- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
02-24-2023 04:23 PM
02-24-2023 07:38 PM - edited 02-25-2023 07:02 PM
Hi @Shruthi123 ,
Look at the bottom of this doc -> https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-panorama-api/pan-os-xml-api-request-types/config.... It works. I tested it with curl.
The API browser is missing the &action=set parameter. I guess it browses only. 😁 You can also make the change with the REST API, but the URL is different.
Thanks,
Tom
02-26-2023 02:03 PM
Hello Tom,
Thanks much for helping in providing the API details. I tried to disable a specific policy using the API provided. I think I am not passing the value correctly.
02-26-2023 04:02 PM
Hi @Shruthi123 ,
Certainly! Here is the URL without the < or > surrounding the variables. Variables are now in UPPER_CASE and need to replaced. if there are spaces in the rule name, you need the single quotes. The < and > around the disabled are XML and remain.
"https: //FIREWALL_IP/api/?key=API_KEY&type=config&action=set&xpath=/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/rulebase/security/rules/entry[@name='RULE_NAME']&element=<disabled>yes</disabled>"
These entries are most likely correct as is since they are default. Notice the < and > around vsys1 have been removed.
02-27-2023 05:13 AM
Hello Tom,
I tried to pass parameters as suggested above. But I still observe the below error:
ERROR: "Could not get schema node for xpath"
Also i browsed by "https: //FIREWALL_IP/api/?key=API_KEY&type=config&action=set&xpath=/config/devices/entry[@name='localhost.localdomain'], to check the XML shema but it looks very complicated.
Can you please suggest if there is PAN-OS restapi to disable the specific rule?
02-27-2023 06:02 AM
Hi @Shruthi123 ,
The REST API will be more complicated. For the API browser, don't put the other stuff in the URL. Browse to https: //FIREWALL_IP/api. Then you can drill down on the links to verify the correct. There is no shortcut. You have to verify the XML Path is correct.
Thanks,
Tom
02-27-2023 04:25 PM - edited 02-27-2023 04:27 PM
Hello Tom,
I was able to find the Xpath from the below code:
02-27-2023 05:44 PM
Hi @Shruthi123 ,
The XPath looks correct. This is a tough one. I would verify the XPath with the curl command just like in the documentation. Then you should be able to narrow it down to the URL or the Python script you are using. If the curl command fails, it is the URL. Your script is good, but you can also browse to https: //FIREWALL_IP/api.
Thanks,
Tom
02-28-2023 01:55 PM
Do you have experience scripting in any language? There's plenty of libraries that exist that may make this easier, but not knowing what you have experience in the API is going to be the default suggestion from people that we expect the requester to have some experience with. If you have a preferred scripting language you're used to working in, that may be easier.
As for the REST API, that documentation is available directly on the device at https://<firewallip>/restapi-doc/
You're looking to disable the rule which would be an edit, so you'll look under Policies/SecurityRules under PUT. Keep in mind that if you use the REST API you'll still need to use the XML API to actually commit the change if you want this process to be automated. The REST API still isn't feature complete, which is why any API discussion is going to generally default to the XML API.
03-08-2023 05:31 PM
I was able to disable the policy by making few changes to xpath as per the configuration setup in our environment .
But when i try to disable and enable fields while testing i observe the "disable" field entry in the XML getting vanished.
i.e. <dsabled>yes<disabled> --> This field is getting vanished in XML
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!