====== PAN-OS API Basics ======
Palo Alto Networks PANOS has an XML API that can be used to script and automate any task.
The admin guide can be found [[https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-panorama-api#|here]].
=====PANOS API=====
The official PANOS XML API information is [[https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-panorama-api/about-the-pan-os-xml-api.html|here]].
In addition to using cURL and PowerShell, you can (for the most part) just take the //https// commands and paste them straight into a web browser's address bar.
=====Get API Key=====
To get the API key, run
https://10.1.1.1/api/?type=keygen&user=YOUR_USERNAME_HERE&password=YOUR_PASSWORD_HERE
=====Escape Characters=====
When using cURL, sometimes you need to replace whitespace and symbols in the URL with their percent-encoded (URL-encoded) equivalents.
* white space should be replaced with ''%20''
* ''"'' should be replaced with ''%22''
* '' ' '' should be replaced with ''%27''
* ''@'' should be replaced with ''%40''
* ''<'' should be replaced with ''%3C''
* ''>'' should be replaced with ''%3E''
* ''['' should be replaced with ''%5B''
* '']'' should be replaced with ''%5D''
* ''('' should be replaced with ''%28''
* '')'' should be replaced with ''%29''
* ''/'' should be replaced with ''%2F''
=====cURL=====
cURL for Windows can be found [[https://curl.haxx.se/windows/|here]].
With Curl, we use the following command to run XML API actions.
curl --insecure -g -X GET "URL_HERE"
* The ''--insecure'' flag tells Curl to ignore untrusted (self-signed) certificates.
* The ''-g'' flag allows Curl to process symbols such as ''['', '']'', ''<'', ''>'', ''/'', ''@'', ''"'' and '' '' (Whitespace).
* The ''-X GET'' flag tells Curl that it is a GET request.
* The ''-s'' flag makes the progress output silent.
Sometimes we need to output to a file (e.g. if exporting configuration files or certificates) and we use ''-o output_filename.xyz''. If we want to silence all output from the command, we can use ''-o nul''.
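If we want to upload a file, we remove ''-X GET'' and add ''--form file=@Name_Of_File.xyz''. The ''@'' tells cURL to send the contents of the file rather than the literal file name.
You can move the key out of the URL and into an HTTP request header (''X-PAN-KEY'') with cURL's ''-H'' option, as in the following example: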
curl -H "X-PAN-KEY:API_KEY_HERE" --insecure -g -X GET "https://..."
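
The escaping table above, automated as an added example (not part of the original page): a POSIX shell function that percent-encodes a parameter value, used to build a request that carries the key in the ''X-PAN-KEY'' header. The hostname, the ''type=op'' sample command and the function names are assumptions chosen for illustration, and the input is assumed to be ASCII.

```shell
#!/bin/sh
# Added example: percent-encode a value for a PAN-OS XML API query string.
# Function names, FIREWALL and CMD are illustrative, not from the page.

# urlencode STRING -> prints STRING with every byte outside the RFC 3986
# unreserved set (A-Z a-z 0-9 - . _ ~) replaced by %XX.
urlencode() (
    LC_ALL=C                    # byte-wise matching; the subshell keeps it local
    s=$1 out=
    while [ -n "$s" ]; do
        rest=${s#?}             # everything after the first character
        c=${s%"$rest"}          # the first character itself
        s=$rest
        case $c in
            [A-Za-z0-9._~-]) out=$out$c ;;
            *) out=$out$(printf '%%%02X' "'$c") ;;   # e.g. '<' -> %3C
        esac
    done
    printf '%s\n' "$out"
)

# panos_op_url HOST CMD_XML -> prints the URL for an operational command.
# Only the parameter value is encoded; '?', '&' and '=' keep their meaning.
panos_op_url() {
    printf 'https://%s/api/?type=op&cmd=%s\n' "$1" "$(urlencode "$2")"
}

FIREWALL=firewall.example.local                      # constructed hostname
CMD="<show><system><info></info></system></show>"   # sample op command
URL=$(panos_op_url "$FIREWALL" "$CMD")

# Print the command instead of running it, so the example works offline.
# The key travels in the X-PAN-KEY header, so it stays out of the URL.
# Assumes the client trusts the management certificate (no --insecure).
printf 'curl -s -g -H "X-PAN-KEY:API_KEY_HERE" -X GET "%s"\n' "$URL"
```

Encoding every reserved character, not only the ones listed in the table, is harmless because the server decodes the value before using it.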
=====PowerShell=====
When using Windows, you may find it easier to use PowerShell as that is built in and does not require you to download cURL.
Disclaimer: I am no expert in PowerShell. Any and all code here is derived from snippets I have found online.
The following line ensures the rest of the script uses TLS 1.2.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
To actually invoke an HTTPS request, run the following. I noticed that I had to use a FQDN and also make sure that the endpoint running the script trusted the management certificate in order to connect correctly.
$FIREWALL_FQDN = "firewall.example.local"
$URL = "https://$FIREWALL_FQDN/..."
$Output = Invoke-WebRequest -Uri $URL
If you remove the ''$Output = '' from the line then the HTTP response will be printed to the console window.
To output text to the screen, run
Write-Host "This prints a variable to the screen $VAR_NAME"
On some scripts, you may need the IP of the server the script is running on. This seems to work (I found it [[https://stackoverflow.com/questions/27277701/powershell-get-ipv4-address-into-a-variable|here]]):
$ipaddress = $(ipconfig | where {$_ -match 'IPv4.+\s(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})' } | out-null; $Matches[1])
===== Get XML Data =====
debug cli on
[[https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-panorama-api/get-started-with-the-pan-os-xml-api/explore-the-api/use-the-cli-to-find-xml-api-syntax|here]].