topic Re: PAN-OS 9.0.6 API Curl JSON output in General Topics

PAN-OS 9.0.6 API Curl JSON output

jwhughes — Thu, 09 Apr 2020 18:30:08 GMT

I'm working on a project to get information from the Palo Altos and use it for an input to a SIEM. I'm able to run the below and get XML output.

curl -k 'https://<PAN>/api/?type=op&cmd=<show><system><info></info></system></show>&key=<KEY>'

I would prefer getting this in json so I tried &output-format=json after the key and get XML. I did some research and see that /api appears to be XML output only. Is this the case? If so, is there an alternate to get the same output but in json?

TIA,

Joe

Re: PAN-OS 9.0.6 API Curl JSON output

OtakarKlier — Thu, 09 Apr 2020 21:11:10 GMT

Hello,

What information are you looking to get from the PANs to the SIEM?

Please advise,

Re: PAN-OS 9.0.6 API Curl JSON output

jwhughes — Thu, 09 Apr 2020 21:15:27 GMT

The hostname, ip address, serial number, ha peer, and ha state. Both the PAN team and the team I am on are tired of asking them if there are any new devices that we need the SIEM to monitor the feed of. If I could get that from the API only a weekly basis I wouldn't have to ask them and manually update the csv file that the SIEM reads.

Re: PAN-OS 9.0.6 API Curl JSON output

OtakarKlier — Thu, 09 Apr 2020 21:17:38 GMT

Hello,

So you are looking for new PAN's on the network? Sounds like something for a monitoring tool and not a SIEM?

Please advise,

Re: PAN-OS 9.0.6 API Curl JSON output

jwhughes — Thu, 09 Apr 2020 21:26:18 GMT

The SIEM monitors all the events from the PANs for correlating with other security appliances. The issue as a member of the SIEM team is keeping up with the changes the PAN team makes. That is why I'm looking for a way of getting a list of all the PANs. I can get it with

curl -k 'https://<PAN>/api/?type=op&cmd=<show><devices><connected></connected></devices></show>&key=<KEY>'

Unfortunately the response is XML and the software I work with prefers JSON. So either I have to convert from XML to JSON or find out if there is an alternative method of getting the information that outputs as JSON.

Re: PAN-OS 9.0.6 API Curl JSON output

OtakarKlier — Thu, 09 Apr 2020 21:43:15 GMT

Hello,

Are you running that against the panorama? There should be logs that are generated when a new device connects. From there you should be able to generate an alert from the SIEM if that new IP is not being monitored.

Hope I understood you correctly.

Regards,

Re: PAN-OS 9.0.6 API Curl JSON output

jwhughes — Thu, 09 Apr 2020 21:48:09 GMT

Hi,

Correct. I'm running this against the Panorama. What do the logs look like? I still would like an answer to my original question to do a sanity check on what is currently there, but I can use the log for future PANs.

Regards

Re: PAN-OS 9.0.6 API Curl JSON output

OtakarKlier — Thu, 09 Apr 2020 21:50:37 GMT

Hello,

That is something I do not know. However it should be a 'system' log so you might be able to run a SIEM query against that type of log, check its contents and write an alarm/alert around it.

Regards,

Re: PAN-OS 9.0.6 API Curl JSON output

BPry — Thu, 09 Apr 2020 22:00:26 GMT

@jwhughes,

So your polling from a Panorama appliance then. Honestly this sounds far more like a process/people issue and not something I would solve like this, but whatever. The /api address will direct you to the XML API, so yes the output is XML.

There is a limited REST API available in 9.0 and above, but it's pretty limited in what it can do at the moment and can't do any sort of operational command.

You'll need to utilize the XML response at this time until the REST API gets to the point where it's fully functional or you fix your people/process problem.

Re: PAN-OS 9.0.6 API Curl JSON output

jwhughes — Thu, 09 Apr 2020 22:04:56 GMT

@BPryThanks. It isn't what I wanted to hear, but it is what it is. For now I will need to convert from XML to JSON in an external script.

Re: PAN-OS 9.0.6 API Curl JSON output

Retired Member — Thu, 09 Apr 2020 23:58:12 GMT

Assuming that you're using a Linux CLI for this: a combination of the xpath (or xmllint) and the logger commands might be an easy solution to achieve your goal.

Here's a good example:

curl --insecure 'https://10.1.1.1/api/?type=op&cmd=<show><session><info></info></session></show>&key=XXXXXXXXXXXXXXXXXXXXXXXX=' -s | xpath "//pps/text()" 2>/dev/null | xargs logger -t paloaltoapi -n 10.3.3.7 -P 514 Number of sessions from Palo Alto firewall: