&key=key&xpath=/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/rulebase/security/rules&element=<entry name='Test-API'><source><member>10.191.135.66</member></source><destination><member>8.8.8.8</member></destination><service><member>any</member></service><application><member>any</member></application><action>allow</action><source-user><member>any</member></source-user><option><disable-server-response-inspection>no</disable-server-response-inspection></option><negate-source>no</negate-source><negate-destination>no</negate-destination><disabled>yes</disabled><log-start>no</log-start><log-end>yes</log-end><description>Testing</description><from><member>inside</member></from><to><member>outside</member></to></entry>

If you're using python, you might consider using pan-python or Palo Alto Networks Device Framework to craft your API calls to eliminate these pesky XML/Xpath issues.  For example, here's how you would make the same API call using the Device Framework in python:

 

from pandevice import firewall, policies

fw = firewall.Firewall('10.191.136.7', 'admin', 'yourpassword')

rulebase = fw.add(policies.Rulebase())

rule1 = policies.SecurityRule('Test-API',
                              source='10.181.135.66',
                              destination='8.8.8.8',
                              fromzone='inside',
                              tozone='outside',
                              action='allow',
                              description='testing')
rulebase.add(rule1)
rule1.create()

In this example, you don't need to mess with XML or XPaths to create the security rule.  More information about the Palo Alto Networks Device Framework is availabe here:

 

Documentation

http://pandevice.readthedocs.io/en/latest/readme.html

 

Presentation

http://paloaltonetworks.github.io/pandevice/

View solution in original post

2 REPLIES 2

L4 Transporter

There are two things to change:

 

1.  There is a hiphen missing from two of your elements:  logend should be log-end, and negatedestination should be negate-destination

 

2.  I recommend to always give your 'element' parameter a root element.  So rather than start with <source> and end with </to>, you should start with <entry name='Test-API'> and end with </entry>.  That way the beginning and end of the tags match.  Of course, this means removing '/entry[@name='Test-API'] from the end of your xpath.

 

In summary, this API call should work for you:

 

https://10.191.136.7/api/?type=config&action=set&key=key&xpath=/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/rulebase/security/rules&element=<entry name='Test-API'><source><member>10.191.135.66</member></source><destination><member>8.8.8.8</member></destination><service><member>any</member></service><application><member>any</member></application><action>allow</action><source-user><member>any</member></source-user><option><disable-server-response-inspection>no</disable-server-response-inspection></option><negate-source>no</negate-source><negate-destination>no</negate-destination><disabled>yes</disabled><log-start>no</log-start><log-end>yes</log-end><description>Testing</description><from><member>inside</member></from><to><member>outside</member></to></entry>

If you're using python, you might consider using pan-python or Palo Alto Networks Device Framework to craft your API calls to eliminate these pesky XML/Xpath issues.  For example, here's how you would make the same API call using the Device Framework in python:

 

from pandevice import firewall, policies

fw = firewall.Firewall('10.191.136.7', 'admin', 'yourpassword')

rulebase = fw.add(policies.Rulebase())

rule1 = policies.SecurityRule('Test-API',
                              source='10.181.135.66',
                              destination='8.8.8.8',
                              fromzone='inside',
                              tozone='outside',
                              action='allow',
                              description='testing')
rulebase.add(rule1)
rule1.create()

In this example, you don't need to mess with XML or XPaths to create the security rule.  More information about the Palo Alto Networks Device Framework is availabe here:

 

Documentation

http://pandevice.readthedocs.io/en/latest/readme.html

 

Presentation

http://paloaltonetworks.github.io/pandevice/

Thanks, I'll have to look into pandevice more. I keep hearing that it's really nice and easier to use. 

  • 1 accepted solution
  • 2642 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!