Query a Firewall from Panorama (API)

The target parameter on Panorama allows you to redirect queries to a managed firewall. Redirecting queries to firewalls helps to reduce time and the number of steps required to issue repetitive commands. Use the scripting language of your choice to store firewall serial numbers and use them to issue a query to several firewalls.
Currently, you can only use type=op queries when redirecting queries through Panorama.
  1. Get a list of managed firewalls.
    https://<panorama>/api/?type=op&cmd=<show><devices><all></all></devices></show>
    Code copied to clipboard
    Unable to copy due to lack of browser support.
    If you want to get a list of connected firewalls only, use
    https://<panorama>/api/?type=op&cmd=<show><devices><connected></connected></devices></show>
    Code copied to clipboard
    Unable to copy due to lack of browser support.
    The response includes the serial number (serial) of each firewall.
    <response
    status="success"> 
      <result> 
        <devices> 
           name="007200002517"> 
            <serial>007200002342</serial> 
            <connected>yes</connected> 
            <unsupported-version>no</unsupported-version> 
            <deactivated>no</deactivated> 
            <hostname>PM-6-1-VM</hostname> 
            <ip-address>10.3.4.137</ip-address> 
            <mac-addr /> 
            <uptime>81 days, 20:39:41</uptime> 
            <family>vm</family> 
            <model>PA-VM</model> 
            <sw-version>6.1.3</sw-version> 
            <app-version>555-3129</app-version> 
            <av-version>2254-2693</av-version> 
            <wildfire-version>91873-101074</wildfire-version> 
            <threat-version>555-3129</threat-version> 
            <url-db>paloaltonetworks</url-db> 
            <url-filtering-version>2016.02.02.416</url-filtering-version> 
            <logdb-version>6.1.3</logdb-version> 
            <vpnclient-package-version /> 
            <global-protect-client-package-version>0.0.0</global-protect-client-package-version> 
            <vpn-disable-mode>no</vpn-disable-mode> 
            <operational-mode>normal</operational-mode> 
            <multi-vsys>no</multi-vsys> 
            <vsys> 
               name="vsys1"> 
                <display-name>vsys1</display-name> 
                <shared-policy-status /> 
                <shared-policy-md5sum>4a0913667df83ff1098492e2e2ec1756</shared-policy-md5sum> 
              </entry> 
            </vsys> 
          </entry> 
     
    	  <!--truncated --> 
     
        </devices> 
      </result> 
    </response> 
    Code copied to clipboard
    Unable to copy due to lack of browser support.
    The response contains a <serial> XML element for each firewall.
  2. Collect firewall serial numbers.
    In your script or code, store the firewall serial numbers returned in the response to the previous request.
  3. Query a firewall from Panorama.
    A normal request to show system information on a firewall looks like this:
    https://<firewall>/api/?type=op&cmd=<show><system><info></info></system></show>
    Code copied to clipboard
    Unable to copy due to lack of browser support.
    To directly target a firewall through Panorama, append the firewall serial number to the request:
    https://<panorama>/api/?type=op&cmd=<show><system><info></info></system></show>&target=<device-serial-number>
    Code copied to clipboard
    Unable to copy due to lack of browser support.
    A successful response should look like this:
    <response
    status="success"> 
    <result> 
    <system> 
    <hostname>firewall</hostname> 
    <ip-address>10.41.0.8</ip-address> 
    <netmask>255.255.224.0</netmask> 
    <default-gateway>10.41.0.1</default-gateway> 
    <is-dhcp>no</is-dhcp> 
    <ipv6-address>unknown</ipv6-address> 
    <ipv6-link-local-address>fe80::21c:17cf:feff:c04a/64</ipv6-link-local-address> 
    <ipv6-default-gateway></ipv6-default-gateway> 
    <mac-address>00:1b:17:fc:c0:4a</mac-address> 
    <time>Tue Oct 27 13:39:09 2015</time> 
    <uptime>12 days, 0:05:26</uptime> 
    <devicename>pm-firewall</devicename> 
    <family>3000</family> 
    <model>PA-3020</model> 
    <serial>001802000104</serial> 
    <sw-version>7.1.0-c54</sw-version> 
    <global-protect-client-package-version>2.0.0</global-protect-client-package-version> 
    <app-version>537-2965</app-version> 
    <app-release-date>2015/10/26 18:10:48</app-release-date> 
    <av-version>2149-2586</av-version> 
    <av-release-date>2015/10/26 15:31:55</av-release-date> 
    <threat-version>537-2965</threat-version> 
    <threat-release-date>2015/10/26 18:10:48</threat-release-date> 
    <wf-private-version>0</wf-private-version> 
    <wf-private-release-date>unknown</wf-private-release-date> 
    <url-db>paloaltonetworks</url-db> 
    <wildfire-version>80683-89773</wildfire-version> 
    <wildfire-release-date>unknown</wildfire-release-date> 
    <url-filtering-version>2015.10.27.226</url-filtering-version> 
    <global-protect-datafile-version>1445974904</global-protect-datafile-version> 
    <global-protect-datafile-release-date>2015/10/27 19:41:44</global-protect-datafile-release-date> 
    <logdb-version>7.0.9</logdb-version> 
    <platform-family>3000</platform-family> 
    <vpn-disable-mode>off</vpn-disable-mode> 
    <multi-vsys>on</multi-vsys> 
    <operational-mode>normal</operational-mode> 
    </system> 
    </result> 
    </response>
    Code copied to clipboard
    Unable to copy due to lack of browser support.
    Repeat this request for each managed or connected firewall.

Related Documentation