Getting Started
Getting started with OpenConfig data models.
The following topics help you get started
with the OpenConfig plugin:
- PAN-OS OpenConfig Model Support
- Install the OpenConfig Plugin
- PAN-OS OpenConfig Wildcard Support
- PAN-OS OpenConfig Bundling Support
About the PAN-OS OpenConfig Plugin
The Palo Alto Networks OpenConfig plugin allows you to programmatically
access the firewall based on OpenConfig data models and protocols to automate
configuration and telemetry retrieval. To learn more about OpenConfig, visit https://www.openconfig.net.
The OpenConfig interface uses the gRPC Network Management Interface (gNMI)
protocol for configuration management and for telemetry based on the OpenConfig
data models, and the gRPC Network Operations Interface (gNOI) for operational
services defined by OpenConfig.
Using the plugin, you can manage configuration, generate streaming telemetry, and
carry out operational services on the firewall. The OpenConfig plugin is supported
on hardware firewalls, VM-Series firewalls, and Panorama.
The gNMI protocol uses a client-server messaging model. The OpenConfig plugin
implements a gNMI server that listens for client requests and supports all of the
gNMI request types: Set, Get, Subscribe, and Capabilities. The Set request carries
out transaction-based edit operations, whether they consist of a single request or
multiple requests. If successful, the Set request is treated as an atomic operation
that takes effect immediately as an implicit commit request. The Get request
retrieves a model’s configuration and state data. The Subscribe request returns a
model’s state data. The Capabilities request can be used to determine the models
supported by the firewall.
Familiarize yourself with each of the sections below before using the OpenConfig
plugin.
The OpenConfig plugin is not supported on a firewall in FIPS-CC mode.
Commits
For successful set requests, the effects take place immediately as part of a
multi-request configuration operation that deletes and updates certain specified
paths and immediately commits the operations.
The client returns a job ID if applicable for the specific request.
If using the gNMIC client, specify the --format prototext flag to return the job
ID.
If any part of the configuration is rejected, all of the operations are reverted and
no change takes place.
IP Address
The PAN-OS OpenConfig plugin listens for requests on the management interface’s
assigned IP address on port 9339. To send gNMI requests to the firewall, use the
management IP address, for example: 10.1.1.1:9339.
If you want to change the IP address for gNMI requests, you should first configure
the management interface for the firewall. How to Configure the Management Interface
IP shows how you can set the management IP of a firewall.
Certificate Management
The PAN-OS OpenConfig plugin uses the default self-signed certificate assigned to the
management interface. The certificate must be installed on the client to send and
receive requests from the firewall.
The Keys and Certificates section of the PAN-OS Administrator’s Guide provides
more information about the process for certificate management.
Client Authentication
As a best practice, use a custom role-based administrator for gNMI requests:
configure an Admin Role Profile to use as the profile for those requests. Enable XML
API access for the admin role you configure for OpenConfig.
Request Formats
The OpenConfig plugin supports both direct model data tree paths and JSON format
for gNMI requests sent to the firewall. The examples in this guide primarily use the
path and the JSON equivalent. The encoding type for all of the examples is
JSON_IETF.
Response Formats
For Subscribe requests, the firewall supports Protocol Buffer (protobuf). The keys
are strings that line up with the requested system resources. The values identify
operational state behavior.
Capabilities Request Type
The OpenConfig plugin supports the Capabilities call to get a list of models
available for use on the firewall.
Below is an example call used with the gNMI client to retrieve the supported
models.
gnmic -a networkip:9339 -u username -p Password --skip-verify capabilities
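The call above passes --skip-verify, which disables verification of the firewall's certificate, while the Certificate Management section says the management certificate must be installed on the client. The following is an added example, not taken from the PAN-OS documentation: it checks the certificate against a SHA-256 fingerprint before saving it as the trust anchor for gnmic's --tls-ca flag. The function names, the sample bytes, and the assumption that the fingerprint was recorded out of band are all hypothetical.

```python
import hashlib
import hmac
import ssl

# Constructed sample: placeholder bytes in a PEM wrapper, not a real certificate.
SAMPLE_DER = b"constructed sample bytes, not a real certificate"
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)


def fetch_pem(host: str, port: int = 9339) -> str:
    """Fetch the certificate the gNMI listener presents, without verifying it.
    The result is untrusted until pin_matches() succeeds."""
    return ssl.get_server_certificate((host, port))


def fingerprint(pem: str) -> str:
    """SHA-256 over the DER encoding, as lowercase hex."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).hexdigest()


def pin_matches(pem: str, expected_fp: str) -> bool:
    """Compare against a fingerprint recorded out of band (assumption);
    accepts 'AA:BB:...' or plain hex."""
    wanted = expected_fp.replace(":", "").replace(" ", "").lower()
    return hmac.compare_digest(fingerprint(pem), wanted)


def gnmic_argv(address, username, password, ca_file, pem, expected_fp):
    """Save the pinned certificate and build a capabilities call that
    verifies TLS with --tls-ca instead of using --skip-verify."""
    if not pin_matches(pem, expected_fp):
        raise ValueError("certificate does not match the pinned fingerprint")
    with open(ca_file, "w", encoding="ascii") as fh:
        fh.write(pem)
    return ["gnmic", "-a", address, "-u", username, "-p", password,
            "--tls-ca", ca_file, "capabilities"]
```

In use, pass the output of fetch_pem() as pem and run the returned argument list with subprocess.run.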
Third-Party gNMI Clients Used in Examples
All examples in the PAN-OS OpenConfig guide use the gNMIC OpenConfig client.
Third-party gNMI clients you can use to test the examples include: