Wildfire Cloud API calls for verdict changes since <Date> seems to be pulling ALL verdict changes, not just those tied to my API Key. This may be more of an issue with the API Service than the example code.

Hi,
Submit links in WildFire API will not take submit URL/String but it'll break URL on characters.

Example for: https://www.test.com/
{'wildfire': {'submit-link-info': [{'url': 'h', 'sha256': 'aaa9402664f1a41f40ebbc52c9993eb66aeb366602958fdfaa283b71e64db123', 'md5': '2510c39011c5be704182423e3a695e91'}, {'url': 't', 'sha256': 'e3b98a4da31a127d4bde6e43033f66ba274cab0eb7eb1c70ec41402bf6273dd8', 'md5': 'e358efa489f58062f10dd7316b65649e'}, {'url': 't', 'sha256': 'e3b98a4da31a127d4bde6e43033f66ba274cab0eb7eb1c70ec41402bf6273dd8', 'md5': 'e358efa489f58062f10dd7316b65649e'}, {'url': 'p', 'sha256': '148de9c5a7a44d19e56cd9ae1a554bf67847afb0c58f6e12fa29ac7ddfca9940', 'md5': '83878c91171338902e0fe0fb97a8c47a'}, {'url': 's', 'sha256': '043a718774c572bd8a25adbeb1bfcd5c0256ae11cecf9f9c3f925d0e52beaf89', 'md5': '03c7c0ace395d80182db07ae2c30f034'}, {'url': ':', 'sha256': 'e7ac0786668e0ff0f02b62bd04f45ff636fd82db63b1104601c975dc005f3a67', 'md5': '853ae90f0351324bd73ea615e6487517'}, {'url': '/', 'sha256': '8a5edab282632443219e051e4ade2d1d5bbc671c781051bf1437897cbdfea0f1', 'md5': '6666cd76f96956469e7be39d750cc7d9'}, {'url': '/', 'sha256': '8a5edab282632443219e051e4ade2d1d5bbc671c781051bf1437897cbdfea0f1', 'md5': '6666cd76f96956469e7be39d750cc7d9'}, {'url': 'w', 'sha256': '50e721e49c013f00c62cf59f2163542a9d8df02464efeb615d31051b0fddc326', 'md5': 'f1290186a5d0b1ceab27f4e77c0c5d68'}, {'url': 'w', 'sha256': '50e721e49c013f00c62cf59f2163542a9d8df02464efeb615d31051b0fddc326', 'md5': 'f1290186a5d0b1ceab27f4e77c0c5d68'}, {'url': 'w', 'sha256': '50e721e49c013f00c62cf59f2163542a9d8df02464efeb615d31051b0fddc326', 'md5': 'f1290186a5d0b1ceab27f4e77c0c5d68'}, {'url': '.', 'sha256': 'cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8', 'md5': '5058f1af8388633f609cadb75a75dc9d'}, {'url': 't', 'sha256': 'e3b98a4da31a127d4bde6e43033f66ba274cab0eb7eb1c70ec41402bf6273dd8', 'md5': 'e358efa489f58062f10dd7316b65649e'}, {'url': 'e', 'sha256': '3f79bb7b435b05321651daefd374cdc681dc06faa65e374e38337b88ca046dea', 'md5': 'e1671797c52e15f763380b45e841ec32'}, {'url': 's', 'sha256': '043a718774c572bd8a25adbeb1bfcd5c0256ae11cecf9f9c3f925d0e52beaf89', 'md5': '03c7c0ace395d80182db07ae2c30f034'}, {'url': 't', 'sha256': 'e3b98a4da31a127d4bde6e43033f66ba274cab0eb7eb1c70ec41402bf6273dd8', 'md5': 'e358efa489f58062f10dd7316b65649e'}, {'url': '.', 'sha256': 'cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8', 'md5': '5058f1af8388633f609cadb75a75dc9d'}, {'url': 'c', 'sha256': '2e7d2c03a9507ae265ecf5b5356885a53393a2029d241394997265a1a25aefc6', 'md5': '4a8a08f09d37b73795649038408b5f33'}, {'url': 'o', 'sha256': '65c74c15a686187bb6bbf9958f494fc6b80068034a659a9ad44991b08c58f2d2', 'md5': 'd95679752134a2d9eb61dbd7b91c4bcc'}, {'url': 'm', 'sha256': '62c66a7a5dd70c3146618063c344e531e6d4b59e379808443ce962b3abd63c5a', 'md5': '6f8f57715090da2632453988d9a1501b'}, {'url': '/', 'sha256': '8a5edab282632443219e051e4ade2d1d5bbc671c781051bf1437897cbdfea0f1', 'md5': '6666cd76f96956469e7be39d750cc7d9'}]}}

