Modify Configuration - set and edit
The panxapi.py -S option performs the type=config&action=set API request, and the -e option performs the type=config&action=edit API request. The element argument specifies the object’s XML data, and the xpath argument specifies the object’s node in the configuration. element can be an XML string, a path to a file containing XML, or the value “-” (single minus character) to specify the XML is on stdin.
Example: Disable and Enable Security Rule Using set and edit
$ XPATH="/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/rulebase/security/rules/entry[@name='rule2']"
$ panxapi.py -S '<disabled>yes</disabled>' $XPATH
set: success [code="20"]: "command succeeded"
$ panxapi.py -gx $XPATH/disabled
get: success [code="19"]
<response code="19" status="success"><result count="1" total-count="1">
<disabled admin="admin" dirtyId="4" time="2018/04/14 08:38:45">yes</disabled>
</result></response>
$ panxapi.py -e '<disabled>no</disabled>' $XPATH/disabled
edit: success [code="20"]: "command succeeded"
$ panxapi.py -gx $XPATH/disabled
get: success [code="19"]
<response code="19" status="success"><result count="1" total-count="1">
<disabled admin="admin" dirtyId="4" time="2018/04/14 08:39:44">no</disabled>
</result></response>
Difference between set and edit
set | edit |
---|---|
merge at node specified by XPath | replace at node specified by XPath |
create, update objects during merge | create, update, delete objects during replace |
non-overlapping element at XPath and XML | overlapping element at XPath and XML |
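Added example (not part of the original lab or of pan-python): a local Python model of the set/edit difference in the table above, applied to a constructed copy of the lab's group1 static node. The function names, the no-duplicate merge rule and the ValueError on a non-overlapping element are assumptions of this model, which is simplified to a flat member list and does not contact a firewall.

```python
import copy
import xml.etree.ElementTree as ET

# Constructed sample: the lab's group1 static node and its XPath.
XPATH = ("/config/devices/entry[@name='localhost.localdomain']/vsys/"
         "entry[@name='vsys1']/address-group/entry[@name='group1']/static")
STATIC = ET.fromstring("<static><member>addr1</member><member>addr2</member>"
                       "<member>addr3</member></static>")

def last_step(xpath):
    """Tag of the final XPath step, with any [@name='...'] predicate dropped."""
    return xpath.rstrip("/").rsplit("/", 1)[-1].split("[", 1)[0]

def members(node):
    """Member names under a node, in document order."""
    return [m.text for m in node.findall("member")]

def model_set(node, element_xml):
    """set: merge the element into the XPath node as a child (non-overlapping)."""
    new = ET.fromstring(element_xml)
    merged = copy.deepcopy(node)  # leave the input tree untouched
    # Assumption of this model: a member already present is not duplicated.
    if not any(c.tag == new.tag and c.text == new.text for c in merged):
        merged.append(new)
    return merged

def model_edit(node, element_xml, xpath):
    """edit: replace the XPath node with the element (overlapping root tag)."""
    new = ET.fromstring(element_xml)
    if new.tag != last_step(xpath):
        # This model enforces the overlap requirement by rejecting the request.
        raise ValueError(f"element <{new.tag}> does not overlap XPath node "
                         f"<{last_step(xpath)}>")
    return new  # the old node's content is discarded entirely

def removed_by_edit(node, element_xml, xpath):
    """Members an edit would delete: present now, absent from the replacement."""
    after = members(model_edit(node, element_xml, xpath))
    return [m for m in members(node) if m not in after]

if __name__ == "__main__":
    print(members(model_set(STATIC, "<member>addr4</member>")))
    new_static = "<static><member>addr3</member><member>addr4</member></static>"
    print(members(model_edit(STATIC, new_static, XPATH)))
    print(removed_by_edit(STATIC, new_static, XPATH))
```

Running removed_by_edit against the output of a get before sending an edit lists the objects the replace would delete.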
Lab Firewall address Objects
The lab firewall configuration contains 5 address objects, a static address-group with 3 members, and a dynamic address-group:
$ panxapi.py -sr "/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/address"
show: success
<address>
<entry name="addr1">
<ip-netmask>10.0.0.1</ip-netmask>
</entry>
<entry name="addr2">
<ip-netmask>10.0.0.2</ip-netmask>
</entry>
<entry name="addr3">
<ip-netmask>10.0.0.3</ip-netmask>
</entry>
<entry name="addr4">
<ip-netmask>10.0.0.4</ip-netmask>
</entry>
<entry name="addr5">
<ip-netmask>10.0.0.5</ip-netmask>
</entry>
</address>
$ panxapi.py -sr "/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/address-group"
show: success
<address-group>
<entry name="group1">
<static>
<member>addr1</member>
<member>addr2</member>
<member>addr3</member>
</static>
</entry>
<entry name="group2">
<dynamic>
<filter>"tag01" or "tag02"</filter>
</dynamic>
</entry>
</address-group>
Lab 6
Use panxapi.py to add address addr4 to address-group group1.
Note
This can be performed with a set or edit API request; for this lab use set.
Verify results using get (-g).
Solution
admin@PA-VM> debug cli on
admin@PA-VM> configure
admin@PA-VM# set address-group group1 static addr4
<request cmd="set" obj="/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/address-group/entry[@name='group1']/static" cookie="5913639088473413"><member>addr4</member></request>
admin@PA-VM# delete address-group group1 static addr4
$ XPATH="/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/address-group/entry[@name='group1']/static"
$ panxapi.py -S '<member>addr4</member>' $XPATH
set: success [code="20"]: "command succeeded"
$ panxapi.py -gr $XPATH
get: success [code="19"]
<static admin="admin" dirtyId="4" time="2018/04/14 08:46:00">
<member>addr1</member>
<member>addr2</member>
<member>addr3</member>
<member admin="admin" dirtyId="4" time="2018/04/14 08:46:00">addr4</member>
</static>
Note
The configuration mode set command is used only to determine the XPath and XML for the API request; the delete that follows removes the member again before the API set request is performed.
Note
The new addr4 you created has a few extra attributes like admin, dirtyId, and time. These show up only during a get and indicate this part of the configuration is ‘dirty’, meaning it has been changed. This metadata tells you which administrator made the change, and when they made it. It can be safely ignored, and will disappear after a commit.
Lab 7
Use panxapi.py to update address-group group1 to contain only the 2 members: addr3 and addr4 (delete members addr1 and addr2).
Note
This can be performed with a delete API request; for this lab use edit.
Verify results using get (-g).
Tip
The configuration mode edit command does not perform the API edit request, and cannot be used to determine the XML and XPath for this lab (edit is used to change context to a lower level in the configuration hierarchy).
In this lab, the XPath is the same as Lab 6, and you must change the XML to have an overlapping element with the XPath, and different members.
Solution
$ XPATH="/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/address-group/entry[@name='group1']/static"
$ panxapi.py -e '<static><member>addr3</member><member>addr4</member></static>' $XPATH
edit: success [code="20"]: "command succeeded"
$ panxapi.py -gr $XPATH
get: success [code="19"]
<static admin="admin" dirtyId="4" time="2018/04/14 08:48:49">
<member admin="admin" dirtyId="4" time="2018/04/14 08:48:49">addr3</member>
<member admin="admin" dirtyId="4" time="2018/04/14 08:48:49">addr4</member>
</static>
Note the overlapping <static/> within the xpath and element arguments, which is required for the edit request.
Lab 8
Use panxapi.py to update address-group group1 to contain the 5 members: addr1-addr5.
Note
This can be performed using either set or edit.
Hint
This XML document can be used for this lab as the argument to -e. It can be retrieved using curl or wget.
Verify results using get (-g).
Solution
$ XPATH="/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/address-group/entry[@name='group1']/static"
$ cat edit-group1.xml
<static>
<member>addr1</member>
<member>addr2</member>
<member>addr3</member>
<member>addr4</member>
<member>addr5</member>
</static>
$ panxapi.py -e edit-group1.xml $XPATH
edit: success [code="20"]: "command succeeded"
$ panxapi.py -gr $XPATH
get: success [code="19"]
<static admin="admin" dirtyId="4" time="2018/04/14 08:55:19">
<member admin="admin" dirtyId="4" time="2018/04/14 08:55:19">addr1</member>
<member admin="admin" dirtyId="4" time="2018/04/14 08:55:19">addr2</member>
<member admin="admin" dirtyId="4" time="2018/04/14 08:55:19">addr3</member>
<member admin="admin" dirtyId="4" time="2018/04/14 08:55:19">addr4</member>
<member admin="admin" dirtyId="4" time="2018/04/14 08:55:19">addr5</member>
</static>