Description about PAN-OS OpenConfig benefits and capabilities
Palo Alto Networks OpenConfig plugin
allows you to programmatically access the firewall based on OpenConfig
data models and protocols to automate configuration and telemetry
retrieval. To learn more about OpenConfig, visit
The OpenConfig interface uses the gRPC Network Management Interface (gNMI)
protocol for configuration management and telemetry based on the OpenConfig
data models, and the gRPC Network Operations Interface (gNOI) for operational
services defined by OpenConfig.
Using the plugin, you can manage configuration, generate streaming
telemetry, and carry out operational services on the firewall. The OpenConfig
plugin is supported on the hardware and VM-Series firewalls. The
OpenConfig data models currently support up to Layer 4 networking.
The gNMI protocol uses a client-server messaging model. The OpenConfig
plugin implements a gNMI server that listens for client requests and
supports all of the gNMI request types: Set, Get, Subscribe, and
Capabilities. The Set request carries out transaction-based edit
operations, whether as a single request or as multiple requests.
If successful, the Set request is treated as an atomic operation
that takes effect immediately as an implicit commit request. The
Get request retrieves a model’s configuration and state data. The
Subscribe request returns a model’s state data. The Capabilities request
can be used to determine the models supported by the firewall.
Familiarize yourself with each of the sections below before using
the OpenConfig plugin.
For successful Set requests, the
effects take place immediately as part of a multi-request configuration
operation that deletes and updates certain specified paths and immediately
commits the operations.
The client returns a job ID if applicable
for the specific request.
If using the gNMIC client,
specify the --format prototext flag to return the job ID.
If any part of the configuration is rejected, all of the operations
are reverted and no change takes place.
The PAN-OS OpenConfig plugin
listens for requests on the management interface’s assigned IP address
on port 9339. To send gNMI requests to the firewall, use the management
IP address, for example:
If you want to change the IP address for gNMI requests, you should
first configure the management interface for the firewall.
How to Configure the Management
Interface IP shows how you can set the management IP of a
The PAN-OS OpenConfig
plugin uses the default self-signed certificate assigned to the
management interface. The certificate must be installed on the client
to send and receive requests from the firewall.
Keys and Certificates section
of the PAN-OS Administrators guide provides more information about
the process for certificate management.
As a best practice,
configure an Admin Role Profile to
use as the profile for gNMI requests, so that requests use a custom role-based administrator.
Enable XML API access for the admin role you configure for OpenConfig.
The OpenConfig plugin
supports both direct model data tree paths and JSON format for gNMI
requests sent to the firewall. The examples in this guide primarily
use the path and the JSON equivalent. The encoding type for all
of the examples is JSON_IETF.
Capabilities Request Type
The OpenConfig plugin supports the Capabilities call to get a list of models available
for use on the firewall.
Below is an example call used with
the gNMI client to retrieve the supported models.
gnmic -a networkip:9339 -u username -p Password --skip-verify capabilities
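The Capabilities call above skips server certificate verification, while the certificate paragraph says the firewall's certificate must be installed on the client. The following is an added example, not taken from the PAN-OS guide: it audits a gnmic command line and rewrites it to verify the server. The full `gnmic -a` form of the call, the file name `fw-mgmt.pem`, and the assumption that the exported management certificate is usable as a gnmic trust anchor are all assumptions.

```python
import hashlib
import hmac
import shlex
import ssl

# The page's Capabilities call as a full gnmic command line (placeholder values).
PAGE_CMD = "gnmic -a networkip:9339 -u username -p Password --skip-verify capabilities"


def cert_pin_matches(pem_text: str, expected_sha256: str) -> bool:
    """True if the saved certificate's SHA-256 fingerprint equals the one
    read out-of-band (for example from the firewall's own certificate view)."""
    der = ssl.PEM_cert_to_DER_cert(pem_text.strip())
    want = expected_sha256.replace(":", "").strip().lower()
    return hmac.compare_digest(hashlib.sha256(der).hexdigest(), want)


def audit(cmdline: str) -> list:
    """Findings for one gnmic invocation taken from a script or runbook."""
    argv = shlex.split(cmdline)
    findings = []
    if "--skip-verify" in argv:
        findings.append("tls-unverified: server certificate is not checked")
    if any(a in ("-p", "--password") or a.startswith("--password=") for a in argv):
        findings.append("password-in-argv: visible in history and process list")
    return findings


def harden(cmdline: str, ca_file: str) -> list:
    """Rewrite the invocation to verify the server against ca_file and to take
    the password from the GNMIC_PASSWORD environment variable instead of argv."""
    out, drop_next = [], False
    for arg in shlex.split(cmdline):
        if drop_next:
            drop_next = False          # this was the value following -p/--password
        elif arg in ("-p", "--password"):
            drop_next = True
        elif arg == "--skip-verify" or arg.startswith("--password="):
            continue
        else:
            out.append(arg)
    out[1:1] = ["--tls-ca", ca_file]   # global flag, placed right after "gnmic"
    return out


if __name__ == "__main__":
    print(audit(PAGE_CMD))
    print(shlex.join(harden(PAGE_CMD, "fw-mgmt.pem")))
```

Run `cert_pin_matches` on the exported certificate before passing it to `--tls-ca`, so that the file being trusted is the one the firewall actually presents.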
Wild Card Support
The gNMI server accepts wildcard
characters in paths to specify every item in a list entry, for example:
level wildcards are not supported.
Third-Party gNMI Clients Used in Examples
The examples in the PAN-OS OpenConfig guide use the gNMIC OpenConfig
Third-party gNMI clients you can use to test the examples