Tested in latest version of pan-python: fb9fcc4
Palo Alto version: 7.1.5 (VMWare ESXi)
OS: Debian 8 and Ubuntu 16.04

When trying to display the diff between running and candidate configuration, I get the following:

[/tmp/pan-python] ./bin/panxapi.py -DD -jro '<show><config><diff></diff></config></show>'
element: "<show><config><diff></diff></config></show>"
__parse_path: /home/gohu/.panrc: { 'api_key': '******', 'hostname': '172.16.0.2'}
panrcs: [{ 'api_key': '******', 'hostname': '172.16.0.2'}]
panrc: { 'api_key': '******', 'hostname': '172.16.0.2'}
using legacy urllib
query: {'cmd': '<show><config><diff></diff></config></show>', 'type': 'op', 'key': '******'}
URI: https://172.16.0.2/api/?cmd=<show><config><diff></diff></config></show>&type=op&key=******
method: POST
HTTP response headers:
Server: 
Date: Mon, 13 Feb 2017 16:45:49 GMT
Content-Type: application/xml; charset=UTF-8
Content-Length: 78
Connection: close
ETag: "24004-12b-57e5df77"
Pragma: no-cache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Access-Control-Allow-Origin: 
Expires: Thu, 19 Nov 1981 08:52:00 GMT
X-FRAME-OPTIONS: SAMEORIGIN
Set-Cookie: PHPSESSID=33e7b9ed7b247d9151446df11ce47555; path=/; secure; HttpOnly

response_attrib: {'status': 'error'}
path: ./msg/line [<Element 'line' at 0x7f31748898d0>]
op: error: "invalid client cli"
[/tmp/pan-python] 

The "invalid client cli" issue only happens with this specific operation command.
Is that expected?

@kevinsteves, I am randomly (i think) getting this error
raise PanXapiError('commit %s: %s' % (cmd, msg)) pan.xapi.PanXapiError: commit show jobs id "161421": URLError: code: 502 reason: Bad Gateway
while commiting via the XAPI.

I am making the request via
xapi.commit(cmd=commit, sync=True, interval=1.0)
And have tried with default interval also.

The error seems to happen when making many consecutive calls to panorama

panxapi.py -t TAG -jo 'show session id ID'

ends with error

op: error [code="17"]: " is unexpected"
{
"response": {
"code": "17",
"msg": {
"line": " is unexpected"
},
"status": "error"
}
}

The following template change failed,

commit-all template name MyTemplate

xapi.commit('', action="all")

Error is following:

File "pan-pass.py", line 31, in main
xapi.commit('', action="all")
File "/Library/Python/2.7/site-packages/pan/xapi.py", line 842, in commit
raise PanXapiError(self.status_detail)

Hello,

I am using the following short code just to verify connectivity to PA device:

p = pan.xapi.PanXapi(hostname='1.1.1.1', api_key= key, use_get= True, ssl_context= None)
print(p)

But it is giving me the following error:

_certificateerror: <class 'ssl.CertificateError'>
_legacy_api: False
_log: <bound method Logger.log of <Logger pan.xapi (WARNING)>>
api_key: ******
api_password: None
api_username: None
hostname: 1.1.1.1
port: None
serial: None
ssl_context: None
tag: None
timeout: None
uri: https://1.1.1.1/api/
use_get: True

Please, help.

Using pip3.4 as of writing I cannot successfully install pan. Looks like a missing file. Output:

Downloading/unpacking pan
Downloading pan-0.1.1.tar.gz
Running setup.py (path:/tmp/pip_build_root/pan/setup.py) egg_info for package pan
Traceback (most recent call last):
File "", line 17, in
File "/tmp/pip_build_root/pan/setup.py", line 1, in
import distribute_setup
ImportError: No module named 'distribute_setup'
Complete output from command python setup.py egg_info:
Traceback (most recent call last):

File "", line 17, in

File "/tmp/pip_build_root/pan/setup.py", line 1, in

import distribute_setup

ImportError: No module named 'distribute_setup'

Cleaning up...
Command python setup.py egg_info failed with error code 1 in /tmp/pip_build_root/pan
Storing debug log for failure in /root/.pip/pip.log

Hello team we are trying to on board /add the new firewall to panorama via api , can anyone provide the api references for the same ?

