Application list via show running security-policy is incomplete


L1 Bithead

Hey guys, I need to export a bunch of security rules from one of our FWs (PA-5250; 10.2.10-h9). I decided to do this via the CLI, but certain rules seem to have an incomplete list of applications. It looks like this:

 

application/service [0:ms-scheduler/tcp/any/any 1:ms-scheduler/udp/any/any 2:ms-netlogon/tcp/any/49152-65535 3:ms-netlogon/tcp/any/135 4:ms-netlogon/tcp/any/139 5:ms-netlogon/tcp/any/445 6:ms-netlogon/tcp/any/1025-5000 7:ms-netlogon/udp/any/137 8:ms-netlogon/udp/any/138 9:ms-netlogon/udp/any/445 10:netbios-ss/tcp/any/139 11:msrpc-base/tcp/any/any 12:msrpc-base/udp/any/any 13:ms-ds-smb-base/tcp/any/139 14:ms-ds-smb-base/tcp/any/445 15:ms-ds-smb-base/udp/any/445 16:mssql-db-base/tcp/any/1433 17:mssql-db-base/udp/any/1433 18:mssql-mon/udp/any/1434 19:ms-service-contro/tcp/any/any 20:ms-wmi/tcp/any/any 21:windows-remote-ma/tcp/any/5985 22:windows-remote-ma/tcp/any/5986 23:ms-ds-smbv3/tcp/any/139 24:ms-ds-smbv3/tcp/any/445 25:ms-ds-smbv3/udp/any/445 26:ms-remote-registr/tcp/any/any 27:ms-remote-registr/udp/any/any 28:ms-event-log/tcp/any/any 29:ms-event-log/udp/any/any 30:ms-local-user-man/tcp/any/any 31:ms-local-user-man/udp/any/any ... ]

 

See how it ends with "..."? There seems to be a limit of about ~930 characters. I already tried to set the output format to XML, but I'm not sure if I did it correctly, since there is no change in format. I used: "set cli config-output-format xml"

 

After running "show running security-policy" there is no change.

After switching to configure mode via "configure" and running "show rulebase security rules" it doesn't give me any output. Same when I switch back to the default output format. Am I doing something wrong? Are there other ways to achieve what I need (export all applications of a certain security rule)?

 

Many thanks

1 accepted solution

Accepted Solutions

You're on the right track using the XML API Browser to extract information. If you're trying to retrieve the enabled applications for a specific security rule using XPath, the correct XML command format should follow this structure:

<show>
<config>
<running>
<xpath>/config/devices/entry/vsys/entry/rulebase/security/rules/entry[@name='Rule_Name']/application</xpath>
</running>
</config>
</show>

Key Points:

  • Replace Rule_Name with the actual name of your security rule.
  • The XPath should match the exact hierarchy of the firewall configuration.
  • The path generally follows:
    /config/devices/entry/vsys/entry/rulebase/security/rules/entry[@name='Rule_Name']/application
  • The same query over the XML API with curl (the -g / --globoff flag is required: without it curl treats the [ ] in the XPath as a URL glob and fails with "bad range in URL position"):
    curl -k -g -X GET "https://<FIREWALL_IP>/api/?type=config&action=show&xpath=/config/devices/entry/vsys/entry/rulebase/security/rules/entry[@name='Rule_Name']/application&key=<API_KEY>"

If you still encounter errors:

  1. Check the full XML structure using a broader query:
     <show>
     <config>
     <running>
     <xpath>/config/devices/entry/vsys/entry/rulebase/security/rules</xpath>
     </running>
     </config>
     </show>
     This will return all rules; then you can refine your XPath.

  2. Verify case sensitivity
     The XML structure is case-sensitive. Ensure entry[@name='Rule_Name'] exactly matches.

  3. Specify the vsys in case of multiple VSYS
     If you're working with multiple virtual systems, try:
     <xpath>/config/devices/entry/vsys/entry[@name='vsys1']/rulebase/security/rules/entry[@name='Rule_Name']/application</xpath>


Best Regards,
Suresh

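The accepted answer gives the XPath and the raw API call; the script below is an added example (not code from the post or from Palo Alto Networks) that does the whole job the original question asks for, exporting every rule's full application list without the ~930-character truncation of "show running security-policy". It builds the same type=config&action=show query, sends the API key in the X-PAN-KEY header instead of the URL (so it stays out of proxy and web-server logs), verifies the firewall certificate instead of disabling checks the way curl -k does, and parses the <application><member> listing into a CSV. The names FW_HOST, RULE_APPS_XPATH, RULEBASE_XPATH, the rule and vsys names, and both sample responses are constructed for the example; fetch() needs a reachable firewall, everything else runs offline.

```python
"""Export the full application list of PAN-OS security rules via the XML API.

Added example, not code from the forum post or from Palo Alto Networks. It
builds the type=config&action=show query the accepted answer shows and
parses the <application><member> elements the XML API browser returns.
FW_HOST, the rule/vsys names and the sample responses are constructed.
"""
import csv
import io
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

RULE_APPS_XPATH = ("/config/devices/entry/vsys/entry[@name='{vsys}']"
                   "/rulebase/security/rules/entry[@name='{rule}']/application")
RULEBASE_XPATH = ("/config/devices/entry/vsys/entry[@name='{vsys}']"
                  "/rulebase/security/rules")


def build_query(xpath):
    """Query string for https://<fw>/api/?type=config&action=show&xpath=...
    urlencode() percent-encodes the [ ] ' @ / in the XPath, so neither the
    shell nor curl's URL globbing can mangle it. The API key is deliberately
    not a URL parameter: it goes in the X-PAN-KEY header (see fetch), so it
    does not end up in proxy or web-server access logs."""
    return urllib.parse.urlencode(
        {"type": "config", "action": "show", "xpath": xpath})


def fetch(fw_host, api_key, xpath, cafile=None, timeout=30):
    """GET the running config at xpath; needs network access to a firewall.
    Pass the CA that issued the firewall certificate as cafile rather than
    disabling verification (the curl -k equivalent) outside a lab."""
    ctx = ssl.create_default_context(cafile=cafile)
    req = urllib.request.Request(
        f"https://{fw_host}/api/?{build_query(xpath)}",
        headers={"X-PAN-KEY": api_key})
    with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
        return resp.read().decode("utf-8")


def result_of(xml_text):
    """Return the <result> element, or raise on <response status="error">."""
    root = ET.fromstring(xml_text)
    if root.tag != "response" or root.get("status") != "success":
        msg = root.findtext("msg/line") or root.findtext("msg") or "unknown"
        raise RuntimeError(f"PAN-OS API error: {msg.strip()}")
    return root.find("result")


def rule_members(xml_text):
    """Members of one rule's <application> (response to RULE_APPS_XPATH)."""
    app = result_of(xml_text).find("application")
    if app is None:
        raise RuntimeError("no <application> node in result")
    return [m.text.strip() for m in app.findall("member")]


def rulebase_applications(xml_text):
    """rule name -> application members for the whole rulebase (response to
    RULEBASE_XPATH). 'any' is returned literally; a rule without an
    <application> node yields an empty list."""
    out = {}
    for entry in result_of(xml_text).findall("rules/entry"):
        out[entry.get("name")] = [
            m.text.strip() for m in entry.findall("application/member")]
    return out


def to_csv(apps):
    """One 'rule,application' row per member, ready for Excel."""
    buf = io.StringIO()
    w = csv.writer(buf)
    w.writerow(["rule", "application"])
    for rule, members in apps.items():
        for m in members:
            w.writerow([rule, m])
    return buf.getvalue()


# Constructed sample responses in the shape the API returns (not captured
# from a real firewall).
SAMPLE_RULE_RESPONSE = """<response status="success" code="19"><result total-count="1" count="1">
<application>
<member>ms-ds-smb-base</member>
<member>ms-ds-smbv3</member>
<member>msrpc</member>
</application></result></response>"""

SAMPLE_RULEBASE_RESPONSE = """<response status="success" code="19"><result total-count="1" count="1">
<rules>
<entry name="AD-Services"><action>allow</action>
<application><member>ms-ds-smb-base</member><member>ms-ds-smbv3</member><member>msrpc</member></application>
</entry>
<entry name="Any-Out"><action>allow</action><application><member>any</member></application></entry>
</rules></result></response>"""

SAMPLE_ERROR_RESPONSE = ('<response status="error" code="7">'
                         '<msg><line>No such node</line></msg></response>')

if __name__ == "__main__":
    # Offline demo; against a firewall use
    # fetch("FW_HOST", "API_KEY", RULEBASE_XPATH.format(vsys="vsys1")) instead.
    print(to_csv(rulebase_applications(SAMPLE_RULEBASE_RESPONSE)))
```

Querying the whole rulebase once (RULEBASE_XPATH) and splitting it locally is cheaper than one API call per rule, and rulebase_applications() keeps rules whose only member is "any" visible, which is usually what an export like this is meant to find.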

3 REPLIES

L4 Transporter
Can you try using set cli config-output-format set (set format)?
Here is an example:
  set shared application MyApp category business-systems
  set shared application MyApp subcategory collaboration
  set shared application MyApp technology browser-based
  set shared application MyApp risk 3
  set shared application MyApp default port tcp/8080
  set shared application MyApp timeout 30
  set shared application MyApp tcp-timeout 60
  set shared application MyApp udp-timeout 30
  set shared application MyApp tcp-keep-alive yes
  set shared application MyApp enable-default yes
  set shared application MyApp description "Custom business app running on TCP 8080"

 

Best Regards,
Suresh
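If the set-format output does appear (the poster reports that it did not on their firewall), it can be turned into the same per-rule application list. The parser below is an added example, not code from the post; it assumes the lines have the shape "set rulebase security rules <name> application [ a b ]" that a firewall prints after "set cli config-output-format set" (Panorama prefixes "device-group <dg> pre-rulebase" instead and is not handled), and the sample output, rule names and the rules_allowing helper are constructed for the example.

```python
"""Turn PAN-OS set-format rule output into rule -> application lists.

Added example, not from the post. Assumes lines look like
'set rulebase security rules <name> application [ a b ]' as a firewall
prints after 'set cli config-output-format set' (Panorama uses a
'device-group <dg> pre-rulebase' prefix instead; not handled here).
The sample output below is constructed, not captured from a firewall.
"""
import shlex

SAMPLE_SET_OUTPUT = """\
set rulebase security rules AD-Services from trust
set rulebase security rules AD-Services application [ ms-ds-smb-base ms-ds-smbv3 msrpc ]
set rulebase security rules AD-Services service application-default
set rulebase security rules "Web Out" application [ web-browsing ssl ]
set rulebase security rules Any-Out application any
"""

PREFIX = ["set", "rulebase", "security", "rules"]


def parse_set_applications(text):
    """rule name -> [applications]. shlex keeps quoted names with spaces
    intact, and keying on the attribute token means a line such as
    'service application-default' is not mistaken for an application line
    (a naive grep for 'application' would match it)."""
    apps = {}
    for raw in text.splitlines():
        toks = shlex.split(raw.strip())
        # layout: set rulebase security rules <name> <attribute> <value...>
        if toks[:4] != PREFIX or len(toks) < 7 or toks[5] != "application":
            continue
        name, values = toks[4], toks[6:]
        members = [v for v in values if v not in ("[", "]")]  # drop list brackets
        apps.setdefault(name, []).extend(members)
    return apps


def rules_allowing(apps, app):
    """Rules whose application list contains app, or 'any' (which matches
    everything and is the usual thing to hunt for in a rule review)."""
    return [r for r, members in apps.items() if app in members or "any" in members]


if __name__ == "__main__":
    parsed = parse_set_applications(SAMPLE_SET_OUTPUT)
    for rule, members in parsed.items():
        print(rule, ",".join(members))
    print("msrpc allowed by:", rules_allowing(parsed, "msrpc"))
```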

L1 Bithead

Hello Suresh, many thanks for replying. Unfortunately this didn't change the output format at all. Could it be that there is some kind of configuration on the FW that makes it reject giving output for the command "show rulebase security rules" or reject the "set" command? Because whatever format I change it to, it won't show anything. With the exception of "show running security-policy", which gives the incomplete output as mentioned.

 

Interestingly, with the XML API Browser I'm able to get what I need: a full output of all the enabled applications of a certain rule. Like this:

<application>
<member>ms-ds-smb-base</member>
<member>ms-ds-smbv2</member>
<member>ms-ds-smbv3</member>
<member>ms-service-controller</member>
<member>msrpc</member>
<member>mssql-db</member>
<member>mssql-mon</member>
<member>netbios-ss</member>
</application>

 

With a little Excel magic this can easily be extracted.

 

<show><config><running><xpath></xpath></running></config></show>

Via XPath I should also be able to get the output for a certain entry in the configuration, but it keeps giving me errors for whatever XPath I give. What's the correct XML command format?
