Configuration (API)
The request examples in these topics illustrate how you can use the PAN-OS XML API to
configure your firewall.
View Configuration Node Values for XPath
Use the action=complete action along with an XPath to see the possible
values that are available for the XPath node.
curl -g -X POST "https://firewall/api?type=config&action=complete&xpath=/config/devices/entry[@name='localhost.localdomain']/vsys&key=apikey"
Using XPATH to Retrieve Configuration Information
Use the xpath parameter to target a specific portion of the
configuration. For example, to retrieve just the security
rulebase: xpath=/config/devices/entry/vsys/entry/rulebase/security
curl -X POST "https://firewall/api?type=config&action=show&xpath=/config/devices/entry/vsys/entry/rulebase/security"
There is no trailing slash character (/) at the end of the XPath.
Using XPATH to Retrieve ARP Configuration
curl -X POST "https://<firewall>/api/?type=op&command=<show><arp><entry name='all'/></arp></show>"
Get Candidate Configuration
Get the candidate configuration from a firewall with the following request. Use
the xpath parameter to specify the portion of the configuration to get.
curl -X POST "https://firewall/api?type=config&action=get&xpath=<path-to-config-node>"
Configuration Node | API Request
---|---
Firewall candidate configuration |
Firewall candidate configuration through Panorama |
Firewall candidate configuration through Panorama without specifying a firewall |
Address objects in a virtual system (vsys). | The response looks similar to the following:
Pre-rules pushed from Panorama. |
Full list of all applications. |
Details on the specific application. |
Set Configuration
Use action=set to add or create a new object at a specified
location in the PAN-OS configuration. Use the xpath parameter
to specify the location of the object in the configuration. For example, if you are
adding a new rule to the security rulebase, the xpath-value would be:
/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/rulebase/security
Use the element parameter to specify, in XML, a value for the object you
are adding or creating.
Configuration Node | API Request
---|---
Create a new rule called rule1 in security policy | where the xpath-value is: and the element-value is:
Add an additional member to an address group or list | Include the 'list' node in the xpath using the member[text()='name'] syntax and include the members in the element parameter. For example, to add an additional static address object named abc to an address group named test, use:
Create a new IP address on a specific interface | Specify the interface and IP address in the request:
Enable or disable a security rule | Alternatively, use <disabled>no</disabled> to enable a rule.
Edit Configuration
Use action=edit to replace an existing object hierarchy at a specified location in the configuration with a new value. Use the xpath parameter to specify the location of the object, including the node to be replaced. Use the element parameter to specify a new value for the object using its XML object hierarchy (as seen in the output of action=show).
Replace the application(s) currently used in a rule rule1 with a new application:
curl -X POST "https://firewall/api?type=config&action=edit&xpath=xpath-value&element=element-value"
where
xpath=/config/devices/entry/vsys/entry/rulebase/security/rules/entry[@name='rule1']/application&element=<application><member>app-name</member></application>
Use the response from the config show API request to create the
XML body for the element.
curl -X POST "https://firewall/api?type=config&action=show"
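The edit request above, prepared from Python with every parameter percent-encoded in the POST body, as an added example that is not part of the original documentation. The helper names (entry, members, config_request, edit_rule_apps) and the name allow-list are assumptions for illustration; the API key is sent in the X-PAN-KEY header instead of the key= query parameter.

```python
import re
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

# Allow-list for names placed inside [@name='...']. Assumption: adjust the
# pattern to the naming rules your own firewall objects follow.
_NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._ -]{0,62}")
RULES = "/config/devices/entry/vsys/entry/rulebase/security/rules"


def entry(name):
    """Return entry[@name='<name>'], refusing names that could alter the XPath."""
    if not _NAME_RE.fullmatch(name):
        raise ValueError(f"unsafe object name: {name!r}")
    return f"entry[@name='{name}']"


def members(tag, values):
    """Build <tag><member>v</member>...</tag>; ElementTree escapes &, < and >."""
    root = ET.Element(tag)
    for value in values:
        ET.SubElement(root, "member").text = value
    return ET.tostring(root, encoding="unicode")


def config_request(host, api_key, action, xpath, **params):
    """Prepare, without sending, a type=config POST with all fields encoded."""
    fields = {"type": "config", "action": action, "xpath": xpath, **params}
    return urllib.request.Request(
        f"https://{host}/api/",
        data=urllib.parse.urlencode(fields).encode("ascii"),
        method="POST",
        headers={"X-PAN-KEY": api_key},  # key stays out of the URL
    )


def edit_rule_apps(host, api_key, rule, apps):
    """action=edit that replaces the application list of one security rule."""
    xpath = f"{RULES}/{entry(rule)}/application"
    return config_request(host, api_key, "edit", xpath,
                          element=members("application", apps))


if __name__ == "__main__":
    # "firewall", "apikey", "rule1" and "app-name" are the page's placeholders.
    req = edit_rule_apps("firewall", "apikey", "rule1", ["app-name"])
    print(req.full_url)
    print(req.data.decode())
```

Pass the prepared request to urllib.request.urlopen to send it; a rule name containing a quote or bracket raises ValueError before any request is built.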
Rename Configuration
Use the following API query to rename an address object
called old_address to new_address:
curl -g -X POST "https://firewall/api?type=config&action=rename&xpath=/config/devices/entry/vsys/entry[@name='vsys1']/address/entry[@name='old_address']&newname=new_address"
Clone Configuration
Use action=clone to clone an existing configuration object. Use
the xpath parameter to specify the location of the object
to be cloned. Use the from parameter to specify the source
object, and the newname parameter to provide a name for the
cloned object.
curl -g -X POST "https://firewall/api?type=config&action=clone&xpath=/config/devices/entry/vsys/entry[@name='vsys1']/rulebase/security/rules&from=/config/devices/entry/vsys/entry[@name='vsys1']/rulebase/security/rules/entry[@name='rule1']&newname=rule2"
Move Configuration
Use action=move to move the location of an existing
configuration object. Use the xpath parameter to specify the
location of the object to be moved, the where parameter to
specify the type of move, and the dst parameter to specify the
destination path.
- where=after&dst=xpath
- where=before&dst=xpath
- where=top
- where=bottom
Use the following API query to move a security policy
called rule1 to come after rule2:
curl -g -X POST "https://firewall/api?type=config&action=move&xpath=/config/devices/entry/vsys/entry[@name='vsys1']/rulebase/security/rules/entry[@name='rule1']&where=after&dst=rule2"
Override Configuration
Use action=override to override a setting that was pushed to a
firewall from a template. Use the xpath parameter to specify
the location of the object to override.
curl -X POST 'https://firewall/api?type=config&action=override&xpath=/config/shared/log-settings/snmptrap&element=<entry name="snmp" src="tpl"><version src="tpl"><v2c src="tpl"><server src="tpl"><entry name="test" src="tpl"><manager src="tpl">2.2.2.2</manager><community src="tpl">test</community></entry></server></v2c></version></entry>'
Multi-Move and Multi-Clone
Use the action=multi-move and action=multi-clone actions to move and clone
addresses, address groups, services, and more across device groups and virtual
systems. Templates do not support the multi-move and multi-clone capability.
The syntax for multi-move and multi-clone specifies the xpath for the destination
where the addresses will be moved to, the xpath for the source and the list of
objects within the specified source. It also includes a flag for displaying the
errors when the firewall performs a referential integrity check on the multi-move or
multi-clone action.
Move addresses addr1, addr2 to device group norcal from device group socal:
curl -g -X POST "https://firewall/api?type=config&action=multi-move&xpath=/config/devices/entry[@name='localhost.localdomain']/devicegroup/entry[@name='norcal']/address&element=<selected-list><source xpath=\"/config/devices/entry[@name='localhost.localdomain']/devicegroup/entry[@name='socal']/address\"><member>addr1</member><member>addr2</member></source></selected-list><all-errors>no</all-errors>"
Clone addresses addr1, addr2 to device group norcal from device group socal:
curl -g -X POST "https://firewall/api?type=config&action=multi-clone&xpath=/config/devices/entry[@name='localhost.localdomain']/devicegroup/entry[@name='norcal']/address&element=<selected-list><source xpath=\"/config/devices/entry[@name='localhost.localdomain']/devicegroup/entry[@name='socal']/address\"><member>addr1</member><member>addr2</member></source></selected-list><all-errors>no</all-errors>"