>
    Enabling API Access
    Focus
    Download PDF
    Focus
    1. Home
    2. Next-Generation Firewall
    3. API Authentication and Security
    4. Enabling API Access
    Download PDF
    Next-Generation Firewall

    Enabling API Access

    Table of Contents

    Enabling API Access

    The PAN-OS API requires that access you grant access to an administrator account. The API supports the following types of Administrators and Admin roles:
    • Dynamic roles: Superuser, Superuser (readonly), Device admin, Device admin (readonly), Vsys admin, Vsys admin (readonly)
    • Role-based Admins: Device, Vsys, Panorama.
    Admin Role profiles enable or disable features on the management interfaces of the firewall or Panorama, XML API, web interface, and CLI. For more details on Administrative Roles, see Configure an Admin Role Profile.
    By default, the firewall and Panorama support API requests over HTTPS. To make API request over HTTP, you must configure an interface management profile.
    As a best practice:
    • Set an API key lifetime to enforce key rotation; you can also revoke all API keys to protect from accidental exposure.
    • Use a POST request for any call that may contain sensitive information.
    To enforce key rotation set an API key lifetime; you can also revoke all API keys to protect from accidental exposure.
    As a best practice, set up a separate admin account for XML API access.
    1. Select an Admin Role profile.
      Go to DeviceAdmin Roles and select or create an admin role.
    2. Select features available to the admin role.
      1. Select the XML API tab.
      2. Enable or disable XML API features from the list, such as Report, Log, and Configuration.
      3. Select OK to confirm your change.
    3. Assign the admin role to an administrator account.
      See Configure an Administrative Account.

    © 2025 Palo Alto Networks, Inc. All rights reserved.