[python]Create and update object groups

I am experimenting with a real-life example: when a server is created, its hostname and IP address are assigned by an orchestrator. The orchestrator then calls the Python script and passes it the hostname, which becomes the object entry name, and the IP address.

This is the code sample. I referred to this link to understand the XML structure; the PA documentation only mentions an example for creating a new rule.

The configuration set API requires an XPath. To find the XPath, browse to https://your_PA_firewall/api/ and navigate to Configuration Commands > devices > entry[@name='localhost.localdomain'] > vsys > entry[@name='vsys1'] > address.

Here’s the code sample; you can modify it to be more dynamic.

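import time

import requests
from bs4 import BeautifulSoup as bs

# XML API endpoint of the firewall (lab address)
api_url = "https://192.168.1.104/api/"

address_group_xpath = "/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/address-group"
address_xpath = "/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/address"

# Address objects, set under address_xpath
create_address = """
<entry name="member4">
    <ip-netmask>10.0.0.4</ip-netmask>
</entry>
<entry name="member5">
    <ip-netmask>10.0.0.5</ip-netmask>
</entry>
<entry name="member6">
    <ip-netmask>10.0.0.6</ip-netmask>
</entry>
"""

# Static address group whose members are the address objects above
create_address_group = """
<entry name="group1">
    <static>
        <member>member4</member>
        <member>member5</member>
        <member>member6</member>
    </static>
</entry>
"""

def get_key(username, password):
    # POST the credentials in the form body so requests URL-encodes them and
    # they do not end up in the URL. verify=False turns off certificate
    # validation and is only acceptable in a lab; otherwise pass the path of
    # the CA bundle that signed the firewall certificate.
    response = requests.post(api_url, params={'type': 'keygen'},
                             data={'user': username, 'password': password}, verify=False)
    response.raise_for_status()
    soup = bs(response.content, 'html.parser')
    # store the data inside the <key> element
    pa_key = soup.find('key').text
    return pa_key

def config_set(key, xpath, element):
    # action=set merges the element into the candidate configuration at xpath
    response = requests.post(api_url, params={'type': 'config', 'action': 'set'},
                             data={'key': key, 'xpath': xpath, 'element': element}, verify=False)
    response.raise_for_status()
    return response

# Lab credentials; outside a lab, read them from the environment or a secrets store
key = get_key('admin', 'admin')

config_set(key, address_xpath, create_address)
time.sleep(3)
config_set(key, address_group_xpath, create_address_group)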

The set calls only change the candidate configuration, so you still need to commit in the PAN-OS UI, either locally on the PA firewall or through Panorama, depending on which one the API calls are sent to. In this code sample they go directly to the firewall.
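One way to make the element strings dynamic is to build them from the hostname and IP address the orchestrator passes in, validating both before they reach the firewall configuration. This is an added example, not code from the original post; the function names and the naming rule in NAME_RE are assumptions.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

# Assumed naming policy for this example: letters, digits, '.', '_' and '-',
# starting with a letter or digit, at most 63 characters.
NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,62}")


def address_entry(hostname, ip):
    """Return the <entry> element for one address object, or raise ValueError."""
    if not NAME_RE.fullmatch(hostname):
        raise ValueError("invalid object name: {!r}".format(hostname))
    # ip_address() raises ValueError for anything that is not a single IP
    addr = ipaddress.ip_address(ip)
    entry = ET.Element("entry", {"name": hostname})
    ET.SubElement(entry, "ip-netmask").text = str(addr)
    return entry


def group_entry(group, members):
    """Return the <entry> element for a static address group."""
    if not NAME_RE.fullmatch(group):
        raise ValueError("invalid group name: {!r}".format(group))
    entry = ET.Element("entry", {"name": group})
    static = ET.SubElement(entry, "static")
    for name in members:
        ET.SubElement(static, "member").text = name
    return entry


def build_elements(group, servers):
    """servers is a list of (hostname, ip) pairs from the orchestrator.

    Returns (address_xml, group_xml), the two strings sent as 'element'.
    """
    entries = [address_entry(host, ip) for host, ip in servers]
    address_xml = "".join(ET.tostring(e, encoding="unicode") for e in entries)
    group = group_entry(group, [host for host, _ in servers])
    return address_xml, ET.tostring(group, encoding="unicode")


# Constructed sample input that mirrors the objects used in the post
SAMPLE = [("member4", "10.0.0.4"), ("member5", "10.0.0.5"), ("member6", "10.0.0.6")]

if __name__ == "__main__":
    for xml in build_elements("group1", SAMPLE):
        print(xml)
```

The two returned strings take the place of create_address and create_address_group in the calls above.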


One thought on “[python]Create and update object groups”

  1. Hey,
    do you know how to create service “ports” in Palo Alto with the API?
    I don't know which $element I need to use.
    Below is my path:
    &type=config&action=set&xpath=/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name=%27vsys1%27]/service/entry[@name='TCP-666']&element=???

    Thanks,
    best regards
