Query a Firewall from Panorama (API)
Table of Contents
PAN.OS 11.1 & Later
Expand all | Collapse all
-
- Upgrade a Firewall to the Latest PAN-OS Version (API)
- Show and Manage GlobalProtect Users (API)
- Query a Firewall from Panorama (API)
- Upgrade PAN-OS on Multiple HA Firewalls through Panorama (API)
- Automatically Check for and Install Content Updates (API)
- Enforce Policy using External Dynamic Lists and AutoFocus Artifacts (API)
- Configure SAML 2.0 Authentication (API)
- Quarantine Compromised Devices (API)
- Manage Certificates (API)
-
- Asynchronous and Synchronous Requests to the PAN-OS XML API
- Run Operational Mode Commands (API)
- Apply User-ID Mapping and Populate Dynamic Groups (API)
- Get Version Info (API)
-
- PAN-OS REST API
- Access the PAN-OS REST API
- Resource Methods and Query Parameters (REST API)
- PAN-OS REST API Request and Response Structure
- PAN-OS REST API Error Codes
- Work With Objects (REST API)
- Create a Security Policy Rule (REST API)
- Work with Policy Rules on Panorama (REST API)
- Create a Tag (REST API)
- Configure a Security Zone (REST API)
- Configure an SD-WAN Interface (REST API)
- Create an SD-WAN Policy Pre Rule (REST API)
- Configure an Ethernet Interface (REST API)
- Update a Virtual Router (REST API)
- Work With Decryption (APIs)
Query a Firewall from Panorama (API)
Thetarget parameter
on Panorama allows you to redirect queries to a managed firewall.
Redirecting queries to firewalls helps to reduce time and the number
of steps required to issue repetitive commands. Use the scripting
language of your choice to store firewall serial numbers and use
them to issue a query to several firewalls.
Because the PAN-OS XML API uses
a tree of XML nodes, in your API request you must specify the correct
type and action along with the XPath Node Selection. See Explore
the API to learn how to construct XML requests.
- Get a list of managed firewalls.curl -X POST 'https://<panorama>/api?&type=op&cmd=<show><devices><all></all></devices></show>'If you want to get a list of connected firewalls only, usecurl -X POST 'https://<panorama>/api?&type=op&cmd=<show><devices><connected></connected></devices></show>'The response includes the serial number (serial) of each firewall.<response status="success"> <result> <devices> name="007200002517"> <serial>007200002342</serial> <connected>yes</connected> <unsupported-version>no</unsupported-version> <deactivated>no</deactivated> <hostname>PM-6-1-VM</hostname> <ip-address>10.3.4.137</ip-address> <mac-addr /> <uptime>81 days, 20:39:41</uptime> <family>vm</family> <model>PA-VM</model> <sw-version>6.1.3</sw-version> <app-version>555-3129</app-version> <av-version>2254-2693</av-version> <wildfire-version>91873-10.274</wildfire-version> <threat-version>555-3129</threat-version> <url-db>paloaltonetworks</url-db> <url-filtering-version>2016.02.02.416</url-filtering-version> <logdb-version>6.1.3</logdb-version> <vpnclient-package-version /> <global-protect-client-package-version>0.0.0</global-protect-client-package-version> <vpn-disable-mode>no</vpn-disable-mode> <operational-mode>normal</operational-mode> <multi-vsys>no</multi-vsys> <vsys> name="vsys1"> <display-name>vsys1</display-name> <shared-policy-status /> <shared-policy-md5sum>4a0913667df83ff1098492e2e2ec1756</shared-policy-md5sum> </entry> </vsys> </entry> <!--truncated --> </devices> </result> </response>The response contains a <serial> XML element for each firewall.
- Collect firewall serial numbers.
In your script or code, store the firewall serial numbers returned in the response to the previous request.- Query a firewall from Panorama.
A normal request to show system information on a firewall looks like this:curl -X POST 'https://<firewall>/api?&type=op&cmd=<show><system><info></info></system></show>'To directly target a firewall through Panorama, append the firewall serial number to the request:curl -X POST 'https://<panorama>/api?&type=op&cmd=<show><system><info></info></system></show>&target=<device-serial-number>'A successful response should look like this:<response status="success"> <result> <system> <hostname>firewall</hostname> <ip-address>10.41.0.8</ip-address> <netmask>255.255.224.0</netmask> <default-gateway>10.41.0.1</default-gateway> <is-dhcp>no</is-dhcp> <ipv6-address>unknown</ipv6-address> <ipv6-link-local-address>fe80::21c:17cf:feff:c04a/64</ipv6-link-local-address> <ipv6-default-gateway/> <mac-address>00:1b:17:fc:c0:4a</mac-address> <time>Tue Oct 27 13:39:09 2015</time> <uptime>12 days, 0:05:26</uptime> <devicename>pm-firewall</devicename> <family>3000</family> <model>PA-3020</model> <serial>001802000104</serial> <sw-version>7.1.0-c54</sw-version> <global-protect-client-package-version>2.0.0</global-protect-client-package-version> <app-version>537-2965</app-version> <app-release-date>2015/10/26 18:10:48</app-release-date> <av-version>2149-2586</av-version> <av-release-date>2015/10/26 15:31:55</av-release-date> <threat-version>537-2965</threat-version> <threat-release-date>2015/10/26 18:10:48</threat-release-date> <wf-private-version>0</wf-private-version> <wf-private-release-date>unknown</wf-private-release-date> <url-db>paloaltonetworks</url-db> <wildfire-version>80683-89773</wildfire-version> <wildfire-release-date>unknown</wildfire-release-date> <url-filtering-version>2015.10.27.226</url-filtering-version> <global-protect-datafile-version>1445974904</global-protect-datafile-version> <global-protect-datafile-release-date>2015/10/27 19:41:44</global-protect-datafile-release-date> <logdb-version>7.0.9</logdb-version> <platform-family>3000</platform-family> <vpn-disable-mode>off</vpn-disable-mode> <multi-vsys>on</multi-vsys> <operational-mode>normal</operational-mode> </system> </result> </response>Repeat this request for each managed or connected firewall. - Collect firewall serial numbers.