API key after configuration migration

Showing results for 
Show  only  | Search instead for 
Did you mean: 
Please sign in to see details of an important advisory in our Customer Advisories area.

API key after configuration migration

L1 Bithead


We have old PA-4060 with 4.1.12 version of software which is operated using XML API. Sometime in the past we have generated API key and since then we are using API requests to make periodical changes on the firewall. And all this is working fine.

Now I have to migrate configuration from existing PA-4060 to new PA-5050. For now we will be using same software on new device. Username and password for API user will not change.


My questions is, can I use same API key on the new device after migration or will I have to generate new API key.


I have found this in documentation:
For PAN-OS 4.1.0 and later releases, generating an API key using the same administrator account credentials returns unique API keys every time, and all of the keys are valid.


But I'm not sure if username and password is only component that is used to generate API key or PAN use some other component unique to the device (like serial number) to generate API key.


L4 Transporter

The API key is a hash including the username and password, but there are also other factors. You'll need to generate a new API key for a new device.

For additional information for anyone reading this later, different versions of PAN-OS handle this differently.  The most recent PAN-OS versions generate the same API key across different devices, unless those devices have a different master key.  So it comes down to some best practices.  It is a best practice to have different master keys on each firewall which would mean different API keys, even for admins with the same username and password.


So as nswift suggested, it is also a best practice to regenerate the API key in your situation.  Although in some cases you'll get the same API key, there are other factors besides username and password that could make the API key different.

  • 2 replies
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!