I have used the script as follows, using the Python interpreter:

from pan.xapi import PanXapi

The virtual router is already configured, the aim is to add a static route to it

xpath = "/config/devices/entry[@name='localhost.localdomain']/network/virtual-router/entry[@name='VR-Route']/routing-table/ip/static-route/entry[@name='8.8.8.8n32']"
element = "8.8.8.8/32ethernet1/210.0.4.1"

.panrc was configured previously so admin user credentials reside in the directory

where I aim to run this program

xapi = PanXapi(tag=None, use_get=True)
xapi.set(xpath=xpath,element=element)
print(xapi.status)
'success'

Even though I have verified the configuration being configured, it only shows the following:

print(xapi.get(xpath=xpath))
None
xapi.commit(cmd="", sync=True, interval=1, timeout=0)
xapi.status
'success'
print(xapi.show(xpath=xpath))
None

Then I delete the configuration and try to show or get and get an error (which I should get, so this part works)

xapi.delete(xpath=xpath)
print(xapi.status)
success
xapi.commit(cmd="", sync=True, interval=1, timeout=0)
print(xapi.show(xpath=xpath))
Traceback (most recent call last):
File "", line 1, in
File "/usr/lib/python3.7/site-packages/pan/xapi.py", line 721, in show
self.__type_config('show', query, extra_qs)
File "/usr/lib/python3.7/site-packages/pan/xapi.py", line 805, in __type_config
raise PanXapiError(self.status_detail)
pan.xapi.PanXapiError: No such node

There is some if that return None all the time even if the element has been configured. I have verified the configuration using panxapi.py right after commiting the changes:

1. when setting the static route:
   PS C:\Users\GBloise\Repositories\SINet Cloud Infrastructure\libraries> python panxapi.py -js $xpath
   show: success
   {
   "response": {
   "result": {
   "entry": [
   {
   "destination": "8.8.8.8/32",
   "interface": "ethernet1/2",
   "name": "8.8.8.8n32",
   "nexthop": {
   "ip-address": "10.0.4.1"
   }
   }
   ]
   },
   "status": "success"
   }
   }
2. When deleting the static route:
   PS C:\Users\GBloise\Repositories\SINet Cloud Infrastructure\libraries> python panxapi.py -js $xpath
   show: error: "No such node"
   {
   "response": {
   "msg": {
   "line": "No such node"
   },
   "status": "error"
   }

Hey @kevinsteves - thanks for this lib.

The actual CLI on devices does not produce valid output if users have newlines, quotes, etc in their descriptions, etc. So we recommend our Batfish users to use Panconf to fetch XML and then convert it to SET via panconf: https://pybatfish.readthedocs.io/en/latest/formats.html#from-panorama-preferred

We're running into an issue where XML nodes that contain complicated text (like JSON) make output files that are unparseable. Panconf is better than the device CLI, but it has similar issues. I think the culprit is this code:

It clearly will do the wrong thing on, e.g., a cell that contains only '" (single-quote double-quote) -- it will output ''"' (single/single/double/single) which is still not a valid string (three single-quotes).

Is this desired behavior for some reason? If not, would you be open to a PR that does some escaping to produce parseable output? Do you have an opinion for how that output should look?

Thanks!

Good Kevin
I am performing tests of the Api launched the query against a panorama. Both the panorama and the device have licenses and are synchronized.

When I create the policy "rule1" from Panorama, it is displayed correctly on the remote firewall device correctly.

But when I launch the query using the API, against panorama this does not return the corresponding rule:

Panxapi.py -h 10.0.0.2 -l admin: pass --serial XXXXXXXXXXXXXXX -sxr "/ config / devices / entry / vsys / entry [@ name = 'vsys1'] / rulebase / security / rules / entry [@ name = 'Rule1'] "

Show: error: "No such node"

If I do not use the option "--serial" the error is the same:

Panxapi.py -h 10.0.0.2 -l admin: pass   -sxr "/ config / devices / entry / vsys / entry [@ name = 'vsys1'] / rulebase / security / rules / entry [@ name = 'Rule1'] "
Show: error: "No such node"

The redirect works, since the reading is correct, if I create the policy on the remote device(rule3) with the same command if I can see it:

Panxapi.py -h 10.0.0.2 -l admin: pass  --serial XXXXXXXXXXXXXXX -sxr "/ config / devices / entry / vsys / entry [@ name = 'vsys1'] / rulebase / security / rules / entry [@ name = 'Rule3'] "

Show: success

With the api I can see and create policy when I launch the Api against panorama and the policy is created on the panorama?

A lot of thanks Kevin

If a LLDP neighbor has in its description (and probably other places) the symbol "<" (most likely others symbols as well), PanXapi will return the error:

pan.xapi.PanXapiError: ElementTree.fromstring ParseError: not well-formed (invalid token): line 72, column 26

Here is for example the line 72 of the returned XML:

<port-description>border2<=>fw2:eth1-14</port-description>

(python3-venv) [ac043s@sdnautosr12 ~]$ panxapi.py -h ptr120-vfw -l admin -k
Password:
keygen: "URLError: reason: Tunnel connection failed: 503 Service Unavailable"
(python3-venv) [ac043s@sdnautosr12 ~]$

(python3-venv) [ac043s@sdnautosr12 ~]$ ssh -l admin ptr120-vfw
Password:
Last login: Mon Jul 25 16:19:33 2022 from fd:192:168:53::246

Number of failed attempts since last successful login: 0

admin@ptr120-vfw>

@kevinsteves I'm trying to retrieve the nat rules for a specific ip on a device group from panaroma api but kind of confused on what call need to be used as part of the library.

Use of the panxapi.py script to update user-id ip-user mappings yields the following errors messages in the ms.log file of PAN-OS 7.1.12 and PAN-OS 8.0.5 firewalls

TIMESTAMP Getting authorization info for user USERNAME succeeded.
TIMESTAMP Error: _pan_schema_verify_node(pan_schema_obj.c:5515): unexpected here , node: value near line 1
TIMESTAMP Error: _pan_schema_verify_node(pan_schema_obj.c:5770): is unexpected , node: hide-ip near line 1
TIMESTAMP Error: _pan_schema_verify_node(pan_schema_obj.c:5770): is unexpected , node: cli near line 1
TIMESTAMP Error: _pan_schema_verify_node(pan_schema_obj.c:5770): is unexpected , node: set near line 1
TIMESTAMP client useridd reported op command was SUCCESSFUL

If the same example is submitted via https://firewall/api under API->user-id -> data, no error is observed in the ms.log and the firewall provides a response status of success.

Note - the error messages do not appear to impact implementation of ip-user-mappings.

To reproduce...
panxapi.py -h firewall --vsys $vsys -U path_of_xml.xml

Sample XML is:






update
1.0

$ pip install pan
Collecting pan
Using cached pan-0.1.1.tar.gz
Complete output from command python setup.py egg_info:
Traceback (most recent call last):
File "", line 1, in
File "/private/var/folders/47/ysvfpggx7fj4wjd3ncvstjdwhzv7dt/T/pip-build-vY9ibG/pan/setup.py", line 1, in
import distribute_setup
ImportError: No module named distribute_setup

Scripting the use of panxapi.py by users and services alike it would be great if the .panrc file could be read from a specified location.

I'm currently having to read the content of .panrc and parse it using [-K], but this will reveal the API key in the process tree and potentially logging.

Please could an option be added to supply an alternative path to this file?

Is there any reason for this library would not be compatible with latest update in SW version 8? When I try to generate a .panrc file an error shows up:

keygen: "URLError: reason: EOF occurred in violation of protocol (_ssl.c:645)"

Is there a REST equivalent to:

panxapi.py -t pan-python -h xx.xx.xx.xx -l xxxx -k

Getting Connection reset by peer error below, PAN 8.0.5, please advice

panxapi.py -h 10.0.0.85 -l admin:jenkins -k
keygen: "URLError: reason: [Errno 54] Connection reset by peer"

Hello,

An error is encountered when an dynamic objects update is done via PANORAMA to a specific TARGET, but it works when it's done directly to a PAN FW.

Error via PANORAMA :f. pan-python_dag_update-via_panorama
pan-python_dag_update-via_panorama.log

Success directly : cf. pan-python_dag_update-direct_to_pan_fw
pan-python_dag_update-direct_to_pan_fw.log

Regards,
Alexis

I got things a little mixed up between pip install pandevice and installing the newest version of pan-python. What's the best way to upgrade or simply delete the older version and install the latest?

Hi Kevin
I have problems using the rename function. On the "Cli debug all" i can do the chance with this log

#rename shared service RULE to RULE-TEST

<request cmd="rename" obj="/config/shared/service/entry[@name='RULE']" newname="RULE-TEST" cookie="4371695717039205"></request>

<response status="success" code="20"><msg>command succeeded</msg></response>

But the command build does not work for me. How i can pass this new new ? Could you illustrate me with an example?

#panxapi.py  -h 10.0.0.1 -l admin:admin -j  --rename "/config/shared/service/entry[@name='RULE-TEST']" "/config/shared/service/entry[@name='RULE']"

Extra options after xpath: ["/config/shared/service/entry[@name='RULE']"]
rename: error [code="8"]: "Can rename only one obj at a time"
{
  "response": {
    "code": "8",
    "msg": {
      "line": "Can rename only one obj at a time"
    },
    "status": "error"
  }
}

As always thanks for your work¡¡¡¡

Please add support for importing config files.

Commiting some candidate configuration to a single Palo Alto using panxapi.py reports the commit job was successful, even though the message reports it failed:

reynolds@admin-1:~/wc/pan-python-0.12.0/bin$ ./panxapi.py -t xapilab -C '' --sync
commit: success: "vsys1
Error: vsys1 decryption: forward decrypt trust cert is not configured
Error: Failed to parse decryption policy
(Module: device)
Commit failed"

I expect the commit to fail, but the panxapi.py script should report this. It doesn't seem to raise a pan.xapi.PanXapiError exception.

https://github.com/kevinsteves/pan-python/blob/master/lib/pan/config.py#L584-L609

This code specifies which xpaths are relevant for different versions of PANOS, but 10.0 and 10.1 are both not in the list. As a result, it seems to fall back to 4.1. Looks like we need to add support for these new versions to get correct behavior.

When using the log method on the pan.xapi.PanXapi

xapi = pan.xapi.PanXapi (tag = 'FIREWALL')
query = "src in 10.189.169.121 and vsys eq vsys1"
a = xapi.log (log_type = 'traffic' , nlogs = 1, filter = query)

full response xapi.xml_root() as below.
'<response status="success"><result>\n <job>\n <tenq>12:21:26</tenq>\n <tdeq>12:21:26</tdeq>\n <tlast>12:21:26</tlast>\n <status>FIN</status>\n <id>33185</id>\n </job>\n <log>\n <logs count="1" progress="100">\n <entry logid="6785292413440213847">\n <domain>1</domain>\n <receive_time>2020/01/24 12:20:39</receive_time>\n <serial>0011C103892</serial>\n <seqno>127157259159</seqno>\n <actionflags>0x0</actionflags>\n <type>TRAFFIC</type>\n <subtype>end</subtype>\n <config_ver>0</config_ver>\n <time_generated>2020/01/24 12:20:39</time_generated>\n <src>10.189.169.121</src>\n <dst>10.101.136.7</dst>\n <rule>Allow_Usr_SplkUFs</rule>\n <srcuser>au\\heyre</srcuser>\n <srcloc cc="10.0.0.0-10.255.255.255" code="10.0.0.0-10.255.255.255">10.0.0.0-10.255.255.255</srcloc>\n <dstloc cc="10.0.0.0-10.255.255.255" code="10.0.0.0-10.255.255.255">10.0.0.0-10.255.255.255</dstloc>\n <app>ssl</app>\n <vsys>vsys1</vsys>\n <from>rdc-ext</from>\n <to>rdc-appsrv</to>\n <inbound_if>ae1</inbound_if>\n <outbound_if>ae3</outbound_if>\n <time_received>2020/01/24 12:20:39</time_received>\n <sessionid>34084684</sessionid>\n <repeatcnt>1</repeatcnt>\n <sport>56822</sport>\n <dport>9998</dport>\n <natsport>0</natsport>\n <natdport>0</natdport>\n <flags>0x104053</flags>\n <flag-pcap>no</flag-pcap>\n <flag-flagged>no</flag-flagged>\n <flag-proxy>no</flag-proxy>\n <flag-url-denied>no</flag-url-denied>\n <flag-nat>no</flag-nat>\n <captive-portal>no</captive-portal>\n <non-std-dport>yes</non-std-dport>\n <transaction>no</transaction>\n <pbf-c2s>no</pbf-c2s>\n <pbf-s2c>no</pbf-s2c>\n <temporary-match>no</temporary-match>\n <sym-return>no</sym-return>\n <decrypt-mirror>no</decrypt-mirror>\n <credential-detected>no</credential-detected>\n <flag-mptcp-set>no</flag-mptcp-set>\n <flag-tunnel-inspected>no</flag-tunnel-inspected>\n <flag-recon-excluded>no</flag-recon-excluded>\n <proto>tcp</proto>\n <action>allow</action>\n <tunnel>N/A</tunnel>\n <tpadding>0</tpadding>\n <cpadding>0</cpadding>\n <dg_hier_level_1>0</dg_hier_level_1>\n <dg_hier_level_2>0</dg_hier_level_2>\n <dg_hier_level_3>0</dg_hier_level_3>\n <dg_hier_level_4>0</dg_hier_level_4>\n <vsys_name>RDC Exchange</vsys_name>\n <device_name>FIREWALL</device_name>\n <vsys_id>1</vsys_id>\n <tunnelid_imsi>0</tunnelid_imsi>\n <parent_session_id>0</parent_session_id>\n <bytes>48613</bytes>\n <bytes_sent>29335</bytes_sent>\n <bytes_received>19278</bytes_received>\n <packets>177</packets>\n <start>2020/01/24 12:19:18</start>\n <elapsed>78</elapsed>\n <category>any</category>\n <padding>0</padding>\n <pkts_sent>86</pkts_sent>\n <pkts_received>91</pkts_received>\n <session_end_reason>tcp-rst-from-client</session_end_reason>\n <action_source>from-policy</action_source>\n <tunnelid>0</tunnelid>\n <imsi />\n <monitortag />\n <imei />\n </entry>\n </logs>\n </log>\n <meta>\n <devices>\n <entry name="localhost.localdomain">\n <hostname>localhost.localdomain</hostname>\n <vsys>\n <entry name="vsys1">\n <display-name>RDC Exchange</display-name>\n </entry>\n <entry name="vsys2">\n <display-name>TAP Zone</display-name>\n </entry>\n <entry name="vsys3">\n <display-name>Perimeter</display-name>\n </entry>\n <entry name="vsys4">\n <display-name>DIGITAL_DELTA</display-name>\n </entry>\n </vsys>\n </entry>\n </devices>\n </meta>\n</result></response>'

