Palo Alto Networks PANOS has an XML API that can be used to script and automate any task.
The admin guide can be found here.
The official PANOS XML API information is here.
In addition to using cURL and PowerShell, you can (for the most part) just take the https commands and paste them straight into a web browser's address bar.
To get the API key, run
https://10.1.1.1/api/?type=keygen&user=YOUR_USERNAME_HERE&password=YOUR_PASSWORD_HERE
When using cURL, sometimes you need to replace whitespace and symbols with ASCII codes.
(Whitespace) should be replaced with %20
" should be replaced with %22
' should be replaced with %27
@ should be replaced with %40
< should be replaced with %3C
> should be replaced with %3E
[ should be replaced with %5B
] should be replaced with %5D
( should be replaced with %28
) should be replaced with %29
/ should be replaced with %2F
cURL for Windows can be found here.
With cURL, we use the following command to run XML API actions.
curl --insecure -g -X GET "URL_HERE"
The --insecure flag tells cURL to ignore untrusted (self-signed) certificates.
The -g flag allows cURL to process symbols such as [, ], <, >, /, @, " and (Whitespace).
The -X GET flag tells cURL that it is a GET request.
The -s flag makes the progress output silent.
Sometimes we need to output to a file (e.g. if exporting configuration files or certificates) and we use -o output_filename.xyz. If we want to silence all output from the command, we can use -o nul.
If we want to upload a file, we remove -X GET and add --form file=@Name_Of_File.xyz (the @ prefix makes cURL send the file's contents rather than the literal name).
You can move the key out of the URL and into a header passed to the cURL command, as in the following example:
curl -H "X-PAN-KEY:API_KEY_HERE" --insecure -g -X GET "https://..."
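The character replacements listed earlier and the X-PAN-KEY header form can be combined in one script. This is an added example, not code from the original page: it percent-encodes every byte outside the RFC 3986 unreserved set (a superset of the table above), so the resulting URL no longer needs -g. The function names, the PAN_KEY and PAN_CA variables, and the use of --cacert in place of --insecure are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page. pan_urlencode, pan_build_url,
# pan_api_get, PAN_KEY and PAN_CA are hypothetical names.

# Percent-encode every byte except the RFC 3986 unreserved set (A-Z a-z 0-9 - . _ ~).
pan_urlencode() {
    out=""
    for hex in $(printf '%s' "$1" | od -An -v -tx1); do
        case "$hex" in
            3[0-9]|4[1-9a-f]|5[0-9a]|6[1-9a-f]|7[0-9a]|2d|2e|5f|7e)
                # Unreserved byte: turn the hex value back into its character.
                out="$out$(printf "\\$(printf '%03o' "0x$hex")")" ;;
            *)
                # Everything else becomes %XX with upper-case hex digits.
                out="$out%$(printf '%s' "$hex" | tr 'a-f' 'A-F')" ;;
        esac
    done
    printf '%s' "$out"
}

# $1 = firewall FQDN, $2 = fixed query (e.g. type=op), $3 = parameter name, $4 = raw value
pan_build_url() {
    printf 'https://%s/api/?%s&%s=%s' "$1" "$2" "$3" "$(pan_urlencode "$4")"
}

# Send the request. The key travels in the X-PAN-KEY header, which curl reads from
# stdin (-H @-, curl 7.55.0 or later), so it is in neither the URL nor curl's
# argument list. --cacert verifies the management certificate against the CA file
# in PAN_CA (assumed to exist) instead of skipping verification with --insecure.
pan_api_get() {
    printf 'X-PAN-KEY: %s\n' "$PAN_KEY" |
        curl --silent --show-error --cacert "$PAN_CA" -H @- -X GET "$1"
}

# Constructed usage (not executed here):
#   export PAN_KEY=API_KEY_HERE PAN_CA=/path/to/management-ca.pem
#   pan_api_get "$(pan_build_url firewall.example.local type=op cmd \
#       '<show><system><info></info></system></show>')"
```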
When using Windows, you may find it easier to use PowerShell as that is built in and does not require you to download cURL.
Disclaimer: I am no expert in PowerShell. Any and all code here is derived from snippets I have found online.
The following line ensures the rest of the script uses TLS 1.2.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
To actually invoke an HTTPS request, run the following. I noticed that I had to use an FQDN and also make sure that the endpoint running the script trusted the management certificate in order to connect correctly.
$FIREWALL_FQDN = "firewall.example.local"
$URL = "https://$FIREWALL_FQDN/..."
$Output = Invoke-WebRequest -Uri $URL
If you remove the $Output = from the line then the HTTP response will be printed to the console window.
To output text to the screen, run
Write-Host "This prints a variable to the screen $VAR_NAME"
In some scripts, you may need the IP of the server the script is running on. This seems to work (I found it here):
$ipaddress = $(ipconfig | where {$_ -match 'IPv4.+\s(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})' } | out-null; $Matches[1])
debug cli on
here.