API Keys in PanOS 9.1


L4 Transporter

Hello All.

Do you know of a way to see all generated API keys on Panorama 9.1? A similar command exists on the WildFire appliance, but I could not find one on Panorama.

Also, does anyone know how the API key generation process works in 9.1? Are the keys persistent after a reboot, software upgrade or configuration reload (e.g. from backup)?

What causes key regeneration?  


4 REPLIES

Cyber Elite

The WildFire (cloud) keys are generated and stored on the WildFire cloud platform, while the system (hardware) API keys are hashed from the admin's current password, so one admin has only one API key, and once their password changes, so does the key (if you've shared this key, you've essentially shared your password).

To ensure API keys aren't shared or forgotten somewhere, you can periodically force admins to change their password; this will invalidate any rogue API keys left out there.

Each admin should have their own named account and extract/use an API key from that account only.

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

@reaper Thanks for the quick response.

Your description is definitely valid in PanOS 8.1; however, it looks like the behavior changed in 9.1 (or likely 9.0).

I have just tested again on Panorama running 9.1.6, and you get a new API key every time you run the generate API call.

I generated 5 different keys one after the other, then executed commands with each one of the keys, proving they are all valid.

This is the reason for asking the question, because it looks like you can have a lot of keys per user. There is the new feature for expiring API keys, but the option is only to expire all keys.

Another change from 8.1 is that it looks like the keys are not persistent after a config reload, but unfortunately I could not find any KB or documentation explaining the behavior, and it is all based on testing.
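The test the poster describes above (generate several keys for one admin, then run a command with each of them), written out as an added example; it is not code from the thread or from Palo Alto Networks. It uses the documented PAN-OS XML API calls (`type=keygen` sent as a POST, then an op command authenticated with the `X-PAN-KEY` header). The Panorama host and admin name are command-line arguments, and the sample XML responses embedded in the script are constructed so the parsing can be exercised offline. On 8.1 every keygen call should return the same key; on 9.0 and later each call returns a new one, and all of them are accepted until the password changes or the keys are expired.

```python
"""Generate several PAN-OS / Panorama XML API keys for one admin and check
that each one is accepted: the test described in the post above.

Added example, not code from the thread or from Palo Alto Networks. The
endpoints and header (/api/?type=keygen, /api/?type=op, X-PAN-KEY) are the
documented PAN-OS XML API; the sample responses below are constructed so the
parsing can be exercised offline (the key value in them is fake).
"""
import getpass
import ssl
import sys
import urllib.error
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

# Constructed sample responses (shape follows the XML API; key value is fake)
SAMPLE_KEYGEN_OK = ('<response status="success"><result>'
                    '<key>LUFRPT1constructedSampleKeyValue</key></result></response>')
SAMPLE_KEYGEN_DENIED = ('<response status="error" code="403"><result>'
                        '<msg>Invalid Credential</msg></result></response>')
SAMPLE_OP_OK = ('<response status="success"><result><system>'
                '<hostname>panorama</hostname></system></result></response>')


def parse_keygen(xml_text):
    """Return the key from a keygen response; raise if the device refused."""
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        raise RuntimeError("keygen failed: " + (root.findtext("./result/msg") or "unknown error"))
    key = root.findtext("./result/key")
    if not key:
        raise RuntimeError("keygen response carried no <key> element")
    return key


def op_accepted(xml_text):
    """True when an op command ran, i.e. the key was accepted."""
    return ET.fromstring(xml_text).get("status") == "success"


def _fetch(req, ctx):
    # PAN-OS returns its XML error body with a non-2xx status (e.g. 403 for a
    # bad key), which urllib raises; keep the body so the caller can parse it.
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=15) as resp:
            return resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.read().decode()


def keygen(host, user, password, ctx):
    # POST keeps the password out of the URL and therefore out of proxy and
    # web-server logs; the XML API accepts form-encoded parameters.
    body = urllib.parse.urlencode({"type": "keygen", "user": user, "password": password}).encode()
    req = urllib.request.Request(f"https://{host}/api/", data=body, method="POST")
    return parse_keygen(_fetch(req, ctx))


def key_works(host, key, ctx):
    """Run a harmless op command with the key via the X-PAN-KEY header."""
    query = urllib.parse.urlencode({"type": "op", "cmd": "<show><system><info></info></system></show>"})
    req = urllib.request.Request(f"https://{host}/api/?{query}", headers={"X-PAN-KEY": key})
    return op_accepted(_fetch(req, ctx))


def main(argv):
    if len(argv) != 3:
        print(f"usage: {argv[0]} <panorama-host> <admin-name>", file=sys.stderr)
        return 2
    host, user = argv[1], argv[2]
    password = getpass.getpass(f"password for {user}@{host}: ")
    ctx = ssl.create_default_context()  # verify the management certificate; do not disable
    keys = [keygen(host, user, password, ctx) for _ in range(5)]
    # 8.1: all five identical. 9.0+: five distinct keys, all accepted.
    print(f"{len(set(keys))} distinct key(s) from {len(keys)} keygen calls")
    for key in keys:
        print(key[:12] + "...", "accepted" if key_works(host, key, ctx) else "rejected")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The password is read with `getpass` rather than taken on the command line, TLS verification of the management certificate is left on, and only a prefix of each key is printed: as the replies in this thread point out, a key is equivalent to the admin's password, so it should not end up in shell history or logs.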

 

L1 Bithead (accepted solution)

Quick answer: no, you can't see all keys that are valid, because they are not stored in a database; they are valid hashes of the user's password (with an added timestamp in 9.0 and later).

Long answer: because 9.0 adds a timestamp to the generated API key, you are indeed able to create multiple keys, and they are all valid. You will see the key length increased from the 8.1 key; this is the timestamp being added to the key on generation.

The keys are a hash of the user password and are therefore tied to it: if you change the user password, all keys are invalid. If you change the password back to the original, they are valid again.

When you choose on the firewall to expire the API keys or set a time to expire from, a date stamp is placed on the firewall that is then used to cross-reference the timestamp in the key offered to it. If the key converts back to a time that was prior to the expiry flag, it fails authentication.

It's quite useful in that if you are setting keys to expire every 90 days, you can generate a new key a week before the old one expires and cut over before the expiry of the old keys.

Now also note that until the "Expire All Keys" button (Device > Management > Authentication Settings) is pressed or a lifetime set, the 8.1 key is also valid, as all keys, with or without the timestamp, still verify against the password.

@Tom-Lee Thank you for responding. This is exactly the information I needed. I also did not realise that the API key expiry time was calculated for each generated key and not for all.
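A toy model of the behaviour the accepted answer describes, added here as an example; it is not PAN-OS code. The thread does not document the real key format or hash, so the HMAC construction, salt, field separator and the expiry marker in the model are assumptions chosen only to reproduce the stated behaviour. The walkthrough exercises each claim in turn: several timestamped keys valid at once, every key failing after a password change and working again once the password is reverted, "Expire All Keys" stamping a cut-off that earlier keys fail while a key generated afterwards passes, a lifetime counted per key (the point in the thank-you above), and an 8.1-style key with no timestamp that stays valid only until an expiry is set.

```python
"""Toy model of the 9.0+ API-key behaviour described in the answer above.

Added example, not PAN-OS code: the thread does not document the real key
format or hash, so the HMAC construction, salt, field separator and the
'expire_before' marker below are assumptions chosen only to reproduce the
stated behaviour (password-bound keys, a generation timestamp, a device-side
expiry stamp, 8.1-style keys without a timestamp).
"""
import hashlib
import hmac
import secrets


class AdminApiKeys:
    """API keys of one admin account, as the answer above describes them."""

    def __init__(self, password):
        self.salt = secrets.token_bytes(16)   # assumed; stands in for whatever the device stores
        self.pw_hash = self._hash(password)
        self.expire_before = None   # set by "Expire All Keys": keys generated earlier fail
        self.lifetime = None        # seconds a key stays valid after generation, if set

    def _hash(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 50_000)

    def _tag(self, ts_field):
        # The part of the key bound to the current password hash.
        return hmac.new(self.pw_hash, ts_field.encode(), "sha256").hexdigest()[:32]

    def generate(self, now):
        """9.0+ style key: generation timestamp plus password-bound tag."""
        ts = str(int(now))
        return f"{ts}.{self._tag(ts)}"

    def generate_legacy(self):
        """8.1 style key: password-bound tag only, no timestamp."""
        return self._tag("")

    def change_password(self, new_password):
        self.pw_hash = self._hash(new_password)   # every existing key's tag now fails

    def expire_all(self, now):
        self.expire_before = int(now)

    def set_lifetime(self, seconds):
        self.lifetime = seconds

    def verify(self, key, now):
        ts_field, _, tag = key.rpartition(".")
        if not hmac.compare_digest(tag, self._tag(ts_field)):
            return False   # key was made under a different password
        if ts_field == "":
            # legacy key: nothing to compare once an expiry exists, so it fails then
            return self.expire_before is None and self.lifetime is None
        try:
            ts = int(ts_field)
        except ValueError:
            return False
        if self.expire_before is not None and ts < self.expire_before:
            return False   # generated before "Expire All Keys" was pressed
        if self.lifetime is not None and now - ts > self.lifetime:
            return False   # this key's own lifetime has run out
        return True


def walkthrough():
    """Exercise each claim from the answer; returns a dict of outcomes."""
    t0 = 1_600_000_000
    admin = AdminApiKeys("hunter2")
    legacy = admin.generate_legacy()
    k1, k2 = admin.generate(t0), admin.generate(t0 + 60)
    out = {"two_keys_valid_at_once": admin.verify(k1, t0 + 100) and admin.verify(k2, t0 + 100),
           "legacy_valid_before_expiry": admin.verify(legacy, t0 + 100)}
    admin.change_password("correct horse battery staple")
    out["k1_after_password_change"] = admin.verify(k1, t0 + 100)
    admin.change_password("hunter2")
    out["k1_after_password_reverted"] = admin.verify(k1, t0 + 100)
    admin.expire_all(t0 + 200)               # "Expire All Keys" pressed
    k3 = admin.generate(t0 + 300)            # new key issued after the cut-off
    out["k1_after_expire_all"] = admin.verify(k1, t0 + 400)
    out["k3_after_expire_all"] = admin.verify(k3, t0 + 400)
    out["legacy_after_expire_all"] = admin.verify(legacy, t0 + 400)
    admin.set_lifetime(90 * 86400)           # 90-day lifetime, counted per key
    out["k3_at_day_80"] = admin.verify(k3, t0 + 300 + 80 * 86400)
    out["k3_at_day_91"] = admin.verify(k3, t0 + 300 + 91 * 86400)
    return out


if __name__ == "__main__":
    for name, ok in walkthrough().items():
        print(f"{name:32s} {'valid' if ok else 'rejected'}")
```

The model also shows why there is nothing to list: validity is a property checked against the current password hash and the expiry stamp at verification time, not a record kept per key, so the only inventory an operator can keep is the one they maintain themselves at generation time.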
