02-27-2025 12:39 AM
Hey guys, I need to export a bunch of security rules of one of our FWs (PA-5250; 10.2.10-h9). I decided to do this via cli, but certain rules seem to have an incomplete list of applications. It looks like this:
application/service [0:ms-scheduler/tcp/any/any 1:ms-scheduler/udp/any/any 2:ms-netlogon/tcp/any/49152-65535 3:ms-netlogon/tcp/any/135 4:ms-netlogon/tcp/any/139 5:ms-netlogon/tcp/any/445 6:ms-netlogon/tcp/any/1025-5000 7:ms-netlogon/udp/any/137 8:ms-netlogon/udp/any/138 9:ms-netlogon/udp/any/445 10:netbios-ss/tcp/any/139 11:msrpc-base/tcp/any/any 12:msrpc-base/udp/any/any 13:ms-ds-smb-base/tcp/any/139 14:ms-ds-smb-base/tcp/any/445 15:ms-ds-smb-base/udp/any/445 16:mssql-db-base/tcp/any/1433 17:mssql-db-base/udp/any/1433 18:mssql-mon/udp/any/1434 19:ms-service-contro/tcp/any/any 20:ms-wmi/tcp/any/any 21:windows-remote-ma/tcp/any/5985 22:windows-remote-ma/tcp/any/5986 23:ms-ds-smbv3/tcp/any/139 24:ms-ds-smbv3/tcp/any/445 25:ms-ds-smbv3/udp/any/445 26:ms-remote-registr/tcp/any/any 27:ms-remote-registr/udp/any/any 28:ms-event-log/tcp/any/any 29:ms-event-log/udp/any/any 30:ms-local-user-man/tcp/any/any 31:ms-local-user-man/udp/any/any ... ]
See how it ends with "..."? There seems to be a limit of about ~930 characters. I already tried to set the output format to xml, but I'm not sure if I did it correctly since there is no change in format. I used: "set cli config-output-format xml"
After running "show running security-policy is incomplete" there is no change.
After switching to configure-mode via "configure" and running "show rulebase security rules" it doesn't give me any output. Same when I switch back to default output format. Am I doing something wrong? Are there other ways to achieve what I need (export all applications of a certain security rule)?
Many thanks
02-27-2025 03:20 AM - edited 02-27-2025 03:21 AM
03-02-2025 11:37 PM
Hello Suresh, many thanks for replying. Unfortunately this didn't change the output format at all. Could it be that there is some kind of configuration on the FW that makes it reject giving output for the command "show rulebase security rules" or reject the "set" command? Because whatever format I change it to, it won't show anything. With the exception of "show running security-policy", which gives the incomplete output as mentioned.
Interestingly, with the XML API Browser I'm able to get what I need: a full output of all the enabled applications of a certain rule. Like this:
<application>
<member>ms-ds-smb-base</member>
<member>ms-ds-smbv2</member>
<member>ms-ds-smbv3</member>
<member>ms-service-controller</member>
<member>msrpc</member>
<member>mssql-db</member>
<member>mssql-mon</member>
<member>netbios-ss</member>
</application>
With a little Excel magic this can easily be extracted.
<show><config><running><xpath></xpath></running></config></show>
Via xpath I should also be able to get the output for a certain entry in the configuration, but it keeps giving me errors for whatever xpath I give. What's the correct xml command format?
03-03-2025 07:40 AM
You're on the right track using the XML API Browser to extract information. If you're trying to retrieve the enabled applications for a specific security rule using XPath, the correct XML command format should follow this structure:
<show>
<config>
<running>
<xpath>/config/devices/entry/vsys/entry/rulebase/security/rules/entry[@name='Rule_Name']/application</xpath>
</running>
</config>
</show>
Key Points:
Replace Rule_Name with the actual name of your security rule:
/config/devices/entry/vsys/entry/rulebase/security/rules/entry[@name='Rule_Name']/application
curl -k -X GET "https://<FIREWALL_IP>/api/?type=config&action=show&xpath=/config/devices/entry/vsys/entry/rulebase/security/rules/entry[@name='Rule_Name']/application&key=<API_KEY>"
If you still encounter errors:
Check the full XML structure using a broader query:
<show>
<config>
<running>
<xpath>/config/devices/entry/vsys/entry/rulebase/security/rules</xpath>
</running>
</config>
</show>
This will return all rules—then you can refine your XPath.
Verify Case Sensitivity
The XML structure is case-sensitive. Ensure entry[@name='Rule_Name'] exactly matches.
Specify the vsys name in case of multiple VSYS
If you're working with multiple virtual systems, try:
<xpath>/config/devices/entry/vsys/entry[@name='vsys1']/rulebase/security/rules/entry[@name='Rule_Name']/application</xpath>
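An added example, not from this thread or from Palo Alto Networks, that carries the reply above through end to end in Python: it builds the same XPath and API request as the curl line (with the XPath URL-encoded and single quotes rejected so a rule name cannot break the predicate), pulls the <member> names out of the response, and writes them as CSV, which is the export the original question asked for. The response shape, the host name fw.example and the API key are constructed placeholders and assumptions, not captured output; verify_tls=False mirrors curl -k and should only be used while a lab certificate is untrusted.

```python
import csv
import io
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

def rule_xpath(rule_name, vsys=None):
    """XPath from the reply above; vsys=None keeps the unqualified vsys/entry step."""
    if "'" in rule_name or (vsys and "'" in vsys):
        raise ValueError("a single quote would break the XPath predicate")
    vsys_step = f"entry[@name='{vsys}']" if vsys else "entry"
    return (f"/config/devices/entry/vsys/{vsys_step}/rulebase/security/rules"
            f"/entry[@name='{rule_name}']/application")

def api_url(host, rule_name, api_key, vsys=None):
    """Same request as the curl line above, with the XPath URL-encoded."""
    params = {"type": "config", "action": "show",
              "xpath": rule_xpath(rule_name, vsys), "key": api_key}
    return f"https://{host}/api/?" + urllib.parse.urlencode(params)

def parse_members(xml_text):
    """Return the <member> names, or raise if the API reports an error."""
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        raise RuntimeError("API error: " + " ".join(root.itertext()).strip())
    return [m.text.strip() for m in root.iter("member") if m.text]

def fetch_members(host, rule_name, api_key, vsys=None, verify_tls=True):
    """Live query; verify_tls=False mirrors curl -k, only for a lab certificate."""
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    url = api_url(host, rule_name, api_key, vsys)
    with urllib.request.urlopen(url, context=ctx, timeout=30) as resp:
        return parse_members(resp.read().decode())

def members_to_csv(rule_name, members):
    """One row per application, ready for Excel."""
    buf = io.StringIO()
    w = csv.writer(buf)
    w.writerow(["rule", "application"])
    w.writerows([rule_name, m] for m in members)
    return buf.getvalue()

# Constructed sample in the shape of a PAN-OS config/show response (not a capture).
SAMPLE_RESPONSE = ("<response status='success' code='19'><result><application>"
    "<member>ms-ds-smb-base</member><member>ms-ds-smbv2</member><member>ms-ds-smbv3</member>"
    "<member>msrpc</member><member>netbios-ss</member></application></result></response>")
```

Calling members_to_csv("Rule_Name", fetch_members("fw.example", "Rule_Name", api_key)) against a real firewall produces the complete list, with no ~930-character cut-off, because the XML API returns the full node rather than the CLI's abbreviated rendering.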