The PAN-OS API requires that you grant access to an administrator account. The
API supports the following types of administrators and admin roles:
- Dynamic roles: Superuser, Superuser (readonly), Device admin, Device admin
(readonly), Vsys admin, Vsys admin (readonly)
- Role-based Admins: Device, Vsys, Panorama.
Admin Role profiles enable or disable features on the management interfaces of the
firewall or Panorama, XML API, web interface, and CLI. For more details on
Administrative Roles, see
Configure an Admin Role Profile.
By default, the firewall and Panorama support API requests over HTTPS. To make API
requests over HTTP, you must configure an
interface management profile.
As a best practice:
- Set an API key lifetime to enforce key
rotation; you can also revoke all API keys to protect from accidental
exposure.
- Use a POST request for any call that may contain sensitive information.
As a best practice, set up a separate admin account for XML API access.
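
The POST recommendation above, shown as an added Python example that is not part of the original documentation: credentials and the API key travel in the request body or a header, so they never appear in the URL that proxies and access logs record. The host name, the `apiuser` account and the sample response are constructed, and the `X-PAN-KEY` header assumes a PAN-OS release that accepts the key as a header.

```python
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

HOST = "firewall.example.com"  # hypothetical management address
FORM = {"Content-Type": "application/x-www-form-urlencoded"}

def keygen_request(host, user, password):
    """Build a keygen call with the credentials in the POST body, not the URL."""
    body = urllib.parse.urlencode({"user": user, "password": password}).encode()
    return urllib.request.Request(f"https://{host}/api/?type=keygen",
                                  data=body, method="POST", headers=FORM)

def api_request(host, key, params):
    """Build an API call with the key in a header and the parameters in the body."""
    body = urllib.parse.urlencode(params).encode()
    headers = dict(FORM, **{"X-PAN-KEY": key})
    return urllib.request.Request(f"https://{host}/api/",
                                  data=body, method="POST", headers=headers)

def parse_key(xml_text):
    """Extract the API key from a keygen response, failing on any error status."""
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        raise ValueError(f"keygen failed: status={root.get('status')!r}")
    key = root.findtext("./result/key")
    if not key:
        raise ValueError("keygen response contained no key")
    return key

def url_leaks(request, secrets):
    """Return True if any secret value would be visible in the request URL."""
    return any(s in request.full_url for s in secrets)

# Constructed sample of a successful keygen response (not a real key).
SAMPLE_RESPONSE = ("<response status='success'><result>"
                   "<key>CONSTRUCTED-SAMPLE-KEY</key></result></response>")

if __name__ == "__main__":
    req = keygen_request(HOST, "apiuser", "p@ss&word")
    print(req.get_method(), req.full_url)  # no credentials in the URL
    key = parse_key(SAMPLE_RESPONSE)
    op = api_request(HOST, key, {"type": "op",
                                 "cmd": "<show><system><info/></system></show>"})
    print(op.get_method(), op.full_url, url_leaks(op, [key]))
    # To send for real: urllib.request.urlopen(req) with certificate checks left on.
```

Pair this with the dedicated XML API admin account and the key lifetime setting so that a leaked key is both narrowly scoped and short-lived.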