Automatically Check for and Install Content Updates (API)
Table of Contents
Expand all | Collapse all
-
- Upgrade a Firewall to the Latest PAN-OS Version (API)
- Show and Manage GlobalProtect Users (API)
- Query a Firewall from Panorama (API)
- Upgrade PAN-OS on Multiple HA Firewalls through Panorama (API)
- Automatically Check for and Install Content Updates (API)
- Enforce Policy using External Dynamic Lists and AutoFocus Artifacts (API)
- Configure SAML 2.0 Authentication (API)
- Quarantine Compromised Devices (API)
- Manage Certificates (API)
-
- Asynchronous and Synchronous Requests to the PAN-OS XML API
- Run Operational Mode Commands (API)
- Apply User-ID Mapping and Populate Dynamic Groups (API)
- Get Version Info (API)
-
- PAN-OS REST API
- Access the PAN-OS REST API
- Resource Methods and Query Parameters (REST API)
- PAN-OS REST API Request and Response Structure
- PAN-OS REST API Error Codes
- Work With Objects (REST API)
- Create a Security Policy Rule (REST API)
- Work with Policy Rules on Panorama (REST API)
- Create a Tag (REST API)
- Configure a Security Zone (REST API)
- Configure an SD-WAN Interface (REST API)
- Create an SD-WAN Policy Pre Rule (REST API)
- Configure an Ethernet Interface (REST API)
- Update a Virtual Router (REST API)
- Work With Decryption (APIs)
Automatically Check for and Install Content Updates (API)
Using the XML API, you can programmatically
check and install new content updates, including antivirus, WildFire,
and GlobalProtect updates. Check for new updates available and download
updates that have been released for at least one week.
Download,
upgrade, and installation requests are asynchronous. The API responds
with a job ID while it processes your request. In your subsequent
request, you use this job ID to check on the result of your original
request:
curl -X POST 'https://firewall/api?type=op&cmd=<show><jobs><id></id></jobs></show>&key=<apikey>"
- Check for installed content on your firewall.
Run the following request to view current system information:curl -X POST 'https://firewall/api?type=op&cmd=<show><system><info></info></system></show>&key=<apikey>"
- Confirm that the API response to the request in the previous step includes the currently installed updates on your firewall:
<response status="success"> <result> <system> <hostname>pm-firewall</hostname> <ip-address>10.47.0.8</ip-address> <netmask>255.255.254.0</netmask> <default-gateway>10.47.0.1</default-gateway> <is-dhcp>no</is-dhcp> <ipv6-address>unknown</ipv6-address> <ipv6-link-local-address>fe80::21b:17ff:feff:c04a/64</ipv6-link-local-address> <ipv6-default-gateway/> <mac-address>00:1b:17:ff:c0:4a</mac-address> <time>Mon Jul 11 17:51:37 2016</time> <uptime>11 days, 7:38:34</uptime> <devicename>pm-firewall</devicename> <family>3000</family> <model>PA-3020</model> <serial>0018010.1104</serial> <sw-version>7.1.3</sw-version> <global-protect-client-package-version>2.0.0</global-protect-client-package-version> <app-version>598-3427</app-version> <app-release-date>2016/07/09 22:30:55</app-release-date> <av-version>2416-2855</av-version> <av-release-date>2016/07/10 11:27:57</av-release-date> <threat-version>598-3427</threat-version> <threat-release-date>2016/07/09 22:30:55</threat-release-date> <wf-private-version>0</wf-private-version> <wf-private-release-date>unknown</wf-private-release-date> <url-db>paloaltonetworks</url-db> <wildfire-version>80426-81466</wildfire-version> <wildfire-release-date>2016/07/11 17:45:11</wildfire-release-date> <url-filtering-version>2016.07.11.248</url-filtering-version> <global-protect-datafile-version>1468280405</global-protect-datafile-version> <global-protect-datafile-release-date>2016/07/11 23:40:05</global-protect-datafile-release-date> <logdb-version>7.0.9</logdb-version> <platform-family>3000</platform-family> <vpn-disable-mode>off</vpn-disable-mode> <multi-vsys>on</multi-vsys> <operational-mode>normal</operational-mode> </system> </result> </response>- Note the currently installed versions for the following updates, so that you can compare the values after you check for the latest updates:
- global-protect-client-package-version: GlobaProtect
- app-version: Application and threat signatures.
