
EDL global find XML API

L1 Bithead

Hi dear all,

When I use /api/?type=op&cmd=<request><system><external-list><global-find><string></string></global-find></exte... to search EDL with entry string, I can only search with IP list, for example, <request><system><external-list><global-find><string>5.167.66.138</string></global-find></external-list></system></request>, and I can get global find result as below:

<response status="success">
<result>
<line>/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/external-list/entry[@name='blocklistde-all.list']</line>
</result>
</response>

However, when I try to find URL or domain string, it cannot return any match even though the string is in the EDL entry list. Neither can I get global find result on FW UI.

May I know if any of you have such experience?

 

Thanks

 

1 accepted solution

Accepted Solutions

Community Team Member

Hi @jyao ,

 

I believe this works for IP address only by design.

The firewall CLI also does not show the result of the command request system external-list global-find string "fqdn"

 

If you want to have this added as a feature request, please reach out to your local SE to create this feature request for you, after which you and others can add their vote to it.

 

Kind regards,

-Kim.

LIVEcommunity team member, CISSP
Cheers,
Kiwi

Cyber Elite

Hi @jyao ,

 

That is a great question, and the PANW documentation could be improved to make the answer more clear.

 

You said "Neither can I get global find result on FW UI."  I assume that means the List Entries and Exceptions tab in the EDL configuration is blank.  The NGFW will not retrieve the contents of an EDL until it is enforced in a policy.  (An EDL will always be blank on Panorama since it doesn't perform a lookup.)

 

  1. An IP List EDL can be used as a source or destination object in a security policy rule.
  2. A URL List EDL can be used as a URL Category in a security policy rule or a custom URL category in a URL Filtering security profile.
  3. A Domain List can be used under DNS Policies in an Anti-Spyware security profile.

Once the EDL is enforced in a policy the NGFW will retrieve the contents at the 1st commit and then the specified interval.  If the entries are still blank use the Test Source URL button to make sure it works and use a browser to verify it has entries.

 

https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-admin/policy/use-an-external-dynamic-list-in-po...

https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-admin/policy/use-an-external-dynamic-list-in-po...

 

This previous Live Community post is helpful.  https://live.paloaltonetworks.com/t5/general-topics/external-list-not-populating/td-p/406809

 

If anyone in the Live Community sees that I missed something, please let me know!  I will edit this post.

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.

Hi Tom,

 

Thank you for your reply. I have attached the EDL to a policy and enforced it, and I can get EDL entries with XML API cmd=<request><system><external-list><show><type><{type}><num-records>1000</num-records><name>{name}</name></{type}></type></show></external-list></system></request>.

However, when I use '/api/?type=op&cmd=<request><system><external-list><global-find><string>{{EDLEntryString}}</string></global-find></external-list></system></request>', I can only search for an IP string; domain or URL strings cannot be searched. According to Kim's comment, this endpoint only works for IP addresses by design.

 

Thanks again 

Jonathan

Hi Tom,

May I know if I can get ip/url/domain EDL entries on Panorama? As I can only see predefined-ip and predefined-url types on my Panorama instance, I am not sure if it relates to my Panorama license.


When I try to get entries of my custom EDL, the API returns below error:

<response status="error" code="17">
    <msg>
        <line>
            <![CDATA[ request -> system -> external-list -> show -> type -> ip unexpected here]]>
        </line>
        <line>
            <![CDATA[ request -> system -> external-list -> show -> type is invalid]]>
        </line>
    </msg>
</response>


 

Thanks for your comments.

 

Jonathan
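An added example, not part of the original thread and not Palo Alto Networks code: a Python helper that builds the global-find request discussed above with the search string XML-escaped and URL-encoded, then parses the two response shapes quoted in this thread. The function names and `PanApiError` are hypothetical, and the empty "no match" response is constructed, since the thread does not show what the firewall returns for a domain or URL string.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlencode
from xml.sax.saxutils import escape

# FOUND and ERROR are the responses quoted in this thread.
FOUND = """<response status="success"><result>
<line>/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/external-list/entry[@name='blocklistde-all.list']</line>
</result></response>"""
ERROR = """<response status="error" code="17"><msg>
<line><![CDATA[ request -> system -> external-list -> show -> type -> ip unexpected here]]></line>
<line><![CDATA[ request -> system -> external-list -> show -> type is invalid]]></line>
</msg></response>"""
# Constructed sample: assumed shape of a successful reply with no match.
EMPTY = '<response status="success"><result/></response>'

class PanApiError(Exception):
    """Hypothetical exception carrying the API error code and message lines."""
    def __init__(self, code, lines):
        super().__init__(f"code {code}: " + "; ".join(lines))
        self.code, self.lines = code, lines

def global_find_path(search):
    """Build the op-command path; escape() keeps the string from altering the XML."""
    cmd = ("<request><system><external-list><global-find>"
           f"<string>{escape(search)}</string>"
           "</global-find></external-list></system></request>")
    return "/api/?" + urlencode({"type": "op", "cmd": cmd})

# Matches ".../<container>/entry[@name='<value>']" steps of a config xpath.
_STEP = re.compile(r"/([\w-]+)/entry\[@name='([^']*)'\]")

def parse_global_find(xml_text):
    """Return one dict per matching EDL; raise PanApiError on an error reply."""
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        lines = [(ln.text or "").strip() for ln in root.iter("line")]
        raise PanApiError(root.get("code"), lines)
    hits = []
    for ln in root.findall("./result/line"):
        xpath = (ln.text or "").strip()
        steps = dict(_STEP.findall(xpath))
        hits.append({"xpath": xpath, "vsys": steps.get("vsys"),
                     "edl": steps.get("external-list")})
    return hits

if __name__ == "__main__":
    print(global_find_path("5.167.66.138"))
    print(parse_global_find(FOUND))
```

An empty list from `parse_global_find` means the request succeeded without a match, which is distinct from an error reply such as the code 17 response above.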

 

 
