Modify Configuration - set and edit

The panxapi.py -S option performs the type=config&action=set API request, and the -e option performs the type=config&action=edit API request. The element argument specifies the object’s XML data, and the xpath argument specifies the object’s node in the configuration. element can be an XML string, a path to a file containing XML, or the value “-” (single minus character) to specify the XML is on stdin.

Example: Disable and Enable Security Rule Using set and edit

$ XPATH="/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/rulebase/security/rules/entry[@name='rule2']"

$ panxapi.py -S '<disabled>yes</disabled>' $XPATH
set: success [code="20"]: "command succeeded"

$ panxapi.py -gx $XPATH/disabled
get: success [code="19"]
<response code="19" status="success"><result count="1" total-count="1">
  <disabled admin="admin" dirtyId="4" time="2018/04/14 08:38:45">yes</disabled>
</result></response>

$ panxapi.py -e '<disabled>no</disabled>' $XPATH/disabled
edit: success [code="20"]: "command succeeded"

$ panxapi.py -gx $XPATH/disabled
get: success [code="19"]
<response code="19" status="success"><result count="1" total-count="1">
  <disabled admin="admin" dirtyId="4" time="2018/04/14 08:39:44">no</disabled>
</result></response>

Difference between set and edit

set

edit

merge at node specified by XPath

replace at node specified by XPath

create, update objects during merge

create, update, delete objects during replace

non-overlapping element at XPath and XML

overlapping element at XPath and XML

Lab Firewall address Objects

The lab firewall configuration contains 5 address objects, a static address-group with 3 members, and a dynamic address-group:

$ panxapi.py -sr "/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/address"
show: success
<address>
  <entry name="addr1">
    <ip-netmask>10.0.0.1</ip-netmask>
  </entry>
  <entry name="addr2">
    <ip-netmask>10.0.0.2</ip-netmask>
  </entry>
  <entry name="addr3">
    <ip-netmask>10.0.0.3</ip-netmask>
  </entry>
  <entry name="addr4">
    <ip-netmask>10.0.0.4</ip-netmask>
  </entry>
  <entry name="addr5">
    <ip-netmask>10.0.0.5</ip-netmask>
  </entry>
</address>

$ panxapi.py -sr "/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/address-group"
show: success
<address-group>
  <entry name="group1">
    <static>
      <member>addr1</member>
      <member>addr2</member>
      <member>addr3</member>
    </static>
  </entry>
  <entry name="group2">
    <dynamic>
      <filter>"tag01" or "tag02"</filter>
    </dynamic>
  </entry>
</address-group>

Lab 6

  1. Use panxapi.py to add address addr4 to address-group group1.

    Note

    This can be performed with a set or edit API request; for this lab use set.

  2. Verify results using get (-g).

Solution

admin@PA-VM> debug cli on
admin@PA-VM> configure
admin@PA-VM# set address-group group1 static addr4

<request cmd="set" obj="/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/address-group/entry[@name='group1']/static" cookie="5913639088473413"><member>addr4</member></request>

admin@PA-VM# delete address-group group1 static addr4

$ XPATH="/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/address-group/entry[@name='group1']/static"

$ panxapi.py -S '<member>addr4</member>' $XPATH
set: success [code="20"]: "command succeeded"

$ panxapi.py -gr $XPATH
get: success [code="19"]
  <static admin="admin" dirtyId="4" time="2018/04/14 08:46:00">
    <member>addr1</member>
    <member>addr2</member>
    <member>addr3</member>
    <member admin="admin" dirtyId="4" time="2018/04/14 08:46:00">addr4</member>
  </static>

Note

After the configuration mode set command to determine the XPath and XML for the API request, delete removes the member before performing the API set request.

Note

The new addr4 you created has a few extra attributes like admin, dirtyId, and time. These show up only during a get and indicate this part of the configuration is ‘dirty’, meaning it has been changed. This metadata tells you which administrator who made the change, and when they made it. It can be safely ignored, and will disappear after a commit.

Lab 7

  1. Use panxapi.py to update address-group group1 to contain only the 2 members: addr3 and addr4 (delete members addr1 and addr2).

    Note

    This can be performed with a delete API request; for this lab use edit.

  2. Verify results using get (-g).

Tip

The configuration mode edit command does not perform the API edit request, and cannot be used to determine the XML and XPath for this lab (edit is used to change context to a lower level in the configuration hierarchy).

In this lab, the XPath is the same as Lab 6, and you must change the XML to have an overlapping element with the XPath, and different members.

Solution

$ XPATH="/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/address-group/entry[@name='group1']/static"

$ panxapi.py -e '<static><member>addr3</member><member>addr4</member></static>' $XPATH
edit: success [code="20"]: "command succeeded"

$ panxapi.py -gr $XPATH
get: success [code="19"]
  <static admin="admin" dirtyId="4" time="2018/04/14 08:48:49">
    <member admin="admin" dirtyId="4" time="2018/04/14 08:48:49">addr3</member>
    <member admin="admin" dirtyId="4" time="2018/04/14 08:48:49">addr4</member>
  </static>

Note the overlapping <static/> within the xpath and element arguments which is required for the edit request.

Lab 8

  1. Use panxapi.py to update address-group group1 to contain the 5 members: addr1-addr5.

    Note

    This can be performed using either set or edit.

    Hint

    This XML document can be used for this lab as the argument to -e. It can be retrieved using curl or wget.

  2. Verify results using get (-g).

Solution

$ XPATH="/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/address-group/entry[@name='group1']/static"

$ cat edit-group1.xml
<static>
  <member>addr1</member>
  <member>addr2</member>
  <member>addr3</member>
  <member>addr4</member>
  <member>addr5</member>
</static>

$ panxapi.py -e edit-group1.xml $XPATH
edit: success [code="20"]: "command succeeded"

$ panxapi.py -gr $XPATH
get: success [code="19"]
  <static admin="admin" dirtyId="4" time="2018/04/14 08:55:19">
    <member admin="admin" dirtyId="4" time="2018/04/14 08:55:19">addr1</member>
    <member admin="admin" dirtyId="4" time="2018/04/14 08:55:19">addr2</member>
    <member admin="admin" dirtyId="4" time="2018/04/14 08:55:19">addr3</member>
    <member admin="admin" dirtyId="4" time="2018/04/14 08:55:19">addr4</member>
    <member admin="admin" dirtyId="4" time="2018/04/14 08:55:19">addr5</member>
  </static>