RESTAPI call for Dynamic Address Group members

T_Hoedemaekers · ‎02-29-2024

For one of my automation use-cases I need to check what IP's are a member of a Dynamic Address Group, this list:

I haven't found an API request that results in this data. I know I will be able to grab the data from cli but ssh'ing into panorama is a solution I try to avoid.

Using /restapi/v10.2/Objects/AddressGroups I receive the filter as output, not the membership:

                "@name": "ACI-TEST_Monitoring_Monitoring1",
                "@location": "device-group",
                "@device-group": "**",
                "@loc": "**",
                "dynamic": {
                    "filter": "'**.tn_TEST.ap_Monitoring.epg_Monitoring1'"
                }

Am I missing something? Is there a way to get this data via the rest API?
And if not, is there a way to request this as a feature in a future panorama release?

T_Hoedemaekers · ‎03-05-2024

I have implemented a workaround solution by monitoring the ip tag logs using the XML api.
I'm dumping my code here, this can be used as a starting point for your own use-case.

I am still interested in having a way to monitor DAG members directly using the REST API. This way is, in my opinion, not elegant.

import requests, re, datetime, xmltodict, time

pa_user = 'username'
pa_password = 'password'
panorama_url = 'panorama.domain'
pan_base_url = 'https://' + panorama_url

def generate_pa_key(fwl_dns=panorama_url):
    response = requests.get(
        'https://{0}/api/?type=keygen&user={1}&password={2}'.format(fwl_dns, pa_user, pa_password), verify=False)
    result = re.findall("<key>.*</key>", response.text)
    key = result[0][5:-6]
    return key

def panorama_get(key, sub_url):
    header = {'X-PAN-Key': "{}".format(key)}    
    return requests.get(pan_base_url+sub_url, headers=header)

def get_ip_tag_logs():
    #generate panoramakey
    key = generate_pa_key(panorama_url)
    
    #generate correct time for query
    current_time = datetime.datetime.now()
    new_time = current_time - datetime.timedelta(minutes=9)
    formatted_time = new_time.strftime("%Y/%m/%d %H:%M:%S")
    
    #query on ip of monitoring VM, for firewall device-name
    query = "(ip in '10.10.10.10') and (device_name eq 'device-name') and (time_generated geq '{}') and (vsys eq 'vsys5')".format(formatted_time).replace(' ','%20')
    sub_url = 'api?type=log&log-type=iptag&query=' + query
    result = panorama_get(key, sub_url)
    
    if result.status_code != 200:
        #failure_reason = 'error: query job generation failed. {0}. {1}'.format(result,result.text)
        #add_failure(failure_reason)
        return False
    
    if result.status_code == 200:    
        job_id_dict = xmltodict.parse(result.text)
        job_id = job_id_dict['response']['result']['job'] 
        sub_url = '/api?type=log&action=get&job-id={}'.format(job_id)
        result = panorama_get(key,sub_url)
        #stop unending loops
        while_count = 0
        while result.status_code == 200:
            while_count += 1
            if while_count > 5:
                #add_failure('querying for logs took too long')
                break     
            if xmltodict.parse(result.text)['response']['result']['job']['status'] != 'FIN':
                time.sleep(10)
                result = panorama_get(key,sub_url)
            elif xmltodict.parse(result.text)['response']['result']['job']['status'] == 'FIN':
                return xmltodict.parse(result.text)['response']['result']['log']['logs']
    else:
        return -1

Unlock your full community experience!

RESTAPI call for Dynamic Address Group members

RESTAPI call for Dynamic Address Group members

Show your appreciation!