API Authentication and Security
PAN-OS 11.1 & Later
To use the API (XML or REST), you must enable API access for your administrators and get your API key. By default, the firewall and Panorama support API requests over HTTPS. To make API requests over HTTP, you must configure an interface management profile.
To authenticate your API request to the firewall or Panorama,
provide the API key in any of the following ways:
- Use the custom HTTP header, X-PAN-KEY: <key>, to include the API key in the HTTP header.
- For the XML API, include the API key as a query parameter in the HTTP request URL.
- Use Basic Authentication to pass the admin credentials as username:password with Base64 encoding in an Authorization header field.
  Authorization: Basic amJPbLxpbw9UaTpXb3JrKjIwMDA=

As a best practice:
- Set an API key lifetime to enforce key rotation; you can also revoke all API keys to protect from accidental exposure.
- Use a POST request for any call that may contain sensitive information.

You cannot use basic authentication when you Get Your API Key.
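The following Python sketch is an added example, not Palo Alto Networks code. It builds an XML API request that carries the key in the X-PAN-KEY header with its parameters in a POST body, then audits constructed access-log lines for requests that put a key or password in the URL. The host name, key value and log format are assumptions; the /api/ path and the type, cmd, key, user and password parameter names come from the PAN-OS XML API rather than from this page.

```python
import re
import urllib.parse
import urllib.request

HOST = "firewall.example.com"      # hypothetical management address
API_KEY = "EXAMPLE-KEY-NOT-REAL"   # constructed placeholder, not a real key
SENSITIVE_PARAMS = {"key", "password"}  # XML API parameters that carry secrets

def build_op_request(host, api_key, cmd_xml):
    """Build (without sending) an XML API op request: key in the X-PAN-KEY
    header, parameters in the POST body, nothing secret in the URL."""
    body = urllib.parse.urlencode({"type": "op", "cmd": cmd_xml}).encode()
    return urllib.request.Request(
        f"https://{host}/api/",
        data=body,
        method="POST",
        headers={"X-PAN-KEY": api_key,
                 "Content-Type": "application/x-www-form-urlencoded"},
    )

def secrets_in_url(url):
    """Return the sensitive query parameter names present in a URL."""
    query = urllib.parse.urlsplit(url).query
    params = urllib.parse.parse_qs(query, keep_blank_values=True)
    return sorted(name for name in params if name.lower() in SENSITIVE_PARAMS)

# Constructed access-log lines (assumed proxy log format) for the audit below.
SAMPLE_LOG = [
    '10.0.0.5 "POST /api/ HTTP/1.1" 200',
    '10.0.0.7 "GET /api/?type=op&cmd=%3Cshow%3E&key=EXAMPLE-KEY-NOT-REAL HTTP/1.1" 200',
    '10.0.0.9 "GET /api/?type=keygen&user=admin&password=EXAMPLE HTTP/1.1" 200',
]
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

def audit_log(lines):
    """Return (line number, exposed parameter names) for each request whose
    URL carried a secret, so the affected keys can be rotated or revoked."""
    findings = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        exposed = secrets_in_url(match.group(1)) if match else []
        if exposed:
            findings.append((number, exposed))
    return findings

if __name__ == "__main__":
    req = build_op_request(HOST, API_KEY, "<show><system><info></info></system></show>")
    print(req.get_method(), req.full_url, secrets_in_url(req.full_url))
    print(audit_log(SAMPLE_LOG))
```

Any line that audit_log reports identifies a credential that has been written to a log in clear text and is a candidate for rotation or revocation.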