In better format

<?xml version="1.0" encoding="UTF-8"?>
<response status="success">
   <result>
      <job>
         <tenq>12:21:26</tenq>
         <tdeq>12:21:26</tdeq>
         <tlast>12:21:26</tlast>
         <status>FIN</status>
         <id>33185</id>
      </job>
      <log>
         <logs count="1" progress="100">
            <entry logid="6785292413440213847">
               <domain>1</domain>
               <receive_time>2020/01/24 12:20:39</receive_time>
               <serial>0011C103892</serial>
               <seqno>127157259159</seqno>
               <actionflags>0x0</actionflags>
               <type>TRAFFIC</type>
               <subtype>end</subtype>
               <config_ver>0</config_ver>
               <time_generated>2020/01/24 12:20:39</time_generated>
               <src>10.189.169.121</src>
               <dst>10.101.136.7</dst>
               <rule>Allow_Usr_SplkUFs</rule>
               <srcuser>au\\heyre</srcuser>
               <srcloc cc="10.0.0.0-10.255.255.255" code="10.0.0.0-10.255.255.255">10.0.0.0-10.255.255.255</srcloc>
               <dstloc cc="10.0.0.0-10.255.255.255" code="10.0.0.0-10.255.255.255">10.0.0.0-10.255.255.255</dstloc>
               <app>ssl</app>
               <vsys>vsys1</vsys>
               <from>rdc-ext</from>
               <to>rdc-appsrv</to>
               <inbound_if>ae1</inbound_if>
               <outbound_if>ae3</outbound_if>
               <time_received>2020/01/24 12:20:39</time_received>
               <sessionid>34084684</sessionid>
               <repeatcnt>1</repeatcnt>
               <sport>56822</sport>
               <dport>9998</dport>
               <natsport>0</natsport>
               <natdport>0</natdport>
               <flags>0x104053</flags>
               <flag-pcap>no</flag-pcap>
               <flag-flagged>no</flag-flagged>
               <flag-proxy>no</flag-proxy>
               <flag-url-denied>no</flag-url-denied>
               <flag-nat>no</flag-nat>
               <captive-portal>no</captive-portal>
               <non-std-dport>yes</non-std-dport>
               <transaction>no</transaction>
               <pbf-c2s>no</pbf-c2s>
               <pbf-s2c>no</pbf-s2c>
               <temporary-match>no</temporary-match>
               <sym-return>no</sym-return>
               <decrypt-mirror>no</decrypt-mirror>
               <credential-detected>no</credential-detected>
               <flag-mptcp-set>no</flag-mptcp-set>
               <flag-tunnel-inspected>no</flag-tunnel-inspected>
               <flag-recon-excluded>no</flag-recon-excluded>
               <proto>tcp</proto>
               <action>allow</action>
               <tunnel>N/A</tunnel>
               <tpadding>0</tpadding>
               <cpadding>0</cpadding>
               <dg_hier_level_1>0</dg_hier_level_1>
               <dg_hier_level_2>0</dg_hier_level_2>
               <dg_hier_level_3>0</dg_hier_level_3>
               <dg_hier_level_4>0</dg_hier_level_4>
               <vsys_name>Zone1</vsys_name>
               <device_name>FIREWALL</device_name>
               <vsys_id>1</vsys_id>
               <tunnelid_imsi>0</tunnelid_imsi>
               <parent_session_id>0</parent_session_id>
               <bytes>48613</bytes>
               <bytes_sent>29335</bytes_sent>
               <bytes_received>19278</bytes_received>
               <packets>177</packets>
               <start>2020/01/24 12:19:18</start>
               <elapsed>78</elapsed>
               <category>any</category>
               <padding>0</padding>
               <pkts_sent>86</pkts_sent>
               <pkts_received>91</pkts_received>
               <session_end_reason>tcp-rst-from-client</session_end_reason>
               <action_source>from-policy</action_source>
               <tunnelid>0</tunnelid>
               <imsi />
               <monitortag />
               <imei />
            </entry>
         </logs>
      </log>
      <meta>
         <devices>
            <entry name="localhost.localdomain">
               <hostname>localhost.localdomain</hostname>
               <vsys>
                  <entry name="vsys1">
                     <display-name>vsys1</display-name>
                  </entry>
                  <entry name="vsys2">
                     <display-name>vsys2</display-name>
                  </entry>
                  <entry name="vsys3">
                     <display-name>vsys3</display-name>
                  </entry>
                  <entry name="vsys4">
                     <display-name>vsys4</display-name>
                  </entry>
               </vsys>
            </entry>
         </devices>
      </meta>
   </result>
</response>

