Retrieve Configuration - show and get¶
The panxapi.py -s option performs the
type=config&action=show API request to get the active (also
called running) configuration. The -g option performs
the type=config&action=get API request to get the candidate configuration.
xpath selects the parts of the configuration
to return and is the last argument on the command line.
Example: Retrieve Administrator Accounts using get and show¶
$ panxapi.py -xs "/config/mgt-config/users"
show: success
<response status="success"><result><users>
<entry name="admin">
<phash>$1$fniyibcj$0tm9SixJw/wOkFkDnEqVw/</phash>
<permissions>
<role-based>
<superuser>yes</superuser>
</role-based>
</permissions>
</entry>
<entry name="adminr">
<permissions>
<role-based>
<superreader>yes</superreader>
</role-based>
</permissions>
<phash>$1$rhprpgfp$JiYMvTDuUUWW4F7ND06JI1</phash>
</entry>
</users></result></response>
$ panxapi.py -xg "/config/mgt-config/users"
get: success [code="19"]
<response code="19" status="success"><result count="1" total-count="1">
<users>
<entry name="admin">
<phash>$1$fniyibcj$0tm9SixJw/wOkFkDnEqVw/</phash>
<permissions>
<role-based>
<superuser>yes</superuser>
</role-based>
</permissions>
</entry>
<entry name="adminr">
<permissions>
<role-based>
<superreader>yes</superreader>
</role-based>
</permissions>
<phash>$1$rhprpgfp$JiYMvTDuUUWW4F7ND06JI1</phash>
</entry>
</users>
</result></response>
Note
See the Abbreviated Syntax section of https://www.w3.org/TR/1999/REC-xpath-19991116/ for examples of path selection.
The get response contains additional XML attributes
(e.g., code and count) in the response and result nodes.
Lab 4¶
Use panxapi.py to perform a get (-g) request to display the XML output of the rule1 security policy.
Use panxapi.py to perform a show (-s) request to display the XML output of the rule1 security policy.
Review the output and identify differences.
Tip
SSH to your firewall and use > debug cli on then >
configure and # show rulebase security rules rule1 to
determine the XPath to use in the request.
You can use shell output redirection to redirect the output to a
file (e.g., > get.xml) and compare using a utility like
diff.
Both get and show XML documents are in a pretty format,
however the indentation and format can vary. The diff -b
option can be used to ignore changes in white space.
Shell quoting for the XPath is important. Using double outer quotes and single inner quotes for the XPath is recommended; for example:
$ panxapi.py -s "/config/mgt-config/users/entry[@name='admin']"
show: success
Solution
admin@PA-VM> debug cli on
admin@PA-VM> configure
admin@PA-VM# show rulebase security rules rule1
<request cmd="get" obj="/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/rulebase/security/rules/entry[@name='rule1']"></request>
$ panxapi.py -sx "/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/rulebase/security/rules/entry[@name='rule1']" >show.xml
show: success
$ panxapi.py -gx "/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/rulebase/security/rules/entry[@name='rule1']" >get.xml
get: success [code="19"]
$ diff -bu show.xml get.xml
--- show.xml Tue Apr 10 07:33:16 2018
+++ get.xml Tue Apr 10 07:33:29 2018
@@ -1,4 +1,5 @@
-<response status="success"><result><entry name="rule1">
+<response code="19" status="success"><result count="1" total-count="1">
+ <entry name="rule1">
<to>
<member>untrust</member>
</to>
@@ -27,4 +28,5 @@
<member>any</member>
</hip-profiles>
<action>allow</action>
-</entry></result></response>
+ </entry>
+</result></response>
Lab 5¶
The panxapi.py -r option removes the outer
responseandresultnodes from the XML response. Repeat the get and show requests, but this time add a -r (Note that -r implies -x, so you can replace -x with -r).The panxapi.py -j option displays the XML response in JSON. Repeat the get and show requests with -j and -jr.