To license firewalls that do not have direct internet access, Palo Alto Networks provides a licensing API. You can use this API with a custom script or an orchestration service to register auth codes, retrieve licenses attached to an auth code, renew licenses, and deactivate all licenses on a VM-Series firewall (Deactivate VM).
The API also allows you to view the details of an auth code so that you can track the number of unused licenses attached to an auth code or to an auth-code bundle, which enables you to license more than one instance of the firewall. An auth-code bundle includes the VM-Series model, subscriptions, and support in a single, easy-to-order format; you can use this bundle multiple times to license VM-Series firewalls as you deploy them.
Each support account is assigned a unique key for using the API. Each API call is a POST request, and the request must include the API key to authenticate the request to the licensing server. When authenticated, the licensing server sends the response in JSON (content-type application/json).
Manage the Licensing API Key
Get your Licensing API key.
1. Log in to the Palo Alto Networks Support portal.
2. Select Licensing API from the Go To drop-down.
3. Click Enable to view your key and copy it for use. Once you generate a key, the key is enabled until you regenerate or disable it.
Regenerate or revoke the API key.
You can generate a new API key or revoke the use of the key.
1. Click Regenerate to generate a new key. If you suspect that an API key may be compromised, you can generate a new key; doing so automatically invalidates the old key.
2. Select Disable if you no longer plan to use the key. Disabling the API key revokes it.
Use the Licensing API
The base URI for accessing the licensing API is https://api.paloaltonetworks.com/api/license. The URL changes based on the task you want to perform, for example activating licenses, deactivating licenses, or tracking license use.
An API request must use the HTTP POST method, and you must include the API key in the apikey HTTP request header and pass the request parameters as URL-encoded form data with content-type application/x-www-form-urlencoded.
The API version is optional and can be either 0 or 1. If specified, it must be included in the version HTTP request header. The current API version is 1; if you do not specify a version, or specify version 0, the request uses the current API version.
All API responses are represented in JSON.
Get your Licensing API key.
Select the task you want to perform:
- Activate Licenses
- Deactivate Licenses
- Track License Usage
Activate Licenses
URL: https://api.paloaltonetworks.com/api/license/activate
Parameters: uuid, cpuid, authCode, and serialNumber.
Use these parameters to accomplish the following:
- For first-time or initial license activation, provide the cpuid, uuid, and auth-code in the API request.
- If you did not save the license keys or had network connection trouble during initial license activation, you can retrieve the license(s) again for a firewall that you have previously activated by providing either the cpuid and uuid or the serial number of the firewall in the API request.
Header: apikey
Sample request for initial license activation using Curl:
    curl -i -H "apikey:$APIKEY" --data-urlencode cpuid=51060400FFFBAB1F --data-urlencode uuid=564D0E5F-3F22-5FAD-DA58-47352C6229FF --data-urlencode authCode=I7115398 https://api.paloaltonetworks.com/api/license/activate
Sample API response:
    [{"lfidField":"13365773","partidField":"PAN-SVC-PREM-VM-300","featureField":"Premium","feature_descField":"24 x 7 phone support; advanced replacement hardware service","keyField":"m4iZEL1t3n6Oa+6ll1L7itDZTphYw48N1AMOZXutDgExC5f5pOA52+Qg1jmAxanB\nKOyat4FJI4k2hWiBYz9cONuKoiaNOtAGhJvAuZmYgqAZejKueWrTzCuLrwxI/iEw\nkRGR3cYG+j6o84RitR937m2iOk2v9o8RSfLVilgX28nqmcO8LcAnTqbrRWdFtwVk\nluz47AUMXauuqwpMipouQYjk0ZL7fTHHslhyL7yFjCyxBoYXOt3JiqQ0OCDdBdDI\n91RkVPylEwTKgSXm3xpzbmC2ciUR5b235gyqdyW8eQXKvaThuR8YyHr1Pdw/lAjs\npyyIVFa6FufPacfB2RHApQ==\n","auth_codeField":"","errmsgField":null,"typeField":"SUP","regDateField":"2016-06-03T08:18:41","startDateField":"5/29/2016","vm_capacityField":null,"uuidField":null,"cpuidField":null,"mac_baseField":null,"mac_countField":null,"drrField":null,"expirationField":"8/29/2016 12:00:00 AM","PropertyChanged":null},{"lfidField":"13365774","partidField":"PAN-VM-300-TP","featureField":"Threat Prevention","feature_descField":"Threat Prevention","keyField":"NqaXoaFG+9qj0t9Vu7FBMizDArj+pmFaQEd6I2OqfBfAibXrvuoFKeXX/K2yXtrl\n2qJhNq3kwXBDxn181z3nrUOsQd/eW68dyp4jb1MfAwEM8mlnCyLhDRM3EE+umS4b\ndZBRH5AQjPoaON7xZ46VMFovOR+asOUJXTptS/Eu1bLAI7PBp3+nm04dYTF9O50O\ndey1jmGoiBZ9wBkesvukg3dVZ7gxppDvz14+wekYEJqPfM0NZyxsC5dnoxg9pciF\ncFelhnTYlma1lXrCqjJcFdniHRwO0RE9CIKWe0g2HGo1uo2eq1XMxL9mE5t025im\nblMnhL06smrCdtXmb4jjtg==\n","auth_codeField":"","errmsgField":null,"typeField":"SUB","regDateField":"2016-06-03T08:18:41","startDateField":"5/29/2016","vm_capacityField":null,"uuidField":null,"cpuidField":null,"mac_baseField":null,"mac_countField":null,"drrField":null,"expirationField":"8/29/2016 12:00:00 AM","PropertyChanged":null} ...<truncated>
The featureField in the response indicates the type of key that follows in the keyField. Copy each key to a text file and save it with the .key extension. Because the key is in JSON format, its line breaks appear as \n escapes rather than actual newlines; convert them to newlines if your parser needs them. Make sure to name each key appropriately and save it to the /license folder of the bootstrap package. For example, include the authcode with the type of key to name it as I3306691_1pa-vm.key (for the capacity license key), I3306691_1threat.key (for the Threat Prevention license key), I3306691_1wildfire.key (for the WildFire subscription license key).
Sample API request for retrieving previously activated licenses using Curl:
    curl -i -H "apikey:$APIKEY" --data-urlencode serialNumber=007200006142 https://api.paloaltonetworks.com/api/license/activate
Sample API response: the same license entries shown in the sample response for initial license activation above.
Deactivate Licenses
URL: https://api.paloaltonetworks.com/api/license/deactivate
Parameters: encryptedToken
To deactivate the license(s) on a firewall that does not have direct internet access, you must generate the license token file locally on the firewall and then use this token file in the API request. For details on generating the license token file, see Deactivate VM or Deactivate a Feature License or Subscription Using the CLI.
Header: apikey
Request: https://api.paloaltonetworks.com/api/license/deactivate?encryptedtoken@<token>
Sample API request for license deactivation using Curl:
    curl -i -H "apikey:$APIKEY" --data-urlencode encryptedtoken@dact_lic.05022016.100036.tok https://api.paloaltonetworks.com/api/license/deactivate
Sample API response:
    [{"serialNumField":"007200006150","featureNameField":"","issueDateField":"","successField":"Y","errorField":null,"isBundleField":null,"PropertyChanged":null},{"serialNumField":"007200006150","featureNameField":"","issueDateField":"","successField":"Y","errorField":null,"isBundleField":null,"PropertyChanged":null},{"serialNumField":"007200006150","featureNameField":"","issueDateField":"","successField":"Y","errorField":null,"isBundleField":null,"PropertyChanged":null},{"serialNumField":"007200006150","featureNameField":"","issueDateField":"","successField":"Y","errorField":null,"isBundleField":null,"PropertyChanged":null},{"serialNumField":"007200006150","featureNameField":"","issueDateField":"","successField":"Y","errorField":null,"isBundleField":null,"PropertyChanged":null},{"serialNumField":"007200006150","featureNameField":"","issueDateField":"","successField":"Y","errorField":null,"isBundleField":null,"PropertyChanged":null}]
Track License Usage
URL: https://api.paloaltonetworks.com/api/license/get
Parameters: authCode
Header: apikey
Request: https://api.paloaltonetworks.com/api/license/get?authCode=<authcode>
Sample API request for tracking license usage using Curl:
    curl -i -H "apikey:$APIKEY" --data-urlencode authcode=I9875031 https://api.paloaltonetworks.com/api/license/get
Sample API response:
    HTTP/1.1 200 OK
    Date: Thu, 05 May 2016 20:07:16 GMT
    Content-Length: 182
    {"AuthCode":"I9875031","UsedCount":4,"TotalVMCount":10,"UsedDeviceDetails":[{"UUID":"420006BD-113D-081B-F500-2E7811BE80C9","CPUID":"D7060200FFFBAB1F","SerialNumber":"007200006142"}]}.....
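The following Python example is added here and is not Palo Alto Networks code. It builds a licensing request as this page describes (POST, key in the apikey header, URL-encoded form body) and saves each keyField from an activation response as a .key file. The file-naming scheme derived from featureField, the function names, and the sample response with placeholder key material are assumptions constructed for illustration.

```python
import json
import os
import re
import urllib.parse
import urllib.request

BASE = "https://api.paloaltonetworks.com/api/license"

def build_request(task, params, api_key, version="1"):
    """POST request with the key in the apikey header, never in the URL or body."""
    if task not in ("activate", "deactivate", "get"):
        raise ValueError("unknown task: " + task)
    body = urllib.parse.urlencode(params).encode("ascii")
    headers = {"apikey": api_key, "version": version,
               "Content-Type": "application/x-www-form-urlencoded"}
    return urllib.request.Request(BASE + "/" + task, data=body, headers=headers, method="POST")

def save_keys(response_text, auth_code, license_dir):
    """Write each keyField to <auth_code>_<feature>.key; return the file names written."""
    if not re.fullmatch(r"[A-Za-z0-9]+", auth_code):
        raise ValueError("unexpected characters in auth code")  # keeps the name inside license_dir
    written = []
    for entry in json.loads(response_text):  # json.loads turns the \n escapes into real newlines
        if entry.get("errmsgField") or not entry.get("keyField"):
            continue  # skip entries that carry an error message or no key
        feature = re.sub(r"[^a-z0-9]+", "-", entry["featureField"].lower()).strip("-")
        name = f"{auth_code}_{feature}.key"  # naming scheme is an assumption, not the vendor's
        path = os.path.join(license_dir, name)
        # Owner-only permissions, and O_EXCL so an existing key file is never overwritten.
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        with os.fdopen(fd, "w", newline="\n") as fh:
            fh.write(entry["keyField"])
        written.append(name)
    return written

# Constructed sample response: field names from this page, placeholder key material.
SAMPLE = json.dumps([
    {"featureField": "Premium", "keyField": "PLACEHOLDERAAAA\nBBBB==\n", "errmsgField": None},
    {"featureField": "Threat Prevention", "keyField": "PLACEHOLDERCCCC\nDDDD==\n", "errmsgField": None},
    {"featureField": "WildFire", "keyField": "", "errmsgField": "constructed error"},
])

if __name__ == "__main__":
    import tempfile
    req = build_request("activate", {"serialNumber": "007200006142"}, os.environ.get("APIKEY", "unset"))
    print(req.get_method(), req.full_url, req.data)
    print(save_keys(SAMPLE, "I7115398", tempfile.mkdtemp()))
```

Reading the key from the environment, as the page's curl samples do with $APIKEY, keeps it out of scripts committed to version control.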
Licensing API Error Codes
The HTTP Error Codes that the licensing server returns are as follows:
200 Success
400 Error
401 Invalid API Key
500 Server Error
