This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Using API to update Permitted IP Addresses list

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Using API to update Permitted IP Addresses list

Go to solution
JDBailey
L0 Member

‎06-14-2024 11:38 AM

We use the Permitted IP Addresses list (Panorama>Setup>Interfaces) to restrict access to Panorama to our public IPs. The problem we run into is that some of our devices use cellular as backup (new public IP every two days) or worse--Starlink (who change your public IP several times per day).

 

Since this list only uses IP, not DNS, I can't just use a dynamic DNS entries. My solution is to update the list manually every time I need to push a config. I'd like to use a script that makes API calls, but I can't find any documentation for the API calls that gets to anything in the Panorama>Setup area. Any idea where these commands might be hiding? Or is the API limited to only select commands? Maybe I need to just script accessing the CLI and editing it there, but I'm not sure I've seen those commands either...

0 Likes Likes
1 accepted solution

Accepted Solutions

Go to solution
TomYoung
Cyber Elite
Cyber Elite

‎06-14-2024 02:30 PM

Hi @JDBailey ,

 

The XPath you are looking for is shown below.

 

/api/?type=config&action=get&xpath=/config/devices/entry[@name='localhost.localdomain']/deviceconfig/system/permitted-ip/entry[@name='172.16.0.0/12']

 

That example adds 172.16.0.0/12 with no description to the Permitted IP Addresses of the Panorama management interface.

 

There are a few ways to find an XML Path.

 

  1. Dig through the API browser.  https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-panorama-api/get-started-with-the-pan-os-xml-api...
  2. Use the CLI.  https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-panorama-api/get-started-with-the-pan-os-xml-ap...  This one is very cool.  Remember that the API and CLI are very similar.
  3. If you have no idea where it is in the CLI, configure it in the GUI with a unique description and type 'show | match <unique-description>' in configuration mode.  Make sure to type 'set cli config-output-format set' in operational mode 1st.
  4. With practice, get used to the XML tree the same as you did CLI commands.  https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-cli-quick-start/use-the-cli/load-configurations/...

Thanks,

 

Tom

 

PS The CLI command is 'set deviceconfig system permitted-ip 172.16.0.0/12'.

Help the community: Like helpful comments and mark solutions.

View solution in original post

0 Likes Likes
2 REPLIES 2

Go to solution
TomYoung
Cyber Elite
Cyber Elite

‎06-14-2024 02:30 PM

Hi @JDBailey ,

 

The XPath you are looking for is shown below.

 

/api/?type=config&action=get&xpath=/config/devices/entry[@name='localhost.localdomain']/deviceconfig/system/permitted-ip/entry[@name='172.16.0.0/12']

 

That example adds 172.16.0.0/12 with no description to the Permitted IP Addresses of the Panorama management interface.

 

There are a few ways to find an XML Path.

 

  1. Dig through the API browser.  https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-panorama-api/get-started-with-the-pan-os-xml-api...
  2. Use the CLI.  https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-panorama-api/get-started-with-the-pan-os-xml-ap...  This one is very cool.  Remember that the API and CLI are very similar.
  3. If you have no idea where it is in the CLI, configure it in the GUI with a unique description and type 'show | match <unique-description>' in configuration mode.  Make sure to type 'set cli config-output-format set' in operational mode 1st.
  4. With practice, get used to the XML tree the same as you did CLI commands.  https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-cli-quick-start/use-the-cli/load-configurations/...

Thanks,

 

Tom

 

PS The CLI command is 'set deviceconfig system permitted-ip 172.16.0.0/12'.

Help the community: Like helpful comments and mark solutions.
0 Likes Likes

Go to solution
JDBailey
L0 Member
In response to TomYoung

‎06-14-2024 02:33 PM

Thank you! I've been looking for this for years, but every time I start my search some network emergency pulled me away. I'll give it a test and if it works, I'll accept the solution. Wasn't expecting a reply this week, honestly. You've made my week!

  • 1 accepted solution
  • 247 Views
  • 2 replies
  • 0 Likes
  • 29 Subscriptions
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks