- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
07-25-2018 05:25 PM
Trying to deactivate a PA-VM firewall with the API.
First I add the Licencing API key to the PA with the firewall API:
In order to hide my real values, let's use:
myfirewall.corp as my firewall
cxvzvxvcxvczc as my firewall's API key
dgshgdjsgdjsgj as my licensing portal API key.
So for the deactivation process, I'm gonna add the licensing portal API key to my firewall, and then deactivate.
I can add this API key via the cli or via the firewall API. I want to do everything with the API.
# Add deactivation key
https://myfirewall.corp//api/?key=cxvzvxvcxvczc&type=op&cmd=<request><license><api-key><set><key>dgs...>
this works. I can successfully use the CLI on the firewall to check that the key was added.
request license api-key show
API key: dgshgdjsgdjsgj
Next, I want to deactivate. I try the following:
# Deactivate
https://myfirewall.corp//api/?key=cxvzvxvcxvczc&type=op&cmd=<request><license><deactivate><VM-Capaci...>auto</mode></VM-Capacity></deactivate></license></request>
The response I get is:
This XML file does not appear to have any style information associated with it. The document tree is shown below.
<response status="error">
<msg>
<line>
(null) Error:Invalid or missing deactivation token Device doesn't belong to this support account.
</line>
</msg>
</response>
I do not want to log into the firewall GUI to deactivate, I'm trying to script this. How do I deactivate using the API. I followed the API browser on my firewall in order to get the above command, and it gave me :
Rest API Url
/api/?type=op&cmd=<request><license><deactivate><VM-Capacity><mode></mode></VM-Capacity></deactivate></license></request>
The mode choices it gave me are auto or manual. So I added "auto" between the <mode></mode> tags.
Any ideas what I'm doing wrong?
Google searches show me how to delete one key feature at a time, on the CLI, but I'm trying to deactivate the whole Palo Alto VM with an API call.
thanks
Roger
07-26-2018 09:41 AM
Solved it.
I used the API browser on the PA firewall itself, dug down to the correct path, then in the submit field, I typed "auto" between the mode tags, and clicked submit. It worked, it deactivated the firewall, and on the PA licensing portal, I could see one less license in use for the auth-code.
The final URL the API browser gave me was:
https://myfirewall/api/?REST_API_TOKEN=1867054624&type=op&cmd=%3Crequest%3E%3Clicense%3E%3Cdeactivate%3E%3CVM-Capacity%3E%3Cmode%3Eauto%3C%2Fmode%3E%3C%2FVM-Capacity%3E%3C%2Fdeactivate%3E%3C%2Flicense%3E%3C%2Frequest%3E
it gives hex codes for <, \ and > . So I did the same in my API call, and it worked.
https://myfirewall//api/?key=cxvzvxvcxvczc&type=op&cmd=<request><license><deactivate><VM-Capacity><mode>auto<%2Fmode><%2FVM-Capacity><%2Fdeactivate><%2Flicense><%2Frequest>
07-26-2018 09:41 AM
Solved it.
I used the API browser on the PA firewall itself, dug down to the correct path, then in the submit field, I typed "auto" between the mode tags, and clicked submit. It worked, it deactivated the firewall, and on the PA licensing portal, I could see one less license in use for the auth-code.
The final URL the API browser gave me was:
https://myfirewall/api/?REST_API_TOKEN=1867054624&type=op&cmd=%3Crequest%3E%3Clicense%3E%3Cdeactivate%3E%3CVM-Capacity%3E%3Cmode%3Eauto%3C%2Fmode%3E%3C%2FVM-Capacity%3E%3C%2Fdeactivate%3E%3C%2Flicense%3E%3C%2Frequest%3E
it gives hex codes for <, \ and > . So I did the same in my API call, and it worked.
https://myfirewall//api/?key=cxvzvxvcxvczc&type=op&cmd=<request><license><deactivate><VM-Capacity><mode>auto<%2Fmode><%2FVM-Capacity><%2Fdeactivate><%2Flicense><%2Frequest>
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!