Management Articles

Featured Article
Overview

This document is for first-time API users to get started and try out the basics of the PAN-OS API. This document leverages the pan-python SDK to get you started with some basic examples of API usage.

Step 1: Get python

Windows: Download Python 2.7.x or 3.x.x for Windows here: https://www.python.org/downloads/windows/
When installing python on Windows, be sure to enable "Add python.exe to Path"

Mac OSX: Python 2.7.x is already installed. Go to step 2.

Linux: Python is already installed (usually 2.7.x). Go to step 2.

Step 2: Get pan-python

Go to https://github.com/kevinsteves/pan-python/releases

Windows: Download the Source Code (.zip)

Mac OSX and Linux: Download pan-python-x.x.x.tar.gz

Uncompress the file.

Step 3: Open a terminal

Windows: Press WinKey+R. In the Run dialog, type 'cmd' and press enter

Mac OSX: Navigate to Applications -> Utilities -> Terminal

Linux: Most distributions have a terminal program you can run.

Step 4: Navigate to pan-python in terminal

In the terminal, use the 'cd' command to navigate to the "bin" directory in the new directory you uncompressed earlier.

For example:

    cd c:\Users\<username>\Downloads\pan-python-x.x.x\bin

Step 5: Generate an API key for a firewall

When connecting to the PAN-OS API, the connection must include an API key that the firewall uses to authenticate the connection as coming from a specific administrator. In this example, we will generate the API key for the default admin user.

Run this command in a terminal to generate an API Key for the admin user. In this example, the firewall's management IP is 10.1.1.5 and the firewall credentials are username admin and password admin.

    python panxapi.py -h 10.1.1.5 -l admin:admin -k

    keygen: success
    API key:  "LUFRPT14MW5xOEo1R09KVlBZNnpnemh0VHRBOWl6TGM9bXcwM3JHUGVhRlNiY0dCR0srNERUQT09"

Record the outputted API key. It will be used in all subsequent API calls.

Step 6: Make a few API calls

The API has many capabilities including the ability to pull statistical data, modify the configuration, and retrieve logs, reports, and pcaps. Here are a few example API calls you can test on any firewall. In each API call, you pass the script the API key, an action type, and a command or xpath that tells the firewall what to retrieve or do.

Example 1: Get interface statistics

    python panxapi.py -h 10.1.1.5 -K "LUFRPT14MW5xOEo1R09KVlBZNnpnemh0VHRBOWl6TGM9bXcwM3JHUGVhRlNiY0dCR0srNERUQT09" -x -o "<show><counter><interface>ethernet1/1</interface></counter></show>"

Example 2: Get the firewall's hostname

    python panxapi.py -h 10.1.1.5 -K "LUFRPT14MW5xOEo1R09KVlBZNnpnemh0VHRBOWl6TGM9bXcwM3JHUGVhRlNiY0dCR0srNERUQT09" -xr -s "/config/devices/entry/deviceconfig/system/hostname"

Example 3: Get all address objects

    python panxapi.py -h 10.1.1.5 -K "LUFRPT14MW5xOEo1R09KVlBZNnpnemh0VHRBOWl6TGM9bXcwM3JHUGVhRlNiY0dCR0srNERUQT09" -xr -s "/config/devices/entry/vsys/entry/address"

Example 4: Create a new address object called 'testobject' with the IP 5.5.5.5

    python panxapi.py -h 10.1.1.5 -K "LUFRPT14MW5xOEo1R09KVlBZNnpnemh0VHRBOWl6TGM9bXcwM3JHUGVhRlNiY0dCR0srNERUQT09" -xr -S "<ip-netmask>5.5.5.5</ip-netmask>" "/config/devices/entry/vsys/entry/address/entry[@name='testobject']"

Example 5: Commit

    python panxapi.py -h 10.1.1.5 -K "LUFRPT14MW5xOEo1R09KVlBZNnpnemh0VHRBOWl6TGM9bXcwM3JHUGVhRlNiY0dCR0srNERUQT09" -xr --sync -C "<commit></commit>"

Step 7: Learn more

You can learn more about the PAN-OS API at the following links. Don't forget, you can always post to the API discussion area of the Live Community if you have questions.

See Also

PAN-OS Documentation and XML-API Guide
pan-python SDK
panxapi.py API script documentation
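What the calls in Step 6 look like underneath, as an added example (not code from the original article or from the pan-python project): the query parameters behind the set call in Example 4, and a parser for the kind of response Example 3 returns that refuses to proceed unless the status is "success". The function names and both sample responses are constructed for illustration; the parameter names (type, action, xpath, element, key) are those of the PAN-OS XML API.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

# Constructed sample responses in the XML API's <response status=...> envelope.
SAMPLE_OK = """<response status="success"><result>
  <address>
    <entry name="testobject"><ip-netmask>5.5.5.5</ip-netmask></entry>
    <entry name="dns-server"><ip-netmask>10.1.1.53/32</ip-netmask></entry>
    <entry name="portal"><fqdn>portal.example.com</fqdn></entry>
  </address>
</result></response>"""
SAMPLE_ERR = ('<response status="error" code="403">'
              '<result><msg>Invalid credentials.</msg></result></response>')

class ApiError(Exception):
    """Raised when the firewall reports anything other than success."""

def set_request_params(api_key, xpath, element):
    """Query parameters equivalent to Example 4 (panxapi.py -S element xpath)."""
    return {"type": "config", "action": "set",
            "xpath": xpath, "element": element, "key": api_key}

def redact(params):
    """Copy of params that is safe to log: the key authenticates as the admin."""
    return {k: ("<redacted>" if k == "key" else v) for k, v in params.items()}

def parse_address_objects(xml_text):
    """Return {name: (kind, value)}; raise ApiError unless status is success."""
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        msg = root.findtext(".//msg") or "no message"
        raise ApiError(f"API call failed (code {root.get('code')}): {msg}")
    objects = {}
    for entry in root.iterfind("./result/address/entry"):
        for child in entry:
            if child.tag in ("ip-netmask", "ip-range", "fqdn"):
                objects[entry.get("name")] = (child.tag, child.text.strip())
    return objects

if __name__ == "__main__":
    params = set_request_params(
        "PLACEHOLDER-KEY",  # placeholder, not a real key
        "/config/devices/entry/vsys/entry/address/entry[@name='testobject']",
        "<ip-netmask>5.5.5.5</ip-netmask>")
    print(urlencode(redact(params)))        # what a log line may safely contain
    print(parse_address_objects(SAMPLE_OK))
```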
btorresgil ‎07-13-2017 02:41 AM
This article explains how to filter specific static routes from being advertised into OSPF while still advertising all other static routes.

The method highlighted in this article is useful when the firewall has a large number of static routes configured and only some of the routes need to be filtered.

Details:

PA-1 (12.12.12.1)  ------  (12.12.12.2) PA-2

1- Static routes configured on PA-1:

2- Redistribution profile configured on PA-1:

3- This redistribution profile causes all static routes configured on the PA-1 firewall to be redistributed into OSPF:

4- Now, suppose we want all static routes to be advertised to PA-2 except the static route 4.4.4.0/24. This can be achieved by using the Priority value in the Redistribution Profile:

Profile "Redist-Static" has a priority of 5 and action set to "Redist". The new profile, "Filter-Static", has a priority of 1 and action set to "No Redist". When both profiles are referenced in the OSPF Export rules, the profiles are evaluated according to the priority assigned.

A lower value means a higher priority. This causes the "Filter-Static" profile to be evaluated first and preferred over the "Redist-Static" profile, so route 4.4.4.0/24 is not redistributed while the other static routes are still redistributed.

Note: The same configuration can be used for routes learned from other source types as well, e.g. to filter specific connected routes from being exported into OSPF.
poagrawal ‎06-08-2017 03:03 AM
The week of 01-December-2015, Palo Alto Networks plans to add a new App-ID named “google-base”, intended to simplify the safe enablement of Google applications and streamline policy configuration. Please follow the FAQ below to learn more about this change and its impact on existing firewall policies.  
EmmaF ‎10-05-2016 06:42 PM