XML API: Panorama: How to Create/Get/Update the field "Audit Comment" of a Security Policy rule?

HermanEdwards · ‎02-24-2022

Settings

Panorama version: 10.1 (latest)
When creating/updating a Security Policy rule (see attached images for more info), I'm able to add/update Audit comment for a rule via Web browser by following this guide https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-web-interface-help/policies/audit-comment-archi... . However, I fail to use XML API to simulate the same behaviours.
On Panorama XML API request, there is no option to get/set the field "audit-comment". I followed this guide https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-panorama-api/get-started-with-the-pan-os-xml-api... to explore all fields for a given Policy rule. There is no "comment" or "audit-comment" field.

What's expected:

Similar to how we can edit/read the Description field of a Security Policy rule, we should be able to edit/read the Audit comment field of a rule as well.
I believe we should have xpath like "/config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='paul']/pre-rulebase/security/rules/entry[@name='paul-feb-24']/audit-comment" to read or update here.

What's happening:

From viewing Chrome's network tab (see attached), you can see that we should be able to access "audit-comment" for a Policy rule. However, I cannot access that field via XML API browser or manually calling it via curl.
Could you tell me if this is something possible on Panorama?
- If yes, How do I access this Audit Comment field?
- If yes, Is this feature available from Panorama 8.0 as well?

Your help is much appreciated.

JimmyHolland · ‎02-25-2022

Hi @HermanEdwards, audit comments are not stored in the configuration, hence you don't see it in the API browser. There is an operational CLI command that shows the audit comments (show config list audit-comments xpath {{xpath to security policy rule}}) and this translates to XML API call:

https://{{host}}/api/?key={{key}}&type=op&cmd=<show><config><list><audit-comments><xpath>/config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='{{device-group-name}}']/pre-rulebase/security/rules/entry[@name='{{rule-name}}']</xpath></audit-comments></list></config></show>

Sometimes external XML API calls are not exact replicas of the web GUI behaviour.

Hope that helps!

Help the community: "Like" helpful comments, and click "Accept as Solution" if you found your answer 🙂

View solution in original post

HermanEdwards · ‎02-24-2022

Reposting the 2 images, since the first 2 look very blurry:

1. Missing Audit comment field under the Policy rule

2. Network tab proves that we should have that field

JimmyHolland · ‎02-25-2022

Hi @HermanEdwards, audit comments are not stored in the configuration, hence you don't see it in the API browser. There is an operational CLI command that shows the audit comments (show config list audit-comments xpath {{xpath to security policy rule}}) and this translates to XML API call:

https://{{host}}/api/?key={{key}}&type=op&cmd=<show><config><list><audit-comments><xpath>/config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='{{device-group-name}}']/pre-rulebase/security/rules/entry[@name='{{rule-name}}']</xpath></audit-comments></list></config></show>

Sometimes external XML API calls are not exact replicas of the web GUI behaviour.

Hope that helps!

Help the community: "Like" helpful comments, and click "Accept as Solution" if you found your answer 🙂

HermanEdwards · ‎02-25-2022

@JimmyHolland Thank you very much! This is working.

It looks like Audit comment need to be created only after a policy has been created. This is b/c it relies on a separate API call (i.e. type='op') here.

Also, the CLI is great! I find that we can perform the Audit comment create/update with `set audit-comment comment "my update via cli" xpath <path_to_policy_node"`
It's also displayed under Web API explorer:

HermanEdwards · ‎02-25-2022

@JimmyHolland When you have time, do you know if a Device entry name (e.g. 'localhost.localdomain') is always required in the xpath? Can it be left as blank? If blank, does it default to some values?

For more info, when submitting the Audit comment update without specifying the Device entry name, the update is still successful. However, the update is applied to the wrong path, resulting in no update on the UI. This makes sense, as the xpath should represent a path to certain object.

However, I see examples where Device entry name is left as blank on XML API guide. I'm wondering if some default value get used when entry is blank. Or if I should always default the Device entry name to 'localhost.localdomain' (i.e. I assume all Panorama come with the device entry name 'localhost.localdomain')

JimmyHolland · ‎03-04-2022

Hi @HermanEdwards, I answered this in your separate thread, and the localhost.localdomain is indeed required.

Help the community: "Like" helpful comments, and click "Accept as Solution" if you found your answer 🙂

Unlock your full community experience!

XML API: Panorama: How to Create/Get/Update the field "Audit Comment" of a Security Policy rule?

XML API: Panorama: How to Create/Get/Update the field "Audit Comment" of a Security Policy rule?

Show your appreciation!