XML API commit-all not working

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

XML API commit-all not working

L3 Networker

Hi all,

 

Does anybody have an idea why the following happens, and what the solution might be?

 

I'm trying to perform a commit-all via the REST API using the the following URL:

https://panorama.domain/api/?REST_API_TOKEN=hash&type=commit&action=all&cmd=<commit-all><shared-policy><device-group>"Group-Name"</device-group></shared-policy></commit-all>

 

I get the following response even though the name of the device-group is correct:

 

<response status="error" code="17">
<msg>
<line>
commit-all -> shared-policy -> device-group has unexpected text.
</line>
<line>
commit-all -> shared-policy -> device-group is invalid
</line>
</msg>
</response>

 

1 accepted solution

Accepted Solutions

Community Team Member

 

The XML document format to commit shared policies to device groups on Panorama using the PAN-OS XML API has changed in PAN-OS 7.0. This change is due to an enhancement to permit a commit to devices within the device group: the device group name is now an attribute node instead of a text node.

 

The change in the XML API request is as follows:

 

– PAN-OS 6.1 and earlier releases: /api/?type=commit&action=all&cmd= DeviceGroupName

– PAN-OS 7.0 and later releases: /api/?type=commit&action=all&cmd= <entryname='devicegroupname'>

 

I did find some bugs related to this which all seem to be fixed in PAN-OS 7.0.3.

 

If you still see the issue on 7.0.3 then I'd recommend opening a case with TAC.

 

Hope it helps.

-Kim.

LIVEcommunity team member, CISSP
Cheers,
Kiwi
Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.

View solution in original post

9 REPLIES 9

L6 Presenter

It seems like wrong device group name. I'd check again for some extra spaces or if it's maybe case sensitive. 

That's what I thought at first as well, so I've already renamed the device group, made sure there are no additional characters or special characters (even took the dash out) and still I keep running into this error. I've also made a new device group, and it still won't work.

Hi Johan,

 

This is what works for me on 6.1

 

<commit-all><shared-policy><device-group><name>PA_VM_6.1</name></device-group></shared-policy></commit-all>

 

Result:

 

<response status="success" code="19"><result><msg><line>Job enqueued with jobid 82</line></msg><job>82</job></result></response>

 

 

Were you missing name tag? Also,  it failed when I had space after PA_VM_6.1.

 

Can you try it?

That indeed works on 6.1, but still fails on 7.0:

 

<response status="error" code="17">
  <msg>
    <line> 
      commit-all -> shared-policy -> device-group -> name has unexpected text.
    </line>
    <line> 
      commit-all -> shared-policy -> device-group is invalid
</line> </msg> </response>

L1 Bithead

I have a PAN config that is in json format that I want to implement on a PAN fw.  It seems that the fw will only take config in "set" command format or .xml.  Is there a way to drop this json config onto the fw, or convert it to a .xml format?

i think you are putting this in the wrong thread 😛

Community Team Member

 

The XML document format to commit shared policies to device groups on Panorama using the PAN-OS XML API has changed in PAN-OS 7.0. This change is due to an enhancement to permit a commit to devices within the device group: the device group name is now an attribute node instead of a text node.

 

The change in the XML API request is as follows:

 

– PAN-OS 6.1 and earlier releases: /api/?type=commit&action=all&cmd= DeviceGroupName

– PAN-OS 7.0 and later releases: /api/?type=commit&action=all&cmd= <entryname='devicegroupname'>

 

I did find some bugs related to this which all seem to be fixed in PAN-OS 7.0.3.

 

If you still see the issue on 7.0.3 then I'd recommend opening a case with TAC.

 

Hope it helps.

-Kim.

LIVEcommunity team member, CISSP
Cheers,
Kiwi
Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.

Thanks, forgot to post the solution myself. It indeed works as designed with <entryname='devicegroupname'> instead of devicegroupname

Agreed, my apologies.

  • 1 accepted solution
  • 8683 Views
  • 9 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!