How to use a Palo Alto Networks certificate to encrypt your API Key.
| Where Can I Use This? | What Do I Need? |
| --- | --- |
| | An administrator account with API Access |
With PAN-OS and Panorama, you can encrypt the PAN-OS API Key using a device certificate when you retrieve your API key. This feature utilizes the PAN-OS device certificate management function to encrypt the API key for enhanced protection.
When using the PAN-OS API key certificate with Panorama:
- If you generate the API key from Panorama, a secure connection will persist from Panorama to the managed firewalls.
- The Expire all API Keys button will only affect the local device the API key was generated with.
Once you generate your API Key, you can use the API key in subsequent requests using the X-PAN-KEY header. For example:

curl -X POST 'https://firewall/api?&type=config&action=get&xpath=/config/devices/entry[@name=%27localhost.localdomain%27]/network/interface/ethernet' -H 'X-PAN-KEY: ************************'
1. Generate a Certificate. For the key generation Algorithm, select an RSA value at or above 3,072 bits.
   - All API Key Certificates used for API key encryption must meet a minimum threshold of 3,072 bits.
   - Each API Key Certificate must be a self-signed CA Certificate.
   - You must place the Certificate in a shared location.
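The three requirements above are easy to get wrong when a certificate is generated elsewhere and imported. The following shell snippet is an added example (not from the Palo Alto Networks page and not a PAN-OS tool) that checks a certificate against them from the text form that `openssl x509 -text` prints: RSA key of at least 3,072 bits, issuer equal to subject (self-signed), and a CA basic constraint. The function names and both sample certificate texts are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the PAN-OS documentation): verify that a certificate
# meets the API Key Certificate requirements listed on the page.
# check_api_key_cert_text / check_api_key_cert_file are hypothetical names.

# Inspect the text form of a certificate (as printed by `openssl x509 -text`).
# Prints one line per unmet requirement; returns 0 only when all are met.
check_api_key_cert_text() {
    text="$1"
    ok=0
    algo=$(printf '%s\n' "$text" | sed -n 's/^ *Public Key Algorithm: *//p' | head -n 1)
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1)
    issuer=$(printf '%s\n' "$text" | sed -n 's/^ *Issuer: *//p' | head -n 1)
    subject=$(printf '%s\n' "$text" | sed -n 's/^ *Subject: *//p' | head -n 1)

    if [ "$algo" != "rsaEncryption" ]; then
        echo "key algorithm is '${algo:-unknown}', RSA required"; ok=1
    fi
    if [ -z "$bits" ] || [ "$bits" -lt 3072 ]; then
        echo "key size is '${bits:-unknown}' bits, at least 3072 required"; ok=1
    fi
    if [ -z "$issuer" ] || [ "$issuer" != "$subject" ]; then
        echo "issuer '$issuer' differs from subject '$subject', self-signed required"; ok=1
    fi
    if ! printf '%s\n' "$text" | grep -q 'CA:TRUE'; then
        echo "basic constraints do not mark the certificate as a CA"; ok=1
    fi
    return $ok
}

# Same check on a PEM file, letting openssl produce the text form.
check_api_key_cert_file() {
    check_api_key_cert_text "$(openssl x509 -in "$1" -noout -text)"
}

# Constructed sample in the layout openssl prints: a 3072-bit self-signed CA.
GOOD_CERT_TEXT='Certificate:
    Data:
        Version: 3 (0x2)
        Issuer: CN = panos-api-key-cert
        Subject: CN = panos-api-key-cert
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (3072 bit)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE'

# Constructed sample that fails: 2048-bit key, issued by another CA, not a CA itself.
BAD_CERT_TEXT='Certificate:
    Data:
        Version: 3 (0x2)
        Issuer: CN = corporate-issuing-ca
        Subject: CN = panos-api-key-cert
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE'

# Usage on a real file: check_api_key_cert_file /path/to/api-key-cert.pem
```

Run `check_api_key_cert_file` on an exported certificate before assigning it as the API Key Certificate; each failed requirement is reported on its own line so the reason is visible rather than a bare non-zero exit.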
2. Edit the . In the API Key Certificate field, select the certificate you generated in step 1. As a best practice, Palo Alto Networks recommends you select a short API Key Lifetime.
3. Commit the changes for the API Key Certificate to begin encrypting the API key.
   It's important to note that when you start encrypting API keys with a certificate:
   - The firewall will invalidate all existing API keys.
   - If you start managing a firewall with Panorama, Panorama will invalidate any existing API key or keys, as the Panorama key will take precedence.
4. To generate an API key, make a POST request to the firewall's hostname or IP address using the administrative credentials and type=keygen. For example:

   curl -H "Content-Type: application/x-www-form-urlencoded" -X POST https://firewall/api/?type=keygen -d 'user=<user>&password=<password>'

   The newly generated API Key is encrypted using the certificate.
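The keygen request above and the X-PAN-KEY usage shown earlier are two halves of one workflow. The shell snippet below is an added example (not from the Palo Alto Networks page) that performs both: it requests a key, extracts it from the XML reply, treats an error reply as "no key issued", and then sends the same config query with the key in the X-PAN-KEY header. The hostname and credentials come from the assumed PANOS_HOST, PANOS_USER and PANOS_PASS variables; the function names are hypothetical, and the two sample responses are constructed in the shape PAN-OS returns so the parsing can be exercised without a firewall.

```shell
#!/bin/sh
# Added example (not from the PAN-OS documentation): request an API key with
# type=keygen, pull it out of the XML reply, and use it via X-PAN-KEY.
# PANOS_HOST / PANOS_USER / PANOS_PASS and the function names are assumptions.

# Extract the <key> element from a keygen response. Prints the key and returns 0;
# returns 1 when the response carries no key (for example an error response).
extract_api_key() {
    resp="$1"
    key=$(printf '%s' "$resp" | sed -n 's/.*<key>\([^<]*\)<\/key>.*/\1/p')
    [ -n "$key" ] || return 1
    printf '%s\n' "$key"
}

# Return 0 if the keygen response reports status success, 1 otherwise.
keygen_succeeded() {
    printf '%s' "$1" | grep -q "status *= *['\"]success['\"]"
}

# Fetch a fresh key from the firewall. Credentials go in the POST body via
# --data-urlencode so special characters are encoded and never land in the URL
# (which proxies and shell history tend to record).
fetch_api_key() {
    host="$1"; user="$2"; pass="$3"
    resp=$(curl -sS \
        -H 'Content-Type: application/x-www-form-urlencoded' \
        -X POST "https://${host}/api/?type=keygen" \
        --data-urlencode "user=${user}" \
        --data-urlencode "password=${pass}")
    keygen_succeeded "$resp" || { printf 'keygen failed: %s\n' "$resp" >&2; return 1; }
    extract_api_key "$resp"
}

# Use the key in a later request through the X-PAN-KEY header; this is the same
# config query the page shows, with the xpath URL-encoded by curl.
get_ethernet_config() {
    host="$1"; key="$2"
    curl -sS -G "https://${host}/api/" \
        --data-urlencode 'type=config' \
        --data-urlencode 'action=get' \
        --data-urlencode "xpath=/config/devices/entry[@name='localhost.localdomain']/network/interface/ethernet" \
        -H "X-PAN-KEY: ${key}"
}

# Constructed sample responses in the shape PAN-OS returns for keygen.
SAMPLE_OK="<response status = 'success'><result><key>EXAMPLEKEYNOTREAL==</key></result></response>"
SAMPLE_ERR="<response status = 'error' code = '403'><result><msg>Invalid Credentials.</msg></result></response>"

# Only talk to a firewall when the assumed environment variables are set.
if [ -n "${PANOS_HOST:-}" ]; then
    KEY=$(fetch_api_key "$PANOS_HOST" "$PANOS_USER" "$PANOS_PASS") \
        && get_ethernet_config "$PANOS_HOST" "$KEY"
fi
```

Because the key is encrypted with the API Key Certificate and is invalidated on the events listed below, a script should not cache it for long; re-running `fetch_api_key` when a request fails is simpler than reasoning about which invalidation condition applied.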
PAN-OS invalidates generated API keys when:
- The user who generated the API key is deleted.
- The user's password changes.
- The token lifetime elapses.
- The API Key Certificate is reconfigured.
- The API Key Certificate expires.
- PAN-OS can't decrypt the API key.