Using API to update Permitted IP Addresses list

L1 Bithead

We use the Permitted IP Addresses list (Panorama>Setup>Interfaces) to restrict access to Panorama to our public IPs. The problem we run into is that some of our devices use cellular as backup (new public IP every two days) or worse--Starlink (who change your public IP several times per day).

 

Since this list only uses IP, not DNS, I can't just use dynamic DNS entries. My solution is to update the list manually every time I need to push a config. I'd like to use a script that makes API calls, but I can't find any documentation for the API calls that get to anything in the Panorama>Setup area. Any idea where these commands might be hiding? Or is the API limited to only select commands? Maybe I need to just script accessing the CLI and editing it there, but I'm not sure I've seen those commands either...

Accepted Solutions

Cyber Elite

Hi @JDBailey ,

 

The XPath you are looking for is shown below.

 

/api/?type=config&action=get&xpath=/config/devices/entry[@name='localhost.localdomain']/deviceconfig/system/permitted-ip/entry[@name='172.16.0.0/12']

 

That example adds 172.16.0.0/12 with no description to the Permitted IP Addresses of the Panorama management interface.

 

There are a few ways to find an XML Path.

 

  1. Dig through the API browser.  https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-panorama-api/get-started-with-the-pan-os-xml-api...
  2. Use the CLI.  https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-panorama-api/get-started-with-the-pan-os-xml-ap...  This one is very cool.  Remember that the API and CLI are very similar.
  3. If you have no idea where it is in the CLI, configure it in the GUI with a unique description and type 'show | match <unique-description>' in configuration mode.  Make sure to type 'set cli config-output-format set' in operational mode 1st.
  4. With practice, get used to the XML tree the same as you did CLI commands.  https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-cli-quick-start/use-the-cli/load-configurations/...

Thanks,

 

Tom

 

PS The CLI command is 'set deviceconfig system permitted-ip 172.16.0.0/12'.

Thank you! I've been looking for this for years, but every time I start my search some network emergency pulled me away. I'll give it a test and if it works, I'll accept the solution. Wasn't expecting a reply this week, honestly. You've made my week!

L1 Bithead

TomYoung's advice helped me find exactly what I was looking for at this time as well as helping me see how to use the debugger to figure out x-path for other things I'm trying to do. I was surprised at how well ChatGPT did at writing clean Python code to do what I wanted. I just had to tweak my prompt a few times. The following prompt yielded the code below (I commented out the place where I fixed how to access a particular piece of data) that will retrieve the allowed IPs into a Python dict.

create a python script that will retrieve the xml data from panorama x-path /config/devices/entry[@name="localhost.localdomain"]/deviceconfig/system/permitted-ip using an api key for authentication and convert it to a dictionary keyed off of description

import requests
import xml.etree.ElementTree as ET

############# Start Unique Values ###############
# Panorama API endpoint for retrieving permitted IPs
panorama_url = 'https://my.panarama.url/api/'

# API key for authentication
api_key = 'myApiKey'
#############  End Unique Values  ###############


# Parameters for the API request
params = {
    'type': 'config',
    'action': 'get',
    'key': api_key,
    'xpath': '/config/devices/entry[@name="localhost.localdomain"]/deviceconfig/system/permitted-ip'
}

def retrieve_xml_data():
    try:
        # Make the API request to Panorama. Certificate verification stays on so the
        # API key is only sent to an authenticated endpoint; if Panorama uses a
        # private CA, pass verify='/path/to/ca-bundle.pem' instead of True.
        response = requests.get(panorama_url, params=params, verify=True, timeout=30)

        if response.status_code == 200:
            # Parse the XML response
            root = ET.fromstring(response.text)

            # The API can answer HTTP 200 with status="error" in the XML body
            if root.get('status') != 'success':
                print("Panorama API returned an error response.")
                return None

            # Initialize dictionary to store permitted IPs keyed off of 'description'
            permitted_ips = {}

            # Iterate over <entry> elements under <permitted-ip> to extract data
            for entry in root.findall('.//entry'):
                # <description> is optional; fall back to the address as the key
                description = (entry.findtext('description') or '').strip()
                ip_address = entry.attrib["name"] # entry.find('address').text.strip()
                permitted_ips[description or ip_address] = ip_address

            return permitted_ips

        else:
            print(f"Failed to retrieve XML data. Status code: {response.status_code}")
            return None

    except requests.exceptions.RequestException as e:
        print(f"An error occurred: {e}")
        return None

# Example usage:
if __name__ == "__main__":
    xml_data_dict = retrieve_xml_data()
    if xml_data_dict:
        print("Permitted IPs:")
        for description, ip_address in xml_data_dict.items():
            print(f"{description}: {ip_address}")
    else:
        print("Failed to retrieve XML data.")
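Added example, not part of any post in this thread: in the PAN-OS XML API a read uses action=get, while adding an entry uses action=set with an element parameter and removing one uses action=delete. The sketch below plans those write calls for sites whose public IP has changed, removing the stale address at the same time. The function names, the convention of identifying a site by its description, the single-host rule and the sample reply are assumptions made for illustration.

```python
import ipaddress
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape, quoteattr

BASE = ("/config/devices/entry[@name='localhost.localdomain']"
        "/deviceconfig/system/permitted-ip")

# Constructed sample of an action=get reply (not captured from a real device).
SAMPLE_GET = """<response status="success"><result><permitted-ip>
<entry name="172.16.0.0/12"/>
<entry name="198.51.100.7/32"><description>site-a-starlink</description></entry>
<entry name="203.0.113.40/32"><description>site-b-cell</description></entry>
</permitted-ip></result></response>"""

def parse_permitted(xml_text):
    """Return {entry name: description} from an action=get reply."""
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        raise RuntimeError("API reply did not report success")
    return {e.get("name"): (e.findtext("description") or "").strip()
            for e in root.iter("entry")}

def single_host(addr):
    """Normalise to CIDR text; reject anything wider than one address."""
    net = ipaddress.ip_network(addr, strict=True)
    if net.num_addresses != 1:
        raise ValueError(f"{addr} is not a single host")
    return str(net)

def plan_updates(current, desired):
    """desired maps description -> that site's present public IP.
    Entries whose description is not in desired are never touched."""
    by_desc = {desc: name for name, desc in current.items() if desc}
    ops = []
    for desc, addr in desired.items():
        new, old = single_host(addr), by_desc.get(desc)
        if old is not None and str(ipaddress.ip_network(old, strict=False)) == new:
            continue  # already permitted, nothing to change
        element = (f"<entry name={quoteattr(new)}>"
                   f"<description>{escape(desc)}</description></entry>")
        ops.append({"type": "config", "action": "set",
                    "xpath": BASE, "element": element})
        if old is not None:  # drop the stale address so it stops being trusted
            ops.append({"type": "config", "action": "delete",
                        "xpath": f"{BASE}/entry[@name='{old}']"})
    return ops

if __name__ == "__main__":
    for op in plan_updates(parse_permitted(SAMPLE_GET),
                           {"site-a-starlink": "198.51.100.99"}):
        print(op)
```

Each returned dict is the query parameter set for one API call, to be sent together with the API key. The calls change the candidate configuration only, so the new list takes effect after a commit.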

Cyber Elite

That rocks!
