Getting Started with the API

Overview

This document helps first-time API users get started and try out the basics of the PAN-OS API.  It uses the pan-python SDK for some basic examples of API usage.

 

Step 1:  Get Python

Windows:  Download Python 2.7.x or 3.x.x for Windows here:  https://www.python.org/downloads/windows/

When installing Python on Windows, be sure to enable "Add python.exe to Path".

 

Mac OSX:  Python 2.7.x is already installed.  Go to step 2.

 

Linux:  Python is already installed (usually 2.7.x).  Go to step 2.

 

Step 2:  Get pan-python

Go to https://github.com/kevinsteves/pan-python/releases

 

Windows:  Download the Source Code (.zip)

 

Mac OSX and Linux:  Download pan-python-x.x.x.tar.gz

 

Uncompress the file.

 

Step 3:  Open a terminal

Windows:  Press WinKey+R.  In the Run dialog, type 'cmd' and press Enter.

 

Mac OSX:  Navigate to Applications -> Utilities -> Terminal

 

Linux:  Most distributions have a terminal program you can run.

 

Step 4:  Navigate to pan-python in terminal

In the terminal, use the 'cd' command to navigate to the "bin" directory in the new directory you uncompressed earlier.

 

For example:  cd c:\Users\<username>\Downloads\pan-python-x.x.x\bin

 

Step 5:  Generate an API key for a firewall

When connecting to the PAN-OS API, the connection must include an API key that the firewall uses to authenticate the connection as coming from a specific administrator.  In this example, we will generate the API key for the default admin user.

 

Run this command in a terminal to generate an API Key for the admin user.  In this example, the firewall's management IP is 10.1.1.5 and the firewall credentials are username admin and password admin.

 

python panxapi.py -h 10.1.1.5 -l admin:admin -k

keygen: success

API key:  "LUFRPT14MW5xOEo1R09KVlBZNnpnemh0VHRBOWl6TGM9bXcwM3JHUGVhRlNiY0dCR0srNERUQT09"

 

Record the API key from the output.  It will be used in all subsequent API calls.

 

Step 6:  Make a few API calls

The API has many capabilities including the ability to pull statistical data, modify the configuration, and retrieve logs, reports, and pcaps.  Here are a few example API calls you can test on any firewall.  In each API call, you pass the script the API key, an action type, and a command or xpath that tells the firewall what to retrieve or do.

 

Example 1:  Get interface statistics

 

python panxapi.py -h 10.1.1.5 -K "LUFRPT14MW5xOEo1R09KVlBZNnpnemh0VHRBOWl6TGM9bXcwM3JHUGVhRlNiY0dCR0srNERUQT09" -x -o "<show><counter><interface>ethernet1/1</interface></counter></show>"

 

Example 2:  Get the firewall's hostname

 

python panxapi.py -h 10.1.1.5 -K "LUFRPT14MW5xOEo1R09KVlBZNnpnemh0VHRBOWl6TGM9bXcwM3JHUGVhRlNiY0dCR0srNERUQT09" -xr -s "/config/devices/entry/deviceconfig/system/hostname"

 

Example 3:  Get all address objects

 

python panxapi.py -h 10.1.1.5 -K "LUFRPT14MW5xOEo1R09KVlBZNnpnemh0VHRBOWl6TGM9bXcwM3JHUGVhRlNiY0dCR0srNERUQT09" -xr -s "/config/devices/entry/vsys/entry/address"

 

Example 4:  Create a new address object called 'testobject' with the IP 5.5.5.5

 

python panxapi.py -h 10.1.1.5 -K "LUFRPT14MW5xOEo1R09KVlBZNnpnemh0VHRBOWl6TGM9bXcwM3JHUGVhRlNiY0dCR0srNERUQT09" -xr -S "<ip-netmask>5.5.5.5</ip-netmask>" "/config/devices/entry/vsys/entry/address/entry[@name='testobject']"

 

Example 5:  Commit

 

python panxapi.py -h 10.1.1.5 -K "LUFRPT14MW5xOEo1R09KVlBZNnpnemh0VHRBOWl6TGM9bXcwM3JHUGVhRlNiY0dCR0srNERUQT09" -xr --sync -C "<commit></commit>"
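
The request parameters behind the Step 6 calls, as an added example that is not part of pan-python or the original article.  It maps each panxapi.py option used above to the XML API fields it sends, checks that a command is well-formed XML before it goes to the firewall, and reads the status from a response.  The function names and the sample response are constructed for illustration, and the key is assumed to be sent in a POST body.

```python
# Added example, not pan-python code: function names here are hypothetical.
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

def check_xml(fragment):
    """Return fragment unchanged, or raise ValueError if it is not well-formed XML."""
    try:
        ET.fromstring(fragment)
    except ET.ParseError as exc:
        raise ValueError("malformed XML %r: %s" % (fragment, exc))
    return fragment

def build_request(host, kind, xpath=None, xml=None):
    """Map one Step 6 call to (url, fields). kind: op, show, set or commit."""
    if kind == "op":                      # panxapi.py -o "<cmd>"
        fields = {"type": "op", "cmd": check_xml(xml)}
    elif kind == "show":                  # panxapi.py -s "<xpath>"
        fields = {"type": "config", "action": "show", "xpath": xpath}
    elif kind == "set":                   # panxapi.py -S "<element>" "<xpath>"
        fields = {"type": "config", "action": "set",
                  "xpath": xpath, "element": check_xml(xml)}
    elif kind == "commit":                # panxapi.py -C "<commit></commit>"
        fields = {"type": "commit", "cmd": check_xml(xml)}
    else:
        raise ValueError("unknown request kind: %r" % kind)
    return "https://%s/api/" % host, fields

def encode_body(fields, api_key):
    """Form-encode fields plus the key for a POST body, keeping the key out of the URL."""
    return urlencode(dict(fields, key=api_key))

def parse_response(body):
    """Return (status, <result> element or None) from an API <response> document."""
    root = ET.fromstring(body)
    return root.get("status"), root.find("result")

# Constructed sample response for the hostname query in Example 2.
SAMPLE_RESPONSE = ('<response status="success"><result>'
                   '<hostname>PA-VM</hostname></result></response>')

if __name__ == "__main__":
    url, fields = build_request("10.1.1.5", "show",
        xpath="/config/devices/entry/deviceconfig/system/hostname")
    print(url, fields)
    status, result = parse_response(SAMPLE_RESPONSE)
    print(status, result.find("hostname").text)
    try:  # a command with mismatched tags is rejected before it is sent
        build_request("10.1.1.5", "op", xml="<clear><session></clear>")
    except ValueError as exc:
        print("rejected:", exc)
```

A command with mismatched tags fails in check_xml locally instead of coming back from the firewall as a 400 Bad Request.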

 

Step 7:  Learn more

You can learn more about the PAN-OS API at the following links.  Don't forget, you can always post to the API discussion area of the Live Community if you have questions.

 

See Also 

PAN-OS Documentation and XML-API Guide

pan-python SDK

panxapi.py API script documentation

Comments

Hi Admin,

How to configure a schedule for the XML API?

Hi @ThongLam

On a Linux platform you can use crontab, on Windows there's the Task Scheduler, and on Mac you can use Automator.

Thanks, admin. I want to "clear session all filter rule < my policy security>" by Python.

Please advise.

The REST API for that is /api/?type=op&cmd=<clear><session><all><filter><rule></rule></filter></all></session></clear>

You can use the API browser on your firewall to help build API commands: https://<Firewall-IP>/php/rest/browse.php

 

 

Hi admin,

My security rule name is rule1.

But when running the rule:

python panxapi.py -h 192.168.81.162 -K "LUFRPT14MW5xOEo1R09KVlBZNnpnemh0VHRBOWl6TGM9bXcwM3JHUGVhRlNiY0dCR0srNERUQT09" -x -o "<clear><session><all><filter><rule></rule1></filter></all></session></clear>"

 

Fail  Reason:    ==>  op: "URLError: code: 400 reason: Bad Request"

Please help me!

Hi!

The syntax would be <clear><session><all><filter><rule>rule1</rule></filter></all></session></clear>

Hi all,

If we have Panorama that controls the firewall gateway, which do I send the API command to, Pano or the gateway?

 

Thank you