However, xapi.xml_result () is not in the xml format

\n <job>\n <tenq>12:21:26</tenq>\n <tdeq>12:21:26</tdeq>\n <tlast>12:21:26</tlast>\n <status>FIN</status>\n <id>33185</id>\n </job>\n <log>\n <logs count="1" progress="100">\n <entry logid="6785292413440213847">\n <domain>1</domain>\n <receive_time>2020/01/24 12:20:39</receive_time>\n <serial>0011C103892</serial>\n <seqno>127157259159</seqno>\n <actionflags>0x0</actionflags>\n <type>TRAFFIC</type>\n <subtype>end</subtype>\n <config_ver>0</config_ver>\n <time_generated>2020/01/24 12:20:39</time_generated>\n <src>10.189.169.121</src>\n <dst>10.101.136.7</dst>\n <rule>Allow_Usr_SplkUFs</rule>\n <srcuser>au\\heyre</srcuser>\n <srcloc cc="10.0.0.0-10.255.255.255" code="10.0.0.0-10.255.255.255">10.0.0.0-10.255.255.255</srcloc>\n <dstloc cc="10.0.0.0-10.255.255.255" code="10.0.0.0-10.255.255.255">10.0.0.0-10.255.255.255</dstloc>\n <app>ssl</app>\n <vsys>vsys1</vsys>\n <from>Zone1</from>\n <to>rdc-appsrv</to>\n <inbound_if>ae1</inbound_if>\n <outbound_if>ae3</outbound_if>\n <time_received>2020/01/24 12:20:39</time_received>\n <sessionid>34084684</sessionid>\n <repeatcnt>1</repeatcnt>\n <sport>56822</sport>\n <dport>9998</dport>\n <natsport>0</natsport>\n <natdport>0</natdport>\n <flags>0x104053</flags>\n <flag-pcap>no</flag-pcap>\n <flag-flagged>no</flag-flagged>\n <flag-proxy>no</flag-proxy>\n <flag-url-denied>no</flag-url-denied>\n <flag-nat>no</flag-nat>\n <captive-portal>no</captive-portal>\n <non-std-dport>yes</non-std-dport>\n <transaction>no</transaction>\n <pbf-c2s>no</pbf-c2s>\n <pbf-s2c>no</pbf-s2c>\n <temporary-match>no</temporary-match>\n <sym-return>no</sym-return>\n <decrypt-mirror>no</decrypt-mirror>\n <credential-detected>no</credential-detected>\n <flag-mptcp-set>no</flag-mptcp-set>\n <flag-tunnel-inspected>no</flag-tunnel-inspected>\n <flag-recon-excluded>no</flag-recon-excluded>\n <proto>tcp</proto>\n <action>allow</action>\n <tunnel>N/A</tunnel>\n <tpadding>0</tpadding>\n <cpadding>0</cpadding>\n <dg_hier_level_1>0</dg_hier_level_1>\n <dg_hier_level_2>0</dg_hier_level_2>\n <dg_hier_level_3>0</dg_hier_level_3>\n <dg_hier_level_4>0</dg_hier_level_4>\n <vsys_name>Zone1</vsys_name>\n <device_name>FIREWALL</device_name>\n <vsys_id>1</vsys_id>\n <tunnelid_imsi>0</tunnelid_imsi>\n <parent_session_id>0</parent_session_id>\n <bytes>48613</bytes>\n <bytes_sent>29335</bytes_sent>\n <bytes_received>19278</bytes_received>\n <packets>177</packets>\n <start>2020/01/24 12:19:18</start>\n <elapsed>78</elapsed>\n <category>any</category>\n <padding>0</padding>\n <pkts_sent>86</pkts_sent>\n <pkts_received>91</pkts_received>\n <session_end_reason>tcp-rst-from-client</session_end_reason>\n <action_source>from-policy</action_source>\n <tunnelid>0</tunnelid>\n <imsi />\n <monitortag />\n <imei />\n </entry>\n </logs>\n </log>\n <meta>\n <devices>\n <entry name="localhost.localdomain">\n <hostname>localhost.localdomain</hostname>\n <vsys>\n <entry name="vsys1">\n <display-name>vsys1</display-name>\n </entry>\n <entry name="vsys2">\n <display-name>vsys2</display-name>\n </entry>\n <entry name="vsys3">\n <display-name>vsys3</display-name>\n </entry>\n <entry name="vsys4">\n <display-name>vsys4</display-name>\n </entry>\n </vsys>\n </entry>\n </devices>\n </meta>\n

