PAN-OS 9.0.6 API Curl JSON output

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

PAN-OS 9.0.6 API Curl JSON output

L1 Bithead

I'm working on a project to get information from the Palo Altos and use it for an input to a SIEM.  I'm able to run the below and get XML output.

curl -k 'https://<PAN>/api/?type=op&cmd=<show><system><info></info></system></show>&key=<KEY>'

I would prefer getting this in json so I tried &output-format=json after the key and get XML.  I did some research and see that /api appears to be XML output only.  Is this the case?  If so, is there an alternate to get the same output but in json?

 

TIA,

Joe

1 accepted solution

Accepted Solutions

@jwhughes,

So your polling from a Panorama appliance then. Honestly this sounds far more like a process/people issue and not something I would solve like this, but whatever. The /api address will direct you to the XML API, so yes the output is XML. 

There is a limited REST API available in 9.0 and above, but it's pretty limited in what it can do at the moment and can't do any sort of operational command. 

 

You'll need to utilize the XML response at this time until the REST API gets to the point where it's fully functional or you fix your people/process problem. 

View solution in original post

10 REPLIES 10

Cyber Elite
Cyber Elite

Hello,

What information are you looking to get from the PANs to the SIEM?

 

Please advise,

The hostname, ip address, serial number, ha peer, and ha state.  Both the PAN team and the team I am on are tired of asking them if there are any new devices that we need the SIEM to monitor the feed of.  If I could get that from the API only a weekly basis I wouldn't have to ask them and manually update the csv file that the SIEM reads.

Hello,

So you are looking for new PAN's on the network? Sounds like something for a monitoring tool and not a SIEM?

 

Please advise,

The SIEM monitors all the events from the PANs for correlating with other security appliances.  The issue as a member of the SIEM team is keeping up with the changes the PAN team makes.  That is why I'm looking for a way of getting a list of all the PANs.  I can get it with

curl -k 'https://<PAN>/api/?type=op&cmd=<show><devices><connected></connected></devices></show>&key=<KEY>'

Unfortunately the response is XML and the software I work with prefers JSON.  So either I have to convert from XML to JSON or find out if there is an alternative method of getting the information that outputs as JSON.

Hello,

Are you running that against the panorama? There should be logs that are generated when a new device connects. From there you should be able to generate an alert from the SIEM if that new IP is not being monitored.

 

Hope I understood you correctly.

 

Regards,

Hi,

 

Correct.  I'm running this against the Panorama.  What do the logs look like?  I still would like an answer to my original question to do a sanity check on what is currently there, but I can use the log for future PANs.

 

Regards

Hello,

That is something I do not know. However it should be a 'system' log so you might be able to run a SIEM query against that type of log, check its contents and write an alarm/alert around it.

 

Regards,

@jwhughes,

So your polling from a Panorama appliance then. Honestly this sounds far more like a process/people issue and not something I would solve like this, but whatever. The /api address will direct you to the XML API, so yes the output is XML. 

There is a limited REST API available in 9.0 and above, but it's pretty limited in what it can do at the moment and can't do any sort of operational command. 

 

You'll need to utilize the XML response at this time until the REST API gets to the point where it's fully functional or you fix your people/process problem. 

@BPryThanks.  It isn't what I wanted to hear, but it is what it is.  For now I will need to convert from XML to JSON in an external script.

L1 Bithead

Assuming that you're using a Linux CLI for this: a combination of the xpath (or xmllint) and the logger commands might be an easy solution to achieve your goal.

 

Here's a good example:

curl --insecure 'https://10.1.1.1/api/?type=op&cmd=<show><session><info></info></session></show>&key=XXXXXXXXXXXXXXXXXXXXXXXX=' -s | xpath "//pps/text()" 2>/dev/null | xargs logger -t paloaltoapi -n 10.3.3.7 -P 514 Number of sessions from Palo Alto firewall:
  • 1 accepted solution
  • 8535 Views
  • 10 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!