Prisma Access APIs

Prisma Access APIs

Table of Contents

Prisma Access APIs

Find the APIs to use with Prisma Access.
In addition to the XML APIs that are available for configuration and management in Panorama, there are XML APIs for the Cloud Services plugin that you can use to perform tasks specific to Prisma Access. Use these APIs through a third-party service, application, or script to automate configuration and reporting tasks for Prisma Access.

Access the API Using the Browser and Web Interface

To access the API using the browser, log in to the Panorama that manages Prisma Access with administrator privileges, then enter /api at the end of the URL. The URL changes to the XML API browser interface.
The Prisma Access APIs are located in the following XML Path Language (XPath) nodes in the XML tree:
  • Configuration Commands: XML APIConfiguration Commandsdevicesentry[@name='localhost.localdomain']pluginscloud_services
  • Operational Commands: XML APIOperational Commandsrequestplugins cloud_servicesprisma-access
As you navigate in the XML tree, Prisma Access populates the tree in the XML area. You can enter required values in the XML area and click Submit to process an XML request. For example, to request the onboarding status of a job, navigate to XML APIOperational Commandsrequestpluginscloud_servicesprisma-accessjob-statusjobid, enter the Job id in the jobid field, enter the Service Type servicetype area, and click Submit to submit your request.
This XML only retrieves the onboarding status of a job. To retrieve the status of all commit operations, use the Prisma Access UI.
Prisma Access returns the output in XML format.
You can also use the web interface to find APIs in Panorama.

Use curl Commands to Retrieve API Commands

If you prefer to use CLI to retrieve API command results, you can use APIs in conjunction with the the API you use to retrieve public and infrastructure IP addresses for Prisma Access. To do so, use the following command:
Configuration Commands:
curl -k -X GET "https://<panorama-ip-address>/api/?key=<api-key>&type=config&cmd=<api-parameters></api-parameters>
Operational Commands:
curl -k -X GET "https://<panorama-ip-address>/api/?key=<api-key>&type=op&cmd=<api-parameters></api-parameters>
  • <panorama-ip-address> is the IP address of the Panorama that manages Prisma Access.
  • <api-key> is the API key for Prisma Access (PanoramaCloud ServicesConfigurationService SetupGenerate API Key).
  • <api-parameters> and </api-parameters> are the API parameters you use to retrieve the requested information from the API.
If you have a multi-tenant deployment, you add the name of the tenant for which you want to retrieve API information into the API.
For example, given a Prisma Access deployment that has the following parameters:
  • Panorama IP Address:
  • API key: 12345abcde
  • Tenant name: tenant-1
If you wanted to retrieve the number of active mobile users for that tenant, you would enter the following curl command:
curl -k -X GET "<request><plugins><cloud_services><prisma-access><multi-tenant><tenant-name><entry%20name='tenant-1'></entry></tenant-name><remote-active-users-count/></multi-tenant></prisma-access></cloud_services></plugins></request>"

Use CLI Commands with Panorama Managed Prisma Access

Prisma Access allows you to use CLI commands to retrieve Prisma Access data. To access the CLI, establish a SSH connection using the IP address of the Panorama that manages Prisma Access.
The CLI uses the same modes and has the same behavior as PAN-OS commands, with the exception of entering the tenant name for multi-tenant deployments; you enter the tenant name using the tenant-name tenant-name command. For example, given a tenant name of tenant-1, enter the following command to retrieve to retrieve the active user count in a multi-tenant deployment:
admin-Panorama> request plugins cloud_services prisma-access multi-tenant remote-active-users-count tenant-name tenant-1

Current User Count: 253
xThanks for visiting To improve your experience when accessing content across our site, please add the domain to the allow list on your ad blocker application.