API Key Lifetime

In PAN-OS 9.0, you can use an API key with a limited lifetime, allowing you to enforce key rotation at a regular cadence to safeguard your network and adhere to compliance standards. You can also expire all API keys simultaneously if you suspect accidental exposure or a leak.
To use the API on the firewall and Panorama, you need to generate an API key that authenticates API calls to the XML API and the new REST API. Starting with PAN-OS 9.0, you can specify an API key lifetime to enforce key rotation, and you can revoke all currently valid API keys in the event that one or more keys are compromised. When you generate a new API key after upgrading to PAN-OS 9.0, each key is larger in size and each key is unique because it includes the key creation timestamp. These new capabilities help you protect your keys and meet the audit and compliance requirements for your enterprise.
  1. Select Device > Setup > Management.
  2. Edit Authentication Settings to specify the API Key Lifetime (min).
    Set the API key lifetime to protect against compromise and to reduce the effects of an accidental exposure. By default, the API key lifetime is set to 0, which means that the keys never expire. To ensure that your keys are frequently rotated and each key is unique when regenerated, you must specify a validity period from 1 to 525600 minutes. Refer to the audit and compliance policies for your enterprise to determine the lifetime for which your API keys should be valid.
  3. Commit the changes.
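To confirm the committed value across several devices, the following audit sketch classifies the lifetime found in an exported configuration. It is an added example, not Palo Alto Networks code. The XML path to the setting, the device names, and the 90-day policy limit are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Assumed path of the setting below each device entry in an exported config.
LIFETIME_PATH = "deviceconfig/setting/management/api/key/lifetime"
MAX_LIFETIME = 525600  # upper bound in minutes, from the text above


def classify(raw, policy_max):
    """Map a raw lifetime value to (status, minutes)."""
    if raw is None:
        return "never-expires", 0          # unset: the default of 0 applies
    try:
        minutes = int(raw.strip())
    except ValueError:
        return "invalid", None
    if minutes == 0:
        return "never-expires", 0
    if minutes < 0 or minutes > MAX_LIFETIME:
        return "invalid", minutes
    if minutes > policy_max:
        return "exceeds-policy", minutes
    return "ok", minutes


def audit_api_key_lifetime(config_xml, policy_max):
    """Return {device name: (status, minutes)} for every device entry."""
    root = ET.fromstring(config_xml)
    results = {}
    for entry in root.findall("./devices/entry"):
        raw = entry.findtext(LIFETIME_PATH)
        results[entry.get("name", "?")] = classify(raw, policy_max)
    return results


# Constructed sample export; device names and values are made up.
SAMPLE = """<config><devices>
  <entry name="fw-default"><deviceconfig><setting><management/></setting></deviceconfig></entry>
  <entry name="fw-yearly"><deviceconfig><setting><management><api><key>
    <lifetime>525600</lifetime></key></api></management></setting></deviceconfig></entry>
  <entry name="fw-90d"><deviceconfig><setting><management><api><key>
    <lifetime>129600</lifetime></key></api></management></setting></deviceconfig></entry>
</devices></config>"""

if __name__ == "__main__":
    # Hypothetical enterprise policy: keys valid for at most 90 days.
    for name, (status, minutes) in audit_api_key_lifetime(SAMPLE, 90 * 24 * 60).items():
        print(f"{name}: {status} ({minutes} min)")
```

A device reported as never-expires is still on the default of 0 and needs the procedure above applied.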
