Attention: Our Customer Support Portal (CSP) is currently experiencing intermittent login disruptions, and we are actively working towards a solution. We appreciate your patience and apologize for any inconvenience this may cause.
Where does the space go? A log collector is deployed with 4 1TB disk pairs. The GUI reports 3.23 TB of total space that can be allocated via quota. Various CLI commands show different values from the GUI. What is going on here? How much space do you actually have for logs?
This document is for first-time API users to get started and try out the basics of the PAN-OS API. This document leverages the pan-python SDK to get you started with some basic examples of API usage.
Step 1: Get python
Windows: Download Python 2.7.x or 3.x.x for Windows here: https://www.python.org/downloads/windows/
When installing python on Windows, be sure to enable "Add python.exe to Path"
Mac OSX: Python 2.7.x is already installed. Go to step 2.
Linux: Python is already installed (usually 2.7.x). Go to step 2.
Step 2: Get pan-python
Go to https://github.com/kevinsteves/pan-python/releases
Windows: Download the Source Code (.zip)
Mac OSX and Linux: Download pan-python-x.x.x.tar.gz
Uncompress the file.
Step 3: Open a terminal
Windows: Press WinKey+R. In the Run dialog, type 'cmd' and press enter
Mac OSX: Navigate to Applications -> Utilities -> Terminal
Linux: Most distributions have a terminal program you can run.
Step 4: Navigate to pan-python in terminal
In the terminal, use the 'cd' command to navigate to the "bin" directory in the new directory you uncompressed earlier.
For example: cd c:\Users\<username>\Downloads\pan-python-x.x.x\bin
Step 5: Generate an API key for a firewall
When connecting to the PAN-OS API, the connection must include an API key that the firewall uses to authenticate the connection as coming from a specific administrator. In this example, we will generate the API key for the default admin user.
Run this command in a terminal to generate an API Key for the admin user. In this example, the firewall's management IP is 10.1.1.5 and the firewall credentials are username admin and password admin.
python panxapi.py -h 10.1.1.5 -l admin:admin -k
API key: "LUFRPT14MW5xOEo1R09KVlBZNnpnemh0VHRBOWl6TGM9bXcwM3JHUGVhRlNiY0dCR0srNERUQT09"
Record the outputted API key. It will be used in all subsequent API calls.
Step 6: Make a few API calls
The API has many capabilities including the ability to pull statistical data, modify the configuration, and retrieve logs, reports, and pcaps. Here are a few example API calls you can test on any firewall. In each API call, you pass the script the API key, an action type, and a command or xpath that tells the firewall what to retrieve or do.
Example 1: Get interface statistics
python panxapi.py -h 10.1.1.5 -K "LUFRPT14MW5xOEo1R09KVlBZNnpnemh0VHRBOWl6TGM9bXcwM3JHUGVhRlNiY0dCR0srNERUQT09" -x -o "<show><counter><interface>ethernet1/1</interface></counter></show>"
Example 2: Get the firewall's hostname
python panxapi.py -h 10.1.1.5 -K "LUFRPT14MW5xOEo1R09KVlBZNnpnemh0VHRBOWl6TGM9bXcwM3JHUGVhRlNiY0dCR0srNERUQT09" -xr -s "/config/devices/entry/deviceconfig/system/hostname"
Example 3: Get all address objects
python panxapi.py -h 10.1.1.5 -K "LUFRPT14MW5xOEo1R09KVlBZNnpnemh0VHRBOWl6TGM9bXcwM3JHUGVhRlNiY0dCR0srNERUQT09" -xr -s "/config/devices/entry/vsys/entry/address"
Example 4: Create a new address object called 'testobject' with the IP 184.108.40.206
python panxapi.py -h 10.1.1.5 -K "LUFRPT14MW5xOEo1R09KVlBZNnpnemh0VHRBOWl6TGM9bXcwM3JHUGVhRlNiY0dCR0srNERUQT09" -xr -S "<ip-netmask>220.127.116.11</ip-netmask>" "/config/devices/entry/vsys/entry/address/entry[@name='testobject']"
Example 5: Commit
python panxapi.py -h 10.1.1.5 -K "LUFRPT14MW5xOEo1R09KVlBZNnpnemh0VHRBOWl6TGM9bXcwM3JHUGVhRlNiY0dCR0srNERUQT09" -xr --sync -C "<commit></commit>"
Step 7: Learn more
You can learn more about the PAN-OS API at the following links. Don't forget, you can always post to the API discussion area of the Live Community if you have questions.
PAN-OS Documentation and XML-API Guide
panxapi.py API script documentation
This article explains how to filter specific static routes from being advertised into OSPF while still advertising all other static routes.
The method highlighted in this article is useful when firewall has a large number of static routes configured and only some of the routes needs to be filtered.
PA-1 (18.104.22.168) ------ (22.214.171.124) PA-2
1- Static routes configured on PA-1:
2- Redistribution profile configured on PA-1:
3- This redistribution profile causes all static routes configured on PA-1 firewall to be redistributed into OSPF:
4- Now, suppose we want that all static routes should be advertised to PA-2 except the static route 126.96.36.199/24. This could be achieved by using Priority value in Redistribution Profile:
Profile "Redist-Static" has a priority of 5 and action set to "Redist". New profile, "Filter-Static" has a priority of 1 and action set to "No Redist".
When both profiles are referred in OSPF Export rules, profiles would be evaluated according to the priority assigned.
Lower value means higher priority. This would cause Filter-Static profile to be evaluated first and preferred over "Redist-Static" profile hence route 188.8.131.52/24 would not be redistributed while other static routes would still be redistributed.
Note: Same configuration can be done for routes learned from other source type also e.g. for filtering specific connected routes to be exported into OSPF etc.
The week of 01-December-2015, Palo Alto Networks plans to add a new App-ID named “google-base”, intended to simplify the safe enablement of Google applications and streamline policy configuration. Please follow the FAQ below to learn more about this change and its impact on existing firewall policies.