PAN-OS API Basics
Palo Alto Networks PANOS has an XML API that can be used to script and automate any task.
The admin guide can be found here.
PANOS API
The official PANOS XML API information is here.
In addition to using cURL and PowerShell, you can (for the most part) just take the https commands and paste them straight into a web browser's address bar.
Get API Key
To get the API key, run
https://10.1.1.1/api/?type=keygen&user=YOUR_USERNAME_HERE&password=YOUR_PASSWORD_HERE
Escape Characters
When using cURL, sometimes you need to replace whitespace and symbols with their percent-encoded ASCII codes.
- white space should be replaced with %20
- " should be replaced with %22
- ' should be replaced with %27
- @ should be replaced with %40
- < should be replaced with %3C
- > should be replaced with %3E
- [ should be replaced with %5B
- ] should be replaced with %5D
- ( should be replaced with %28
- ) should be replaced with %29
- / should be replaced with %2F
cURL
cURL for Windows can be found here.
With Curl, we use the following command to run XML API actions.
curl --insecure -g -X GET "URL_HERE"
- The --insecure flag tells Curl to ignore untrusted (self-signed) certificates.
- The -g flag allows Curl to process symbols such as [, ], <, >, /, @, " and whitespace.
- The -X GET flag tells Curl that it is a GET request.
Sometimes we need to output to a file (e.g. if exporting configuration files or certificates) and we use -o output_filename.xyz. If we want to silence all output from the command, we can use -o nul.
If we want to upload a file, we remove -X GET and add --form file=@Name_Of_File.xyz (the @ tells cURL to send the contents of the file rather than the literal name).
You can move the key out of the URL and into a header passed to the cURL command, as in the following example:
curl -H "X-PAN-KEY:API_KEY_HERE" --insecure -g -X GET "https://..."
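The key request, the escape table and the header form above can be combined so that credentials never appear in a URL. This is an added example, not part of the original page: the function names are hypothetical, and it assumes a PAN-OS release that accepts the keygen parameters in a POST body and a management certificate that cURL trusts.

```shell
#!/bin/sh
# Added example (POSIX sh + curl); function names are hypothetical.

# Percent-encode every character except the RFC 3986 unreserved set
# (ASCII input assumed), so symbols such as @ / [ ] ( ) are safe to send.
urlencode() {
    _in=$1 _out=
    while [ -n "$_in" ]; do
        _rest=${_in#?}              # everything after the first character
        _c=${_in%"$_rest"}          # the first character itself
        case $_c in
            [a-zA-Z0-9.~_-]) _out=$_out$_c ;;
            *) _out=$_out$(printf '%%%02X' "'$_c") ;;
        esac
        _in=$_rest
    done
    printf '%s' "$_out"
}

# Build the form body for type=keygen from a username and a password.
keygen_body() {
    printf 'user=%s&password=%s' "$(urlencode "$1")" "$(urlencode "$2")"
}

# Read a keygen XML response on stdin and print the text of <key>.
# Prints nothing when the response carries no key (e.g. an error reply).
extract_key() {
    sed -n 's:.*<key>\([^<]*\)</key>.*:\1:p'
}

# get_api_key HOST USER: prompt for the password without echo and POST the
# credentials in the request body. curl reads the body from stdin, so the
# password is not in the URL, the shell history or the process list.
# Certificate verification stays on (no --insecure).
get_api_key() {
    printf 'Password for %s: ' "$2" >&2
    stty -echo; IFS= read -r _pw; stty echo; printf '\n' >&2
    keygen_body "$2" "$_pw" |
        curl --silent --show-error --data @- "https://$1/api/?type=keygen" |
        extract_key
    unset _pw
}

# Later calls send the key in the header rather than the query string:
#   curl -H "X-PAN-KEY:$KEY" -g -X GET "https://..."
```

Source the file and run `KEY=$(get_api_key firewall.example.local YOUR_USERNAME_HERE)`; an empty result means the firewall returned no `<key>` element.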
PowerShell
When using Windows, you may find it easier to use PowerShell as that is built in and does not require you to download cURL.
Disclaimer: I am no expert in PowerShell. Any and all code here is derived from snippets I have found online.
The following line ensures the rest of the script uses TLS 1.2.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
To actually invoke an HTTPS request, run the following. I noticed that I had to use a FQDN and also make sure that the endpoint running the script trusted the management certificate in order to connect correctly.
$FIREWALL_FQDN = "firewall.example.local"
$URL = "https://$FIREWALL_FQDN/..."
$Output = Invoke-WebRequest -Uri $URL
If you remove the $Output = from the line then the HTTP response will be printed to the console window.
To output text to the screen, run
Write-Host "This prints a variable to the screen $VAR_NAME"
On some scripts, you may need the IP of the server the script is running on. This seems to work (I found it here):
$ipaddress = $(ipconfig | where {$_ -match 'IPv4.+\s(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})' } | out-null; $Matches[1])
