PAN-OS® and Panorama™API Usage Guide
    : Query a Firewall from Panorama (API)
    Focus
    Download PDF
    Focus
    1. Home
    2. PAN-OS
    3. PAN-OS® and Panorama™API Usage Guide
    4. PAN-OS XML API Use Cases
    5. Query a Firewall from Panorama (API)
    Download PDF

    PAN-OS® and Panorama™API Usage Guide

    Query a Firewall from Panorama (API)

    Table of Contents

    Query a Firewall from Panorama (API)

    Thetarget parameter on Panorama allows you to redirect queries to a managed firewall. Redirecting queries to firewalls helps to reduce time and the number of steps required to issue repetitive commands. Use the scripting language of your choice to store firewall serial numbers and use them to issue a query to several firewalls.
    Because the PAN-OS XML API uses a tree of XML nodes, in your API request you must specify the correct type and action along with the XPath Node Selection. See Explore the API to learn how to construct XML requests.
    1. Get a list of managed firewalls.
      curl -X POST 'https://<panorama>/api?&type=op&cmd=<show><devices><all></all></devices></show>'
      If you want to get a list of connected firewalls only, use 
      curl -X POST 'https://<panorama>/api?&type=op&cmd=<show><devices><connected></connected></devices></show>'
      The response includes the serial number (serial) of each firewall.
      
						<response

							status="success">
							<result>
							<devices>
							name="007200002517">
							<serial>007200002342</serial>
							<connected>yes</connected>
							<unsupported-version>no</unsupported-version>
							<deactivated>no</deactivated>
							<hostname>PM-6-1-VM</hostname>
							<ip-address>10.3.4.137</ip-address>
							<mac-addr />
							<uptime>81 days, 20:39:41</uptime>
							<family>vm</family>
							<model>PA-VM</model>
							<sw-version>6.1.3</sw-version>
							<app-version>555-3129</app-version>
							<av-version>2254-2693</av-version>
							<wildfire-version>91873-10.274</wildfire-version>
							<threat-version>555-3129</threat-version>
							<url-db>paloaltonetworks</url-db>
							<url-filtering-version>2016.02.02.416</url-filtering-version>
							<logdb-version>6.1.3</logdb-version>
							<vpnclient-package-version />
							<global-protect-client-package-version>0.0.0</global-protect-client-package-version>
							<vpn-disable-mode>no</vpn-disable-mode>
							<operational-mode>normal</operational-mode>
							<multi-vsys>no</multi-vsys>
							<vsys>
							name="vsys1">
							<display-name>vsys1</display-name>
							<shared-policy-status />
							<shared-policy-md5sum>4a0913667df83ff1098492e2e2ec1756</shared-policy-md5sum>
							</entry>
							</vsys>
							</entry>
							<!--truncated -->
							</devices>
							</result>
							</response>
      The response contains a <serial> XML element for each firewall.
    2. Collect firewall serial numbers.
      In your script or code, store the firewall serial numbers returned in the response to the previous request.
    3. Query a firewall from Panorama.
      A normal request to show system information on a firewall looks like this:
      curl -X POST 'https://<firewall>/api?&type=op&cmd=<show><system><info></info></system></show>'
      To directly target a firewall through Panorama, append the firewall serial number to the request:
      curl -X POST 'https://<panorama>/api?&type=op&cmd=<show><system><info></info></system></show>&target=<device-serial-number>'
      A successful response should look like this:
      
						<response status="success">
  <result>
    <system>
      <hostname>firewall</hostname>
      <ip-address>10.41.0.8</ip-address>
      <netmask>255.255.224.0</netmask>
      <default-gateway>10.41.0.1</default-gateway>
      <is-dhcp>no</is-dhcp>
      <ipv6-address>unknown</ipv6-address>
      <ipv6-link-local-address>fe80::21c:17cf:feff:c04a/64</ipv6-link-local-address>
      <ipv6-default-gateway/>
      <mac-address>00:1b:17:fc:c0:4a</mac-address>
      <time>Tue Oct 27 13:39:09 2015</time>
      <uptime>12 days, 0:05:26</uptime>
      <devicename>pm-firewall</devicename>
      <family>3000</family>
      <model>PA-3020</model>
      <serial>001802000104</serial>
      <sw-version>7.1.0-c54</sw-version>
      <global-protect-client-package-version>2.0.0</global-protect-client-package-version>
      <app-version>537-2965</app-version>
      <app-release-date>2015/10/26 18:10:48</app-release-date>
      <av-version>2149-2586</av-version>
      <av-release-date>2015/10/26 15:31:55</av-release-date>
      <threat-version>537-2965</threat-version>
      <threat-release-date>2015/10/26 18:10:48</threat-release-date>
      <wf-private-version>0</wf-private-version>
      <wf-private-release-date>unknown</wf-private-release-date>
      <url-db>paloaltonetworks</url-db>
      <wildfire-version>80683-89773</wildfire-version>
      <wildfire-release-date>unknown</wildfire-release-date>
      <url-filtering-version>2015.10.27.226</url-filtering-version>
      <global-protect-datafile-version>1445974904</global-protect-datafile-version>
      <global-protect-datafile-release-date>2015/10/27 19:41:44</global-protect-datafile-release-date>
      <logdb-version>7.0.9</logdb-version>
      <platform-family>3000</platform-family>
      <vpn-disable-mode>off</vpn-disable-mode>
      <multi-vsys>on</multi-vsys>
      <operational-mode>normal</operational-mode>
    </system>
  </result>
</response>
      Repeat this request for each managed or connected firewall.

    © 2024 Palo Alto Networks, Inc. All rights reserved.