How to deactivate virtual PA firewall with API

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

How to deactivate virtual PA firewall with API

L2 Linker

Trying to deactivate a PA-VM firewall with the API.

 

First I add the Licencing API key to the PA with the firewall API:

 

In order to hide my real values, let's use:

 

myfirewall.corp as my firewall

cxvzvxvcxvczc as my firewall's API key

dgshgdjsgdjsgj as my licensing portal API key.

 

So for the deactivation process, I'm gonna add the licensing portal API key to my firewall, and then deactivate.

I can add this API key via the cli or via the firewall API. I want to do everything with the API.

 

# Add deactivation key
https://myfirewall.corp//api/?key=cxvzvxvcxvczc&type=op&cmd=<request><license><api-key><set><key>dgs...>

 

this works. I can successfully use the CLI on the firewall to check that the key was added.

 

request license api-key show

API key: dgshgdjsgdjsgj

 

Next, I want to deactivate. I try the following:

 

# Deactivate
https://myfirewall.corp//api/?key=cxvzvxvcxvczc&type=op&cmd=<request><license><deactivate><VM-Capaci...>auto</mode></VM-Capacity></deactivate></license></request>

 

The response I get is:

 

This XML file does not appear to have any style information associated with it. The document tree is shown below.
<response status="error">
<msg>
<line>
(null) Error:Invalid or missing deactivation token Device doesn't belong to this support account.
</line>
</msg>
</response>

 

I do not want to log into the firewall GUI to deactivate, I'm trying to script this. How do I deactivate using the API. I followed the API browser on my firewall in order to get the above command, and it gave me :

 

Rest API Url
/api/?type=op&cmd=<request><license><deactivate><VM-Capacity><mode></mode></VM-Capacity></deactivate></license></request>

 

The mode choices it gave me are auto or manual. So I added "auto" between the <mode></mode> tags.

 

Any ideas what I'm doing wrong? 

Google searches show me how to delete one key feature at a time, on the CLI, but I'm trying to deactivate the whole Palo Alto VM with an API call.

 

thanks

Roger

1 accepted solution

Accepted Solutions

L2 Linker

Solved it.

 

I used the API browser on the PA firewall itself, dug down to the correct path, then in the submit field, I typed "auto" between the mode tags, and clicked submit. It worked, it deactivated the firewall, and on the PA licensing portal, I could see one less license in use for the auth-code.

 

The final URL the API browser gave me was:

 

https://myfirewall/api/?REST_API_TOKEN=1867054624&type=op&cmd=%3Crequest%3E%3Clicense%3E%3Cdeactivate%3E%3CVM-Capacity%3E%3Cmode%3Eauto%3C%2Fmode%3E%3C%2FVM-Capacity%3E%3C%2Fdeactivate%3E%3C%2Flicense%3E%3C%2Frequest%3E

 

it gives hex codes for <, \ and > . So I did the same in my API call, and it worked.

 

https://myfirewall//api/?key=cxvzvxvcxvczc&type=op&cmd=<request><license><deactivate><VM-Capacity><mode>auto<%2Fmode><%2FVM-Capacity><%2Fdeactivate><%2Flicense><%2Frequest>

View solution in original post

1 REPLY 1

L2 Linker

Solved it.

 

I used the API browser on the PA firewall itself, dug down to the correct path, then in the submit field, I typed "auto" between the mode tags, and clicked submit. It worked, it deactivated the firewall, and on the PA licensing portal, I could see one less license in use for the auth-code.

 

The final URL the API browser gave me was:

 

https://myfirewall/api/?REST_API_TOKEN=1867054624&type=op&cmd=%3Crequest%3E%3Clicense%3E%3Cdeactivate%3E%3CVM-Capacity%3E%3Cmode%3Eauto%3C%2Fmode%3E%3C%2FVM-Capacity%3E%3C%2Fdeactivate%3E%3C%2Flicense%3E%3C%2Frequest%3E

 

it gives hex codes for <, \ and > . So I did the same in my API call, and it worked.

 

https://myfirewall//api/?key=cxvzvxvcxvczc&type=op&cmd=<request><license><deactivate><VM-Capacity><mode>auto<%2Fmode><%2FVM-Capacity><%2Fdeactivate><%2Flicense><%2Frequest>

  • 1 accepted solution
  • 3437 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!