11-22-2016 11:57 AM
Okay, I still can't figure this guy out. All the other commands work perfectly fine, but as soon as I try to 'set' a new rule I get an error saying that it's malformed. I've looked through all of the documentation that I can find, but nothing will get the request to come across properly.
https://10.191.136.7/api/?type=config&action=set&key=key&xpath=/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/rulebase/security/rules/entry[@name='Test-API']&element=<source><member>10.191.135.66</member></source><destination><member>8.8.8.8</member></destination><service><member>any</member></service><application><member>any</member></application><action>allow</action><source-user><member>any</member></source-user><option><disable-server-response-inspection>no</disable-server-response-inspection></option><negate-source>no</negate-source><negatedestination>no</negate-destination><disabled>yes</disabled><log-start>no</log-start><logend>yes</log-end><description>Testing</description><from><member>inside</member></from><to><member>outside</member></to>
11-22-2016 06:50 PM
There are two things to change:
1. There is a hyphen missing from two of your elements: logend should be log-end, and negatedestination should be negate-destination.
2. I recommend always giving your 'element' parameter a root element. So rather than start with <source> and end with </to>, you should start with <entry name='Test-API'> and end with </entry>. That way the beginning and end of the tags match. Of course, this means removing /entry[@name='Test-API'] from the end of your xpath.
In summary, this API call should work for you:
https://10.191.136.7/api/?type=config&action=set&key=key&xpath=/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/rulebase/security/rules&element=<entry name='Test-API'><source><member>10.191.135.66</member></source><destination><member>8.8.8.8</member></destination><service><member>any</member></service><application><member>any</member></application><action>allow</action><source-user><member>any</member></source-user><option><disable-server-response-inspection>no</disable-server-response-inspection></option><negate-source>no</negate-source><negate-destination>no</negate-destination><disabled>yes</disabled><log-start>no</log-start><log-end>yes</log-end><description>Testing</description><from><member>inside</member></from><to><member>outside</member></to></entry>
If you're using Python, you might consider using pan-python or the Palo Alto Networks Device Framework to craft your API calls to eliminate these pesky XML/XPath issues. For example, here's how you would make the same API call using the Device Framework in Python:

from pandevice import firewall, policies

# Connect to the firewall and attach a rulebase object to it
fw = firewall.Firewall('10.191.136.7', 'admin', 'yourpassword')
rulebase = fw.add(policies.Rulebase())

# Describe the security rule as an object instead of hand-written XML
rule1 = policies.SecurityRule('Test-API',
                              source='10.191.135.66',
                              destination='8.8.8.8',
                              fromzone='inside',
                              tozone='outside',
                              action='allow',
                              description='testing')
rulebase.add(rule1)

# Push the rule to the firewall's candidate configuration
rule1.create()

In this example, you don't need to mess with XML or XPaths to create the security rule. More information about the Palo Alto Networks Device Framework is available here:
Documentation
http://pandevice.readthedocs.io/en/latest/readme.html
Presentation
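
Added example (not part of the original posts and not Palo Alto Networks code): a pre-flight check for the two problems named in the answer above, run before any request is sent. It rejects an `element` value with mismatched tags, requires a single `<entry>` root, and percent-encodes the parameters; `check_element` and `build_set_query` are hypothetical helper names, and the sample XML is shortened from the thread's two requests.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlencode, quote

# xpath from the accepted answer: it stops at .../rules because the element carries <entry>.
RULES_XPATH = ("/config/devices/entry[@name='localhost.localdomain']"
               "/vsys/entry[@name='vsys1']/rulebase/security/rules")

# Shortened samples built from the thread's two requests (constructed for this example).
BROKEN = ("<negate-source>no</negate-source><negatedestination>no</negate-destination>"
          "<log-start>no</log-start><logend>yes</log-end>")
FIXED = ("<entry name='Test-API'><source><member>10.191.135.66</member></source>"
         "<destination><member>8.8.8.8</member></destination>"
         "<negate-destination>no</negate-destination><log-end>yes</log-end></entry>")


def check_element(element):
    """Return (error, top_level_tags); error is None when the XML is well-formed."""
    try:
        # A throwaway wrapper lets rootless fragments parse, so tag mismatches
        # are reported for both the rooted and the rootless style.
        wrapper = ET.fromstring("<wrapper>" + element + "</wrapper>")
    except ET.ParseError as exc:
        return str(exc), []
    return None, [child.tag for child in wrapper]


def build_set_query(xpath, element, key):
    """Validate element, then return a percent-encoded query string for action=set."""
    error, roots = check_element(element)
    if error:
        raise ValueError("element is not well-formed XML: " + error)
    if roots != ["entry"]:
        raise ValueError("element should have a single <entry> root, got %r" % roots)
    params = {"type": "config", "action": "set", "key": key,
              "xpath": xpath, "element": element}
    return urlencode(params, quote_via=quote)


if __name__ == "__main__":
    print(check_element(BROKEN)[0])                     # parser error for the original request
    print(build_set_query(RULES_XPATH, FIXED, "key"))   # encoded query for the corrected one
```

The returned string can be sent as a POST body instead of being appended to the URL, which keeps the API key and rule contents out of proxy logs and shell history.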
11-23-2016 05:55 AM
Thanks, I'll have to look into pandevice more. I keep hearing that it's really nice and easier to use.