- av-version: Antivirus signatures
- wildfire-version: WildFire malware and antivirus signatures
- Check for new, available updates with the following requests and store the version field in the response, which is the version field for GlobalProtect, and the app-version field for all others:
- GlobalProtect:
curl -X POST 'https://firewall/api?type=op&cmd=<request><global-protect-client><software><check></check></software></global-protect-client></request>&key=<apikey>"- WildFire:
curl -X POST 'https://firewall/api?type=op&cmd=<request><wildfire><upgrade><check></check></upgrade></wildfire></request>&key=<apikey>"- Application & Threat:
curl -X POST 'https://firewall/api?type=op&cmd=<request><content><upgrade><check></check></upgrade></content></request>&key=<apikey>"- Antivirus:
curl -X POST 'https://firewall/api?type=op&cmd=<request><anti-virus><upgrade><check></check></upgrade></anti-virus></request>&key=<apikey>"Example response:<response status="success"> <result> <sw-updates last-updated-at="2016/05/19 14:34:34"> <msg/> <versions> <entry> <version>4.0.0-c16</version> <filename>PanGP-4.0.0-c16</filename> <size>44</size> <size-kb>45321</size-kb> <released-on>2016/07/08 15:41:18</released-on> <release-notes> <![CDATA[ https://firewall/updates/ReleaseNotes.aspx?type=sw&versionNumber=4.0.0-c16&product=gpclient&platform=any ]]> </release-notes> <downloaded>no</downloaded> <current>no</current> <latest>no</latest> <uploaded>no</uploaded> </entry> <!--TRUNCATED-->Take note of the released-on XML field to verify that updates have been released for at least a week.- In your script or code, compare the version values for currently installed updates to new, available updates. It is recommended that you only install updates that have been available for at least a week.
- Download the latest content updates with these requests:
- GlobalProtect:
curl -X POST 'https://firewall/api?type=op&cmd=<request><global-protect-client><software><download><version>versionnumber</version></download></software></global-protect-client></request>&key=<apikey>"- WildFire:
curl -X POST 'https://firewall/api?type=op&cmd=<request><wildfire><upgrade><download><latest></latest></download></upgrade></wildfire></request>&key=<apikey>"- Application & Threat:
curl -X POST 'https://firewall/api?type=op&cmd=<request><content><upgrade><download><latest></latest></download></upgrade></content></request>"- Antivirus:
curl -X POST 'https://firewall/api?type=op&cmd=<request><anti-virus><upgrade><download><latest></latest></download></upgrade></anti-virus></request>&key=<apikey>"The response contains a job ID that you can use to check on the status of the request. Example:<response status="success" code="19"> <result> <msg> <line>Content install job enqueued with jobid 299</line> </msg> <job>299</job> </result> </response>Learn more about Asynchronous and Synchronous Requests to the PAN-OS XML API.- Install the latest content updates with these requests:
- GlobalProtect:
curl -X POST 'https://firewall/api?type=op&cmd=<request><global-protect-client><software><activate><version>versionnumber</version></activate></software></global-protect-client></request>&key=<apikey>"- WildFire:
curl -X POST 'https://firewall/api?type=op&cmd=<request><wildfire><upgrade><install><version>latest</version></install></upgrade></wildfire></request>&key=<apikey>"- Application & Threat:
curl -X POST 'https://firewall/api?type=op&cmd=<request><content><upgrade><install>latest</latest></install></upgrade></content></request>&key=<apikey>"- Antivirus:
curl -X POST 'https://firewall/api?type=op&cmd=<request><anti-virus><upgrade><install><version>latest</version></install></upgrade></anti-virus></request>&key=<apikey>"The response contains a job ID that you can use to check on the status of the request. - Confirm that the API response to the request in the previous step includes the currently installed updates on your firewall: