Next-Generation Firewall
Explore the XML API
Table of Contents
Explore the XML API
Learn about getting started with PAN-OS XML API
| Where Can I Use This? | What Do I Need? |
|---|---|
|
|
To use the PAN-OS XML API, first use your admin credentials to get an API key through the
keygen command type. You can then use the API key using the
X-PAN-KEY header attribute to authenticate your reqeusts when making calls from a client
separate from a typical user interfacing browser.
This guide exercises API requests using cURL
commands. However, you can use other API tools such as Postman and
RESTClient
to make API requests. By default, PAN-OS uses a self-signed certificate, so you will
need to use -k parameter with cURL requests. Alternatively, you can replace the
self-signed certificate with one from a known certificate authority. If you have an
internal certificate authority, generate your own certificate and install it on the
firewall.
It's a good idea to ensure you are have created an XML API account and generated an API
key before attempting to use the XML API with a client that isn't the firewall
interface. Palo Alto Networks recommends you encrypt your API key using a certificate.
You can explore the XML API directly with the web browser to test different API calls and
learn to format your XML correctly. Targeting nodes using XPATH syntax is crucial to
building fine grained commands especially when targeting objects.
There are three ways Palo Alto Networks recommends to find the commands you want to use
for the XML API.
XML API Browser
Using the UI, you can log in to the browser by navigating to the URL:
https://firewall/api. When you first open the API browser, the
available Request
Types display.
You can drill down on the request types to see
further more detailed nodes available in the API, for example, the reports node
gives you many different types of predefined reports to retrieve.
Drilling down to the
predefined reports sections you can see a report like
top-application-categories available to you.
If you click on the URL, it sends a request through your browser and retrieves
the XML API response.
Along with the URL, the API browser also provides the XPath as necessary, as
shown here for a description of a predefined application:
CLI
Use an SSH client or terminal to access your firewall or Panorama CLI.
You can use the debug mode to see the underlying XML API requests used
for the PAN-OS appliance.
Enter the following command to activate debug mode:
debug cli on
Running a CLI command, will give you the syntax for the XML API equivalent. For example
the command,
Returns the following:test url http://paloaltonetworks.com
<request cmd="op" cookie="7581536015878829" uid="1206"><operations><test><url>http://paloaltonetworks.com</url></test></operations></request>
The first part of the query corresponds to the command type. With the response, you can
formulate the corresponding XML call, like
so:
https://<firewall>/api/?type=op&cmd=<test><url>http://paloaltonetworks.com</url></test>&key=<apikey>
Depending on the CLI command, the XML tag values forcmd will
vary. For example, here is a CLI command for showing firewall
information:run show system info
The corresponding API call looks like this:
curl -X POST 'https://firewall/api?type=op&cmd=<show><system><info></info></system></show>&key=<apikey>"
