Order Stack Management on PaloAlto

Goal

To understand how to use the Microservice order stack with the portal and how it's related to the use of the REST API.

Documentation on order stack API is available here.

Lab Setup

This use case requires a PaloAlto device, provisioned in the MSA and a Microservice to do some simple configuration.

We will use a Microservice to manage Address IP Range on PaloAlto because it's simple and doesn't require anything else to be used.

Case 1: Use the UI to Stack Orders, the REST API to View the Stack and the UI to Apply the Config

Initial state: the device doesn't have any address IP range configured.


The PaloAlto UI shows a consistent view.


Use the Microservice console to add a few addresses.


Let's also perform a modification of the stack and change the value of addr2.


Use the Microservice Order Stack Management API to view the stack.

[root@MSA ~]# curl -u ncroot:PASSWORD -XGET http://127.0.0.1/ubi-api-rest/orderstack/125
[{
    "commandId": 1,
    "commandName": "CREATE",
    "parameters": "{\"address_ip_range\":{\"addr1\":{\"_order\":\"1551192995131\",\"endaddress\":\"1.1.1.10\",\"startaddress\":\"1.1.1.1\",\"object_id\":\"addr1\"}}}"
}, {
    "commandId": 2,
    "commandName": "CREATE",
    "parameters": "{\"address_ip_range\":{\"addr2\":{\"_order\":\"1551193022811\",\"endaddress\":\"2.2.2.20\",\"startaddress\":\"2.2.2.2\",\"object_id\":\"addr2\"}}}"
}, {
    "commandId": 3,
    "commandName": "UPDATE",
    "parameters": "{\"address_ip_range\":{\"addr2\":{\"_order\":\"1551193022811\",\"endaddress\":\"2.2.2.25\",\"startaddress\":\"2.2.2.2\",\"object_id\":\"addr2\"}}}"
}]
[root@MSA ~]#


Then, apply the configuration with the "Apply Configuration" action on the portal. The MSA will build the configuration from the stack and apply it by calling the PaloAlto adapter.

Case 2: Use the UI to Stack Orders, the REST API to View the Stack and Apply the Config

With the same stack as in case 1, the API call below will trigger a configuration update.

[root@MSA ~]# curl -u ncroot:fuj-ts_sandbox -XPOST http://127.0.0.1/ubi-api-rest/orderstack/execute/125
[{
    "commandId": 1,
    "message": "type=config&action=set&xpath=%2Fconfig%2Fdevices%2Fentry%5B%40name%3D%27localhost.localdomain%27%5D%2Fvsys%2Fentry%5B%40name%3D%27vsys1%27%5D%2Faddress%2Fentry%5B%40name%3D%27addr1%27%5D&element=%3Cip-range%3E1.1.1.1-1.1.1.10%3C%2Fip-range%3E\n",
    "status": "OK"
}, {
    "commandId": 2,
    "message": "type=config&action=set&xpath=%2Fconfig%2Fdevices%2Fentry%5B%40name%3D%27localhost.localdomain%27%5D%2Fvsys%2Fentry%5B%40name%3D%27vsys1%27%5D%2Faddress%2Fentry%5B%40name%3D%27addr2%27%5D&element=%3Cip-range%3E2.2.2.2-2.2.2.2%3C%2Fip-range%3E\n",
    "status": "OK"
}, {
    "commandId": 3,
    "message": "type=config&action=edit&xpath=%2Fconfig%2Fdevices%2Fentry%5B%40name%3D%27localhost.localdomain%27%5D%2Fvsys%2Fentry%5B%40name%3D%27vsys1%27%5D%2Faddress%2Fentry%5B%40name%3D%27addr2%27%5D%2Fip-range&element=%3Cip-range%3E2.2.2.2-2.2.2.25%3C%2Fip-range%3E\n",
    "status": "OK"
}]
[root@MSA ~]#


And build the same configuration on the PaloAlto.