Palo Alto Firewall Generate Api Key
Dec 28, 2012. I script almost entirely in powershell, so I wanted to find a way to talk to the Palo Alto firewalls from powershell. The first option was to use putty/plink to just run commands and parse the output; this doesn’t work very well due to limitations in plink. Luckily, Palo Alto Networks firewalls provide a pretty nice RESTful api.

There are two types of address groups in the Palo Alto Networks firewalls: dynamic and static. By default, the firewall creates a static address group if you do not explicitly select dynamic. Therefore, you need to add the static element at the time of address group creation.

Jul 21, 2015. Palo Alto – Bulk rule editing via API and scripting (nikmat). Perhaps all serious admins of Palo Alto firewalls have heard about the REST API that PAN provides with their firewalls.

The expiration date of the API key is the same date as that of the latest subscription in your support account. If you renew your current subscriptions and need to reset the expiration date of the API key, you can either regenerate a key (and replace the existing key with this new key wherever you've used it) or contact Palo Alto Networks support for help with extending the term of your existing API key.
About the API
APIs are very important to Palo Alto Networks. Security automation is key to the success of any organization in preventing cyber attacks. So Palo Alto Networks products have comprehensive APIs to enable automation.
In this lab we’ll focus on the PAN-OS API, which is the API for the Palo Alto Networks Next-generation Firewall and Panorama Management Center.
When connecting to the PAN-OS API:
- Access the API on the management interface using HTTPS, just as you would connect to the GUI.
- Connections to the API are treated as general web admin access. They create a session just like you were accessing the GUI.
- Authentication requires an API key which is generated through an API call.
Some examples of how you might use the PAN-OS API include, but are not limited to:
- Read, write, verify, and commit configuration
- Download reports in XML format
- Execute operational commands to check health and status
- Collect logs and pcaps
- Update dynamic address groups
- Update user-id mappings
- And much more!
The API Browser
The Next-generation Firewall and Panorama have an API Browser built in which allows you to explore the API and trigger simple API calls in the browser itself.
You can access the API Browser by adding /api to the URL after the IP address of the firewall. For example, if your firewall is at 10.0.0.1, the URL of the API Browser is https://10.0.0.1/api
Lab exercise: Try connecting to the API Browser on the firewall in your lab. Explore a little to get familiar, then continue with the lab.
API Command Types
There are several API types as shown in the main page of the API browser.
API Types
| API Type | Description |
|---|---|
| keygen | Generate an API Key (not shown in API Browser) |
| config | Retrieve or modify the configuration |
| commit | Commit the configuration |
| export | Export files, packet captures, and keys |
| import | Import files, certificates, response pages, and branding |
| op | Operational commands (like ‘show’ commands) |
| report | Retrieve predefined, dynamic, and custom reports |
| user-id | User/IP mappings and Dynamic Address Groups |
This lab focuses on the following 5 types, but the concepts needed to understand these 5 types are the same concepts for all the other types.
- keygen
- config
- commit
- op
- user-id
Continue to Introducing pan-python in Module 1 to begin the first lab.
My role as a Systems Engineer here at lockstep revolves mostly around networking and firewall design and implementation. However, in addition to that, I do a lot of automation scripting. I script almost entirely in powershell, so I wanted to find a way to talk to the Palo Alto firewalls from powershell. The first option was to use putty/plink to just run commands and parse the output; this doesn’t work very well due to limitations in plink. Luckily, Palo Alto Networks firewalls provide a pretty nice RESTful api. So I started working on a powershell module for this purpose and I’m happy to introduce poweralto!
Poweralto is written entirely in native powershell and is completely open source. Today, I’m going to go over how it works and a couple of my favorite cmdlets.
First, a little on the PA api. Every api call has a type and an action; usually there is also an xpath, and sometimes an element. Any call that isn’t generating your api token also contains a key. The following describes these components briefly:
- type: what kind of request is it; keygen, config, op, report, export, import, log, or user-id
- action: these differ based on the type; show, get, set, edit, delete, rename, clone, move, etc…
- xpath: this is an xml path to the portion of the config you want to work with
- element: this would refer to the node in the xml that you’re attempting to edit
- key: your generated api key
Access to the RESTful api is accomplished over http or https. In order to do this in powershell, I use a .net call to the System.Net.Webclient class.
$WebClient = New-Object System.Net.WebClient
$url = 'https://url_to_api_call'
$WebClient.DownloadString($url)
These are all the things you need to communicate between powershell and the PA. Now let’s do some stuff. The first thing you need to do is generate your API key. This is done by issuing the following call:
http(s)://hostname/api/?type=keygen&user=username&password=password
This will return a string that is your key to use for any other calls. Now, you could do that and manually provide that key to all your future scripts. Or, you could use poweralto! The first cmdlet you’ll want to use in any script is Get-PaConnectionString. All you need to do is provide it with the ip/hostname of your PA; it will prompt for your creds and return the beginning of a valid api call url.
C:> Get-PaConnectionString 10.10.42.73
https://10.10.42.73/api/?key=LUFRPT1SanJaQVpiNEg4TnBkNGVpTmRpZTRIamR4OUE9Q2lMTU
JGREJXOCs3SjBTbzEyVSt6UT00
In addition to returning the string, Get-PaConnectionString will also add it to a global variable ($global:PaConnectionArray) that all the other cmdlets know to look in for connections. This is an array so you can run the cmdlet multiple times against multiple systems and easily script commands across all of them at once.
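An added example (not part of poweralto or the original post): the keygen request sent over HTTPS with the credentials in the POST body rather than the query string, so they stay out of URL logs, plus validation of the XML response and masking of the key before a URL is logged. The function names, the sample response and the placeholder key are constructed for illustration.

```powershell
# Added example, not poweralto code. All function names here are hypothetical.

function ConvertFrom-PaKeygenResponse {
    # Parse the XML body returned by type=keygen and return the key,
    # throwing if the firewall reported anything other than success.
    param([Parameter(Mandatory)][string]$Body)
    $xml = [xml]$Body
    if ($xml.response.status -ne 'success') {
        throw "keygen failed: status='$($xml.response.status)'"
    }
    $key = $xml.response.result.key
    if ([string]::IsNullOrWhiteSpace($key)) {
        throw 'keygen response contained no <key> element'
    }
    return $key
}

function Get-PaApiKey {
    # HTTPS only; user and password travel in the POST body, not the URL.
    param(
        [Parameter(Mandatory)][string]$Hostname,
        [Parameter(Mandatory)][pscredential]$Credential
    )
    $form = @{
        user     = $Credential.UserName
        password = $Credential.GetNetworkCredential().Password
    }
    $resp = Invoke-WebRequest -Uri "https://$Hostname/api/?type=keygen" `
        -Method Post -Body $form -UseBasicParsing
    ConvertFrom-PaKeygenResponse -Body $resp.Content
}

function Hide-PaApiKey {
    # Mask the key= value before a URL is written to a log or transcript.
    param([Parameter(Mandatory)][string]$Url)
    $Url -replace '(?<=[?&]key=)[^&]+', '<redacted>'
}

# Constructed sample response with a placeholder key, parsed offline:
$sample = "<response status='success'><result><key>EXAMPLE-KEY-PLACEHOLDER</key></result></response>"
ConvertFrom-PaKeygenResponse -Body $sample
Hide-PaApiKey -Url 'https://192.0.2.1/api/?key=EXAMPLE-KEY-PLACEHOLDER&type=op'
```

Get-PaApiKey leaves certificate validation on, so the firewall's management certificate must be trusted by the client for the call to succeed.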
So, now you’ve got yourself a valid way to connect; you need only append the rest of an api call url string to this and you’re in business. Of course, there’s no reason to do that yourself. Next up, we have Send-PaApiQuery. As the name suggests, this function is what I use to send all my queries. The rest of the cmdlets are simply fancy ways to use this one. Don’t get me wrong, they’re cool, they do things with the data, add in error checking, progress bars, etc… But the meat of this module is right here.
Currently you can perform any and all api queries with this cmdlet except for: import, log and user-id types, or anything else that is going to send a file to the PA. This is mostly because the WebClient class hasn’t been cooperating with me on that front. But I do intend to get that working in the future. So here’s a few examples:
$Interfaces = Send-PaApiQuery -config show -xpath "/config/devices/entry/network/virtual-router/entry[@name='default']/interface"
This query will return the following xml:
or in powershell:
C:> $interfaces.response.result.interface
member
------
{ethernet1/1, ethernet1/2, ethernet1/3, ethernet1/4…}
View currently logged in admins:
C:> $admins = Send-PaApiQuery -op '<show><admins></admins></show>'
C:> $admins.response.result.admins.entry
admin : admin
from : 10.10.42.11
type : Web
session-start : 12/28 10:09:06
idle-for : 00:00:00s
admin : admin
from : 10.10.42.11
type : Web
session-start : 12/28 09:39:47
idle-for : 00:00:38s
admin : admin
from : 10.10.42.11
type : Web
session-start : 12/28 10:09:04
idle-for : 00:40:13s
Commit the current candidate config:
C:> $commit = Send-PaApiQuery -Commit
C:> $commit.response.result
msg    job
---    ---
msg    133
So there you go. I’m sure you can see how this can be used in your scripts to make some pretty cool things happen automatically. This is just a small subset of what poweralto is capable of; there are currently 16 cmdlets and I’ve been adding more every couple of weeks. Be sure to check out poweralto.com for the full skinny. I’d certainly welcome any ideas or issues you run into; just submit them to my github.