Hi Kevin
I have a problem with how to delete a service defined in a Rule:

With the following command I am able to create the service previously defined in an existing rule:

#panxapi.py -h 10.0.0.1 -l admin:admin -j -S '<service><member>tcp_10007</member></service>' "/config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='"VIRTUAL"']/pre-rulebase/security/rules/entry[@name='rule-test']"

set: success [code="20"]: "command succeeded"
{
  "response": {
    "code": "20",
    "msg": "command succeeded",
    "status": "success"
  }
}

But when I want to erase, I get the following error:

#panxapi.py  -h 10.0.0.1 -l admin:admin -j -d '<service><member>tcp_10007</member></service>' "/config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='"VIRTUAL"']/pre-rulebase/security/rules/entry[@name='rule-test']"

Extra options after xpath: ["/config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='VIRTUAL']/pre-rulebase/security/rules/entry[@name='rule-test']"]

delete: unauth [code="16"]: "Unauthorized request"
{
  "response": {
    "code": "16",
    "msg": {
      "line": "Unauthorized request"
    },
    "status": "unauth"
  }
}

Am I using the commands correctly? , Or should use another methodology to delete the services.
Greetings and thanks

Using Python 3.7.3 and Ubuntu 18.04, everything seems to work as described in the docs.

Using Python 3.7.3 and Windows 7, not so much:

~> panxapi.py --help
pan.xapi.PanXapi: hostname argument required
~> panxapi.py -h 10.X.X.X -l apitest:p@ssw0rd -k
pan.xapi.PanXapi: hostname argument required

Am I doing something wrong?

Hi,

When testing the the following towards 9.x, it does not return any content.
xapi.op(cmd='show system resources', cmd_xml=True)

I suspect that the reason for this is that the output of the top command has changed from: 8.x
----snip----
top - 10:29:54 up 1:14, 2 users, load average: 0.56, 0.78, 1.00
Tasks: 132 total, 2 running, 130 sleeping, 0 stopped, 0 zombie
Cpu(s): 11.6%us, 6.0%sy, 0.4%ni, 81.8%id, 0.1%wa, 0.0%hi, 0.2%si, 0.0%st
Mem: 4561772k total, 4150224k used, 411548k free, 46492k buffers
Swap: 0k total, 0k used, 0k free, 2245248k cached
----snip----

to the following in 9.x
----snip----
top - 17:27:58 up 3 days, 9:24, 1 user, load average: 2.18, 2.15, 2.20
Tasks: 135 total, 3 running, 132 sleeping, 0 stopped, 0 zombie
%Cpu(s): 52.5 us, 1.2 sy, 0.7 ni, 45.6 id, 0.1 wa, 0.0 hi, 0.0 si, 0.0 st
KiB Mem : 4119652 total, 272224 free, 1901384 used, 1946044 buff/cache
KiB Swap: 1972 total, 1972 free, 0 used. 1740796 avail Mem
----snip----

/Kim

Can't for the life of me figure out how to pass a filter to a log query. Hoping to avoid picking apart the source to figure it out...

I am trying to pip the pan-python in to my server with no success. Trying to get an understand where this is suppose to be install.

i use xapi.edit, but it just override.

how can i Edit Address Group? not Override

Incredible work, many congratulations¡¡¡
I am testing with the API and I have a question at the moment of moving a rule in a certain position.

To perform this action I perform the following command:

panxapi.py -h 10.0.0.1 -l admin:PASSWORD --move "/config/devices/entry/vsys/entry/rulebase/security/rules/entry[@name='rule-test']" before "/config/devices/entry/vsys/entry/rulebase/security/rules/entry[@name='rule-test1']"

But it gives me the following error:

Invalid where: "/config/devices/entry/vsys/entry/rulebase/security/rules/entry[@name='rule-test1']"

move: error [code="7"]: "no target specified in move"

I have tried several combinations but it gives me error can you show me some examples?

Thanks and Regards

"panconf.py --config /path/to/file.xml --set > output.set " does not convert templates to a configuration that uses the set syntax.