Can we get master key expiration via API?

L1 Bithead

Hi, I am just starting to explore pan-python and was wondering if there was a way to pull master key details (like expiration date) via the API, whether from Panorama or on an individual firewall?

Accepted Solutions

L5 Sessionator

Hi @Steven_Lowry,

First an FYI, pan-os-python is the successor to pan-python, and is your best resource for your Python work: https://github.com/PaloAltoNetworks/pan-os-python

You can call the API directly, targeting Panorama or an NGFW, to get that device's master key details:

https://{{host}}/api/?key={{key}}&type=op&cmd=<show><system><masterkey-properties/></system></show>

You can also target Panorama to get a managed NGFW's master key details, if you can't or don't want to target the NGFW directly:

https://{{host}}/api/?key={{key}}&type=op&cmd=<show><system><masterkey-properties/></system></show>&target={{ngfw-serial-number}}

Both the API calls above are examples of "op" (operational) commands. Within pan-os-python, op commands can be executed from the base module: https://pan-os-python.readthedocs.io/en/latest/module-base.html#panos.base.PanDevice.op

Hope this helps!

Help the community: "Like" helpful comments, and click "Accept as Solution" if you found your answer 🙂
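
The two op calls from the answer above, as an added example that is not part of the original thread or of pan-os-python: it builds the request with Python's standard library, sends the API key in the X-PAN-KEY header instead of the URL, and parses expire-at from a response. The sample XML, the timestamp format, and the function names are assumptions made for this example.

```python
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET
from datetime import datetime

OP_CMD = "<show><system><masterkey-properties/></system></show>"

# Constructed sample responses (not captured from a device). The position of
# <expire-at> follows the thread's mk[0].find('expire-at'); the timestamp
# format is an assumption, so check it against your own device's output.
SAMPLE_OK = ('<response status="success"><result>'
             '<expire-at>2030/01/15 08:00:00</expire-at>'
             '</result></response>')
SAMPLE_ERR = ('<response status="error"><msg><line>Invalid target</line>'
              '</msg></response>')


def build_request(host, api_key, target_serial=None):
    """Build (without sending) the op request; target_serial routes it via Panorama."""
    params = {"type": "op", "cmd": OP_CMD}
    if target_serial:
        params["target"] = target_serial
    # urlencode percent-encodes the XML so the angle brackets survive transport.
    url = f"https://{host}/api/?{urllib.parse.urlencode(params)}"
    # The key goes in the X-PAN-KEY header (PAN-OS 9.0 and later) instead of
    # key= in the URL, so it does not end up in proxy or web-server logs.
    return urllib.request.Request(url, headers={"X-PAN-KEY": api_key})


def parse_expiry(xml_text, fmt="%Y/%m/%d %H:%M:%S"):
    """Return the master key expiry as a datetime, or raise on an API error."""
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        detail = " ".join(t.strip() for t in root.itertext() if t.strip())
        raise RuntimeError(f"PAN-OS API error: {detail or 'no message'}")
    node = root.find(".//expire-at")
    if node is None or not (node.text or "").strip():
        raise ValueError("response has no expire-at value")
    return datetime.strptime(node.text.strip(), fmt)


def days_until_expiry(xml_text, now):
    """Whole days between 'now' and the expiry reported in xml_text."""
    return (parse_expiry(xml_text) - now).days
```

Pass the returned request to urllib.request.urlopen with certificate verification left on, then feed the response body to parse_expiry.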

3 REPLIES

Wow, this is very helpful, thank you so much. I will give this a try 🙂

Hi @JimmyHolland,

Indeed I took your advice, read up on pan-os-python and tested a few scripts out. So far so good. I even read up on ElementTree (if only I knew what I was getting myself into before accepting this task lol). I have one question related to this which I was unable to find searching the community.

I can create a bash script to pull the list of devices from Panorama and then loop through that list to pull the master key from each device. However, I will need this all integrated with other scripts eventually, so I need to do the same with Python. I was able to get the list of devices in Panorama and loop through them, but in the loop I have to log into each device separately to pass the OP command. I'm sure there's a way to do it directly through Panorama like with the curl command, except I can't seem to figure this out. This is how my code looks:

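from panos.device import SystemSettings
from panos.firewall import Firewall
from panos.panorama import Panorama

# Connect to Panorama and list its managed firewalls
pano = Panorama("{{ip-address}}", "{{username}}", "{{password}}")
devices = pano.refresh_devices(include_device_groups=False)

for device in devices:
    # Log in to each firewall directly to run the op command
    fw = Firewall("{{ip-address}}", "{{username}}", "{{password}}")
    system_settings = device.find("", SystemSettings)
    mk = fw.op('show system masterkey-properties')
    print('%s \t %s' % (system_settings.hostname, mk[0].find('expire-at').text))
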
I see that both variables 'device' and 'fw' are firewall objects, so I would have thought I could just do mk = device.op('show system masterkey properties'), but when I do, it spits out the below error. Would anyone have some feedback on this? Thank you.

PanXapiError: hostname argument required