NetApp® ONTAP® REST APIs are available starting with ONTAP 9.6 and are the primary external-facing API for the long term. To help CLI and ONTAP users transition to the ONTAP REST API, ONTAP provides a private REST API endpoint that can be used to access any CLI command.

Note: Use of this API call is recorded to prioritize future scoped requirements.

To execute advanced and diagnostic mode commands, or to get advanced attributes that your use cases need, you can drill down to the CLI and execute the commands. This option helps many customers and partners address the existing ONTAPI-to-REST API transition and complete their automation story.

The private endpoint mirrors each CLI command exactly as an API endpoint. The verbs the CLI uses for create, read, update, and delete (CRUD) operations map to the corresponding HTTP methods, as shown in the following table:

CLI verb    HTTP method
Show        GET
Create      POST
Modify      PATCH


Any space in a full CLI command becomes a forward slash in this private REST API endpoint with the default prefix /api/private/cli/.


Let’s look at a simple example of how a CLI command is executed.

CLI command:

AFF_RTP_Array::> system fru-check show

REST APIs endpoint:

  • /api/private/cli/system/fru-check?fields=node,fru_name,fru_status
  • show gets converted to an HTTP GET call.
  • From the CLI, look at the required field names and pass them as a comma-separated value in fields= in the API endpoint.

Note: If the field name contains a hyphen (-), convert it to an underscore in the REST API field. For example, fru-name → fru_name.

In the above figure, the CLI command system fru-check show gets converted to the API endpoint by joining its words with forward slashes and prefixing the result with /api/private/cli.

The below CLI interface screenshot shows fields that can be retrieved in an equivalent REST call.

You just need to remember the ground rule for fields: if the field name contains a hyphen (-), convert it to an underscore in the REST API field.

  • For example, fru-name → fru_name and serial-number → serial_number (CLI name → REST field).

In POST and PATCH operations, you pass the values in JSON format, as shown in the following code snippet.

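import requests

def create_ntfs_policy(cluster: str, headers_inc: dict, vserver: str, policy_name: str):
    """Module to create NTFS policy"""
    # JSON body carrying the command's parameters
    dataobj = {
        'vserver': vserver,
        'policy-name': policy_name
    }
    url = "https://{}/api/private/cli/vserver/security/file-directory/policy/".format(cluster)
    # create maps to POST. verify=False turns off TLS certificate verification;
    # outside a lab, pass the path to the cluster's CA bundle instead.
    response = requests.post(url, headers=headers_inc, json=dataobj, verify=False)
    return response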

Execution of advanced and diagnostic mode commands

CLI Passthrough allows you to execute even advanced and diagnostic mode CLI commands with just one setting in the API endpoint. You should add privilege_level=diagnostic or privilege_level=advanced in the API endpoint.

For example, to delete the service policy, you would use the CLI command, network interface service-policy delete, which is a diagnostic mode command. The URL of the REST APIs endpoint would look like the following code snippet.

import requests

def delete_service_policy(cluster: str, headers_inc: dict, vserver: str, policy_name: str):
    """Module to delete the existing service policy"""
    dataobj = {
        'vserver': vserver,
        'policy': policy_name
    }
    cli_endpoint = "network/interface/service-policy/"
    # privilege_level=diagnostic runs the command in diagnostic mode
    url = "https://{}/api/private/cli/{}?privilege_level=diagnostic".format(cluster, cli_endpoint)
    response = requests.delete(url, headers=headers_inc, json=dataobj, verify=False)
    return response

Python Client Library makes it even easier

With the Python Client Library, CLI Passthrough is even easier. You can just pass the whole CLI command as a string, and the execute call performs the required function. Here is a simple example:

from netapp_ontap.resources import CLI
response = CLI().execute("vserver services web show")

For full information about CLI Passthrough using the Python Client Library, go to this link.

What are you waiting for?

This CLI Passthrough option is available in ONTAP REST APIs for customers to confidently automate in their environment. This advanced option of executing CLI commands makes ONTAP REST APIs even more powerful and flexible.

Sample scripts for CLI Passthrough usage are posted on the GitHub site. To gain more clarity about usage, look into the following code:


The primary limitation is that private CLI passthrough doesn't handle 'systemshell', 'node run', or 'statistics' commands, or any command that asks for non-confirmation user input (like passwords). Any command that requires interactive input and has no alternative way to pass that data (like a hidden parameter) will fail.
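The mapping rules and the limitation above, as an added Python example (not NetApp's code and not one of the GitHub samples): it turns a CLI command string into the HTTP method and passthrough path, and refuses the command families listed as unsupported and any privilege level other than advanced or diagnostic. The function name cli_to_rest, the token pattern, and the delete → DELETE entry (taken from the requests.delete snippet) are assumptions of this example.

```python
import re
from urllib.parse import urlencode

# Verb-to-method mapping from the post's table; "delete" follows the
# post's requests.delete snippet.
VERB_TO_METHOD = {"show": "GET", "create": "POST",
                  "modify": "PATCH", "delete": "DELETE"}
# Command families the post lists as not handled by the passthrough.
UNSUPPORTED_PREFIXES = (("systemshell",), ("node", "run"), ("statistics",))
ALLOWED_PRIVILEGE = {"advanced", "diagnostic"}
# Assumption of this example: CLI words and field names are lowercase
# letters, digits and hyphens. Anything else ('/', '.', '?', '%') could
# change the URL and is rejected.
TOKEN_RE = re.compile(r"[a-z][a-z0-9-]*")


def cli_to_rest(command, fields=(), privilege_level=None):
    """Return (http_method, path_with_query) for a CLI command string."""
    words = command.split()
    if len(words) < 2:
        raise ValueError("expected '<command path> <verb>'")
    *path_words, verb = words
    if verb not in VERB_TO_METHOD:
        raise ValueError(f"unmapped verb: {verb!r}")
    for token in list(path_words) + list(fields):
        if not TOKEN_RE.fullmatch(token):
            raise ValueError(f"unexpected token: {token!r}")
    for prefix in UNSUPPORTED_PREFIXES:
        if tuple(path_words[:len(prefix)]) == prefix:
            raise ValueError("not handled by passthrough: " + " ".join(prefix))
    query = {}
    if fields:
        # Hyphens in CLI field names become underscores in fields=.
        query["fields"] = ",".join(f.replace("-", "_") for f in fields)
    if privilege_level is not None:
        if privilege_level not in ALLOWED_PRIVILEGE:
            raise ValueError(f"privilege level not allowed: {privilege_level!r}")
        query["privilege_level"] = privilege_level
    # Every space in the command path becomes a forward slash.
    path = "/api/private/cli/" + "/".join(path_words)
    if query:
        path += "?" + urlencode(query, safe=",")
    return VERB_TO_METHOD[verb], path
```

Because the function only builds the request line, an automation wrapper can log or review the method, path, and privilege level before anything is sent to the cluster.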


For more information and examples, look into the Using Private CLI Passthrough section under ONTAP REST APIs features. If you have questions, contact us on slack channel #api and visit our one-stop-shop site,

About Mahalakshmi G

Mahalakshmi works as a Subject Matter Expert at NetApp with over 6 years of experience in the data storage industry. She is part of the ONTAP Manageability Product Management team. She currently focuses on the Automation and Tools portfolio, such as ONTAP REST APIs, NetApp Manageability SDK and PSTK. She loves solving real-world customer issues and always looks for a way to automate complex storage management operations. Apart from work, Mahalakshmi is keen on music, an opacarophile, an avid book reader, and enjoys traveling to historical places.
