topic Re: API Key Lifetime functionality - Giving different keys within the Lifetime period itself. in Automation/API Discussions

API Key Lifetime functionality - Giving different keys within the Lifetime period itself.

ArunkumarDurais — Wed, 27 Oct 2021 17:25:05 GMT

Hi Team,

We have API Key Lifetime configured to 20 mins. But if we are trying to get the API key within 5 mins gap (for example) it is giving different keys. Kindly help me to understand this function. I am trying to view the keys using the below URL, its giving the different keys but always first few and last few string are same.

https://<hostname>/api/?type=keygen&user=<username>&password=<password>.

Re: API Key Lifetime functionality - Giving different keys within the Lifetime period itself.

JimmyHolland — Wed, 03 Nov 2021 12:40:39 GMT

Hi @ArunkumarDurais, that API command is a "keygen" command, for API key generation. Every time you call it, you generate a new key, so this is expected behaviour. If you have already done a keygen command, I would suggest to store the key in a variable (in whatever language/script/tool you are using) so that you can reuse it for the next 19 minutes. Hope that helps...

Re: API Key Lifetime functionality - Giving different keys within the Lifetime period itself.

ArunkumarDurais — Wed, 03 Nov 2021 13:56:35 GMT

Hi JimmyHolland,

Thanks for the update, even i suspected the same. Is there any way to see the current key in the firewall using any API command without any external scripts.

We have a compliant for Firemon integration that the firewall is rejecting the connection even if the Firemon is presenting same key within the API Key lifetime. So we are trying to confirm whether the firewall is holding the same within the Key lifetime period or not.

Re: API Key Lifetime functionality - Giving different keys within the Lifetime period itself.

JimmyHolland — Wed, 03 Nov 2021 15:01:20 GMT

Hi @ArunkumarDurais, I don't believe there is a way to see generated keys (which is not uncommon for API keys in various systems), hence whatever system does the keygen needs to store the key, for the lifetime it is valid per your config. I would run the keygen manually with the API command you quoted at the start of this thread, then use it a few minutes later for a simple info query API command e.g.

https://{{host}}/api?key={{key}}&type=op&cmd=<show><system><info/></system></show>

It should work, and should work at 19 minutes, and should then stop working by 21 minutes (if you have lifetime set to 20 minutes.) That should prove that PAN-OS is working correctly; if that fails, open a TAC case. It if works, something Firemon is doing is not correct. Hope that helps?

Re: API Key Lifetime functionality - Giving different keys within the Lifetime period itself.

batd2 — Thu, 02 Dec 2021 13:09:56 GMT

@ArunkumarDurais There is a bit of misconception about how the API keys work on firewalls/Panorama.

The keys are not "generated" and thus not saved. The key a hash function of the account username, password and time/date of generation (and this is the reason you get different key every time).

The key lifetime was introduced in PanOS9. Before 9, the API key was only a function of the username and password and you used to get the same every time you "generate" it.

So when you send the key to firewall, it user its algorithm to convert it to the date/time of generation, username and password. If the time is within you API configured lifetime, then the username and password will be used for authentication. If not or if you changed the password, then authentication will fail.