02-14-2022 03:57 AM
Hello everyone!
I am planning to create around 200 new subnets on my firewall managed by Panorama template. We plan to restructure our network.
I want to do this via the Rest API of Panorama. I was able to create a ae interface via the API, no problem. But I cannot create subinterfaces for this ae interface.
We are running Panorama 10.1.3-h1.
The following is the JSON body I send to the AggregateEthernetInterfaces enpoint restapi/v10.1/Network/AggregateEthernetInterfaces?name=ae2.155&location=template&template=MyTemplate
{
"entry": {
"@name": "ae2.155",
"ip": {
"entry": [
{
"@name": "10.10.155.1"
}
]
},
"tag": "155"
}
}
I am getting the following response:
{
"code": 3,
"message": "Invalid Object",
"details": [
{
"@type": "CauseInfo",
"causes": [
{
"code": 12,
"module": "panui_mgmt",
"description": "Invalid Object: ae2.155 'ae2.155' is not a valid reference."
}
]
}
]
}
{
"entry": {
"@name": "ae2.155",
"ip": {
"entry": [
{
"@name": "10.10.12.12"
}
]
},
"tag": "155"
}
}
{
"code": 9,
"message": "Parent Interface Not Found: Parent interface ae2 does not exist.",
"details": [
{
"@type": "CauseInfo",
"causes": [
{
"code": 200,
"module": "panui_restapi",
"description": "Parent Interface Not Found: Parent interface ae2 does not exist."
}
]
}
]
}
09-05-2025 04:00 AM
Hi everyone,
After now 3 years of working with automation in the whole Palo Alto Strata Universe (hardware firewalls, vmseries firewalls, Strata Cloud Manager, Panorama) since I created this post, I found that in the most cases the ansible collection for Pan-OS is very robust and can do alot of automation tasks.
So my suggestion would be to use ansible for these kind of operations. See https://galaxy.ansible.com/ui/repo/published/paloaltonetworks/panos/docs
Best regards,
Martin
02-14-2022 04:37 AM
Hello @MHuschenbett
I guess you need to embrace your call with another layer holding the name of the ae interface. For us it is obvious that ae2.155 is below ae2, but how should the machine know this.
02-14-2022 07:39 AM - edited 02-14-2022 07:45 AM
Hi Joerg,
Thank you for the answer.
The machine should know that ae2.155 is below ae2, because I can create a "normal" subinterface ethernet1/1.155 under ethernet1/1 without telling the API what the parent is (as you can see in the attached screenshots)
Also, in the mean time I was able to fullfill my task with the ansible panos collection.
But still, the question is how to do it via api...
Best Regards,
Martin
09-05-2025 03:44 AM
Hi,
Today I faced the same problem while trying to create subinterfaces under an aggregate interface. After one hour of try and fail I successfully got the solution. In my example I wanted to create ae1.106.
REST endpoint: restapi/v11.1/Network/AggregateEthernetInterfaces?name=ae1
Payload must obey this format where you edit ae1 agg-interface (which was already created):
payload = {
"entry": [
{
"@name": "ae1",
"layer3": {
"units": {
"entry": {
"@name": 'ae1.106',
"ip": {"entry":[{"@name": '192.168.0.254/24'}]},
"tag": '106',
"comment": "something here"
}
}
}
}
]
}
Use put with the referred REST endpoint to modify ae1, sending this payload inside.
If you need to add more than one subinterface, you must add multiple entries under units -> entry in the same call. Otherwise you will be replacing the existing subinterfaces already created. So, take caution with it when using this example several times or you will be loosing already working subinterfaces.
09-05-2025 04:00 AM
Hi everyone,
After now 3 years of working with automation in the whole Palo Alto Strata Universe (hardware firewalls, vmseries firewalls, Strata Cloud Manager, Panorama) since I created this post, I found that in the most cases the ansible collection for Pan-OS is very robust and can do alot of automation tasks.
So my suggestion would be to use ansible for these kind of operations. See https://galaxy.ansible.com/ui/repo/published/paloaltonetworks/panos/docs
Best regards,
Martin
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
