Retrieve Configuration - show and get

The panxapi.py -s option performs the type=config&action=show API request to get the active (also called running) configuration. The -g option performs the type=config&action=get API request to get the candidate configuration. xpath selects the parts of the configuration to return and is the last argument on the command line.

Example: Retrieve Administrator Accounts using get and show

$ panxapi.py -xs "/config/mgt-config/users"
show: success
<response status="success"><result><users>
  <entry name="admin">
    <phash>$1$fniyibcj$0tm9SixJw/wOkFkDnEqVw/</phash>
    <permissions>
      <role-based>
        <superuser>yes</superuser>
      </role-based>
    </permissions>
  </entry>
  <entry name="adminr">
    <permissions>
      <role-based>
        <superreader>yes</superreader>
      </role-based>
    </permissions>
    <phash>$1$rhprpgfp$JiYMvTDuUUWW4F7ND06JI1</phash>
  </entry>
</users></result></response>

$ panxapi.py -xg "/config/mgt-config/users"
get: success [code="19"]
<response code="19" status="success"><result count="1" total-count="1">
  <users>
    <entry name="admin">
      <phash>$1$fniyibcj$0tm9SixJw/wOkFkDnEqVw/</phash>
      <permissions>
        <role-based>
          <superuser>yes</superuser>
        </role-based>
      </permissions>
    </entry>
    <entry name="adminr">
      <permissions>
        <role-based>
          <superreader>yes</superreader>
        </role-based>
      </permissions>
      <phash>$1$rhprpgfp$JiYMvTDuUUWW4F7ND06JI1</phash>
    </entry>
  </users>
</result></response>

Note

See the Abbreviated Syntax section of https://www.w3.org/TR/1999/REC-xpath-19991116/ for examples of path selection.

The get response contains additional XML attributes (e.g., code and count) in the response and result nodes.

Lab 4

  1. Use panxapi.py to perform a get (-g) request to display the XML output of the rule1 security policy.
  2. Use panxapi.py to perform a show (-s) request to display the XML output of the rule1 security policy.
  3. Review the output and identify differences.

Tip

SSH to your firewall and use > debug cli on then > configure and # show rulebase security rules rule1 to determine the XPath to use in the request.

You can use shell output redirection to redirect the output to a file (e.g., > get.xml) and compare using a utility like diff.

Both get and show XML documents are in a pretty format, however the indentation and format can vary. The diff -b option can be used to ignore changes in white space.

Shell quoting for the XPath is important. Using double outer quotes and single inner quotes for the XPath is recommended; for example:

$ panxapi.py -s "/config/mgt-config/users/entry[@name='admin']"
show: success

Solution

admin@PA-VM> debug cli on
admin@PA-VM> configure
admin@PA-VM# show rulebase security rules rule1

<request cmd="get" obj="/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/rulebase/security/rules/entry[@name='rule1']"></request>

$ panxapi.py -sx "/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/rulebase/security/rules/entry[@name='rule1']" >show.xml
show: success

$ panxapi.py -gx "/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/rulebase/security/rules/entry[@name='rule1']" >get.xml
get: success [code="19"]

$ diff -bu show.xml get.xml
--- show.xml    Tue Apr 10 07:33:16 2018
+++ get.xml     Tue Apr 10 07:33:29 2018
@@ -1,4 +1,5 @@
-<response status="success"><result><entry name="rule1">
+<response code="19" status="success"><result count="1" total-count="1">
+  <entry name="rule1">
     <to>
       <member>untrust</member>
     </to>
@@ -27,4 +28,5 @@
     <member>any</member>
   </hip-profiles>
   <action>allow</action>
-</entry></result></response>
+  </entry>
+</result></response>

Lab 5

  1. The panxapi.py -r option removes the outer response and result nodes from the XML response. Repeat the get and show requests, but this time add a -r (Note that -r implies -x, so you can replace -x with -r).
  2. The panxapi.py -j option displays the XML response in JSON. Repeat the get and show requests with -j and -jr.