API to disable specific policy


Cyber Elite

Hi @Shruthi123 ,

 

Look at the bottom of this doc -> https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-panorama-api/pan-os-xml-api-request-types/config....  It works.  I tested it with curl.

 

The API browser is missing the &action=set parameter.  I guess it browses only.  😁  You can also make the change with the REST API, but the URL is different.

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.

Hello Tom,

 

Thanks much for helping in providing the API details. I tried to disable a specific policy using the API provided. I think I am not passing the value correctly.

import requests

# Placeholders in angle brackets are the values I intended to substitute
api_url = f"https://<FIREWALL IP>/api/?key=<apikey>&type=config&action=set&xpath=/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='<vsys1>']/rulebase/security/rules/entry[@name=<rule_name>]&element=<disabled>yes</disabled>"

response1 = requests.request("GET", api_url, verify=False)  # comma between method and URL was missing
print(response1.text)
 
ERROR:
======
<response status="error" code="13"><msg><line>Could not find schema node for xpath 
 
I am confused as to what details to pass for the below :
entry[@name='localhost.localdomain']
entry[@name='<vsys1>']
 
Can you please guide me?

Cyber Elite

Hi @Shruthi123 ,

 

Certainly!  Here is the URL without the < or > surrounding the variables.  Variables are now in UPPER_CASE and need to be replaced.  If there are spaces in the rule name, you need the single quotes.  The < and > around the disabled are XML and remain.

 

"https: //FIREWALL_IP/api/?key=API_KEY&type=config&action=set&xpath=/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/rulebase/security/rules/entry[@name='RULE_NAME']&element=<disabled>yes</disabled>"

 

These entries are most likely correct as is since they are default.  Notice the < and > around vsys1 have been removed.

entry[@name='localhost.localdomain'] = default local NGFW name
entry[@name='vsys1'] = default vsys
 
FYI You can verify your XML Paths with the API browser on the NGFW, https: //FIREWALL_IP/api, and clicking through the menu.
 
PS I put spaces after the https: so that it wouldn't automatically create a hyperlink.
 
Thanks,
 
Tom
 

Hello Tom,

 

I tried to pass parameters as suggested above. But I still observe the below error:

ERROR: "Could not get schema node for xpath"

 

Also I browsed to "https: //FIREWALL_IP/api/?key=API_KEY&type=config&action=set&xpath=/config/devices/entry[@name='localhost.localdomain']" to check the XML schema, but it looks very complicated.

 

Can you please suggest if there is a PAN-OS REST API to disable the specific rule?

Cyber Elite

Hi @Shruthi123 ,

 

The REST API will be more complicated.  For the API browser, don't put the other stuff in the URL.  Browse to https: //FIREWALL_IP/api.  Then you can drill down on the links to verify the correct.  There is no shortcut.  You have to verify the XML Path is correct.

 

Thanks,

 

Tom


Hello Tom,

 

I was able to find the Xpath from the below code:

 

import panos.firewall
import panos.policies
from panos.policies import SecurityRule

# user and password are the firewall API credentials; 'hostname' is the firewall address
fw = panos.firewall.Firewall('hostname', user, password)
rulebase = panos.policies.Rulebase()
fw.add(rulebase)            # attach the rulebase to the firewall object
rule = SecurityRule('test-rule')
rulebase.add(rule)          # attach the rule so its XPath can be resolved
val = rule.xpath()
print(val)
 
OUTPUT: 
=======
/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/rulebase/security/rules/entry[@name='test-rule']
 
 
Later I tried to execute as below but again got the same error:
 
import requests

api_url = f"https://10.101.1.10/api/?key={key}&type=config&action=set&xpath=/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/rulebase/security/rules/entry[@name='test-rule']&element=<disabled>yes</disabled>"

response1 = requests.get(api_url, verify=False)
print(response1.text)
 
OUTPUT:
======
<response status="error" code="3"><msg><line>Could not get schema node for xpath /config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/rulebase/security/rules/entry[@name='test-rule']
 
Please help me on this.
 
Cyber Elite

Hi @Shruthi123 ,

 

The XPath looks correct.  This is a tough one.  I would verify the XPath with the curl command just like in the documentation.  Then you should be able to narrow it down to the URL or the Python script you are using.  If the curl command fails, it is the URL.  Your script is good, but you can also browse to https: //FIREWALL_IP/api.

 

Thanks,

 

Tom


Cyber Elite

@Shruthi123,

Do you have experience scripting in any language? There are plenty of libraries that exist that may make this easier, but not knowing what you have experience in, the API is going to be the default suggestion from people that we expect the requester to have some experience with. If you have a preferred scripting language you're used to working in, that may be easier.

 

As for the REST API, that documentation is available directly on the device at https://<firewallip>/restapi-doc/

You're looking to disable the rule which would be an edit, so you'll look under Policies/SecurityRules under PUT. Keep in mind that if you use the REST API you'll still need to use the XML API to actually commit the change if you want this process to be automated. The REST API still isn't feature complete, which is why any API discussion is going to generally default to the XML API.
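An added example, not code from the thread or from the panos library, that assembles the same type=config&action=set request described above with the xpath and element values percent-encoded by urllib, the key sent in the X-PAN-KEY header instead of the URL, and the <response> envelope parsed so error codes such as 3 or 13 are raised rather than printed; it also builds the separate commit call the previous reply notes is still needed. The firewall host, rule name and the PAN_API_KEY environment variable are assumptions, as is a PAN-OS version that accepts the key in the X-PAN-KEY header.

```python
# Added example, not code from the thread. Builds the XML API calls the
# thread describes, lets urllib percent-encode the xpath/element query
# values, sends the key in the X-PAN-KEY header rather than the URL, and
# parses the <response> envelope so error codes are not silently ignored.
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

def rule_xpath(rule_name, vsys="vsys1", device="localhost.localdomain"):
    """XPath of a security rule (defaults are the thread's default names)."""
    for v in (rule_name, vsys, device):
        if not v or "'" in v:  # a quote would break the XPath string literal
            raise ValueError("empty name or single quote in name: %r" % v)
    return ("/config/devices/entry[@name='%s']/vsys/entry[@name='%s']"
            "/rulebase/security/rules/entry[@name='%s']" % (device, vsys, rule_name))

def disable_params(rule_name, disabled=True, **kw):
    """Query parameters for type=config&action=set on the rule's disabled flag."""
    return {"type": "config", "action": "set", "xpath": rule_xpath(rule_name, **kw),
            "element": "<disabled>%s</disabled>" % ("yes" if disabled else "no")}

COMMIT_PARAMS = {"type": "commit", "cmd": "<commit></commit>"}  # config is not live until committed

def api_url(host, params):
    """Full URL with every value percent-encoded; the API key is not part of it."""
    return "https://%s/api/?%s" % (host, urllib.parse.urlencode(params))

def parse_response(text):
    """Return (status, code, message text) from a PAN-OS <response> document."""
    root = ET.fromstring(text)
    if root.tag != "response":
        raise ValueError("not a PAN-OS API response")
    msg = " ".join(t.strip() for t in root.itertext() if t.strip())
    return root.get("status"), root.get("code"), msg

def call_api(host, api_key, params, timeout=15):
    """One XML API call; raises unless the firewall reports status="success"."""
    req = urllib.request.Request(api_url(host, params), headers={"X-PAN-KEY": api_key})
    with urllib.request.urlopen(req, timeout=timeout) as resp:  # TLS verified by default
        status, code, msg = parse_response(resp.read().decode("utf-8"))
    if status != "success":
        raise RuntimeError("API error code %s: %s" % (code, msg))
    return code, msg

if __name__ == "__main__":
    import os, sys  # usage: script.py FIREWALL_HOST RULE_NAME, key in $PAN_API_KEY (assumed)
    host, rule, key = sys.argv[1], sys.argv[2], os.environ["PAN_API_KEY"]
    print(call_api(host, key, disable_params(rule)))
    print(call_api(host, key, COMMIT_PARAMS))
```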

I was able to disable the policy by making a few changes to the xpath as per the configuration setup in our environment.

But when I try to disable and enable fields while testing, I observe the "disabled" field entry in the XML vanishing.

i.e. <disabled>yes</disabled>  --> This field vanishes from the XML
