I am experimenting with a real-life example: when a server is created, its hostname and IP address are assigned by an orchestrator. The orchestrator then calls the Python script and passes it the hostname, which becomes the object entry name, and the IP address.
This is the code sample. I referred to this link to understand the XML structure; the PA documentation only mentions an example for creating a new rule.
The configuration set API requires an XPath. To find the XPath, open https://your_PA_firewall/api/ and navigate to Configuration Commands > devices > entry[@name='localhost.localdomain'] > vsys > entry[@name='vsys1'] > address
Here's the code sample; it can be modified to be more dynamic.
```python
import time

import requests
from bs4 import BeautifulSoup as bs

# API endpoint of the firewall used in this sample
API_URL = "https://192.168.1.104/api/"

address_group_xpath = "/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/address-group"
address_xpath = "/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/address"

create_address = """
<entry name="member4">
  <ip-netmask>10.0.0.4</ip-netmask>
</entry>
<entry name="member5">
  <ip-netmask>10.0.0.5</ip-netmask>
</entry>
<entry name="member6">
  <ip-netmask>10.0.0.6</ip-netmask>
</entry>
"""

create_address_group = """
<entry name="group1">
  <static>
    <member>member4</member>
    <member>member5</member>
    <member>member6</member>
  </static>
</entry>
"""


def get_key(username, password):
    # params= URL-encodes the values instead of pasting them into the URL.
    # verify=False disables TLS certificate validation, as in the original
    # sample; outside a lab, pass the CA bundle path to verify= instead.
    response = requests.get(
        API_URL,
        params={"type": "keygen", "user": username, "password": password},
        verify=False,
    )
    soup = bs(response.content, "html.parser")
    # The API key is the text inside the <key> element
    pa_key = soup.find("key").text
    return pa_key


key = get_key("admin", "admin")

# Create the address objects first, then the group that references them
requests.post(
    API_URL,
    params={"type": "config", "action": "set", "key": key,
            "xpath": address_xpath, "element": create_address},
    verify=False,
)
time.sleep(3)
requests.post(
    API_URL,
    params={"type": "config", "action": "set", "key": key,
            "xpath": address_group_xpath, "element": create_address_group},
    verify=False,
)
```
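The following is an added example, not code from the original post: one way to make the sample dynamic by building the `element` XML from the hostname and IP address the orchestrator passes in, rejecting values that could break out of the XML before anything is sent to the firewall. The function names, the name allow-list and the sample hosts are assumptions made for illustration.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

# Conservative allow-list for object names (assumption; align with your naming policy).
NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,62}")


def _check_name(name):
    # Reject quotes, brackets, slashes and anything else outside the allow-list.
    if not NAME_RE.fullmatch(name):
        raise ValueError("invalid object name: {!r}".format(name))
    return name


def _check_ip(value):
    # Accept "10.0.0.4" or "10.0.0.0/24"; ipaddress raises ValueError otherwise.
    if "/" in value:
        return ipaddress.ip_interface(value).with_prefixlen
    return str(ipaddress.ip_address(value))


def build_address_entries(hosts):
    """hosts maps hostname -> IP string; returns the <entry> elements as one string."""
    parts = []
    for name, ip in hosts.items():
        entry = ET.Element("entry", {"name": _check_name(name)})
        ET.SubElement(entry, "ip-netmask").text = _check_ip(ip)
        parts.append(ET.tostring(entry, encoding="unicode"))
    return "".join(parts)


def build_address_group(group, members):
    """Returns the static address-group <entry> for the given member names."""
    entry = ET.Element("entry", {"name": _check_name(group)})
    static = ET.SubElement(entry, "static")
    for member in members:
        ET.SubElement(static, "member").text = _check_name(member)
    return ET.tostring(entry, encoding="unicode")


if __name__ == "__main__":
    # Constructed sample input standing in for what the orchestrator would pass.
    hosts = {"member4": "10.0.0.4", "member5": "10.0.0.5"}
    print(build_address_entries(hosts))
    print(build_address_group("group1", list(hosts)))
```

The returned strings can be passed as the `element` value in the two `requests.post` calls of the sample.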
You need to commit in the PAN-OS UI, either on the PA firewall locally or through Panorama, depending on the destination of the REST API call. For this code sample, the destination is the firewall directly.
How it looks:
Hey,
do you know how to create service "ports" in Palo Alto with the API?
I don't know which $element I need to use.
Below my path:
&type=config&action=set&xpath=/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name=%27vsys1%27]/service/entry[@name='TCP-666']&element=???
Thanks,
best regards