API-KEY after 9.0. Will it work on all firewalls after the "API Key Lifetime" option is added in 9.0?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

API-KEY after 9.0. Will it work on all firewalls after the "API Key Lifetime" option is added in 9.0?

L6 Presenter

Hello to All,

 

I found strange thing that because of the API Key Lifetime option when generating an api key on different firewalls even when using the same credentials (username and password) and the firewall master key is not configured or the same on the firewalls, the api key is now different on the firewalls and this was not the case in 8.1 and the previous versions.

 

https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-new-features/management-features/api-key-lifetim...

 

 

 

 

My question is can the same API-KEY be used in a script to manage many firewalls or as of now in 9.0 and newer this can't be done?

 

 

In 8.1 this is written "" If you want the firewall to generate a unique API key, change the master key on your firewall in order to generate a unique API key. If you have not changed the firewall master key from the default, all firewalls with the same username/password will return the same API key. Keep in mind, however, if you use Panorama to manage your firewalls, Panorama and all of the firewalls that it manages must have the same master key. "" but this is no longer written after 9.0.

 

Version 8.1:

 

 

 

https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-panorama-api/get-started-with-the-pan-os-xml-api...

 

 

 

Version 9.0:

 

https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-panorama-api/get-started-with-the-pan-os-xml-api...

 

1 accepted solution

Accepted Solutions

Hi @nikoolayy1,

 

"Thanks for the reply, so if I generate new api keys in version 9.0 and newer on different firewalls even if the username and password and master key are the same I can't use one api key to manage all the firewalls as before?"

- Correct

 

"If so th best option is to generate an API key on Panorama and manage the firewalls from there..."

- Performing your programmatic configuration using Panorama is indeed one solution. Arguably Panorama should be the source of truth for the configuration of your firewalls, so this would work very well in that respect. You could continue to do op commands directly against the firewalls if needed.

 

"...or make an api script that has a table for the api keys related to the different firewalls ip addresses and when the script logs into firewall A IP address it will use the Firewall A API key and when it tries to connect to Firewall B it will use the API key for Firewall B."

- There are various solutions for handling secrets within scripts, including various password stores, safes, vaults, etc. Deploying a password vault which the scripts utilise, means no passwords in plain text within scripts or tables. But however you choose to approach this, yes, each firewall from 9.0 will have its own API key.

 

Hope this helps.

Help the community: "Like" helpful comments, and click "Accept as Solution" if you found your answer 🙂

View solution in original post

9 REPLIES 9

L5 Sessionator

Hi @nikoolayy1,

 

You are correct. In 8.1 and below, the same admin username/password pairing would always result in the same API key. In 9.0 and above, the same admin username/password pairing will now result in different API keys, it is no longer deterministic.

Help the community: "Like" helpful comments, and click "Accept as Solution" if you found your answer 🙂

But we had a case and Palo Alto TAC engineers said that still the same api key can be used on all the firewalls after we generete it for the same username and password combo with the same master key as the api key change in 9.0 is just functional and they tested this in their lab for version 9.1 .  But how does that work?

Hi @nikoolayy1,

Please send me the TAC case number directly (for confidentiality), and we can check into that further.

Help the community: "Like" helpful comments, and click "Accept as Solution" if you found your answer 🙂

Th for the reply but I am no longer in the same company, so it is no longer an option. I will test it when I get my hands on two firewalls with 9.0 or newer if I generate an api-key on two firewalls with same username and pass and master key if I use one of the keys from firewall-A if it will be able to manage also firewall-B . Maybe the TAC is right but still how do they do this could be internal Palo Alto secret.

Hi @nikoolayy1, I found the ticket. Looks like a misunderstanding. The TAC engineer meant that prior to 9.0 you would get the same API key using the same credentials, but from 9.0 onwards it will be always different (as we already discussed on here). BUT, his point on the ticket was that existing API keys generated when firewall were on 8.1 (or less) will still work if you upgrade to 9.0 or above, and will continue to work until they are expired manually. Hope this helps clarify the situation.

Help the community: "Like" helpful comments, and click "Accept as Solution" if you found your answer 🙂

Thanks for the reply, so if I generate new api keys in version 9.0 and newer on different firewalls even if the username and password and master key are the same I can't use one api key to manage all the firewalls as before?

 

 

If so th best option is to generate an API key on Panorama and manage the firewalls from there or make an api script that has a table for the api keys related to the different firewalls ip addresses and when the script logs into firewall A IP address it will use the Firewall A API key and when it tries to connect to Firewall B it will use the API key for Firewall B. Do you agree with this?

Hi @nikoolayy1,

 

"Thanks for the reply, so if I generate new api keys in version 9.0 and newer on different firewalls even if the username and password and master key are the same I can't use one api key to manage all the firewalls as before?"

- Correct

 

"If so th best option is to generate an API key on Panorama and manage the firewalls from there..."

- Performing your programmatic configuration using Panorama is indeed one solution. Arguably Panorama should be the source of truth for the configuration of your firewalls, so this would work very well in that respect. You could continue to do op commands directly against the firewalls if needed.

 

"...or make an api script that has a table for the api keys related to the different firewalls ip addresses and when the script logs into firewall A IP address it will use the Firewall A API key and when it tries to connect to Firewall B it will use the API key for Firewall B."

- There are various solutions for handling secrets within scripts, including various password stores, safes, vaults, etc. Deploying a password vault which the scripts utilise, means no passwords in plain text within scripts or tables. But however you choose to approach this, yes, each firewall from 9.0 will have its own API key.

 

Hope this helps.

Help the community: "Like" helpful comments, and click "Accept as Solution" if you found your answer 🙂

A really great and detailed reply, thanks.

 

I think that this will help many others when doing automation after an upgrade from 8.1 to newer versions. In addition I think the best option is the script to log in with a username and password to the firewall to generate its api key and write it to a safe store thats maps the firewall's ip address to the geneated api key. This way everything will be automated. If the api key timeouts and the script gets the error message, the script can be made to again to automatically use the username and passwords to generate a new api key. Similar to the REST-API tolken based authentication that is used on many other devices and I see that Palo Alto in the newer versions is going this direction.

 

 

https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-panorama-api/get-started-with-the-pan-os-xml-api...

L1 Bithead

You can use same API key still on 9.0+ as long as you have deployed an account with same username and password to each firewall. Key is hash of username/password and generation time

  • 1 accepted solution
  • 8166 Views
  • 9 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!