Palo Alto Networks PANOS has an XML API that can be used to script and automate any task.

The admin guide can be found here.

The official PANOS XML API information is here.

In addition to using cURL and PowerShell, you can (for the most part) just take the https: commands and paste them straight into a web browser's address bar. =====Get API Key===== To get the API key, run <code>https://10.1.1.1/api/?type=keygen&user=YOUR_USERNAME_HERE&password=YOUR_PASSWORD_HERE</code> =====Escape Characters===== When using cURL, sometimes you need to replace whitespace and symbols with ASCII codes. * white space should be replaced with %20 * “ should be replaced with %22 * ' should be replaced with %27 * @ should be replaced with %40 * < should be replaced with %3C * > should be replaced with %3E * [ should be replaced with %5B * ] should be replaced with %5D * ( should be replaced with %28 * ) should be replaced with %29 * / should be replaced with %2F =====cURL===== cURL for Windows can be found here. With Curl, we use the following command to run XML API actions. <code>curl –insecure -g -X GET “URL_HERE”</code> * The –insecure flag tells Curl to ignore untrusted (self-signed) certificates. * The -g flag allows Curl to process symbols such as [, ], <, >, /, @, ” and (Whitespace). * The -X GET flat tells Curl that it is a GET request. Sometimes we need to output to a file (e.g. if exporting configuration files or certificates) and we use -o output_filename.xyz. If we want to silence all output from the command, we can use -o nul. If we want to upload a file, we remove -X GET and add –form file=Name_Of_File.xyz You can move the key out of the URL and into a parameter to the cURL command using the following example <code>curl -H “X-PAN-KEY:API_KEY_HERE” –insecure -g -X GET “https://...”</code> =====PowerShell===== When using Windows, you may find it easier to use PowerShell as that is built in and does not require you to download cURL. Disclaimer: I am no expert in PowerShell. Any an all code here is derived from snippets I have found online. The following line ensures the rest of the script uses TLS 1.2. <code>[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12</code> To actually invoke a HTTPS request, run the following. I noticed that I had to use a FQDN and also make sure that the end point running the script trusted the management certificate in order to connect correctly. <code>$FIREWALL_FQDN = “firewall.example.local” $URL = “https:$FIREWALL_FQDN/…” $Output = Invoke-WebRequest -Uri $URL</code> If you remove the $Output = from the line then the HTTP response will be printed to the console window. To output text to the screen, run <code>Write-Host “This prints a variable to the screen $VAR_NAME”</code> On some scripts, you may need the IP of the server the script is running on. This seems to work: (I found it here. <code>$ipaddress = $(ipconfig | where {$_ -match 'IPv4.+\s(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})' } | out-null; $Matches[1])</code>